MrAgent
MrAgent is a management, deployment, and persistence utility used by the RansomHouse ransomware-as-a-service operation; the cited sources also associate it with Jolly Scorpius. It is used alongside the Mario ESXi ransomware and is designed to automate and track ransomware deployment at scale, particularly across VMware ESXi hypervisors and virtualized environments; the sources also state it has been used to target both Windows and Linux-based systems.

Reported behavior includes establishing persistent connections to attacker command-and-control servers, identifying hosts, retrieving local IP and host inventory, collecting hypervisor and virtual machine information, disabling the ESXi firewall, executing received commands, and orchestrating Mario ransomware execution to encrypt critical VM files. Described C2 communications use JSON over sockets with a passphrase and heartbeat messages, and the documented commands are info, config, exec, run, remove, abort, abort_f, quit, and welcome. Exec-related actions are reported to include changing the root password, stopping vCenter remote management via /etc/init.d/vpxa stop, and starting VM encryption.

A Windows variant with broadly similar logic is also described, with some ESXi-specific functionality removed and several functions implemented through PowerShell, including log clearing and file removal. MrAgent is central to large-scale attacks against ESXi infrastructure, which RansomHouse affiliates target to encrypt many virtual machines simultaneously.

Associated indicators explicitly mentioned in the sources are the ESXi MrAgent SHA-256 8189c708706eb7302d7598aeee8cd6bdb048bf1a6dbe29c59e50f0a39fd53973 and the Windows MrAgent SHA-256 bfc9b956818efe008c2dbf621244b6dc3de8319e89b9fa83c9e412ce70f82f2c.
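The behaviors summarized above translate directly into host-side detection content. The following is an added example written for this page; it is not code from the page, from Mallory, or from any vendor. It scans constructed command-telemetry lines (format and host names are invented here) for the operator actions the sources attribute to MrAgent and checks SHA-256 digests against the two IOCs listed above. The `esxcli network firewall set --enabled false` syntax and the `wevtutil cl` verb are the standard commands for the actions the page names; the page itself quotes only "disabling the ESXi firewall" and "wevtutil", so those two patterns are assumptions.

```python
"""Defender-side triage for the MrAgent behaviours described on this page.

Added example, not code from the page or from Mallory. Input lines are
constructed; the only page-derived values are the two SHA-256 IOCs,
the /etc/init.d/vpxa stop command and the ./shmv file name.
"""
import hashlib
import re
from dataclasses import dataclass

# SHA-256 values quoted on the page for the two MrAgent builds.
MRAGENT_SHA256 = {
    "8189c708706eb7302d7598aeee8cd6bdb048bf1a6dbe29c59e50f0a39fd53973": "MrAgent (ESXi)",
    "bfc9b956818efe008c2dbf621244b6dc3de8319e89b9fa83c9e412ce70f82f2c": "MrAgent (Windows)",
}

# Behaviours the page attributes to MrAgent, as regexes over command text.
# The esxcli firewall syntax and the wevtutil 'cl' verb are the standard
# commands for the actions named on the page (assumed here, not quoted there).
BEHAVIOUR_PATTERNS = [
    ("esxi_firewall_disabled",
     re.compile(r"esxcli\s+network\s+firewall\s+set\s+.*--enabled\s+false")),
    ("vpxa_stopped", re.compile(r"/etc/init\.d/vpxa\s+stop")),
    ("root_password_changed", re.compile(r"\bpasswd\s+root\b")),
    ("file_or_self_removal", re.compile(r"\brm\s+-r?f\b")),        # 'rm -rf FILE' / 'rm -f'
    ("windows_log_cleared", re.compile(r"\bwevtutil\s+cl\b", re.I)),
    ("windows_file_removed", re.compile(r"\bRemove-Item\b", re.I)),
]


@dataclass(frozen=True)
class Finding:
    host: str
    behaviour: str
    command: str


def scan_command_log(lines):
    """Return one Finding per line matching a documented behaviour.

    Constructed line format: '<host> <timestamp> <command...>'. Lines that
    do not have all three fields are skipped rather than raising.
    """
    findings = []
    for raw in lines:
        parts = raw.strip().split(" ", 2)
        if len(parts) < 3:
            continue
        host, _ts, cmd = parts
        for name, pattern in BEHAVIOUR_PATTERNS:
            if pattern.search(cmd):
                findings.append(Finding(host, name, cmd))
    return findings


def behaviours_by_host(findings):
    """Map each host to the sorted list of distinct behaviours seen on it."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f.host, set()).add(f.behaviour)
    return {host: sorted(names) for host, names in per_host.items()}


def flag_hosts(findings, threshold=2):
    """Hosts showing at least `threshold` distinct behaviours.

    A lone 'rm -f' is routine on an ESXi shell; firewall disable plus
    vpxa stop plus a root password change on one host is the combination
    the page describes and is worth paging on.
    """
    return sorted(h for h, names in behaviours_by_host(findings).items()
                  if len(names) >= threshold)


def classify_sha256(hexdigest):
    """Return the IOC label for a digest, or None if it is not a known build."""
    return MRAGENT_SHA256.get(hexdigest.strip().lower())


def classify_bytes(data):
    """Hash file contents and classify them against the page's IOCs."""
    return classify_sha256(hashlib.sha256(data).hexdigest())


# Constructed sample telemetry (hosts, timestamps and ordering are invented).
SAMPLE_LOG = [
    "esxi-01 2024-01-01T10:00:01Z esxcli network firewall set --enabled false",
    "esxi-01 2024-01-01T10:00:05Z /etc/init.d/vpxa stop",
    "esxi-01 2024-01-01T10:00:09Z passwd root",
    "esxi-02 2024-01-01T10:02:00Z ls -la /vmfs/volumes",
    "esxi-02 2024-01-01T10:02:30Z rm -f ./shmv",
    "win-fs-01 2024-01-01T10:05:00Z wevtutil cl Security",
]

if __name__ == "__main__":
    found = scan_command_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.host:10} {f.behaviour:24} {f.command}")
    print("flagged hosts:", flag_hosts(found))
```

Run against real data by replacing `SAMPLE_LOG` with ESXi shell-history entries and Windows process-creation command lines normalized to the same three-field shape; the per-host threshold is what keeps single routine `rm -f` invocations from paging anyone.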
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
RansomHouse is a sophisticated ransomware-as-a-service (RaaS) group known for deploying a unique ransomware variant called Mario ESXi, whose code shares lineage with the leaked Babuk ransomware source code, alongside a tool called MrAgent to target both Windows and Linux-based virtualized environments.
Techniques & procedures
10 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
The group typically targets VMware ESXi infrastructure and exploits weak domain credentials and monitoring systems to gain privileged access.
“The threat actor eventually revealed the attack on the victim's network started with an exploit in CITRIX remote access software…” / “Exploit Public-Facing Application Initial compromise through an exploit in Citrix”
Execution
1 technique
“Run… used to run arbitrary commands on the ESXi host… written to the file ‘./shmv’ … executed.” / “several functions… replaced by PowerShell alternatives… wevtutil… Remove-Item… Get-WmiObject…”
Persistence
2 techniques
The group typically targets VMware ESXi infrastructure and exploits weak domain credentials and monitoring systems to gain privileged access.
Privilege Escalation
2 techniques
The group typically targets VMware ESXi infrastructure and exploits weak domain credentials and monitoring systems to gain privileged access.
Stealth
3 techniques
“Remove… remove a file… ‘rm -rf FILE’” / “Files are removed… PowerShell Remove-Item” / “Quit… kill and remove the binary… ‘rm -f’”
Discovery
2 techniques
“Retrieve the local IP address… Retrieve the MAC address…” / “System Network Configuration Discovery Retrieves MAC and IP address…”
Lateral Movement
1 technique
“…started with an exploit in CITRIX remote access software and VMware ESXi infrastructure… They exploited vulnerabilities in the virtualisation servers…”
Command and Control
1 technique
“Messages to and from the command & control server are transmitted as JSON encoded strings…” / “Application Layer Protocol Utilized MrAgent for bot communication”
Other
1 technique
Recent activity
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A tool used alongside Mario ESXi to target Windows and Linux-based virtualized environments.
MrAgent is a tool used by the RansomHouse group to automate attacks on VMware ESXi hypervisors, enabling rapid and large-scale encryption of virtualized environments.
MrAgent is a management utility used by the RansomHouse operation to establish persistent C2 connections on compromised ESXi hosts, automate deployment of ransomware payloads (such as Mario), and execute system commands for lateral movement and persistence.
MrAgent is a deployment and persistence utility used by RansomHouse to facilitate ransomware deployment and maintain access within compromised environments, particularly targeting virtual infrastructure.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.