Malware descriptions

Nyxem.e’s dreaded 32 bytes

Somewhere, deep inside Nyxem.e’s 100K+ body, there is a dreaded block of 32 bytes. On the 3rd of every month, exactly 30 minutes after the infected system is started, Nyxem.e will use this block to overwrite all *.doc, *.xls, *.mdb, *.mde, *.ppt, *.pps, *.zip, *.rar, *.pdf, *.psd and *.dmp files on your disks.

Once this has happened, your 6MB presentation for the CEO, your vacation pictures and all the RAR and ZIP backups will look like this:

Or, in ASCII:

With the activation date drawing near, just make sure your system is not infected. Unlike GPCode, once the payload has hit, the chances of you getting your data back will be practically zero.

Nyxem.e’s dreaded 32 bytes

Your email address will not be published.

 

Reports

Andariel deploys DTrack and Maui ransomware

Earlier, the CISA published an alert related to a Stairwell report, “Maui Ransomware.” Our data should openly help solidify the attribution of the Maui ransomware incident to the Korean-speaking APT Andariel, also known as Silent Chollima and Stonefly.

APT trends report Q2 2022

This is our latest summary of advanced persistent threat (APT) activity, focusing on events that we observed during Q2 2022.

Subscribe to our weekly e-mails

The hottest research right in your inbox