Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to malware
MalwareRansomware

InfernoGrabber

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

MITRE ATT&CK

Techniques & procedures

11 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566PhishingEvidence1

The technique uses a phishing lure to persuade the victim to grant file-system access to a web page; once access is granted, the page can enumerate local files, read and exfiltrate their contents, encrypt and overwrite them, and display a ransom-style message.

Execution

1 technique
T1204User ExecutionEvidence1

The workflow on Android looks very natural. The user opens a web page that promises to enhance a photo, selects an image, and is then asked to choose a directory for saving the 'enhanced' results.

Credential Access

1 technique
T1056.001KeyloggingEvidence1

In a single front-end, the generated code assembled routines and stubs for keylogging... In this sample, the keylogger observes keystrokes only while the user interacts with the page.

Collection

6 techniques
T1005Data from Local SystemEvidence1

Once access is granted, the page can enumerate local files in the selected folder, read and exfiltrate their contents, encrypt and overwrite them.

T1056.001KeyloggingEvidence1

In a single front-end, the generated code assembled routines and stubs for keylogging... In this sample, the keylogger observes keystrokes only while the user interacts with the page.

T1113Screen CaptureEvidence1

In this sample, the 'desktop screenshot' routine captures the rendered web page.

T1115Clipboard DataEvidence1

In a single front-end, the generated code assembled routines and stubs for keylogging, clipboard monitoring...

T1123Audio CaptureEvidence1

Webcam and microphone capture depend on browser permission prompts.

T1125Video CaptureEvidence1

Webcam and microphone capture depend on browser permission prompts.

Exfiltration

1 technique
T1041Exfiltration Over C2 ChannelEvidence1

Once access is granted, the page can enumerate local files in the selected folder, read and exfiltrate their contents, encrypt and overwrite them.

Impact

2 techniques
T1486Data Encrypted for ImpactEvidence1

During the fake processing step, the PoC encrypts pictures inside the selected directory.

T1491DefacementEvidence1

After a fake processing step, the page is intended to display a ransomnote-style overlay under the name InfernoGrabber v9.0.

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app
Hashes
1 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

TypeValueLatest sighting
hash.sha256●●●●●●●●●●●●View more in apptoday
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching1

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping11

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.