{
	"id": "e9cf73c5-77fc-4147-ae98-61e3c827a958",
	"created_at": "2026-04-06T00:20:18.696962Z",
	"updated_at": "2026-04-10T03:24:24.311458Z",
	"deleted_at": null,
	"sha1_hash": "eea6ef271c53563d5e71d31d047c026ff1c35ebc",
	"title": "Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1927045,
	"plain_text": "Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone\r\n- SentinelLabs\r\nBy Jim Walter\r\nPublished: 2020-11-25 · Archived: 2026-04-05 15:42:09 UTC\r\nOverview\r\nEgregor ransomware is an offshoot of the Sekhmet malware family that has been active since mid-September\r\n2020. The ransomware operates by compromising organizations, stealing sensitive user data, encrypting said data,\r\nand demanding a ransom in exchange for the encrypted documents. Egregor is the ransomware associated with the\r\ncyberattacks against GEFCO, Barnes \u0026 Noble, Ubisoft, and numerous others.\r\nMultiple intelligence and security companies believe that there are ties between past, now defunct, Maze affiliates\r\nand Egregor. There have been reports of ties to Sekhmet, ProLock, and LockBit as well (both of which have also\r\nbeen tied to Maze). With regard to Sekhmet, there are deep similarities in the configuration format and\r\nobfuscation style. SentinelOne-affiliated security researcher Vitali Kremez noted these similarities in an early\r\nNovember tweet.\r\nhttps://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/\r\nPage 1 of 10\n\nAs with other modern ransomware groups, the actors behind Egregor exfiltrate victim data and threaten to expose\r\nit publicly should the victim fail to comply with the ransom demands.\r\nEgregor Distribution Methods\r\nThe primary distribution method for Egregor is Cobalt Strike. Targeted environments are previously compromised\r\nthrough various means (RDP exploit, phishing) and once the Cobalt Strike beacon payload is established and\r\npersistent, it is then utilized to deliver and launch the Egregor payloads.\r\nThat being said, since Egregor is a RaaS with multiple affiliates, delivery and weaponization tactics can\r\nvary. There have been limited and uncorroborated reports of Egregor utilizing CVE-2020-0688 (a remote code\r\nexecution flaw in Microsoft Exchange). 
Some sources also report the possible exploitation of CVE-2018-8174\r\n(VBScript Engine), CVE-2018-4878 (Adobe Flash Player) \u0026 CVE-2018-15982 (Adobe Flash Player). They have\r\nalso been shown to use LOTL (Living off the Land) tools such as bitsadmin to download or update DLL\r\ncomponents. In addition, some larger malware families and frameworks such as QBot have been observed\r\ndistributing Egregor in recent campaigns.\r\nEgregor Payload Analysis\r\nEgregor payloads (DLLs) are highly obfuscated, including Salsa20 encrypted configuration data. File encryption\r\nis achieved via a combination of the ChaCha stream cipher and RSA. Each payload contains an RSA-2048 public\r\nkey.\r\nDLL-based payloads require a key/password upon launch, with that key being specific to each sample. The -p\r\nparameter is passed to the payload concatenated with said key. For example, if the key is 123EVILBADGUYS the\r\nparameter -p123EVILBADGUYS is required to successfully launch the payload.\r\nThis methodology also adds to the malware’s ability to evade analysis by humans and by dynamic systems.\r\nWithout the valid key passed, the payload will decrypt incorrectly and fail to launch or terminate. This is a critical\r\npoint to consider in the context of static and dynamic analysis of Egregor payloads. With no key, voluntary\r\ndetonation and dynamic analysis become far more complex if not infeasible.\r\nAdditional parameters appear to be present in memory when the payloads are launched. Some of these are\r\nborderline self-explanatory, while others are still undergoing analysis. 
We have summarized the parameter usage\r\nbelow where possible.\r\nInitial analysis of Egregor payloads indicates that the ransomware will avoid encrypting systems where the\r\nprimary device language is one of the following:\r\nArmenian\r\nAzerbaijani\r\nBelarusian\r\nGeorgian\r\nKazakh\r\nKyrgyz\r\nRomanian\r\nRussian\r\nTajik\r\nTatar\r\nTurkmen\r\nUkrainian\r\nUzbek\r\nThe primary method of data exfiltration appears to be Rclone, which is an open source utility that can be used to\r\nmanage remote storage. Egregor payloads deposit their own copy of Rclone along with unique configuration data,\r\ncontrolling the exfiltration process.\r\nPost-Compromise Behavior\r\nEgregor maintains a victim blog, which they use to threaten victims and post exfiltrated data in the event that\r\nvictims fail to comply with their ransom demands. As of November 24th, 2020 there were 152 companies listed\r\non the Egregor blog, spanning numerous industries across the globe. They do not appear to discriminate when it\r\ncomes to industry or geography. The most frequently represented industries are:\r\nInformation Technology and Services\r\nConstruction\r\nRetail\r\nConsumer Goods\r\nAutomotive\r\nThe Egregor ransom notes follow a template familiar from other ransomware families. Victims are instructed to visit\r\ntheir TOR-based payment portal for further instructions. 
There is also an encrypted blob at the bottom of each\r\nransom note containing victim-specific system data, along with the encoded RSA public key.\r\nExample:\r\npWEzuKkw9nY82VRKYfrw4f4wvrnfnKEApQ5JTkf/YQPzxJtJmwKUjXV759aYQnPIZdGN1RUckdpMZWiYGmsWFYzkNJZpsPihvk9c1\r\nThis ‘blob’ includes data pertaining to the victim’s available local drives, the space and total size of those drives,\r\nthe hostname, the names of any AV or security products discovered, and the user/domain context. The ‘blob’ is\r\nprimarily base64-encoded. When decoded, the pertinent data is visible at the end of the plaintext.\r\nConclusion\r\nEgregor is one of the more aggressive and complex ransomware families to hit in the last 6 to 8 months. As with\r\nother contemporary threats, the damage being done extends well beyond the cost of the ransom (which you should\r\navoid), and now also includes any penalties associated with data breaches, public posting of private data, GDPR /\r\ncompliance fallout, and beyond.\r\nThe SentinelOne Singularity Platform fully protects our customers from this ransomware and related families.\r\nIndicators of Compromise\r\nSHA256 
Hashes\r\nSHA1 Hashes\r\nIP Addresses\r\nFull URL Examples\r\nVictim Blog / Archive\r\nh t t p://egregoranrmzapcv[.]onion\r\nh t t p s://egregornews[.]com/\r\nPayment Portal\r\nh t t p://egregor4u5ipdzhv[.]onion/\r\nMITRE ATT\u0026CK\r\nIndicator Removal on Host: File Deletion T1070.004\r\nModify Registry T1112\r\nQuery Registry T1012\r\nSystem Information Discovery T1082\r\nNative API T1106\r\nHijack Execution Flow: DLL Side-Loading T1574.002\r\nProcess Injection T1055\r\nMasquerading T1036\r\nSystem Time Discovery T1124\r\nArchive Collected Data T1560\r\nVirtualization/Sandbox Evasion T1497\r\nSoftware Discovery: Security Software Discovery T1518.001\r\nPeripheral Device Discovery T1120\r\nInhibit System Recovery T1490\r\nCreate or Modify System Process: 
Windows Service T1031\r\nExfiltration TA0010\r\nMiscellaneous\r\nRansom Note example (RECOVER-FILES.txt)\r\nSource: https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/"
	],
	"report_names": [
		"egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434818,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eea6ef271c53563d5e71d31d047c026ff1c35ebc.pdf",
		"text": "https://archive.orkl.eu/eea6ef271c53563d5e71d31d047c026ff1c35ebc.txt",
		"img": "https://archive.orkl.eu/eea6ef271c53563d5e71d31d047c026ff1c35ebc.jpg"
	}
}