{
	"id": "e9110a68-52b1-453a-b25a-cfb0510f8891",
	"created_at": "2026-04-06T00:19:10.828916Z",
	"updated_at": "2026-04-10T13:13:00.754798Z",
	"deleted_at": null,
	"sha1_hash": "a851272326c9506046d982bead637689fecadb31",
	"title": "The Shade Encryptor: a Double Threat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 246273,
	"plain_text": "The Shade Encryptor: a Double Threat\r\nBy Victor Alyushin\r\nPublished: 2015-09-14 · Archived: 2026-04-05 13:43:53 UTC\r\nA family of ransomware Trojans that encrypts files and adds the extensions “.xtbl” and “.ytbl” emerged in late\r\n2014/early 2015, and quickly established itself among the top three most widespread encryptors in Russia (along\r\nwith Trojan-Ransom.Win32.Cryakl and Trojan-Ransom.BAT.Scatter). This threat has been assigned the verdict\r\nTrojan-Ransom.Win32.Shade according to Kaspersky Lab’s classification. The original name given to the\r\nencryptor by its creator is not known; other security vendors detect it as Trojan.Encoder.858,\r\nRansom:Win32/Troldesh.\r\nThere has been no appreciable evolution of this Trojan over time – only the format of the encrypted file’s name,\r\nthe C\u0026C server addresses and the RSA keys have been changing.\r\nThere are two main methods used to deliver the malware to victims’ computers: spam messages and exploit kits\r\n(in particular, NuclearEK).\r\nWhen delivered via spam, the user receives a letter with a malicious file attached. The system is infected when the\r\nuser attempts to open the attachment. The following file names have been used when spreading Trojan-Ransom.Win32.Shade:\r\ndoc_dlea podpisi.com\r\ndoc_dlea podpisi.rar\r\ndocumenti_589965465_documenti.com\r\ndocumenti_589965465_documenti.rar\r\ndocumenti_589965465_doc.scr\r\ndoc_dlea podpisi.rar\r\nнеподтвержден 308853.scr\r\ndocumenti dlea podpisi 05.08.2015.scr.exe\r\nakt sverki za 17082015.scr\r\nIt should be noted that the file name changes for each mass mailing campaign, so the potential file names are not\r\nlimited to those listed above.\r\nThe second delivery mechanism – via exploit kit – is more dangerous because the infection occurs when the\r\nvictim unwittingly visits a compromised website. It may be a site belonging to cybercriminals, or a legitimate\r\nresource that has been hacked. 
In most cases, the user is completely unaware of the danger the website poses.\r\nMalicious code on the website exploits a vulnerability in the browser or a plugin, and the Trojan is then covertly\r\ninstalled in the system. Unlike the spam delivery method, the victim doesn’t even have to run an executable file.\r\nAfter Trojan-Ransom.Win32.Shade ends up in the system, it connects to a C\u0026C server located in the Tor network,\r\nreports the infection and requests a public RSA-3072 key that is subsequently used to encrypt files (as discussed\r\nhttps://securelist.com/the-shade-encryptor-a-double-threat/72087/\r\nPage 1 of 9\n\nbelow). Should the connection attempt fail, the Trojan chooses one of the 100 public keys that are stored within its\r\nbody for just such an eventuality.\r\nThe Trojan then starts encrypting files. While scanning for objects to encrypt, it uses the static list of extensions\r\nshown in the screenshot below.\r\nWhen encryption is complete, a menacing image is set as the desktop background:\r\nThe Trojan leaves ransom demands in the files README1.txt, …, README10.txt. The contents of these files are\r\nalways the same:\r\nHowever, unlike most other encryptors, Trojan-Ransom.Win32.Shade doesn’t stop there. It doesn’t terminate its\r\nprocess, but instead starts an infinite loop in which it requests a list from the C\u0026C server containing the URLs of\r\nadditional malware. It then downloads that malware and installs it in the system. This sort of activity is typical of\r\ndownload bots. We have spotted malware from the following families being downloaded:\r\n
Trojan.Win32.CMSBrute (a more detailed description is provided below).\r\nTrojan.Win32.Muref\r\nTrojan.Win32.Kovter\r\nTrojan-Downloader.Win32.Zemot\r\nBelow is the code for the download and listening loop:\r\nIt is therefore very important to run a complete anti-malware scan of the computer if the Shade encryptor (or the\r\n.xtbl, .ytbl files it creates) is detected. If left untreated, the system will most probably remain infected with several\r\nmalicious programs downloaded by the encryptor.\r\nCommon features of Shade family Trojans\r\nWritten in C++ using STL and its own classes.\r\nStatically linked with Tor client.\r\nUses boost (threads), curl, OpenSSL libraries.\r\nEach sample has the URL of a C\u0026C server hardcoded in it. A total of 10 C\u0026C server addresses were\r\nidentified in various samples, eight of which are currently active. All the C\u0026C servers are located in the\r\nTor network.\r\nAll strings (including the names of imported functions) are AES encrypted. They are decrypted when the\r\nprogram starts, then the import table is dynamically populated.\r\nPrior to setting the new desktop background, the old one is saved in the registry.\r\nTypically packed with UPX and an extra packer. Once unpacked, it is 1817 KB in size.\r\nCreates 10 identical files named README1.txt, …, README10.txt on the victim computer, containing\r\nransom demands in Russian and English.\r\nA unique 256-bit AES key is generated to encrypt the contents and the name of each file. The encryption is\r\ndone in CBC mode with a zero initialization vector.\r\n
Contains 100 public RSA-3072 keys with the public exponent 65537 (a total of 300 different public keys\r\nwere detected in various samples).\r\nHas the capability of downloading and launching malware.\r\nThe cryptographic scheme\r\nGenerating an infected computer ID\r\n1. The Trojan obtains the computer name (comp_name) with the help of API function GetComputerName,\r\nand the number of processors (num_cpu) with the help of API function GetSystemInfo;\r\n2. Using the serial number of the system volume, it calculates a 32-bit constant and converts it into a HEX\r\nstring (vol_const);\r\n3. Obtains data about the OS version (os_version) separated by the symbol “;” (e.g. “5;1;2600;1;Service\r\nPack 3”);\r\n4. Creates the string comp_namenum_cpuvol_constos_version (the four values concatenated);\r\n5. Calculates the MD5 hash of this string;\r\n6. Converts the MD5 hash into a HEX string and uses its first 20 characters as the computer’s ID.\r\nReceiving key data\r\nWhen the computer ID has been generated, the Trojan attempts to connect to the C\u0026C server located in the Tor\r\nnetwork, sends the computer ID to it and receives the public RSA key in return. If the connection attempt fails,\r\none of the 100 public RSA keys hardcoded in the Trojan body is selected.\r\nEncrypting files\r\nThe algorithm AES 256 in CBC mode is used to encrypt files. For each encrypted file, two random 256-bit AES\r\nkeys are generated: one is used to encrypt the file’s contents, while the other is used to encrypt the file name.\r\nThese keys are placed in the utility structure key_data, which is then encrypted with the selected RSA key (so it\r\ntakes up 384 bytes after encryption) and placed at the end of the encrypted file:\r\n
In C syntax, this structure can be written as follows:\r\nThe Trojan attempts to rename the encrypted file using the result of the calculation\r\nBase64(AES_encrypt(original file name)).xtbl (e.g. ArSxrr+acw970LFQw.xtbl). Failing this, it simply adds\r\nthe extension .ytbl to the original file name. In later versions, the Trojan adds the infected computer’s ID and then\r\nthe extension .xtbl to the file name, e.g. ArSxrr+acw970LFQw.043C17E72A1E91C6AE29.xtbl.\r\nCommunication with a C\u0026C server\r\nThe address of one C\u0026C server is contained in the Trojan’s body. The servers are located in the Tor network and\r\ncommunication is established using a Tor client that is statically linked to the Trojan.\r\nThe sample sends the following requests to the C\u0026C server:\r\n1. Request for a new public RSA key:\r\nGET http://\u003cserver\u003e.onion/reg.php?i=ID\u0026b=build\u0026v=version\u0026ss=stage\r\nID – the ID of the infected computer;\r\nbuild – the ID of the specific Trojan sample;\r\nversion – the Trojan’s version (we encountered versions 1 and 2);\r\nstage – the stage of encryption – request for a new public key or a message about completing file\r\nencryption.\r\n2. Error message:\r\nGET http://\u003cserver\u003e.onion/err.php?i=ID\u0026b=build\u0026v=version\u0026err=error\r\nerror – a base64-coded message about an error during encryption.\r\n3. Report about the encryptor’s current stage:\r\nGET http://\u003cserver\u003e.onion/prog.php?i=ID\u0026b=build\u0026v=version\u0026ss=stage\u0026c=count\u0026f=finish\r\ncount – the current count of encrypted files;\r\nfinish – the flag showing that encryption has completed.\r\n4. Information about the system:\r\nPOST http://\u003cserver\u003e.onion/sys.php?i=ID\u0026b=build\u0026v=version\u0026ss=stage\u0026c=count\u0026k=key_number\u0026si=info\r\nkey_number – the number of the selected RSA key (if the key was not received from the server, but\r\nselected from the keys contained in the Trojan’s body);\r\ninfo – information collected from the infected computer:\r\nComputer name\r\nUser name\r\nIP address\r\nComputer domain\r\nList of logical drives\r\nWindows version\r\nList of installed software\r\n5. Request for a list of URL addresses from which additional malware needs to be downloaded and\r\nlaunched:\r\nGET http://\u003cserver\u003e.onion/cmd.php?i=ID\u0026b=build\u0026v=version\r\n
Propagation of the encryptor\r\nPartnership program\r\nThe code that the user is prompted to email to the cybercriminals can have the form ID|0 if the public key was\r\nreceived from the C\u0026C server, or ID|key_number|build|version if one of the public RSA keys hardcoded in the\r\nTrojan’s body was selected, with the corresponding number used for the value key_number. ID is the identity of\r\nthe infected computer, build and version are numeric values that denote respectively the ID of the specific Trojan\r\nsample and the encryptor’s version.\r\nWhile analyzing the Trojan’s samples, we detected several combinations of the ‘build’ value, email addresses used\r\nto communicate with the cybercriminals, and C\u0026C addresses. Different ‘build’ values are associated with different\r\nemail addresses, although the same C\u0026C can serve several different samples of the Trojan:\r\nbuild | C\u0026C | email\r\n2 | a4yhexpmth2ldj3v.onion | files1147@gmail.com, post100023@gmail.com\r\n2 | a4yhexpmth2ldj3v.onion | decode0987@gmail.com, decode098@gmail.com\r\n4 | a4yhexpmth2ldj3v.onion | decodefile001@gmail.com, decodefile002@gmail.com\r\n6 | a4yhexpmth2ldj3v.onion | files08880@gmail.com, files08881@gmail.com\r\n2 | e4aibjtrguqlyaow.onion | decodefiles1@gmail.com, decodefiles@india.com\r\n15 | e4aibjtrguqlyaow.onion | post8881@gmail.com, post24932@gmail.com\r\n12 | gxyvmhc55s4fss2q.onion | decode00001@gmail.com, decode00002@gmail.com\r\n14 | gxyvmhc55s4fss2q.onion | decode010@gmail.com, decode1110@gmail.com\r\n4 | gxyvmhc55s4fss2q.onion | deshifrovka01@gmail.com, deshifrovka@india.com\r\nWe observed the propagation of different samples from the encryptor’s two versions. For each specific sample of\r\nthe same version of the Trojan there existed a unique combination of ‘build’ (ID of the specific sample) and the\r\nemail address (for communication with the cybercriminals).\r\nAlthough we found no partnership notices, based on the data we can assume the Trojan is distributed, and the\r\nransom collected, via a partnership network. Possibly, the malware sample IDs (the ‘build’ value) and the\r\ndifferent email addresses are associated with various partners responsible for distributing this malicious program.\r\n
Geography\r\nMost of the Trojan infections occur in Russia, Ukraine and Germany. According to KSN data, the distribution of\r\nTrojan-Ransom.Win32.Shade is as follows.\r\nRussia 70.88%\r\nGermany 8.42%\r\nUkraine 6.48%\r\nAustria 3.91%\r\nSwitzerland 2.98%\r\nPoland 1.45%\r\nKazakhstan 1.20%\r\nBelarus 1.07%\r\nBrazil 0.55%\r\nDownloaded malware: Trojan for brute forcing website passwords\r\nAmong the malicious programs downloaded by Trojan-Ransom.Win32.Shade is a trojan used for brute forcing\r\nwebsite passwords. The internal organization of the brute forcer is very similar to that of the encryptor Trojan\r\nitself – it was most probably created by the same team of cybercriminals. This downloaded brute forcer Trojan has\r\nbeen assigned the verdict Trojan.Win32.CMSBrute.\r\nCommon features of the CMSBrute family\r\nWritten in C++ using STL and its own classes.\r\nStatically linked with the Tor client.\r\nUses boost (threads), curl, OpenSSL libraries.\r\nEach sample has a hardwired URL to one C\u0026C server. A total of three C\u0026C server addresses were detected\r\nin different samples. All the C\u0026Cs are located in the Tor network and are different from the addresses\r\nencountered in the Trojan-Ransom.Win32.Shade samples.\r\nAll strings (along with the names of imported functions) are AES encrypted. When the program launches,\r\nthey are decrypted and the import table is then dynamically populated.\r\nTypically UPX packed. Once unpacked, it is 2080-2083 KB in size.\r\nCopies itself to one of the C drive folders with the name csrss.exe.\r\nDownloads additional DLL plugins. The plugins contain code that determines the content management\r\nsystem (CMS) installed on the targeted site, searches for the administration console and cracks passwords.\r\nWe have detected plugins for websites based on Joomla, WordPress and DataLifeEngine.\r\n
Communication with the C\u0026C server\r\nEach sample of Trojan.Win32.CMSBrute contains the address of one C\u0026C server. The servers are located in the\r\nTor network and communication with them is established using the Tor client that is statically linked to the Trojan.\r\nThe sample sends the following requests to the C\u0026C server:\r\n1. Register new bot:\r\nGET http://\u003cserver\u003e.onion/reg.php?n=ID\u0026b=build\u0026v=version\u0026sf=stage\r\nID – the ID of the infected computer. It is calculated using a slightly different algorithm than the one used\r\nfor the Shade encryptor;\r\nbuild – the ID of the specific sample of the malicious program. We have encountered build 1 only;\r\nversion – the version of the malicious program. We have encountered version 1 only;\r\nstage – the stage of the Trojan’s operation.\r\n2. A request to receive URL addresses for downloading/updating DLL plugins.\r\nGET http://\u003cserver\u003e.onion/upd.php?n=ID\u0026b=build\u0026v=version\u0026p=plugins\r\n3. Request for a task to determine the CMS on the website and to check the login credentials:\r\nGET http://\u003cserver\u003e.onion/task.php?n=ID\u0026b=build\u0026v=version\u0026p=plugins\r\nplugins – the versions of installed DLL plugins.\r\nThe server’s response comes in the JSON format and contains URLs of the websites to be attacked and a\r\ndictionary for breaking passwords.\r\n4. Send a brute force report:\r\nPOST http://\u003cserver\u003e.onion/rep.php?n=ID\u0026b=build\u0026v=version\u0026rep=report\r\nreport – a JSON string containing a report about the CMS found on the website, as well as broken login\r\ncredentials to the administration console.\r\n
Recommendations\r\nIn the case of Trojan-Ransom.Win32.Shade, all advice that was previously given on how to counteract encryptors\r\nis still relevant. Detailed instructions are available at:\r\nhttps://support.kaspersky.com/10952\r\nIf your computer has already suffered an attack by this Trojan, it is extremely important that you run a full scan\r\nand treat it with an anti-malware solution. Remember that Trojan-Ransom.Win32.Shade downloads and installs\r\nmalware belonging to several different families, as stated at the beginning of this article.\r\nAppendix\r\nThe following samples were used while writing this article:\r\nVerdict | MD5\r\nTrojan-Ransom.Win32.Shade.ub | 21723762c841b2377e06472dd9691da2\r\nTrojan-Ransom.Win32.Shade.ui | bb159b6fe30e3c914feac5d4e1b85a61\r\nTrojan.Win32.CMSBrute.a | 543d1620ce976cb13fec190ccc1bc83a\r\nSource: https://securelist.com/the-shade-encryptor-a-double-threat/72087/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/the-shade-encryptor-a-double-threat/72087/"
	],
	"report_names": [
		"72087"
	],
	"threat_actors": [],
	"ts_created_at": 1775434750,
	"ts_updated_at": 1775826780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a851272326c9506046d982bead637689fecadb31.pdf",
		"text": "https://archive.orkl.eu/a851272326c9506046d982bead637689fecadb31.txt",
		"img": "https://archive.orkl.eu/a851272326c9506046d982bead637689fecadb31.jpg"
	}
}