{
	"id": "16650f81-f105-4607-8016-1c80aa8a620e",
	"created_at": "2026-04-06T00:16:42.641391Z",
	"updated_at": "2026-04-10T03:28:21.031126Z",
	"deleted_at": null,
	"sha1_hash": "9d9d19cb54babb636513bb3f0045e8695f6cddd0",
	"title": "Mallox affiliate leverages PureCrypter in MS-SQL exploitation campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 971340,
	"plain_text": "Mallox affiliate leverages PureCrypter in MS-SQL exploitation\r\ncampaigns\r\nBy Sekoia TDR,\u0026nbsp;Jeremy Scion,\u0026nbsp;Livia Tibirna\u0026nbsp;and\u0026nbsp;Pierre Le Bourhis\r\nPublished: 2024-05-13 · Archived: 2026-04-05 13:01:29 UTC\r\nThis report was originally published for our customers on 2 May 2024.\r\nAs part of our critical vulnerabilities monitoring routine, Sekoia’s Threat \u0026 Detection Research (TDR) team\r\ndeploys and supervises honeypots in different locations around the world to identify potential exploitations.\r\nTable of contents\r\nIntroduction\r\nInfection flow\r\nInitial access\r\nExploitation\r\nPost exploitation\r\nPureCrypter payload analysis\r\nBackground\r\nOverview\r\nAnti-analysis\r\nNext stage execution\r\nMallox ransomware deployment\r\nBackground\r\nInitial access\r\nInternal structure\r\nRaaS operation\r\nDouble extortion\r\nVictimology\r\nPayload overview\r\nIdentified affiliates\r\nFocus maestro\r\nFocus vampire\r\nFocus hiervos\r\nInfrastructure\r\nMaestro\r\nXhost-overview\r\nDetection\r\nConclusion\r\nhttps://blog.sekoia.io/mallox-ransomware-affiliate-leverages-purecrypter-in-microsoft-sql-exploitation-campaigns/\r\nPage 1 of 20\n\nIoCs\r\nIntroduction\r\nRecently, our team observed an incident involving our MS-SQL (Microsoft SQL) honeypot. It was targeted by an\r\nintrusion set leveraging brute-force tactics, aiming to deploy the Mallox ransomware via PureCrypter through\r\nseveral MS-SQL exploitation techniques.\r\nOur investigation of Mallox samples led us to identify two affiliates with distinct modus operandi. The first\r\nfocuses on exploiting vulnerable assets, while the second aims at broader compromises of information systems on\r\na larger scale.\r\nThis blogpost report aims at presenting a comprehensive technical analysis of the techniques used to compromise\r\nthe MS-SQL server we deployed. 
Additionally, it delves into the behaviour observed, with a focus on the Mallox\r\nransomware and its affiliates. Finally, we offer insights into detection opportunities to mitigate such threats in the\r\nfuture.\r\nInfection flow\r\nOur MS-SQL honeypot was deployed online on 15 April 2024 at 8 am UTC and monitored throughout the following\r\nweek. It exposes the MS-SQL port, authentication is configured in mixed mode and the sa (system administrator)\r\naccount is protected with a weak password.\r\nInitial access\r\nThe initial access occurred through a brute-force attack targeting the MS-SQL server. As illustrated in the graph\r\nbelow, the attacker primarily targeted the “sa” account. The account was compromised at 8:50 am, less than an\r\nhour after it went online. We observed approximately 320 attempts per minute during this timeframe.\r\nFigure 1. A breakdown of the accounts targeted by brute force.\r\nAll of the attacking IP addresses belong to AS208091, which is owned by the hosting provider XHost Internet\r\nSolution. Despite the successful compromise of the account, the attacker kept brute-forcing throughout the\r\nentire observation window.\r\nExploitation\r\nThe first exploitation attempt was observed on 15 April 2024 at 2:17 pm, several hours after the account was\r\ncompromised. All of the exploitation attempts (connections, payload hosting) can be traced back to AS208091.\r\nBased on the collected IoCs and the observed TTPs, we attribute all of the exploitation attempts to the same\r\nintrusion set.\r\nThe MS-SQL logs provide detailed information about the attacker’s actions, revealing two distinct exploitation\r\nschemes. Based on the timestamps, it is likely that the attacker used scripts or tools in both cases. 
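The two schemes are detailed in the next section. As an added example (written for this edit, not tooling from Sekoia or from the report), the following Python shows how the statements they rely on can be flagged from statement-level MS-SQL telemetry such as SQL Server Audit or Extended Events output. The audit rows are constructed for the example, the client addresses are documentation-range placeholders, and the rule names, the chain logic and the mixed-case 8-letter client_app_name heuristic are the example’s own choices.

```python
import re
from collections import defaultdict

# Constructed MS-SQL audit rows for this example (not the honeypot's real logs).
# Triple-quoted strings keep the T-SQL quoting readable without escapes.
EVENTS = [
    # Pattern 1: TRUSTWORTHY + clr enabled, UNSAFE assembly, CLR procedure, then xp_cmdshell
    {'ts': '14:17:02', 'client': '203.0.113.10', 'app': 'vYMiFrYR',
     'stmt': '''EXEC sp_configure 'show advanced options', 1; RECONFIGURE'''},
    {'ts': '14:17:03', 'client': '203.0.113.10', 'app': 'vYMiFrYR',
     'stmt': '''ALTER DATABASE master SET TRUSTWORTHY ON'''},
    {'ts': '14:17:03', 'client': '203.0.113.10', 'app': 'vYMiFrYR',
     'stmt': '''EXEC sp_configure 'clr enabled', 1; RECONFIGURE'''},
    {'ts': '14:17:04', 'client': '203.0.113.10', 'app': 'vYMiFrYR',
     'stmt': '''CREATE ASSEMBLY shell FROM 0x4D5A90 WITH PERMISSION_SET = UNSAFE'''},
    {'ts': '14:17:04', 'client': '203.0.113.10', 'app': 'vYMiFrYR',
     'stmt': '''CREATE PROCEDURE cmd_exec @cmd NVARCHAR(4000) AS EXTERNAL NAME shell.StoredProcedure.cmd_exec'''},
    {'ts': '14:17:05', 'client': '203.0.113.10', 'app': 'vYMiFrYR',
     'stmt': '''EXEC cmd_exec 'cmd /c powershell -ep bypass -f C:\\ProgramData\\s.ps1' '''},
    {'ts': '14:17:06', 'client': '203.0.113.10', 'app': 'vYMiFrYR',
     'stmt': '''EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE'''},
    {'ts': '14:17:06', 'client': '203.0.113.10', 'app': 'vYMiFrYR',
     'stmt': '''EXEC master..xp_cmdshell 'wmic process call create C:\\ProgramData\\svc.exe' '''},
    # Pattern 2: xp_cmdshell and OLE automation only, from another tool-generated app name
    {'ts': '15:02:10', 'client': '203.0.113.11', 'app': 'kPzQwXyT',
     'stmt': '''EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE'''},
    {'ts': '15:02:11', 'client': '203.0.113.11', 'app': 'kPzQwXyT',
     'stmt': '''EXEC xp_cmdshell 'powershell -ep bypass -f C:\\ProgramData\\s.ps1' '''},
    {'ts': '15:02:12', 'client': '203.0.113.11', 'app': 'kPzQwXyT',
     'stmt': '''EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE'''},
    {'ts': '15:02:13', 'client': '203.0.113.11', 'app': 'kPzQwXyT',
     'stmt': '''DECLARE @o INT; EXEC sp_oacreate 'wscript.shell', @o OUT'''},
    {'ts': '15:02:13', 'client': '203.0.113.11', 'app': 'kPzQwXyT',
     'stmt': '''EXEC sp_oamethod @o, 'run', NULL, 'cmd /c whoami' '''},
    # Benign DBA activity: a single TRUSTWORTHY change and no command execution
    {'ts': '16:40:00', 'client': '198.51.100.7', 'app': 'Microsoft SQL Server Management Studio - Query',
     'stmt': '''SELECT name FROM sys.databases'''},
    {'ts': '16:41:30', 'client': '198.51.100.7', 'app': 'Microsoft SQL Server Management Studio - Query',
     'stmt': '''ALTER DATABASE reporting SET TRUSTWORTHY ON'''},
]

WORD = re.compile('[A-Za-z_][A-Za-z0-9_]*|[0-9]+')

def canon(stmt):
    '''Lower-cased word/number tokens joined by single spaces, so that quoting,
    punctuation and spacing differences do not matter when matching.'''
    return ' '.join(WORD.findall(stmt)).lower()

# First matching rule wins, so the option change that merely enables xp_cmdshell
# is classified as config-enabled rather than as command execution.
RULES = [
    ('config-enabled', re.compile('sp_configure (xp_cmdshell|clr enabled|ole automation procedures) 1')),
    ('trustworthy-on', re.compile('alter database [a-z0-9_]+ set trustworthy on')),
    ('unsafe-assembly', re.compile('create assembly [a-z0-9_]+ .*permission_set unsafe')),
    ('clr-procedure', re.compile('create procedure ([a-z0-9_]+) .*external name')),
    ('os-command', re.compile('xp_cmdshell|sp_oacreate wscript shell|sp_oamethod')),
]

def random_app_name(app):
    '''Heuristic from the report: CrackMapExec and Metasploit leave a random
    8-letter client_app_name. Mixed case is required to skip plain product names.'''
    return len(app) == 8 and app.isalpha() and app != app.lower() and app != app.upper()

def analyse(events):
    '''Group statements per client; record rule hits in order, remember the
    CLR-backed procedures a client created so that later calls to them are
    flagged, and mark a chain when a staging change is followed by OS command execution.'''
    per_client = defaultdict(lambda: {'hits': [], 'tool_app': False, 'clr_procs': set(), 'chain': False})
    for ev in events:
        rec = per_client[ev['client']]
        rec['tool_app'] = rec['tool_app'] or random_app_name(ev['app'])
        c = canon(ev['stmt'])
        for name, rx in RULES:
            m = rx.search(c)
            if m:
                if name == 'clr-procedure':
                    rec['clr_procs'].add(m.group(1))
                rec['hits'].append((ev['ts'], name))
                break
        else:
            if rec['clr_procs'] & set(c.split()):
                rec['hits'].append((ev['ts'], 'clr-exec'))
    for rec in per_client.values():
        names = {n for _, n in rec['hits']}
        staged = names & {'config-enabled', 'trustworthy-on', 'unsafe-assembly', 'clr-procedure'}
        rec['chain'] = bool(staged) and bool(names & {'os-command', 'clr-exec'})
    return dict(per_client)

if __name__ == '__main__':
    for client, rec in analyse(EVENTS).items():
        print('%s chain=%s tool_app=%s hits=%s' % (client, rec['chain'], rec['tool_app'], [n for _, n in rec['hits']]))
```

A lone TRUSTWORTHY change by a DBA is still recorded as a hit but stays below the chain threshold, which is the trade-off the report mentions between honeypot and production noise; the procedure-name tracking is what makes the CLR SqlShell call visible even though the statement itself contains none of the usual suspicious keywords.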
\r\nFrom the numerous exploitation attempts we observed, 19 allowed us to identify two distinct, recurring\r\noperating patterns. The commands are systematically aimed at dropping and executing the same payload. Sections\r\ndedicated to this payload are included later in this report.\r\nThe observed exploitation attempts are detailed below.\r\nExploitation Pattern 1:\r\nThe attacker enabled the TRUSTWORTHY property on the master database, which is disabled by\r\ndefault. With TRUSTWORTHY on, impersonation contexts established with EXECUTE AS, and assemblies loaded into the\r\ndatabase, are allowed to access resources outside of it.\r\nIt then enabled the “clr enabled” option, which allows SQL Server to load and run user assemblies. Enabling\r\nboth “clr enabled” and TRUSTWORTHY is a prerequisite for loading a CLR assembly with the UNSAFE permission set\r\n(unless the assembly is signed with a key whose login holds the UNSAFE ASSEMBLY permission).\r\nThe attacker created an assembly named “shell” in the “msdb” database with the UNSAFE permission set.\r\nThis assembly is a .NET DLL containing a class called StoredProcedure which includes a cmd_exec function. This\r\nfunction executes commands passed to it as parameters via cmd.exe. This assembly corresponds to the CLR SqlShell\r\nmalware documented by ASEC in connection with the compromise of an MS-SQL server by the\r\nTrigona ransomware.\r\nFigure 2. cmd_exec function from the shell assembly.\r\nThe attacker created a stored procedure named cmd_exec that calls the SqlShell malware.\r\nFinally, it called the stored procedure with a command that performs the\r\nfollowing actions:\r\nUsing echo and a redirect, it writes a PowerShell script that downloads a binary and saves it to the\r\nProgramData folder;\r\nIt then calls PowerShell to execute the script;\r\nFinally, it uses WMIC to execute the binary.\r\nFurther execution is blocked by Microsoft Defender. 
At this stage, it is unclear whether the following actions are\r\nexecuted iteratively by the script or executed because the previous command has been blocked.\r\nThe attacker enabled the xp_cmdshell option, which allows SQL Server to spawn a Windows command shell\r\nand pass it a string for execution. This is a well-known technique used by attackers to compromise MS-SQL servers.\r\nIt used xp_cmdshell to execute the same command as observed above through the cmd_exec stored procedure,\r\nand also enabled the “Ole Automation Procedures” option, which allows SQL Server to instantiate OLE/COM objects\r\nfrom T-SQL.\r\nFinally, it used sp_oacreate to create the OLE object wscript.shell, and then called this object via\r\nsp_oamethod to execute arbitrary commands on the underlying operating system.\r\nExploitation Pattern 2:\r\nIn this case, the analysis of the MS-SQL logs, and more specifically of the client_app_name field, reveals a relevant\r\npattern: vYMiFrYR. This application name appears several times and is systematically associated with the same\r\naction sequence. It is almost certainly the name set by an exploitation tool.\r\nNote that the CrackMapExec MS-SQL module leaves a fairly similar trace: a random 8-character application\r\nname. This is also the case for the Metasploit exploit module.\r\nFigure 3. MS-SQL logs extract related to exploitation.\r\nIn this instance, we see the same sequence as in the previous case, but without the attempt to deploy the assembly\r\nand the associated stored procedure.\r\nPost exploitation\r\nThe payloads dropped through MS-SQL exploitation correspond to PureCrypter. The behaviour observed is very\r\nsimilar to the one described in the ANY.RUN analysis.\r\nThe infection chain is as follows:\r\n1. The payload downloads a file from the Internet. The file has a random name and a multimedia file\r\nextension (e.g. mp4, wav, pdf). 
As documented by ANY.RUN, this behaviour is characteristic of PureCrypter;\r\n2. The downloaded file contains data encrypted with 3DES;\r\n3. A .NET library is obtained after decryption. It is executed by the previous payload using the Reflective Code\r\nLoading technique. This DLL corresponds to PureCrypter’s stage 2. Its first action is to load a third-party\r\npayload from its resources;\r\n4. This third-party payload is the Mallox ransomware.\r\nFigure 4. Mallox deployment workflow.\r\nIt is worth noting that during the last attempts, the attacker tried to deploy Mallox without PureCrypter. Since\r\nthe previous attempts involving PureCrypter had failed, the attacker likely tried to run the ransomware\r\ndirectly, possibly to make sure that the failures were not caused by the crypter.\r\nPureCrypter payload analysis\r\nBackground\r\nPureCrypter is a loader developed in .NET whose main capability is to download and execute a payload.\r\nIt is developed and sold as Malware-as-a-Service (MaaS) by a threat actor operating under the alias PureCoder\r\n(aka PureTeam). PureCoder operates on various Russian-speaking cybercrime forums such as XSS, UfoLabs and\r\nCrackedIO, where they offer a wide range of malware from the Pure family alongside PureCr​ypter (e.g. PureMiner,\r\nPureLogs, PureClipper, etc.).\r\nPureCoder customers subscribe for either monthly or lifetime licences. The builder lets customers tailor\r\nPureCrypter payloads by choosing the injection, anti-analysis and persistence methods. 
\r\nIntrusion sets such as the 8220 gang and the Mallox ransomware operators were previously reported leveraging\r\nPureCrypter in financially motivated campaigns.\r\nOverview\r\nPureCrypter employs various techniques to evade detection and analysis by security software and researchers. By\r\nusing these techniques, the first stage of the infection attempts to remain stealthy, allowing it to carry out its malicious\r\nactivities unimpeded.\r\nAnti-analysis\r\nThe loader performs a series of environment detection and anti-analysis checks, listed below:\r\nThe malware lists all running processes and searches for the module name SbieDll.dll, which is the DLL\r\nused by Sandboxie.\r\nThe malware retrieves the Win32_BIOS class using a WMI query (`select * from Win32_BIOS`) to check whether it is\r\nrunning in a virtual environment. It looks for values such as VMWare, Virtual, A M I, or Xen. A similar test\r\nis performed on the computer manufacturer and model using another WMI query (`select * from\r\nWin32_ComputerSystem`), with tested values including Microsoft, VMWare, and Virtual.\r\nThe malware also checks the monitor size. If the monitor size is 1440×900, or if the width is below 1024\r\nand the height is below 768, the malware stops its execution.\r\nThe malware checks the username as well. If the username is `john`, `anna`, or `xxxxxxxx`, the malware\r\nexits.\r\nA network test is performed using the following commands: `ipconfig /renew` and `ipconfig /release`.\r\nThe malware uses a technique detailed in The Red Team Vade Mecum, EtwEventWrite patching, so that the\r\nprocess no longer emits the ETW events that security tooling would otherwise log.\r\nFigure 5. Patching EtwEventWrite.\r\nFigure 6. 
AmsiScanBuffer patching.\r\nThe malware likewise patches AmsiScanBuffer, neutralising AMSI scanning of the code it loads in memory.\r\nThe malware prepares for the execution of the next payload by adding Windows Defender exclusions (via\r\nAdd-MpPreference, with path and process exclusions) for itself and for the dropped payload.\r\nThe malware ensures its persistence on the infected host by adding a value in the current user hive\r\nunder `Software\\Microsoft\\Windows\\CurrentVersion\\Run\\`.\r\nFinally, the malware inspects its process privileges in order to enable SeDebugPrivilege,\r\nwhich the dropped payload may use.\r\nNext stage execution\r\nPrior to the series of environment detection and privilege adjustment checks, the loader loads a resource with a\r\nspecific structure. The first four bytes of the resource indicate the size of the data to decompress. The loader then\r\nuses a memory stream object to read that number of bytes from the resource, which are then gunzipped.\r\nFigure 7. Function to read the compressed resource.\r\nThe decompressed data is a protobuf-serialised message, which aligns with some of our previous observations regarding the\r\nimported libraries. Decoded without its schema, and with the embedded payload truncated, it is as follows.\r\nIn the listing, “Ydxhjxwf.exe” is the filename under which PureCrypter writes (under %appdata%) and executes its\r\nnext-stage payload, the Mallox ransomware, and the long entry is the Mallox PE stored encrypted with AES in CBC mode. 
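The resource layout and the schema-less decoding described above, as an added example (written for this edit, not PureCrypter’s own code nor Sekoia’s tooling). It builds a resource in the same layout from a constructed message that mirrors the field numbers of the listing, then reads it back: 4-byte length prefix, gzip stream, protobuf wire format decoded without a schema. The little-endian length prefix, the restriction to varint and length-delimited fields, the trailing padding and the 16-byte stand-in for the encrypted PE are assumptions of the example.

```python
import gzip
import struct

def encode_varint(n):
    '''Protobuf base-128 varint encoding.'''
    out = bytearray()
    while True:
        b = n & 0x7F
        n >>= 7
        if n:
            out.append(b | 0x80)
        else:
            out.append(b)
            return bytes(out)

def decode_varint(buf, pos):
    '''Return (value, new_pos); raises IndexError if the buffer ends mid-varint.'''
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return result, pos

def encode_message(fields):
    '''Serialise {field_number: value}: ints as varints (wire type 0); str, bytes
    and nested dicts as length-delimited fields (wire type 2).'''
    out = b''
    for number, value in fields.items():
        if isinstance(value, int):
            out += encode_varint(number << 3) + encode_varint(value)
            continue
        if isinstance(value, dict):
            value = encode_message(value)
        elif isinstance(value, str):
            value = value.encode('utf-8')
        out += encode_varint((number << 3) | 2) + encode_varint(len(value)) + value
    return out

def parse_message(buf):
    '''Schema-less decoder: varints become ints; length-delimited fields are
    tried as nested messages, then as printable UTF-8 text, else kept as bytes.'''
    msg, pos = {}, 0
    while pos < len(buf):
        tag, pos = decode_varint(buf, pos)
        number, wire = tag >> 3, tag & 7
        if number == 0:
            raise ValueError('field number 0 is not valid protobuf')
        if wire == 0:
            value, pos = decode_varint(buf, pos)
        elif wire == 2:
            length, pos = decode_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError('length-delimited field runs past the buffer')
            value, pos = guess_value(buf[pos:pos + length]), pos + length
        else:
            raise ValueError('wire type %d not handled' % wire)
        msg[number] = value
    return msg

def guess_value(raw):
    '''Nested message if it parses cleanly, else printable text, else opaque bytes
    (which is what the AES-CBC encrypted PE looks like). Short strings that happen
    to parse as a message are the known weakness of schema-less decoding.'''
    if not raw:
        return {}
    try:
        return parse_message(raw)
    except (ValueError, IndexError):
        pass
    try:
        text = raw.decode('utf-8')
        if text.isprintable():
            return text
    except UnicodeDecodeError:
        pass
    return raw

# Constructed stand-in for the encrypted PE: bytes that decode as neither a
# message nor UTF-8 text, so they stay opaque like the real ciphertext.
CIPHERTEXT = bytes([0x93, 0x8F, 0xD1, 0x00, 0x11, 0x52, 0xAA, 0xFE,
                    0x41, 0x07, 0xC3, 0x9E, 0x22, 0x76, 0x5B, 0x0D])

# Field numbers follow the listing from the report; the values are this example's.
CONFIG = {1: {1: {2: {1: 1, 2: CIPHERTEXT, 3: 1, 4: 1, 5: 'Itself', 6: {}, 7: {}}},
              2: {3: {1: 30, 3: 'Zyzpeofm'}},
              3: {4: {1: {2: '%appdata%', 3: 'Ydxhjxwf.exe'}}}}}

def build_resource(message):
    '''Layout described in the report: 4-byte size, then the gzip stream. The
    trailing zero bytes stand for whatever else the resource carries; the size
    prefix (little-endian assumed) is what tells the reader where gzip data stops.'''
    gz = gzip.compress(message)
    return struct.pack('<I', len(gz)) + gz + bytes(32)

def read_resource(resource):
    size = struct.unpack('<I', resource[:4])[0]
    return gzip.decompress(resource[4:4 + size])

def payload_info(config):
    '''What an analyst wants first: drop directory, filename and payload size.'''
    drop = config[1][3][4][1]
    return {'directory': drop[2], 'filename': drop[3],
            'payload_bytes': len(config[1][1][2][2])}

if __name__ == '__main__':
    decoded = parse_message(read_resource(build_resource(encode_message(CONFIG))))
    print(payload_info(decoded))
```

On a real sample, read_resource would be applied to the bytes of the embedded .NET resource and the opaque field 1.1.2.2 would then be decrypted with the AES-CBC key and IV recovered from the loader, which is outside what this example can show offline.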
\r\n{\r\n \"1\": {\r\n \"1\": {\r\n \"2\": {\r\n \"1\": 1,\r\n \"2\": \"\u003ctruncated: AES-CBC encrypted Mallox PE\u003e\",\r\n \"3\": 1,\r\n \"4\": 1,\r\n \"5\": \"Itself\",\r\n \"6\": {},\r\n \"7\": {}\r\n }\r\n },\r\n \"2\": {\r\n \"3\": {\r\n \"1\": 30,\r\n \"3\": \"Zyzpeofm\"\r\n }\r\n },\r\n \"3\": {\r\n \"4\": {\r\n \"1\": {\r\n \"2\": \"%appdata%\",\r\n \"3\": \"Ydxhjxwf.exe\"\r\n }\r\n }\r\n }\r\n }\r\n}\r\nMallox ransomware deployment\r\nBackground\r\nMallox is a Ransomware-as-a-Service (RaaS) operation distributing the namesake ransomware. The Mallox\r\nransomware has been distributed since at least June 2021 and is also known as Fargo, TargetCompany, Mawahelper, etc.\r\nSeveral variants of the ransomware are simultaneously leveraged by Mallox operators. The attack volume\r\naccelerated in late 2022 and continued to increase throughout 2023, likely due to the RaaS launch and the\r\nadoption of the double extortion technique, as detailed in the next sections. Moreover, Mallox was\r\nreported to be the most distributed ransomware in early 2023 based on AhnLab data.\r\nInitial access\r\nThe intrusion set is reported to mainly exploit vulnerable MS-SQL servers to gain access. It was also previously\r\nreported compromising victims’ networks through brute-force and dictionary attacks targeting accounts protected\r\nwith weak credentials. 
Alternatively, Mallox operators exploit known, unpatched vulnerabilities.\r\nMallox operators deploying the Xollam variant were also reported leveraging OneNote files in phishing campaigns\r\naiming to gain access to victims’ systems.\r\nInternal structure\r\nThe Mallox representatives are likely former members of established ransomware operations. Of note, they\r\ndeclared having acquired the Mallox project from another threat group.\r\nAlthough the Mallox internal organisation and its structure remain undocumented, their negotiation website\r\nlists several “staff” accounts, which we observed evolving over time. Notably, we identified the\r\npresence of the following usernames: Admin, Support, Maestro, Team, Neuroframe, Panda and Grindr.\r\nFigure 8. Screenshot from the Mallox .onion website with the Staff section.\r\nAs detailed later in this report, we were also able to identify these usernames, in addition to Hiervos and Vampire,\r\nin Mallox ransomware samples collected in the wild in April 2024. Therefore, TDR analysts assess that these\r\nnames correspond to Mallox operators and/or affiliates of their private RaaS. 
As of April 2024, Sekoia is not able\r\nto establish any direct link between these usernames and known personas operating on the cybercrime forums we\r\nmonitor.\r\nRaaS operation\r\nWe observed the Mallox ransomware operation transitioning to the Ransomware-as-a-Service distribution model\r\nfrom mid-2022.\r\nTDR analysts identified two online personas – “Mallx” and “RansomR” (aka “Mallox”) – operating on multiple\r\nunderground forums and actively recruiting affiliates (referred to as “pentesters” in ransomware slang)\r\nto distribute the Mallox ransomware.\r\nIt is possible that RansomR and Mallx are the same individual, or two different individuals sharing the role of\r\nadministrator of the Mallox RaaS programme.\r\nOur observations reveal that the RaaS recruitment campaigns launched by the RansomR persona on numerous\r\ncybercrime forums were only maintained for a short time, and the threat actor ceased to be active in mid-2023. By\r\ncontrast, the Mallx persona persisted in recruiting affiliates for the Mallox RaaS, also acquiring initial accesses\r\non the RAMP forum and conducting other cybercrime-related activities (e.g. selling 0-day vulnerabilities) until at\r\nleast March 2024. Of note, RAMP is currently a top-tier forum and marketplace dedicated to cybercrime activities,\r\namong which Ransomware-as-a-Service is a major component.\r\nIn January 2023, Mallox representatives stated they are a small, closed ransomware group operating from the\r\nEuropean region. This is consistent with their recruiting ads on the RAMP forum posted throughout 2023, where\r\nMallx sought to expand its private affiliate programme somewhat. 
The threat actor was looking to partner with\r\nadvanced, Russian-speaking threat actors able to establish initial access on victims’ networks, either for sale to\r\nMallox operators or for direct participation in their private RaaS if the obtained accesses proved to be of\r\nsignificant interest.\r\nAs illustrated below, the Mallox RaaS operation focuses on the exploitation of Fortinet, Cisco and VPN accesses\r\nfor ransomware propagation. It follows the Big Game Hunting (BGH) strategy, targeting entities with high\r\nrevenue (over $10M), primarily in the United States, the United Kingdom, Canada, Australia and Germany.\r\nMallox’s victim selection is consistent with that of most opportunistic ransomware operations, which spare government\r\nand educational entities.\r\nFigure 9. Mallox RaaS advertisement on the RAMP forum.\r\nDouble extortion\r\nBased on our observations, Mallox was distributed in simple extortion campaigns centred on data encryption\r\nuntil early 2022.\r\nThis tactic evolved in mid-2022, when Mallox transitioned to the double extortion strategy, exfiltrating\r\nvictims’ data in addition to encrypting it and threatening to publish the stolen data. Initially, they used\r\ndedicated Twitter, Telegram and cybercrime forum accounts for data leakage.\r\nFrom October 2022 onwards, Mallox started to use dedicated TOR resources for double extortion, urging victims\r\nto open negotiations via a dedicated TOR page using the provided personal IDs, or by sending the IDs to a specific\r\nemail address. 
Based on the evidence gathered by TDR, Mallox operators communicate exclusively in English with victims on\r\ntheir negotiation portal.\r\nIn separate cases, the ransomware operators resort to triple extortion by threatening to contact the victims’\r\npartners to discredit them, and also warn victims based in Europe that they are at risk of contravening\r\nGDPR if the stolen data ends up being publicly released.\r\nThe group abuses the AnonFiles file-sharing service to upload and share exfiltrated data.\r\nRansom demands associated with Mallox compromises vary widely, reportedly ranging from $1,000 to\r\n$60,000. TDR found that in one case involving a Colombia-based victim, the ransom amount was reduced from\r\n$50,000 to $20,000 within a two-week period.\r\nVictimology of Mallox ransomware\r\nMallox is almost certainly an opportunistic intrusion set impacting organisations in various verticals, notably\r\nmanufacturing, retail and technology.\r\nAlthough Mallox representatives actively seek high-revenue targets (as indicated in recruitment posts on\r\ncybercrime forums), most of the ransomware’s victims known in open source are small and medium-sized\r\nenterprises. A few larger names are nonetheless among them, such as the Federation of Indian Chambers of Commerce\r\nand Industry and the airline Garuda Indonesia.\r\nNo victims were observed in Eastern Europe, in line with the group’s previous announcements about avoiding\r\nattacks on entities from Kazakhstan, Russia, Qatar, and Ukraine. 
Based on Trend Micro telemetry data from 2022\r\nand 2023, Mallox campaigns notably impacted Asian countries.\r\nThe victims identified by Sekoia in open source ranged from $5M to over $780M in annual revenue.\r\nOn the Mallox Data Leak Site (DLS), stolen data from over 35 victims was released between 21 October 2022 and\r\nApril 2024. It is noteworthy that the real number of Mallox compromises is expected to be much higher.\r\nFigure 10. Countries affected by Mallox since January 2023 based on claims on the Mallox Data Leak Site.\r\nPayload overview\r\nMallox ransomware is developed in C++ and implements no anti-analysis or environment detection of its own.\r\nThis is consistent with the use of PureCrypter as the initial payload in this campaign.\r\nOne of the first actions of the ransomware is to check the default language to ensure that it is not executed in a\r\nRussian-speaking environment.\r\nFigure 11. Countries not affected by Mallox since January 2023.\r\nThe ransomware then adjusts its privileges to enable SeTakeOwnershipPrivilege and SeDebugPrivilege.\r\nMallox then begins its destructive activities by starting a thread that disables certain recovery options\r\nand makes the system ignore all failures at boot time. This thread is also responsible for stopping a set of services.\r\n1. bcdedit /set {current} bootstatuspolicy ignoreallfailures\r\n2. bcdedit /set {current} recoveryenabled no\r\n3. Stop services (see figures 12 and 13):\r\nFigure 12. Extract of the services that the ransomware attempts to stop.\r\nFigure 13. Mallox function used to stop services.\r\nThe malware deletes shadow copies using the infamous command: vssadmin.exe delete shadows /all /quiet. 
It also\r\ndeletes links to tools such as wmic.exe, powershell.exe, bcdedit.exe, etc.\r\nThe main function of the ransomware iterates through the disks and drives of the infected host to encrypt files.\r\nOnce the files are encrypted, the malware registers the new victim with its Command and Control server by\r\nsending a host fingerprint over an HTTP POST request. The fingerprint includes five pieces of information:\r\nA field “user” that contains the ransomware operator’s name;\r\nA field “TargetID” that contains the victim’s identifier;\r\nA field “max_size_of_file” that contains the size of the largest file;\r\nA field “SystemInformation” that contains the OS version and architecture, the default language, the public\r\nIP address and the username;\r\nA field “size_of_hdd” that contains the size of the hard disk.\r\nFigure 14. HTTP POST request to register a new victim.\r\nBefore ending its activity, the ransomware displays the following message to the victim: “Do NOT shutdown OR\r\nreboot your PC: this might damage your files permanently!” Additionally, it alters some registry keys to hide the\r\nShutdown, Restart, and Sign out buttons in the Windows GUI menu. These changes are made in the hive\r\n“SOFTWARE\\\\Microsoft\\\\PolicyManager\\\\default\\\\Start\\\\” with the following keys:\r\nHideShutDown\r\nHideRestart\r\nHideSignOut\r\nMallox ransomware affiliates identified\r\nReversing and sandbox execution revealed data being sent via HTTP POST to the URL\r\nhxxp://91.215.85[.]142/QWEwqdsvsf/ap.php. Pivoting on this URI path takes us back to whyers[.]io, which is\r\nalso associated with Mallox. 
This URI path is therefore a helpful monitoring pattern.\r\nAs detailed previously, the data sent via POST corresponds to the host fingerprint.\r\nFigure 15. Data exchange between a victim and the Mallox C2.\r\nFigure 16. Username sent to the C2.\r\nThe system information can be viewed on the Mallox onion page and, as this network communication is the only one\r\nobserved, Sekoia assesses with high confidence that this URL serves as a relay to the Mallox .onion site.\r\nAs detailed above, maestro is identified as a Mallox “staff member”. It is also possibly a ransomware operator.\r\nTDR assesses that the “user” field carries the affiliate’s or operator’s identifier. To confirm this hypothesis, we\r\nanalysed the public sandbox executions associated with Mallox on ANY.RUN and Triage. Of the roughly twenty\r\ncases investigated, the above-mentioned URL was present in 19; in the remaining cases, the data was sent\r\nto hxxps://whyers[.]io.\r\nAs a result, five different users were identified: maestro, hiervos, admin, vampire and panda.\r\nBased on the infection IDs associated with these usernames, it was possible to obtain information on the\r\nransomware operations conducted by some of them. It was also found that Mallox creates unique payment\r\naddresses (Bitcoin and Tether) for each infection ID.\r\nFocus maestro\r\nMaestro is the user to whom the most recent of the collected samples are linked. The ransom set by Maestro is\r\nalways $5,000. An infection ID is generated each time the ransomware is run. Maestro seems to target vulnerable\r\nservers, but does not appear to seek to move laterally within the victims’ information systems.\r\nSince March 2024, it has been using PureCrypter to load Mallox. This is the only affiliate observed to use this\r\ncombination of malware.\r\nFocus vampire\r\nFew samples are linked to this user. 
The ransom demanded is usually high, e.g. $3,000,000. It also leverages the\r\ndouble extortion technique, with a bot sending a daily message in the Mallox .onion victim chat to pressure the\r\nvictims by reminding them of the number of days left to pay before the data is released.\r\nUnlike Maestro, in vampire-related campaigns the infection ID is tied to the sample: it does not vary\r\nbetween ransomware executions.\r\nBased on this information, Sekoia assumes that vampire is more likely to target a company’s entire IT system than\r\nisolated servers.\r\nFocus hiervos\r\nBased on the samples analysed, this user appeared to be one of the most active operators/affiliates in 2023. In\r\nmost cases, a different ID is generated each time the ransomware is executed. The ransom demanded was $4,500\r\nin 2023 and $3,000 in 2024. Hiervos operates in the same way as Maestro, targeting standalone servers.\r\nA case was also found where the ransomware was associated with a fixed ID. The ransom demand was also\r\nhigher, reaching $15,000.\r\nInfrastructure\r\nMaestro\r\nAll the attacks (brute force and exploitation) conducted by maestro are carried out from IP addresses in AS208091,\r\nowned by Xhost. A Shodan search on these IP addresses shows very similar profiles: they are systematically\r\nWindows Server 2012 hosts exposing the same ports, in particular NetBIOS. By pivoting on the NetBIOS names\r\nassociated with these servers, new IP addresses are identified. They always belong to the same AS and have the\r\nsame characteristics.\r\nVarious threat intelligence reports, particularly relating to ransomware activity, previously referred to this AS.\r\nResearch into the related IP addresses also shows that most of them are known to the intelligence community and\r\nare associated with brute-force attacks targeting MS-SQL, RDP and VPN services. VirusTotal shows that many of them\r\nare associated with hosting malware, in particular PureCrypter. 
\r\nXhost overview\r\nAS208091 is owned by the company XHOST INTERNET SOLUTIONS LP, registered in the United Kingdom on\r\n31 January 2022. According to Companies House records, the company’s office is registered at\r\nSuite 6060, 128 Aldersgate Street, Barbican, London, England, EC1A 4AE. It is a virtual office address belonging\r\nto Mail Boxes Etc. Xhost Internet Solutions is a Limited Partnership (LP); its partners are two companies\r\ndomiciled in the Seychelles that appear in various open-source articles covering financial controversies.\r\nEstablishing Limited Partnerships (LPs) or Limited Liability Partnerships (LLPs) in the UK is recognised as a\r\ncommon method exploited for money laundering.\r\nThe Xhost website hxxps://www.isxhost[.]uk/ is static and does not display any customer interface; only a contact\r\npage points to an email address that did not respond to our solicitation. The abuse email address returns a 550\r\nmail error (Mailbox is full / Blocks limit exceeded / Inode limit exceeded). It is a kind of empty shell.\r\nXhost presents the profile of a shell company whose website serves to legitimise its business. Sekoia continues its\r\ninvestigation to determine who manages the company’s assets (range of IP addresses and AS).\r\nDetection\r\nMS-SQL logs are not natively collected in a Windows event log. However, they do contain information that is\r\nuseful for detecting a compromise, and it is recommended to include them in the SOC perimeter. Based on MS-SQL\r\nlogs:\r\nTrack connections to the MS-SQL server, particularly from public IP addresses. 
Monitor IP addresses that\r\nmanage to connect after several failed authentications.\r\nCheck configuration changes, in particular the activation of xp_cmdshell, clr enabled or Ole Automation Procedures.\r\nThe execution of drop commands and payload execution via the MS-SQL server can be detected based on the\r\nprocess tree. This type of rule works very well on a honeypot, but in production it runs the risk of generating false\r\npositives linked to the use of advanced stored procedures by sysadmins or DBAs.\r\ndetection:\r\n  selection:\r\n    process.parent.name: 'sqlservr.exe'\r\n    process.name: 'cmd.exe'\r\n    process.command_line|contains:\r\n      - 'ProgramData'\r\n      - 'WMIC'\r\n      - 'powershell'\r\n  condition: selection\r\nWMI is abused by attackers; in this case, WMIC is called to execute the payload. This behaviour is relevant and\r\ncould be detected with this rule:\r\ndetection:\r\n  selection:\r\n    process.command_line|re: '(?i).*process[^a-z]+call[^a-z]+create[^a-z].*'\r\n  condition: selection\r\nMallox uses bcdedit to inhibit system recovery. This technique could be caught with this rule:\r\ndetection:\r\n  case1:\r\n    process.name: 'bcdedit.exe'\r\n    process.command_line|contains|all:\r\n      - 'set'\r\n      - 'bootstatuspolicy'\r\n      - 'ignoreallfailures'\r\n  case2:\r\n    process.name: 'bcdedit.exe'\r\n    process.command_line|contains|all:\r\n      - 'set'\r\n      - 'recoveryenabled'\r\n      - 'no'\r\n  condition: 1 of case*\r\nAlthough the downloaded file has an mp4, mp3 or wav extension, its MIME type does not correspond to a\r\nmultimedia file. If the proxy logs the real MIME type of the file, comparing the extension with the MIME\r\ntype makes it possible to detect this masquerade.\r\nConclusion\r\nThe Mallox ransomware operation has been active since June 2021, and enhanced its reach over time with the\r\nadoption of the (private) RaaS model and the double extortion technique. 
\r\nThe MS-SQL exploitation operations detailed in this report are consistent with the previously documented initial access methods attributed to the Mallox group.\r\nOur recent investigations into Mallox-related compromises provided valuable insights into its business model. Of particular interest is the use of two distinct operating methods. The first involves the targeting of vulnerable servers in a single operation, which makes it possible to remain discreet in return for relatively low revenues. The second involves a broader compromise of information systems coupled with double extortion tactics, resulting in significantly higher income.\r\nOur analysis also highlights various users of this RaaS, including Maestro, who appears to be both a member of the staff and a ransomware operator. The investigation reveals the common TTPs leveraged by this operator, who focuses on targeting MS-SQL servers, and details the techniques used to exploit vulnerable servers. The use of Xhost IP addresses also stands out as a significant behavioural pattern associated with Maestro.\r\nWhen investigating the hosting company Xhost Internet linked to AS208091, suspicions arise. While formal links with cybercrime-related activities remain unproven, the involvement of this AS in previous instances of ransomware compromise, and the length of time its IP addresses have remained under observation, are intriguing. Sekoia.io analysts will continue to monitor activities associated with this AS and to investigate the related operations.\r\nThank you for reading this blog post. Please don’t hesitate to provide your feedback on our publications by clicking here. 
You can also contact us at tdr[at]sekoia.io for further discussions.\r\nIoCs\r\nThe list of IoCs is available on the Sekoia GitHub repository.\r\nSource: https://blog.sekoia.io/mallox-ransomware-affiliate-leverages-purecrypter-in-microsoft-sql-exploitation-campaigns/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.sekoia.io/mallox-ransomware-affiliate-leverages-purecrypter-in-microsoft-sql-exploitation-campaigns/"
	],
	"report_names": [
		"mallox-ransomware-affiliate-leverages-purecrypter-in-microsoft-sql-exploitation-campaigns"
	],
	"threat_actors": [
		{
			"id": "0b8ea9bb-b729-438a-ae1f-4240db936fd7",
			"created_at": "2023-06-23T02:04:34.839947Z",
			"updated_at": "2026-04-10T02:00:04.99239Z",
			"deleted_at": null,
			"main_name": "8220 Gang",
			"aliases": [
				"8220 Mining Group",
				"Returned Libra",
				"Water Sigbin"
			],
			"source_name": "ETDA:8220 Gang",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "942c5fbc-31df-4aef-8268-e3ccf6692ec8",
			"created_at": "2024-07-09T02:00:04.434476Z",
			"updated_at": "2026-04-10T02:00:03.671196Z",
			"deleted_at": null,
			"main_name": "Water Sigbin",
			"aliases": [
				"8220 Gang"
			],
			"source_name": "MISPGALAXY:Water Sigbin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434602,
	"ts_updated_at": 1775791701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9d9d19cb54babb636513bb3f0045e8695f6cddd0.pdf",
		"text": "https://archive.orkl.eu/9d9d19cb54babb636513bb3f0045e8695f6cddd0.txt",
		"img": "https://archive.orkl.eu/9d9d19cb54babb636513bb3f0045e8695f6cddd0.jpg"
	}
}