{
	"id": "1a3fe78d-075a-49b6-a533-3fbb224ef291",
	"created_at": "2026-04-06T00:07:48.608445Z",
	"updated_at": "2026-04-10T03:20:28.055553Z",
	"deleted_at": null,
	"sha1_hash": "c177a14f18a6d682397e93ca1bf9eec0eb0e3f7c",
	"title": "New MortalKombat ransomware and Laplas Clipper malware threats deployed in financially motivated campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3345346,
	"plain_text": "New MortalKombat ransomware and Laplas Clipper malware threats\r\ndeployed in financially motivated campaign\r\nBy Chetan Raghuprasad\r\nPublished: 2023-02-14 · Archived: 2026-04-05 19:48:51 UTC\r\nTuesday, February 14, 2023 08:00\r\nSince December 2022, Cisco Talos has been observing an unidentified actor deploying two relatively new threats, the\r\nrecently discovered MortalKombat ransomware and a GO variant of the Laplas Clipper malware, to steal\r\ncryptocurrency from victims.\r\nTalos observed the actor scanning the internet for victim machines with an exposed remote desktop protocol (RDP)\r\nport 3389, using one of their download servers that run an RDP crawler and also facilitates MortalKombat\r\nransomware.\r\nBased on Talos’ analysis of similarities in code, class name, and registry key strings, we assess with high confidence\r\nthat the MortalKombat ransomware belongs to the Xorist family.\r\nTalos continues to see attack campaigns targeting individuals, small businesses, and large organizations that aim to\r\nsteal or demand ransom payments in cryptocurrency. Leveraging cryptocurrency offers threat actors attractive\r\nbenefits such as anonymity, decentralization, and lack of regulation, making it more challenging to track.\r\nTalos recommends that users and organizations be meticulous about the recipient’s wallet address while performing\r\ncryptocurrency transactions. 
Talos encourages updating computers with the latest security updates, implementing\r\nrobust endpoint protection solutions with behavioral detection capabilities, and maintaining tested, offline backup\r\nsolutions for endpoints with a reasonable restoration time in the event of a ransomware attack.\r\nMulti-stage attack chain delivers malware or ransomware and removes infection markers\r\nA typical infection in this campaign begins with a phishing email and kicks off a multi-stage attack chain in which the actor\r\ndelivers either malware or ransomware, then deletes evidence of malicious files, covering their tracks and challenging\r\nanalysis.\r\nThe malicious ZIP file attached to the initial phishing email contains a BAT loader script. When a victim opens the loader\r\nscript, it downloads another malicious ZIP file from an attacker-controlled hosting server to the victim’s machine, inflates it\r\nautomatically, and executes the payload, which is either the GO variant of Laplas Clipper malware or MortalKombat\r\nransomware. The loader script will run the dropped payload as a process in the victim’s machine, then delete the\r\ndownloaded and dropped malicious files to clean up the infection markers.\r\nInfection summary flow diagram.\r\nhttps://blog.talosintelligence.com/new-mortalkombat-ransomware-and-laplas-clipper-malware-threats/\r\nPage 1 of 12\n\nCryptocurrency-themed email lure used as initial infection vector\r\nThe initial infection vector is a phishing email in which the attackers impersonate CoinPayments, a legitimate global\r\ncryptocurrency payment gateway. 
Additionally, the emails have a spoofed sender email, “noreply[at]CoinPayments[.]net”,\r\nand the email subject “[CoinPayments[.]net] Payment Timed Out.” A malicious ZIP file is attached with a filename\r\nresembling a transaction ID mentioned in the email body, enticing the recipient to unzip the malicious attachment and view\r\nthe contents, which is a malicious BAT loader.\r\nPhishing email sample.\r\nBAT loader used to deploy Laplas Clipper malware and MortalKombat ransomware\r\nTalos observed different attacks in this campaign where the actor used the BAT loader script to download and execute either\r\nLaplas Clipper malware or MortalKombat ransomware.\r\nThe BAT loader script uses the living-off-the-land binary (LoLBin) bitsadmin to download a malicious ZIP file from the\r\nattacker-controlled download server to the victim machine’s local user applications temporary folder. Using an embedded\r\nVB script, the BAT loader script inflates the downloaded malicious ZIP in the “%TEMP%” location and drops a malicious\r\nexecutable file with double file extensions “\u003cfilename\u003e.PDF.EXE”. The BAT loader script starts the dropped malware using\r\nthe Windows start command and deletes the downloaded ZIP file and the dropped payload.\r\nBAT loader downloading and executing MortalKombat ransomware.\r\nBAT loader downloading and executing Laplas Clipper malware.\r\nMortalKombat and Laplas Clipper payloads deployed to elicit cryptocurrency gains\r\nTalos observed the threat actor deploying MortalKombat ransomware and Laplas Clipper malware in this campaign, both\r\nused to steal cryptocurrency from the victim.\r\nMortalKombat ransomware functionality\r\nMortalKombat is a novel ransomware, first observed by threat researchers in January 2023, with little known about its\r\ndevelopers and operating model. 
The name of the ransomware and the wallpaper it drops on the victim system are almost\r\ncertainly a reference to the Mortal Kombat media franchise, which encompasses a series of popular video games and films.\r\nTalos observed that MortalKombat encrypts various files on the victim machine’s filesystem, such as system, application,\r\ndatabase, backup, and virtual machine files, as well as files on the remote locations mapped as logical drives in the victim’s\r\nmachine. It drops the ransom note and changes the victim machine’s wallpaper upon the encryption process. MortalKombat\r\ndid not show any wiper behavior or delete the volume shadow copies on the victim’s machine. Still, it corrupts Windows\r\nExplorer, removes applications and folders from Windows startup, and disables the Run command window on the victim’s\r\nmachine, making it inoperable. An example ransom note and the victim machine’s wallpaper of MortalKombat ransomware\r\nare shown below:\r\nMortalKombat’s ransom note and wallpaper.\r\nThe attacker uses qTOX, an instant messaging application available on the GitHub repository, to communicate with the\r\nvictim. qTOX’s developer claims the application offers users a secure channel without any monitoring, an attractive feature\r\nfor cybercriminals. In the ransom note, the attacker instructs the victim to use qTOX for communication and provides the\r\nattacker’s qTOX ID\r\n“DA639EF141F3E3C35EA62FF284200C29FA2E7E597EF150FDD526F9891CED372CBB9AB7B8BEC8”. The attacker\r\nalso provides the email address “hack3dlikeapro[at]proton[.]me” as an alternate means of communication.\r\nLaplas Clipper functionality\r\nLaplas Clipper malware is a relatively new clipboard stealer first observed by threat researchers in November 2022. 
The\r\nstealer belongs to the Clipper malware family, a group of malicious programs that specifically target cryptocurrency users.\r\nLaplas Clipper targets users by employing regular expressions to monitor the victim machine’s clipboard for their\r\ncryptocurrency wallet address. Once the malware finds the victim’s wallet address, it sends it to the attacker-controlled\r\nClipper bot, which will generate a lookalike wallet address and overwrite it to the victim’s machine’s clipboard. If victims\r\nsubsequently attempt to use the lookalike wallet address while performing transactions, the result will be a fraudulent\r\ncryptocurrency transaction. Laplas Clipper is available at hxxps[://]laplas[.]app for a relatively low cost, with subscription\r\nrates ranging from $49 per week to $839 per year.\r\nLaplas Clipper purchasing options.\r\nThe Laplas Clipper developers are actively producing new variants of the malware. On December 20, 2022, the developers\r\nannounced via their Telegram channel a new Clipper variant written in C++ and available as an EXE and DLL. The\r\ndevelopers also mentioned they plan to release future updates that will add the capability to check the victim’s\r\ncryptocurrency wallet balance.\r\nLaplas Clipper developers’ announcement.\r\nTwo download URLs identified in the attacker’s infrastructure\r\nTalos spotted two download URLs associated with the attacks in this campaign. One of them reaches an attacker-controlled\r\nserver via IP address 193[.]169[.]255[.]78, based in Poland, to download the MortalKombat ransomware. According to\r\nTalos’ analysis, 193[.]169[.]255[.]78 is running an RDP crawler, scanning the internet for exposed RDP port 3389.\r\nThe other URL downloads the Laplas Clipper payload from the transfer[.]sh server associated with IP address\r\n144[.]76[.]136[.]153. 
The Laplas Clipper malware employed in the attacks communicates with the Clipper bot at\r\n“clipper[.]guru”. The Clipper bot and the communication URL patterns of the GO Laplas Clipper variant identified are\r\nconsistent with the .Net Laplas Clipper variant reported by the security researchers at Cyble.\r\nTechnical analysis of the payloads reveals unique identifiers\r\nTalos conducted extensive technical analysis on MortalKombat ransomware and the GO variant of the Laplas Clipper\r\nmalware, discovering unique identifiers and capabilities.\r\nMortalKombat ransomware technical analysis\r\nMortalKombat ransomware is a 32-bit Windows executable with numerous destructive capabilities. In the initial phase of its\r\nexecution, it copies itself into the local user profile’s applications temporary folder with a random filename. The ransomware\r\nexecutable filename identified in this campaign is “E7OKC9s3llhAD13.exe”. The ransomware also drops a JPEG image file\r\nin the local user profile’s application temporary folder, which loads as the victim’s wallpaper.\r\nMortalKombat performs time stomping on the newly created file in the temporary folder by modifying the creation time\r\nwith the value “Wednesday, September 7, 2022, 8:06:35 PM”. Talos has not identified the ransomware operator’s intention\r\nbehind the hardcoded date and time.\r\nThe ransomware loads its encrypted, embedded resources from its .rsrc section. 
It decrypts the resources in the victim\r\nmachine’s memory and generates an extensive list of file extensions for the ransomware to target, along with the ransom\r\nnote and the file extension for the encrypted files.\r\nList of file extensions the MortalKombat targets.\r\nThe ransomware establishes persistence by creating a Run registry key with the name “Alcmeter” and adding the absolute\r\npath of the ransomware executable file in the local user profile’s applications temporary folder. MortalKombat also registers\r\nits classes, filename extension, and icon for the encrypted files through the defaulticon registry key and shell open command\r\nkeys.\r\nThe below table shows the registry key value pairs created by the ransomware:\r\nRegistry Key\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Alcmeter\r\nHKEY_CLASSES_ROOT\\ZJKCLJAULDZDACP\r\nHKEY_CLASSES_ROOT\\..Remember_you_got_only_24_hours_to_make_the_payment_if_you_dont_pay_prize_will_triple_Mortal_Kombat_Ransom\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\ZJKCLJAULDZDACP\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\..Remember_you_got_only_24_hours_to_make_the_payment_if_you_dont_pay_prize_will_triple_M\r\nHKEY_CLASSES_ROOT\\ZJKCLJAULDZDACP\\DefaultIcon\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\ZJKCLJAULDZDACP\\DefaultIcon\r\nHKEY_CLASSES_ROOT\\ZJKCLJAULDZDACP\\shell\\open\\command\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\ZJKCLJAULDZDACP\\shell\\open\\command\r\nMortalKombat discovers and maps the logical drives of the victim’s machine, appends “\\*.*” and searches through all\r\nfolders recursively. 
The ransomware enumerates every file and matches the file extension using the extensive list of file\r\nextensions decrypted from the ransomware’s resource section. In the event of a match, the ransomware encrypts the files and\r\nappends a new file extension\r\n“..Remember_you_got_only_24_hours_to_make_the_payment_if_you_dont_pay_prize_will_triple_Mortal_Kombat_Ransomware”\r\nto the encrypted files. Simultaneously, the ransom note file “HOW TO DECRYPT FILES.txt” will be created in every folder\r\nwhere the files are encrypted. Upon successfully encrypting the files, the ransomware changes the victim machine’s\r\nwallpaper by loading the dropped JPEG image from the local user’s application temporary folder. The ransomware also\r\ncorrupts the deleted files in the recycle bin folder and changes the file names and types, as seen below:\r\nModified recycle bin of the victim’s machine after MortalKombat execution.\r\nFinally, the ransomware removes the applications and folders from the Windows startup and disables the Windows run\r\ncommand window. It deletes the root registry key of the installed applications in the HKEY_CLASSES_ROOT registry hive\r\nusing the API RegDeletekeyA, cleaning up its infection markers.\r\nThe function that deletes the registry keys.\r\nMortalKombat is likely part of the Xorist ransomware family\r\nTalos’ analysis of MortalKombat uncovered similarities with Xorist variants seen in the wild and the Xorist executable\r\ngenerated by the leaked builder. Xorist is a ransomware family that appeared in 2010 and has evolved with several variants\r\ncreated using a ransomware builder. The ease with which the Xorist variants can be customized allows threat actors to build\r\nnew variants with different names, encryption file extensions, and custom ransom notes.\r\nTalos found a leaked version of the Xorist builder where the builder interface options closely resembled an actual Xorist\r\nransomware builder interface, as shown in a report by PCrisk. 
The builder generates a ransomware executable file that the\r\nattackers can further customize.\r\nLeaked Xorist builder interface.\r\nTalos observed that the ClassName string “X0r157” and the persistent registry key string “Alcmeter” in the MortalKombat\r\nbinary are consistent with the Xorist variants seen in the wild and with the ransomware executable generated by the leaked\r\nXorist builder.\r\nCode similarities in the Xorist, MortalKombat, and leaked builder-generated sample.\r\nComparing the Xorist variant and the MortalKombat binaries showed Talos similarities in the code, leading us to assess with\r\nhigh confidence that the MortalKombat ransomware belongs to the Xorist ransomware family.\r\nBindiff results of Xorist and MortalKombat Ransomware.\r\nLaplas Clipper technical analysis\r\nThe GO variant of the Laplas Clipper identified in this campaign is a 32-bit executable downloaded from the attacker-controlled hosting server with persistence capabilities. 
In the initial phase of its execution, the Clipper decrypts a few of the\r\nembedded encrypted strings with a decryption routine that first decodes the base64 encoded strings and then decrypts them\r\nwith the XOR key “\\x3F” to generate the key, folder name, process ID file, and executable filenames.\r\nString decryption function of Laplas Clipper malware.\r\nThe below table shows the strings associated with the GO Clipper malware of this campaign:\r\nEncrypted strings Decrypted string\r\nW10IW10PWgwHWgZeXQxaCloIXg1dBlwMXVsIDQsLWQtZDQ0NDlsJWVpZC10GXA1dCg5aC14HWVkJXlpeBg0KXA== db7db0e38e9ab3e\r\nXFNWT09aTRFYSk1K clipper[.]guru\r\ncG5eZ295aUlZaA== OQaXPFVvfW\r\ne1tQWnxUXlVtWRFPVls= DdoeCkajRf.pid\r\na3xwfX5WTGVGcxFaR1o= TCOBAisZyL.exe\r\nAfter the string decryption routine, the Clipper establishes persistence on the victim’s machine by creating a folder using the\r\ndecrypted string “OQaXPFVvfW” in the local user profile’s applications roaming folder and copies itself into the folder\r\nwith the filename using another decrypted string “TCOBAisZyL.exe.” The absolute path of the persistent location identified\r\nin this campaign is “C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\OQaXPFVvfW\\TCOBAisZyL.exe.”\r\nLaplas Clipper also creates a Windows scheduled task by executing the schtasks command shown below:\r\ncmd.exe /C schtasks /create /tn OQaXPFVvfW /tr ”C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\OQaXPFVvfW\\TCOBAisZyL.exe”\r\n/st 00:00 /du 9999:59 /sc once /ri 1 /f\r\nThe scheduled task executes the Clipper malware every minute for 416 days on the victim’s machine, resulting in\r\ncontinuous monitoring of the victim’s clipboard for a cryptocurrency wallet address. The attacker uses the technique of\r\nexecuting the malware through scheduled tasks to evade detection.\r\nA main handler function of the Clipper malware executes its functionality. First, it registers the victim’s machine with the\r\nClipper bot by sending the victim’s desktop name and user ID. 
The Clipper then sends another request to the Clipper bot and\r\nreceives the regular expressions in the victim’s system memory. The Clipper reads the victim machine’s clipboard contents\r\nand executes a function to perform regular expression pattern matching to detect the cryptocurrency wallet address. When a\r\ncryptocurrency wallet address is identified, the Clipper sends the wallet address back to the Clipper bot. In response, the\r\nClipper receives an attacker-controlled wallet address similar to the victim’s and overwrites the original cryptocurrency\r\nwallet address in the clipboard.\r\nThe regular expressions of cryptocurrency wallet addresses received by the Clipper malware from the Clipper bot are shown\r\nbelow:\r\nRegular expressions received Cryptocurrencies\r\n1[1-9A-HJ-NP-Za-km-z]{32,33}\r\n3[1-9A-HJ-NP-Za-km-z]{32,33}\r\nX[1-9A-HJ-NP-Za-km-z]{33}\r\n[1-9A-HJ-NP-Za-km-z]{44}\r\nDash\r\nBc1q[023456789acdefghjklmnpqrstuvwxyz]{38,58} Bitcoin\r\nq[a-z0-9]{41}\r\np[a-z0-9]{41}\r\nBitcoin Cash\r\nL[a-km-zA-HJ-NP-Z0-9]{33}\r\nM[a-km-zA-HJ-NP-Z0-9]{33}\r\nZcash\r\nltc1q[a-zA-Z0-9]{38} Litecoin\r\n0x[a-fA-F0-9]{40} Ethereum\r\nBnb1[0-9a-z]{38} Binance coin\r\nD[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32} Dogecoin\r\n4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\r\n8[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\r\nMonero\r\nr[0-9a-zA-Z]{33} Ripple\r\nt1[a-km-zA-HJ-NP-Z1-9]{33} Tezos\r\nronin:[a-fA-F0-9]{40} Ronin\r\nT[A-Za-z1-9]{33} Tron\r\naddr1[a-z0-9]+ Cardano\r\ncosmos1[a-z0-9]{38} Cosmos\r\nCommunication with the attacker-controlled Clipper bot is performed using the HTTP GET method. 
Talos compiled a list of\r\nthe URLs the Clipper malware generates to communicate with the Clipper bot “clipper[.]guru”, seen below:\r\nURLs Purpose\r\nhxxp[://]clipper[.]guru/bot/online?guid=\u003cDESKTOP-NAME\u003e\\\r\n\u003cUSERID\u003e\u0026key=db7db0e38e9ab3e5e7a2b9c3bd7244f4f2221d6fef4b9c2b51e4a8ff6aea925c\r\nRegisters Victim’s\r\nmachine with the\r\nclipper bot\r\nhxxp[://]clipper[.]guru/bot/regex?\r\nkey=db7db0e38e9ab3e5e7a2b9c3bd7244f4f2221d6fef4b9c2b51e4a8ff6aea925c\r\nGets the regular\r\nexpression patterns\r\nfrom the clipper bot\r\nhxxp[://]clipper[.]guru/bot/get?address=\u003cVictims crypto wallet address copied from the\r\nclipboard\u003e\u0026key=db7db0e38e9ab3e5e7a2b9c3bd7244f4f2221d6fef4b9c2b51e4a8ff6aea925c\r\nSends the victim’s\r\ncrypto wallet address\r\nto the clipper bot\r\nTalos created two dummy Ethereum wallets in Metamask for analysis purposes. During our analysis, the Clipper malware\r\nsent our dummy Ethereum wallet address to the Clipper bot from the analysis sandbox’s clipboard. 
In return, we received\r\nthe attacker-controlled wallet address that looked similar to our original wallet address.\r\nClipper malware copies the wallet address from the victim’s clipboard.\r\nThe table below shows the cryptocurrency wallet address sent from our analysis machine and the corresponding address\r\nreceived from the Clipper bot “clipper[.]guru”:\r\nCryptocurrency wallet address sent from the analysis\r\nmachine\r\nCryptocurrency wallet address received from the\r\nClipper bot\r\n0x516DE893B9c9430066bC1116Feaa6E09A6349d83 0x516Acfd0bae6e65A45e0808c6Ae7560d9622B246\r\n0xbd0b7a89674A0CFf1870b5aC65578b39172979f9 0xbd04EeD05CE7C532670A4564Ae6acbE849a7dB97\r\nThe attacker-controlled wallet addresses received from the Clipper bot are valid, and their status can be seen in the\r\nblockchain shown below:\r\nBlockchain showing the attacker-controlled wallet details.\r\nVictimology\r\nTalos observed that victims of this campaign are predominantly located in the United States, with a smaller percentage of\r\nvictims in the United Kingdom, Turkey, and the Philippines.\r\nMITRE ATT\u0026CK TTPs\r\nThe campaign demonstrates several techniques of the MITRE ATT\u0026CK framework that the actor has employed in their attacks,\r\nmost notably:\r\nCommand-Line Interface - T1059\r\nScripting - T1064\r\nExecution through API - T1106\r\nBITS Jobs - T1197\r\nRegistry Run Keys / Startup Folder - T1060\r\nModify Registry - T1112\r\nSystem Information Discovery - T1082\r\nFile and Directory Discovery - T1083\r\nQuery Registry - T1012\r\nPeripheral Device Discovery - T1120\r\nExfiltration Over Unencrypted Non-C2 Protocol - T1048.003\r\nData Encrypted for Impact - T1486.\r\nCoverage\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in\r\nthis post. 
Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their\r\ncampaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense\r\nVirtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure\r\nproducts.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs,\r\nwhether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests\r\nsuspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for\r\npurchase on Snort.org. Snort SIDs for this threat are 61261-61265, 300397.\r\nClamAV detections are also available for this threat:\r\nWin.Infostealer.Laplas-9985973-1\r\nWin.Trojan.CryptoTorLocker2015-1\r\nTxt.Downloader.VbsAgent-9986821-1\r\nOrbital Queries\r\nCisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are\r\ninfected with this specific threat. 
For specific OSqueries related to this threat, please follow the links:\r\nMortalkombat Ransomware File Extension Artifact\r\nMortalkombat Ransomware Registry Persistence Artifact\r\nIndicators of Compromise\r\nIndicators of Compromise associated with this threat can be found here.\r\nSource: https://blog.talosintelligence.com/new-mortalkombat-ransomware-and-laplas-clipper-malware-threats/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/new-mortalkombat-ransomware-and-laplas-clipper-malware-threats/"
	],
	"report_names": [
		"new-mortalkombat-ransomware-and-laplas-clipper-malware-threats"
	],
	"threat_actors": [],
	"ts_created_at": 1775434068,
	"ts_updated_at": 1775791228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c177a14f18a6d682397e93ca1bf9eec0eb0e3f7c.pdf",
		"text": "https://archive.orkl.eu/c177a14f18a6d682397e93ca1bf9eec0eb0e3f7c.txt",
		"img": "https://archive.orkl.eu/c177a14f18a6d682397e93ca1bf9eec0eb0e3f7c.jpg"
	}
}