{
	"id": "ea6f737b-7922-41c8-9205-fe10139d91ac",
	"created_at": "2026-04-06T00:09:34.258701Z",
	"updated_at": "2026-04-10T03:24:29.219417Z",
	"deleted_at": null,
	"sha1_hash": "d07b829a5a79775cb395d46608f35ee272b887b0",
	"title": "Can You See It Now? An Emerging LockBit Campaign | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 635189,
	"plain_text": "Can You See It Now? An Emerging LockBit Campaign |\r\nFortiGuard Labs\r\nBy Eliran Voronovitch\r\nPublished: 2023-03-01 · Archived: 2026-04-02 12:07:23 UTC\r\nFortiGuard Labs observed a new LockBit ransomware campaign in December 2022 and January 2023 that uses a\r\ncombination of techniques effective against AV and EDR solutions. LockBit has been one of the more dangerous\r\nransomware families, active since 2019, and has been used in several successful attacks against a wide variety of industries,\r\nincluding critical infrastructure.\r\nThis blog post discusses the infection chain and Tactics, Techniques, and Procedures (TTPs) of this campaign.\r\nOverview\r\nDescriptions of the attack refer to the stages outlined in Figure 1 below. The attack starts with a .img container (1)\r\nand a social engineering technique: once the image is mounted, a single file is displayed while the rest of its files\r\nare hidden from the user. The same trick can also cause malware analysts to miss the payloads while examining the samples manually.\r\nFigure 1: Campaign execution stages\r\nThe user is then prompted to open the single visible shortcut (2) file.\r\nhttps://www.fortinet.com/blog/threat-research/emerging-lockbit-campaign\r\nPage 1 of 7\r\nFigure 2: Contents of the .img file, including the hidden files\r\nIn some of the cases we observed, a Python script is executed (2.1) using the official Python embeddable\r\npackage. The only purpose of the script is to run the subsequent BAT scripts. Some variants used a known UAC\r\nbypass method abusing the legitimate fodhelper.exe (3.1). This enables the attacker’s BAT file to run in a new\r\nelevated process without the user’s approval.\r\nFigure 3: UAC bypass implementation.\r\nThe BAT script (4) does several things:\r\n1. Changes the password of the logged-in user.\r\n2. Copies its files to C:\\ProgramData.\r\n3. Ensures that after the system reboots, it logs in without user interaction (using Sysinternals Autologon).\r\n4. Tries to:\r\na. Set the next reboot to be in Safe Mode using bcdedit.exe.\r\nb. Register a new service that will run its VBS script (4.1) using sc.exe.\r\nc. Set the service to also run in Safe Mode using reg.exe.\r\n5. If that fails, it sets a registry value so that Winlogon runs a BAT file (4.2) as an alternative UI shell at logon.\r\n6. Reboots the machine.\r\nFigure 4: Persistence of the BAT file (4.2).\r\nThe ransomware executable resides within a password-protected archive. The script that runs after boot executes\r\nanother BAT script (4.3) to extract the ransomware payload. It uses the 7-Zip archiver to extract the executable and then runs it with a ‘-pass’ argument that the malicious executable needs in order to unpack itself.\r\nFigure 5: Command inside BAT script (4.3) decrypting and running the ransomware\r\nThe final payload is LockBit. Analysts from Trend Micro have published an analysis of the ransomware.\r\nTargeting focuses on Spanish-speaking victims: all samples target Mexican or Spanish firms, mainly in the\r\nconsulting and law sectors.\r\nRansomware note:\r\nYour data are stolen and encrypted\r\nThe data will be published on TOR website if you do not pay the ransom\r\nYou can contact us and decrypt one file for free on this TOR site\r\n(you should download and install TOR browser first https://torproject.org)\r\nhttp://\u003conion address\u003e\r\nYour company id for log in: \u003cunique id\u003e\r\nEvasive Tradecraft\r\nThe detection rate of the samples in VirusTotal was in the low single digits, with some completely undetected,\r\nsuggesting the campaign’s methods are effective at defense evasion.\r\nFigure 6: Detection in VirusTotal of one of the .img files.\r\nDelivery through a .img container bypasses the Mark of the Web (MOTW) protection mechanism.
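The fodhelper UAC bypass, the six steps of the BAT script and the 7-Zip extraction with the ‘-pass’ argument described above all run through signed Windows binaries, so the useful detection signal is the combination of process command lines seen on one host rather than any single file hash. The following Python is an added example (not FortiGuard’s code and not the campaign’s scripts): it evaluates a constructed batch of process-creation events (Sysmon Event ID 1 style: host, parent image, image, command line) against one rule per stage and flags a host once several distinct stages appear there. The exact switches, file, service and account names in the sample, the loose regexes, and the three-stage threshold are assumptions; the ATT&CK IDs are the ones listed in Appendix A of the post.

```python
import re
from dataclasses import dataclass
from typing import Callable

# All sample data below is constructed for this example. BS and Q build the
# Windows path separator and the double-quote character from their code points.
BS = chr(92)
Q = chr(34)


@dataclass
class ProcEvent:
    # One process-creation record (what Sysmon Event ID 1 or an EDR would log).
    host: str
    parent: str   # image name of the parent process
    image: str    # image name of the new process
    cmdline: str  # full command line of the new process


def _cmd(pattern: str) -> Callable[[ProcEvent], bool]:
    # Rule helper: case-insensitive regex over the command line.
    rx = re.compile(pattern, re.I)
    return lambda e: rx.search(e.cmdline) is not None


def _parent(name: str) -> Callable[[ProcEvent], bool]:
    # Rule helper: match on the parent image (e.g. a shell spawned by fodhelper.exe).
    return lambda e: e.parent.lower().endswith(name)


# (stage label, ATT&CK ID from the post's Appendix A or None where it maps none, predicate).
# The regexes are deliberately loose: they key on the living-off-the-land binaries
# and the registry paths, not on exact strings the attacker controls.
RULES = [
    ('uac-bypass-fodhelper', 'T1548.002', _cmd(r'reg(.exe)? +add +.*ms-settings.shell.open.command')),
    ('child-of-fodhelper',   'T1548.002', _parent('fodhelper.exe')),
    ('password-change',      None,        _cmd(r'net(1)?(.exe)? +user +[^ /]+ +[^ /]+')),
    ('stage-to-programdata', None,        _cmd(r'(copy|xcopy|move) .*programdata')),
    ('autologon',            None,        _cmd(r'autologon(64)?(.exe)?|AutoAdminLogon')),
    ('safeboot-next-boot',   'T1562.009', _cmd(r'bcdedit(.exe)? .*safeboot')),
    ('service-create',       'T1543.003', _cmd(r'sc(.exe)? +create +')),
    ('safeboot-service-reg', 'T1562.009', _cmd(r'reg(.exe)? +add +.*safeboot.minimal')),
    ('winlogon-shell',       'T1547.004', _cmd(r'reg(.exe)? +add +.*winlogon.* +/v +shell')),
    ('7z-password-extract',  'T1027.002', _cmd(r'7z(a|g)?(.exe)? +(x|e) .*-p[^ ]')),
    ('payload-pass-arg',     'T1027.002', _cmd(r'[.]exe +-pass +[^ ]')),
    ('reboot',               'T1529',     _cmd(r'shutdown(.exe)? .*(/r|-r)')),
]

MIN_STAGES = 3  # distinct stages on one host before it is flagged (tuning assumption)


def match_rules(event: ProcEvent):
    # Every stage label whose predicate fires on this single event.
    return [(label, tid) for label, tid, pred in RULES if pred(event)]


def analyze(events):
    # Group hits per host: one sc create or one reboot is ordinary admin noise,
    # several distinct stages of the chain on the same host are not.
    per_host = {}
    for ev in events:
        for label, tid in match_rules(ev):
            per_host.setdefault(ev.host, []).append((label, tid, ev.cmdline))
    report = {}
    for host, hits in per_host.items():
        stages = sorted({label for label, _, _ in hits})
        report[host] = {'stages': stages, 'hits': hits, 'chain': len(stages) >= MIN_STAGES}
    return report


PD = 'C:' + BS + 'ProgramData' + BS
WINLOGON = 'HKLM' + BS + 'SOFTWARE' + BS + 'Microsoft' + BS + 'Windows NT' + BS + 'CurrentVersion' + BS + 'Winlogon'
SAFEBOOT = 'HKLM' + BS + 'SYSTEM' + BS + 'CurrentControlSet' + BS + 'Control' + BS + 'SafeBoot' + BS + 'Minimal'
MSSETTINGS = 'HKCU' + BS + 'Software' + BS + 'Classes' + BS + 'ms-settings' + BS + 'Shell' + BS + 'Open' + BS + 'command'

SAMPLE = [
    # WS01: the chain from the post, with constructed file, service and account names.
    ProcEvent('WS01', 'cmd.exe', 'reg.exe', 'reg add ' + MSSETTINGS + ' /ve /d ' + PD + 'stage2.bat /f'),
    ProcEvent('WS01', 'fodhelper.exe', 'cmd.exe', 'cmd.exe /c ' + PD + 'stage2.bat'),
    ProcEvent('WS01', 'cmd.exe', 'net.exe', 'net user alice Xk9pqL2w'),
    ProcEvent('WS01', 'cmd.exe', 'xcopy.exe', 'xcopy E:' + BS + '*.* ' + PD + ' /h /y'),
    ProcEvent('WS01', 'cmd.exe', 'Autologon64.exe', 'Autologon64.exe alice WS01 Xk9pqL2w /accepteula'),
    ProcEvent('WS01', 'cmd.exe', 'bcdedit.exe', 'bcdedit /set {default} safeboot minimal'),
    ProcEvent('WS01', 'cmd.exe', 'sc.exe', 'sc create WinUpd binPath= ' + Q + 'wscript.exe ' + PD + 'run.vbs' + Q + ' start= auto'),
    ProcEvent('WS01', 'cmd.exe', 'reg.exe', 'reg add ' + SAFEBOOT + BS + 'WinUpd /ve /d Service /f'),
    ProcEvent('WS01', 'cmd.exe', 'reg.exe', 'reg add ' + Q + WINLOGON + Q + ' /v Shell /t REG_SZ /d ' + Q + 'explorer.exe,' + PD + 'shell.bat' + Q + ' /f'),
    ProcEvent('WS01', 'cmd.exe', '7z.exe', '7z.exe x ' + PD + 'docs.7z -pH7fQ2mZx -o' + PD),
    ProcEvent('WS01', 'cmd.exe', 'documentos.exe', PD + 'documentos.exe -pass 8f1c2a4d'),
    ProcEvent('WS01', 'cmd.exe', 'shutdown.exe', 'shutdown /r /t 0'),
    # WS02: ordinary admin activity that touches some of the same binaries.
    ProcEvent('WS02', 'msiexec.exe', 'sc.exe', 'sc create BackupAgent binPath= ' + Q + 'C:' + BS + 'Program Files' + BS + 'Backup' + BS + 'agent.exe' + Q + ' start= auto'),
    ProcEvent('WS02', 'explorer.exe', '7z.exe', '7z.exe x D:' + BS + 'archive.7z -oD:' + BS + 'restore'),
    ProcEvent('WS02', 'cmd.exe', 'shutdown.exe', 'shutdown /r /t 60 /c patching'),
]


if __name__ == '__main__':
    for host, r in analyze(SAMPLE).items():
        print(host, 'CHAIN' if r['chain'] else 'no chain', ', '.join(r['stages']))
```

Run stand-alone it prints one line per host: WS01 trips every rule and is flagged, WS02 only shows a service creation and a reboot and is not. In production the grouping key would be host plus a time window and the rules would be tuned against installer and helpdesk tooling, but the point stands: sc create or a reboot alone is noise, while sc create followed by a SafeBoot Minimal registry entry, a bcdedit safeboot change and a Winlogon Shell rewrite on the same host is the chain this post describes.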
Multi-stage scripts that extract a password-protected ransomware executable, which is unpacked only when run with a unique\r\npassword, allow evading traditional signature-based detection.\r\nThe malware authors have shown a creative and wide-ranging usage of signed, legitimate executables: the\r\nmounting of .img files by Windows Explorer, Python execution by a signed interpreter, the extraction of encrypted\r\narchives by 7-Zip, and automatic log-in using Sysinternals’ Autologon. This allows for minimal reliance on custom\r\ncode, trimming development costs, and staying under the radar of EDRs.\r\nSummary\r\nThis campaign’s highly evasive nature demonstrates that attackers continue to leverage increasingly obscure\r\nmethodologies to avoid detection. This particular combination of executables wasn’t seen in previous LockBit\r\nattacks.\r\nThese payloads may be related to the LockBit builder leak in late 2022. Hence, a definitive attribution to the\r\noriginal group behind LockBit, or its affiliates, may be difficult. Other cybercriminals would want to associate\r\nthemselves with the deterrence already afforded by past acts of LockBit.\r\nFortinet Solutions\r\nFortiEDR detects and blocks these threats out of the box without any prior knowledge or special configuration. It\r\ndoes this using its post-execution prevention engine to identify malicious activities:\r\nFigure 7: FortiEDR blocking the ransomware.\r\nAll network IOCs have been added to the FortiGuard WebFilter blocklist.\r\nFortiGuard Antivirus has coverage in place as follows:\r\nW32/Lockbit.K!tr.ransom\r\nThe FortiGuard Antivirus service engine is included in Fortinet’s FortiGate, FortiMail, FortiClient, and FortiEDR\r\nsolutions.\r\nIn addition, as part of our membership in the Cyber Threat Alliance, details of this threat were shared in real time\r\nwith other Alliance members to help create better protections for customers.\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard AI-powered security services portfolio. If you think this or any other cybersecurity threat has impacted your\r\norganization, contact our Global FortiGuard Incident Response Team.\r\nAppendix A: MITRE ATT\u0026CK Tactics and Techniques\r\nTactic / Technique ID   Description\r\nTA0002   Execution\r\n  T1059.003   Command and Scripting Interpreter: Windows Command Shell\r\n  T1059.005   Command and Scripting Interpreter: Visual Basic\r\n  T1059.006   Command and Scripting Interpreter: Python\r\n  T1204.002   User Execution: Malicious File\r\nTA0003   Persistence\r\n  T1547.004   Boot or Logon Autostart Execution: Winlogon Helper DLL\r\n  T1053.005   Scheduled Task/Job: Scheduled Task\r\n  T1543.003   Create or Modify System Process: Windows Service\r\nTA0005   Defense Evasion\r\n  T1553.005   Subvert Trust Controls: Mark-of-the-Web Bypass\r\n  T1548.002   Abuse Elevation Control Mechanism: Bypass User Account Control\r\n  T1027.002   Obfuscated Files or Information: Software Packing\r\n  T1562.009   Impair Defenses: Safe Mode Boot\r\nTA0040   Impact\r\n  T1486   Data Encrypted for Impact\r\n  T1529   System Shutdown/Reboot\r\nAppendix B: IoCs\r\nIMG SHA256\r\n1ef3ae251833be08b6f3e525969ae02c28cb0238e3adb3091e572a10633f7ef7\r\ndad61d9f919a9cc84ae633e948946e7546b21dc4d9d47d19d96fd308c7de40cb\r\nd73bcd2e29191b260a26d87c3035bde33163cc319649291db9f04c48c94da896\r\nee2b182a56ded459a113513985ff624631a9515c7efa2282708483ace640eb3a\r\ndca325a0028dc8e41dcf739cd00701a19066fc88c0d22be5316f7a4b7b219fe8\r\n35bf036bf46fa21f3354d60a2c50d2959e1e9193bec8364575dc3fd4644732ae\r\n781ead305cdb5fa0153369431dedd40fe138308fcdf5dfda1cfeaaba296752e3\r\n1858a862390adcaa4cea6782e7dba077697475ff9ada9d75c4897ccd563998af\r\nRansomware Executables\r\nSHA256   Name\r\ncb049c6e59106bbdfd804a9d02bb31ea09a3918018cbb97fb12d2bcf9e475465   documentos.exe\r\n334148a7434f4fd27dcc6600edc2f29e4f11ada0be9f71f807cbd4154abd74be   documentos.exe\r\nfd3577ff36496320485ffa05681ffa516a56fc4818c3fc89774aa4bb20e2c17f   documentos.exe\r\n8465c979990e75262d15e93453287d6107f008035d6d6a05bd3a92c2e3fe1d40   HacAK.exe\r\n40828437094a02ab467a0c0343d08c110d3b0c2972b609bcdd355667614209f   EMJgp.exe\r\n50f49ac742a127085e0a824bcae7e25326ea0ef0741f0abe34ce494f2c4ef4d2   byhHI.exe\r\ncc58dcd32a440e7f95d19b653a55c1e2c383efc2bd19443238dd3008c1cbe147   bOpDX.exe\r\n6eb6431dcfb1e7105fb05e2d8b01e231f6d4b82a1df3639499d0adacd00757cc   gVozH.exe\r\nDomains\r\npoliovocalist[.]com\r\nIPs\r\n198.244.187[.]248\r\n150.129.218[.]231\r\nLockBit Portal URLs\r\nhxxp://lockbit3jx6je7tm6hhm6zzafgy6hpil3ur6jmc2a4ugan7xzztv6oqd[.]onion\r\nhxxp://lockbitdvbpfczc3yrs37kpp6avnrgr7yygi2f45qxvef2yqi36lpxyd[.]onion\r\nhxxp://lockbit3hc6syym13ki2ag5jskr6q5qa3spspjpmtfhh6fufut737zid[.]onion\r\nhxxp://lockbitov3afmxgknfhk2o5d4uqrhygd7ty3xqm56qd6zjlu6u43pgyd[.]onion\r\nSource: https://www.fortinet.com/blog/threat-research/emerging-lockbit-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/emerging-lockbit-campaign"
	],
	"report_names": [
		"emerging-lockbit-campaign"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434174,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d07b829a5a79775cb395d46608f35ee272b887b0.pdf",
		"text": "https://archive.orkl.eu/d07b829a5a79775cb395d46608f35ee272b887b0.txt",
		"img": "https://archive.orkl.eu/d07b829a5a79775cb395d46608f35ee272b887b0.jpg"
	}
}