Mallox Ransomware Variant Targets Privileged VMWare ESXi Environments

Published: 23/11/2024   Category: security




Novel attack vector uses a custom shell for payload delivery and execution — and only goes after systems with administrative privileges.



The Mallox ransomware group is targeting VMWare ESXi environments with a fresh Linux variant that employs a new technique to deliver and execute its payload only on machines with high-level user privileges.
The variant — discovered by researchers at Trend Micro, who track Mallox as TargetCompany — specifically determines whether a targeted system is running in a VMWare ESXi environment and has administrative rights, and won't proceed with an attack if these requirements are not met, according to a blog post published June 5.
Mallox, which is also known by the monikers Fargo and Tohnichi, first surfaced in June 2021 and claims to have infected hundreds of organizations worldwide. Specific sectors targeted by the group include manufacturing, retail, wholesale, legal, and professional services. This year Mallox has been most active in Taiwan, India, Thailand, and South Korea, according to Trend Micro.
The Linux variant is the first time Mallox has been seen using a custom shell script to deliver and execute ransomware on virtualized environments — activity likely aimed at creating more disruption and, thus, increasing chances of a ransom payout.
Moreover, the adversary responsible for wielding the variant is a Mallox affiliate called “vampire,” which indicates the group's involvement in broader campaigns involving high ransom demands and expansive IT system targeting, Trend Micro's Darrel Tristan Virtusio, Nathaniel Morales, and Cj Arsley Mateo wrote in the post.
The use of a custom shell also demonstrates that Mallox has been continuously evolving to employ more sophisticated methods in its future attacks, the researchers noted.
This recently found Linux variant aligns with the recent trend of ransomware groups extending their attacks to critical Linux environments, thereby potentially increasing the range of target victims, they observed.
In addition to delivery and execution, the custom shell also exfiltrates the victim's information to two different servers so the ransomware actors have a backup of the information. Mallox is known to use a leak site by the same name to expose data stolen in its ransomware attacks.
This latest variant first checks whether the executable is running with administrative rights and, if this is not the case, it won't continue its activity.
After execution, the variant drops a text file named TargetInfo.txt that contains victim information, which is sent to a command-and-control (C2) server; this behavior is similar to that of the Windows version of Mallox ransomware.
The IP address used to exfiltrate this info, and later to execute the payload, is one not previously seen in use by Mallox, the researchers noted. It's hosted by China Mobile Communications, a Chinese ISP, and was likely rented for short-term use by the threat actor to host its malicious payload, they said.
The binary also performs a check to determine whether the machine is running in a VMWare ESXi environment by seeing if the system name matches “vmkernel,” which indicates that the machine is running on VMware's ESXi hypervisor. If so, it deploys its encryption routine, appending the extension .locked to encrypted files and dropping a ransom note named HOW TO DECRYPT.txt. Both the extension and the note deviate from the Windows variant, the researchers noted.
The custom shell script used to download and execute the payload can also exfiltrate data to a different server. It does this by reading the contents of the dropped text file and uploading it to another URL once the ransomware has performed its routine. The variant notably exfiltrates victim information to two different servers, possibly to improve redundancy and have a backup in case a server goes offline or is compromised, the researchers wrote.
After the ransomware performs its routine, the script deletes the TargetCompany payload, creating an added challenge for defenders to understand the overall impact of the attack, thus making investigation and incident response difficult.
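The file-based indicators named above (the .locked extension, the HOW TO DECRYPT.txt ransom note, and the dropped TargetInfo.txt) can be hunted for on a datastore even after the script has removed its payload. The following is an added example for defenders, not code from the article or from Trend Micro; the directory layout it builds is constructed sample data, and the scope check mirrors the variant's own gating on system name and privilege so that hunting can be prioritised on hosts that actually meet those conditions.

```python
import os
import tempfile
from pathlib import Path

# Indicators named in the Trend Micro write-up: the encrypted-file extension,
# the ransom note, and the victim-info file dropped before exfiltration.
LOCKED_EXT = ".locked"
RANSOM_NOTE = "HOW TO DECRYPT.txt"
VICTIM_INFO = "TargetInfo.txt"


def in_scope(sysname: str, euid: int) -> bool:
    """The variant only proceeds on ESXi (system name 'vmkernel') with
    administrative rights; use the same test to rank hosts for hunting."""
    return sysname.strip().lower() == "vmkernel" and euid == 0


def scan_tree(root: str) -> dict:
    """Walk a datastore or host path and collect the three file indicators."""
    found = {"locked": [], "ransom_notes": [], "victim_info": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.endswith(LOCKED_EXT):
                found["locked"].append(full)
            elif name == RANSOM_NOTE:
                found["ransom_notes"].append(full)
            elif name == VICTIM_INFO:
                found["victim_info"].append(full)
    return found


def build_sample_tree() -> str:
    """Constructed sample datastore layout (not from the article) for an offline run."""
    root = tempfile.mkdtemp(prefix="mallox_hunt_")
    vm = Path(root, "datastore1", "web01")
    vm.mkdir(parents=True)
    (vm / "web01.vmdk.locked").write_bytes(b"\x00" * 16)  # constructed
    (vm / "web01.vmx.locked").write_bytes(b"\x00" * 16)   # constructed
    (vm / RANSOM_NOTE).write_text("constructed ransom note\n")
    Path(root, "tmp").mkdir()
    Path(root, "tmp", VICTIM_INFO).write_text("hostname=web01\n")  # constructed
    Path(root, "datastore1", "clean.vmdk").write_bytes(b"\x00" * 16)  # untouched file
    return root


if __name__ == "__main__":
    import platform
    print("host in scope:", in_scope(platform.uname().system, os.geteuid()))
    for kind, paths in scan_tree(build_sample_tree()).items():
        print(f"{kind}: {len(paths)}")
```

Point scan_tree at a real datastore mount (for example a path under /vmfs/volumes on an ESXi host) to hunt across VM folders; untouched files such as clean.vmdk are ignored.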
Mallox's sophisticated expansion of its attack activity into Linux environments running VMware ESXi requires renewed vigilance on the part of organizations that fit this description, the researchers noted.
Implementing tried-and-tested cybersecurity measures can mitigate the risk of falling victim to ransomware attempts and protect the data integrity of an organization's assets, they wrote.
Best practices that the researchers suggested organizations should adopt include enabling multifactor authentication (MFA) to prevent attackers from performing lateral movement inside a network.
They also should adhere to what's called the 3-2-1 rule for backing up important files; that is, creating three backup copies on two different file formats, with one of the copies stored in a separate location, the researchers noted. Finally, the researchers said, patching and updating systems regularly can deter malicious actors from exploiting software vulnerabilities.
