{
	"id": "ead35d49-d0a1-4328-8bd4-16bb6df7579c",
	"created_at": "2026-04-06T00:17:39.787616Z",
	"updated_at": "2026-04-10T03:20:49.046699Z",
	"deleted_at": null,
	"sha1_hash": "a8bc267d11c899b3cf77ef0233a0be271a3b5463",
	"title": "Quick analysis of Haron Ransomware (feat. Avaddon and Thanos)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3372616,
	"plain_text": "Quick analysis of Haron Ransomware (feat. Avaddon and Thanos)\r\nBy S2W\r\nPublished: 2021-07-23 · Archived: 2026-04-05 18:10:45 UTC\r\nAuthor: Talon @ S2WLAB\r\nGet S2W’s stories in your inbox\r\nJoin Medium for free to get updates from this writer.\r\nRemember me for faster sign in\r\nHaron ransomware was first discovered in July 2021. When infected with this ransomware, the extension of the\r\nencrypted file is changed to the victim’s name. They are using a ransom note and operating their own leak site\r\nsimilar to Avaddon ransomware. They have disclosed only one victim on the leak site so far.\r\nDetailed analysis\r\nA. Similarity of ransom notes\r\nPress enter or click to view image in full size\r\nThe highlighted part in the picture above is the same part between Haron and Avaddon.\r\nThe main difference is that Haron suggests a specific ID and Password for victim to log in to the\r\nnegotiation site.\r\nB. Similarity of negotiation sites\r\nhttps://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4\r\nPage 1 of 7\n\nB-1. Haron operates the negotiation site and leak site on the same domain\r\nPress enter or click to view image in full size\r\nAvaddon operated negotiation and leak sites on different domain addresses.\r\nIn the case of Haron, ID and password are required to have access to the negotiation page.\r\nB-2. Comparing the contents of the negotiation sites\r\nPress enter or click to view image in full size\r\nThe appearance of negotiation site is almost identical except for the name of ransomware “Haron” or\r\n“Avaddon”\r\nThe overall interface and string of the negotiation page are similar, but the date notation hh:mm\r\ndd:MM:yyyy has converted to hh:mm yy.MM and icon in the chat window has disappeared\r\nB-3. 
Haron’s chat feature is built on open source\r\nAs shown in the picture above, the leak site of Haron has the same structure as that of Avaddon.\r\nHaron also sets a time for the next data update to induce victims to negotiate within that period, but there is no DDoS attack notice yet. It has not been confirmed whether they would carry out a DDoS attack like Avaddon.\r\nAlso, Avaddon gave 10 days for negotiation, but Haron gave about 6 days.\r\nD. Comparative analysis of Haron and Avaddon\r\nD-1. The files related to Avaddon\r\nLogos, icons and sample victim data used by Avaddon are present on Haron’s server. However, all of these files can be collected at the client level.\r\nThe last modified date of the files is the same as the date (2021–06–11) when Avaddon disappeared after sending the decryption key to BleepingComputer.\r\nD-2. Haron is based on Thanos Ransomware\r\nHaron is using Thanos Ransomware to infect victims. 
Even the functions are almost the same as before.\r\nThanos ransomware is a RaaS that has been sold on DDW since 2019.\r\nhttps://medium.com/s2wlab/story-of-the-week-ransomware-on-the-darkweb-2-ace644c6db3f\r\nRecently, the Thanos builder was published on GitHub.\r\nhttps://github.com/Hacker-Data/Thanos-Ransomware-Builder\r\nConclusion\r\n1. It is difficult to conclude that Haron is a re-emergence of Avaddon based on our analysis.\r\nAvaddon developed and used their own C++ based ransomware.\r\nBut Haron is using the C# based Thanos ransomware, which is publicly available.\r\nThe web interface of Haron’s leak site is almost identical to that of Avaddon ransomware, so we assume that Haron mimicked Avaddon’s UI.\r\n- When ransomware gangs rebrand, they usually change many things such as the design of the leak site.\r\n- Example: Gandcrab → Sodinokibi/REvil, Babuk → Payload.bin\r\n2. The Haron ransomware gang doesn’t have dedicated skills of its own compared to other well-known ransomware gangs such as Avaddon.\r\nUsing Thanos ransomware leaked to the public.\r\nUsing an open-source chat feature on their negotiation site.\r\nCopycat UI from Avaddon on their leak site.\r\nInsufficient authentication process when accessing the negotiation site.\r\n- Anyone can enter the negotiation and leak site using the test/test account.\r\n* However, after this publication, the test account has been removed.\r\nMalware Hash\r\n1. Haron : 6e6b78a1df17d6718daa857827a2a364b7627d9bfd6672406ad72b276014209c\r\n2. 
Thanos : c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850\r\nHomepage: https://www.s2wlab.com\r\nFacebook: https://www.facebook.com/S2WLAB/\r\nTwitter: https://twitter.com/s2wlab\r\nSource: https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4"
	],
	"report_names": [
		"quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4"
	],
	"threat_actors": [],
	"ts_created_at": 1775434659,
	"ts_updated_at": 1775791249,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a8bc267d11c899b3cf77ef0233a0be271a3b5463.pdf",
		"text": "https://archive.orkl.eu/a8bc267d11c899b3cf77ef0233a0be271a3b5463.txt",
		"img": "https://archive.orkl.eu/a8bc267d11c899b3cf77ef0233a0be271a3b5463.jpg"
	}
}