{
	"id": "c5a06970-cd1a-44f6-8e9a-6f49f2925ce3",
	"created_at": "2026-04-06T00:16:30.998903Z",
	"updated_at": "2026-04-10T03:20:52.603188Z",
	"deleted_at": null,
	"sha1_hash": "fa124e2ac9f804570c40683059eb2e40eada52e2",
	"title": "AXLocker, Octocrypt \u0026 Alice: New Wave Of Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2046494,
	"plain_text": "AXLocker, Octocrypt \u0026 Alice: New Wave Of Ransomware\r\nPublished: 2022-11-18 · Archived: 2026-04-05 19:55:13 UTC\r\nCyble analyzes a new wave of ransomware attacks led by AXLocker, Octocrypt, and Alice ransomware and how they target Discord tokens.\r\nAXLocker Ransomware Stealing Victim’s Discord Tokens\r\nRansomware is one of the most critical cybersecurity problems on the internet and possibly the most powerful form of cybercrime plaguing organizations today. It has rapidly become one of the most important and profitable malware families among Threat Actors (TAs). In a typical scenario, the ransomware infection starts with the TA gaining access to the target system. Depending on the type of ransomware, it can infect the entire operating system or encrypt individual files. The TAs will then typically demand payment from the victim for the decryption of their files.\r\nWhile organizations are protecting themselves from ransomware attacks, new ransomware groups are also emerging proportionally every year. New ransomware groups are evolving by expanding the scope of their operations for financial gain. Multiple new ransomware groups have emerged recently, highlighting the widespread adoption of ransomware attacks by TAs for monetary growth.\r\nCyble Research and Intelligence Labs (CRIL) came across three new ransomware families: AXLocker, Octocrypt, and Alice Ransomware.\r\nhttps://blog.cyble.com/2022/11/18/axlocker-octocrypt-and-alice-leading-a-new-wave-of-ransomware-campaigns/\r\nPage 1 of 14\n\nRansomware operators now have a new tool, named AXLocker, which can encrypt several file types and make them completely unusable. Additionally, the ransomware steals Discord tokens from the victim’s machine and sends them to the TA’s server. Later, a ransom note is displayed on the victim’s system with instructions for obtaining the decryption tool used to recover the encrypted files.\r\nTechnical Analysis\r\nWe have taken the following sample hash (SHA256) for our analysis: c8e3c547e22ae37f9eeb37a1efd28de2bae0bfae67ce3798da9592f8579d433c, which is a 32-bit GUI-based .NET binary executable targeting Windows operating systems, as shown below.\r\nFigure 1 – Static file details of AXLocker ransomware\r\nUpon execution, the ransomware hides itself by modifying its file attributes and calls the startencryption() function to encrypt files, as shown below.\r\nFigure 2 – AXLocker main function\r\nThe startencryption() function contains code to search for files by enumerating the available directories on the C:\\ drive. It looks for specific file extensions to encrypt and excludes a list of directories from the encryption process, as shown in the figure below.\r\nFigure 3 – File extensions to encrypt and directories to exclude from encryption\r\nAfter that, the ransomware calls the ProcessFile function, which in turn executes an EncryptFile function with the fileName as an argument to encrypt the victim’s files.\r\nThis ransomware uses the AES encryption algorithm to encrypt files. The figure below shows a ransomware code snippet searching for and encrypting the victim’s files.\r\nFigure 4 – AXLocker ransomware searching and encrypting files\r\nThe image below shows the code snippet of the encryption function and the original/infected file content before and after encryption.\r\nFigure 5 – Encryption function and the original/encrypted file content\r\nWe observed that the ransomware does not change the file name or extension after encryption. The image below shows a file encrypted by the ransomware after successful infection of the victim’s machine.\r\nFigure 6 – Encrypted file by AXLocker ransomware\r\nAfter encrypting the victim’s files, the ransomware collects and sends sensitive information such as computer name, username, machine IP address, system UUID, and Discord tokens to the TA, as shown in the figure below.\r\nFigure 7 – Exfiltrate stolen victim details\r\nFor stealing Discord tokens, the malware targets the following directories:\r\nDiscord\\Local Storage\\leveldb\r\ndiscordcanary\\Local Storage\\leveldb\r\ndiscordptb\\leveldb\r\nOpera Software\\Opera Stable\\Local Storage\\leveldb\r\nGoogle\\Chrome\\User Data\\\\Default\\Local Storage\\leveldb\r\nBraveSoftware\\Brave-Browser\\User Data\\Default\\Local Storage\\leveldb\r\nYandex\\YandexBrowser\\User Data\\Default\\Local Storage\\leveldb\r\nIt uses a regex to find the Discord tokens in the local storage files and saves them in a list, then sends them to the Discord server along with the other collected information using the below URL:\r\nhxxps://discord[.]com/api/webhooks/1039930467614478378/N2J80EuPMXSWuIBpizgDJ-75[Redacted]DJimbA7xriJVmtb14gUP3VCBBZ0AZR\r\nFigure 8 – Grab function to Steal Discord tokens\r\nFinally, the AXLocker ransomware shows a pop-up window containing a ransom note that instructs victims on contacting the TAs to restore their encrypted files, as shown below.\r\nFigure 9 – AXLocker ransom note window\r\nOctocrypt Ransomware\r\nOctocrypt is a new ransomware strain that targets all Windows versions. The ransomware builder, encryptor, and decryptor are written in Golang. The TAs behind Octocrypt operate under the Ransomware-as-a-Service (RaaS) business model, and the offering surfaced on cybercrime forums around October 2022 for USD 400.\r\nThe Octocrypt ransomware has a simple web interface for building the encryptor and decryptor, and the web panel also displays the infected victims’ details.\r\nThe below figure shows a post made by the Octocrypt ransomware developer on a cybercrime forum.\r\nFigure 10 – Post Made by the Octocrypt developer on Cybercrime Forum\r\nRansomware Builder: Octocrypt\r\nThe Octocrypt web panel builder interface allows TAs to generate ransomware binary executables by entering options such as API URL, crypto address, crypto amount, and contact email address.\r\nTAs can download the generated payload file by clicking the URL provided in the web panel under payload details. The below figure shows the payload options used to build the ransomware executable and the generated URL to download the file.\r\nFigure 11 – Octocrypt builder and payload URL\r\nTechnical Details\r\nThe sample hash (SHA256) 9a557b61005dded36d92a2f4dafdfe9da66506ed8e2af1c851db57d8914c4344 was taken for this analysis.\r\nBased on static analysis, we found that the ransomware is a console-based 64-bit Golang binary executable. Upon execution, the ransomware first ensures that the system has an internet connection and then checks the TCP connection to the API URL, as shown below.\r\nFigure 12 – Checking system internet and TCP connection\r\nAfter that, the malware starts the encryption process by enumerating the directories and encrypting the victim’s files using the AES-256-CTR algorithm, appending the extension “.octo”.\r\nThen, the ransomware drops the ransom note in multiple folders with the file name “INSTRUCTIONS.html”.\r\nFinally, the ransomware changes the victim’s wallpaper to display a message demanding that the victim send the ransom amount to a specific Monero wallet address, as shown below.\r\nFigure 13 – Octocrypt changing desktop background\r\nAlice Ransomware\r\nOne more new ransomware, dubbed “Alice”, also appeared on cybercrime forums under the TA’s project “Alice in the Land of Malware”. The Alice ransomware also works under the Ransomware-as-a-Service (RaaS) business model. No Indicators of Compromise for this ransomware strain are currently available in the wild.\r\nThe figure below shows the TA’s advertisement on a cybercrime forum.\r\nFigure 14 – Alice ransomware post shared by TA on a Cybercrime Forum\r\nThe TA sells this Alice ransomware builder for the prices listed below:\r\nFigure 15 – Alice ransomware price details\r\nAs specified by the developer on the forum, the below figure shows the functionality and advantages of Alice ransomware.\r\nFigure 16 – Alice ransomware functionalities and advantages\r\nRansomware Builder: Alice\r\nThe Alice ransomware builder permits the TAs to generate ransomware binary files with a customized ransom note. After entering the ransom message and clicking the “New Build” button in the builder, it generates two executable files named “Encryptor.exe” and “Decryptor.exe”, as shown in the figure below.\r\nFigure 17 – Alice ransomware builder\r\nSuccessful execution of Alice ransomware encrypts the victim’s files and appends the extension “.alice”. The malware also drops ransom notes named “How to Restore Your Files.txt” in multiple folders.\r\nThe below figure shows the encrypted files and the ransom note dropped by Alice ransomware.\r\nFigure 18 – Encrypted files and dropped ransom note by Alice ransomware\r\nConclusion\r\nRansomware groups continue to pose a serious risk to firms, individuals, and even entire governments, as we recently observed in the case of Costa Rica. Victims are at risk of losing valuable data as a result of such attacks, resulting in financial and productivity loss. In extreme cases, compromising government and law enforcement credentials can even result in cyberwarfare with grave implications for national security and diplomatic relations.\r\nCRIL has also observed a considerable increase in cybercrime through Telegram channels and cybercrime forums where TAs sell their products without any regulation. TAs are increasingly attempting to maintain a low profile to avoid drawing the attention of Law Enforcement agencies. Enterprises need to stay ahead of the techniques used by TAs and implement the requisite security best practices and security controls, or they will become the victims of increasingly sophisticated and aggressive ransomware.\r\nRegularly monitoring the dark web and acting upon early warning indicators such as compromised credentials, accesses, and vulnerabilities traded on cybercrime forums can forewarn enterprises of potential threats and allow them to take corrective action based on real-time, actionable threat intel. CRIL continuously monitors new ransomware campaigns and will keep our readers updated.\r\nOur Recommendations\r\nWe have listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:\r\nSafety Measures Needed to Prevent Ransomware Attacks\r\nConduct regular backups and keep those backups offline or in a separate network.\r\nTurn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.\r\nUse a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.\r\nRefrain from opening untrusted links and email attachments without verifying their authenticity.\r\nUsers Should Take the Following Steps After the Ransomware Attack\r\nDetach infected devices from the network.\r\nDisconnect external storage devices if connected.\r\nInspect system logs for suspicious events.\r\nImpact And Cruciality of Ransomware\r\nLoss of valuable data.\r\nLoss of the organization’s reputation and integrity.\r\nLoss of the organization’s sensitive business information.\r\nDisruption in organization operation.\r\nFinancial loss.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique ID | Technique Name\r\nExecution | T1204 | User Execution\r\nExecution | T1059 | Command and Scripting Interpreter\r\nExecution | T1047 | Windows Management Instrumentation\r\nPersistence | T1547.001 | Registry Run Keys / Startup Folder\r\nPersistence | T1053 | Scheduled Task/Job\r\nDefense Evasion | T1497 | Virtualization/Sandbox Evasion\r\nCredential Access | T1528 | Steal Application Access Token\r\nDiscovery | T1087 | Account Discovery\r\nDiscovery | T1082 | System Information Discovery\r\nDiscovery | T1083 | File and Directory Discovery\r\nImpact | T1486 | Data Encrypted for Impact\r\nCommand and Control | T1071 | Application Layer Protocol\r\nExfiltration | T1020 | Automated Exfiltration\r\nIndicators of Compromise\r\nIndicators | Indicator type | Description\r\nab2c19f4c79bc7a2527ab4df85c69559 | MD5 | AXLocker Ransomware executable\r\n60a692c6eaf34a042717f54dbec4372848d7a3e3 | SHA-1 | AXLocker Ransomware executable\r\nd51297c4525a9ce3127500059de3596417d031916eb9a52b737a62fb159f61e0 | SHA256 | AXLocker Ransomware executable\r\n07563c3b4988c221314fdab4b0500d2f | MD5 | AXLocker Ransomware executable\r\na5f53c9b0f7956790248607e4122db18ba2b8bd9 | SHA-1 | AXLocker Ransomware executable\r\n0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224 | SHA256 | AXLocker Ransomware executable\r\na18ac3bfb1be7773182e1367c53ec854 | MD5 | AXLocker Ransomware executable\r\nc3d5c1f5ece8f0cf498d4812f981116ad7667286 | SHA-1 | AXLocker Ransomware executable\r\nc8e3c547e22ae37f9eeb37a1efd28de2bae0bfae67ce3798da9592f8579d433c | SHA256 | AXLocker Ransomware executable\r\n9be47a6394a32e371869298cdf4bdd56 | MD5 | AXLocker Ransomware executable\r\nca349c0ddd6cda3a53ada634c3c1e1d6f494da8a | SHA-1 | AXLocker Ransomware executable\r\n9e95fcf79fac246ebb5ded254449126b7dd9ab7c26bc3238814eafb1b61ffd7a | SHA256 | AXLocker Ransomware executable\r\nad1c2d9a87ebc01fa187f2f44d9a977c | MD5 | AXLocker Ransomware executable\r\n03d871509a7369f5622e9ba0e21a14a7e813536d | SHA-1 | AXLocker Ransomware executable\r\nd9793c24290599662adc4c9cba98a192207d9c5a18360f3a642bd9c07ef70d57 | SHA256 | AXLocker Ransomware executable\r\n346e7a626d27f9119b795c889881ed3d | MD5 | Octocrypt Ransomware executable\r\nce25203215f689451a2abb52d24216aec153925a | SHA-1 | Octocrypt Ransomware executable\r\n9a557b61005dded36d92a2f4dafdfe9da66506ed8e2af1c851db57d8914c4344 | SHA256 | Octocrypt Ransomware executable\r\n5a39a2c4f00c44e727c3a66e3d5948c2 | MD5 | Octocrypt Ransomware executable\r\n07e7341b86ace9935c4f1062d41a94f3b31f9bf6 | SHA-1 | Octocrypt Ransomware executable\r\n65ad38f05ec60cabdbac516d8b0e6447951a65ca698ca2046c50758c3fd0608b | SHA256 | Octocrypt Ransomware executable\r\n2afdbca6a8627803b377adc19ef1467d | MD5 | Octocrypt Ransomware UPX packed executable\r\n13a0ce1c3ac688c55ba3f7b57fb6c09ad0e70565 | SHA-1 | Octocrypt Ransomware UPX packed executable\r\ne65e3dd30f250fb1d67edaa36bde0fda7ba3f2d36f4628f77dc9c4e766ee8b32 | SHA256 | Octocrypt Ransomware UPX packed executable\r\nSource: https://blog.cyble.com/2022/11/18/axlocker-octocrypt-and-alice-leading-a-new-wave-of-ransomware-campaigns/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2022/11/18/axlocker-octocrypt-and-alice-leading-a-new-wave-of-ransomware-campaigns/"
	],
	"report_names": [
		"axlocker-octocrypt-and-alice-leading-a-new-wave-of-ransomware-campaigns"
	],
	"threat_actors": [],
	"ts_created_at": 1775434590,
	"ts_updated_at": 1775791252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fa124e2ac9f804570c40683059eb2e40eada52e2.pdf",
		"text": "https://archive.orkl.eu/fa124e2ac9f804570c40683059eb2e40eada52e2.txt",
		"img": "https://archive.orkl.eu/fa124e2ac9f804570c40683059eb2e40eada52e2.jpg"
	}
}