Key Takeaways

• This attack leverages a ZIP file with a deceptive LNK shortcut to silently execute a multi-stage PowerShell-based infection chain, ensuring stealthy deployment.
• A vulnerable driver (CVE-2015-2291) is exploited through a Bring Your Own Vulnerable Driver (BYOVD) technique to gain kernel-level read/write access for privilege escalation.
• The payload is a customized version of Fog ransomware, branded as “DOGE BIG BALLS Ransomware,” reflecting an attempt to add psychological manipulation and misattribution.
• Ransomware scripts include provocative political commentary and the use of a real individual’s name and address, indicating intent to confuse, intimidate, or mislead victims.
• The malware uses router MAC addresses (BSSIDs) and queries the Wigle.net API to determine the victim’s physical location—offering more accurate geolocation than IP-based methods.
• Extensive system and network information, including hardware IDs, firewall states, network configuration, and running processes, is collected via PowerShell, aiding attacker profiling.
• Embedded within the toolkit is a Havoc C2 beacon, hinting at the threat actor’s (TA’s) potential to maintain long-term access or conduct additional post-encryption activities.

Overview:

A recent ransomware operation has revealed a blend of technical sophistication and psychological manipulation, setting it apart from conventional attacks. Disguised under a finance-themed ZIP file, the campaign employs deceptive shortcut files and multi-stage PowerShell scripts to deliver custom payloads, including a kernel-mode exploit tool and reconnaissance modules. This layered approach allows attackers to gather in-depth system data while evading conventional defenses.

The ransomware itself, a modified version of Fog, is delivered with a provocative name— “DOGE BIG BALLS Ransomware.” The branding includes references to a known public figure, likely as a deliberate misdirection to draw attention or create confusion. By introducing conspiracy-laced commentary in the code and ransom notes, the TA demonstrates a psychological play designed to unsettle and distract victims during critical moments of response.

What makes this operation particularly notable is the use of a vulnerable Intel driver (CVE-2015-2291) in a Bring Your Own Vulnerable Driver (BYOVD) tactic. By exploiting this flaw, the TA gained kernel-level access, manipulated memory, escalated privileges, and disabled security logging mechanisms—all after deploying the ransomware. A built-in Havoc C2 beacon further signals the TA’s potential to expand into post-encryption activities, such as persistent access or lateral movement.

Geolocation tracking in this campaign is unusually precise. Instead of relying on IP addresses, the TA queries the Wigle.net API using the MAC address of the victim’s router (BSSID), allowing for granular physical location targeting. This technique reflects an advanced understanding of network telemetry and suggests a strong emphasis on tailoring attacks to specific victims.

Technical Analysis:

Cyble Research and Intelligence Labs (CRIL) has identified a campaign whose initial infection vector remains unknown. It is suspected to be delivered via spam emails containing ZIP attachments themed around payments. In this campaign, we observed a malicious ZIP file named “Pay Adjustment.zip” containing a shortcut file “Pay Adjustment.pdf.lnk.”

Opening the shortcut file silently executes Command Prompt and PowerShell commands. These commands use “Invoke-WebRequest” to download a PowerShell script named “stage1.ps1” from “hxxps://hilarious-trifle-d9182e.netlify[.]app/stage1[.]ps1”. The script is then executed in memory using Invoke-Expression (IEX), allowing it to run without leaving significant traces on the disk.

stage1.ps1

The PowerShell script “stage1.ps1” acts as a primary component for the attack, checking whether the user has administrative privileges and then downloading and executing other malicious files accordingly.

The PowerShell script stage1.ps1 begins by checking if the current user has administrative privileges. If admin access is detected, it creates a hidden folder named “hidden” within the system’s startup directory at “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\”. It then uses Invoke-WebRequest to download a binary from “hxxps://hilarious-trifle-d9182e.netlify.app/cwiper.exe”. “This binary, identified as modified Fog Ransomware, is saved under the name “Adobe Acrobat.exe” in the hidden folder, disguised to resemble a legitimate application, and executed using PowerShell’s “Start-Process” command.“            

The script proceeds to download “ktool.exe,” a kernel exploit tool, from “hxxps://hilarious-trifle-d9182e.netlify.app/ktool[.]exe” and saves it to the %TEMP% directory. It then executes the tool using the PID of the ransomware process along with a hardcoded key—but only if administrative privileges are available. If admin rights are not present, the ransomware binary is instead copied to a hidden subdirectory within the user-specific startup folder (AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hidden\). This location suggests it may be triggered later via an alternate mechanism, as Windows only executes files located directly in the root of the Startup folder.

After that, “stage1.ps1” downloads and executes a separate script named

“lootsubmit.ps1” from “hxxps://hilarious-trifle-d9182e.netlify.app/lootsubmit[.]ps1” using Invoke-WebRequest. The purpose of “lootsubmit.ps1” is to collect additional system and network-related information from the victim’s machine to aid in further profiling.

In the PowerShell script associated with the ransomware attack, the TAs have embedded provocative and unrelated statements, such as:

“The CIA didn’t kill Kennedy you idiot. Oswald is a very deranged person that felt ostracized by his own country. Even as a defector he assimilated poorly in the USSR.”

This inclusion appears to serve as a psychological tactic, aiming to confuse or unsettle the victim/analyst by introducing unrelated or emotionally charged content.

DOGE BIG BALLS Ransomware

Adobe Acrobat.exe is the customized Fog ransomware payload downloaded and executed by the “stage1.ps1” script. When executed, a confirmation message box prompts for user interaction. The ransomware then proceeds to open the RANSOMNOTE.txt and creates a file named “DbgLog.sys” in the current directory to log its activities in plain text format.

The RANSOMNOTE.txt file introduces the TA as Edward Coristine and provides his home address and phone number. The TA demands a payment of 4.721373 Monero (XMR) (~USD1000) to a specified wallet address and threatens a trillion-dollar penalty if the victim fails to submit a list of five work accomplishments from the previous week.

The ransomware, named “DOGE BIG BALLS Ransomware“, is a customized variant of Fog ransomware. The inclusion of “DOGE” in its name appears to be an attempt to associate the attack with Edward Coristine, a 19-year-old software engineer and college student known by the online alias “Big Balls.” Coristine is a prominent member of Elon Musk’s Department of Government Efficiency (DOGE). The use of Coristine’s name and the “DOGE” reference in the ransomware could be a tactic to malign him and the DOGE initiative.

The ransomware then begins collecting the victim’s system information by executing a series of reconnaissance commands, with the output being written to the previously created “DbgLog.sys” file. The specific commands used are listed in the table below.

After gathering system details, the ransomware begins encrypting files based on configuration parameters embedded within the ransomware binary. These include the RSA public key, targeted file extensions, ransom note filename, directories to skip, file name patterns to ignore, and a list of processes and services to terminate before encryption.

After successfully encrypting files with the “.flocked” extension, it drops a “readme.txt” ransom note in every affected folder and deletes the shadow volume copy using the command “vssadmin.exe delete shadows /all /quiet”.

The “readme.txt” ransom note includes a link to a “.onion” site that directs victims to a Tor-based chat site managed by the TA. This site is used for communication and ransom negotiations and may be shared among multiple victims.

Privilege escalation and Havoc C2:

ktool.exe is executed by the previously run PowerShell script “stage1.ps1”, which drops and loads the vulnerable driver (CVE-2015-2291) “iqvw64e.sys” as part of a Bring Your Own Vulnerable Driver (BYOVD) technique to gain kernel-level read/write access. It also embeds the Havoc C2 beacon “demon.x64.dll” to enable post-exploitation control. To evade dynamic analysis and detection, it is equipped with execution guardrails.

Ktool.exe is launched with the PID of ransomware and a hardcoded key, which acts as an execution guardrail. This mechanism ensures that ktool.exe only runs as part of the intended attack flow by validating the key internally.

To evade automated detection, ktool.exe employs an additional execution guardrail by checking for the presence of the environment variable “NON_EXISTENT_ENV_VAR”, a common anti-analysis technique used by malware to detect and adapt to analysis or sandbox environments.

After completing its checks, ktool.exe drops a vulnerable driver named “iqvw64e.sys” into the %TEMP% directory and installs it as a kernel-mode service. The current process then enables the SeLoadDriverPrivilege and uses NtLoadDriver to load the driver into the Windows kernel.

Once the driver is loaded, “ktool.exe” gains direct read/write access to kernel memory through the “\.\Nal” device interface exposed by the vulnerable driver. It uses this access to escalate the privileges of the ransomware process by locating the SYSTEM process token in memory and assigning it to the ransomware process.

Additional Capabilities

• ktool.exe bundles a Havoc C2 beacon (demon.x64.dll)—a post-exploitation tool—configured with a local IP address. This indicates that the attacker may be testing or preparing to enable remote command and control capabilities following the ransomware deployment.
• The tool scans ETW kernel structures, specifically the “EtwpGuidHashTable”, to locate and tamper with “_ETW_REG_ENTRY” entries — a stealthy method used to disable or evade security logging.

Lootsubmit.ps1

Lootsubmit.ps1, executed by the stage1.ps1 script is designed to gather extensive information from a victim’s machine, including both system-related and network-related details. It then transmits the collected data to the TA via the cloud hosting platform “netlify[.]app“.

For system-related information, the script collects data such as the UUID, BIOS serial number, disk specifications, CPU details, core count, RAM size, and operating system information. Additionally, it logs system boot time, uptime, the top five CPU-consuming processes, currently logged-in users, and a timestamp to track system activity.

For network-related information, the script collects details such as the victim’s local and external IP addresses, the MAC address of the device, network adapters, the BSSID (MAC address of the connected router), and the gateway’s IP. This information helps the TA understand the victim’s network setup and connectivity.

Location Discovery:

Instead of relying on traditional location-tracking methods—such as extracting location data from system artifacts or using IP-based geolocation—the script employs a more accurate technique.

It queries the Wigle.net API “hxxps://api.wigle.net/api” for the BSSID (Basic Service Set Identifier, i.e., the MAC address of the victim’s wireless access point) location using hardcoded Wigle.net API credentials. By leveraging the router’s MAC address, it pinpoints the physical location of the victim’s network. This approach yields much more precise geolocation data compared to conventional IP-based tracking.

The collected information is URL-encoded into a form-style format and sent via a POST request to the cloud hosting platform at hxxps://hilarious-trifle-d9182e[.]netlify[.]app.

Conclusion

This sophisticated multi-stage attack demonstrates a well-orchestrated ransomware campaign that begins with a deceptive ZIP file containing a malicious LNK shortcut. The attack leverages PowerShell scripts to establish persistence, exfiltrate sensitive system and network data, and deploy ransomware with privilege escalation via a vulnerable driver “CVE-2015-2291”. The inclusion of a Havoc C2 beacon and anti-analysis techniques indicates advanced post-exploitation capabilities. Overall, the campaign reflects a highly evasive and persistent threat targeting both user-level and system-level environments.

Cyble’s advanced threat intelligence platforms, Cyble Vision and Cyble Hawk, utilize AI-powered analytics and proactive security measures to assist organizations in detecting, investigating, and defending against emerging cyber threats. By providing real-time insights, these solutions bolster defenses against targeted attacks such as the DOGE BIG BALLS Ransomware, enhancing overall cybersecurity resilience.

The Yara rule to detect this ransomware variant can be downloaded from the linked GitHub repository.   

Our Recommendations

• Implement strict execution policies using Group Policy or AppLocker to block .LNK files and untrusted PowerShell scripts.
• Log and monitor PowerShell usage through event logs (e.g., 4104) to detect suspicious activity in real-time.
• Deploy Endpoint Detection and Response (EDR) solutions that can detect fileless malware, suspicious process chains (e.g., PowerShell spawning executables), and command-line anomalies.
• Use behavior-based analytics to flag uncommon persistence techniques.
• Limit administrative rights across the organization using Role-Based Access Control (RBAC). Continuously monitor for privilege escalation attempts, especially loading of unsigned or vulnerable drivers, such as the one exploited in CVE-2015-2291.
• Restrict outbound traffic to unauthorized cloud services like Netlify via DNS and firewall rules. Monitor and block external API calls (e.g., Wigle.net) from endpoints to prevent unauthorized geolocation data exfiltration.

MITRE ATT&CK® Techniques

Indicators of Compromise (IOCs)