{
	"id": "59339837-bae9-411f-97db-1f51d0f6b1fb",
	"created_at": "2026-04-06T00:12:22.474126Z",
	"updated_at": "2026-04-10T03:20:03.455168Z",
	"deleted_at": null,
	"sha1_hash": "d39cdb78a4b29bcc77995726cf7b91dd55ffb27b",
	"title": "New Avaddon Ransomware launches in massive smiley spam campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3440615,
	"plain_text": "New Avaddon Ransomware launches in massive smiley spam campaign\r\nBy Lawrence Abrams\r\nPublished: 2020-06-08 · Archived: 2026-04-05 18:14:43 UTC\r\nWith a wink and a smile, the new Avaddon Ransomware has come alive in a massive spam campaign targeting users\r\nworldwide.\r\nAvaddon was launched at the beginning of this month and is actively recruiting hackers and malware distributors to spread\r\nthe ransomware by any means possible.\r\nAs its first known attack, the Avaddon Ransomware is being distributed in a spam campaign reminiscent of February's\r\nNemty Ransomware Love Letter campaign.\r\nhttps://www.bleepingcomputer.com/news/security/new-avaddon-ransomware-launches-in-massive-smiley-spam-campaign/\r\nYou like my photo?\r\nIn a wave of emails using subjects like \"Your new photo?\" or \"Do you like my photo?\" containing nothing but a winking\r\nsmiley face, a JavaScript downloader for the Avaddon ransomware is being distributed.\r\nExample Avaddon spam email\r\nIn a related report shared with BleepingComputer, the cybersecurity firm AppRiver stated that the Phorphiex/Trik Botnet is\r\ndistributing the malicious emails.\r\nThis campaign is not small, as AppRiver security researcher David Picket told us that they had blocked over 300,000 emails\r\nin just a short period.\r\nAttached to these emails is a JavaScript file masquerading as a JPG photo with names like IMG123101.jpg.\r\nBefore you ask why someone would open a JavaScript file that was emailed to them, it is important to remember that\r\nWindows hides file extensions by default, even though it is a known security risk.\r\nThat means to the recipient, it would just appear as a .jpg file, as shown below.\r\nJavaScript file displayed as a 
JPG\r\nWhen executed, the JS attachment will launch both a PowerShell and Bitsadmin command to download the Avaddon\r\nransomware executable to the %Temp% folder and run it.\r\nAvaddon JScript downloader\r\nIn the sample tested by BleepingComputer, once executed, the ransomware will search for data to encrypt and append the\r\n.avdn extension to encrypted files.\r\nFiles encrypted by Avaddon\r\nIn each folder, a ransom note named [id]-readme.html will also be created. This ransom note contains a link to the TOR\r\npayment site and a unique victim ID used to log in to the site.\r\nAvaddon Ransom Note\r\nThis TOR payment site includes the ransom amount, which in our case was $900, and instructions on how to pay for a\r\ndecryptor.\r\nAvaddon TOR payment site\r\nOther sections of the TOR site include a support chat, free test decryption, and a help page illustrated by Harry Potter\r\ncharacters.\r\nAvaddon TOR help page\r\nUnfortunately, ID-Ransomware creator Michael Gillespie has analyzed the ransomware and stated that it is secure and\r\ncannot be decrypted for free.\r\nMore to come\r\nIn advertisements posted to Russian-speaking hacker forums at the beginning of the month, Avaddon has stated that they are\r\na new Ransomware-as-an-Affiliate (RaaS) program.\r\nAvaddon advertisement on dark web\r\nA RaaS 
program is when the ransomware creator is responsible for the development of the malware and the operation of the\r\nTOR payment site.\r\nAffiliates who join the program are responsible for distributing the ransomware via spam, compromising networks, and\r\nexploit kits.\r\nAs part of this arrangement, Avaddon is paying affiliates 65% of any ransom payments they bring in, and the Avaddon\r\noperators will receive 35%. Larger affiliates are commonly able to negotiate a higher revenue share depending on the size of\r\ntheir attacks.\r\nAs is typical with RaaS programs, Avaddon has a series of rules that affiliates must follow when distributing the\r\nransomware. The most common rule is that they cannot target victims in the Commonwealth of Independent States (CIS).\r\nIt is forbidden to work in the CIS countries (AZ, AM, BY, KZ, KG, MD, RU, TJ, UZ, UA, GE , TM)\r\nIt is forbidden to indicate or pass on to third parties the address of the admin panel on the .onion network.\r\nIt is forbidden to upload .exe to unverified scanners that merge AV labs.\r\n \r\nNow that the Avaddon creators have started accepting applications, we should expect to see distribution increase and more\r\nadvanced attacks to occur.\r\nIOCs\r\nHashes:\r\nAttachment: 94faa76502bb4342ed7cc3207b3158027807a01575436e2b683d4816842ed65d\r\nAvaddon: 05af0cf40590aef24b28fa04c6b4998b7ab3b7f26e60c507adb84f3d837778f2\r\nAssociated files:\r\nIMG123101.jpg.js.zip\r\nIMG123101.jpg.js\r\n%temp%\\97459754.exe\r\n%temp%\\646246465.exe\r\n[id]-readme.html\r\nRansom note text:\r\nYour network has been infected by Avaddon\r\nAll your documents, photos, databases and other important files have been encrypted and you are not able to decrypt it by\r\nThe only way to restore your files is to buy our special software - Avaddon General Decryptor. 
Only we can give you this s\r\nYou can get more information on our page, which is located in a Tor hidden network.\r\nHow to get to our page\r\nDownload Tor browser - https://www.torproject.org/\r\nInstall Tor browser\r\nOpen link in Tor browser - avaddonbotrxmuyl.onion\r\nFollow the instructions on this page\r\nYour ID:\r\nXXX\r\nDO NOT TRY TO RECOVER FILES YOURSELF!\r\nDO NOT MODIFY ENCRYPTED FILES!\r\nOTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER!\r\nSource: https://www.bleepingcomputer.com/news/security/new-avaddon-ransomware-launches-in-massive-smiley-spam-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-avaddon-ransomware-launches-in-massive-smiley-spam-campaign/"
	],
	"report_names": [
		"new-avaddon-ransomware-launches-in-massive-smiley-spam-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775434342,
	"ts_updated_at": 1775791203,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d39cdb78a4b29bcc77995726cf7b91dd55ffb27b.pdf",
		"text": "https://archive.orkl.eu/d39cdb78a4b29bcc77995726cf7b91dd55ffb27b.txt",
		"img": "https://archive.orkl.eu/d39cdb78a4b29bcc77995726cf7b91dd55ffb27b.jpg"
	}
}