cyber security

Researchers Detailed Tools Used By Hacktivists Fueling Ransomware Attacks

CyberVolk, a politically motivated hacktivist group, has leveraged readily available ransomware builders like AzzaSec, Diamond, LockBit, and Chaos to launch DDoS and ransomware attacks against targets opposing Russian interests. 

The highly skilled members of the group modify and improve these tools, which results in an increase in their level of sophistication and makes it more difficult to track them down. 

June 2024 Release of AzzaSec Ransomware

A pro-Russia hacktivist group emerged in May 2024, leveraging the AzzaSec ransomware code, leaked in June 2024, which was originally developed by a pro-Russia, anti-Israel, and anti-Ukraine group and was adopted and modified by various aligned groups, including CyberVolk.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

The operations of CyberVolk consist of a variety of distributed denial of service attacks, defacements, and ransomware, and they frequently target entities in countries that are in alliance with Russia. 

CyberVolk wallpaper with countdown timer

CyberVolk, a ransomware-as-a-service (RaaS) group, emerged in late June 2024, leveraging modified AzzaSec ransomware, as their Windows-specific payloads, written in C++, employ encryption algorithms like AES and SHA512. 

A countdown timer is displayed, files are encrypted, and the extension.CyberVolk is appended to the filename. 

It has recently targeted entities in Japan, including government agencies and research institutions, as part of their “#OpJP” campaign, as their operations involve ransomware distribution, victim extortion, and active promotion on social media platforms.

CyberVolk-encrypted files

Invisible/Doubleface ransomware, a variant of AzzaSec ransomware, emerged from a collaboration between CyberVolk and Doubleface Team, which employs AES-256 encryption for files and RSA-2048 for key wrapping. 

The ransomware imposes a 5-hour timeout for victim action, enforced by a timer mechanism.

Its source code, publicly leaked, reveals details about its encryption methods, timeout implementation, and ransom note generation.

HexaLocker, a ransomware group associated with LAPSUS$, emerged in July 2024 with the goal of “Lock. Demand. Dominate.”

The group’s Golang-based ransomware targeted Windows systems and was actively developed and promoted within the CyberVolk community. 

HexaLocker Telegram message

In October 2024, HexaLocker’s lead developer, ZZART3XX, announced the group’s shutdown and offered to sell the ransomware source code and infrastructure, signaling a potential shift in the threat landscape. 

CyberVolk, an active threat actor, has recently introduced Parano Ransomware, a new ransomware variant featuring strong anti-analysis measures and AES-128/RSA-4096 encryption.

The group has also released Parano Stealer, a Python-based infostealer that targets browser data, Discord credentials, cryptocurrency wallets, and system information. 

CyberVolk Stealer Python Script

It has developed a PHP-based webshell for remote access and control of compromised systems, which combined with their ongoing activities demonstrate the group’s evolving capabilities and persistent threat to organizations worldwide.

CyberVolk and other hacktivist groups were recently banned from Telegram, which follows threats from an actor who claims to have the ability to manipulate Telegram’s Terms of Service to ban channels. 

According to Sentinel Labs, it is possibly associated with a former member of AzzaSec or Doubleface, who appears to be using these threats to extort other groups.

As a result, many hacktivist groups are migrating to more secure platforms, highlighting the increasing weaponization of Telegram’s platform policies.

Analyze cyber threats with ANYRUN's powerful sandbox. Black Friday Deals : Get up to 3 Free Licenses.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Apple Releases Security Patches to Fix Critical Data Exposure Flaws

Apple released critical security updates for macOS Sequoia 15.5 on May 12, 2025, addressing over…

34 seconds ago

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware has…

10 hours ago

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as a…

11 hours ago

Kimsuky Hacker Group Deploys New Phishing Techniques and Malware Campaigns

The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky, also known as “Black Banshee,”…

11 hours ago

APT37 Hackers Use Weaponized LNK Files and Dropbox for Command-and-Control Operations

The North Korean state-sponsored hacking group APT37, also known as ScarCruft, launched a spear phishing…

11 hours ago

Open Source Linux Firewall IPFire 2.29 – Core Update 194 Released: What’s New!

IPFire, the powerful open-source firewall, has unveiled its latest release, IPFire 2.29 – Core Update…

14 hours ago