Makop ransomware: GuLoader and privilege escalation in attacks against Indian businesses

Authors: Ilia Dafchev, Darrel Virtusio

Summary

Makop, a ransomware strain derived from Phobos, continues to exploit exposed RDP systems while adding new components such as local privilege escalation exploits and loader malware to its traditional toolkit.

The attack typically begins with RDP exploitation, followed by the staging of network scanners, lateral movement tools and privilege escalation exploits, before moving to encryption or stopping if the attackers cannot bypass the security solution in place.

The attackers use a mix of off-the-shelf tools including network scanners, AV killers and numerous local privilege escalation exploits, along with deceptive file naming to avoid detection.

GuLoader, a downloader type of trojan, is used to deliver secondary payloads, indicating an evolution in Makop’s methodology by integrating more techniques to bypass security measures and additional malware delivery mechanisms.

The majority of attacks (55%) target organizations in India, while incidents are also reported in Brazil, Germany and other regions.

Introduction

Makop is a ransomware strain first observed around 2020 and is generally treated as a variant of the Phobos family. Recently, Acronis TRU researchers identified new activity and tooling associated with Makop, prompting a deeper investigation into several recent ransomware cases to better understand how its operators conduct their attacks.

The pattern which emerged was that attackers prefer to work in a low complexity and low effort manner. Most victims were compromised through RDP and frequently after that attackers use off-the-shelf tools for discovery and lateral movement such as network scanners, local privilege escalation exploits (LPE) for privilege escalation, AV killers such as vulnerable drivers, process terminators, targeted uninstall software, credential access tools such as Mimikatz, and other steps from the kill chain.

What was interesting to see was their collection of local privilege escalation exploits and that on a few occasions we saw GuLoader being used. GuLoader is a loader type of malware that was first discovered in late 2019 and is known for delivering different types of second-stage malware. It is known to drop malware such as AgentTesla, FormBook, XLoader, Lokibot and more.

Makop’s toolbox

The flow of Makop’s attacks generally follows a familiar pattern. The ransomware operators gain initial access by exploiting publicly exposed and insecure remote desktop protocol (RDP) services. They commonly rely on brute-force or dictionary attacks to crack weak or reused credentials. Once inside, the attackers stage their tools for network scanning, privilege escalation, disabling security software, credential dumping, then ultimately deploying the encryptor.

Following the initial staging phase, attackers proceed with discovery, defense evasion, privilege escalation and lateral movement, although the steps do not always occur in a specific order. In some incidents, attackers quit after their tooling gets detected by the security solution. But sometimes they show an additional effort to bypass the security solution by using VMProtect packed samples of the same tools or disable the security solution, either by manually trying to uninstall it or by using hacking tools. If at this point they also fail, they then quit and leave the victim.

The observed execution chain used by Makop operators in their recent attacks is illustrated in the diagram below.

Makop’s toolbox

Makop’s tool is most frequently dropped either in network-mounted RDP shares (like “\\tsclient\”) or inside user’s Music directory. Although in some cases attackers also used Downloads, Desktop, Documents directory or in the root of the C: drive. Frequently subfolders had names like “Bug” or “Exp.” The encryptor binary itself also typically uses one of the following filenames: bug_osn.exe, bug_hand.exe, 1bugbug.exe, bugbug.exe, taskmgr.exe, mc_osn.exe, mc_hand.exe and variants of those prefixed with a dot (e.g. “.taskmgr.exe”).

Initial access

Makop operators are known to exploit weak RDP credentials to gain access to victims’ environment. RDP is a favored way by cybercriminals to compromise organizations because many of these organizations are still using weak credentials and are lacking multifactor authentication (MFA), making them susceptible to brute force attacks, one of the common tactics by ransomware groups.

During our investigation, we specifically spotted the use of NLBrute. It is an old hacking tool that was being sold on cybercrime forums way back in 2016. Not too long after its debut, a cracked version of NLBrute appeared which made it become widely used by cybercriminals.

NLBrute requires information such as a list of target IP addresses that have exposed RDP (often on the default port 3389, though this may be custom) alongside lists of known usernames and passwords to be used for brute force attacks like dictionary attacks or password spraying. Although RDP exploitation isn’t the most sophisticated intrusion, it is still one of the most effective techniques that enable ransomware attacks. Once Makop operators successfully gain access through RDP, they can begin to laterally move through the organization’s infrastructure and maximize its impact.

Network scanning and lateral movement

For discovery and lateral movement, multiple tools appeared in our telemetry. NetScan was used most often, with Advanced IP Scanner serving as an alternative in other cases.

Advanced IP Scanner scans local networks to identify active hosts and open services, helping attackers map targets for lateral movement.

Threat actors have combined these tools with Advanced Port Scanner and Masscan for port scanning tools. These tools are commonly used by the threat actors to enumerate network and infrastructure and locate high-value hosts and services to support lateral movement activities. It’s not only that these tools are highly effective, but they can also blend in with legitimate admin activity.

Defense evasion

Several AV killers were spotted being used by the operators, including tools like Defender Control and Disable Defender to disable Windows Defender. Both tools are lightweight and effective tools for temporarily disabling Microsoft Defender features.

BYOVD techniques are also leveraged by using vulnerable drivers such as hlpdrv.sys and ThrottleStop.sys. ThrottleStop.sys is a legitimate, signed driver developed by TechPowerUp for the ThrottleStop application, a utility designed to monitor and correct CPU throttling issues. The ThrottleStop vulnerability (CVE-2025-7771) comes from the way the driver handles memory access. Attackers can exploit this to gain control, ultimately leading to disabling security tools.

Another vulnerable driver is the hlpdrv.sys. This driver, when registered as a service, is known to gain kernel-level access and potentially terminate EDR solutions. Both drivers have been used on previous ransomware campaigns — specifically by MedusaLocker, Akira and Qilin.

We also discovered that the threat actors deployed a tailored uninstall software to remove Quick Heal AV. Quick Heal AV is an antivirus and endpoint-security product from Quick Heal Technologies (India) that provides malware protection for its both consumer and enterprise customers.

The use of a tailored Quick Heal AV uninstaller aligns with our telemetry data showing that victims were predominantly located in India. This targeted removal indicates that the attackers adapted parts of their toolkit depending on the target victim’s region.

Lastly, they also abused applications such as Process Hacker and IOBitUnlocker. Both applications are legitimate but are abused by threat actors to easily terminate processes and delete programs.

Privilege escalation

Multiple local privilege escalation (LPE) vulnerabilities spanning from older disclosures to the latest have been exploited.

CVE-2016-0099

CVE-2017-0213

CVE-2018-8639

CVE-2019-1388

CVE-2020-0787

CVE-2020-0796

CVE-2020-1066

CVE-2021-41379

CVE-2022-24521

The vulnerabilities abused in these cases exploit Windows components, such as BITS, Win32k, KS/SMB drivers, Windows installers, vendor IOCTL, etc. Makop operators used these specific vulnerabilities as they all focused on targeting the same platform, many have publicly available PoCs that make weaponization straightforward, and they reliably grant system privileges which exactly what ransomware needs to maximize its impact. The range of exploited CVEs also shows the group keeps multiple LPE primitives in its toolkit to fall back on if one fails. In our telemetry, the vulnerabilities CVE-2017-0213, CVE-2018-8639, CVE-2021-41379 and CVE-2016-0099 were among the most frequently used by the attackers, indicating that these vulnerabilities are reliable and effective in the attacks.

Credential access

Attackers use credential dumpers and brute force tools to gather sensitive data. They rely on tools such as Mimikatz, LaZagne and NetPass to extract saved passwords, cached credentials and authentication tokens. They also use brute force utilities like CrackAccount and AccountRestore to break into additional accounts. The stolen credentials enable lateral movement and give the attackers access to more systems within the victim’s infrastructure, which increases the impact of the ransomware. Many ransomware groups follow the same pattern, which highlights how effective these tools are for achieving the attackers’ objectives.

Among the credential dumping tools, Mimikatz is the most widely used. This post‑exploitation tool extracts credentials directly from Windows’ memory, including plaintext passwords, NTLM hashes, Kerberos tickets and other sensitive information managed by the Local Security Authority (LSA).

Meanwhile, LaZagne complements Mimikatz by focusing on locally stored credentials across applications. This open‑source tool supports browsers, Wi‑Fi profiles, email clients, databases and Windows credential stores.

Network password recovery (NetPass) targets network-related credentials, recovering passwords for mapped drives, VPN connections, remote desktop sessions and other Windows networking features. This allows attackers to gain quick access to passwords saved by the operating system.

Lastly, other brute force tools like AccountRestore work differently compared to the credential dumpers mentioned above. These tools test multiple password combinations to gain access to accounts.

GuLoader

In addition to the tools mentioned above, there were instances where GuLoader was dropped in the same directory as other tools and used to deliver additional payloads. The use of loaders to deploy ransomware encryptors is a common tactic among ransomware groups. Ransomware groups such as Qilin, Ransomhub, BlackBasta and Rhysida have leveraged loaders in previous campaigns, but this appears to be the first documented case of Makop being distributed via a loader.

Once GuLoader has been successfully installed in the system, it will now be able to deploy its payloads.

File path

Command line

Description

%USERPROFILE$\Music\1\BUG\TreasureRoberts.exe

“%USERPROFILE$\Music\1\BUG\TreasureRoberts.exe”

Execution of GuLoader, drops a VBS script to install the malware.

%WINDIR%\System32\WScript.exe

"%USERPROFILE%\Music\1\BUG\67138435cf99c.vbs”

Installation of GuLoader

%USERPROFILE%\Music\1\BUG\.mc_fxt.exe

Makop ransomware

%USERPROFILE%\Music\1\BUG\.mc_n1tro.exe

Makop ransomware

%USERPROFILE%\Music\1\BUG\.mc_p1z.exe

Makop ransomware

Victim countries

The largest share of attacked organizations (55% of all Makop attacks) was located in India, with smaller numbers in Brazil and Germany and isolated incidents across other countries. This distribution doesn’t necessarily mean that Makop targets a specific country more than others but could be the result of more businesses with lower security posture. Makop’s operators appear to act opportunistically, focusing on networks where weaknesses reduce the effort needed for initial entry, subsequent compromise and encryption.

Conclusion

Makop ransomware campaigns underline the threat posed by attackers who exploit well-known vulnerabilities and weak security practices. By leveraging exposed RDP systems together with an array of off-the-shelf tools, from network scanners to local privilege escalation exploits, the adversaries demonstrate a low effort yet highly effective approach. The integration of techniques, such as using GuLoader for secondary payload delivery and tailoring tactics based on target regions, further emphasizes the need for organizations to adopt robust security measures, including strong authentication and regular patch management.

Overall, seemingly mundane entry points like unsecured RDP can lead to significant breaches. Organizations across the globe, particularly those with known security gaps, should continuously reassess and fortify their defenses against ransomware and other cyberthreats.