{
	"id": "d0a12c29-01f8-4bc4-a6e6-071e951a95d4",
	"created_at": "2026-04-06T00:10:38.346171Z",
	"updated_at": "2026-04-10T03:22:04.842271Z",
	"deleted_at": null,
	"sha1_hash": "e218e2c6e2afae691145028143deb4ea42a58cce",
	"title": "Maze Ransomware Now Delivered by Spelevo Exploit Kit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1042119,
	"plain_text": "Maze Ransomware Now Delivered by Spelevo Exploit Kit\r\nBy Sergiu Gatlan\r\nPublished: 2019-10-18 · Archived: 2026-04-05 16:52:05 UTC\r\nThe Spelevo exploit kit has been spotted by security researchers while infecting victims with Maze Ransomware payloads\r\nvia a new malicious campaign that exploits a Flash Player use after free vulnerability.\r\nMaze Ransomware, a variant of Chacha Ransomware, was initially found by Malwarebytes security researcher Jérôme\r\nSegura in May. \r\nThe researcher found that the ransomware was being distributed using the Fallout exploit kit via a fake site camouflaged as a\r\nlegitimate cryptocurrency exchange app.\r\nhttps://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/\r\nPage 1 of 6\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/\r\nPage 2 of 6\n\nVisit Advertiser websiteGO TO PAGE\r\nSegura told BleepingComputer that the attackers created a fake Abra cryptocurrency site to buy ad network traffic which\r\nwas later used to redirect visitors to the exploit kit landing page under certain conditions.\r\nNew Maze Ransomware campaign\r\nExploit kit expert nao_sec was the first to spot the new Maze Ransomware campaign yesterday, with GrujaRS also taking a\r\ncloser look at it one hour later.\r\nThis campaign is redirecting users to the Spelevo exploit kit, as shown in the web requests captured by nao_sec and as\r\nshown in the screenshot below.\r\nWhen redirected to the exploit, Spelevo will attempt to exploit the critical CVE-2018-15982 use after free vulnerability\r\nin the browser, with users of Flash Player versions 31.0.0.153 / 31.0.0.108 and earlier being the ones exposed.\r\nUpon successful exploitation, the exploit kit will automatically download and install the Maze Ransomware payload via\r\narbitrary code execution.\r\nSpelevo was previously seen by Cisco Talos while dropping the infamous IceD and Dridex 
banking trojans via a\r\ncompromised business-to-business (B2B) website.\r\nSpelevo exploit kit in action\r\nThe Maze Ransomware\r\nWhen the Maze Ransomware payload is installed and executed, it will start scanning for interesting files (e.g., documents,\r\nphotos, databases, and more) to encrypt them using RSA encryption and the ChaCha20 stream cipher, and append several\r\nextensions as shown below.\r\nEncrypted files (Image: GrujaRS)\r\nThe ransomware will also create a ransom note named DECRYPT-FILES.txt in each of the scanned folders, instructing the\r\nvictims to open a website hosted on the TOR network for payment instructions to purchase a private key to decrypt the files.\r\nVictims are also provided with an online decryption interface which allows them to decrypt three of their now locked files as\r\nproof that decryption is indeed possible.\r\nAccording to the ransomware's support site, the ransom value automatically doubles if the victim does not pay within\r\napproximately a week after the ransom note was uploaded.\r\nA second website available over the clear web is also provided, with the mention that it might be blocked in some countries\r\nand thus leaving the TOR site as the only option.\r\nRansom note (Image: GrujaRS)\r\nOn this support website, the victims will be asked to upload their ransom note to get further instructions on how to recover\r\ntheir data.\r\nOnce the attackers' parser recognizes the ransom note, the victims will be redirected to a page where they can test the\r\nattackers' decryption tool (supports only BMP, JPG, GIF, and PNG image files) and get info on how to buy Bitcoins to pay\r\nthe ransom.\r\nThe Maze Ransomware 'support' site also comes with a live support chat as detailed in the ransom note and as GrujaRS 
also\r\nfound.\r\nHe created a video to demo the attack, to show how Maze Ransomware encrypts its victims' files, how the live chat works,\r\nand to take a look at the Maze Ransomware test decrypt tool.\r\nAt this time, there is no way to decrypt for free the files that Maze Ransomware encrypts. If anything changes, we will\r\npublish a new article with additional findings.\r\nHow to protect yourself from Maze Ransomware\r\nTo protect yourself from Maze Ransomware, or from any other ransomware family, it is important to use good computing\r\nhabits and security software. The most important thing is to always have a reliable and tested backup of your data that you\r\ncan quickly restore in case of an emergency, like a ransomware attack.\r\nSince Maze is being dropped via exploit kits, you need to make sure that all the latest Windows security updates are installed\r\nand that all your software is up to date. By doing this you will prevent exploit kits from abusing previously patched\r\nvulnerabilities to infect your computer.\r\nGiven that ransomware is also known to be delivered via hacked Remote Desktop services, you should make sure that\r\ncomputers running remote desktop services in your network are not directly connected to the Internet by placing them\r\nbehind VPNs to only allow access to trusted users.\r\nRunning security software with a built-in behavioral detection engine like Emsisoft Anti-Malware and Malwarebytes Anti-Malware is also important when defending your data against ransomware infections. 
\r\nLast, but not least, you also need to follow good online security habits, since, in many cases, they are the most important\r\nmeasures of all:\r\nBackup, Backup, Backup!\r\nDo not open attachments if you do not know who sent them.\r\nDo not open attachments until you confirm that the person actually sent them to you.\r\nScan attachments with tools like VirusTotal.\r\nMake sure all Windows updates are installed as soon as they come out! Also make sure you update all programs,\r\nespecially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly\r\nexploited by malware distributors. Therefore it is important to keep them updated.\r\nMake sure you have some sort of security software installed.\r\nUse hard passwords and never reuse the same password at multiple sites.\r\nIf you are using Remote Desktop Services, do not connect it directly to the Internet. Instead make it accessible only\r\nvia a VPN.\r\nFor a complete guide on how to protect your computer against ransomware infections, you can read our How to Protect and\r\nHarden a Computer against Ransomware article.\r\nIOCs\r\nHashes:\r\n91514e6be3f581a77daa79e2a4905dcbdf6bdcc32ee0f713599a94d453a26fc1\r\nFile Names:\r\nDECRYPT-FILES.txt\r\nNetwork Communication:\r\nSource: https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/"
	],
	"report_names": [
		"maze-ransomware-now-delivered-by-spelevo-exploit-kit"
	],
	"threat_actors": [],
	"ts_created_at": 1775434238,
	"ts_updated_at": 1775791324,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e218e2c6e2afae691145028143deb4ea42a58cce.pdf",
		"text": "https://archive.orkl.eu/e218e2c6e2afae691145028143deb4ea42a58cce.txt",
		"img": "https://archive.orkl.eu/e218e2c6e2afae691145028143deb4ea42a58cce.jpg"
	}
}