GlobeImposter is a ransomware family, also referred to as LOLKEK, active since at least 2016 and named for its attempt to mimic Globe ransomware payloads. It has been distributed via phishing emails, malicious spam campaigns, and RDP brute-force intrusions rather than worm-like self-propagation. Multiple sources in the content associate large-scale GlobeImposter delivery with TA505, including campaigns beginning in mid-to-late 2017 and heavy TA505 use in December 2017; Necurs is also referenced as a distribution platform for GlobeImposter. The malware has also been discussed in connection with TA505 alongside Dridex and Locky campaigns.
Behaviorally, GlobeImposter scans available drives and files for encryption targets, modifies the Windows registry for persistence, and may disable antivirus or other OS security features and prevent system restoration. The analyzed 2018 variant was compiled in Visual C++, used an embedded AES implementation instead of standard cryptographic APIs, dynamically generated encrypted file extensions, saved command-line commands into a batch file, removed RDP login logs, and eventually deleted itself to reduce forensic artifacts. Some variants encrypt .exe and .dll files, making them more destructive and potentially disrupting analysis tools.
A 2021 GlobeImposter variant described in the content is substantially more complex and stealth-focused. It is a heavily obfuscated .NET sample, likely written in VB.NET, that stores encrypted payloads inside image resources, decodes them in memory, and loads additional stages via Assembly.Load and LoadLibrary. The execution chain includes delayed execution with Thread.Sleep and multiple resource-backed DLL stages, with the later-stage module containing file-encryption functionality using SymmetricAlgorithm and CryptoStream. The content states this variant relies on multi-stage in-memory execution, heavy obfuscation, and encoded resource-based payload delivery to evade static analysis and complicate reverse engineering. RDP brute force is specifically cited as an initial access method for GlobeImposter.
The content also notes that PSCrypt is based on GlobeImposter and has very similar functionality. High-confidence indicators from the analyzed samples include SHA-256 750984dff0d13260e17e9bb1a3482f1bae834d6e0de1bcd199028748a9f998dc for a 2018 GlobeImposter sample and SHA-256 5c3ce324ded0942df4b4cbf80cf195263f105daf5c729255c628bb3a4f8ab3de for a 2021 variant.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
the messages and the delivery suggest they were sent by threat actor TA505, known for sending large-scale Dridex, Locky, and GlobeImposter campaigns, among others, over the last four years.
13 distinct techniques documented for this family, organized by ATT&CK tactic.
GlobeImposter ransomware has been active since 2016 and is typically distributed via phishing emails and RDP brute force attacks.
"FlawedAmmyy Admin appeared most recently as the payload in massive email campaigns... The messages in these campaigns contained zipped .url attachments..." and "Emails contained an attachment ...doc ... which used macros to download the FlawedAmmyy malware directly."
I opened the malware using dnSpy and realized that the malware is heavily obfuscated... I tried to use different de-obfuscators, such as de4dot and NETReactor Slayer, but all failed to de-obfuscate the malware.
I found out these image resources are not actual media content, but rather serve as containers for encrypted payloads. This technique helps evade static detection, as image resources are typically considered benign and may bypass superficial inspection.
Since GlobeImposter is installed by attackers after RDP brute force succeeds, the RDP login log file will be removed once the malware is successfully executed.
8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
14 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware family analyzed here as a 2021 variant written in .NET/VB.NET, using heavy obfuscation, multi-stage in-memory execution, encoded image-resource payload delivery, and anti-analysis delays before loading additional DLL payloads and performing file encryption.
Ransomware active since 2016 that is typically distributed via phishing emails and RDP brute force attacks. It mimics Globe ransomware payloads, may disable antivirus and OS security features, may prevent system restoration, uses an embedded AES implementation instead of standard crypto APIs, dynamically constructs encrypted file extensions, removes RDP login logs after execution, and removes itself to reduce forensic artifacts.
Ransomware family cited as a source of leaked code/builders used by newer variants.
Ransomware referenced as historically associated with TA505 (no additional technical details provided in this content).
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.