Article
Egregor: The Ghost of Soviet Bears Past Haunts On
Arete Analysis
Combating Ransomware
Threat Actors

Summary
Egregor ransomware, a sophisticated RaaS platform, uses data exfiltration and brazen negotiation tactics to target major sectors like manufacturing and retail and caters to experienced affiliates.
Ransomware variants come. Ransomware variants go. And while Egregor may have only recently surfaced, it is by no means a fly-by-night operation. In fact, one could argue that the foundation upon which Egregor operates has been around since Stalin and Beria’s secret police, and it is been lurking, watching, waiting for the right time to strike.
As a mature and exclusive Ransomware-as-a-Service (RaaS) platform, Egregor poses a serious threat to both public and private organizations. Not only is it supported by seasoned cybercriminal software developers, but it also caters to experienced affiliates who effectively target and compromise organizations, executing enterprise-wide deployment to maximize the monetization of their efforts.
In particular, Egregor plagues the manufacturing and retail sectors, with recent targets including well-known brands like Kmart, TransLink, Embraer, Randstad, Barnes & Noble, and Ubisoft. While the ransomware impacted more than 100 organizations across France, Italy, Germany, the U.K., Asia-Pacific, the Middle East, and Latin America in the final quarter of 2020, U.S. organizations remained top targets, accounting for roughly 50 percent of attacks in that timeframe.
Given the observed consistency of broad, opportunistic targeting, an attack is more a matter of when for organizations that remain unprepared.
Statistical data on Egregor ransomware from Arete metrics
The information listed below is based on Egregor cases investigated by Arete IR since October 2020. Our IR and Data Analytics practices work together to track key data points for every ransomware engagement. Our IR practice tracks data points on the ransomware variant and collects statistics based on handled engagements:
Sectors of clients affected by this threat:
Healthcare | Finance | Professional Services | Manufacturing | Public Service
Malware precursor: Qbot and IcedID
Average ransom demand: $3,407,119
Highest ransom paid: $1,000,000
Lowest ransom paid: $100,000
Average business downtime: 12 days
Data exfiltration has been observed in 99 percent of the cases. In one outlier case, where there was no data exfiltration, Arete assisted the client with data restoration.
From whence the brazen Egregor came
Egregor is a label inspired by the occult, signifying the collective “energy” or “force” of a group of individuals — perhaps befitting an affiliate-serving RaaS platform. It was first publicly identified as early as September 2020, closely following the alleged cessation of Maze ransomware operations the month prior. Both ransomware platforms evolved from the Sehkmet ransomware family, and code analysis of each has provided high-confidence indications that Egregor ransomware is most likely a successor to Maze, whose developers and operators have not ceased operations but merely “re-branded.”
Egregor developers and operator affiliates are likely Russian and/or Eastern European cybercriminals. Security researchers have noted observations of deployment script comments in Russian, and Egregor performs language checks in similar sequence and fashion to its predecessor Maze; it will not execute on systems with a regional designator for Russia or Commonwealth of Independent States (CIS) signatories.
The affiliates operating Egregor are also infamous for their brazen intimidation — for example, allegedly printing ransom demands from victim network printers — and hardline negotiating, executing on the ultimatum that they will leak victim data within 72 hours if they do not receive a response following the encryption of victims’ systems. In many cases, they will leak the entirety of the data they exfiltrate.
Egregor high-level technical overview
While tactics, techniques, and procedures (TTPs) may vary amongst operators, it’s important to note that Egregor caters to semi-exclusive affiliates, likely of Russian or Eastern European origin.
The broader research community has observed consistent commonalities between Egregor and ProLock intrusion cycles. Given their similarities in TTPs, supported by multiple open-source confirmations of our own observations, we assess with high confidence that Qakbot operators have likely transitioned from ProLock to Egregor.
Egregor operators are known to exploit vulnerable and internet-accessible RDP gateways and phish victims with targeted, convincing lures. They also commonly deploy Egregor through Qakbot (Qbot), Ursnif (Gozi/ISFB), IcedID (Bakbot) infostealer/loader hybrid Trojan malware. Cobalt Strike has also been used to deliver Egregor in select instances.
The Egregor payload was likely designed to be portable, serving various affiliate tools, and is commonly encountered as a PE in dynamic linked library (DLL) form. Open-source Intelligence (OSINT) indicates that the DLL contains code and data, natively supporting multiple bot loader functions. The payload will not be decrypted and loaded without the proper key phrase provided to the DLL in the command line.
Egregor operators perform several evasive maneuvers during to the intrusion cycle, including disabling antivirus and endpoint protection (e.g., Windows Defender) via automated scripts (e.g., PowerShell+WMI) executed under elevated privileges.
OSINT reporting reveals that operators have uploaded batch files to victim system that, when executed, will take advantage of the BITSAdmin (bitsadmin.exe) utility to download the ransomware from a remote server and automatically execute it in the system.
The malware supports the following command-line arguments:
–fast: targets files within a size-limit range for encryption
–full: full encryption of the host (including mapped/mounted network drives)
–multiproc: multi-threading for speed
–nomimikatz: switch off Mimikatz module; Mimikatz is an open-source OST credential-harvesting tool
–nonet: do not encrypt network drives
–path: encrypt only specified folder(s)
–target: encrypt file(s) that have a specific extension
–append: select file extension to append to encrypted files
–norename: do not rename encrypted files
–greetings: prepend a name to the ransom note, likely used for directly addressing victims
–samba: establish file-, printer-, and serial port-sharing between compromised nodes
–killrdp: terminate RDP session
During breach response investigations, Arete has observed the following artifacts associated with the ransomware execution:
exe C:%USERNAME%Downloadsclang.dll,DllRegisterServer -pigbutt5 –multiproc
exe \Domain_ControllerIntelmsvc.dll,DllRegisterServer -passegr17 –multiproc
exe C:Windowsmsvc.dll,DllRegisterServer -passegr13 –full
exe C:Windowsdog.dll,DllRegisterServer -pclassified13 –full
exe \Domain_Controllerintelfasm.dll,DllRegisterServer -pbiden17 –multiproc
C:Windowssystem32cmd.exe /c eb2.bat -passegr13
C:Windowssystem32cmd.exe /c eb.bat -pclassified13
The last two artifacts show the threat actor using a batch file to pass the key phrase and properly execute the ransomware with the “–full” option.
The following tools have also been found to be associated with the threat actor activity:
Advanced Port Scanner: A network scanner that enumerates networked hosts and open ports.
ADFind: A tool that is used to enumerate Active Directory.
Lazange: A password recovery tool to harvest credentials.
PsExec: A lightweight tool that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software.
Security recommendations
Implement a sophisticated endpoint detection and response (EDR) solution that will rely on behavior analysis, instead of just malware signatures, and have tamper-proof capabilities.
Implement multi-factor authentication (MFA).
Implement an email security solution to detect and protect against known and unknown threats.
Lock down and tighten privileges around Microsoft PowerShell in your environment. Apply and enforce PowerShell Constrained Language Mode (CLM) throughout your environments. Consider Just Enough Administration (JEA) policies to allow select PowerShell host administrative capabilities while disabling others.
Hunt for unusual RDP connections.
Prevent users from executing any program or any of the 31 currently known Windows executable filetypes (e.g., .exe, .dll, .hta, .bat, .scr) from the AppDataLocalTemp path of Office365, Microsoft Word, Excel, and Outlook. Alternatively, also inspect C: C:Users[current user]AppDataRoamingMicrosoft as it’s another popular method that achieves the same results.
Develop and implement a user security education program to assist with identifying threats like those in phishing emails.
Implement an off-site backup solution and test it regularly.
Summary of indicators from OSINT and Arete investigations
Egregor filenames
clang.dll | fasm.dll | sed.dll | q.dll |
dog.dll | msvc.dll | b.dll |
Key phrases to decrypt and execute the ransomware
-passgregor10 | -passgregor1313 | -pass2police | -peguard6 | -pclassified13 |
-passengr13 | -passgregor9999 | -pbiden17 | -passengr17 | -websitecounterficker |
Note: ‘dubisteinmutterficker’ is a German profanity: You’re a motherf*****
Bitcoin [BTC] wallet addresses
1MPdDiRhWFawgN2GVi1Jamm8DdC4qypoGL | 112yZpAs3Va6az6JTKZ7iQZEAWdvD5DYoj |
1Mk96FcixjayGZgdPgo4GrnPPSn7rL1jpE | 1D2ZiHwE4pQb8X6NncXdfHwncHa3yrDdYr |
13ELQVGgkM79nW34ncBe7Jz7xhXsXmrRuM | 1PDSGRqkBF7yEjHTNDaxNm6UQT63rrzTGk |
1LdrbQEaersWLi6A83JrCzERyXEZWD4hBP | 1GJ4dp5wwK2E9P74eF7FVujjTHERDTFJX |
1GZV41rSAHAj63pNjLCBwo7rfioxU8JPE9 |
URLs hosting Egregor
hxxp://185.238.0[.]241:81/78.bin | hxxp://49.12.104[.]241:81/sm.dll |
hxxp://49.12.104[.]241/sm.dll | hxxp://49.12.104[.]241:81/78.bin |
Egregor SHA256 hashes
5cb7a352535b447609849e20aec18c84d8b58e377d9c6365eafb45cdb7ef949b 14e547bebaa738b8605ba4182c4379317d121e268f846c0ed3da171375e65fe4 4139c96d16875d1c3d12c27086775437b26d3c0ebdcdc258fb012d23b9ef8345 38b155b6546db882189cc79bcac0b0284d3f858e0feb1e5dbc24b22f78cdfb68 f1ba626b8181bd1cd84f47f70838d9fa4d8117fac3bd07cbd73cb6f73b1297f8 b9b71eb04d255b21e3272eef5f4c15d1c208183748dfad3569efd455d87879c6 6dbe1d2de299359036520f15490834a6ac40b665cf5cd249379d65242af00b44 3b13b6f1d7cd14dc4a097a12e2e505c0a4cff495262261e2bfc991df238b9b04 28f3f5a3ea270d9b896fe38b9df79a6ca430f5edab0423b3d834cf8d586f13e6 7222c8acc69a7598989c335d528b366f801a41b434cbf928c6aef01f8e54f57a a9d483c0f021b72a94324562068d8164f8cce0aa8f779faea304669390775436 14da004cc96b910fb75abb86df09e318d92f4fb8dda39c8bd6a8e0601b6605d8 004a2dc3ec7b98fa7fe6ae9c23a8b051ec30bcfcd2bc387c440c07ff5180fe9a 311baa4d4229a8d6802d82a8d9935592bf9a7b6aaf0949f0fa0b094592f5e8a7 ee06c557f1acd5c4948b1df0413e49f3885f8ac96185a9d986b91a1231444541 2d563dd113a02fdf452544ae2fd7c94162be6db8fb7a287a3474a6ab998159fd 2d01c32d51e4bbb986255e402da4624a61b8ae960532fbb7bb0d3b0080cb9946 9017c070ad6ac9ac52e361286b3ff24a315f721f488b53b7aaf6ac35de477f44 af538ab1b8bdfbf5b7f1548d72c0d042eb14d0011d796cab266f0671720abb4d aee131ba1bfc4b6fa1961a7336e43d667086ebd2c7ff81029e14b2bf47d9f3a7 e6b9d0d356223ed81e635c5702dd47bca1aaeae3471827db03470713e453d5b4 3fc382ae51ceca3ad6ef5880cdd2d89ef508f368911d3cd41c71a54453004c55 319ec80eae65c1d39df27c80b52fe7fe1fadc6e9ceabf72f57d1b29e0467ac02 932778732711cd18d5c4aabc507a65180bf1d4bd2b7d2d4e5506be4b8193596e 3e5a6834cf6192a987ca9b0b4c8cb9202660e399ebe387af8c7407b12ae2da63 3fd510a3b2e0b0802d57cd5b1cac1e61797d50a08b87d9b5243becd9e2f7073f 765327e1dc0888c69c92203d90037c5154db9787f54d3fc8f1097830be8c76ab b027467332243c8186e59f68ff7c43c9e212d9e5074fedf003febcfedad4381a 4c9e3ffda0e663217638e6192a093bbc23cd9ebfbdf6d2fc683f331beaee0321 42ac07c5175d88d6528cfe3dceacd01834323f10c4af98b1a190d5af7a7bb1cb e53ab9a892321f651b73c8468db43b1d82c8c9d7fb8d0131199f501c6a0bafa7 1399e4b4ec1c7f3e38048d526f85472c466421dcd00ecd4515605af191ac61ee 6675c204844476dd8ce59ead0eac082754ded599036551526a8e2c509a1407e4 605c2047be7c4a17823ad1fa5c1f94fd105721fce3621dc9148cd3baf352938e 7fe8d3e63bad6a1628376643a4fe43b9858af5426da808576900b7753bce7614 34c84f171cd6c627d116f9c571b35e11541d68abfce36c852d2d787149f44672 7caed5f406445c788543f55af6d98a8bc4f0c104e6a51e2564dd37b6a485cc18 6a441734b34cdee31a01164140b0c88966fbb4358dcb63a14ae6824f09e9476f 81afd15e8c4d3ae0e34ede646551fe2ed6872d2142f642835cbbbf7dc524131b df5d9251afabd579f85de2f4d0c90150693fa73631317a39d08749d366bf37fd 9c900078cc6061fb7ba038ee5c065a45112665f214361d433fc3906bf288e0eb 967422de1acc14deb7e7ce803d86aff44e2652bfcd550e3a34c2e37abc883dee a7940b9e8ad2a54368999366fe2c50f429008dfb0817000693077e1d1f107d6e c1c4e677b36a2ee6ae858546e727e73cc38c95c9024c724f939178b3c03de906 a5989c480ec6506247325652a1f3cb415934675de3877270ae0f65edd9b14d13 a376fd507afe8a1b5d377d18436e5701702109ac9d3e7026d19b65a7d313b332
Back to Blog Posts
Article
Ransomware Trends & Data Insights: June 2026
Although Akira was once again the most active ransomware threat in June, activity remained relatively distributed among multiple threat groups, with 17 unique threat groups observed throughout the month. Along with Akira, Qilin and INC Ransom remained active and were among the top five most active threat groups observed in June. Several new threat actors also emerged during the month, including KryBit, Settra, and Icarus (although, like its namesake, Icarus’s longevity may be short-lived, as detailed below).

Figure 1. Activity from the top 5 threat groups in June 2026
Throughout the month, analysts at Arete identified several trends behind the threat actors perpetrating cybercrime activities:
In June, a threat actor calling themselves Icarus compromised and exfiltrated data from customers of the market intelligence platform Klue. Klue later confirmed the security incident, which involved attackers stealing OAuth tokens used to connect to customers' Salesforce environments, and reported that the threat actor was deleting the data stolen from affected Klue customers. In an odd twist, reports emerged of a second threat actor claiming to have compromised Icarus's infrastructure and attempting to re-extort Klue's customers. Regardless, the Klue breach highlights the growing threat of software-as-a-service (SaaS) supply chain compromises, particularly those exploiting OAuth tokens and trusted integrations to bypass traditional security controls.
In mid-June, security researchers identified a large-scale credential-harvesting and valid account abuse campaign dubbed “FortiBleed” that systematically targets internet-facing Fortinet FortiGate firewalls and SSL-VPN gateways, relying heavily on automated password spraying and configuration exfiltration rather than vulnerability exploitation. The scale of exposure and attack activity has been significant and globally distributed, with attackers collecting the login credentials of over 86,000 FortiGate devices across 194 countries. There is no singular ‘fix’ to mitigate the database exposure, and it is important that organizations work with their security teams, incident response providers, and other stakeholders to review environments holistically and monitor for signs of potentially unauthorized activity.
Multiple threat groups continue to leverage vulnerable drivers to bypass endpoint detection and response (EDR) solutions in a technique known as Bring Your Own Vulnerable Driver (BYOVD). Arete has observed Akira and DragonForce using the technique in multiple engagements, and The Gentlemen ransomware-as-a-service (RaaS) has also been observed using what researchers are calling "GentleKiller", a framework consisting of multiple variants that leverage vulnerable drivers and EDR-disabling utilities to target a wide range of endpoint security products.
Sources
Arete Internal
Article
Europol Disrupts AudiA6 Crypto Laundering Service
European authorities have dismantled AudiA6, a major cryptocurrency laundering service linked to ransomware groups and broader cybercriminal networks. Between 2022 and 2025, the platform is believed to have processed over €336 million in illicit funds, enabling threat actors to obscure financial trails and monetize cybercrime proceeds. Its operators are also suspected of running Dark2Web, a dark web forum that facilitated collaboration, services, and connections among cybercriminals globally. This development underscores the expanding role of sophisticated, large-scale cryptocurrency laundering services in sustaining the cybercrime economy, enabling threat actors to obscure illicit funds and evade regulatory controls.
What’s Notable and Unique
Following law enforcement disruption of Cryptex and Garantex, AudiA6 emerged as another platform involved in financial activities linked to ransomware groups. Investigators believe that AudiA6 became a central hub for cybercriminals seeking to launder stolen digital assets while obscuring the transaction trail from authorities.
On June 10, 2026, a coordinated operation resulted in two arrests in Georgia, the dismantling of key infrastructure (30+ servers, 25 domains), the freezing or seizure of over €778,000 in crypto, and the takedown of the AudiA6 and Dark2Web platforms.
Analyst Comments
Ransomware groups and cybercriminal networks are increasingly leveraging sophisticated techniques, including chain-hopping, decentralized exchanges, and mixer-as-a-service platforms, to rapidly move illicit cryptocurrency across multiple blockchains, effectively obscuring transaction trails. Concurrently, the widespread use of fraudulent exchange accounts, mule wallets, and privacy-enhancing tools has elevated cryptocurrency laundering to a core enabler of the cybercrime ecosystem, allowing actors to bypass anti-money-laundering controls at scale. This investigation identified over 6,000 KYC records linked to money-mule accounts, many of which were tied to Russian-speaking intermediaries specifically recruited to facilitate the movement of illicit proceeds. These threat actors systematically used both commercial and domain-controlled email services to establish mule accounts across multiple cryptocurrency platforms. Collectively, these findings underscore the growing scale, coordination, and professionalization of cryptocurrency-enabled crime, highlighting the critical need for sustained, intelligence-led, and internationally coordinated efforts to disrupt these evolving financial ecosystems.
Sources
Ransomware gangs cut off from EUR 336 million ‘AudiA6’ crypto laundering pipeline
Article
Threat Actors Leverage AI for EDR Evasion
A threat actor has developed and deployed a ransomware attack toolkit enhanced with AI-assisted development workflows, enabling automated Active Directory (AD) discovery and improved EDR evasion capabilities. The toolkit leverages agent-based AI systems, such as Claude’s Opus and Cursor agents, for iterative malware development, testing, and refinement.
What’s Notable and Unique
Researchers have highlighted that this toolkit can not only generate ransomware code but also bypass sophisticated security defenses and identify AD networks for malware distribution.
The framework incorporates multiple capabilities, including automated AD discovery and reconnaissance mechanisms, iterative EDR testing environments to refine evasion techniques, and a command-and-control (C2) infrastructure that leverages Telegram APIs and Cloudflare redirectors for stealth.
Additionally, some agents were tasked with checking security research and technical posts for various bypass techniques. The agents recognized what was required for reproduction, extracted the techniques, mapped them to the MITRE ATT&CK knowledge base of adversary behaviors, set up a test lab, carried out the methodology, and reported the results.
After a few repetitions, the modules seemed to avoid nearly all EDR solutions, despite the agent’s initial suggestion of a high failure rate. Although researchers found no evidence that AI was embedded in deployed malware or was operating independently in victim environments, the technology was still used to accelerate the iterative process of developing, testing, and refining payloads against security products, shortening the period between the publication of offensive security research and its practical implementation by threat actors.
Analyst Comments
AI-driven tools like this could accelerate the pace and sophistication of ransomware attacks, enabling even relatively inexperienced actors to launch high-impact campaigns. This development underscores the urgent need for security solutions to adapt to AI-assisted threats. Organizations must respond by strengthening detection engineering, improving visibility across environments, and maintaining robust security fundamentals.
Sources
AI-built ransomware toolkit automates EDR evasion, AD discovery
Pointing a Cursor at evading detection
Article
Arete's 2026 Q1 Crimeware Report
Harness Arete’s unique data and expertise on extortion and ransomware to inform your response to the evolving threat landscape.



