{
	"id": "9237d65d-7e1e-4921-b6de-250b868e58b1",
	"created_at": "2026-04-06T00:11:51.566983Z",
	"updated_at": "2026-04-10T03:21:42.193042Z",
	"deleted_at": null,
	"sha1_hash": "deced0ae2d68194712e564b4126b7a623f164696",
	"title": "Negasteal Uses Hastebin for Fileless Delivery of Crysis Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 386565,
	"plain_text": "Negasteal Uses Hastebin for Fileless Delivery of Crysis Ransomware\r\nArchived: 2026-04-02 12:00:53 UTC\r\nBy Matthew Camacho, Raphael Centeno, and Junestherry Salvador\r\nWe recently encountered a Negasteal (also known as Agent Tesla) variant that used hastebin for the fileless delivery of the Crysis (also known as Dharma) ransomware. This is the first time that we have observed Negasteal with a ransomware payload.\r\nOnly a few months ago, Deep Instinct published the first reported case of a Negasteal variant that used hastebin[.]com, a paste site for online content. Negasteal is a spyware trojan that was discovered in 2014. It offers its services in the form of paid subscriptions in cybercriminal underground forums, with its developers constantly making changes to improve its evasion tactics and remain relevant in their market.\r\nThe Crysis ransomware, meanwhile, is behind several high-profile attacks, with variants that continuously demonstrate different techniques. Similar to Negasteal, Dharma works on a ransomware-as-a-service (RaaS) model that makes it accessible for other cybercriminals to pay for.\r\nBehavior\r\nThis is the first time that we have observed these two malware services being used together. According to the sample that we encountered, the variant arrives through a phishing email, as seen in Figure 1.\r\nFigure 1. An image of the phishing email that was used\r\nAs part of its evasion tactics, it tries to exclude itself from debugging by Windows Defender, which it can also try to disable as a possible alternative evasion method. These tactics are shown in Figures 2 and 3.\r\nFigure 2. The malware excludes itself from being debugged.\r\nFigure 3. The malware disables Windows Defender.\r\nFor persistence, it adds itself to the startup folder and CurrentVersion\\Run. Eventually, the loader will connect to “hastebin[.]com” and decode the binary (Crysis) from the command-and-control (C\u0026C) server, thereby allowing fileless delivery of the ransomware.\r\nFigure 4. A snippet of the malware adding itself to the startup folder\r\nFigure 5. The malware connects to hastebin[.]com\r\nFigure 6. The Crysis ransomware payload\r\nSecurity Recommendations\r\nThis campaign shows the potential of Negasteal to deliver other malware filelessly through its hastebin C\u0026C server. The combination of these two active malware services demonstrates how cybercriminals can cobble together accessible malware in hopes of a successful campaign. Fileless delivery also adds a further challenge in removing this threat, as it leaves no trace after execution.\r\nFor organizations, following security best practices will help minimize the success of similar campaigns. As with this campaign, stopping threats at their initial entry can prevent larger problems caused by their payloads. In this case, the campaign has a ransomware payload that can encrypt important files and freeze operations.\r\nHere are some general security practices to implement:\r\nSecure email gateways. Secured email gateways thwart threats that are delivered via spam and phishing. They also help users avoid opening suspicious emails and attachments.\r\nRegularly back up files. This also serves as a good precaution against ransomware attacks.\r\nKeep systems and applications updated. Use virtual patching for legacy or unpatchable systems and software.\r\nEnforce the principle of least privilege. Implement network segmentation and data categorization to minimize further exposure of mission-critical data.\r\nImplement defense in depth. Additional layers of security like application control and behavior monitoring help prevent the execution of anomalous files.\r\nA multilayered security approach is advised to protect all possible threat entry points. The following solutions can help secure against a variety of threats:\r\nTrend Micro Apex One™ and Apex One Endpoint Sensor – Employ behavioral analysis that protects against malicious scripts, injection, ransomware, and memory and browser attacks related to fileless threats.\r\nTrend Micro XDR – Connects email, endpoints, servers, cloud workloads, and networks to detect and respond to threats earlier.\r\nTrend Micro™ Email Security – Uses enhanced machine learning and dynamic sandbox analysis for files and URLs to stop email threats.\r\nIndicators of Compromise (IOCs):\r\nFiles\r\n2adb3505038e73bc83e5c5d9a60b725645fb65a7b0a781a5aadde50c942d13dc (detected as TrojanSpy.MSIL.NEGASTEAL.DYSHPF)\r\nb524398df66d04ac28e7461e7c7ff97c6d69343d13d7f3fdd11e26729813ae5c (detected as Trojan.MSIL.NEGASTEAL.BGO)\r\nPayload\r\nf3587884456922ffd42c8189e111c1184d74e12f (detected as Ransom.MSIL.DHARMA.AC)\r\nC\u0026C\r\nhxxps://hastebin[.]com/raw/avucapadey\r\nhxxps://hastebin[.]com/raw/molijokewe\r\nhxxps://hastebin[.]com/raw/sijifewopi\r\n199[.]193[.]7.228\r\nSource: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware"
	],
	"report_names": [
		"negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434311,
	"ts_updated_at": 1775791302,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/deced0ae2d68194712e564b4126b7a623f164696.pdf",
		"text": "https://archive.orkl.eu/deced0ae2d68194712e564b4126b7a623f164696.txt",
		"img": "https://archive.orkl.eu/deced0ae2d68194712e564b4126b7a623f164696.jpg"
	}
}