
Lucky_Gh0$t

Lucky_Gh0$t is a Windows ransomware family identified in early 2025 and described as a variant of Yashma, itself the sixth iteration of the Chaos ransomware series. The reporting summarized here characterizes Lucky_Gh0$t as a Chaos/Yashma-family variant with only minor modifications to the ransomware binary, and notes that it marks a shift toward more destructive behavior. It is distinct from the separate ransomware-as-a-service group, also named Chaos, that emerged in 2025.

Observed distribution relied on fake AI-tool installers, notably a self-extracting archive posing as a ChatGPT installer under filenames such as "ChatGPT 4.0 full version - Premium.exe." The campaign used SEO poisoning, Telegram, and social media or messenger channels to reach victims. The package contained the ransomware executable dwn.exe, named to resemble the legitimate Windows process dwm.exe (Desktop Window Manager), bundled alongside legitimate Microsoft open-source AI tools from GitHub so that the archive appeared trustworthy and was less likely to draw scrutiny from users or detection tools.

Lucky_Gh0$t retains the Yashma capabilities, including its evasion techniques, deletion of volume shadow copies and backups, and hybrid AES-256/RSA-2048 encryption. Its file handling is size-dependent. Files smaller than approximately 1.2 GB are encrypted and renamed with a random 4-character alphanumeric extension. For files larger than approximately 1.2 GB, Lucky_Gh0$t creates a replacement file of the same size whose content is a single question mark character, appends a random 4-character extension, and deletes the original. Because the placeholder contains no ciphertext, no decryption key can recover files above the threshold; with shadow copies and backups also deleted, they are recoverable only from offline or off-host backups. Ransom notes include a personal ID and instruct victims to contact the operator through getsession[.]org using a unique session ID.
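The size-dependent handling above matters during recovery triage: an AES-encrypted file and a "?" placeholder both carry a random 4-character extension, but only the former can ever be decrypted. The following Python script is an added example (not code from the page or from the Talos reporting it summarizes) that walks a directory, picks out files with a 4-character extension, and separates high-entropy ciphertext from low-entropy placeholders. The sample files it writes are constructed, the placeholder layout (a leading "?" followed by padding) is an assumption, and the placeholders are far smaller than the multi-gigabyte originals the real behavior targets.

```python
import math
import os
import re
import tempfile
from collections import Counter

# Behaviour summarized in the text: every touched file gets a random 4-character
# alphanumeric extension; files under ~1.2 GB are AES/RSA-encrypted, larger ones
# are replaced by a same-sized placeholder whose content is a single "?" and the
# original is deleted. The threshold is "approximately 1.2 GB" per the reporting.
SIZE_THRESHOLD = int(1.2 * 1024 ** 3)
RANDOM_EXT = re.compile(r"\.[A-Za-z0-9]{4}$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: AES ciphertext sits near 8.0, a '?'-padded file near 0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def size_says(size: int) -> str:
    """Verdict the reported size rule predicts, for cross-checking classify()."""
    return "destroyed" if size > SIZE_THRESHOLD else "encrypted"


def classify(path: str, sample_bytes: int = 1 << 20) -> str:
    """Return 'destroyed', 'encrypted' or 'unknown' for one renamed file.

    Only the first sample_bytes are read, so the check stays cheap on the
    multi-gigabyte files the destructive path targets. Assumption: the
    placeholder starts with '?' and the remainder is '?' or NUL padding.
    """
    with open(path, "rb") as fh:
        head = fh.read(sample_bytes)
    ent = shannon_entropy(head)
    if head[:1] == b"?" and ent < 1.0:
        return "destroyed"      # nothing to decrypt; restore from offline backup
    if ent > 7.5:
        return "encrypted"      # recoverable only with the operator's RSA key
    return "unknown"            # e.g. a legitimate 4-letter extension (.json)


def triage(root: str) -> dict:
    """Walk root and classify every file whose name ends in a 4-char extension."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if RANDOM_EXT.search(name):
                path = os.path.join(dirpath, name)
                results[os.path.relpath(path, root)] = classify(path)
    return results


def build_sample(root: str) -> dict:
    """Write constructed sample files (not real victim data) and return the
    verdict each should receive. Placeholder is 64 KiB, not a same-size copy."""
    samples = {
        "report.docx.k3Qz": (os.urandom(65536), "encrypted"),          # AES-like
        "video.mp4.Xy9A": (b"?" + b"\x00" * 65535, "destroyed"),       # '?' placeholder
        "config.json": (b'{"key": "value"}\n' * 256, "unknown"),       # benign 4-char ext
    }
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"untouched, 3-char extension, never inspected\n")
    expected = {}
    for name, (content, verdict) in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
        expected[name] = verdict
    return expected


def demo() -> tuple:
    """Build the sample tree in a temp dir and return (observed, expected)."""
    root = tempfile.mkdtemp(prefix="luckyghost_triage_")
    expected = build_sample(root)
    return triage(root), expected


if __name__ == "__main__":
    observed, expected = demo()
    for name, verdict in sorted(observed.items()):
        print(f"{verdict:10} {name}")
    print("consistent" if observed == expected else "MISMATCH")
```

The extension pattern alone is noisy (.docx, .json and .xlsx all match), which is why the verdict rests on entropy rather than the filename; anything that lands in "unknown" deserves a manual look rather than a restore decision.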

The malware has been documented in campaigns abusing interest in AI tools and was highlighted alongside other threats such as CyberLock and Numero. Reporting noted elevated risk to users and organizations in B2B sales, technology, and marketing sectors because the impersonated AI tools are popular in those environments.


MITRE ATT&CK

Techniques & procedures

9 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

2 techniques
T1583 Acquire Infrastructure (evidence: 1)

Seven campaigns used paid search ads or search engine poisoning. The technique is straightforward: buy an ad for "install [AI tool]" and serve a convincing clone.

T1608.006 SEO Poisoning (evidence: 1)

Threat actors are employing a variety of techniques and channels to distribute these fraudulent installers, including SEO-poisoning tactics to manipulate search engine rankings and cause their malicious websites or download links to appear at the top of search engine results.

Initial Access

1 technique
T1566.002 Spearphishing Link (evidence: 2)

Threat actors are employing a variety of techniques and channels to distribute these fraudulent installers... as well as platforms such as Telegram or social media messengers.

Execution

1 technique
T1204.002 Malicious File (evidence: 1)

A fake "ChatGPT 4.0 Premium" installer delivers Lucky_Gh0$t ransomware to Windows users once run; it is distributed through Telegram and social media channels.

Defense Evasion

1 technique
T1036 Masquerading (evidence: 2)

Cisco Talos has discovered new threats, including the ransomware CyberLock, Lucky_Gh0$t, and a newly-discovered malware we call “Numero,” all of which masquerade as legitimate AI tool installers.

Collection

1 technique
T1560 Archive Collected Data (evidence: 1)

When a user downloads the fake AI product as a ZIP archive, it contains a .NET executable with the file name ‘NovaLeadsAI.exe’.

This evidence describes the delivery archive of a different installer in the same reporting (NovaLeadsAI.exe), not the packaging of data collected from a victim; for Lucky_Gh0$t the only archive documented on this page is the self-extracting installer described above.

Impact

3 techniques
T1485 Data Destruction (evidence: 2)

For the targeted files with a size larger than 1.2GB, the ransomware creates a new file the same size of the original file and writes a single character “?” as the file content... deletes the original file, exhibiting destructive behavior.

T1486 Data Encrypted for Impact (evidence: 3)

It encrypts the targeted files using AES and appends the file extension ‘.cyberlock’ to the encrypted files.

The ‘.cyberlock’ extension belongs to CyberLock, reported alongside this family; Lucky_Gh0$t itself uses hybrid AES-256/RSA-2048 encryption and appends a random 4-character alphanumeric extension to files below the roughly 1.2 GB threshold.

T1490 Inhibit System Recovery (evidence: 1)

Lucky_Gh0$t ransomware is the Yashma ransomware variant with most features unchanged, including the evasion techniques, deleting the volume shadow copies and backups...
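Two of the behaviours mapped above are directly huntable in process-creation telemetry: the dwn.exe/dwm.exe masquerade (T1036) and the shadow-copy and backup deletion (T1490). The following Python script is an added example, not code from the page or from the Talos reporting, that runs both checks over constructed Sysmon-style events. It generalizes the masquerade to any image name one edit away from a protected system binary, or a protected name running outside the Windows system directories. The recovery-inhibition command lines are those typical of the Chaos/Yashma lineage and are an assumption here; the page does not quote Lucky_Gh0$t's exact commands.

```python
import ntpath
import re

# Windows system binaries that lure installers imitate. Lucky_Gh0$t's payload is
# named dwn.exe to resemble dwm.exe (Desktop Window Manager); the rule below
# flags any basename one edit away from a protected name, or a protected name
# executing from outside the Windows system directories.
PROTECTED = {"dwm.exe", "svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe"}
WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Recovery-inhibition command lines typical of the Chaos/Yashma lineage
# (assumed here; the page does not quote Lucky_Gh0$t's exact commands).
RECOVERY_RULES = {
    "vssadmin_delete_shadows": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "bcdedit_recovery_off": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
        r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "wbadmin_delete_catalog": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
}

# Constructed Sysmon Event ID 1 style records, not real telemetry.
LURE = "C:\\Users\\alice\\Downloads\\ChatGPT 4.0 full version - Premium\\"
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\dwm.exe", "CommandLine": "dwm.exe"},
    {"Image": LURE + "dwn.exe", "CommandLine": '"' + LURE + 'dwn.exe"'},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures"
                    " & bcdedit /set {default} recoveryenabled no"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c wbadmin delete catalog -quiet"},
    {"Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin list shadows"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\dwm.exe", "CommandLine": "dwm.exe"},
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; dwn.exe vs dwm.exe is 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def masquerade_alert(image: str):
    """T1036: lookalike of a protected name, or protected name in the wrong place."""
    name = ntpath.basename(image).lower()
    if name in PROTECTED:
        return None if image.lower().startswith(WINDOWS_DIRS) else "protected_name_outside_windows_dir"
    for legit in PROTECTED:
        if edit_distance(name, legit) == 1:
            return f"lookalike_of:{legit}"
    return None


def recovery_alerts(cmdline: str) -> list:
    """T1490: names of every recovery-inhibition rule the command line matches."""
    return [rule for rule, rx in RECOVERY_RULES.items() if rx.search(cmdline)]


def scan(events: list) -> list:
    """Return sorted (event_index, rule) pairs across both checks."""
    alerts = []
    for i, ev in enumerate(events):
        hit = masquerade_alert(ev["Image"])
        if hit:
            alerts.append((i, hit))
        alerts.extend((i, rule) for rule in recovery_alerts(ev.get("CommandLine", "")))
    return sorted(alerts)


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}  <- {SAMPLE_EVENTS[idx]['CommandLine']}")
```

The benign `vssadmin list shadows` and the real dwm.exe under System32 produce nothing, while the lure's dwn.exe, the three recovery-inhibition command lines, and a dwm.exe launched from a user's Temp directory each raise an alert. The one-edit lookalike rule will also fire on typosquats of the other protected names, so tune the set to the binaries your environment actually runs.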
