Mallory
Malware | Ransomware | Used by 1 actor | Exploits 1 CVE

ZEPPELIN

Zeppelin is a ransomware family active in attacks observed between at least 2019 and 2022. The cited reporting links it to a ransomware operation led by a Russian national who pleaded guilty in the U.S. to leading the Zeppelin ransomware group and admitted targeting individuals, businesses, and organizations in the United States and elsewhere. Zeppelin has also been used as a third-party locker by the Vice Society/Vanilla Tempest threat actor, which deployed it alongside other ransomware families, including Hello Kitty/Five Hands, BlackCat, and Quantum Locker, and, in later periods, Rhysida and INC.

The cited reporting explicitly describes Vice Society actors as not relying on a unique ransomware family and instead deploying several variants, Zeppelin among them. Their intrusions began with exploitation of internet-facing applications or use of compromised valid accounts and RDP credentials, followed by lateral movement and staging with tools such as Cobalt Strike, SystemBC, PowerShell Empire, WMI, Rubeus, Mimikatz, and PowerShell. In one intrusion observed by Trend Micro, Zeppelin was deployed on 2022-11-12 from C:\mnt\smile.exe before Vice Society also deployed its own payloads. The broader workflow described for these actors includes data exfiltration before encryption for double extortion, deletion of volume shadow copies, termination of security and business-critical processes, and impact on sectors including education, healthcare, and manufacturing, as well as virtualized environments such as Microsoft Hyper-V.

The cited reporting also notes infrastructure and intelligence associations for Zeppelin. OTX associated the IP 34.41.139.193 with Zeppelin ransomware as well as with NetWire RAT, ClearFake, AsyncRAT, XWorm, Formbook, and StealC-related activity; an address shared across that many unrelated families should be treated as a pivot for triage rather than as proof of Zeppelin on its own. Mandiant additionally noted reported overlaps between COLDDRAW and Zeppelin, including reporting that Zeppelin had been distributed via CHANITOR. One technical behavior specifically mentioned for Zeppelin is that it queries the Windows MachineGUID, a value that many legitimate programs also read, so that behavior is only meaningful when correlated with other activity. The high-confidence indicators directly mentioned in the cited reporting are the observed deployment path C:\mnt\smile.exe and the infrastructure association with 34.41.139.193.


EXPLOITED CVES

Vulnerabilities exploited

1 CVE that Mallory has correlated with this family across public research and vendor advisories.

CVE-2021-34527 (PrintNightmare), exploited in the wild

Vice Society actors have been observed exploiting the PrintNightmare vulnerability (CVE-2021-1675 and CVE-2021-34527) to escalate privileges.

via CISA (cisa.gov)
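The two family description paragraphs above and this PrintNightmare entry together describe a hunt: a known deployment path (C:\mnt\smile.exe), a linked IP (34.41.139.193), a MachineGUID query, shadow copy deletion, and spooler exploitation for privilege escalation. The script below is an added example written for this page, not code from Mallory, CISA, Trend Micro, or any vendor cited here. It runs simple detection rules over a few constructed Sysmon/Security-style events and correlates them per host. Several things in it are assumptions rather than facts from the page: the key="value" event format and the event IDs used (1, 3, 11 for Sysmon process creation, network connection, and file creation; 4663 for a Windows Security object-access audit, which only exists if a SACL is set on the key), the registry location of MachineGuid under HKLM\SOFTWARE\Microsoft\Cryptography, the heuristic that PrintNightmare exploitation shows up as spoolsv.exe writing a DLL into the spool driver directory, and the ATT&CK IDs attached to the non-Zeppelin rules (T1490, T1082, T1068).

```python
"""Hunt constructed host telemetry for the Zeppelin / Vice Society chain.

Added example for this page; not vendor or Mallory code. The indicators for
the first two rules come from the page; everything else is an assumption.
"""
import re
from collections import defaultdict

# Indicators quoted on the page (Trend Micro deployment path, OTX association).
ZEPPELIN_PATH = r"c:\mnt\smile.exe"
ZEPPELIN_IP = "34.41.139.193"
# Assumptions: standard MachineGuid key suffix; PrintNightmare heuristic path.
MACHINEGUID_SUFFIX = r"\cryptography\machineguid"
SPOOL_DRIVER_DIR = "\\spool\\drivers\\"

# Constructed events, not real telemetry. EventID 1/3/11 = Sysmon process
# create / network connect / file create; 4663 = Security object access.
SAMPLE_LOG = r'''
EventID="1" Computer="FS01" Image="C:\Windows\System32\svchost.exe" CommandLine="svchost.exe -k netsvcs"
EventID="11" Computer="FS01" Image="C:\Windows\System32\spoolsv.exe" TargetFilename="C:\Windows\System32\spool\drivers\x64\3\New\evil.dll"
EventID="1" Computer="FS01" Image="C:\mnt\smile.exe" CommandLine="C:\mnt\smile.exe" User="CORP\svc_backup"
EventID="4663" Computer="FS01" ProcessName="C:\mnt\smile.exe" ObjectName="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid"
EventID="1" Computer="FS01" Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin.exe delete shadows /all /quiet"
EventID="3" Computer="WS07" Image="C:\Users\jdoe\AppData\Local\Temp\upd.exe" DestinationIp="34.41.139.193" DestinationPort="443"
EventID="4663" Computer="WS07" ProcessName="C:\Windows\System32\wbem\WmiPrvSE.exe" ObjectName="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid"
'''

_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Turn one key="value" line into a dict; None for blank lines."""
    line = line.strip()
    if not line:
        return None
    return dict(_KV.findall(line))


def match_event(ev):
    """Return the (rule, technique) pairs a single event triggers."""
    hits = []
    eid = ev.get("EventID")
    image = ev.get("Image", ev.get("ProcessName", "")).lower()
    cmd = ev.get("CommandLine", "").lower()
    target = ev.get("TargetFilename", "").lower()

    if eid == "1" and image == ZEPPELIN_PATH:
        hits.append(("zeppelin_known_path", "T1486"))
    if eid == "1" and (("vssadmin" in cmd and "delete shadows" in cmd)
                       or "shadowcopy delete" in cmd):
        hits.append(("shadow_copy_deletion", "T1490"))
    if eid == "3" and ev.get("DestinationIp") == ZEPPELIN_IP:
        hits.append(("zeppelin_linked_ip", "infrastructure overlap (OTX)"))
    if eid == "4663" and ev.get("ObjectName", "").lower().endswith(MACHINEGUID_SUFFIX):
        hits.append(("machineguid_read", "T1082"))
    if (eid == "11" and image.endswith(r"\spoolsv.exe")
            and SPOOL_DRIVER_DIR in target and target.endswith(".dll")):
        hits.append(("spool_driver_dll_drop", "T1068"))
    return hits


def hunt(log_text):
    """Group hits per host and rate them.

    A MachineGuid read on its own is noise (WMI, installers and licensing code
    all read it), so it never raises a host above 'low' by itself; it only adds
    weight once a stronger rule has fired on the same host.
    """
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        for rule, technique in match_event(ev):
            per_host[ev.get("Computer", "?")].append((rule, technique))

    report = {}
    for host, hits in per_host.items():
        strong = {r for r, _ in hits} - {"machineguid_read"}
        severity = "high" if len(strong) >= 2 else "medium" if strong else "low"
        report[host] = {"severity": severity, "hits": hits}
    return report


if __name__ == "__main__":
    for host, info in hunt(SAMPLE_LOG).items():
        print(host, info["severity"], [r for r, _ in info["hits"]])
```

On the constructed sample, FS01 trips four rules (spool driver DLL drop, the known path, the MachineGuid read, and shadow copy deletion) and rates high; WS07 only has the linked IP plus a MachineGuid read from WmiPrvSE.exe and rates medium, which is the right outcome for an address shared with half a dozen other families.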
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.
Vanilla Tempest

While active as Vice Society, the threat actor was known for using multiple ransomware strains during attacks, including Hello Kitty/Five Hands and Zeppelin ransomware.

via BleepingComputer (bleepingcomputer.com)
MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

2 techniques
T1583.001 Acquire Infrastructure: Domains (evidence: 1)

joscramp[.]top plus 7 co-hosted domains registered via Dynadot.

T1583.004 Acquire Infrastructure: Server (evidence: 1)

Google Cloud VM with custom DNS/mail infrastructure.

Initial Access

1 technique
T1190 Exploit Public-Facing Application (evidence: 1)

The arrival vector likely involves the exploitation of a public-facing website or abuse of compromised remote desktop protocol (RDP) credentials.

Impact

1 technique
T1486 Data Encrypted for Impact (evidence: 2)

Vice Society actors have encrypted data on target systems or on large numbers of systems in a network to interrupt availability.

INDICATORS OF COMPROMISE

IOCs tracked for this family

20 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
20 tracked

IPs, domains, and DNS infrastructure linked to this family.

Type | Value | Latest sighting
domain | ●●●●●●●●●●●● | 2 months ago
ip.v4 | ●●●●●●●●●●●● | 2 months ago
domain | ●●●●●●●●●●●● | 3 months ago
domain | ●●●●●●●●●●●● | 3 months ago
domain | ●●●●●●●●●●●● | 3 months ago
domain | ●●●●●●●●●●●● | 3 months ago