Mallory

MorLock


MorLock is a threat actor that Kaspersky has linked, through significant similarities and overlaps, to Crypt Ghouls and other groups targeting Russia, including BlackJack, Twelve, and Shedding Zmiy (aka ExCobalt). The reported overlap covers shared or similar tooling, utilities, file and folder naming conventions, and infrastructure; Kaspersky assessed that this may indicate shared resources, collaboration, or common knowledge and tooling, while also complicating attribution. Specifically, Kaspersky reported that Crypt Ghouls and MorLock used the same resocks utility, and that utilities seen across the overlapping campaigns included SoftPerfect Network Scanner, PingCastle, and XenAllPasswordPro. The available reporting associates MorLock with campaigns targeting Russia, but it does not provide high-confidence standalone details on MorLock's full victimology, intrusion chain, or whether it is a nation-state or cybercriminal actor.


MITRE ATT&CK tradecraft

One distinct technique has been observed across reporting, mapped to 4 of the 15 ATT&CK tactics (each tactic lists the technique once, so the technique appears four times below).
TA0001 Initial Access: T1078 Valid Accounts
TA0003 Persistence: T1078 Valid Accounts
TA0004 Privilege Escalation: T1078 Valid Accounts
TA0005 Stealth (MITRE name: Defense Evasion): T1078 Valid Accounts