{
	"id": "54af6e9c-39a1-4e4c-af46-52ada226fa26",
	"created_at": "2026-04-06T00:15:24.079101Z",
	"updated_at": "2026-04-10T03:21:07.614299Z",
	"deleted_at": null,
	"sha1_hash": "a31acabf2ebce877c8de4e189ab03ff149b35340",
	"title": "TFlower (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 28457,
	"plain_text": "TFlower (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 21:44:36 UTC\r\nTFlower is a new ransomware targeting mostly corporate networks discovered in August, 2019. It is reportedly\r\ninstalled on networks by attackers after they gain access via RDP. TFlower displays a console showing activity\r\nbeing performed by the ransomware when it encrypts a machine, further indicating that this ransomware is\r\ntriggered by the attacker post compromise, similar to Samsam/Samas in terms of TTP. Once encryption is started,\r\nthe ransomware will conduct a status report to an apparently hard-coded C2. Shadow copies are deleted and the\r\nWindows 10 repair environment is disabled by this ransomware. This malware also will terminate any running\r\nOutlook.exe process so that the mail files can be encrypted. This ransomware does not add an extention to\r\nencrypted files, but prepends the marker \"*tflower\" and what may be the encrypted encryption key for the file to\r\neach affected file. Once encryption is completed, another status report is sent to the C2 server.\r\n[TLP:WHITE] win_tflower_auto (20251219 | Detects win.tflower.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.tflower\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.tflower\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.tflower"
	],
	"report_names": [
		"win.tflower"
	],
	"threat_actors": [],
	"ts_created_at": 1775434524,
	"ts_updated_at": 1775791267,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a31acabf2ebce877c8de4e189ab03ff149b35340.pdf",
		"text": "https://archive.orkl.eu/a31acabf2ebce877c8de4e189ab03ff149b35340.txt",
		"img": "https://archive.orkl.eu/a31acabf2ebce877c8de4e189ab03ff149b35340.jpg"
	}
}