THREAT ACTOR

Cloak

THREAT LEVEL: 7.2
EMERGENCE DATE: Nov 2022
CATEGORY: Ransomware-as-a-Service
AFFILIATIONS

Connected to Good Day ransomware through shared data leak platform infrastructure; technical lineage traced to leaked Babuk ransomware source code through ARCrypter family.

DESCRIPTION

Derived from leaked Babuk source code in late 2022, the threat actor achieves a 91-96% victim payment rate through surgical SME targeting. Distinguished by advanced Virtual Hard Disk (VHD) evasion techniques and HC-128 encryption with Curve25519 cryptography, the group purchases pre-compromised credentials from Initial Access Brokers rather than exploiting vulnerabilities.

Following organizational instability in mid-2024, activity surged in early 2025 with geographic expansion into North America and Asia, including the first documented U.S. government agency breach.

CRITICALITY
Assesses the importance of the potential target, including their size/scale, data's value, and operational impact.
LETHALITY
Evaluates the potential for damage from the attack, including the ability to disrupt operations, cause financial loss, and damage public brand image.
AGGRESSIVENESS
Assesses the psychological and tactical intensity of the group’s behavior, including targeted harassment, violent language, blackmail, and political motives.

Classifications & Affiliations

Cloak has run a RaaS platform since February 2024, offering an above-market 85/15 profit split with no upfront payment requirements, positioning it competitively for recruiting displaced affiliates.

The group employs double extortion tactics through Tor-based data leak sites, encrypting victim data while exfiltrating sensitive information. Infrastructure overlap with Good Day ransomware indicates potential collaboration or use of common backend systems within the broader ARCrypter ecosystem.

Current Status: Active through Q4 2025 with a renewed surge, positioned as a notable force showing increasing technical maturity.

Threat Level: 7.2

Origins and Methodology

The threat actor employs VHD-based execution, embedding ransomware payloads within mounted virtual disks for rapid infrastructure detachment after compromise. This technique remains uncommon in commodity ransomware.

Combined with legacy Neshta file infector integration, this provides self-propagating network compromise capabilities. The group uses credential-based access through Initial Access Brokers, purchasing pre-compromised RDP, VPN, and domain administrator access months after info-stealer campaigns harvest corporate credentials.

What is the Evolution of Cloak Ransomware?
1. Formation

The threat actor first appeared in late 2022, derived from the leaked Babuk ransomware source code released in September 2021, which provided professional-grade cryptographic implementations.

Early activity focused on European small-to-medium businesses, gaining momentum through attacks across Germany, Italy, and France while refining technical capabilities.

2. Evolution

The months following emergence focused on technical refinement and integration with ARCrypter family infrastructure; the connection to Good Day ransomware was established by mid-2023 through shared Tor-based platforms. The data leak site launched in August 2023 formalized the victim publication strategy.

Around February 2024, a formal RaaS affiliate program was launched through underground forum recruitment, offering an above-market 85/15 profit split aimed at displaced affiliates. The mid-2024 period was marked by organizational instability, including an operator financial crisis and an attempted source code sale.

Current activity since Q1 2025 shows a renewed surge with geographic expansion beyond the European focus, incorporating North American and Asian targets including a documented U.S. government agency breach. Technical evolution includes enhanced VHD extraction capabilities, Neshta integration, and refined anti-analysis techniques.

3. Lineage/Connections

Direct derivation from the leaked Babuk ransomware source code is established through cryptographic library import strings, shared file extension patterns, and matching registry modification commands.

Operational connection to the Good Day ransomware variant within the ARCrypter family is confirmed through shared Tor-based data leak platform infrastructure, identical victim portal systems, and overlapping technical implementations.

Potential Russian-speaking operational elements are suggested by Neshta malware integration with Belarusian origin attribution strings and purchases from the Russian Market IAB marketplace, though the actual operator location remains uncertain.

Which Unique Techniques Does Cloak Use?

The operation uses credential-based access through Initial Access Broker purchases rather than vulnerability exploitation, combined with VHD-based execution for evasion, HC-128 stream cipher encryption with Curve25519 cryptography, and comprehensive security tool termination.

TECHNIQUE / DETAILS

Infection Vectors: Purchases pre-compromised credentials from Initial Access Brokers on underground marketplaces, particularly Russian Market, obtaining access derived from info-stealer campaigns (Lumma Stealer, Aurora Stealer, RedLine Stealer); secondary vectors include phishing with malicious attachments disguised as legitimate software and exploitation of public-facing applications followed by RDP brute-force.

Target Selection: Focuses on small-to-medium enterprises across Europe (nearly three-quarters of victims), with Germany representing the highest concentration, expanding into North America and Asia through 2024-2025; targets manufacturing, healthcare, professional services, IT, education, government, real estate, and construction through opportunistic access purchases.

Operational Complexity: High technical maturity through VHD-based execution requiring a multi-stage loader with LZMS compression and XTEA encryption, professional-grade cryptographic implementation using HC-128, Curve25519, and SHA512, anti-debugging capabilities, comprehensive process termination targeting security vendors, and dual encryption modes optimizing performance.

Key Features & Technical Details

Technical architecture uses professional-grade cryptographic implementations derived from leaked Babuk source code, implementing HC-128 stream cipher with Curve25519 key exchange and SHA512 hashing, combined with innovative VHD-based execution.

FEATURE / DETAILS

Encryption Method: HC-128 stream cipher with multi-stage key generation: CryptGenRandom generates 32-byte Curve25519 private keys; SHA512 hashing produces 64-byte outputs split into 32-byte keys and initialization vectors; dual encryption modes optimize performance, with full encryption for smaller files and intermittent chunk encryption for larger files.

File Extension: .crYpt with alphabetical variants (.crYptA through .crYptF) appended to encrypted files.

Ransom Note: Desktop wallpaper modified to display a ransom message saved as C:\ProgramData\wallpaper.bmp; text file readme_for_unlock.txt with date-stamped variants deployed in every encrypted directory.

Double Extortion: Data exfiltration ranges from under 100GB to 271GB per incident using WinRAR archives; the unusual practice of exfiltrating already-encrypted data is documented; the Tor-based data leak site implements three-tier victim classification.

Communication Channels: Tor infrastructure with the main data leak site launched August 2023; multiple individualized victim negotiation portals; a shared contact email appearing across affiliated operations.

Deployment Speed: Rapid encryption through the dual-mode implementation; VHD-based execution enables quick infrastructure detachment; comprehensive security tool termination precedes encryption deployment.

Payment Method: Monero (XMR) mandatory for ransom payments, with 10-20% increases imposed for Bitcoin attempts; initial demands in the mid-five-figure range escalating to high-six and seven-figure amounts by 2024-2025.

Operational Model: RaaS platform launched February 2024 offering an above-market 85/15 profit split with no upfront payment requirements; a 91-96% victim payment success rate substantially exceeds industry averages.

Activities

Following emergence in late 2022, activity steadily expanded with consistent monthly tempo. Data leak site launched August 2023 formalized victim publication strategy, with activity fluctuating throughout 2024 before renewed surge in early 2025.

Nearly three-quarters of documented incidents occur within Europe, with Germany representing highest attack concentration. Geographic expansion from primary European focus into North American and Asian markets documented through 2025, with February 2025 attack on U.S. government agency representing first confirmed government breach.

Which Industries Are Most Vulnerable to Cloak?

Primary targeting focuses on manufacturing, healthcare, professional services, information technology, education, government, real estate, and construction sectors across small-to-medium enterprises.

Modus Operandi

Attack methodology prioritizes credential-based access through Initial Access Broker purchases, followed by AnyDesk installation, comprehensive reconnaissance, and rapid VHD-based ransomware deployment.

Details

Valid Accounts (T1078) through purchases of pre-compromised credentials from Initial Access Brokers on Russian Market, obtaining validated RDP, VPN, or domain administrator access derived from info-stealer campaigns (Lumma Stealer, Aurora Stealer, RedLine Stealer).

Phishing (T1566) with malicious attachments disguised as legitimate software; Exploit Public-Facing Application (T1190) followed by RDP brute-force; External Remote Services (T1133).

Details

File and Directory Discovery (T1083) using FindFirstFile/FindNextFile APIs for systematic enumeration across all volumes, directories, and network shares; System Information Discovery (T1082) through WNetOpenEnum for volume enumeration.

Process Discovery (T1057) via GetCurrentProcess API identifying running security services; Security Software Discovery (T1518.001) targeting debuggers, reverse engineering tools, and security software.

Details

AnyDesk remote administration software installed to establish persistent control independent of initial access vector; WinRAR deployed for data staging and lateral tool transfer.

Details

Obfuscated Files or Information (T1027) through Neshta injection, LZMS compression, and XTEA encryption; Modify Registry (T1112) implementing extensive modifications disabling security features; Impair Defenses: Disable or Modify Tools (T1562.001) terminating Sophos, McAfee, Veeam, Checkpoint, antivirus services, and backup applications.

Virtualization/Sandbox Evasion (T1497) detecting debugger presence; Execution Guardrails (T1480) requiring UAC elevation; Hide Artifacts: Hidden Files and Directories (T1564.001) through VHD-based execution from mounted virtual disks.

Details

OS Credential Dumping (T1003) employing credential theft tools harvesting authentication credentials for lateral movement, targeting LSASS memory and NTDS.dit domain controller databases.

Details

Application Layer Protocol: Web Protocols (T1071.001) using Tor-based victim negotiation portals for anonymous C2 communication; Encrypted Channel (T1573) via .onion domains.

Details

Remote Services: Remote Desktop Protocol (T1021.001) through AnyDesk installation; Lateral Tool Transfer (T1570) using WinRAR for staging and transferring tools.

Neshta file infector enabling worm-like propagation across networks through infected executables on shared drives.

Details

Archive Collected Data: Archive via Utility (T1560.001) employing WinRAR creating archives before transmission.

Exfiltration Over C2 Channel (T1041) conducting data theft via command and control channels before encryption deployment.

Details

Boot or Logon Autostart Execution: Registry Run Keys (T1547.001) modifying HKLM\Software\Microsoft\Windows\CurrentVersion\Run with SecurityUpdate value.

Event Triggered Execution: Application Shimming (T1546.011) through Neshta modification of HKLM\SOFTWARE\Classes\exefile\shell\open\command registry key.

Details

Data Encrypted for Impact (T1486) deploying HC-128 stream cipher; Inhibit System Recovery (T1490) executing vssadmin delete shadows /all /quiet command; Service Stop (T1489) terminating backup services, database services, and security services.

Defacement (T1491) modifying the desktop wallpaper and the legal notice registry values; System Shutdown/Reboot (T1529) prevented through registry modifications.

Details

Dual-mode encryption deployment: full encryption for files under 5MiB, intermittent chunk encryption for larger files.

Selective file targeting preserves system operability by whitelisting system-critical directories and executable extensions.
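The dual-mode rule above (full encryption under 5MiB, intermittent chunks above) matters for recovery: in a large file only some regions are ciphertext and the rest is still readable plaintext. The following is an added example, not code from the profile or its authors, that maps a file's chunks by Shannon entropy so a responder can see which byte ranges survived and whether the pattern is consistent with the dual-mode behaviour described. The 256 KiB chunk size, the 7.0 bits/byte cut-off and the sample files are assumptions constructed here; only the 5 MiB threshold comes from the page.

```python
"""Per-chunk entropy triage for files hit by a dual-mode encryptor.

Added example (constructed, not from the profile). Chunk size and the
entropy cut-off are assumptions; the 5 MiB threshold is the page's figure.
"""
import math
import random
from collections import Counter

SMALL_FILE_LIMIT = 5 * 2**20   # from the profile: files under 5 MiB are fully encrypted
CHUNK_SIZE = 256 * 2**10       # assumed analysis granularity
ENCRYPTED_ENTROPY = 7.0        # assumed: bits/byte at or above which a chunk looks like cipher output


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_map(data: bytes, chunk_size: int = CHUNK_SIZE) -> list[bool]:
    """One flag per chunk: True when the chunk's entropy says 'encrypted'."""
    return [shannon_entropy(data[i:i + chunk_size]) >= ENCRYPTED_ENTROPY
            for i in range(0, len(data), chunk_size)]


def triage(data: bytes) -> dict:
    """Classify a file and list the byte ranges that still look like plaintext."""
    flags = chunk_map(data)
    encrypted = sum(flags)
    if encrypted == 0:
        verdict = "plaintext"
    elif encrypted == len(flags):
        verdict = "fully_encrypted"
    else:
        verdict = "intermittent"
    # Under the dual-mode rule a sub-5 MiB file is never intermittent; seeing one
    # points at a different encryptor or an interrupted run, so flag the mismatch.
    consistent = not (len(data) < SMALL_FILE_LIMIT and verdict == "intermittent")
    recoverable = [(i * CHUNK_SIZE, min((i + 1) * CHUNK_SIZE, len(data)))
                   for i, enc in enumerate(flags) if not enc]
    return {"size": len(data), "chunks": len(flags), "encrypted_chunks": encrypted,
            "verdict": verdict, "consistent_with_cloak": consistent,
            "recoverable_ranges": recoverable}


def build_samples(seed: int = 7) -> dict:
    """Constructed sample files (not real victim data), deterministic for the given seed."""
    rng = random.Random(seed)
    text_chunk = (b"Quarterly report. " * (CHUNK_SIZE // 18 + 1))[:CHUNK_SIZE]
    # 6 MiB file with every other chunk encrypted: 24 chunks, 12 ciphertext, 12 plaintext
    large = b"".join(rng.randbytes(CHUNK_SIZE) if i % 2 == 0 else text_chunk for i in range(24))
    return {
        "small_encrypted": rng.randbytes(2**20),   # 1 MiB, fully encrypted
        "large_intermittent": large,
        "untouched": text_chunk * 2,               # 512 KiB of plaintext
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        r = triage(blob)
        print(f"{name}: {r['verdict']} ({r['encrypted_chunks']}/{r['chunks']} chunks encrypted)")
```

Entropy alone cannot distinguish ciphertext from already-compressed content, so a large archive, JPEG or Office file that was never touched will score as "fully_encrypted"; confirm a verdict against the .crYpt extension and the file's original type before relying on the recoverable ranges.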

Details

Graduated escalation through three-tier data leak site classification: recent victims with password-protected data, non-paying victims with freely downloadable stolen data, sold status indicating payment or third-party data sale.

Details

Empties Recycle Bin through SHEmptyRecycleBinA function; terminates own process and removes loader from original execution path.

VHD infrastructure rapidly detached after malicious activities complete.

Indicators of Compromise (IOCs)

Network and host-based indicators enable identification within compromised environments, particularly Tor infrastructure patterns, VHD mounting activities, and distinctive file system artifacts.

INDICATOR / DETAILS

File Hashes: SHA256 hashes documented for dropper and payload components; Neshta file infector identifiable through attribution strings: "Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus"; randomized VHD file names in C:\ProgramData.

IP Addresses: No persistent C2 IPs documented; relies on Tor infrastructure for command and control.

Domains/URLs:
cloak7jpvcb73rtx2ff7kaw2kholu7bdiivxpzbhlny4ybz75dpxckqd[.]onion (main data leak site)
47h4pwve4scndaneljfnxdhzoulgsyfzbgayyonbwztfz74gsdprz5qd[.]onion (victim portal)
dcpuyivlbzx56hqwsvey33bxobxw3timjgljjy3index6qvdls5bjoad[.]onion (victim portal)
wwwieqvblhnel7wsb6jpxeen3dbmsqyozj2gzl2oyn6swrkq27jtusqd[.]onion (victim portal)
zxzs677rphmjznqgqzlsmjtqwqlydq47rwjesrt4dkkh6cc2ftlfhuqd[.]onion (victim portal)
MikLYmAklY555@cock.li (contact email)

File Paths:
C:\ProgramData\[random].vhd (virtual hard disk files)
C:\ProgramData\wallpaper.bmp (ransom wallpaper)
C:\Windows\svchost.com (Neshta injector)
%APPDATA%\[random folder]\Host Process for Windows Services (payload in VHD mount)
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityUpdate (persistence key)

File Extensions:
.crYpt (primary encrypted file extension)
.crYptA through .crYptF (alphabetical variants)
readme_for_unlock.txt (ransom note with date-stamped variants)
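The persistence and impact entries in Modus Operandi (the SecurityUpdate Run key, shadow-copy deletion via vssadmin) and the indicators above (leak-site addresses, fixed artefact paths, VHD files in C:\ProgramData, .crYpt* extensions, the ransom note) translate directly into host-triage rules. The following is an added example, not code from the profile or its authors: it matches Sysmon-style events against those indicators and adds one behavioural rule for a single process creating many .crYpt* files in a short window. The event dictionary shape, the rule names, the constructed timeline and the bulk threshold (20 files in 60 seconds) are assumptions; the indicator values themselves are the page's.

```python
"""Event triage against the Cloak indicators listed on this page.

Added example (constructed, not from the profile's authors). Event shape,
rule names and the bulk threshold are assumptions; indicator values are the page's.
"""
import re
from collections import defaultdict

# Atomic indicators copied from the profile (onion addresses are defanged there; refang for matching).
ONION_SITES = {d.replace("[.]", ".") for d in (
    "cloak7jpvcb73rtx2ff7kaw2kholu7bdiivxpzbhlny4ybz75dpxckqd[.]onion",
    "47h4pwve4scndaneljfnxdhzoulgsyfzbgayyonbwztfz74gsdprz5qd[.]onion",
    "dcpuyivlbzx56hqwsvey33bxobxw3timjgljjy3index6qvdls5bjoad[.]onion",
    "wwwieqvblhnel7wsb6jpxeen3dbmsqyozj2gzl2oyn6swrkq27jtusqd[.]onion",
    "zxzs677rphmjznqgqzlsmjtqwqlydq47rwjesrt4dkkh6cc2ftlfhuqd[.]onion",
)}
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityUpdate"
FIXED_PATHS = {r"c:\programdata\wallpaper.bmp", r"c:\windows\svchost.com"}
ENCRYPTED_EXT = re.compile(r"\.crYpt[A-F]?$")                  # exact case as documented: .crYpt, .crYptA..F
RANSOM_NOTE = re.compile(r"^readme_for_unlock.*\.txt$", re.I)  # assumed: date-stamped variants keep the prefix
VHD_IN_PROGRAMDATA = re.compile(r"^c:\\programdata\\[^\\]+\.vhd$", re.I)
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet\b", re.I)
BULK_THRESHOLD = 20   # assumed: .crYpt* creations per process ...
BULK_WINDOW = 60      # ... within this many seconds


def match_event(ev: dict) -> list[str]:
    """Atomic rules: every rule name that fires for one event."""
    hits = []
    if ev["type"] == "FileCreate":
        path = ev["path"]
        name = path.rsplit("\\", 1)[-1]
        if path.lower() in FIXED_PATHS:
            hits.append("cloak_known_artifact_path")
        if VHD_IN_PROGRAMDATA.match(path):
            hits.append("cloak_vhd_in_programdata")
        if ENCRYPTED_EXT.search(name):
            hits.append("cloak_encrypted_extension")
        if RANSOM_NOTE.match(name):
            hits.append("cloak_ransom_note")
    elif ev["type"] == "ProcessCreate":
        if SHADOW_DELETE.search(ev["cmdline"]):
            hits.append("shadow_copy_deletion")
    elif ev["type"] == "RegistryValueSet":
        if ev["key"].lower() == RUN_KEY.lower():
            hits.append("cloak_run_key_persistence")
    elif ev["type"] == "NetworkDestination":
        if ev["host"].lower() in ONION_SITES:
            hits.append("cloak_leak_site_contact")
    return hits


def scan(events: list[dict]) -> list[tuple]:
    """Atomic rules over all events plus the behavioural bulk-encryption rule per process."""
    alerts = []
    ext_times = defaultdict(list)
    for ev in events:
        for rule in match_event(ev):
            alerts.append((ev["ts"], rule, ev.get("pid")))
            if rule == "cloak_encrypted_extension":
                ext_times[ev.get("pid")].append(ev["ts"])
    for pid, stamps in ext_times.items():
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):          # sliding window over sorted timestamps
            while t - stamps[lo] > BULK_WINDOW:
                lo += 1
            if hi - lo + 1 >= BULK_THRESHOLD:
                alerts.append((t, "bulk_encryption_activity", pid))
                break
    return alerts


def rules_fired(events: list[dict]) -> set[str]:
    return {rule for _, rule, _ in scan(events)}


def sample_events() -> list[dict]:
    """Constructed timeline: one encryptor process plus side artefacts, and two benign events."""
    ev = [
        {"type": "ProcessCreate", "ts": 100, "pid": 4120, "cmdline": r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
        {"type": "RegistryValueSet", "ts": 101, "pid": 4120, "key": RUN_KEY},
        {"type": "FileCreate", "ts": 102, "pid": 4120, "path": r"C:\ProgramData\kq8f2x.vhd"},
        {"type": "FileCreate", "ts": 103, "pid": 4120, "path": r"C:\ProgramData\wallpaper.bmp"},
        {"type": "FileCreate", "ts": 104, "pid": 4120, "path": r"D:\Shares\Finance\readme_for_unlock_2025-02-14.txt"},
        {"type": "NetworkDestination", "ts": 105, "pid": 4120, "host": "cloak7jpvcb73rtx2ff7kaw2kholu7bdiivxpzbhlny4ybz75dpxckqd.onion"},
        {"type": "FileCreate", "ts": 106, "pid": 880, "path": r"C:\Users\alice\Documents\report.docx"},   # benign
        {"type": "ProcessCreate", "ts": 107, "pid": 880, "cmdline": "vssadmin.exe list shadows"},            # benign
    ]
    for i in range(25):   # 25 encrypted files within 25 seconds from the same process
        ev.append({"type": "FileCreate", "ts": 110 + i, "pid": 4120, "path": rf"D:\Shares\Finance\doc{i}.xlsx.crYptB"})
    return ev


if __name__ == "__main__":
    for ts, rule, pid in scan(sample_events()):
        print(ts, pid, rule)
```

The extension rule is deliberately case-sensitive because the profile documents the mixed-case .crYpt form; the bulk rule is the one most likely to fire early, since shadow-copy deletion and the wallpaper drop can land before or after most of the renames depending on the run.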

Exploits and Vulnerabilities

No CVE Exploitation
CVE: N/A
CVSS: N/A
DESCRIPTION: The threat actor does not exploit specific CVE vulnerabilities for initial access, instead purchasing pre-compromised credentials from Initial Access Brokers on underground marketplaces, particularly Russian Market, obtaining validated RDP, VPN, or domain administrator credentials derived from info-stealer campaigns.

Additional Attack Vectors: Access purchased from IABs derives from info-stealer malware campaigns (Lumma Stealer, Aurora Stealer, RedLine Stealer) harvesting corporate credentials through malicious browser extensions, phishing, or trojanized software.