“New MedusaLocker Variant Linked to Ongoing Threat Actor Since 2022”

Cisco Talos attributes a MedusaLocker variant called BabyLockerKZ to a financially motivated actor that has been active since 2022 and that leverages public tools and custom wrappers for credential theft and lateral movement. The actor repeatedly stores tools in user folders, uses a PDB string “paid_memes” that links multiple tools to a single developer, and leaves IOCs including file hashes, PDB paths, registry keys, the mutex HOHOL1488, and the encryption key PUTINHUILO1337. #BabyLockerKZ #MedusaLocker

Keypoints

  • Actor active since late 2022 delivering a MedusaLocker variant named BabyLockerKZ.
  • Attacks use public tools (Mimikatz, Advanced Port Scanner, ProcessHacker) plus custom wrappers (Checker, PTH, MIMIK) to automate credential theft and lateral access.
  • Tools and artifacts are commonly stored in user folders (e.g., Music, Pictures, Documents) and in temporary/local appdata paths on compromised hosts.
  • Checker bundles RDP, PSEXEC, Mimikatz and Invoke-TheHash scripts, providing a GUI and credential database for automated lateral movement (SMB, WMI, RDP, PSEXEC).
  • PDB paths containing “paid_memes” link multiple binaries (checker, pth, mimik, encrypters) to the same developer/author.
  • IOCs include multiple file hashes, PDB file paths, registry keys under PAIDMEMES and a persistent Run key BabyLockerKZ, plus mutex HOHOL1488 and encryption key PUTINHUILO1337.

MITRE Techniques

  • [T1003] OS Credential Dumping – Uses Mimikatz to extract credentials from memory (‘Utilizes Mimikatz to dump Windows user credentials from memory.’)
  • [T1021] Remote Services – Employs PSEXEC and RDP to move laterally across network hosts (‘Uses PSEXEC and RDP for lateral movement within the network.’)
  • [T1021.001] Remote Desktop Protocol – Leverages RDP for remote interactive access to compromised systems (‘Leverages RDP for remote access to compromised systems.’)
  • [T1047] Windows Management Instrumentation (WMI) – Executes remote commands and operations via WMI to perform lateral actions (‘Executes commands on remote systems using WMI.’)
  • [T1218] System Binary Proxy Execution (formerly Signed Binary Proxy Execution) – Uses LoLBins and built-in Windows tools to execute attack workflows and avoid detection (‘Uses living-off-the-land binaries (LoLBins) to execute attacks.’)

Indicators of Compromise

  • [File hashes] BabyLockerKZ sample hashes – 33a8024395c56fab4564b9baef1645e505e00b0b36bff6fad3aedb666022599a, b8c994e3ed7dcc9080916119ddc315533c129479f508676d7544b82b2e24745f, and 3 more hashes.
  • [File hashes] Checker/PTH/MIMIK samples – d00f7cf6af68ba832b9d364f28411346cfe66fd3b1f5bcac318766add29ff7f0, 9f066975f1e02b29c7c635280f405c59704ce4f4e06b04e9ac8a7eac22acd3c7, and other hashes listed.
  • [PDB paths] Build/debug paths linking tools to one author – d:/projects/paid_memes/wmi_smb_rdp_checker/release/checker.pdb, d:/projects/paid_memes/pth/release/pth.pdb, and several other paid_memes PDBs.
  • [Registry keys] Persistence and key storage – HKEY_CURRENT_USER\Software\PAIDMEMES\PUBLIC, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ (autorun value under the Run key).
  • [File paths] Tool storage locations on victims – c:\users\<user>\music\advanced_port_scanner_2.5.3869.exe; c:\users\<user>\music\checker\invoke-thehash.ps1 (attacker tools stored in the user's Music/Documents folders; <user> stands for the profile name, which the page does not list).
  • [Mutex / Encryption key] Malware markers – Mutex HOHOL1488; embedded encryption key/identifier PUTINHUILO1337.
  • [File extensions] Extensions used by encrypted files – examples: hazard11, crypto125, encrypted1, and many other extension variants observed.

The attacker delivers BabyLockerKZ using a toolchain that blends public offensive utilities (Mimikatz, Advanced Port Scanner, ProcessHacker, SoftPerfect Netscan) with custom wrappers and automation. Attack artifacts are often placed in user folders (Music, Documents, Pictures) or temp/appdata locations (e.g., c:\users\<user>\music\…, c:\users\<user>\appdata\local\temp\…), and binaries contain PDB strings with “paid_memes” that tie multiple components—checker, pth, mimik, and encrypters—to a single developer profile.

Central to the intrusion workflow is the “Checker” application, which bundles Remote Desktop clients, PSEXEC, Mimikatz and Invoke-TheHash scripts into a GUI that scans hosts, validates credentials via PSEXEC/RDP/SMB/WMI, stores recovered credentials in a local database, and automates pass-the-hash and remote execution. Complementary tools include PTH (pass-the-hash wrappers invoking Invoke-TheHash scripts) and MIMIK (a Mimikatz wrapper that can exfiltrate credentials via rclone), enabling rapid credential harvesting and lateral movement across the network.

Post-compromise the actor persists and prepares encryption by creating registry entries under PAIDMEMES (PUBLIC/PRIVATE) and a Run key BabyLockerKZ, and deploys the MedusaLocker-derived BabyLockerKZ encrypter (notable mutex HOHOL1488 and embedded key PUTINHUILO1337). Defenders should hunt for the paid_memes PDB paths, the registry PAIDMEMES keys, the autorun Run key, the listed sample hashes, tool storage in user folders, and the GUI/tool behaviors that orchestrate Mimikatz, Invoke-TheHash, PSEXEC, RDP and WMI actions.
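The hunt items listed above (paid_memes PDB paths, the PAIDMEMES and Run registry entries, the quoted sample hashes, tools staged in user folders), worked as an added offline example in Python. This is illustration written for this page, not Talos code and not the actor's tooling. It pulls PDB paths out of the standard CodeView RSDS debug record, so it works on any PE that keeps its debug directory; the file names pth.exe and mimik.exe, the user name alice and the SID in the sample are constructed, and treating .exe/.ps1/.dll files in Music, Pictures, Documents and the local temp folder as worth flagging is an assumption of this example.

```python
"""Offline hunt for the BabyLockerKZ / paid_memes artifacts listed on this page.

Added example, not Talos or actor code. Sample bytes, file names and the user
name 'alice' below are constructed; the values matched against come from the IOC list.
"""
import hashlib
import re
import struct
from pathlib import PureWindowsPath

# The four SHA256 values quoted on this page (the remaining samples are not listed here).
KNOWN_HASHES = {
    "33a8024395c56fab4564b9baef1645e505e00b0b36bff6fad3aedb666022599a",
    "b8c994e3ed7dcc9080916119ddc315533c129479f508676d7544b82b2e24745f",
    "d00f7cf6af68ba832b9d364f28411346cfe66fd3b1f5bcac318766add29ff7f0",
    "9f066975f1e02b29c7c635280f405c59704ce4f4e06b04e9ac8a7eac22acd3c7",
}
# Profile subfolders the actor staged tools in; the file types to flag there are an assumption.
STAGING_FOLDERS = {"music", "pictures", "documents"}
TOOL_SUFFIXES = {".exe", ".ps1", ".dll"}


def extract_pdb_paths(data: bytes) -> list:
    """Return PDB paths from CodeView records: 'RSDS' + 16-byte GUID + 4-byte age + NUL-terminated path."""
    paths = []
    for m in re.finditer(rb"RSDS", data):
        start = m.end() + 20  # skip the GUID (16 bytes) and the age (4 bytes)
        end = data.find(b"\x00", start)
        if end == -1:
            continue
        candidate = data[start:end]
        if candidate.lower().endswith(b".pdb"):  # drops random 'RSDS' byte runs
            paths.append(candidate.decode("utf-8", "replace"))
    return paths


def is_paid_memes_pdb(pdb_path: str) -> bool:
    """The actor's build tree: any PDB path with a 'paid_memes' directory, either slash style."""
    return "/paid_memes/" in pdb_path.replace("\\", "/").lower()


def staged_in_user_folder(file_path: str) -> bool:
    """Executable or script under c:\\users\\<name>\\{music,pictures,documents} or ...\\appdata\\local\\temp."""
    parts = [p.lower() for p in PureWindowsPath(file_path).parts]
    if len(parts) < 5 or parts[1] != "users" or PureWindowsPath(parts[-1]).suffix not in TOOL_SUFFIXES:
        return False
    in_media = parts[3] in STAGING_FOLDERS
    in_temp = parts[3:6] == ["appdata", "local", "temp"]
    return in_media or in_temp


def registry_hit(target_object: str):
    """Match a registry path (HKCU form, or Sysmon's HKU\\<SID> form) against the PAIDMEMES keys and Run value."""
    m = re.match(r"^(hkey_current_user|hkcu|hku\\[^\\]+)\\(.+)$", target_object.lower())
    if not m:
        return None
    rel = m.group(2)
    if rel.startswith("software\\paidmemes"):
        return "PAIDMEMES key"
    if rel == "software\\microsoft\\windows\\currentversion\\run\\babylockerkz":
        return "BabyLockerKZ Run value"
    return None


def hunt_sample(data: bytes, file_path: str, known=KNOWN_HASHES) -> dict:
    """Combine the static checks for one file: hash match, paid_memes PDB path, staging location."""
    digest = hashlib.sha256(data).hexdigest()
    return {
        "sha256": digest,
        "known_hash": digest in known,
        "paid_memes_pdb": [p for p in extract_pdb_paths(data) if is_paid_memes_pdb(p)],
        "staged_in_user_folder": staged_in_user_folder(file_path),
    }


def build_fake_sample() -> bytes:
    """Constructed bytes shaped like a PE with an RSDS record pointing at the pth.pdb path from the IOC list."""
    guid = b"\x11" * 16  # constructed GUID
    path = b"d:/projects/paid_memes/pth/release/pth.pdb\x00"
    return b"MZ" + b"\x00" * 62 + b"RSDS" + guid + struct.pack("<I", 1) + path + b"\x00" * 8


if __name__ == "__main__":
    sample = build_fake_sample()
    print(hunt_sample(sample, r"c:\users\alice\music\checker\pth.exe"))
    # Sysmon Event ID 13 (registry value set) records HKCU as HKU\<SID>; the SID here is constructed.
    print(registry_hit(r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ"))
```

To use it on real data, pass `open(path, "rb").read()` and the on-disk path to `hunt_sample`, and feed the TargetObject field of Sysmon Event ID 13 records to `registry_hit`. Sysmon writes HKCU keys as `HKU\<SID>\...`, which is why `registry_hit` accepts both spellings; the hash check only covers the four hashes quoted on this page, so a miss there says nothing about a sample not listed here.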

Read more: https://blog.talosintelligence.com/threat-actor-believed-to-be-spreading-new-medusalocker-variant-since-2022/