{
	"id": "76f24c97-9785-4b2f-b6c5-02c225a073f6",
	"created_at": "2026-04-06T00:09:13.761026Z",
	"updated_at": "2026-04-10T03:24:16.974537Z",
	"deleted_at": null,
	"sha1_hash": "bb0870e1da7b10e993ff7dd72397b8a6406ca8f1",
	"title": "How to target European SMEs with Ransomware? Through Zyxel!",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1192618,
	"plain_text": "How to target European SMEs with Ransomware? Through Zyxel!\r\nBy L M\r\nPublished: 2024-11-22 · Archived: 2026-04-05 16:42:20 UTC\r\nExecutive Summary\r\nThe ransomware attack we analyzed was executed in under 1.5 hours, significantly faster than previously reported human-operated attacks, highlighting the escalating speed of these threats.\r\nThe threat actor used malware-less lateral movement techniques, leveraging existing system tools like Remote Desktop, coupled with manual credential harvesting and alterations to firewall configurations to accelerate their attack.\r\nWe observed two distinct waves of extortion activity — an earlier wave back in September 2024 using the “unitui57” identifier and a later wave attributed to Helldown activities reported by Sekoia and TrueSec, suggesting evolving tactics or a merging of threat actor operations over time.\r\nZyxel’s response to these incidents has been vague, with no clear identification of the vulnerabilities exploited, raising concerns about undisclosed vulnerabilities or a potential supply chain compromise following an August 2024 breach.\r\nIntroduction\r\nRecent ransomware attacks are far faster than in the past, especially against SMEs. We recently investigated a case that outpaced even the 5-day dwell time for ransomware attacks reported in Mandiant’s M-Trends 2024 and was even faster than the 3-hour cases reported by The DFIR Report (1, 2). The actor we were tracking completed the entire attack kill chain in under 1.5 hours — starting with initial access, progressing through hands-on-keyboard lateral movement, and culminating in ransomware deployment. Furthermore, we could associate this activity cluster with the recently disclosed Helldown operations discussed within the community.\r\nhttps://medium.com/@lcam/how-to-target-european-smes-with-ransomware-through-zyxel-c9779e96369a\r\nPage 1 of 9\n\nIn this article, we share our findings from an investigation into an emerging ransomware operator active since at least September 2024. Our goal is to provide a clearer understanding of the threats currently facing SMEs, which form a crucial part of the broader enterprise supply chain.\r\nTechnical Details\r\nIntrusion’s TTPs\r\nDuring our investigation, we uncovered numerous technical details, but here we’ll focus on those essential for profiling the threat actor and their malicious toolkit.\r\nFirst things first, the initial access. We observed the threat actor leveraging direct SSL VPN connections over Zyxel firewalls. This was the starting point of all the actor’s activity; in the cases we investigated, the actor was able to use Active Directory administrative credentials from the very first step inside the victim’s internal network. But don’t worry, we’ll discuss later how they could have obtained them, because it is a peculiar point that opens up many speculations.\r\nAlso, the actor conducted lateral movement in a malware-less way, through Remote Desktop (mstsc.exe): nothing new, but extremely effective, especially when targeting organizations without advanced user behavioral analytics and lacking advanced detection mechanisms in place. Anyway, in its “living-off-the-land” frenzy, and maybe also thanks to the short time frame of the intrusion, the attacker made some mistakes and revealed its own Windows hostname: ALICE43E9.\r\nThe actor’s internal network discovery phase is pretty trivial but effective. As in many other intrusions, we observed the download and usage of the Advanced IP Scanner tool, a legitimate tool by Famatech Corp, in a particular version: 2.5.4594.1, the latest available, built back in 2022.\r\nHowever, here comes one of the peculiarities of this actor. The crooks also modified the Zyxel configuration by adding a couple of high-priority ACL rules: two ANY ANY rules flattening the whole internal network (“Policy-Control_NPF” and “Policy-Control_IPX”). This way, the threat actors were able to speed up the discovery of valuable hosts, such as the ESXi nodes and Veeam backup servers.\r\nThe cybercriminals also showed credential harvesting capabilities through the manual analysis of configuration files, for instance Veeam ones, and by extracting credentials from Veeam’s encrypted database with tools like “Veeam-Get-Creds.ps1”.\r\nRegarding the “action on objective” part of the kill chain, we observed the actor’s capability to operate directly on ESXi nodes, running the ransomware payload there to encrypt the virtual disk images on the nodes, ending up with a ransom request like this:\r\nFigure. Example of ransom request\r\nHere we noticed a few more peculiarities. During their encryption operation, the threat actor was also leveraging a quite peculiar tool to monitor the status of the compromised internal server: “HRSword”. This tool appears to be associated with the open-source “Huorong Sword GUI Frontend” by Beijing Huorong Network Technology Co., Ltd., popular in Chinese-speaking circles.\r\nThis tool is also mentioned as part of the kill chain observed in recent Hellcat intrusions by both TrueSec and Sekoia, and this peculiarity gives us another clue that the intrusions may be operated by the same threat cluster.\r\nNevertheless, we conducted further investigations, particularly focusing on the malicious artifacts, and uncovered something potentially unique and worth noting.\r\nMalicious Artifacts — Did we miss something?\r\nWe decided to dig deeper into the criminal communication channels linked to this intrusion cluster, and that’s when we noticed something interesting.\r\nSpecifically, we found evidence of earlier extortion activity in the wild using the same TOX and email extortion channels. These operations, it turns out, began well before the 31 Oct 2024 tweet by @TuringAlex reported by Sekoia, and even before Zyxel’s bulletin on 9 Oct 2024.\r\nAlthough the Helldown ransomware note started circulating in the wild on November 19, 2024 (hashes: 47635e2cf9d41cab4b73f2a37e6a59a7de29428b75a7b4481205aee4330d4d19 and cb48e4298b216ae532cfd3c89c8f2cbd1e32bb402866d2c81682c6671aa4f8ea, as also reported by Sekoia), we observed a different stream of extortion attempts that we were able to trace back to the early days of September 2024, at least the 16th.\r\nWe identified a series of ransom notes referencing the “unitui57” email account and the TOX ID 0DA1273FBA71042128CF800A3021BA695D702C9D6BCF0257333A22927E2D4A5C569C3ADAE7A9, which differ from those associated with Helldown. Alongside the ransom notes, we uncovered evidence of the Windows encryption tool used during this early wave of attacks.\r\nFigure. Samples matching “helldown” (Source: ReversingLabs)\r\nFigure. Samples matching “unitui57” (Source: ReversingLabs)\r\nThis Windows sample (hash: fdb069d1e7d5474007ec4a9e8e0c84b7c70dcd6a) matched an old 2023 Astralocker YARA signature from Malpedia by @fxb_b. This is particularly intriguing because Astralocker’s code was based on the old leaked Babuk code, which aligns with the extensive Babuk attributions observed on VT. Interestingly, this Windows locker seems different from the Helldown ones attributed to the later attack waves (hashes: b81df159e7e338a3159f27ef3358094f, be37cd010227d7b953b07b93d2e5dadc).\r\nFigure. Matching YARA sequence on fdb069d1e7d5474007ec4a9e8e0c84b7c70dcd6a\r\nAdditionally, even the extortion note from the September wave looks quite different from the November Hellcat ones. The “unitui57” note doesn’t mention the Helldown group or their leak site, while the latter does. However, despite this discrepancy in the Windows encryption operations, we uncovered some intriguing connections in the ESXi part — so, keep reading the next section.\r\nFigure. Comparison between Helldown ransom note (left) and the September wave’s one (right)\r\nDigging the ESXi Code\r\nWe dissected and had the chance to analyze a piece of malware code tied to the previously mentioned September wave, let’s call it “unitui57” for short. Notably, the decryption utility from the “unitui57” wave shares the same compiler metadata as the October/November wave, explicitly linked to Helldown.\r\nFigure. September wave ESXi decryptor (3f8aeeec35c6fc2ba8d43c03322a17ce, left), “helldown” wave ESXi encryptor (64cc86931bab241dcc08db03e659bcc5, right)\r\nMore interestingly, we noticed that the two samples share a common structure in their encryption/decryption routines, utilizing the Salsa algorithm and implementing compatible intermittent encryption methods.\r\nFigure. Decryption loop of the ESXi decryptor, September wave (left); encryption loop of the ESXi encryptor, helldown wave (right)\r\nGiven this similarity, we believe the ESXi locker used during the early September wave is also likely attributable to the Helldown organization.\r\nThe (Very Opaque) Zyxel Response\r\nOn 9th October 2023, Zyxel released a security bulletin (link), stating they were tracking “unspecified” threat actors targeting Zyxel devices. The bulletin noted, “In some cases where AD is used and its administrator credentials were also stolen, the hacker uses the SSL VPN connection to access the AD server and encrypt files”.\r\nAside from a few IoCs — such as the ACL rule names — the clarity stops there. The vendor merely states that these attacks exploited “previous vulnerabilities on earlier firmware versions: ZLD V4.32 to ZLD V5.38”, without referencing any specific CVEs. Instead, they simply advised users to “upgrade your device to the LATEST firmware (V5.39) if it is still not upgraded”.\r\nAlso, on 21 Nov 2024 (link), Zyxel issued another bulletin on the same topic. But, as usual, clarity isn’t their strong suit. This time, they just stated: “We confirm that the reported issues are not reproducible on firmware version 5.39, released on September 3, 2024”.\r\nSo, with this little bit of information in hand, we dove into the latest known CVEs associated with Zyxel firewall products, including those highlighted in Zyxel’s 2024–09–03 security bulletin, the one famously (and indirectly) referenced in the two prior bulletins. But here’s the spoiler: we found no smoking gun, even after analyzing the reserved incident-related data we had at our disposal (and, if anyone could share info about this, it would be great!).\r\n+----------------+---------------+------------------------------------------------------------+\r\n| Vulnerability  | PoC           | Exploitability Assessment Related to Ransomware Intrusions |\r\n+----------------+---------------+------------------------------------------------------------+\r\n| CVE-2023-6397  | N/A           | Improbable (authenticated DoS)                             |\r\n| CVE-2023-6398  | N/A           | Less likely (authenticated RCE)                            |\r\n| CVE-2023-6399  | N/A           | Improbable (authenticated DoS)                             |\r\n| CVE-2023-6764  | N/A           | Less likely (unauthenticated RCE requiring detailed        |\r\n|                |               | knowledge of device’s memory layout and configuration)     |\r\n| CVE-2023-48795 | PoC available | Improbable (SSH MITM)                                      |\r\n| (Terrapin)     |               |                                                            |\r\n| CVE-2024-3596  | PoC available | Less likely (RADIUS request forgery)                       |\r\n| CVE-2024-6343  | N/A           | Improbable (authenticated DoS)                             |\r\n| CVE-2024-6387  | PoC available | Less likely (unauthenticated RCE requiring a race          |\r\n| (regreSSHion)  |               | condition win)                                             |\r\n| CVE-2024-7203  | PoC available | Less likely (authenticated RCE)                            |\r\n| CVE-2024-42057 | N/A           | Less likely (unauthenticated RCE requiring User-Based-     |\r\n|                |               | PSK authentication mode and a valid user with a            |\r\n|                |               | username exceeding 28 characters)                          |\r\n| CVE-2024-42058 | N/A           | Improbable (unauthenticated DoS)                           |\r\n| CVE-2024-42059 | N/A           | Less likely (authenticated RCE)                            |\r\n| CVE-2024-42060 | N/A           | Less likely (authenticated RCE)                            |\r\n| CVE-2024-42061 | N/A           | Improbable (reflected XSS)                                 |\r\n+----------------+---------------+------------------------------------------------------------+\r\nAnyway, just a couple more interesting tidbits: the community discussion about the 03/09 patch seems to have disappeared, and in August 2024, Zyxel was compromised by Helldown. The criminal gang claimed to have exfiltrated 253 GB of internal documents — possibly including source code?\r\nFigure. Sep 3rd patch community discussion\r\nFigure. Zyxel compromise claimed on the Helldown leak site\r\nConclusion\r\nThe attack chain we investigated aligns with the October/November cases mentioned by Sekoia. Thanks to the evidence we uncovered, we were able to link this campaign to the September wave referenced in the same Sekoia article, which is likely tied to the Zyxel bulletin issued on October 9th.\r\nIn the early phase of this campaign, the threat actor appeared to have deliberately concealed their connection to the Helldown group and even used a different locker for Windows environments. This raises several hypotheses about their behavior — perhaps Helldown wanted to distance themselves from these activities, or maybe the initial threat actor joined Helldown a few weeks later. It’s hard to say for certain.\r\nAnother unresolved issue is the hypothetical vulnerability exploited by the attacker. Zyxel’s statements remain carefully vague, and our analysis of known exploitable vulnerabilities didn’t uncover any definitive evidence. This leaves room for speculation — ranging from the possibility of an undocumented 0-day to a supply chain compromise linked to the August intrusions. What is clear, however, is that Zyxel’s position remains ambiguous. Despite their community and security team being involved in these cases from the start, the lack of clarity is puzzling, and the reasons for this remain unclear.\r\nIndicators of Compromise\r\nExtortion channels:\r\nTox ID: 0DA1273FBA71042128CF800A3021BA695D702C9D6BCF0257333A22927E2D4A5C569C3ADAE7A9\r\nunitui57@onionmail[.]org\r\nTox ID: 19A549A57160F384CF4E36EE1A24747ED99C623C48EA545F343296FB7092795D00875C94151E\r\nhelldows@onionmail[.]org\r\nThreat Actor operator workstation:\r\nALICE43E9\r\nSource: https://medium.com/@lcam/how-to-target-european-smes-with-ransomware-through-zyxel-c9779e96369a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@lcam/how-to-target-european-smes-with-ransomware-through-zyxel-c9779e96369a"
	],
	"report_names": [
		"how-to-target-european-smes-with-ransomware-through-zyxel-c9779e96369a"
	],
	"threat_actors": [
		{
			"id": "a602818a-34da-445f-9bac-715cc9b47a3d",
			"created_at": "2025-07-12T02:04:58.190857Z",
			"updated_at": "2026-04-10T02:00:03.850831Z",
			"deleted_at": null,
			"main_name": "GOLD PUMPKIN",
			"aliases": [
				"HellCat"
			],
			"source_name": "Secureworks:GOLD PUMPKIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf",
			"created_at": "2022-10-25T16:07:24.467088Z",
			"updated_at": "2026-04-10T02:00:05.000485Z",
			"deleted_at": null,
			"main_name": "Circles",
			"aliases": [],
			"source_name": "ETDA:Circles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434153,
	"ts_updated_at": 1775791456,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bb0870e1da7b10e993ff7dd72397b8a6406ca8f1.pdf",
		"text": "https://archive.orkl.eu/bb0870e1da7b10e993ff7dd72397b8a6406ca8f1.txt",
		"img": "https://archive.orkl.eu/bb0870e1da7b10e993ff7dd72397b8a6406ca8f1.jpg"
	}
}