{
	"id": "84f7d673-ffc8-4bcd-ad77-e4ef3034d32b",
	"created_at": "2026-04-06T00:18:05.438404Z",
	"updated_at": "2026-04-10T13:13:00.863953Z",
	"deleted_at": null,
	"sha1_hash": "a740c1b4eaad06e9ed274fb516a40a636672415b",
	"title": "CosmicBeetle steps up: Probation period at RansomHub",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1130984,
	"plain_text": "CosmicBeetle steps up: Probation period at RansomHub\r\nBy Jakub Souček\r\nArchived: 2026-04-02 11:08:11 UTC\r\nESET researchers have mapped the recent activities of the CosmicBeetle threat actor, documenting its new\r\nScRansom ransomware and highlighting connections to other well-established ransomware gangs.\r\nCosmicBeetle actively deploys ScRansom to SMBs in various parts of the world. While not being top notch, the\r\nthreat actor is able to compromise interesting targets.\r\nCosmicBeetle replaced its previously deployed ransomware, Scarab, with ScRansom, which is continually\r\nimproved. We have also observed the threat actor using the leaked LockBit builder and trying to leech off\r\nLockBit’s reputation by impersonating the infamous ransomware gang both in ransom notes and leak site.\r\nBesides LockBit, we believe with medium confidence that CosmicBeetle is a new affiliate of RansomHub, a new\r\nransomware gang active since March 2024 with rapidly increasing activity.\r\nIn this blogpost, we examine CosmicBeetle’s activities during the past year and analyze the connections to other\r\nwell-established ransomware gangs. We also provide insight into ScRansom.\r\nKey points of the blogpost:\r\nCosmicBeetle remains active in 2024, continually improving and distributing its custom\r\nransomware, ScRansom.\r\nWe provide an analysis of ScRansom, emphasizing that it is impossible to restore some\r\nencrypted files.\r\nCosmicBeetle has been experimenting with the leaked LockBit builder and has been trying to\r\nabuse its brand.\r\nCosmicBeetle may be a recent affiliate of the ransomware-as-a-service actor RansomHub.\r\nCosmicBeetle exploits years-old vulnerabilities to breach SMBs all over the world.\r\nOverview\r\nCosmicBeetle, active since at least 2020, is the name ESET researchers assigned to a threat actor discovered in\r\n2023. 
This threat actor is most known for the usage of its custom collection of Delphi tools, commonly called\r\nSpacecolon, consisting of ScHackTool, ScInstaller, ScService, and ScPatcher. In August 2023, ESET researchers\r\npublished their insights into CosmicBeetle. Shortly before publishing, new custom ransomware we named\r\nScRansom appeared that we believe, with high confidence, is related to CosmicBeetle. We have since found\r\nfurther reasons to increase our confidence of this relation and believe that ScRansom is now that group’s\r\nransomware of choice, replacing the previously utilized Scarab ransomware.\r\nhttps://www.welivesecurity.com/en/eset-research/cosmicbeetle-steps-up-probation-period-ransomhub/\r\nPage 1 of 17\n\nAt the time of that publication in 2023, we had not observed any activity in the wild. That, however, changed\r\nshortly thereafter. CosmicBeetle has since been spreading ScRansom to SMBs, mainly in Europe and Asia.\r\nScRansom is not very sophisticated ransomware, yet CosmicBeetle has been able to compromise interesting\r\ntargets and cause great harm to them. Mostly because CosmicBeetle is an immature actor in the ransomware\r\nworld, problems plague the deployment of ScRansom. Victims affected by ScRansom who decide to pay should\r\nbe cautious. While the decryptor itself works as expected (at the time of writing), multiple decryption keys are\r\noften required and some files may be permanently lost, depending on how CosmicBeetle proceeded during\r\nencryption. We go into more details later in this blogpost. In keeping with our experience regarding CosmicBeetle,\r\nan interesting study of immature ransomware groups recently published by GuidePoint Security shows\r\ncorresponding results.\r\nCosmicBeetle partially tried to address, or rather hide, these issues by impersonating the recently disrupted\r\nLockBit, probably the most infamous ransomware gang of the past few years. 
By abusing the LockBit brand\r\nname, CosmicBeetle hoped to better persuade victims to pay. CosmicBeetle also utilized the leaked LockBit Black\r\nbuilder to generate its custom samples with a ransom note in Turkish.\r\nRecently, we have investigated an interesting case that leads us to believe that CosmicBeetle may be a new\r\naffiliate of RansomHub. RansomHub is a fairly recently emerged ransomware-as-a-service gang that quickly\r\ngained the public’s eye when Notchy, the notorious affiliate of the BlackCat ransomware gang who claimed\r\nresponsibility for the attack on Change Healthcare, complained that BlackCat stole Notchy’s ransom payment and\r\nwill therefore be partnering with the rival gang RansomHub instead.\r\nThis blogpost documents the evolution of ScRansom for the past year and CosmicBeetle’s approach to\r\ncompromising victims. We also dive deeper into the threat actor’s relations to other ransomware gangs.\r\nAttribution\r\nWe believe with high confidence that ScRansom is the newest addition to CosmicBeetle’s custom toolset. In this\r\nsection, we explain our reasoning.\r\nESET telemetry shows several cases where ScRansom deployment overlaps with other tools commonly used by\r\nCosmicBeetle. Additionally, a ZIP archive uploaded to VirusTotal contains two embedded archives, each one\r\nprobably containing samples from an intrusion. Both archives contain ScRansom, ScHackTool, and other tools\r\ncommonly used by CosmicBeetle, further supporting our suspicions.\r\nThere is a lot of code similarity between ScRansom and previous CosmicBeetle tooling, namely:\r\nDelphi as the programming language of choice,\r\nIPWorks library for encryption,\r\nidentical Turkish strings in the code,\r\nusing spaces after colons in strings, which earned the Spacecolon toolset its name, and\r\nGUI similarity with ScHackTool.\r\nAll of these similarities further strengthen our attribution. 
Although Zaufana Trzecia Strona analysts recently\r\npublished a blogpost about CosmicBeetle where they attributed CosmicBeetle to an actual person – a Turkish\r\nsoftware developer, ESET researchers don’t think this attribution is accurate. That attribution is based on the\r\ncustom encryption scheme used in ScHackTool (not ScRansom). Specifically, they found a malicious sample\r\n(SHA‑1: 28FD3345D82DA0CDB565A11C648AFF196F03D770) that contains this algorithm and is signed by a\r\nTurkish software development company VOVSOFT with a strange-looking headquarters.\r\nBut the mentioned sample does not belong to VOVSOFT; it is actually a malicious patched version of Disk\r\nMonitor Gadget, one of many products developed by VOVSOFT, which is properly signed (SHA-1:\r\n2BA12CD5E44839EA67DE8A07734A4E0303E5A3F8). Moreover, the digital signature was copied from the\r\nlegitimate version and simply appended to the patched version, resulting in the malicious sample apparently being\r\nsigned, but not having a valid signature.\r\nInterestingly, ScHackTool’s encryption scheme is used in the legitimate Disk Monitor Gadget too. Zaufana\r\nTrzecia Strona analysts discovered that the algorithm likely originates from this Stack Overflow thread from 13\r\nyears ago. Since the author of the post, MohsenB, has been an active user of Stack Overflow since 2012 – and,\r\nbased on profile pictures, is not the VOVSOFT developer himself – it is likely that this algorithm was adapted by\r\nVOVSOFT and, years later, CosmicBeetle stumbled upon it and used it for ScHackTool.\r\nInitial access and victimology\r\nCosmicBeetle often uses brute-force methods to breach its targets. 
Besides that, the following vulnerabilities are\r\nbeing exploited by the threat actor:\r\nCVE-2017-0144 (aka EternalBlue),\r\nCVE-2023-27532 (a vulnerability in a Veeam Backup \u0026 Replication component),\r\nCVE-2021-42278 and CVE-2021-42287 (AD privilege escalation vulnerabilities) through noPac,\r\nCVE-2022-42475 (a vulnerability in FortiOS SSL-VPN), and\r\nCVE-2020-1472 (aka Zerologon).\r\nSMBs from all sorts of verticals all over the world are the most common victims of this threat actor because that is\r\nthe segment most likely to use the affected software and to not have robust patch management processes in place.\r\nCosmicBeetle’s leak site is, as we will demonstrate shortly, very unreliable and inconsistent; therefore we refer to\r\nESET telemetry. Figure 1 demonstrates CosmicBeetle’s victims according to ESET telemetry.\r\nFigure 1. Heatmap of CosmicBeetle attacks since August 2023, according to ESET telemetry\r\nWe observed attacks on SMBs in the following verticals:\r\nmanufacturing,\r\npharmaceuticals,\r\nlegal,\r\neducation,\r\nhealthcare,\r\ntechnology,\r\nhospitality leisure,\r\nfinancial services, and\r\nregional government.\r\nBrand\r\nMost ransom notes dropped by ScRansom do not assign a name to the ransomware. CosmicBeetle relies mainly\r\non email and qTox, an instant messaging application utilized by many ransomware gangs, mainly due to its usage\r\nof the Tox protocol. The Tox protocol provides peer-to-peer end-to-end encrypted communication.\r\nThe only name CosmicBeetle chose for its custom ransomware is, ironically, NONAME, as the threat actor briefly\r\nbranded the ransomware, which we discuss in the following section. 
Due to the chaotic nature of the branding, for\r\nthe purpose of this blogpost, we will continue to refer to the ransomware as ScRansom.\r\nLockBit copycat\r\nIn September 2023, CosmicBeetle decided to set up a dedicated leak site (DLS) on Tor, which it named\r\nNONAME. This site, illustrated in Figure 2, is a rip-off of LockBit’s leak site (see Figure 3).\r\nFigure 2. NONAME dedicated leak site on Tor\r\nFigure 3. Typical design of the real LockBit dedicated leak site\r\nWhile a few graphical changes have been made, the inspiration is still clear. Moreover, the design is not the only\r\nsimilarity with LockBit. All of the victims visible in Figure 2 were actually compromised by LockBit, not\r\nScRansom. This can be verified by using DLS tracking services, such as RansomLook. All of the victims were\r\nposted on LockBit’s leak site, most of them in September 2023, shortly before the NONAME DLS appeared. The\r\nWork ID string is added to increase the illusion of being related to ScRansom, as this is how victims are identified\r\nin ransom notes.\r\nIn early November 2023, CosmicBeetle went a step further and impersonated LockBit\r\ncompletely. They did so by registering the domain lockbitblog[.]info and using the same approach as for the\r\nNONAME DLS, only this time, they included the LockBit logo as well (see Figure 4). Then, for a time,\r\nScRansom’s ransom notes linked to this website. The same inspiration is visible and the graphical similarity to the\r\nNONAME DLS (Figure 2) is undeniable.\r\nFigure 4. 
Website mimicking the official LockBit leak site, set up by CosmicBeetle\r\nA sample built using the leaked LockBit 3.0 builder was uploaded to VirusTotal in August 2024 from Türkiye.\r\nWhat makes this sample unique is that it uses a ransom message (see Figure 5) in Turkish and the qTox ID it\r\nmentions is one we conclusively linked to CosmicBeetle. ESET telemetry corroborates this connection, as we\r\nhave investigated a case where deployment of LockBit overlapped with CosmicBeetle’s toolset.\r\nI have encrypted your data and for the fee you will pay, I will reconnect to your system, decrypt it and deliver it to\r\nyou.\r\nWe would like you to know that you cannot get your data back with known data recovery methods.\r\nThese methods will only cause you to lose time.\r\nHowever, if you still want to use data recovery companies or programs, please perform and/or have performed the\r\nprocess on their copies, not on your original files.\r\nCorruption of the original files may cause irreversible damage to your data.\r\nThe originals of your encrypted files have been deleted by using a random data writing technique.\r\nYour backups have been deleted by writing data on all the backups in your NAS Storage and Disks.\r\nIf a return is not made within 48 hours, the password used in the system will be deleted and your data will never\r\nbe returned.\r\nYour disks are encrypted with Full disk encryption, unauthorized intervention will cause permanent data loss!\r\nDo not believe the computer guys who say they will not open even if you pay them or the people around you who\r\nsay they will take your money and not give you your files\r\nI have enough references to trust you\r\nI do not know you, so there is no point in having bad feelings towards you or doing you harm,\r\nmy only aim is to make an income from this business. 
After your payment,\r\nI will connect to your server as soon as possible to restore your data.\r\nI will also explain how to secure your system after this process so that such incidents will never happen to you\r\nagain.\r\nPersonal Key\r\ne-mail 1 : sunucuverikurtarma@gmail[.]com\r\nBackup\r\ne-mail : serverdatakurtarma@mail[.]ru\r\nQTOX :\r\nA5F2F6058F70CE5953DC475EE6AF1F97FC6D487ABEBAE76915075E3A53525B1D863102EDD50E\r\nFigure 5. Ransom note that contains a TOX ID used by CosmicBeetle, dropped by a LockBit sample. Text was\r\nmachine translated from Turkish.\r\nRelation to RansomHub\r\nUsing leaked builders is a common practice for immature ransomware gangs. It allows them to abuse the brand of\r\ntheir well-established competitors while also providing them with a ransomware sample that usually works\r\nproperly. The LockBit connection, however, is not the only one we have observed.\r\nIn June, we investigated an incident involving ScRansom. From our telemetry, we were able to gather the\r\nfollowing:\r\nOn June 3rd, 2024 CosmicBeetle attempted to compromise a manufacturing company in India with\r\nScRansom.\r\nAfter failing, CosmicBeetle tried a variety of process-killing tools to remove EDR protection, namely:\r\nReaper,\r\nDarkside, and\r\nRealBlindingEDR.\r\nOn June 8th, 2024, RansomHub’s EDR killer was executed on the same machine.\r\nOn June 10th, 2024, RansomHub was executed on the same machine.\r\nThe way RansomHub’s EDR killer was executed is very unusual. It was manually extracted via WinRAR from an\r\narchive stored at C:\\Users\\Administrator\\Music\\1.0.8.zip and executed. Such execution is very unusual for\r\nRansomHub affiliates. On the other hand, using the Music folder and manually extracting and executing payloads\r\ncertainly is typical CosmicBeetle behavior.\r\nTo our knowledge, there are no public leaks of RansomHub code or its builder (though RansomHub itself is\r\nprobably based on code bought from Knight, another ransomware gang). 
Therefore, we believe with medium\r\nconfidence that CosmicBeetle enrolled itself as a new RansomHub affiliate.\r\nTechnical analysis\r\nSimilar to the rest of CosmicBeetle’s custom arsenal, ScRansom is written in Delphi. The earliest samples we\r\nwere able to obtain were compiled at the end of March 2023, though, to the best of our knowledge, in-the-wild\r\nattacks didn’t start before August. ScRansom is under ongoing development.\r\nThe GUI is typical for Delphi applications, though not so much for ransomware. All ScRansom samples contain a\r\nstructured GUI. The older samples, usually named “Static” by the developers, require user interaction to actually\r\nencrypt anything. While this may seem a complication, it may be one of the reasons why ScRansom evaded\r\ndetection for some time, as running such samples in analysis sandboxes does not display any malicious activity.\r\nLaunching such an encryptor requires the threat actor to have access to the victim’s screen and be able to\r\nmanipulate their mouse. This is not the first time CosmicBeetle has used this approach – ScHackTool is also a tool\r\nthat needs to be executed on the victim’s machine and requires manual interaction. We are not entirely sure how\r\nCosmicBeetle achieves this goal, but guessing from the other tools used, we believe using VPN access with\r\npreviously stolen credentials and RDP is the most probable scenario.\r\nCosmicBeetle also has experimented with a rarely seen variant named “SSH”. The encryptor logic is identical to\r\nthe other variants, but instead of encrypting local files, it encrypts files over FTP.\r\nNewer builds utilize automation, though only by simulating clicking the correct buttons from code. 
These\r\nautomated builds, named “Auto” by the developers, are usually bundled inside an MSI installer together with\r\nsmall tools or scripts to delete shadow copies. The GUI is hidden by default; its most recent version is illustrated\r\nin Figure 6.\r\nFigure 6. User interface of ScRansom\r\nA complex GUI with a lot of buttons, some of which do nothing, is typical for CosmicBeetle. While the GUI with\r\nfour tabs looks complex, the functionality is actually very straightforward. ScRansom encrypts files on all fixed,\r\nremote, and removable drives based on a hardcoded list of extensions (see Appendix A: Targeted file extensions) –\r\nthis list can be modified via the text box labeled Extensions.\r\nScRansom employs partial encryption – only parts of the file are encrypted. Five encryption modes are supported:\r\nFAST\r\nFASTEST\r\nSLOW\r\nFULL\r\nERASE\r\nThe first four modes simply differ in how the ransomware decides what portions of the file to encrypt. Their\r\nutilization seems to still be partially in development, as not all of the modes are used. The last mode, ERASE, is\r\nimportant, however – when applied, selected portions of targeted files are not encrypted but their contents are\r\nreplaced with a constant value, rendering these files unrecoverable. Which mode is applied for a given file is\r\ndetermined either via the radio buttons in the Actions tab or via the inclusion of its extension in the Criteria tab.\r\nThe extensions list labeled Virtual Extensions triggers a different encryption function that, however, is identical to\r\nthe regular one. 
As you probably guessed, White Extensions should define a list of extensions excluded from\r\nencryption, though this feature is not implemented.\r\nBesides encrypting, ScRansom also kills various processes and services (see Appendix B: Processes killed and\r\nAppendix C: Services killed). Recently, a new Delphi sample was split off from ScRansom into a part that we\r\nnamed ScKill, whose sole purpose is to kill processes. ScRansom also employs debug-like features like loading a\r\nlist of extensions to encrypt from an ext.txt file and ransom note content from a note.txt file.\r\nEncryption\r\nInitial ScRansom samples utilized simple symmetric encryption using AES-CTR-128. Since December 2023, the\r\nencryption scheme has been updated. The new scheme is quite (unnecessarily) complex. ScRansom, at the start,\r\ngenerates an AES key we will call ProtectionKey, and an RSA-1024 key pair we will call RunKeyPair.\r\nEvery ScRansom sample using this new scheme contains a hardcoded public RSA key from a pair we will call\r\nMasterKeyPair. This public key is encrypted using RSA into what CosmicBeetle calls Decryption ID.\r\nFor every file, an AES-CTR-128 key that we will call FileKey is generated. Portions of the file are then encrypted\r\nusing AES with FileKey. 
When ScRansom finishes encrypting a file, it appends data to its end, specifically:\r\nThe string TIMATOMA (or TIMATOMAFULL if the whole file was encrypted).\r\nThe string TBase64EncodingButton12ClickTESTB64@#$% (TESTB64 in older builds), encrypted by\r\nAES using FileKey.\r\nThe following entries, delimited by $ (a dollar sign):\r\nHex-encoded RunKeyPair.Public,\r\nDecryption ID,\r\nRunKeyPair.Private, encrypted using AES-CTR-128 with ProtectionKey, and\r\nFileKey, encrypted using RSA with RunKeyPair.Public.\r\nInformation about the start and length of each encrypted block (absent if the full file is encrypted).\r\nFinally, Decryption ID is stored into a text file named DECRYPTION_IDS.TXT and also written in the ransom\r\nnote named HOW TO RECOVERY FILES.TXT. Decryption ID is different each time the encryptor is executed.\r\nOn subsequent execution(s), the Decryption IDs are appended to the DECRYPTION_IDS.TXT file, but not\r\nupdated in the ransom note.\r\nThe filename (including extension) is then base64 encoded and the .Encrypted extension appended. Despite the\r\ncomplexity of the whole process, we have summarized it in Figure 7.\r\nFigure 7. Encryption scheme utilized by the latest ScRansom samples\r\nDecryption\r\nWe were able to obtain a decryptor implemented by CosmicBeetle for this recent encryption scheme.\r\nCosmicBeetle does not provide its victims with the MasterKeyPair.Private key but with the already decrypted\r\nProtectionKey (that needs to be entered in the field labeled CPriv Aes Key). Additionally, the decryptor expects\r\nthe Decryption ID, which is useless, as the private key is not provided; indeed, the decryptor ignores its value. The\r\nGUI of the decryptor is illustrated in Figure 8.\r\nFigure 8. GUI of a ScRansom decryptor. 
ProtectionKey needs to be entered into the text box labeled\r\nCPriv Aes Key\r\nIf the correct ProtectionKey is entered, the decryptor works as expected. If victims decide to pay the ransom, they\r\nneed to collect all Decryption IDs from all the machines where ScRansom was executed. CosmicBeetle then\r\nneeds to provide a different ProtectionKey for all of the Decryption IDs. Victims then need to manually run the\r\ndecryptor on every encrypted machine, enter the correct ProtectionKey (or try all of them), click the Decrypt\r\nbutton and wait for the decryption process to finish.\r\nMoreover, from collaboration with one of the victims, we learned that ScRansom was executed more than once on\r\nsome machines, leading to even more Decryption IDs. This victim collected 31 different Decryption IDs,\r\nrequiring 31 ProtectionKeys from CosmicBeetle. Even with those, they were unable to fully recover all of their\r\nfiles. Assuming the encrypted files were not tampered with, this may be the result of missing some Decryption\r\nIDs, CosmicBeetle not providing all of the required ProtectionKeys, or ScRansom destroying some files\r\npermanently by using the ERASE encryption mode. This decryption approach is typical for an immature\r\nransomware threat actor.\r\nSeasoned gangs prefer to have their decryption process as easy as possible to increase the chances of correct\r\ndecryption, which boosts their reputation and increases the likelihood that victims will pay. Typically (like in the\r\ncase of the leaked LockBit Black builder), a decryptor is built together with an encryptor. When distributed to the\r\nvictim, no additional user effort is required, as the key is already contained in the binary. 
Additionally, one key is\r\nsufficient to decrypt all encrypted files, regardless of where they are in the victim’s network.\r\nConclusion\r\nIn this blogpost, we have analyzed CosmicBeetle’s activity over the past year. The threat actor is still deploying\r\nransomware, though it switched from Scarab to a new custom family we call ScRansom. Probably due to the\r\nobstacles that writing custom ransomware from scratch brings, CosmicBeetle attempted to leech off LockBit’s\r\nreputation, possibly to mask the issues in the underlying ransomware and in turn to increase the chance that\r\nvictims will pay.\r\nWe also spotted CosmicBeetle trying to deploy LockBit samples built using the leaked builder, though only\r\nbriefly, before switching back to ScRansom. The threat actor puts efforts into continual development of\r\nScRansom, changing encryption logic and adding features.\r\nRecently, we observed the deployment of ScRansom and RansomHub payloads on the same machine only a week\r\napart. This execution of RansomHub was very unusual compared to typical RansomHub cases we have seen in\r\nESET telemetry. Since there are no public leaks of RansomHub, this leads us to believe with medium confidence\r\nthat CosmicBeetle may be a recent affiliate of RansomHub.\r\nScRansom undergoes ongoing development, which is never a good sign in ransomware. The overcomplexity of\r\nthe encryption (and decryption) process is prone to errors, making restoration of all files unsure. Successful\r\ndecryption relies on the decryptor working properly and on CosmicBeetle providing all necessary keys, and even\r\nin that case, some files may have been destroyed permanently by the threat actor. Even in the best-case scenario,\r\ndecryption will be long and complicated.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at\r\nthreatintel@eset.com. \r\nESET Research offers private APT intelligence reports and data feeds. 
For any inquiries about this\r\nservice, visit the ESET Threat Intelligence page.\r\nIoCs\r\nFiles\r\nSHA-1  Filename  Detection  Description\r\n4497406D6EE7E2EF561C949AC88BB973BDBD214B  auto.exe  Win32/Filecoder.Spacecolon.A  Auto variant of ScRansom.\r\n3C32031696DB109D5FA1A09AF035038BFE1EBE30  Project1.exe  Win32/Filecoder.Spacecolon.B  Auto variant of ScRansom.\r\n26D9F3B92C10E248B7DD7BE2CB59B87A7A011AF7  New.exe  Win32/Filecoder.Spacecolon.A  Static variant of ScRansom.\r\n1CE78474088C14AFB8495F7ABB22C31B397B57C7  Project1.exe  Win32/Filecoder.Spacecolon.B  Auto encryptor variant of ScRansom, Turkish ransom note.\r\n1B635CB0A4549106D8B4CD4EDAFF384B1E4177F6  Project1.exe  Win32/Filecoder.Spacecolon.A  Static SSH encryptor variant of ScRansom.\r\nDAE100AFC12F3DE211BFF9607DD53E5E377630C5  Project1.exe  Win32/Filecoder.Spacecolon.A  Decryptor variant of ScRansom (oldest).\r\n705280A2DCC311B75AF1619B4BA29E3622ED53B6  Rarlab_sib.msi  Win32/Filecoder.Spacecolon.A  MSI file with embedded ScRansom, ScKill, BAT script to stop services, and BAT script to delete shadow copies.\r\nNetwork\r\nIP  Domain  Hosting provider  First seen  Details\r\n66.29.141[.]245  www.lockbitblog[.]info  Namecheap, Inc. 
2023-11-04 Fake LockBit leak site.\r\nRansom note fragments\r\nEmail addresses\r\ndecservice@ukr[.]net\r\nnonamehack2024@gmail[.]com\r\ntufhackteam@gmail[.]com\r\nnonamehack2023@gmail[.]com\r\nnonamehack2023@tutanota[.]com\r\nlockbit2023@proton[.]me\r\nserverrecoveryhelp@gmail[.]com\r\nrecoverydatalife@gmail[.]com\r\nrecoverydatalife@mail[.]ru\r\nTox IDs\r\nTor links\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 15 of the MITRE ATT\u0026CK framework.\r\nTactic  ID  Name  Description\r\nReconnaissance  T1595.002  Active Scanning: Vulnerability Scanning  CosmicBeetle scans its targets for a list of vulnerabilities it can exploit.\r\nReconnaissance  T1590.005  Gather Victim Network Information: IP Addresses  CosmicBeetle scans the internet for IP addresses vulnerable to the vulnerabilities it can exploit.\r\nResource Development  T1583.001  Acquire Infrastructure: Domains  CosmicBeetle registered its own leak site domain.\r\nResource Development  T1587.001  Develop Capabilities: Malware  CosmicBeetle develops its custom toolset, Spacecolon.\r\nResource Development  T1588.002  Obtain Capabilities: Tool  CosmicBeetle utilizes a large variety of third-party tools and scripts. 
\r\nResource Development  T1588.005  Obtain Capabilities: Exploits  CosmicBeetle utilizes publicly available PoCs for known exploits.\r\nResource Development  T1588.001  Obtain Capabilities: Malware  CosmicBeetle probably obtained ransomware from RansomHub and the leaked LockBit 3.0 builder.\r\nInitial Access  T1190  Exploit Public-Facing Application  CosmicBeetle gains initial access by exploiting vulnerabilities in FortiOS SSL-VPN and other public-facing applications.\r\nExecution  T1204  User Execution  CosmicBeetle relies on user execution for some of its tools, though this is usually done by the threat actor via RDP.\r\nExecution  T1059.003  Command and Scripting Interpreter: Windows Command Shell  CosmicBeetle executes various BAT scripts and commands.\r\nExecution  T1059.001  Command and Scripting Interpreter: PowerShell  CosmicBeetle executes various PowerShell scripts and commands.\r\nPersistence  T1136.001  Create Account: Local Account  CosmicBeetle often creates an attacker-controlled administrator account.\r\nDefense Evasion  T1078  Valid Accounts  CosmicBeetle abuses valid accounts whose credentials it successfully obtains.\r\nDefense Evasion  T1140  Deobfuscate/Decode Files or Information  ScRansom samples protect public RSA keys by encryption.\r\nCredential Access  T1110.001  Brute Force: Password Guessing  CosmicBeetle utilizes RDP and SMB brute-force attacks.\r\nCredential Access  T1212  Exploitation for Credential Access  CosmicBeetle exploits known vulnerabilities to obtain credentials.\r\nImpact  T1485  Data Destruction  CosmicBeetle renders some encrypted files unrecoverable.\r\nImpact  T1486  Data Encrypted for Impact  CosmicBeetle encrypts sensitive files on compromised machines. 
\r\nAppendix A: Targeted file extensions\r\nThis configuration is hardcoded in every ScRansom sample and is subject to frequent change. The following\r\nsections contain the most recent configuration at the time of writing.\r\nFilename masks to encrypt\r\n*._ms \r\n*.0001 \r\n*.001 \r\n*.002 \r\n*.003 \r\n*.004 \r\n*.005\r\n*.006 \r\n*.007 \r\n*.008 \r\n*.1* \r\n*.2* \r\n*.3* \r\n*.3dm \r\n*.3dmbak \r\n*.3ds \r\n*.4* \r\n*.5* \r\n*.6* \r\n*.7* \r\n*.7z \r\n*.8* \r\n*.9* \r\n*.a01 \r\n*.a02 \r\n*.bkup  \r\n*.blend  \r\n*.box  \r\n*.bpf  \r\n*.btr  \r\n*.bup  \r\n*.c1  \r\n*.cbd  \r\n*.cbu  \r\n*.cdr  \r\n*.cdx  \r\n*.cfgbak  \r\n*.cgd  \r\n*.couch  \r\n*.csv  \r\n*.ctf  \r\n*.d0  \r\n*.d1  \r\n*.d2  \r\n*.d3  \r\n*.d4  \r\n*.da1  \r\n*.da2  \r\n*.da3  \r\n*.da4  \r\n*.fp5  \r\n*.fp7  \r\n*.frm  \r\n*.ful  \r\n*.full  \r\n*.fxl  \r\n*.gan  \r\n*.gbk  \r\n*.gdb  \r\n*.gho  \r\n*.ghs  \r\n*.hbp  \r\n*.hlp  \r\n*.hrl  \r\n*.ib  \r\n*.ibd  \r\n*.idx  \r\n*.imd  \r\n*.indd  \r\n*.itdb  \r\n*.iv2i  \r\n*.jet  \r\n*.jpg  \r\n*.L5X  \r\n*.lbl  \r\n*.oeb  \r\n*.ol2  \r\n*.old  \r\n*.one  \r\n*.ora  \r\n*.ost  \r\n*.ostx  \r\n*.ova  \r\n*.pak  \r\n*.par  \r\n*.pbd  \r\n*.pcb  \r\n*.pdb  \r\n*.pdf  \r\n*.pod  \r\n*.ppt  \r\n*.pptx  \r\n*.pqb  \r\n*.pri  \r\n*.prt  \r\n*.psd  \r\n*.psm  \r\n*.pst  \r\n*.pstx  \r\n*.ptb  \r\n*.SLDPRT  \r\n*.sldprt  \r\n*.sldrpt  \r\n*.slp  \r\n*.sna  \r\n*.sna  \r\n*.spf  \r\n*.spl  \r\n*.sql  \r\n*.sqlaudit  \r\n*.sqlite  \r\n*.sqlite3  \r\n*.srd  \r\n*.step  \r\n*.stm  \r\n*.stp  \r\n*.tar  \r\n*.tar.gz  \r\n*.tga  \r\n*.tgz  \r\n*.tib  \r\n*.tibx  \r\n*.tif  \r\n*.tiff  \r\n*.tmp  \r\n*.a03 \r\n*.a06 \r\n*.accdb \r\n*.ACD \r\n*.adm \r\n*.afi \r\n*.ai \r\n*.alt \r\n*.arc \r\n*.arc \r\n*.archive \r\n*.ard 
\r\n*.asm \r\n*.avhdx \r\n*.avi \r\n*.axf \r\n*.b1 \r\n*.bac \r\n*.backup \r\n*.bak \r\n*.BBCK \r\n*.BBCK3  \r\n*.bck  \r\n*.bco  \r\n*.bdmp  \r\n*.bi4  \r\n*.bik  \r\n*.bin  \r\n*.bkf  \r\n*.bkp\r\n*.danger  \r\n*.dat  \r\n*.db  \r\n*.db1  \r\n*.db2  \r\n*.dbc  \r\n*.dbdmp  \r\n*.dbf  \r\n*.dbs  \r\n*.dbw  \r\n*.df  \r\n*.dft  \r\n*.diff  \r\n*.dmp  \r\n*.doc  \r\n*.docx  \r\n*.dwg  \r\n*.dxf  \r\n*.dxt5_2d  \r\n*.ebk  \r\n*.edb  \r\n*.edp  \r\n*.elg  \r\n*.eml  \r\n*.encvrt  \r\n*.fbf  \r\n*.fbk  \r\n*.fbw  \r\n*.fdb  \r\n*.fmp12\r\n*.ldb  \r\n*.ldf  \r\n*.llp  \r\n*.log  \r\n*.log1  \r\n*.lst  \r\n*.mat  \r\n*.max  \r\n*.mdb  \r\n*.mdbx  \r\n*.mdf  \r\n*.mmo  \r\n*.mov  \r\n*.mp4  \r\n*.mrimg  \r\n*.msg  \r\n*.mtx  \r\n*.myd  \r\n*.myi  \r\n*.nb7  \r\n*.nbf  \r\n*.ndf  \r\n*.ndk  \r\n*.ndx  \r\n*.nsf  \r\n*.nsg  \r\n*.ntf  \r\n*.nx1  \r\n*.nyf  \r\n*.obk\r\n*.qba  \r\n*.qbb  \r\n*.qbm  \r\n*.qbw  \r\n*.qic  \r\n*.qrp  \r\n*.qsm  \r\n*.qvx  \r\n*.rar  \r\n*.raw  \r\n*.rbf  \r\n*.rct  \r\n*.rdb  \r\n*.redo  \r\n*.rfs  \r\n*.rman  \r\n*.rpd  \r\n*.rpo  \r\n*.rpt  \r\n*.rtf  \r\n*.sai  \r\n*.saj  \r\n*.seq  \r\n*.sev  \r\n*.sic  \r\n*.sko  \r\n*.skp  \r\n*.SLDASM  \r\n*.SLDDRW  \r\n*.SLDLFP\r\n*.trc  \r\n*.trn  \r\n*.tuf  \r\n*.upd  \r\n*.usr  \r\n*.vbk  \r\n*.vbm  \r\n*.vct  \r\n*.vcx  \r\n*.vhd  \r\n*.vhdx  \r\n*.vib  \r\n*.vix  \r\n*.vmdk  \r\n*.vmsd  \r\n*.vmsn  \r\n*.vmx  \r\n*.vmxf  \r\n*.vob  \r\n*.vrb  \r\n*.vswp  \r\n*.wim  \r\n*.wt  \r\n*.xls  \r\n*.xlsm  \r\n*.xlsx  \r\n*.zip  \r\n*ibdata\r\nSource: https://www.welivesecurity.com/en/eset-research/cosmicbeetle-steps-up-probation-period-ransomhub/\r\nhttps://www.welivesecurity.com/en/eset-research/cosmicbeetle-steps-up-probation-period-ransomhub/\r\nPage 17 of 17",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/cosmicbeetle-steps-up-probation-period-ransomhub/"
	],
	"report_names": [
		"cosmicbeetle-steps-up-probation-period-ransomhub"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9099912b-a00a-4afb-8294-c6d35af421a1",
			"created_at": "2023-01-06T13:46:39.338108Z",
			"updated_at": "2026-04-10T02:00:03.292102Z",
			"deleted_at": null,
			"main_name": "Scarab",
			"aliases": [],
			"source_name": "MISPGALAXY:Scarab",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e7d03ac8-7d6f-4ea0-83a9-10dff2ea1486",
			"created_at": "2022-10-25T16:07:24.158325Z",
			"updated_at": "2026-04-10T02:00:04.884772Z",
			"deleted_at": null,
			"main_name": "Scarab",
			"aliases": [
				"UAC-0026"
			],
			"source_name": "ETDA:Scarab",
			"tools": [
				"Scieron"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "70ef487b-c5d9-444f-83c9-256034fbb601",
			"created_at": "2024-10-04T02:00:04.772159Z",
			"updated_at": "2026-04-10T02:00:03.717985Z",
			"deleted_at": null,
			"main_name": "CosmicBeetle",
			"aliases": [],
			"source_name": "MISPGALAXY:CosmicBeetle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434685,
	"ts_updated_at": 1775826780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a740c1b4eaad06e9ed274fb516a40a636672415b.pdf",
		"text": "https://archive.orkl.eu/a740c1b4eaad06e9ed274fb516a40a636672415b.txt",
		"img": "https://archive.orkl.eu/a740c1b4eaad06e9ed274fb516a40a636672415b.jpg"
	}
}