216.73.217.86

Makop ransomware: GuLoader and privilege escalation in attacks against Indian businesses

· Published 09/12/2025 17:09 · Modified 21/12/2025 18:52

Export JSON

Essential information

Published
09/12/2025 17:09
Modified
21/12/2025 18:52
Tags
2025-12-09 CVE-2016-0099 CVE-2017-0213 CVE-2018-8639 CVE-2019-1388 CVE-2020-0787 CVE-2020-0796 CVE-2020-1066 CVE-2021-41379 CVE-2022-24521 CVE-2025-7771 credential dumping guloader lazagne makop network scanning privilege-escalation ransomware rdp exploitation
Related entities
10 vulnerabilities (cve), 62 observables, 1 intrusion sets (apt), 18 techniques (mitre), 4 malware, 6 others

Description

, a strain derived from Phobos, is targeting Indian businesses through exposed RDP systems. The attackers employ a diverse toolkit including network scanners, privilege escalation exploits, and AV killers. They have integrated , a downloader trojan, to deliver secondary payloads and bypass security measures. The attack chain typically involves , followed by , lateral movement, and privilege escalation before encryption. The majority of attacks (55%) target organizations in India. operators use off-the-shelf tools and multiple local privilege escalation vulnerabilities to maximize their impact. The inclusion of a tailored Quick Heal AV uninstaller indicates adaptation to specific regional targets.

External references