{
	"id": "56dc66be-4f0e-43f9-afc1-8fe3e326f178",
	"created_at": "2026-04-06T01:30:07.313026Z",
	"updated_at": "2026-04-10T03:21:00.608Z",
	"deleted_at": null,
	"sha1_hash": "d3fd2939e1df970bd29b7545413e85d6d8ae0935",
	"title": "Dharma Ransomware Uses AV Tool to Hide Activities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62573,
	"plain_text": "Dharma Ransomware Uses AV Tool to Hide Activities\r\nBy Raphael Centeno\r\nPublished: 2019-05-08 · Archived: 2026-04-06 00:06:25 UTC\r\nThe Dharma ransomware has been around since 2016, but it has continued to target and successfully victimize users and organizations around the world. One high-profile attack happened in November 2018, when the ransomware infected a hospital in Texas and encrypted many of its stored records; luckily, the hospital was able to recover from the attack without paying the ransom. Trend Micro recently found new samples of Dharma ransomware using a new technique: using software installation as a distraction to help hide malicious activities.\r\nDharma ransomware actors abuse AV tool\r\nNew samples of Dharma ransomware show that it is still being distributed via spam mail. Typical of spam, the message pressures users into downloading a file. If a user clicks on the download link, they will be prompted for a password (provided in the email message) before getting the file.\r\nFigure 1. Dharma ransomware infection chain\r\nThe downloaded file is a self-extracting archive named Defender.exe, which drops the malicious file taskhost.exe as well as the installer of an old version of ESET AV Remover renamed as Defender_nt32_enu.exe. Trend Micro identifies taskhost.exe as a file connected to the Dharma ransomware (detected as RANSOM.WIN32.DHARMA.THDAAAI).\r\nFigure 2. Spam mail for Dharma ransomware\r\nFigure 3. Running the self-extracting archive (Defender.exe)\r\nThe ransomware uses this old ESET AV Remover installer, which appears unmodified based on initial scanning, to divert attention as it encrypts files on the victim’s device. When the self-extracting archive runs, Dharma starts encrypting files in the background and the ESET AV Remover installation begins. The user will see the ESET GUI onscreen, a distraction from Dharma’s malicious activities.\r\nFigure 4. Software installation distracts from the ransomware’s activities\r\nFigure 5. Software installation runs on a different instance than the malware\r\nThe AV Remover is a working tool that goes through the familiar installation routine if it is executed. However, the ransomware will still encrypt files even if the installation is not started. The malware runs on a different instance than the software installation, so their behavior is not related.\r\nThe tool is legitimate software bundled with the malware, so user interaction is necessary to fully install it. The ransomware will run even if the tool installation is not triggered, and the tool can be installed even if the ransomware does not run. The installation process seems to be included just to trick users into thinking no malicious activity is going on.\r\nFigure 6. The ESET installer file also has a valid digital signature, which helps it stay under the radar\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/dharma-ransomware-uses-av-tool-to-distract-from-malicious-activities/\r\nPage 1 of 3\r\nCybercriminals have a history of abusing legitimate tools, and this recent Dharma tactic of using an installer as a diversion or screen of legitimacy is simply another method they are experimenting with. This new version is designed to trick users and allow the ransomware to operate stealthily in the background. As malware authors continue to adopt layered evasion tactics and malicious techniques, users also have to adopt stronger and smarter security solutions to protect their assets.\r\nESET was informed of this research before publishing and issued this response:\r\nThe article describes the well-known practice of malware being bundled with legitimate application(s). In the specific case Trend Micro is documenting, an official and unmodified ESET AV Remover was used. However, any other application could be used this way. The main reason is to distract the user; this application is used as a decoy application. ESET threat detection engineers have recently seen several cases of ransomware packed in a self-extracting package together with some clean files or a hack/keygen/crack. So this is nothing new.\r\nIn the specific case described by Trend Micro, the ransomware is executed right after our remover application, but the remover has a dialogue and waits for user interaction, so there is no chance to remove any AV solution before the ransomware is fully executed.\r\nHow to defend against ransomware\r\nThere has been growing awareness of ransomware as well as improved solutions for organizations and users, which contributes to ransomware’s continuing decline. However, as proven by the new samples of Dharma, many malicious actors are still trying to upgrade old threats and use new techniques. Ransomware remains a costly and versatile threat; earlier this month a ransomware family was spotted targeting vulnerable Samba servers. This particular ransomware first emerged as a threat targeting victims’ network-attached storage devices before it evolved to target other devices.\r\nUsers and organizations should prepare for Dharma and similar threats by adopting good cybersecurity hygiene. Some best practices to follow include:\r\nSecure email gateways to thwart threats via spam, and avoid opening suspicious emails.\r\nRegularly back up files.\r\nKeep systems and applications updated, or use virtual patching for legacy or unpatchable systems and software.\r\nEnforce the principle of least privilege: secure system administration tools that attackers could abuse; implement network segmentation and data categorization to minimize further exposure of mission-critical and sensitive data; and disable third-party or outdated components that could be used as entry points.\r\nImplement defense in depth: additional layers of security like application control and behavior monitoring help thwart unwanted modifications to the system or execution of anomalous files.\r\nFoster a culture of security in the workplace.\r\nIndicators of Compromise\r\nFile Name | SHA256 | Detection\r\nDefender.exe | a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4 | Ransom.Win32.DHARMA.T\r\ntaskhost.exe1 | 703b57adaf02eef74097e5de9d0bbd06fc2c29ea7f92c90d54a0b9a01172babe | Ransom.Win32.DHARMA.T\r\nDefender_nt32_enu.exe1 | 0d7e4d980ae644438ee17c1ea61ac076983ec3efb3cc9d3b588d2d92e52d7c83 | normal (ESET AV Remover)\r\npackager.dll | 083b92a07beebbd9c7d089648b1949f78929410464578a36713033bbd3a8ecea | normal\r\npanmap.dll | 9ada26a385e8b10f76b7c4f05d591b282bd42e7f429c7bbe7ef0bb0d6499d729 | normal\r\nsspisrv.dll | f195983cdf8256f1d1425cc7683f9bf5c624928339ddb4e3da96fdae2657813d | normal\r\nsstpsvc.dll | 39d3254383e3f49fd3e2dff8212f4b5744d8d5e0a6bb320516c5ee525ad211eb | normal\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/dharma-ransomware-uses-av-tool-to-distract-from-malicious-activities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/dharma-ransomware-uses-av-tool-to-distract-from-malicious-activities/"
	],
	"report_names": [
		"dharma-ransomware-uses-av-tool-to-distract-from-malicious-activities"
	],
	"threat_actors": [],
	"ts_created_at": 1775439007,
	"ts_updated_at": 1775791260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d3fd2939e1df970bd29b7545413e85d6d8ae0935.pdf",
		"text": "https://archive.orkl.eu/d3fd2939e1df970bd29b7545413e85d6d8ae0935.txt",
		"img": "https://archive.orkl.eu/d3fd2939e1df970bd29b7545413e85d6d8ae0935.jpg"
	}
}