01flip Multi-Platform Ransomware Written in Rust #1658
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Collaborator
Author
🔗 Additional ContextOriginal Blog Post: https://unit42.paloaltonetworks.com/new-ransomware-01flip-written-in-rust/ Content Categories: Based on the analysis, this content was categorized under "Generic Methodologies & Resources -> Basic Forensic Methodology (Anti-Forensic Techniques) and Windows Hardening -> Antivirus (AV) Bypass / Windows Local Privilege Escalation (post-exploitation TTPs). A short cross-referenced note could also go under Linux Hardening -> Linux Post-Exploitation for Sliver TCP Pivot and self-wiping patterns, and under Binary Exploitation or Reversing -> Common API used in Malware for the Rust string-obfuscation and hybrid crypto design.". Repository Maintenance:
Review Notes:
Bot Version: HackTricks News Bot v1.0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
This blog provides a detailed technical analysis of 01flip, a new Rust-based multi-platform ransomware used in targeted attacks (cluster CL-CRI-1036) against a small set of victims in the Asia-Pacific region, including critical infrastructure organizations in Southeast Asia. Victim reports include a Zimbra email server compromise, and a dark web forum post suggests additional victims in Taiwan and the Philippines. Attackers are financially motivated, demand one bitcoin (BTC) per victim, and c...
🔧 Technical Details
1. Exploiting public RCEs on internet-facing services to bootstrap ransomware campaigns.
The campaign illustrates a generalizable pattern: attackers scan for internet-facing enterprise services with known RCEs (e.g., Atlassian Crowd CVE-2019-11580) and exploit them to gain initial access. Once a foothold is established on a perimeter or management server, they deploy C2 tooling (like Sliver) to pivot further inside. Defenders should treat exposed management/identity systems as high-value attack surfaces, aggressively patch RCEs, and monitor anomalous process spawns and outbound connections from such hosts.
2. Using Sliver beacons with TCP Pivot profiles for stealthy lateral movement.
Sliver (open source C2 framework) is used to maintain access and perform lateral movement. Operators deploy Linux ELF beacons configured as