{
	"id": "a2d453a5-d7da-4e58-8414-a35c144a1596",
	"created_at": "2026-04-10T03:20:59.659219Z",
	"updated_at": "2026-04-10T03:22:19.066759Z",
	"deleted_at": null,
	"sha1_hash": "b23b0904022d122b2a4745094ae1c081f9b421d6",
	"title": "From the Front Lines | Hive Ransomware Deploys Novel IPfuscation Technique To Avoid Detection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 13561535,
	"plain_text": "From the Front Lines | Hive Ransomware Deploys Novel\r\nIPfuscation Technique To Avoid Detection\r\nBy James Haughom\r\nPublished: 2022-03-29 · Archived: 2026-04-10 02:59:49 UTC\r\nBy James Haughom, Antonis Terefos, Jim Walter, Jeff Cavanaugh, Nick Fox, and Shai Tilias\r\nOverview\r\nIn a recent IR engagement, our team happened upon a rather interesting packer (aka crypter or obfuscator) that\r\nwas ultimately utilized to construct and execute shellcode responsible for downloading a Cobalt Strike Beacon.\r\nThe sample at the end of this chain is not necessarily sophisticated or particularly novel, but it does leverage an\r\ninteresting obfuscation technique that we have dubbed “IPfuscation”.\r\nIn this post, we describe this novel technique as it is used across several variants of malware. Along with the\r\nIPfuscation technique, we have identified a number of markers which have allowed us to pivot into additional\r\ndiscoveries around the actor or group behind this campaign.\r\nTechnical Details\r\nThe samples in question are 64-bit Windows Portable Executables, each containing an obfuscated payload used to\r\ndeliver an additional implant. The obfuscated payload masquerades itself as an array of ASCII IPv4 addresses.\r\nEach one of these IPs is passed to the RtlIpv4StringToAddressA function, which will translate the ASCII IP string\r\nto binary. The binary representation of all of these IPs is combined to form a blob of shellcode.\r\nhttps://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/\r\nPage 1 of 20\n\nThe general flow is:\r\n1. Iterate through “IPs” (ASCII strings)\r\n2. Translate “IPs” to binary to reveal shellcode\r\n3. 
Execute shellcode either by:\r\n   a. Proxying execution via a callback parameter passed to EnumUILanguagesA\r\n   b. Direct SYSCALLs\r\nUsing byte sequences, sequences of WinAPI calls, and some hardcoded metadata affiliated with the malware author, we were able to identify a handful of other variants of this loader (hashes provided below with the IOCs), one of which we have dubbed “UUIDfuscation” and which was also recently reported on by Jason Reaves. A Golang Cobalt Strike loader was also discovered during the investigation, which had a hardcoded source code path similar to what we have already seen with the ‘IPfuscated’ samples, suggesting that the same author may be responsible for both.\r\nTools, COTS, LOLBINs and More\r\nThe TTPs uncovered during the incident align with previous reporting of the Hive Ransomware Affiliate Program, with the attackers having a preference for publicly available penetration testing frameworks and tooling (see the TTPs table). Like many other ransomware groups, pre-deployment PowerShell and BAT scripts are used to prepare the environment for distribution of the ransomware, while ADFind, SharpView, and BloodHound are used for Active Directory enumeration. Password spraying was performed with SharpHashSpray and SharpDomainSpray, while Rubeus was used to request TGTs. Cobalt Strike remains their implant of choice, and several different Cobalt Strike loaders were identified, including an IPfuscated loader, a Golang loader, and a vanilla Beacon DLL. Finally, GPOs and Scheduled Tasks are used to deploy digitally signed ransomware across the victim’s network.\r\nIPfuscated Cobalt Strike Loader\r\nOur team discovered and analyzed a 64-bit PE (4fcc141c13a4a67e74b9f1372cfb8b722426513a) with a hardcoded PDB path matching the project structure of a Visual Studio project:\r\nC:\\Users\\Administrator\\source\\repos\\ConsoleApplication1\\x64\\Release\\ConsoleApplication1.pdb\r\nThis particular sample leverages the IPfuscation technique. Within the binary is what appears to be an array of IP addresses.\r\nEach of these “IP addresses” is passed to RtlIpv4StringToAddressA and the resulting four bytes are written to heap memory.\r\nWhat is interesting is that these “IP addresses” are not used for network communication, but instead represent an encoded payload. The binary representation of these IP-formatted strings produced by RtlIpv4StringToAddressA is actually a blob of shellcode.\r\nFor example, the first hardcoded IP-formatted string is the ASCII string “252.72.131.228”. RtlIpv4StringToAddressA writes the four octets to memory in the order they appear in the string (network byte order), giving the bytes FC 48 83 E4, which read as the DWORD 0xE48348FC on little-endian x64. The next “IP” to be translated is “240.232.200.0”, which produces F0 E8 C8 00 (0x00C8E8F0 as a DWORD). Together they create the byte sequence FC 48 83 E4 F0 E8 C8 00, which is the cld / and rsp, -0x10 / call prologue of the stager.\r\nDisassembling these “binary representations” shows the start of shellcode generated by common pentesting frameworks.\r\nOnce the shellcode has been deobfuscated in this manner, the malware proxies invocation of the shellcode by passing its address to the EnumUILanguagesA WinAPI function. This is achieved by supplying the shellcode address as the UILanguageEnumProc parameter, the callback routine that the API then executes.\r\nThe shellcode is the common Cobalt Strike stager to download and execute Beacon. Here is a look at the PEB traversal to find one of the module lists, followed by the ROR13 hash being calculated for the target WinAPIs to execute.\r\nHell’s Gate Variant\r\nA handful of additional samples were found with a similar sequence of functions and static properties, including the same error message. The Hell’s Gate variant (d83df37d263fc9201aa4d98ace9ab57efbb90922) differs from the previous sample in that it uses Hell’s Gate (direct SYSCALLs) rather than EnumUILanguagesA to execute the deobfuscated shellcode. This sample’s PDB path is:\r\nE:\\Users\\PC\\source\\repos\\HellsGate+ipv4\\x64\\Release\\HellsGate+ipv4.pdb\r\nIn this variant, the IP-formatted strings are procedurally placed in local variables, rather than being looped through as seen previously.\r\nOnce all the IP strings have been defined within the scope of this function, memory is allocated with NtAllocateVirtualMemory via a direct SYSCALL, and the deobfuscation loop commences.\r\nFollowing the loop, a few SYSCALLs are made to pass control flow to the deobfuscated shellcode.\r\nIPfuscation Variants\r\nAmong the discovered variants were three additional obfuscation methods using techniques very similar to IPfuscation. Rather than using IPv4 addresses, the following were also found being used to hide the payload:\r\nIPfuscation – IPv6 addresses\r\nUUIDfuscation – UUIDs \u0026 base64 encoded UUIDs\r\nMACfuscation – MAC addresses\r\nHere we can see the original IPfuscated sample versus the UUID variant being translated via UuidFromStringA.\r\nThe UUID variant stores the obfuscated payload in the same manner as IPfuscated samples.\r\nThe MAC address variant translates the shellcode via RtlEthernetStringToAddressA and then uses a callback function, a parameter to EnumWindows, to pass control flow to the shellcode. Again, the MAC addresses forming the payload are stored the same as with previous variants.\r\nThe IPv6 variants operate almost identically to the original IPfuscated sample. The only difference is that IPv6-style addresses are used, and RtlIpv6StringToAddressA is called to translate the string to binary data.\r\nGolang Cobalt Strike Loader\r\nAmong other samples discovered during the incident was a Golang-compiled EXE (3a743e2f63097aa15cec5132ad076b87a9133274) with a reference to a Golang source file whose path follows the same syntax as one of the identified IPfuscated samples.\r\n[0x0045d2c0]\u003e iz~go~Users\r\n4542 0x000d62e9 0x004d78e9 27 28 .rdata ascii C:/Users/76383/tmp/JzkFF.go\r\nGetProcAddress is called repeatedly, with 8-byte stack strings being used to form the WinAPI names to be located in memory.\r\nThe shellcode is stored as a cleartext hexadecimal string in the .rdata section. This string is read into a buffer and translated into binary, somewhat similar to the IPfuscated flow.\r\nBefore translation into binary:\r\nAfter translation into binary:\r\nControl flow is then passed to the shellcode, which is yet another Cobalt Strike stager attempting to download Beacon.\r\nConclusion\r\nOur incident response team is constantly intercepting early-use tactics, techniques and artifacts, with IPfuscation just the latest such technique deployed by malware authors. Such techniques prove that oftentimes a creative and ingenious approach can be just as effective as a highly sophisticated and advanced one, particularly when enterprise defense is based on security tools that rely on static signatures rather than on behavioral detection.\r\nIf you would like to learn how SentinelOne can help protect your organization regardless of the attack vector, contact us or request a free demo.\r\nIndicators of Compromise\r\nSHA1 | Description\r\nd83df37d263fc9201aa4d98ace9ab57efbb90922 | IPfuscated Cobalt Strike stager (Hell’s Gate variant)\r\n49fa346b81f5470e730219e9ed8ec9db8dd3a7fa | IPfuscated Cobalt Strike stager\r\nfa8795e9a9eb5040842f616119c5ab3153ad71c8 | IPfuscated Cobalt Strike stager\r\n6b5036bd273d9bd4353905107755416e7a37c441 | IPfuscated Cobalt Strike stager\r\n8a4408e4d78851bd6ee8d0249768c4d75c5c5f48 | IPfuscated Cobalt Strike stager\r\n6e91cea0ec671cde7316df3d39ba6ea6464e60d9 | IPfuscated Cobalt Strike stager\r\n24c862dc2f67383719460f692722ac91a4ed5a3b | IPfuscated Cobalt Strike stager\r\n415dc50927f9cb3dcd9256aef91152bf43b59072 | IPfuscated Cobalt Strike stager\r\n2ded066d20c6d64bdaf4919d42a9ac27a8e6f174 | IPfuscated Cobalt Strike stager (Hell’s Gate variant)\r\n27b5d056a789bcc85788dc2e0cc338ff82c57133 | IPfuscated Cobalt Strike stager\r\nSHA256 | Description\r\n065de95947fac84003fd1fb9a74123238fdbe37d81ff4bd2bff6e9594aad6d8b | UUID variant\r\n0809e0be008cb54964e4e7bda42a845a4c618868a1e09cb0250210125c453e65 | UUID variant\r\n12d2d3242dab3deca29e5b31e8a8998f2a62cea29592e3d2ab952fcc61b02088 | UUID variant\r\n130c062e45d3c35ae801eb1140cbf765f350ea91f3d884b8a77ca0059d2a3c54 | UUID variant\r\n39629dc6dc52135cad1d9d6e70e257aa0e55bd0d12da01338306fbef9a738e6b | UUID variant\r\n5086cc3e871cf99066421010add9d59d321d76ca5a406860497faedbb4453c28 | UUID variant\r\n56c5403e2afe4df8e7f98fd89b0099d0e2f869386759f571de9a807538bad027 | UUID variant\r\n60cfce921a457063569553d9d43c2618f0b1a9ab364deb7e2408a325e3af2f6f | UUID variant\r\n6240193f7c84723278b9b5e682b0928d4faf22d222a7aa84556c8ee692b954b0 | UUID variant\r\n6a222453b7b3725dcf5a98e746f809e02af3a1bd42215b8a0d606c7ce34b6b2b | UUID variant\r\n6bdd253f408a09225dee60cc1d92498dac026793fdf2c5c332163c68d0b44efd | UUID variant\r\n9c90c72367526c798815a9b8d58520704dc5e9052c41d30992a3eb13b6c3dd94 | UUID variant\r\n9cd407ea116da2cda99f7f081c9d39de0252ecd8426e6a4c41481d9113aa523e | UUID variant\r\na586efbe8c627f9bb618341e5a1e1cb119a6feb7768be076d056abb21cc3db66 | UUID variant\r\nc384021f8a68462348d89f3f7251e3483a58343577e15907b5146cbd4fa4bd53 | UUID variant\r\nc76671a06fd6dd386af102cf2563386060f870aa8730df0b51b72e79650e5071 | UUID variant\r\ne452371750be3b7c88804ea5320bd6a2ac0a7d2c424b53a39a2da3169e2069e9 | UUID variant\r\ne9bb47f5587b68cd725ab4482ad7538e1a046dd41409661b60acc3e3f177e8c4 | UUID variant\r\ne9da9b5e8ebf0b5d2ea74480e2cdbd591d82cd0bdccbdbe953a57bb5612379b0 | UUID variant\r\nefbdb34f208faeaebf62ef11c026ff877fda4ab8ab31e99b29ff877beb4d4d2b | UUID variant\r\nf248488eedafbeeb91a6cfcc11f022d8c476bd53083ac26180ec5833e719b844 | UUID variant\r\ne61ecd6f2f8c4ba8c6f135505005cc867e1eea7478a1cbb1b2daf22de25f36ce | MAC Address Variant\r\nf07a3c6d9ec3aeae5d51638a1067dda23642f702a7ba86fc3df23f0397047f69 | MAC Address Variant\r\n7667d0e90b583da8c2964ba6ca2d3f44dd46b75a434dc2b467249cd16bf439a0 | IPv6 Variant\r\n75244059f912d6d35ddda061a704ef3274aaa7fae41fdea2efc149eba2b742b3 | x86 IPv4 Variant\r\n7e8dd90b84b06fabd9e5290af04c4432da86e631ab6678a8726361fb45bece58 | x86 IPv4 Variant\r\nC2 | Description\r\n103.146.179.89 | Cobalt Strike server\r\nservice-5inxpk6g-1304905614.gz.apigw.tencentcs[.]com | Cobalt Strike server\r\nservice-kibkxcw1-1305343709.bj.apigw.tencentcs[.]com:80 | Cobalt Strike server\r\n1.15.80.102 | Cobalt Strike server\r\n175.178.62.140 | Cobalt Strike server\r\n84.32.188.238 | Cobalt Strike server\r\nYARA Rules\r\nimport \"pe\"\r\n\r\nrule IPfuscatedCobaltStrike\r\n{\r\n    meta:\r\n        description = \"IPfuscated Cobalt Strike shellcode\"\r\n        author = \"James Haughom @ SentinelLabs\"\r\n        date = \"2022-3-24\"\r\n        hash = \"49fa346b81f5470e730219e9ed8ec9db8dd3a7fa\"\r\n        reference = \"https://s1.ai/ipfuscation\"\r\n    strings:\r\n        $ipfuscated_payload_1 = \"252.72.131.228\"\r\n        $ipfuscated_payload_2 = \"240.232.200.0\"\r\n        $ipfuscated_payload_3 = \"0.0.65.81\"\r\n        $ipfuscated_payload_4 = \"65.80.82.81\"\r\n        $ipfuscated_payload_5 = \"86.72.49.210\"\r\n        $ipfuscated_payload_6 = \"101.72.139.82\"\r\n        $ipfuscated_payload_7 = \"96.72.139.82\"\r\n        $ipfuscated_payload_8 = \"24.72.139.82\"\r\n        $ipfuscated_payload_9 = \"32.72.139.114\"\r\n        $ipfuscated_payload_10 = \"80.72.15.183\"\r\n        $ipfuscated_payload_11 = \"74.74.77.49\"\r\n        $ipfuscated_payload_12 = \"201.72.49.192\"\r\n        $ipfuscated_payload_13 = \"172.60.97.124\"\r\n        $ipfuscated_payload_14 = \"2.44.32.65\"\r\n        $ipfuscated_payload_15 = \"193.201.13.65\"\r\n        $ipfuscated_payload_16 = \"1.193.226.237\"\r\n        $ipfuscated_payload_17 = \"82.65.81.72\"\r\n        $ipfuscated_payload_18 = \"139.82.32.139\"\r\n        $ipfuscated_payload_19 = \"66.60.72.1\"\r\n        $ipfuscated_payload_20 = \"208.102.129.120\"\r\n    condition:\r\n        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and\r\n        5 of ($ipfuscated_payload_*)\r\n}\r\n\r\nrule IPfuscationEnumUILanguages\r\n{\r\n    meta:\r\n        description = \"IPfuscation with execution via EnumUILanguagesA\"\r\n        author = \"James Haughom @ SentinelLabs\"\r\n        date = \"2022-3-24\"\r\n        hash = \"49fa346b81f5470e730219e9ed8ec9db8dd3a7fa\"\r\n        reference = \"https://s1.ai/ipfuscation\"\r\n    strings:\r\n        $err_msg = \"ERROR!\"\r\n    condition:\r\n        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and\r\n        $err_msg and\r\n        pe.imports(\"ntdll.dll\", \"RtlIpv4StringToAddressA\") and\r\n        pe.imports(\"kernel32.dll\", \"EnumUILanguagesA\")\r\n}\r\n\r\nrule IPfuscationHellsGate\r\n{\r\n    meta:\r\n        description = \"IPfuscation with execution via Hell's Gate\"\r\n        author = \"James Haughom @ SentinelLabs\"\r\n        date = \"2022-3-24\"\r\n        hash = \"d83df37d263fc9201aa4d98ace9ab57efbb90922\"\r\n        reference = \"https://s1.ai/ipfuscation\"\r\n    strings:\r\n        $err_msg = \"ERROR!\"\r\n        $syscall = { 4C 8B D1 8B 05 ?? ?? 00 00 0F 05 C3 }\r\n        $set_syscall_code = { C7 05 ?? ?? 00 00 00 00 00 00 89 0D ?? ?? 00 00 C3 }\r\n    condition:\r\n        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and\r\n        all of them and\r\n        pe.imports(\"ntdll.dll\", \"RtlIpv4StringToAddressA\")\r\n}\r\n\r\nrule IPfuscatedVariants\r\n{\r\n    meta:\r\n        author = \"@Tera0017/@SentinelOne\"\r\n        description = \"*fuscation variants\"\r\n        date = \"2022-3-28\"\r\n        hash = \"2ded066d20c6d64bdaf4919d42a9ac27a8e6f174\"\r\n        reference = \"https://s1.ai/ipfuscation\"\r\n    strings:\r\n        $code1 = { 33 D2 48 8B [2-3] FF 15 [4] 3D 0D 00 00 C0 }\r\n        $code2 = { B9 00 00 04 00 FF [9] 41 B8 00 00 10 00 }\r\n    condition:\r\n        any of them\r\n}\r\nMITRE ATT\u0026CK – Hive Ransomware Gang\r\nTTP | Description | MITRE ID\r\nBAT/PowerShell scripts | Automate pre-ransomware deployment actions | T1059\r\nScheduled Tasks | Execute the ransomware payload | T1053\r\nCobalt Strike | Primary implant / backdoor | S0154\r\nADFind | Active Directory enumeration | S0552 / T1087\r\nSharpHashSpray | Password spraying | T1110.003\r\nDomainHashSpray | Password spraying | T1110.003\r\nBloodHound/SharpHound | Active Directory enumeration | S0521 / T1087\r\nSigned Ransomware | Ransomware payload is digitally signed | T1587.002\r\nDomain Policy GPO | Deploy ransomware via GPO | T1484\r\nNet-GPPPassword | Steal cleartext passwords from Group Policy Preferences | T1552.006\r\nRubeus | Request Kerberos Ticket Granting Tickets | T1558\r\nSharpView | Active Directory enumeration | T1087\r\nRDP | Lateral movement via RDP | T1021.001\r\nSAM Dump | Credential theft | T1003.002\r\nSource: https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/"
	],
	"report_names": [
		"hive-ransomware-deploys-novel-ipfuscation-technique"
	],
	"threat_actors": [],
	"ts_created_at": 1775791259,
	"ts_updated_at": 1775791339,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b23b0904022d122b2a4745094ae1c081f9b421d6.pdf",
		"text": "https://archive.orkl.eu/b23b0904022d122b2a4745094ae1c081f9b421d6.txt",
		"img": "https://archive.orkl.eu/b23b0904022d122b2a4745094ae1c081f9b421d6.jpg"
	}
}
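The deobfuscation described in the report (IPv4, IPv6, UUID and MAC strings translated back into shellcode, and the byte-order detail behind the "252.72.131.228" / 0xE48348FC example) can be reproduced offline without executing a sample. The following Python is an added example written for this page; it is not SentinelOne's tooling and not code from the samples. It mirrors the in-memory layout that RtlIpv4StringToAddressA, RtlIpv6StringToAddressA, UuidFromStringA and RtlEthernetStringToAddressA produce, using the 20 dotted-quad strings from the page's own YARA rule as input. Assumptions: the IPv4 strings are in full four-octet form (Python's ipaddress module is strict, whereas the Windows API with Strict=FALSE also tolerates shorthand); MAC strings use "-" or ":" separators; and the UUID, MAC and IPv6 inputs shown in the demo are constructed here by re-encoding the recovered bytes, not strings lifted from the listed samples.

```python
"""Decode IPfuscated / IPv6 / UUID / MAC string arrays back into shellcode.

Added example for the SentinelOne write-up; not the authors' tooling and
not the malware's code. Reproduces the in-memory byte layout produced by
the Windows translation APIs named in the post so a triage script can
recover the payload statically.
"""
import ipaddress
import uuid

# The 20 dotted-quad strings from the page's IPfuscatedCobaltStrike YARA rule,
# i.e. the first 80 bytes of the obfuscated stager.
IPFUSCATED_IPV4 = [
    "252.72.131.228", "240.232.200.0", "0.0.65.81", "65.80.82.81",
    "86.72.49.210", "101.72.139.82", "96.72.139.82", "24.72.139.82",
    "32.72.139.114", "80.72.15.183", "74.74.77.49", "201.72.49.192",
    "172.60.97.124", "2.44.32.65", "193.201.13.65", "1.193.226.237",
    "82.65.81.72", "139.82.32.139", "66.60.72.1", "208.102.129.120",
]

# cld ; and rsp, -0x10 ; call <api_resolver>  : prologue of the common x64 stager.
STAGER_X64_PROLOGUE = bytes.fromhex("fc4883e4f0e8c8000000")
# ror r9d, 13  : the API-name hashing rotate inside the same stager.
ROR13_HASH_ROTATE = bytes.fromhex("41c1c90d")


def decode_ipv4(strings):
    # RtlIpv4StringToAddressA stores the IN_ADDR in network byte order, so the
    # octets land in memory in the order they are written in the string.
    return b"".join(ipaddress.IPv4Address(s).packed for s in strings)


def decode_ipv6(strings):
    # RtlIpv6StringToAddressA: 16 bytes in network order, same as .packed.
    return b"".join(ipaddress.IPv6Address(s).packed for s in strings)


def decode_uuid(strings):
    # UuidFromStringA fills a UUID struct: Data1 (DWORD) and Data2/Data3 (WORD)
    # are little-endian in memory, Data4 is a plain byte array. bytes_le matches.
    return b"".join(uuid.UUID(s).bytes_le for s in strings)


def decode_mac(strings):
    # RtlEthernetStringToAddressA: six bytes in written order ("xx-xx-xx-xx-xx-xx").
    # Assumption: "-" or ":" separators.
    out = bytearray()
    for s in strings:
        parts = s.replace(":", "-").split("-")
        if len(parts) != 6:
            raise ValueError("not a MAC address string: %r" % s)
        out += bytes(int(p, 16) for p in parts)
    return bytes(out)


DECODERS = {"ipv4": decode_ipv4, "ipv6": decode_ipv6, "uuid": decode_uuid, "mac": decode_mac}
CHUNK = {"ipv4": 4, "ipv6": 16, "uuid": 16, "mac": 6}


def encode(kind, blob):
    """Inverse of the decoders. Used here only to construct demo inputs for the
    IPv6/UUID/MAC variants; the real loaders ship these arrays pre-built."""
    size = CHUNK[kind]
    if len(blob) % size:
        blob += b"\x00" * (size - len(blob) % size)  # pad the tail to a whole element
    chunks = [blob[i:i + size] for i in range(0, len(blob), size)]
    if kind == "ipv4":
        return [str(ipaddress.IPv4Address(c)) for c in chunks]
    if kind == "ipv6":
        return [str(ipaddress.IPv6Address(c)) for c in chunks]
    if kind == "uuid":
        return [str(uuid.UUID(bytes_le=c)) for c in chunks]
    return ["-".join("%02x" % b for b in c) for c in chunks]


def recover(kind, strings):
    """Translate an extracted string array; flag the well-known x64 stager."""
    blob = DECODERS[kind](strings)
    is_stager = blob.startswith(STAGER_X64_PROLOGUE) and ROR13_HASH_ROTATE in blob
    return blob, is_stager


if __name__ == "__main__":
    blob, hit = recover("ipv4", IPFUSCATED_IPV4)
    print("ipv4:", blob[:16].hex(), "x64 stager:", hit)
    # The same 80 bytes as the other variants would carry them (constructed by
    # re-encoding; these are not strings taken from the samples).
    for kind in ("uuid", "mac", "ipv6"):
        encoded = encode(kind, blob)
        ok = recover(kind, encoded)[0][:len(blob)] == blob
        print(kind, encoded[0], "round-trip ok:", ok)
```

Two details worth noting for hunting. First, the UUID form is the only one that reorders bytes: the stager's opening FC 48 83 E4 F0 E8 C8 00 becomes the string "e48348fc-e8f0-00c8-…", so a search for the raw prologue hex across UUID strings misses, while the byte-swapped first fields are a usable indicator. Second, the recovered blob is the plain stager and can be fed straight to a disassembler or shellcode emulator to pull the C2.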