{
	"id": "119181c8-c7df-46f4-9ba8-58e7f8cd230a",
	"created_at": "2026-04-06T00:07:12.54817Z",
	"updated_at": "2026-04-10T03:30:33.239022Z",
	"deleted_at": null,
	"sha1_hash": "ad84a427088844e30b0311ed1a1ac07ba762c5e2",
	"title": "Novel obfuscation leveraged by Hive ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3073942,
	"plain_text": "Novel obfuscation leveraged by Hive ransomware\r\nBy SC Staff\r\nPublished: 2022-03-31 · Archived: 2026-04-05 17:41:45 UTC\r\nRansomware, Threat Management, Risk Assessments/Management, Breach\r\nThe Hive ransomware gang has been leveraging a novel obfuscation approach involving IPv4 addresses and\r\nnumerous conversions resulting in Cobalt Strike beacon downloads, BleepingComputer reports. The new\r\ntechnique, dubbed \"IPfuscation\", was identified by Sentinel Labs researchers who examined various 64-bit\r\nWindows executables, all of which had Cobalt Strike-delivering payloads. Hive has obfuscated the payload by\r\ndisguising it as ASCII IPv4 addresses, but converting the file from string to binary reveals\r\nshellcode. Researchers found that upon completion, the shellcode will be executed by the malware through direct\r\nSYSCALLs or proxy execution. More IPfuscation variants have been observed by researchers, with IPv6, MAC,\r\nand UUID addresses also being leveraged by the ransomware group. The findings suggest that reliance on static\r\nsignatures alone is inadequate for detecting malicious payloads. 
Organizations should also deploy behavioral\r\ndetection, artificial intelligence-based analysis, and holistic security approaches for their endpoints to better detect\r\nIPfuscation techniques, according to researchers.\r\nSource: https://www.scmagazine.com/brief/breach/novel-obfuscation-leveraged-by-hive-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.scmagazine.com/brief/breach/novel-obfuscation-leveraged-by-hive-ransomware"
	],
	"report_names": [
		"novel-obfuscation-leveraged-by-hive-ransomware"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434032,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ad84a427088844e30b0311ed1a1ac07ba762c5e2.pdf",
		"text": "https://archive.orkl.eu/ad84a427088844e30b0311ed1a1ac07ba762c5e2.txt",
		"img": "https://archive.orkl.eu/ad84a427088844e30b0311ed1a1ac07ba762c5e2.jpg"
	}
}