Egregor Ransomware Used Cobalt Strike and Rclone in Double-Extortion Attacks
The Egregor ransomware operation carried out double-extortion attacks by stealing sensitive data, encrypting victim systems, and threatening to publish stolen information on a leak site if victims refused to pay. Researchers linked Egregor to an ecosystem associated with Sekhmet and possible former Maze affiliates, with additional reported ties to ProLock and LockBit. Victims cited in reporting included GEFCO, Barnes & Noble, and Ubisoft, while the group’s leak site reportedly listed 152 victim companies across industries including information technology, construction, retail, consumer goods, and automotive.
Intrusions commonly began with phishing or RDP exploitation, after which attackers used Cobalt Strike for payload delivery and in some cases leveraged QBot and living-off-the-land tools such as bitsadmin. The malware used heavily obfuscated DLL payloads with Salsa20-encrypted configuration data, required a sample-specific launch key passed with the -p parameter, and encrypted files with ChaCha and RSA-2048. Researchers also observed the group using Rclone with attacker-supplied configuration data to exfiltrate stolen files, while the ransomware appeared to avoid encrypting systems configured with several CIS-region languages.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Egregor ransomware becomes active
The Egregor ransomware family was active starting in mid-September 2020. The group was described as an offshoot of Sekhmet and linked by multiple security firms to former Maze affiliates, with possible ties to ProLock and LockBit.
Egregor leak site lists 152 victim companies
As of 2020-11-24, Egregor's leak site reportedly listed 152 victim companies across multiple industries worldwide. Information technology, construction, retail, consumer goods, and automotive were the most frequently represented sectors.
Sources
1 reference tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Maze Ransomware Expanded Double-Extortion Tactics and Targeted Intrusions
The **Maze** ransomware operation evolved from earlier exploit-kit activity associated with “ChaCha ransomware” into a prominent double-extortion threat that stole data before encrypting systems and then pressured victims by publishing stolen files on dedicated leak sites. Operators built a public reputation around naming victims, courting media attention, and using data exposure as leverage to increase the likelihood of ransom payments. Maze infections were delivered through multiple channels, including spam campaigns impersonating government tax agencies and later more targeted compromises through **Remote Desktop Protocol (RDP)** access and network exploitation. Sophos reported that the malware used heavy obfuscation, anti-analysis checks, persistence mechanisms, system and network reconnaissance, **HTTP POST** data exfiltration, and file encryption based on **RSA** and **ChaCha20**, while also showing selective behavior such as adjusting demands for home versus corporate systems and easing pressure in some medical-sector cases during COVID-19.
Jan 1, 2026
Crypt Ghouls Used Shared Ransomware Tooling Against Russian Organizations
Researchers reported that a ransomware group tracked as **Crypt Ghouls** targeted Russian businesses and government agencies across mining, energy, finance, retail, and public-sector organizations. The group reportedly gained initial access through compromised contractor VPN credentials, then established persistence with **NSSM** and **Localtonet**, harvested credentials using **XenAllPasswordPro** and **Mimikatz**, and expanded access with reconnaissance and lateral-movement tools including **PingCastle**, **SoftPerfect Network Scanner**, **WMI**, **Impacket** `WmiExec.py`, and **PAExec`. The attackers deployed **LockBit 3.0** on Windows systems and **Babuk** on Linux and **ESXi** environments, indicating a multi-platform ransomware capability. Researchers also found overlaps in tooling, infrastructure, and tactics with activity linked to **MorLock**, **BlackJack**, **Twelve**, and **Shedding Zmiy/(Ex)Cobalt**, suggesting collaboration, shared tooling, or intelligence exchange among multiple groups focused on Russian targets.
May 21, 2026
Maze Ransomware Expanded Double-Extortion Attacks Against Enterprises
The Maze ransomware operation escalated from file encryption to **double extortion**, stealing data from victims and threatening public leaks unless ransom demands were paid. Sophos reported that the group spent roughly a year refining this model, using intrusions against enterprise networks to maximize pressure on organizations already facing operational disruption from ransomware. The campaign helped normalize a tactic that later spread widely across the ransomware ecosystem: combining encryption with data theft and public shaming to force payment. Maze’s activity showed how ransomware groups were evolving into full-scale extortion operations, increasing legal, financial, and reputational risk for affected companies beyond the immediate impact of locked systems.
May 25, 2026