Cuba Ransomware Gang Continues to Evolve With Dangerous Backdoor

Published: 23/11/2024   Category: security

The Russian-speaking ransomware gang continues to update its tactics while managing to steal highly sensitive information from its victims.
Researchers have uncovered fresh malware samples attributed to the ransomware group Cuba, representing new versions of the BurntCigar malware, which offers next-level stealth to the group.
Researchers at Kaspersky uncovered the malware in an ongoing investigation, after first detecting an incident on a client's system in December. The attack chain ultimately led to the loading of a library called komar65 — otherwise known as BugHatch. This custom downloader is a sophisticated backdoor that deploys in process memory, according to Kaspersky.
"It executes an embedded block of shellcode within the memory space allocated to it using the Windows API," Kaspersky researchers noted in an analysis. "Subsequently, it connects to a command-and-control (C2) server, awaiting further instructions. It can receive commands to download software like Cobalt Strike Beacon and Metasploit. The use of Veeamp in the attack strongly suggests Cuba's involvement."
The security firm added, "Notably, the PDB file references the 'komar' folder, a Russian word for 'mosquito,' indicating the potential presence of Russian-speaking members within the group."
Kaspersky also found additional modules distributed by the Cuba group, enhancing the malware's functionality. One such module is responsible for collecting system information, which is then sent to a server via HTTP POST requests. The researchers also discovered that BugHatch now has the capability of evading detection by security vendors by way of encrypted data. As Cuba's second proprietary malware, BURNTCIGAR is able to exploit I/O control codes and terminate kernel-level processes.
Cuba has in the past used a classic double extortion model to pressure its victims, with a hybrid encryption that provides a secure method of preventing decryption without the necessary key. "But the latest findings prove that groups such as these are growing and evolving, making it all the more difficult to stay ahead of these newly refined, malicious tactics," warns Gleb Ivanov, SOC analyst at Kaspersky.
"This group poses a serious threat to businesses and will steal sensitive data that is used within the organization — source, code, software, etc.," he notes. "The innovation of this malware has not [been] seen before by attacks by this group."
The Russian-speaking ransomware group has targeted a variety of industries across North America, Europe, Oceania, and Asia, proving that it has a wide reach and the skill to target a diverse range of organizations, though most of its targets are of US origin.
A notable feature of the Cuba gang's operation is its ability to deceive those investigating it by altering compilation timestamps — an example of such behavior is when older malware samples found in 2020 had timestamps of that year, while newer versions of the samples had timestamps dating back to 1992.
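One defensive check that follows from the timestamp manipulation described above, as an added example that is not from Kaspersky's report or this article: a small Python reader that pulls the COFF TimeDateStamp out of a PE header and flags builds that predate a plausible range or lie in the future. The thresholds, the constructed header stub and the use of the article date as the scan time are assumptions.

```python
import struct
from datetime import datetime, timezone

# Assumed thresholds (not from the article): builds before 2000-01-01 UTC are
# implausible for this tooling, and builds after the scan time are impossible.
OLDEST_PLAUSIBLE_EPOCH = 946684800
NOW_EPOCH = 1732320000  # 2024-11-23 00:00 UTC, the article date, used as scan time


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp of a PE image; raise ValueError if malformed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing or header truncated")
    # COFF file header follows the signature: Machine(2) NumberOfSections(2)
    # TimeDateStamp(4) PointerToSymbolTable(4) NumberOfSymbols(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def timestamp_verdict(data: bytes, now_epoch: int = NOW_EPOCH) -> str:
    """Classify a sample's build timestamp as plausible or suspicious."""
    ts = pe_timestamp(data)
    built = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")
    if ts < OLDEST_PLAUSIBLE_EPOCH:
        return f"suspicious: build time {built} predates the plausible range (backdated?)"
    if ts > now_epoch:
        return f"suspicious: build time {built} lies in the future"
    return f"plausible: built {built}"


def make_stub(ts: int) -> bytes:
    """Constructed test input: a minimal, non-executable MZ/PE header with a given TimeDateStamp."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff_header = struct.pack("<HHIIIHH", 0x8664, 1, ts, 0, 0, 0, 0)  # x64, 1 section
    return dos_header + b"PE\0\0" + coff_header


if __name__ == "__main__":
    # Constructed samples mirroring the article: a 2020 build and one backdated to 1992.
    for name, ts in (("sample_2020", 1584230400), ("sample_backdated", 707356800)):
        print(name, "->", timestamp_verdict(make_stub(ts)))
```

On real samples the timestamp should also be compared against the linker version and the signing time, since a backdated header is only one of several inconsistencies a forged build leaves behind.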
With the gang's ability to manipulate its pursuers, remain dynamic in its tactics, and extract sensitive information such as financial documents, bank records, and the like, it is essential that vendors and organizations remain vigilant. "As ransomware gangs like Cuba evolve and refine their tactics, staying ahead of the curve is crucial to effectively mitigate potential attacks. With the ever-changing landscape of cyber threats, knowledge is the ultimate defense against emerging cybercriminals," according to Kaspersky's research report.
"It is important to make regular updates, close critical vulnerabilities and keep up with cybersecurity trends, and have a good defense team that can quickly detect and stop such threats," Ivanov says. "Even if you are surrounded by every possible defense, the threat may still get around you."
