{
	"id": "997b3a7b-dcb2-463e-8655-8aff01d1614e",
	"created_at": "2026-04-06T00:12:07.445699Z",
	"updated_at": "2026-04-10T03:21:09.407674Z",
	"deleted_at": null,
	"sha1_hash": "fa9ba839b2156146be08b6f06e5c895c2680dd32",
	"title": "Distribution of LockBit Ransomware and Vidar Infostealer Disguised as Resumes - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3071120,
	"plain_text": "Distribution of LockBit Ransomware and Vidar Infostealer\r\nDisguised as Resumes - ASEC\r\nBy ATCP\r\nPublished: 2023-11-02 · Archived: 2026-04-05 14:58:22 UTC\r\nThe distribution method involving the impersonation of resumes is one of the main methods used by the LockBit\r\nransomware. Information related to this has been shared through the ASEC Blog in February of this year. [1] In\r\ncontrast to the past where only the LockBit ransomware was distributed, it has been confirmed that an Infostealer\r\nis also being included in recent distributions. [2] (This link is only available in Korean.)\r\nhttps://asec.ahnlab.com/en/58750/\r\nPage 1 of 7\n\n‘Resume16.egg’ holds the LockBit ransomware disguised as a PDF file (left) and the Vidar Infostealer disguised\r\nas a PPT file (right).\r\nhttps://asec.ahnlab.com/en/58750/\r\nPage 2 of 7\n\nThe executed ransomware is LockBit 3.0, which encrypts files on the user’s PC environment, excluding PE files.\r\nhttps://asec.ahnlab.com/en/58750/\r\nPage 3 of 7\n\nThe Vidar Infostealer, which is distributed alongside the LockBit ransomware, connects to a Telegram website\r\nbefore engaging in C2 communication. The website is the Telegram channel called “twowheelfun”. It uses a\r\ncertain string mentioned on the page as the C2 server address. This method can often be observed from the Vidar\r\nInfostealer, and it allows bypassing network detection by periodically changing C2 servers.\r\nhttps://asec.ahnlab.com/en/58750/\r\nPage 4 of 7\n\nFollowing this, it connects to the actual C2 server to download the necessary DLL files for performing malicious\r\nactivities and tranfers the exfiltrated information to the C2 server.\r\nhttps://asec.ahnlab.com/en/58750/\r\nPage 5 of 7\n\nMalware disguised as resumes target corporations and are distributed along with not only the LockBit ransomware\r\nbut an Infostealer as well. 
Therefore, companies must update their anti-malware software to the latest versions,\r\nand users must take extra caution. AhnLab’s anti-malware software, V3, detects and blocks the malware using the\r\nfollowing aliases:\r\n[File Detection]\r\nTrojan/Win.Generic.R613812\r\n[Behavior Detection]\r\nRansom/MDP.Event.M4353\r\nWin-Trojan/MalPeP.mexp\r\nMD5\r\n0d4967353b6e48ab671aed24899827aa\r\n92350da914ba55c3137c9a8a585f7750\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//128[.]140[.]96[.]230/\r\nSource: https://asec.ahnlab.com/en/58750/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/58750/"
	],
	"report_names": [
		"58750"
	],
	"threat_actors": [],
	"ts_created_at": 1775434327,
	"ts_updated_at": 1775791269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fa9ba839b2156146be08b6f06e5c895c2680dd32.pdf",
		"text": "https://archive.orkl.eu/fa9ba839b2156146be08b6f06e5c895c2680dd32.txt",
		"img": "https://archive.orkl.eu/fa9ba839b2156146be08b6f06e5c895c2680dd32.jpg"
	}
}