mallox
Mallox is an enterprise-focused ransomware-as-a-service (RaaS) operation that emerged in 2021. It is also referred to in the provided content as TargetCompany, FARGO, XOLLAM, and BOZON. The group initially operated privately before launching an affiliate program in 2022. Its operators reportedly recruited Russian-speaking affiliates, did not welcome English-speaking affiliates or novices, and instructed affiliates to target organizations with at least $10 million in revenue while avoiding hospitals and educational institutions. The content states Mallox used affiliate IDs to track activity, had 16 active affiliates in 2023, and that only eight of those original affiliates remained active in 2024 with no newcomers. The content describes Mallox as a longstanding, enterprise-focused ransomware family used in big-game-hunting style attacks. Operators are known to target timely vulnerabilities, including Microsoft SQL Server flaws, and also use brute-force attacks for initial access. One reported leak from a Mallox-affiliated actor’s staging server in May 2024 showed that a Linux variant branded "Mallox v1.0" was built from a modified version of the open-source Kryptina Linux RaaS platform. The leaked infrastructure contained modified Kryptina source code, builder and campaign-management components, ransom note templates, and victim-specific build folders. Analysis cited in the content found that this Linux variant retained Kryptina’s core encryption and decryption routines, including AES-256-CBC file encryption, with most changes limited to rebranding, translated documentation, and minor edits. The same leak also showed the affiliate maintained broader intrusion tooling, including Windows droppers, a Kaspersky password reset utility, and exploit code for CVE-2024-21338. The content notes that Kryptina use appeared specific to one Mallox affiliate and that other Linux Mallox variants were not based on Kryptina. Mallox was observed in Q3 2023 but not Q4 2023 in one cited ransomware tracking context.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Tradecraft
14 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Associated with a staging server leak that revealed how the Kryptina platform was adapted for enterprise ransomware attacks, including extending operations into Linux and cloud environments.
Ransomware operation that began as a private group and later launched an affiliate program. It restricts participation to Russian-speaking, experienced affiliates and conducts big game hunting against larger organizations while excluding hospitals and educational institutions.
Enterprise-focused ransomware-as-a-service operation whose affiliates used a modified Kryptina-based Linux ransomware variant ('Mallox v1.0') and Windows droppers/tools. The content says Mallox operators opportunistically target timely vulnerabilities such as MSSQL Server and commonly use brute force attacks for initial access.
Ransomware group observed in Q3 2023 but not observed in Q4 2023 (per Dragos tracking of industrial-targeting ransomware).
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.