{
	"id": "e1b3c36e-f736-48e3-87f6-438730fc9786",
	"created_at": "2026-04-06T00:15:24.811821Z",
	"updated_at": "2026-04-10T03:20:52.746339Z",
	"deleted_at": null,
	"sha1_hash": "effcee097e1c26499a3a0752d42b52dc78b1699e",
	"title": "New Ryuk Info Stealer Targets Government and Military Secrets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1243090,
	"plain_text": "New Ryuk Info Stealer Targets Government and Military Secrets\r\nBy Lawrence Abrams\r\nPublished: 2020-01-24 · Archived: 2026-04-05 17:01:40 UTC\r\nA new version of the Ryuk Stealer malware has been enhanced to allow it to steal a greater number of confidential files\r\nrelated to the military, government, financial statements, banking, and other sensitive data.\r\nIn September 2019, we reported on a new malware that included references to the Ryuk Ransomware and was used to steal\r\nfiles if the file's name matched certain keywords.\r\nIt is not known if this tool is created by the Ryuk Ransomware actors to be used for data exfiltration before encrypting a\r\nvictim's computer or if another actor simply borrowed from the ransomware's code.\r\n\"It is likely the same actor with the access to the earlier Ryuk version who repurposed the code portion for this\r\nstealer,\" Head of SentinelLabs Vitali Kremez told BleepingComputer.\r\nWhat we do know is that the malware is targeting very specific keywords that could be disastrous for governments, military\r\noperations, and law enforcement cases if the stolen files are exposed.\r\nNew features added to the Ryuk Stealer\r\nA new variant of the Ryuk Stealer malware was discovered today by MalwareHunterTeam that adds a new file content\r\nscanning feature and additional keywords that it targets for theft.\r\nIn the previous version, the Ryuk Stealer would scan a computer's files for Word (docx) and Excel (xlsx) documents.\r\nAccording to Kremez, this new version of the stealer will look for an additional seven file types related to C++ source code,\r\nfurther Word and Excel document types, PDFs, JPG image 
files, and cryptocurrency wallets.\r\nTargeted Extension\r\nThe full list of targeted extensions is:\r\n.cpp\r\n.h\r\n.xls\r\n.xlsx\r\n.doc\r\n.docx\r\n.pdf\r\nwallet.dat\r\n.jpg\r\nIf a file matches one of the above extensions, the stealer will check the contents of the file and see if they contain one of the\r\n85 keywords listed below.\r\n'personal', 'securityN-CSR10-SBEDGAR', 'spy', 'radar', 'agent', 'newswire', 'marketwired', '10-Q', 'fraud', 'hack', 'defe\r\nIn addition, the stealer will check if the filename contains any of the following 55 keywords:\r\n'SECURITY', 'N-CSR', '10-SB', 'EDGAR', ' spy ', 'radar', 'censored', 'agent', 'newswire', 'marketwired', '10-Q', 'fraud',\r\nWhen a matching document is found, the malware will upload it to an FTP site that is under the attacker's control. The two\r\nembedded FTP sites currently being used by the malware are down.\r\nTargeting highly sensitive documents\r\nAs you can see, the targeted keywords are related to sensitive subjects for a variety of data categories such as:\r\nBanking: 'SWIFT', 'IBAN', 'balance', 'statement', 'checking', 'saving', 'routing'\r\nFinance: 'N-CSR', '10-SB', 'EDGAR', 'newswire', 'marketwired', '10-Q'\r\nLaw Enforcement: 'clandestine', 'investigation', 'federal', 'bureau', 'government', 'security', 'victim', 'court'\r\nMilitary: 'NATO', 'operation', 'attack', 'spy', 'radar', 'tactical', 'tank', 'submarine'\r\nPersonal: 'personal', 'passport', 'Emma', 'Liam', 'Olivia', 'Noah', 'William', 'Isabella', 'James', 'Sophia', 'Logan'\r\nThe names in the Personal category are taken from the United States Social Security Department's list of top baby names.\r\nSome of the new search words that were added since the latest version include 'treason', 'NATO', 'convict',\r\n'traitor', 'embeddedspy', 'cyber', 'submarine', 'Submarinesecret', 'contraband', 'radio', 'suspect', 
'operation', and 'bribery.'\r\nBased on the targeted keywords in this malware, it looks like the attackers are looking for confidential information to sell to\r\nforeign adversaries, corporations, or to be used as blackmail.\r\nAt this time, we do not know how this malware is being distributed and if it's bundled with ransomware attacks or used\r\nindependently.\r\nWith data exfiltration becoming more common and increasingly being used by ransomware, it is important to make sure you\r\nhave good security measures in place to protect your network from compromise.\r\nThis includes being careful of phishing emails with malicious attachments, not making Remote Desktop Services publicly\r\naccessible, making sure all software and operating systems are updated, and making sure to use security software and good\r\npassword policies.\r\nSource: https://www.bleepingcomputer.com/news/security/new-ryuk-info-stealer-targets-government-and-military-secrets/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-ryuk-info-stealer-targets-government-and-military-secrets/"
	],
	"report_names": [
		"new-ryuk-info-stealer-targets-government-and-military-secrets"
	],
	"threat_actors": [],
	"ts_created_at": 1775434524,
	"ts_updated_at": 1775791252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/effcee097e1c26499a3a0752d42b52dc78b1699e.pdf",
		"text": "https://archive.orkl.eu/effcee097e1c26499a3a0752d42b52dc78b1699e.txt",
		"img": "https://archive.orkl.eu/effcee097e1c26499a3a0752d42b52dc78b1699e.jpg"
	}
}