{
	"id": "f1785b3e-73ac-46f6-85b1-e6d90b33a743",
	"created_at": "2026-04-06T00:07:06.388693Z",
	"updated_at": "2026-04-10T03:20:25.501093Z",
	"deleted_at": null,
	"sha1_hash": "e889e82b243772eefff0ef5486a51e605d841981",
	"title": "Avaddon: Ransomware-as-a-Service \u0026 Extortion",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 569853,
	"plain_text": "Avaddon: Ransomware-as-a-Service \u0026 Extortion\r\nBy DomainTools\r\nPublished: 2020-08-13 · Archived: 2026-04-05 21:19:30 UTC\r\nAvaddon: The Latest RaaS (Ransomware-as-a-Service) to Jump on the Extortion Bandwagon\r\nIf you would prefer to listen to Tarik discuss his analysis, it is featured in our recent episode of Breaking Badness,\r\nwhich is included at the bottom of this post.\r\nDissecting the Avaddon Ransomware Loader \u0026 Further Operations\r\nAvaddon is a new “Ransomware-as-a-Service” (RaaS) malware that uses an affiliate revenue system as part of\r\nhow this threat group achieves its financial goals.\r\nAvaddon is being actively advertised on various cybercriminal forums, and has been associated with recent\r\nmassive email spam campaigns for its distribution.\r\nhttps://www.domaintools.com/resources/blog/avaddon-the-latest-raas-to-jump-on-the-extortion-bandwagon\r\nPage 1 of 13\n\nAvaddon Victimology\r\nThe ransom note for Avaddon supports 9 different languages: English, German, French, Italian, Spanish,\r\nPortuguese, Chinese, Japanese and Korean.\r\nWe can also analyze the victim distribution by looking at Avaddon binaries caught in the wild and correlating\r\nthem with the country they were submitted from on VirusTotal.\r\nTo really account for the broader set of Avaddon binaries in the wild, I went ahead and searched for fuzzy hashes that are\r\nsimilar to the original binary detected. This is similar to leveraging imphashes or other fuzzy hash matching tactics\r\nfor malware, but using VirusTotal’s built-in feature VHASH. Taking these Avaddon binaries and sorting them by\r\nthe country that submitted them, we can see the parallels with those advertised by the Avaddon threat group.\r\nAvaddon is for sale on the CIS (Commonwealth of Independent States) Russian-language cybercriminal forums\r\nand it’s noteworthy that Russian is not a supported language for victims. 
Parsing Avaddon’s advertisement\r\npost on one of the cybercrime forums, we can infer that the authors clearly operate out of a CIS country.\r\nIt’s likely that the very small percentage of Avaddon binaries submitted from a Russian network are security teams\r\ninvestigating the threat, or Avaddon customers breaking the EULA and submitting their binaries to VirusTotal to\r\ndetermine whether they would be detected by common anti-virus vendors.\r\nBeyond specific countries, Avaddon is written in C++ and accesses only Windows APIs. Thus, the\r\nvictimology for Avaddon should include the above countries running Windows 7 or Windows 10.\r\nThe Avaddon author doesn’t provide a means of distributing the ransomware; however, according to their forum\r\nposts, they recommend purchasing your foothold from other sources such as “dediks” (attackers that have already\r\ncompromised several computers and sell access to them).\r\nAdmin panels for Avaddon customers are all automatically generated and hosted on TOR network (.onion) sites.\r\nThe landing page for Avaddon’s ransom onion site is online and located here:\r\nhttp://avaddonbotrxmuyl[.]onion/\r\nAs of last Saturday (August 8th 2020), the Avaddon authors published their extortion site\r\n(http://avaddongun7rngel[.]onion/). 
When victims don’t pay the ransom, the Avaddon authors will publish some\r\nof their data as a public extortion effort.\r\nWe can look to Avaddon’s extortion efforts as an example template of how future ransomware will operate.\r\nExtortion and leaking of private victim data will be the new norm.\r\nInitial Presentation of Avaddon\r\nAvaddon’s initial loader is a compressed JavaScript attachment being distributed via email malspam attacks in the\r\nwild. The loader presents itself as a compressed (ZIP) JavaScript file masquerading as a JPG picture using file\r\nextension spoofing.\r\nIn order to better understand the Avaddon ransomware threat, let’s start off with the loader code that gets executed\r\nby the victim.\r\nWith most JavaScript droppers or loaders, we usually see several layers of complex obfuscation techniques. Some\r\nof these common techniques are string concatenation, string splitting, various encodings, junk code and even\r\nencryption.\r\nWith this initial Avaddon loader JavaScript, we only see junk code, which we can remove to move to the next stage\r\nof analysis. The purpose of junk code is generally to confuse human or machine analysis, depending on the\r\nsituation.\r\nFor example, junk code such as random math routines is added to malware to throw off anti-malware behavioral\r\nsystems and make the binary appear to be benign. Junk code in this specific Avaddon JavaScript loader threat is\r\nineffective at throwing off humans or machines because it’s just random values assigned to random variables. 
It’s\r\nunclear why the authors went this route with their design.\r\nRight out of the gate we can glean some interesting information about the Avaddon ransomware authors: they’re\r\ntargeting older, outdated Windows-specific systems with this initial loader. ActiveXObjects have long been\r\ndeprecated and are only used in the now outdated Internet Explorer web browser for automation purposes.\r\nActiveXObjects have been a commonly abused feature used by threat actors in malicious web-based and\r\ndocument-based attacks. This speaks to our victimology for Avaddon as well.\r\nHere, we see Avaddon’s JavaScript loader creating an object that instantiates a Windows shell, allowing\r\ncommands to be executed.\r\nFrom there, let’s break down how Avaddon loads its next attack stages.\r\nPowerShell is still actively being used, although it is becoming less effective due to Microsoft implementing more\r\naggressive technology in their ATP/Defender services. One example of this trend is the PowerShell Empire\r\nframework being abandoned due to the progress the security industry is making in flagging malicious\r\nPowerShell scripts.\r\nWhat we can learn from Avaddon using PowerShell here is that it’s likely targeting outdated Windows systems\r\nrunning Internet Explorer that might not have ATP/Defender enabled.\r\nThis specific PowerShell command is also, interestingly enough, not obfuscated. 
The PowerShell command is\r\nrequesting to bypass the default execution policy (which by default on Windows systems is set to not allow\r\nPowerShell scripts to run), download a second-stage PE file to the user’s temp directory with a new filename and then\r\nproceed to execute it silently.\r\nOne interesting point about bypassing the default PowerShell execution policy is that Microsoft never designed\r\nthis to be a security barrier, but more or less a control to prevent sysadmins from accidentally breaking systems\r\nwith incorrect PowerShell. In addition, the likelihood that the victim of the Avaddon loader is running with\r\nadministrative privileges that enable PowerShell execution is high.\r\nFrom a tactics perspective, we see the same pattern as we did with PowerShell, except this time the Avaddon\r\nJavaScript loader is leveraging the BITSadmin binary. We see the same C2 being called and the same second-stage\r\nbinary being downloaded and executed, except with a slightly different filename nomenclature.\r\nAdding in the documentation as comments in the Avaddon loader code, we can see how the BITSadmin command\r\noperates. Avaddon transfers the second-stage binary (if the download stream is interrupted, BITSadmin will resume when able)\r\nwith the job name (“twetaeihwuwe”) at a high priority, drops it into the user’s temp directory, renames\r\nit to “75365357.exe” and finally silently executes it using the “start” command.\r\nRedundancy in loaders is very common, and important in an attacker’s strategy. The victim machine might not\r\nsuccessfully execute the PowerShell command, but the BITSadmin fork process might.\r\nSome of the malware design choices for this loader are interesting, such as using very minor junk code and also\r\nrunning unobfuscated PowerShell. 
One thing to remember is that just because this loader is not sophisticated\r\ndoesn’t mean it’s not effective.\r\nMonitoring Ransomware Operations by Threat Group\r\nKeep in mind that the Avaddon ransomware is RaaS (Ransomware as a Service), and therefore the binaries we see\r\nin the wild are not necessarily attacks from that specific group but rather from customers of theirs.\r\nWe can leverage Passive DNS (pDNS) counts as a means to measure how effective ransomware operations are.\r\nThese counts represent the number of times a global DNS sensor gets hit with these domain queries, so we can use\r\nthem as metrics for operations tracking, such as when campaigns are spun up, shut down or are growing. From a\r\nblue team perspective, it’s a great idea to set up monitoring dashboards to keep an eye on these metrics.\r\nWe can see in the above pDNS table snapshot from Iris Investigate the activity levels (934 DNS requests detected\r\nby pDNS sensor counts) of the original domain spotted in the wild with this specific Avaddon campaign.\r\nWhat Else Does This Threat Actor/Group Do? Not Just Ransomware\r\nWe can see the operators behind the IP address \u0026 domain of this specific Avaddon ransomware threat are not just\r\none-trick ponies.\r\nI was able to observe an admin panel for “Predator The Thief” hosted on the same infrastructure as this Avaddon\r\nC2.\r\nPredator The Thief is a no-longer-supported C++ RAT (Remote Access Trojan) that was for sale on various\r\ncybercriminal marketplaces. 
The capabilities of Predator were Steam account hijacking, dumping of various web browsers’ local SQLite\r\ndatabases, cookie theft from Google Chrome, Opera and Yandex, as well as various other RAT\r\nfunctionality.\r\nWe can now say that the threat group behind the widely distributed Avaddon ransomware campaign also deals in\r\nother malware-related attacks.\r\nOne interesting note is that both Predator the Thief and Avaddon ransomware have the same “Anti-CIS” features\r\nor EULA agreements. This indicates that the threat group behind this specific build of Avaddon is likely in a CIS\r\nnation.\r\nWe can infer how successful these domains owned by the same threat actor/group have been. Generally speaking,\r\nthe more resolution counts we see in the wild, the more we can infer about historic and current activity levels broken\r\ndown by weaponized domain.\r\nThis threat group focuses its operations on information theft, account hijacking and password stealing against victims in\r\nnon-CIS countries.\r\nMapping Avaddon Infrastructure\r\nIn a previous blog post, I wrote up how you can leverage the DomainTools API and Jupyter notebooks to map out\r\nthe infrastructure associated with the Avaddon ransomware/threat actor.\r\nPrevention and Monitoring\r\nIn conclusion, security teams need to treat the Avaddon threat with the same controls as they do for all\r\nransomware threats:\r\nHaving a strong EDR solution deployed to Windows OS assets is critical to mitigating the multiple ways\r\nransomware can end up on your machines.\r\nThreat Hunting teams should continue to monitor for all TOR-related traffic egressing their network to\r\ndetermine any potential Avaddon-compromised machines.\r\nNever pay the attackers’ ransom.\r\nSource: https://www.domaintools.com/resources/blog/avaddon-the-latest-raas-to-jump-on-the-extortion-bandwagon",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.domaintools.com/resources/blog/avaddon-the-latest-raas-to-jump-on-the-extortion-bandwagon"
	],
	"report_names": [
		"avaddon-the-latest-raas-to-jump-on-the-extortion-bandwagon"
	],
	"threat_actors": [],
	"ts_created_at": 1775434026,
	"ts_updated_at": 1775791225,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e889e82b243772eefff0ef5486a51e605d841981.pdf",
		"text": "https://archive.orkl.eu/e889e82b243772eefff0ef5486a51e605d841981.txt",
		"img": "https://archive.orkl.eu/e889e82b243772eefff0ef5486a51e605d841981.jpg"
	}
}