Mallory
Malware / Ransomware / Used by 1 actor

Avaddon

Avaddon is a ransomware family and ransomware-as-a-service (RaaS) operation first observed in June 2020. The content describes it as initially distributed through large-scale spam campaigns, including four campaigns identified by Proofpoint in 2020 that accounted for about one million messages and 95% of first-stage ransomware email payloads observed in that period. Later reporting cited in the content states that Avaddon operators increasingly obtained initial access through remote access portals such as RDP and VPN rather than through email. Avaddon has also been executed through a malicious JScript downloader.

Behaviorally, Avaddon performs language and keyboard-layout checks to avoid targeting Commonwealth of Independent States (CIS) entities. It attempts to stop anti-malware solutions and has been associated with broader defense-impairment tradecraft, including abuse of legitimate rootkit-removal tooling. It deletes backups and shadow copies using native Windows tools, specifically including wmic.exe for shadow copy deletion. Technical reporting in the content states that Avaddon stores host and encryption metadata in an in-memory JSON blob, and that early versions used a single AES-256 key per execution while later versions shifted to a unique AES key per file, with each per-file session key RSA-encrypted and stored in the file's footer. Earlier builds reportedly included a CMSTPLUA COM-interface UAC bypass that was later removed, and later versions added a "-safe" option to reboot victims into Safe Mode before encryption. Samples from April 2021 reportedly added IOCompletionPort-based multithreading.

The content further notes similarities between Avaddon and MEDUSALOCKER, Ako, ThunderX, and RANZY, including shared implementation characteristics and overlapping ransomware ecosystem features, though direct lineage remains unclear. Avaddon is described as having operated for about a year, gaining popularity across multiple regions and industries, and later shutting down while releasing victims’ private keys. It used a leak site referred to as "Avaddon Info," and the content places it among groups that used double- or triple-extortion tactics. Additional reporting cited in the content says Avaddon used First VPN Service infrastructure for network reconnaissance and intrusions, and one infrastructure analysis linked several IPs to prior Avaddon-associated activity in February 2023. The content also notes reporting that NoEscape was alleged to be a rebrand of Avaddon, but that claim is presented as reported attribution rather than established fact.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

RIDDLE SPIDER

"June 1, 2020 RIDDLE SPIDER's Avaddon"

via CrowdStrike blog (go.crowdstrike.com)
MITRE ATT&CK

Techniques & procedures

16 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1133 External Remote Services (Evidence: 1)

The ransomware operators obtained initial access via remote access portals such as RDP and VPN, a pivot away from direct email access.

Execution

2 techniques
T1047 Windows Management Instrumentation (Evidence: 2)

The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'

T1059.007 JavaScript (Evidence: 1)

AppleSeed has the ability to use JavaScript to execute PowerShell. APT32 has used JavaScript for drive-by downloads and C2 communications. Astaroth uses JavaScript to perform its core functionalities.

Persistence

3 techniques
T1112 Modify Registry (Evidence: 5)

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

T1133 External Remote Services (Evidence: 1)

The ransomware operators obtained initial access via remote access portals such as RDP and VPN, a pivot away from direct email access.

T1547.001 Registry Run Keys / Startup Folder (Evidence: 4)

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.

Privilege Escalation

2 techniques
T1547.001 Registry Run Keys / Startup Folder (Evidence: 4)

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.

T1548.002 Bypass User Account Control (Evidence: 4)

Avaddon modifies several registry keys for persistence and UAC bypass. LockBit 2.0 can create Registry keys to bypass UAC and for persistence. Lokibot has modified the Registry as part of its UAC bypass process.

Stealth

2 techniques
T1027 Obfuscated Files or Information (Evidence: 4)

The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.

T1140 Deobfuscate/Decode Files or Information (Evidence: 4)

The content repeatedly describes malware and threat actors decoding, decrypting, deobfuscating, or unpacking payloads, strings, configuration data, commands, and C2 responses prior to execution or use.

Defense Impairment

1 technique
T1112 Modify Registry (Evidence: 5)

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

Discovery

4 techniques
T1016 System Network Configuration Discovery (Evidence: 3)

The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.

T1057 Process Discovery (Evidence: 2)

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

T1083 File and Directory Discovery (Evidence: 3)

The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").

T1614.001 System Language Discovery (Evidence: 2)

Avaddon checks for specific keyboard layouts and OS languages to avoid targeting Commonwealth of Independent States (CIS) entities... Bazar can perform a check to ensure that the operating system's keyboard and language settings are not set to Russian... Clop has checked the keyboard language using the GetKeyboardLayout() function... Ryuk has been observed to query the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language and the value InstallLanguage.

Impact

2 techniques
T1486 Data Encrypted for Impact (Evidence: 2)

Numerous ransomware/wiper examples enumerate files before encryption, such as "BlackCat can enumerate files for encryption", "NotPetya searches for files ending with dozens of different file extensions prior to encryption", and "WastedLocker can enumerate files and directories just prior to encryption."

T1490 Inhibit System Recovery (Evidence: 3)

Examples include 'Avaddon uses wmic.exe to delete shadow copies,' 'BlackCat can use wmic.exe to delete shadow copies on compromised networks,' and 'WannaCry utilizes wmic to delete shadow copies.'
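As an added detection example (not Mallory's content and not any vendor's published rule), the following Python hunts over constructed Sysmon-style events for the two Avaddon-associated behaviours documented on this page: shadow copy deletion via wmic.exe (T1490, this entry) and Run/RunOnce key writes (T1547.001, above). The events, file paths and SIDs are constructed for the example; the vssadmin pattern is a generalization beyond what the page states about Avaddon, and the severity heuristic (flagging Run-key values that point into user-writable directories) is the author's own choice, not something the page describes.

```python
"""Hunt constructed Sysmon-style events for two ransomware behaviours:
shadow copy deletion (T1490) and Run/RunOnce persistence (T1547.001).
Added example code; field names mirror Sysmon Event ID 1 (process create)
and Event ID 13 (registry value set)."""
import json
import re
from typing import Iterable, List, Optional

# Constructed events (not real telemetry). Paths and SIDs are made up.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
                "CommandLine": "wmic.exe shadowcopy delete",
                "ParentImage": r"C:\Users\victim\AppData\Local\Temp\sys.exe"}),
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
                "CommandLine": "vssadmin.exe delete shadows /all /quiet",
                "ParentImage": r"C:\Windows\System32\cmd.exe"}),
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
                "CommandLine": "wmic os get caption",   # benign WMIC use
                "ParentImage": r"C:\Windows\System32\cmd.exe"}),
    json.dumps({"EventID": 13, "Image": r"C:\Users\victim\AppData\Local\Temp\sys.exe",
                "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\update",
                "Details": r"C:\Users\victim\AppData\Local\Temp\sys.exe"}),
    json.dumps({"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
                "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cleanup",
                "Details": r"C:\Windows\System32\cleanmgr.exe"}),
    json.dumps({"EventID": 13, "Image": r"C:\Windows\explorer.exe",
                "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
                "Details": "DWORD (0x00000001)"}),
]

# Command-line shapes for shadow copy deletion. The wmic form is the one this
# page attributes to Avaddon; vssadmin is added as a common sibling.
SHADOW_DELETE = [
    (re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I), "wmic shadowcopy delete"),
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I), "vssadmin delete shadows"),
]
# Run / RunOnce under any hive (HKCU, HKLM, HKU\<sid>).
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)
# Value data pointing into user-writable locations is the higher-signal case.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)


def detect_shadow_copy_deletion(event: dict) -> Optional[dict]:
    """T1490: process creation whose command line deletes volume shadow copies."""
    if event.get("EventID") != 1:
        return None
    cmd = event.get("CommandLine", "")
    for pattern, label in SHADOW_DELETE:
        if pattern.search(cmd):
            return {"technique": "T1490", "rule": label, "severity": "high",
                    "image": event.get("Image"), "parent": event.get("ParentImage"),
                    "detail": cmd}
    return None


def detect_run_key_persistence(event: dict) -> Optional[dict]:
    """T1547.001: registry value set under a Run or RunOnce key.

    Legitimate installers write these keys constantly, so the finding is only
    rated high when the value data points into a user-writable directory."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "")
    if not RUN_KEY.search(target):
        return None
    data = event.get("Details", "")
    severity = "high" if USER_WRITABLE.search(data) else "low"
    return {"technique": "T1547.001", "rule": "run key write", "severity": severity,
            "image": event.get("Image"), "detail": f"{target} = {data}"}


RULES = (detect_shadow_copy_deletion, detect_run_key_persistence)


def hunt(lines: Iterable[str]) -> List[dict]:
    """Run every rule over JSON-lines events; malformed lines are skipped, not fatal."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        for rule in RULES:
            hit = rule(event)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']:>4}] {f['technique']} {f['rule']}: {f['detail']}")
```

Run against the constructed events, the hunt returns four findings: both shadow copy deletions at high severity, the Run-key write from a Temp directory at high severity, and the RunOnce write pointing at a System32 binary at low severity; the benign `wmic os get caption` and the unrelated Explorer registry write produce nothing. In production the parent-process field is the natural next pivot: a wmic shadowcopy delete spawned from a user-profile path is far more suspicious than the same command from an administrator's console.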

Other

2 techniques
T1562 Impair Defenses (Evidence: 6)

The content repeatedly describes threat actors and malware disabling, stopping, uninstalling, or modifying antivirus, EDR, Windows Defender, AMSI, logging, and other security controls.

T1562.001 Disable or Modify Tools (Evidence: 4)

Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities... killing security software processes or services, modifying / deleting Registry keys or configuration files... Adversaries may also disable updates...

ACTIVITY FEED

Recent activity

45 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (1)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (16)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.