{
	"id": "eaaee735-9973-48d9-abf0-d0be1ee08202",
	"created_at": "2026-04-06T00:10:10.402888Z",
	"updated_at": "2026-04-10T03:22:07.664112Z",
	"deleted_at": null,
	"sha1_hash": "ec6a96866954e18fa9c8abe8843e3a780c62ab02",
	"title": "Unveiling the Deceptive Dance: Phobos Ransomware Masquerading As VX-Underground",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1763888,
	"plain_text": "Unveiling the Deceptive Dance: Phobos Ransomware Masquerading As VX-Underground\r\nBy Suraj Mundalik\r\nPublished: 2023-11-23 · Archived: 2026-04-05 17:21:53 UTC\r\nDuring a recent hunt, Qualys Threat Research came across the Phobos ransomware family impersonating VX-Underground. Phobos ransomware has been knocking on our door since early 2019 and is often distributed via stolen Remote Desktop Protocol (RDP) connections. It is strongly believed to be closely tied to the earlier Dharma malware and usually operates under a Ransomware-as-a-Service (RaaS) model.\r\nAbout VX-Underground\r\nVX-Underground is an open-source community hosting the largest collection of malware source code, samples, and papers on the internet, and it is the most popular source the threat research community uses to share malware samples across the globe.\r\nFig 1. vx-underground\r\nTechnical Analysis\r\nAntiRecuvaAndDB.exe (763b04ef2d0954c7ecf394249665bcd71eeafebc3a66a27b010f558fd59dbdeb)\r\nThe sample is distributed under a file name (AntiRecuvaAndDB.exe) that masquerades as part of Recuva, a popular data recovery utility. This file name has been used repeatedly by threat actors to distribute malware and has recently been abused by the Phobos ransomware family.\r\nUPX Packed Payload\r\nThe sample is packed with the UPX packer, as the section names in the PE section table (screenshot below) make evident. The binary is compiled for 32-bit.\r\nhttps://blog.qualys.com/vulnerabilities-threat-research/2023/11/23/unveiling-the-deceptive-dance-phobos-ransomware-masquerading-as-vx-underground\r\nPage 1 of 5\r\nFig 2. UPX Packed Binary\r\nThe Main Culprit – Phobos Ransomware\r\nAfter unpacking the sample, the indicators clearly point to the Phobos ransomware family. 
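
The UPX conclusion in the packing section above rests on what the PE section table says. As an added example (not code from the Qualys post, and not derived from the Phobos sample), the Python below parses a PE section table with nothing but the standard library, confirms the PE32 (32-bit) magic, and reports the two UPX tells an analyst looks for: the UPX0/UPX1 section names, and a first section with no raw data that the unpacking stub fills at run time. The two images it runs on are constructed inline for the demonstration; their section names and sizes are assumptions chosen to mimic a typical UPX layout and a typical unpacked x86 layout, not values taken from the sample.

```python
import struct

# Section names UPX writes into the table it leaves behind. A packer can be
# told to rename them, so this is a triage signal, not proof of packing.
UPX_SECTION_NAMES = {'UPX0', 'UPX1', 'UPX2'}
IMAGE_FILE_MACHINE_I386 = 0x014C
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
FILE_HEADER_FMT = '<HHIIIHH'          # IMAGE_FILE_HEADER, 20 bytes
SECTION_HEADER_FMT = '<8sIIIIIIHHI'   # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data):
    '''Walk MZ -> e_lfanew -> PE signature -> file header -> optional header
    magic -> section table. Returns the bitness and one dict per section.'''
    if data[:2] != b'MZ':
        raise ValueError('missing MZ signature')
    (e_lfanew,) = struct.unpack_from('<I', data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b'PE' + bytes(2):
        raise ValueError('missing PE signature')
    fh_off = e_lfanew + 4
    machine, n_sections, _, _, _, opt_size, _ = struct.unpack_from(FILE_HEADER_FMT, data, fh_off)
    opt_off = fh_off + struct.calcsize(FILE_HEADER_FMT)
    (magic,) = struct.unpack_from('<H', data, opt_off)
    bits = {PE32_MAGIC: 32, PE32PLUS_MAGIC: 64}.get(magic)
    if bits is None:
        raise ValueError(f'unknown optional header magic {magic:#x}')
    sections = []
    off = opt_off + opt_size            # section table follows the optional header
    for _ in range(n_sections):
        name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(SECTION_HEADER_FMT, data, off)
        sections.append({
            'name': name.rstrip(bytes(1)).decode('ascii', 'replace'),
            'virtual_size': vsize, 'virtual_address': vaddr,
            'raw_size': raw_size, 'raw_pointer': raw_ptr, 'characteristics': flags,
        })
        off += struct.calcsize(SECTION_HEADER_FMT)
    return {'machine': machine, 'bits': bits, 'sections': sections}


def upx_indicators(data):
    '''Two independent tells: UPX section names, and a first section with zero
    raw data but a non-zero virtual size (UPX0, the area the stub unpacks into).
    The second tell also fires on any image whose first section is uninitialized
    data, so treat it as a hint to be confirmed by unpacking.'''
    info = parse_pe(data)
    sections = info['sections']
    upx_names = [s['name'] for s in sections if s['name'] in UPX_SECTION_NAMES]
    first = sections[0] if sections else None
    hollow_first = bool(first) and first['raw_size'] == 0 and first['virtual_size'] > 0
    return {'bits': info['bits'], 'upx_names': upx_names,
            'hollow_first_section': hollow_first,
            'likely_upx': bool(upx_names) or hollow_first}


def build_sample_pe(sections, magic=PE32_MAGIC):
    '''Constructed test image (not the Phobos sample): only the headers the
    parser reads are filled in. sections is a list of (name, virtual_size, raw_size).'''
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, e_lfanew)
    opt_size = 0xE0 if magic == PE32_MAGIC else 0xF0
    file_header = struct.pack(FILE_HEADER_FMT, IMAGE_FILE_MACHINE_I386, len(sections), 0, 0, 0, opt_size, 0x0102)
    optional = bytearray(opt_size)
    struct.pack_into('<H', optional, 0, magic)
    table = b''
    raw_ptr = 0x400
    for i, (name, vsize, raw_size) in enumerate(sections):
        table += struct.pack(SECTION_HEADER_FMT, name.encode().ljust(8, bytes(1)), vsize, 0x1000 * (i + 1),
                             raw_size, raw_ptr if raw_size else 0, 0, 0, 0, 0, 0xE0000020)
        raw_ptr += raw_size
    return bytes(dos) + b'PE' + bytes(2) + file_header + bytes(optional) + table


# Constructed layouts (assumed, not measured from the sample): PACKED mimics a
# typical UPX result, CLEAN an ordinary unpacked x86 image.
PACKED = build_sample_pe([('UPX0', 0x20000, 0), ('UPX1', 0xA000, 0x9E00), ('.rsrc', 0x2000, 0x1C00)])
CLEAN = build_sample_pe([('.text', 0x8000, 0x7E00), ('.rdata', 0x2000, 0x1A00),
                         ('.data', 0x1000, 0x400), ('.rsrc', 0x2000, 0x1C00)])

if __name__ == '__main__':
    for label, blob in (('packed', PACKED), ('clean', CLEAN)):
        print(label, upx_indicators(blob))
```

On a real file, read it in binary mode and pass the bytes to upx_indicators. Confirm a positive by unpacking (upx -d) or by looking at the entry point before building any detection on it: the name check is defeated by a renamed section table, and the hollow-first-section check is a layout hint rather than a signature.
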
Phobos ransomware is very closely related to the CrySIS and Dharma malware families and uses UNC paths to reach network resources, as seen in the screenshot below.\r\nFig 3. UNC Path\r\nPhobos halts execution if a Cyrillic locale is present on the system, which it determines with native APIs such as GetLocaleInfoW. It checks the 9th bit and, if that bit is cleared, treats the system as Cyrillic and terminates the infection.\r\nFig 4. Cyrillic Detection\r\nBefore it starts encrypting, the ransomware kills a list of specific processes so that none of them keeps open the files it is about to encrypt on the victim system.\r\nThe following processes are killed:\r\n“msftesql.exe,sqlagent.exe,sqlbrowser.exe,sqlservr.exe,sqlwriter.exe,oracle.exe,ocssd.exe,dbsnmp.exe,synctime.exe,agntsvc.exe,mydesktopqnt.exe,mysqld-opt.exe,dbeng50.exe,sqbcoreservice.exe,excel.exe,infopath.exe,msaccess.exe,mspub.exe,onenote.exe,outlook.exe,powerpnt.exe,steam.exe,theba\r\nFig 5. Process Kill Routine\r\nThe ransomware inhibits system recovery by executing the following commands:\r\nDelete shadow copies\r\nvssadmin delete shadows /all /quiet\r\nwmic shadowcopy delete\r\nDisable automatic Windows recovery by modifying the boot configuration data\r\nbcdedit /set {default} bootstatuspolicy ignoreallfailures\r\nbcdedit /set {default} recoveryenabled no\r\nDelete the Windows backup catalog\r\nwbadmin delete catalog -quiet\r\nDisable the Windows firewall\r\nnetsh advfirewall set currentprofile state off\r\nnetsh firewall set opmode mode=disable\r\nRansomware Artifacts\r\nOnce the payload has executed successfully, it starts its regular encryption routine and encrypts the files on the victim machine with a “.VXUG” extension. The threat actor is clearly impersonating VX-Underground by using its shorthand, VXUG. The ransomware renames each encrypted file by appending the following:\r\n.id[unique_id].[staff@vx-underground.org].VXUG\r\nFig 6. Phobos Encrypted Files\r\nThe ransomware achieves persistence by copying the executable into the Startup directory and adding a Run registry key.\r\nFig 7. Startup Persistence\r\nFig 8. Run Registry Persistence\r\nPhobos also drops ransom notes into multiple directories, starting with the Desktop. Two notes are dropped, an .hta and a .txt; the HTA note is shown as a pop-up to push the victim into panic mode.\r\nFig 9. Ransom Notes on Desktop\r\nFig 10. Impersonating Ransom Pop-Up\r\nFig 11. Text Ransom Note\r\nMITRE ATT\u0026CK\r\nTactic(s): Technique(s)\r\nPersistence (TA0003): Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)\r\nPrivilege Escalation (TA0004): Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)\r\nDefense Evasion (TA0005): Software Packing (T1027.002); File Deletion (T1070.004); Modify Registry (T1112); Indirect Command Execution (T1202); Disable or Modify Tools (T1562.001)\r\nDiscovery (TA0007): Process Discovery (T1057); File and Directory Discovery (T1083)\r\nImpact (TA0040): Inhibit System Recovery (T1490)\r\nHow Qualys EDR Protects Against These Attacks\r\nQualys Threat Research proactively monitors threat actors and their in-the-wild campaigns to deliver best-in-class detections for all of its customers. Qualys detects this campaign with the following detections:\r\nWin32.Ransomware.Phobos\r\nPHOBOS_RANSOMWARE_VX_UNDERGROUND_DISGUISE_T1486\r\nWMIC_SHADOW_COPY_DELETION_T1490\r\nDISABLE_AUTOMATIC_WINDOWS_RECOVERY_VIA_BCEDIT_T1490\r\nDELETE_WINDOWS_BACKUP_CATALOG_T1490\r\nDISABLE_MICROSOFT_DEFENDER_VIA_REGISTRY_T1562_001\r\nPHOBOS_RANSOMWARE_VX_UNDERGROUND_DISGUISE_STARTUP_PERSISTENCE_T1547_001\r\nPHOBOS_RANSOMWARE_VX_UNDERGROUND_DISGUISE_REGISTRY_PERSISTENCE_T1547_001\r\nHunting Queries for This Attack Using Qualys EDR\r\nQualys EDR customers can use the following hunting queries to look for indicators of this attack in their environment using the HUNTING tab on the Qualys EDR Cloud Platform:\r\nfile.extension:'VXUG'\r\nfile.fullPath:'\\\\Desktop\\\\Buy Black Mass Volume I.txt'\r\nfile.fullPath:'\\\\Desktop\\\\Buy Black Mass Volume II.hta'\r\nfile.fullPath:'\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\AntiRecuvaAndDB.exe'\r\nregistry.key:'\\\\CurrentVersion\\\\Run' and registry.value:'AntiRecuvaAndDB'\r\nContributors\r\nRavindra Deotare, Director, Threat Research, Qualys\r\nSource: https://blog.qualys.com/vulnerabilities-threat-research/2023/11/23/unveiling-the-deceptive-dance-phobos-ransomware-masquerading-as-vx-underground",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.qualys.com/vulnerabilities-threat-research/2023/11/23/unveiling-the-deceptive-dance-phobos-ransomware-masquerading-as-vx-underground"
	],
	"report_names": [
		"unveiling-the-deceptive-dance-phobos-ransomware-masquerading-as-vx-underground"
	],
	"threat_actors": [],
	"ts_created_at": 1775434210,
	"ts_updated_at": 1775791327,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ec6a96866954e18fa9c8abe8843e3a780c62ab02.pdf",
		"text": "https://archive.orkl.eu/ec6a96866954e18fa9c8abe8843e3a780c62ab02.txt",
		"img": "https://archive.orkl.eu/ec6a96866954e18fa9c8abe8843e3a780c62ab02.jpg"
	}
}