Makop ransomware: GuLoader and privilege escalation in attacks against Indian businesses
Essential information
- Published
- 09/12/2025 17:09
- Modified
- 21/12/2025 18:52
- Tags
- 2025-12-09 CVE-2016-0099 CVE-2017-0213 CVE-2018-8639 CVE-2019-1388 CVE-2020-0787 CVE-2020-0796 CVE-2020-1066 CVE-2021-41379 CVE-2022-24521 CVE-2025-7771 credential dumping guloader lazagne makop network scanning privilege-escalation ransomware rdp exploitation
- Related entities
- 10 vulnerabilities (cve), 62 observables, 1 intrusion sets (apt), 18 techniques (mitre), 4 malware, 6 others
Description
Makop, a ransomware strain derived from Phobos, is targeting Indian businesses through exposed RDP systems. The attackers employ a diverse toolkit including network scanners, privilege escalation exploits, and AV killers. They have integrated GuLoader, a downloader trojan, to deliver secondary payloads and bypass security measures. The attack chain typically involves RDP exploitation, followed by network scanning, lateral movement, and privilege escalation before encryption. The majority of attacks (55%) target organizations in India. Makop operators use off-the-shelf tools and multiple local privilege escalation vulnerabilities to maximize their impact. The inclusion of a tailored Quick Heal AV uninstaller indicates adaptation to specific regional targets.