
TargetCompany (Mallox, FARGO) – Threat Actor

August 6, 2024
in Ransomware Group, Threat Actors

TargetCompany

Other Names

Mallox, FARGO, Tohnichi, Water Gatpanapun

Country of Origin

Unknown

Date of initial activity

2021

Suspected Attribution

RaaS

Associated Groups

Unknown

Associated tools

AnyDesk, mallox ransomware, Remcos RAT, ChaCha20, AES-128, Curve25519

Motivation

Financial Gain

Overview

TargetCompany is a relatively small and closed group; one of its members described it that way in an interview in January 2023. In 2023, however, the group appears to be working to expand its operations by recruiting affiliates: a few days after that interview, a user named Mallx posted on the hacking forum RAMP that the TargetCompany ransomware group was recruiting affiliates for a new TargetCompany ransomware-as-a-service (RaaS) affiliate program. Like many other ransomware threat actors, TargetCompany follows the double extortion trend: it steals data before encrypting an organization’s files, then threatens to publish the stolen data on a leak site to pressure victims into paying the ransom fee. Each victim is given a private key to interact with the group and negotiate terms and payment. While the actual number of victims remains unknown, the TargetCompany ransomware group claims hundreds of victims worldwide across multiple industries, including manufacturing, professional and legal services, and wholesale and retail. Since the beginning of 2023, there has been an approximate 174% increase in TargetCompany attacks compared to the latter half of 2022. Since its emergence in 2021, the Mallox group has maintained the same approach to gaining initial access: targeting unsecured MS-SQL servers to infiltrate a network.

Common targets

Worldwide victims, across multiple industries, including manufacturing, professional and legal services, and wholesale and retail.

Attack Vectors

The group targets unsecured MS-SQL servers to infiltrate a network.

How they operate

Initial Access

Since its emergence in 2021, the Mallox group has maintained the same approach to gaining initial access: targeting unsecured MS-SQL servers to infiltrate networks. These attacks begin with a dictionary brute-force attack, trying a list of known or commonly used passwords against the MS-SQL servers. Once they successfully log into the SA account, they install the Remcos RAT. Four hours after the initial infection, the threat actors use Remcos RAT to install additional malware that adds remote control functionality. After gaining access, the attackers use the command line and PowerShell to download the Mallox ransomware payload from a remote server.

The command line performs the following actions:
  • Downloads the ransomware payload from hxxp://80.66.75[.]36/aRX.exe and saves it as tzt.exe
  • Runs a PowerShell script named updt.ps1

The payload then performs the following actions:
  • Downloads another file named system.bat and saves it as tzt.bat
  • The tzt.bat file creates a user named SystemHelp and enables the Remote Desktop Protocol (RDP)
  • Executes the ransomware payload tzt.exe using Windows Management Instrumentation (WMI)
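A defender-side check for the SA-account dictionary attack described above, added here as an example and not taken from the page or its sources: it scans SQL Server ERRORLOG lines (a constructed sample in the real "Login failed for user" format) for clients that fail repeatedly against 'sa' inside a short window. The threshold and window are assumptions to tune per environment.

```python
"""Flag dictionary attacks on the MS-SQL 'sa' login in SQL Server ERRORLOG
lines. Added example, not from the original page: the log lines are
constructed in the real "Login failed for user" format, and the window and
threshold are assumptions to tune per environment."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample; client addresses are RFC 5737 documentation ranges.
SAMPLE_ERRORLOG = """\
2024-08-06 03:14:07.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-08-06 03:14:08.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-08-06 03:14:09.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-08-06 03:14:11.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-08-06 03:14:12.35 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-08-06 03:20:00.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2024-08-06 03:25:00.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2024-08-06 03:30:00.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2024-08-06 03:31:15.88 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ Logon\s+"
    r"Login failed for user '(?P<user>[^']+)'\..*\[CLIENT: (?P<ip>[^\]]+)\]$"
)

def find_sa_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {client_ip: total failed 'sa' logins} for every client that
    reaches `threshold` failures inside any sliding `window_seconds` interval."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("user").lower() == "sa":   # only the SA account matters here
            attempts[m.group("ip")].append(
                datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"))
    hits = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1                           # slide the window forward
            if end - start + 1 >= threshold:
                hits[ip] = len(times)
                break
    return hits

if __name__ == "__main__":
    print(find_sa_bruteforce(SAMPLE_ERRORLOG))       # {'203.0.113.45': 5}
```

The slow, spaced-out failures from the second client stay below the window by design; widen the window or lower the threshold to trade false positives for coverage of low-and-slow guessing.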
Ransomware Execution

Before encryption begins, the ransomware payload attempts several actions to ensure successful execution:
  • Attempts to stop and remove SQL-related services using sc.exe and net.exe, allowing the ransomware to access and encrypt the victim’s file data.
  • Attempts to delete volume shadow copies, making it harder to restore files once they are encrypted.
  • Attempts to clear the Application, Security, Setup, and System event logs using Microsoft’s wevtutil command-line utility to thwart detection and forensic analysis efforts.
  • Modifies file permissions using the Windows built-in takeown.exe command, denying access to cmd.exe and other key system processes.
  • Prevents the system administrator from manually loading the System Image Recovery feature using bcdedit.exe.
  • Attempts to terminate security-related processes and services using taskkill.exe to evade security solutions.
  • Attempts to bypass the Raccine anti-ransomware product, if present, by deleting its registry key.

Mallox leaves a ransom note in every directory on the victim’s drive. The ransom note explains the infection and provides contact information.
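The pre-encryption actions listed above form a detection chain that is visible in process-creation telemetry well before files are touched. The following is an added example (not the page's or any vendor's code) that matches command lines against those actions and flags a host that exhibits several of them; the record layout, the sample commands and the vssadmin/wmic spellings of "delete volume shadows" are assumptions.

```python
"""Match the pre-encryption actions described above against process-creation
records. Added example, not from the original page: the record layout and
sample commands are constructed; the patterns follow the text's description."""
import re

# (label, regex on the lower-cased command line); vssadmin and wmic are
# assumed spellings of "delete volume shadows", the text names no tool.
RULES = [
    ("sql-service-stop",    re.compile(r"\b(sc|net)(\.exe)?\s+stop\s+\S*(sql|mssql)")),
    ("shadow-copy-delete",  re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)")),
    ("eventlog-clear",      re.compile(r"wevtutil(\.exe)?\s+cl\s+(application|security|setup|system)\b")),
    ("takeown-cmd",         re.compile(r"takeown(\.exe)?\s+.*\bcmd\.exe")),
    ("recovery-disable",    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no")),
    ("raccine-key-delete",  re.compile(r"reg(\.exe)?\s+delete\s+.*raccine")),
    ("systemhelp-user-add", re.compile(r"net1?(\.exe)?\s+user\s+systemhelp\s+.*\s/add")),
]

def classify(cmdline):
    """Return the labels of every rule the command line matches, in RULES order."""
    text = cmdline.lower()
    return [label for label, rx in RULES if rx.search(text)]

def triage(records, min_distinct=3):
    """records: iterable of dicts with 'host' and 'cmdline'. Returns
    {host: sorted distinct labels} for hosts that hit at least `min_distinct`
    different rules, i.e. the chain of actions that precedes encryption."""
    seen = {}
    for rec in records:
        for label in classify(rec["cmdline"]):
            seen.setdefault(rec["host"], set()).add(label)
    return {h: sorted(l) for h, l in seen.items() if len(l) >= min_distinct}

# Constructed sample, not captured telemetry; the password is a placeholder.
SAMPLE_RECORDS = [
    {"host": "FS01", "cmdline": "wevtutil.exe cl Security"},
    {"host": "FS01", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "FS01", "cmdline": "bcdedit.exe /set {default} recoveryenabled No"},
    {"host": "FS01", "cmdline": "net.exe user SystemHelp <placeholder> /add"},
    {"host": "FS01", "cmdline": "svchost.exe -k netsvcs"},              # benign
    {"host": "WS07", "cmdline": "wevtutil.exe qe Application /c:5"},    # query, not clear
    {"host": "WS07", "cmdline": "wevtutil.exe cl Application"},         # single hit only
]

if __name__ == "__main__":
    for host, labels in triage(SAMPLE_RECORDS).items():
        print(host, labels)
```

Requiring several distinct rules per host keeps a lone administrative `wevtutil cl` from paging anyone, while the full sequence on one host is hard to explain away.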

Mitigation

Mitigation Methods:
  • Patch and Update Systems Regularly
  • Implement Strong Access Controls and Multi-Factor Authentication (MFA)
  • Backup Data Regularly and Store Backups Securely Offline
  • Deploy Endpoint Protection with Antivirus and Anti-Malware
  • Segment Networks and Restrict Access Based on User Roles
  • Use Email and Web Filtering to Block Malicious Content
  • Conduct Cybersecurity Training for Employees
  • Develop and Test an Incident Response Plan
  • Implement Logging and Monitoring Solutions
  • Encrypt Sensitive Data at Rest and in Transit
  • Apply Security Patches Promptly for Known Vulnerabilities
  • Use Behavioral Analysis to Detect Ransomware Activity
  • Subscribe to Threat Intelligence Services
  • Limit User Permissions and Administrative Privileges
  • Consider Cyber Insurance Coverage
References:
  • Threat Group Assessment: Mallox Ransomware
  • Analysis of TargetCompany’s Attacks Against MS-SQL Servers (Mallox, BlueSky Ransomware)
  • Decrypted: TargetCompany Ransomware
  • OODA: X-Ops Takes On Burgeoning SQL Server Attacks
  • FARGO Ransomware (Mallox) Being Distributed to Unsecured MS-SQL Servers
  • Mallox Ransomware
  • Mallox Ransomware showing signs of Increased Activity
  • A Victim of Mallox Ransomware: How Truesec CSIRT Fought Back
  • Mallox affiliate leverages PureCrypter in MS-SQL exploitation campaigns
  • TargetCompany’s Linux Variant Targets ESXi Environments
  • Interview with Mallox ransomware group