Tag: chacha20

11 Attack Reports | 0 Vulnerabilities

Attack reports

VECT: Ransomware by design, Wiper by accident

Check Point Research discovered critical flaws in VECT 2.0 ransomware affecting Windows, Linux, and ESXi platforms. A fundamental encryption implementation error causes files larger than 128 KB to be permanently destroyed rather than encrypted. The malware uses ChaCha20-IETF cipher but only saves o…
lateral movement
wiper
chacha20
esxi
raas
multi-platform
teampcp
2026-04-28
encryption flaw
vect
Published: April 28, 2026
Downloadable IOCs: 7

Technical Analysis of Matanbuchus 3.0

Matanbuchus, a C++ malicious downloader offered as Malware-as-a-Service since 2020, has evolved to version 3.0. It comprises a downloader and main module, utilizing obfuscation techniques like junk code, encrypted strings, and API hashing. The malware implements anti-analysis features, including an…
backdoor
ransomware
rhadamanthys
matanbuchus
downloader
chacha20
netsupport rat
2025-12-03
Published: December 3, 2025
Downloadable IOCs: 5

A Deep Dive Into Warlock Ransomware Deployed Via ToolShell SharePoint Chained Vulnerabilities

Warlock ransomware, exploiting SharePoint vulnerabilities CVE-2025-53770 and CVE-2025-53771, represents an advanced threat combining sophisticated encryption methods with targeted defense evasion techniques. The malware employs a multi-stage attack, terminating security services, removing recovery …
ransomware
encryption
chacha20
defense evasion
sharepoint
vulnerabilities
CVE-2025-53770
CVE-2025-53771
warlock
curve25519
2025-10-30
volume shadow copies
Published: October 30, 2025
Downloadable IOCs: 1

Dire Wolf Ransomware: Threat Combining Data Encryption and Leak Extortion

The DireWolf ransomware group emerged in May 2025, targeting various industries globally. They employ a double extortion technique, encrypting data and threatening leaks. The ransomware uses Curve25519 key exchange and ChaCha20 encryption, generating unique keys for each file. It implements anti-re…
ransomware
encryption
chacha20
double extortion
self-deletion
dire wolf
2025-09-03
curve25519
anti-recovery
data leakage
Published: September 3, 2025
Downloadable IOCs: 2

Gunra Ransomware Group Unveils Efficient Linux Variant

Gunra ransomware, first observed in April 2025, has expanded its capabilities with a new Linux variant. This cross-platform move broadens the group's attack surface and demonstrates their intent to grow beyond their initial scope. The Linux variant features advanced capabilities, including parallel…
linux
ransomware
chacha20
2025-07-30
Published: July 30, 2025
Downloadable IOCs: 6

Gunra Ransomware Emerges with New DLS

A new ransomware group called Gunra has emerged with a Dedicated Leak Site (DLS) in April 2025. Gunra's code shows similarities to the infamous Conti ransomware, suggesting it may be leveraging Conti's leaked source code. The group employs aggressive tactics, including a time-based pressure techniq…
ransomware
encryption
conti
chacha20
dls
2025-07-24
volume shadow copy
gunra
Published: July 24, 2025
Downloadable IOCs: 3

Sarcoma Ransomware Unveiled: Anatomy of a Double Extortion Gang

Sarcoma Ransomware, first detected in October 2024, has rapidly become a major cybersecurity threat, targeting high-value companies across industries. It uses advanced tactics like zero-day exploits and RMM tools for network discovery and credential theft. The group has impacted organizations in va…
linux
windows
encryption
chacha20
2025-05-20
hypervisor
sarcoma ransomware
rsa
network propagation
Published: May 20, 2025
Downloadable IOCs: 2

Botnets Never Die: An Analysis of the Large Scale Botnet AIRASHI

The AIRASHI botnet, an evolved version of AISURU, has been observed conducting large-scale DDoS attacks and exploiting vulnerabilities in various devices. It utilizes a 0DAY vulnerability in cnPilot routers for propagation and employs sophisticated encryption techniques for communication. The botne…
vulnerability
rc4
encryption
ddos
botnet
proxy
chacha20
hellokitty
2025-01-16
hmac-sha256
airashi
CVE-2022-3573
cnpilot
aisuru
Published: January 16, 2025
Linked vulnerabilities : CVE-2021-36260, CVE-2022-3573
Downloadable IOCs: 9

New Ymir ransomware discovered used together with RustyStealer | Securelist

A new ransomware called Ymir was discovered during an incident response case. It uses memory operations to evade detection and employs the ChaCha20 cipher for encryption. The attackers gained initial access via PowerShell commands and installed tools like Process Hacker before deploying Ymir. The r…
ransomware
powershell
encryption
incident response
chacha20
systembc
2024-11-11
rustystealer
ymir
Published: November 11, 2024
Downloadable IOCs: 12

New Ymir ransomware discovered used together with RustyStealer

A new ransomware called Ymir was discovered during an incident response case. It uses memory operations to evade detection and employs the ChaCha20 cipher for encryption. The attackers gained initial access via PowerShell commands and installed tools like Process Hacker before deploying Ymir. The r…
ransomware
powershell
encryption
incident response
chacha20
systembc
2024-11-11
rustystealer
ymir
Published: November 11, 2024
Downloadable IOCs: 0

Decrypted: DoNex Ransomware and its Predecessors

Researchers have uncovered a cryptographic flaw in the DoNex ransomware and its previous iterations, allowing for the creation of a decryptor tool. Initially discovered in March 2024, this cryptographic weakness was made public at Recon 2024. The ransomware, which has undergone several rebrands sin…
ransomware
lockbit
darkrace
donex
encryption
2024-07-10
chacha20
rebranding
muse
cryptography
Published: July 10, 2024
Downloadable IOCs: 8
Click here to see more Attack Reports