CatB
CatB is a ransomware family first observed in late 2022, also referred to as CatB99 or Baxtoy, with campaigns seen since at least November 2022. It has been linked in reporting to the Chinese espionage cluster ChamelGang based on technical overlaps with other tools used by that group, and was reportedly used in 2022 attacks against the Presidency of Brazil and the All India Institute of Medical Sciences. Reporting also notes CatB payloads signed with the same stolen "coolschool" certificate associated with broader China-linked activity.
Technically, CatB uses a two-DLL infection chain and abuses DLL hijacking/phantom DLL loading via the Microsoft Distributed Transaction Coordinator (MSDTC) service. The initial dropper is a UPX-packed DLL named versions.dll, which writes a second-stage payload, oci.dll, to the target host, including placement in C:\Windows\System32. The malware manipulates MSDTC service permissions and startup parameters, terminates msdtc.exe with taskkill.exe, and upon service restart causes the malicious oci.dll to be loaded into msdtc.exe. CatB performs anti-sandbox and anti-VM checks, including checks of RAM, disk characteristics, and anomalous processor/core combinations.
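The MSDTC phantom-DLL chain described above leaves a distinctive sequence in endpoint telemetry: oci.dll written into System32, the MSDTC service configuration touched, msdtc.exe killed with taskkill, and finally msdtc.exe loading oci.dll. The following is an added detection example, not code from the original page or from any vendor; the Sysmon-style event IDs, field names, and sample events are assumptions (the page does not state how the service change surfaces in logs, so a registry write under the MSDTC service key is assumed here).

```python
import json
from collections import defaultdict

SYSTEM32 = r"c:\windows\system32"

# Constructed sample telemetry (Sysmon-style, field names assumed): ws01 shows
# the full CatB chain, ws02 only an admin restarting MSDTC with taskkill.
SAMPLE_EVENTS = [
    r'{"host":"ws01","id":11,"image":"C:\\Temp\\loader.exe","target":"C:\\Windows\\System32\\oci.dll"}',
    r'{"host":"ws01","id":13,"image":"C:\\Temp\\loader.exe","target":"HKLM\\System\\CurrentControlSet\\Services\\MSDTC\\Start"}',
    r'{"host":"ws01","id":1,"image":"C:\\Windows\\System32\\taskkill.exe","cmdline":"taskkill.exe /F /IM msdtc.exe"}',
    r'{"host":"ws01","id":7,"image":"C:\\Windows\\System32\\msdtc.exe","target":"C:\\Windows\\System32\\oci.dll"}',
    r'{"host":"ws02","id":1,"image":"C:\\Windows\\System32\\taskkill.exe","cmdline":"taskkill.exe /IM msdtc.exe"}',
]

def classify(ev):
    """Map one event to a stage of the chain the page describes, or None."""
    image = ev.get("image", "").lower()
    target = ev.get("target", "").lower()
    cmd = ev.get("cmdline", "").lower()
    if ev["id"] == 11 and target == SYSTEM32 + r"\oci.dll":
        return "oci_dll_planted"            # phantom DLL written to System32
    if ev["id"] == 13 and "\\services\\msdtc\\" in target:
        return "msdtc_service_modified"     # startup parameters changed (assumed registry write)
    if ev["id"] == 1 and image.endswith(r"\taskkill.exe") and "msdtc" in cmd:
        return "msdtc_killed"               # service killed to force a restart
    if ev["id"] == 7 and image.endswith(r"\msdtc.exe") and target == SYSTEM32 + r"\oci.dll":
        return "oci_dll_loaded_by_msdtc"    # the hijack itself
    return None

def detect_catb_chain(lines):
    """Return {host: [stages]} for hosts showing two or more stages, or the
    decisive stage (msdtc.exe loading System32\\oci.dll) on its own."""
    stages = defaultdict(set)
    for line in lines:
        ev = json.loads(line)
        tag = classify(ev)
        if tag:
            stages[ev["host"]].add(tag)
    return {h: sorted(s) for h, s in stages.items()
            if len(s) >= 2 or "oci_dll_loaded_by_msdtc" in s}

if __name__ == "__main__":
    for host, seen in detect_catb_chain(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(seen))
```

A lone taskkill of msdtc.exe (ws02) is not flagged, since administrators restart the service legitimately; the ImageLoad of oci.dll by msdtc.exe is treated as sufficient on its own because System32 should not contain that file.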
For encryption, CatB targets selected local paths and volumes, by default attempting to encrypt C:\users and the D:, E:, F:, G:, H:, and I: volumes, while excluding .msi, .dll, .sys, .iso, and NTUSER.DAT. Unlike many ransomware families, it typically does not drop a separate ransom note, change the desktop wallpaper, or append a new extension to encrypted files. Instead, it inserts the ransom note at the beginning of each encrypted file. The note instructs victims to contact the operators via catB9991@protonmail.com; some earlier variants used fishA001@protonmail.com or both addresses. A reported Bitcoin payment address is bc1qakuel0s4nyge9rxjylsqdxnn9nvyhc2z6k27gz. The note states the ransom increases daily for five days and threatens permanent data loss after that period. CatB also drops a key file in C:\Users\Public\ to serve as a victim identifier.
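Because CatB keeps the original file name and extension and embeds the note at the head of each encrypted file, extension-based triage misses it; scanning the first bytes of each file for the contact addresses quoted above is a workable alternative. The following is an added example, not code from the original page; the note wording, the scan window, and the fixture files are constructed assumptions.

```python
import os
import tempfile

# Contact addresses quoted on the page; note length and wording are not given
# there, so the number of head bytes inspected is an assumption.
NOTE_MARKERS = (b"catB9991@protonmail.com", b"fishA001@protonmail.com")
HEAD_BYTES = 8192

def has_catb_note(path):
    """True if the head of the file contains a CatB contact marker."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(HEAD_BYTES)
    except OSError:
        return False
    return any(marker in head for marker in NOTE_MARKERS)

def scan_tree(root):
    """Walk root and return paths whose head carries the embedded note.
    Extensions are ignored on purpose: CatB does not rename encrypted files."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if has_catb_note(path):
                hits.append(path)
    return sorted(hits)

def build_sample_tree():
    """Constructed fixture: one file with a note at its head followed by
    random bytes, one untouched file, and one that only mentions an address
    far past the scan window (must not be reported)."""
    root = tempfile.mkdtemp(prefix="catb_demo_")
    fake_note = b"contact: catB9991@protonmail.com\n"   # constructed, not the real note
    with open(os.path.join(root, "report.docx"), "wb") as fh:
        fh.write(fake_note + os.urandom(512))
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"quarterly numbers\n" * 20)
    with open(os.path.join(root, "mailbox.txt"), "wb") as fh:
        fh.write(b"x" * (HEAD_BYTES + 16) + NOTE_MARKERS[1])
    return root

if __name__ == "__main__":
    for hit in scan_tree(build_sample_tree()):
        print("possible CatB-encrypted file:", hit)
```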
Beyond encryption, CatB attempts to steal data from Mozilla Firefox, Google Chrome, Microsoft Edge, Internet Explorer, and Windows Mail. Reported targeted data includes bookmarks, blocklists, crash logs, browsing history, profile data, autofill data, environment settings, browser session keys, and Windows Mail profile data under \AppData\Local\Microsoft\Windows Mail. Researchers also noted similarities to Pandora ransomware, suggesting CatB may be a rebrand or evolution of Pandora.
Groups observed using it
2 distinct threat actors attributed by public researchers.
The researchers said both attacks involved the CatB ransomware, which they attributed to ChamelGang based on technical overlaps in malware code with other tools used by the group.
"Its ransomware payload, known as CatB, had been signed with the same coolschool certificate."
Techniques & procedures
12 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
1 technique
The malware then abuses the MSDTC service, manipulating the permissions and startup parameters. As a result, the system will inject the malicious oci.dll into the service’s executable (msdtc.exe) when the MSDTC service is restarted.
Upon execution, CatB payloads rely on DLL search order hijacking to drop and load the malicious payload. The dropper (versions.dll) drops the payload (oci.dll) into the System32 directory.
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
5 techniques
First, the dropper is distributed in the form of a UPX-packed DLL (versions.dll). This dropper deposits the second DLL payload (oci.dll) onto the target host.
The ChamelGang group repeatedly deployed ransomware and encryptors “for the purposes of financial gain, disruption, distraction, misattribution, or removal of evidence” ... The specific use of ransomware also allows APT groups to destroy evidence of their espionage efforts and force organizations to focus on data restoration instead of investigating how hackers gained initial entry.
As a result, the system will inject the malicious oci.dll into the service’s executable (msdtc.exe) when the MSDTC service is restarted.
CatB performs three primary checks in an attempt to determine if the payload is being executed within a virtual environment. These are direct checks for type and size of physical RAM, type and size of physical hard disks, and checking for odd or anomalous combinations of processors and cores.
Credential Access
2 techniques
Data extracted from browsers includes bookmarks, blocklists, crash logs, history, user profile data, autofill data, environmental settings, browser session keys, and more.
In addition to file encryption and obfuscation, the CatB malware will attempt to gather specific, sensitive information from targeted systems. This includes browser session and credential data.
Discovery
2 techniques
CatB performs three primary checks in an attempt to determine if the payload is being executed within a virtual environment. These are direct checks for type and size of physical RAM, type and size of physical hard disks, and checking for odd or anomalous combinations of processors and cores.
Collection
1 technique
The ransomware contains functionality to discover and extract user data from Mozilla Firefox, Google Chrome, Microsoft Edge as well as Internet Explorer... CatB malware will also attempt to locate and extract sensitive information from Windows Mail profile data.
Impact
2 techniques
CatB ransomware excludes the following files and extensions from the encryption process... By default, the oci.dll payload will attempt to encrypt C:\users (crawl whole tree), I:, H:, G:, F:, E:, and D:.
Taskkill.exe is used to terminate the msdtc.exe process once the service configuration changes have been made.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Ransomware payload attributed by TeamT5 to the China-linked group CamoFei; notable for being signed with the stolen 'coolschool' certificate also seen in later Warlock-adjacent tooling.
Ransomware reported to exploit DLL hijacking for improved concealment.
Ransomware used in the 2022 attacks on the Presidency of Brazil and the All India Institute of Medical Sciences (AIIMS), attributed by the researchers to ChamelGang based on malware code overlaps with other tools used by the group.
Ransomware delivered via phantom DLL loading by planting a malicious oci.dll for msdtc.exe to load; includes a dropper DLL with anti-sandbox/anti-VM checks.