{
	"id": "35a141ae-680e-4e51-9a9c-fda1a5a63181",
	"created_at": "2026-04-10T03:20:41.265461Z",
	"updated_at": "2026-04-10T03:22:18.243597Z",
	"deleted_at": null,
	"sha1_hash": "d171d4144f92afffa19026e43f5375b0d72d81de",
	"title": "New threat actor targets Bulgaria, China, Vietnam and other countries with customized Yashma ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2428821,
	"plain_text": "New threat actor targets Bulgaria, China, Vietnam and other\r\ncountries with customized Yashma ransomware\r\nBy Chetan Raghuprasad\r\nPublished: 2023-08-07 · Archived: 2026-04-10 03:07:51 UTC\r\nMonday, August 7, 2023 08:00\r\nCisco Talos discovered an unknown threat actor, seemingly of Vietnamese origin, conducting a\r\nransomware operation that began at least as early as June 4, 2023.\r\nThis ongoing attack uses a variant of the Yashma ransomware likely to target multiple geographic areas by\r\nmimicking WannaCry characteristics.\r\nThe threat actor uses an uncommon technique to deliver the ransom note. Instead of embedding the ransom\r\nnote strings in the binary, they download the ransom note from the actor-controlled GitHub repository by\r\nexecuting an embedded batch file.\r\nThreat actor analysis\r\nTalos assesses with high confidence that this threat actor is targeting victims in English-speaking countries,\r\nBulgaria, China and Vietnam, as the actor’s GitHub account, “nguyenvietphat,” has ransomware notes written in\r\nthese countries’ languages. The presence of an English version could indicate the actor intends to target a wide\r\nrange of geographic areas.\r\nTalos assesses with moderate confidence that the threat actor may be of Vietnamese origin because their GitHub\r\naccount name and email contact on the ransomware notes spoofs a legitimate Vietnamese organization’s name.\r\nThe ransom note also asks victims to contact them between 7 and 11 p.m. UTC+7, which overlaps with Vietnam’s\r\ntime zone. 
We also spotted a slight difference in the Vietnamese language ransom note, as it starts with, “Sorry,\r\nyour file is encrypted!” in contrast to the others that begin with, “Oops, your files are encrypted!” By saying\r\n“sorry,” the threat actor may have intended to show a heightened sensitivity toward victims in Vietnam, which\r\ncould indicate the attackers themselves are Vietnamese.\r\nWe further assess the threat actor began this campaign around June 4, 2023, because they joined GitHub and\r\ncreated a public repository called “Ransomware” on that date, which overlaps with the compilation date of the\r\nransomware binary. In the repository, they added ransom note text files in five languages: English, Bulgarian,\r\nVietnamese, Simplified Chinese and Traditional Chinese.\r\nhttps://blog.talosintelligence.com/new-threat-actor-using-yashma-ransomware/\r\nPage 1 of 6\n\nGitHub repository that contains ransom notes.\r\nRansom note\r\nThe actor demands the ransom payment in Bitcoin to the wallet address\r\n“bc1qtd4qv0wmgtu2rdr0wr8tka2jg44cgmz04z5mc7” and they double the ransom demand if the victim fails to\r\npay within three days, according to our ransom note analysis. The actor has an email address,\r\n“nguyenvietphat[.]n[at]gmail[.]com,” for the victims to contact them. At the time of our analysis, we had not\r\nobserved any Bitcoin in the wallet, and the ransom note did not specify an amount, indicating the ransomware\r\noperation might still be in a nascent stage.\r\nThe ransom note text resembles the well-known WannaCry ransom note, possibly to obfuscate the threat actor’s\r\nidentity and confuse incident responders.\r\nThe ransom note for WannaCry ransomware.\r\nRansom note samples of the Yashma variant.\r\nAfter encryption, the Yashma ransomware variant sets the wallpaper on the victim’s machine, as seen in the image\r\nbelow. 
It seems that the operator downloaded this picture from www[.]FXXZ[.]com and embedded it in the\r\nYashma variant binary. The wallpaper set by the Yashma variant in the victim’s machine also mimics the\r\nWannaCry ransomware.\r\nYashma variant wallpaper (left) and WannaCry wallpaper (right).\r\nCustomized Yashma ransomware variant\r\nThe actor deployed a variant of Yashma ransomware, which they compiled on June 4, 2023. Yashma is a 32-bit\r\nexecutable written in .NET and a rebranded version of Chaos ransomware V5, which appeared in May 2022. In this\r\nvariant, most of Yashma’s features remained unchanged and have been described by the security researchers at\r\nBlackBerry, with the exception of a few notable modifications.\r\nUsually, ransomware stores the ransom note text as strings in the binary. However, this variant of Yashma executes\r\nan embedded batch file, which has the commands to download the ransom note from the actor-controlled GitHub\r\nrepository. This modification evades endpoint detection solutions and anti-virus software, which usually detect\r\nembedded ransom note strings in the binary.\r\nContents of the batch file.\r\nEarlier versions of the Yashma ransomware established persistence on the victim machine in the Run registry key\r\nand by dropping a Windows shortcut file pointing to the ransomware executable path in the startup folder. The\r\nvariant we observed also established persistence in the Run registry key, but it was modified to create a “.url”\r\nbookmark file in the startup folder that points to the dropped executable located at\r\n“%AppData%\\Roaming\\svchost.exe”.\r\nA function that creates the bookmark file.\r\nOne notable feature the threat actor chose to keep in this variant is Yashma’s anti-recovery capability. 
After\r\nencrypting a file, the ransomware wipes the contents of the original unencrypted files, writes a single character “?”\r\nand then deletes the file. This technique makes it more challenging for incident responders and forensic analysts to\r\nrecover the deleted files from the victim’s hard drive.\r\nThe code snippet shows the anti-recovery feature of the ransomware.\r\nCoverage\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and\r\nURLs, whether users are on or off the corporate network. 
Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org. Snort SIDs for this threat are 62131 - 62143 and 300633 - 300638.\r\nClamAV detections are available for this threat:\r\nWin.Ransomware.Hydracrypt-9878672-0\r\nCisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints\r\nare infected with this specific threat. For specific OSqueries on this threat, click here.\r\nIOCs\r\nIndicators of Compromise associated with this threat can be found here.\r\nSource: https://blog.talosintelligence.com/new-threat-actor-using-yashma-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/new-threat-actor-using-yashma-ransomware/"
	],
	"report_names": [
		"new-threat-actor-using-yashma-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775791241,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d171d4144f92afffa19026e43f5375b0d72d81de.pdf",
		"text": "https://archive.orkl.eu/d171d4144f92afffa19026e43f5375b0d72d81de.txt",
		"img": "https://archive.orkl.eu/d171d4144f92afffa19026e43f5375b0d72d81de.jpg"
	}
}