Makop ransomware: GuLoader and privilege escalation in attacks against Indian businesses

Dec. 21, 2025, 6:52 p.m.

Description

Makop, a ransomware strain derived from Phobos, is targeting Indian businesses through exposed RDP systems. The attackers employ a diverse toolkit including network scanners, privilege escalation exploits, and AV killers. They have integrated GuLoader, a downloader trojan, to deliver secondary payloads and bypass security measures. The attack chain typically involves RDP exploitation, followed by network scanning, lateral movement, and privilege escalation before encryption. The majority of attacks (55%) target organizations in India. Makop operators use off-the-shelf tools and multiple local privilege escalation vulnerabilities to maximize their impact. The inclusion of a tailored Quick Heal AV uninstaller indicates adaptation to specific regional targets.

External References

https://www.acronis.com/en/tru/posts/makop-ransomware-guloader-and-privilege-escalation-in-attacks-against-indian-businesses
https://otx.alienvault.com/pulse/693857c7124842e89ec8bfed
Tags
ransomware
guloader
privilege escalation
CVE-2020-0787
lazagne
credential dumping
network scanning
rdp exploitation
CVE-2025-7771
2025-12-09
CVE-2016-0099
CVE-2017-0213
CVE-2018-8639
CVE-2019-1388
CVE-2020-0796
CVE-2020-1066
CVE-2021-41379
CVE-2022-24521
makop

Date

  • Created: Dec. 9, 2025, 5:09 p.m.
  • Published: Dec. 9, 2025, 5:09 p.m.
  • Modified: Dec. 21, 2025, 6:52 p.m.

Indicators

  • 6e95adda5f24fdf805ad10ae70069484def3d47419db5503f2c44b130eedf591
  • 5ff803269d6491dd3f0267f6f07b8869e3f08d62cf2110b552bba2cc3d75d26a
  • 37d2a1626dc205d60f0bec8746ab256569267e4ef2f8f84dff4d9d792aa3af30
  • 92c65b58c4925534c2ce78e54b0e11ecaf45ed8cf0344ebff46cdfc4f2fe0d84
  • 61c0810a23580cf492a6ba4f7654566108331e7a4134c968c2d6a05261b2d8a1
  • b5c2474397fb38a4dd9edab78b6e5178832074ba5bab9bac3f0cad7bc0660cf2
  • ffa28db79daca3b93a283ce2a6ff24791956a768cb5fc791c075b638416b51f4
  • 3cc5ee93a9ba1fc57389705283b760c8bd61f35e9398bbfa3210e2becf6d4b05
  • 5b9407df404506219bd672a33440783c5c214eefa7feb9923c6f9fded8183610
  • 01f34180bb635022681723eef73c19adf330d7a32a2e6639c27b1ee5777312be
  • 0745633619afd654735ea99f32721e3865d8132917f30e292e3f9273977dc021
  • 3da3b704547f6f4a1497107e78856d434a408306b92ba7c6e270c7c9790aa576
  • 37ff328175acd45ef27d3d339c3127a7612ad713fccd9c9aae01656dfbf13056
  • 76f88afe7a18e3583bfcc4aed3b3a0ca8a9c18c62ee5f4d746f8da735c47a5e3
  • aac0c5ad612fb9a0ac3b4bbfd71b8931fc762f8e11fdf3ffb33ef22076f9c4bc
  • 5cdabf41672241798bcca94a7fdb25974ba5ab2289ebadc982149b3014677ae3
  • c8e8cca4ee3c4f4ce4f2076ed93cca058fa1ff88d5ffe49d8d293b27ad25ef68
  • bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4
  • 6cf6dd6119abcb2751c2692fb93a623b5b4bd290cb3dc217fa9fe09dd721fcdd
  • 8ccb30606e3229ff88b3b67a5f4b2b087cab290ce7eedfcb24d1d3954b01d5f9
  • 5994db4362ded8bf15f81f134e14b9ed581cd2e073709b5fae6b2363bae455e9
  • 3fa65f17518d10af9ed316fbd0395bf39b3b75a63a5374ff071cbba4b642e4a3
  • feb09cc39b1520d228e9e9274500b8c229016d6fc8018a2bf19aa9d3601492c5
  • 3902165d0645afdb4b7d95f5cc55d65ecee17d3b77a31d51170e0beae3fd296a
  • 0d468fa92767ca1abe881155224d94879b575860e403636d3dbb550e9b9a6a7a
  • 8315327f22eff069457c02ddda1ea32a31964e1b8ab688709bcb96c6ccbb6212
  • dd748db20e3909596ab18ce3f0b1264e2cfe9f67dfb4bce7d4f9c085ec1fce0a
  • 10c0dd2878bd0ab9732cd593febf61d94bb2b798bf0aa1c8fa45ddf8c7092cbc
  • 8f7569e82bd339f3e24431884687b095f678971f20053787d93359672bb9f687
  • c7d994eb2042633172bd8866c9f163be531444ce3126d5f340edd25cbdb473d4
  • 8c57b97b04d7eabbae651c3400a5e6b897aea1ae8964507389340c44b99c523a
  • 5caacdc577c27110f639d4d7c0241607c1bc53ee6f5dbd337793d05cc57e703f
  • 0e3c6b3366640989979ae059b768586ff1d8ba4c4b96b49b40609cdaa871363c
  • 7470ae5b55ca282695d2f7c4896344622c94292a915aa63e55000beeb2c1350e
  • 5b7b280b53ff3cf95ead4fd4a435cd28294c5fce6a924ec52e500a109deb868b
  • a1a6005cc3eb66063ae33f769fc2d335487b2ed7f92c161e49ad013ffed11ec8
  • a8bf7da7e2f62296985e1aadbac8373f5ac813ac158047f5b5579a3f900fd85b
  • 1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326
  • de903a297afc249bb7d68fef6c885a4c945d740a487fe3e9144a8499a7094131
  • 41a328c3bb66e94d73e861699a5ebc4a5c0c7fcee2129e5ecd98c7bde1f95e8e
  • 1845fe8545b6708e64250b8807f26d095f1875cc1f6159b24c2d0589feb74f0c
  • c8afb68260b9036d8e65811927c379112274a2526cc161c7f1502457a501a0d3
  • f181b8ae88f6c657c3ec3d1d5e8420fbf340c543b3d9292947ae035e3591b664
  • 6752d24da3565761c94ab10d3010e1be702221783f9b509209f97a8e32003767
  • c7e471218b00cdec4f7845a80f1c5b069ee97bf270f878ea45b2dd53aad14798
  • 51fd557a7325dd58cfcabebbbc33ef452d93f812c189360d4f2bf87c6df0a59c
  • 17fb52476016677db5a93505c4a1c356984bc1f6a4456870f920ac90a7846180
  • fb1dd40577af7ac4d8c32506e78e39841ff6d05ee643c18270ef26eac798df3f
  • f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446
  • a903f4d8f126a830b8f12e05c035b86e4dfd65cb1fd64d0d0b503035b49d0cb7
  • 10ea5ac09ec72101c6f8656f3f08f6f9495f8b43849f27928efd6485cee04913
  • 0a4a0f0df5eea57f16a76bff6489dd95a7089afba8e9e5c8bcadc46870af33fb
  • e97bdf7fafb1cb2a2bf0a4e14f51e18a34f3ff2f6f7b99731e93070d50801bef
  • eaa9dc1c9dc8620549fee54d81399488292349d2c8767b58b7d0396564fb43e7
  • ca08299002fa6181d249115907ee29356e698d72ff06afdca05431c1ed38db35
  • b044c6dbd55747c3592ac527215c3dbf71f92aa4bd8eee5e29ddad571b9335b4
  • 43c3b5dbc18ebbc55c127d197255446d5f3e074fdac37f3e901b718acbe7c833
  • 16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0
  • bd1f381e5a3db22e88776b7873d4d2835e9a1ec620571d2b1da0c58f81c84a56
  • 4c6cf8dda0c55fafab37569d2e11621c42e17f37a290b13087215190f7518d73
  • a332f863da1709b27b62f3a3f2a06dca48c7dabe6b8db76ec7bb81ce3786e527
  • 20c730c7033b5bdc0a6510825e90449ba8f87942d2d7f61fa1ba5f100e98c141
Download all indicators here!

Attack Patterns

  • GuLoader - S0561
  • LaZagne
  • Makop
  • Mimikatz
  • Makop

Additional Informations

  • Manufacturing
  • Technologies
  • Brazil
  • India
  • British Indian Ocean Territory
  • Germany

Linked vulnerabilities

CVE-2016-0099

None
Published:

CVE-2017-0213

None
Published:

CVE-2018-8639

None
Published:

CVE-2019-1388

None
Published:

CVE-2020-0787

None
Published:

CVE-2020-0796

None
Published:

CVE-2020-1066

None
Published:

CVE-2021-41379

None
Published:

CVE-2022-24521

None
Published:

CVE-2025-7771

8.7
    Kaspersky
  • Throttlestop
Published: August 6, 2025