{
	"id": "7ac819ee-f7e1-4e99-854b-90a74cd36238",
	"created_at": "2026-04-06T01:31:56.295033Z",
	"updated_at": "2026-04-10T03:36:37.120257Z",
	"deleted_at": null,
	"sha1_hash": "a38000b4525fe499078a09d23b107dae4a4eaefd",
	"title": "Recent TZW Campaigns Revealed As Part of GlobeImposter Malware Family",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5982133,
	"plain_text": "Recent TZW Campaigns Revealed As Part of GlobeImposter Malware Family\r\nBy Jim Walter\r\nPublished: 2023-02-15 · Archived: 2026-04-06 01:10:17 UTC\r\nIn recent years, efforts to apprehend threat groups and shrink their operating landscape have gone international. As authorities across multiple countries continue to implement sanctions and openly communicate current trends to the public, threat groups increasingly resort to rebranding or creating similar variants under different names to sidestep crackdowns and obfuscate their identities.\r\nIn a February 2023 blog post, AhnLab described a new ransomware campaign affecting South Korean organizations which deployed malware they dubbed “TZW” ransomware. Our research links TZW ransomware to a known malware family called GlobeImposter (sometimes referred to as LOLNEK or LOLKEK). Close inspection of host origins and prominent file similarities in both TZW and GlobeImposter campaigns suggests that the actors behind GlobeImposter are updating their payloads and obfuscating their infrastructure in a manner consistent with a rebrand effort.\r\nOverview of GlobeImposter \u0026 New Variant TZW\r\nGlobeImposter has a long and winding history. First observed in the wild in 2016, the ransomware is named “GlobeImposter” for its mimicry of Globe ransomware payloads. Multiple new versions and variations of GlobeImposter have appeared in the years since. Frequently, these have been referred to by their file extension (e.g., .DREAM, .Nutella, .NARCO, .LEGO). However, these are all part of the same umbrella malware family. In that same year, Emsisoft released a decryption tool for early versions of GlobeImposter. Shortly after, the malware authors responded with an updated version for which no decryption tools are available.\r\nSince 2017, campaigns delivering GlobeImposter have continued to proliferate even though the ransomware has only evolved slightly. 
The ransomware has also been used in conjunction with some well-documented high-end cybercriminal groups. For example, in 2017 TA505 (also known as G0092, GOLD TAHOE) began using GlobeImposter in place of Jaff, GandCrab, and Snatch to extend the reach and effectiveness of their campaigns.\r\nGlobeImposter’s Delivery Methods Explained\r\nGlobeImposter is most often delivered via phishing email as an attachment or a link to a malicious attachment. The payloads are typically distributed via 7zip or traditional zip file archives. The archives often include a JavaScript (.js) file that downloads and executes the GlobeImposter payload.\r\nhttps://www.sentinelone.com/blog/recent-tzw-campaigns-revealed-as-part-of-globeimposter-malware-family/\r\nPage 1 of 10\r\nMore recent campaigns from within the past three years still tend to follow this formula.\r\nGlobeImposter has also been distributed as a later-stage infection within some well-known botnets. For example, in 2017 GlobeImposter was distributed via the Necurs botnet. This occurred as part of multiple spam campaigns that also included 7zip archives and followed the execution flow previously described.\r\nLinking TZW Attacks to GlobeImposter\r\nAhnLab’s research revealed a ransomware campaign they referred to as “TZW” with victims in South Korea. The name is derived from the first three characters of the TOR-based victim portal. A closer look suggests that “TZW” samples represent a new variant of the GlobeImposter family.\r\nThe pre-TZW GlobeImposter ransom notes follow the same template as the current TZW samples. 
Ransom note similarities are far from reliable on their own, but their likenesses are worth noting.\r\nExample of a GlobeImposter ransom note.\r\nExample of a TZW variant GlobeImposter ransom note.\r\nOnce a machine is infected, more concrete markers indicate a deeper level of similarity. One such marker is the “CRYPTO LOCKER” string appended to the tail of the encrypted files. This is a known marker present across GlobeImposter variants.\r\nExamples of CRYPTO LOCKER markers at EOF (TZW and LOLKEK variants).\r\nGlobeImposter has the ability to delete volume shadow copies, thereby inhibiting the recovery of data. There are clear similarities in the methodology of the VSS removal.\r\nGlobeImposter shadow copy removal highlights.\r\nGlobeImposter vs TZW variant shadow copy removal procedure.\r\nCode and functionality, by and large, are identical across GlobeImposter payloads pointing to obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd[.]onion and those pointing to the newer tzw7ckhurmxgcpajx6gy57dkrysl2sigfrt6nk4a3rvedfldigtor7ad[.]onion.\r\nA thorough comparison of the two respective samples shows there are only minor differences.\r\nZoomed-out view of GlobeImposter (hex) compared against the TZW variation.\r\nAhnLab’s research describes artifacts from a specific sample within a specific campaign. We have seen the newer TZW variations vary somewhat with regard to file metadata.\r\nTwo TZW payloads, varied file metadata.\r\nA majority of the TZW variant samples that we have analyzed resemble the version on the left-hand side. 
The version on the right was seen in the samples noted by AhnLab.\r\nUnderstanding TZW and GlobeImposter’s Shared Infrastructure\r\nPrevious GlobeImposter payloads directed victims to a TOR-based portal at obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd[.]onion.\r\nGlobeImposter Victim Portal 1.\r\nBeginning in late 2022, we started to see victims also being directed to tzw7ckhurmxgcpajx6gy57dkrysl2sigfrt6nk4a3rvedfldigtor7ad[.]onion. The interfaces and required steps are identical:\r\nGlobeImposter Victim Portal 2 from late 2022 onward.\r\nAt the time of writing, both victim portals remain active. In addition, we can confirm the relationship between them via the publicly viewable Apache Server Status page.\r\nThis Apache status screen is visible as a result of a misconfiguration on the Apache server, allowing us to see all the active vhosts (virtual hosts) present there.\r\nApache Status page – GlobeImposter victim portal.\r\nThrough this view we see that the following vhosts are active on the device:\r\nobzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd[.]onion\r\ntzw7ckhurmxgcpajx6gy57dkrysl2sigfrt6nk4a3rvedfldigtor7ad[.]onion\r\nlinux[.]3bcd0a[.]com\r\nVhosts on GlobeImposter victim portal.\r\nThis evidence of shared infrastructure suggests that the newly rebranded TZW ransomware samples are likely being operated by the same group that was pushing recent waves of GlobeImposter malware.\r\nHow to Protect Against GlobeImposter and TZW Ransomware\r\nSentinelOne Singularity™ protects against malicious behaviors and malware associated with GlobeImposter and TZW. With the site policy set to Protect, GlobeImposter ransomware is detected and prevented automatically. 
In Detect-only mode, analysts can observe the malware’s behavior and file encryption attempts, rolling back the device to a clean state on completion of the test.\r\nConclusion\r\nBased on our analysis, the TZW ransomware recently documented by AhnLab is yet another example of the threat actors behind GlobeImposter pivoting their TTPs alongside a rebrand, including a new but related Onion address. We also show that the old “LOLNEK” Onion address and the Onion address within the TZW variant are hosted on the same server as two vhosts.\r\nRegardless of the name or brand, GlobeImposter continues to pose a threat to enterprises. Ensuring good user hygiene, along with strong, properly configured, and robust security controls, will go a long way to prevent these attacks from affecting your environment.\r\nSentinelOne Singularity™ protects against malicious behaviors and malware associated with GlobeImposter and TZW.\r\nIndicators of Compromise\r\nSHA1\r\nOnions\r\ntzw7ckhurmxgcpajx6gy57dkrysl2sigfrt6nk4a3rvedfldigtor7ad[.]onion\r\nobzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd[.]onion\r\nMITRE ATT\u0026CK\r\nT1005 – Data from Local System\r\nT1202 – 
Indirect Command Execution\r\nT1486 – Data Encrypted for Impact\r\nT1070.004 – Indicator Removal: File Deletion\r\nT1112 – Modify Registry\r\nT1012 – Query Registry\r\nT1083 – File and Directory Discovery\r\nT1027.002 – Obfuscated Files or Information: Software Packing\r\nT1082 – System Information Discovery\r\nT1490 – Inhibit System Recovery\r\nT1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nSource: https://www.sentinelone.com/blog/recent-tzw-campaigns-revealed-as-part-of-globeimposter-malware-family/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/blog/recent-tzw-campaigns-revealed-as-part-of-globeimposter-malware-family/"
	],
	"report_names": [
		"recent-tzw-campaigns-revealed-as-part-of-globeimposter-malware-family"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439116,
	"ts_updated_at": 1775792197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a38000b4525fe499078a09d23b107dae4a4eaefd.pdf",
		"text": "https://archive.orkl.eu/a38000b4525fe499078a09d23b107dae4a4eaefd.txt",
		"img": "https://archive.orkl.eu/a38000b4525fe499078a09d23b107dae4a4eaefd.jpg"
	}
}