Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to threat actors
11 malware families

Crypt Ghouls

Also known asCrypt Ghouls

Crypt Ghouls is a cybercriminal ransomware group identified by Kaspersky that has targeted Russian businesses and government agencies, including organizations in mining, energy, finance, retail, and the public sector. Researchers assessed the group’s goals as both operational disruption and financial gain. Observed initial access involved abuse of compromised contractor or subcontractor credentials to connect to victim environments via VPN, including connections traced to Russian hosting provider infrastructure and contractor networks. After access, the group maintained persistence and remote access using NSSM and Localtonet, and also used AnyDesk and resocks. Its post-compromise activity included credential theft, reconnaissance, and lateral movement. Reported tooling includes XenAllPasswordPro, Mimikatz, a renamed PowerShell ticket-dumping script (dumper.ps1), MiniDump tooling, PingCastle, SoftPerfect Network Scanner, WMI, Impacket WmiExec.py, PsExec, and PAExec. Researchers also observed a CobInt backdoor loader delivered as the VBScript Intellpui.vbs, which executed obfuscated PowerShell to load CobInt in memory. Additional activity included attempts to dump NTDS.dit and collection of browser-stored credentials. For impact, Crypt Ghouls deployed LockBit 3.0 on Windows systems and Babuk on Linux and ESXi systems. On ESXi, the attackers connected over SSH, uploaded Babuk, and encrypted files within virtual machines. The LockBit 3.0 sample was reported to encrypt local drives, terminate selected processes and services, disable Windows Defender, delete event logs, and exclude certain directories from encryption. Victims were instructed to contact the attackers via the Session messaging service. Kaspersky reported substantial overlaps in tools, file naming, infrastructure, and TTPs with MorLock, and additional overlaps with BlackJack, Twelve, and Shedding Zmiy/(Ex)Cobalt-linked activity. The report states these overlaps likely indicate collaboration, shared tooling, or intelligence exchange among multiple groups targeting Russian organizations. Known alias: crypt_ghouls.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Energy
  • Banks
  • Consumer Discretionary Distribution & Retail
  • Government & Administration

Where they target

Geographies tied to known operations.

  • 🇷🇺 Russia
MITRE ATT&CK

Tradecraft

30 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

11 of 15 tactics44 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
3 techniques
T1078×2
Valid Accounts
T1133×2
External Remote Services
T1190
Exploit Public-Facing Application
TA0002
Execution
3 techniques
T1047
Windows Management Instrumentation
T1053
Scheduled Task/Job
T1053.005
Scheduled Task
T1059
Command and Scripting Interpreter
T1059.001
PowerShell
T1059.005
Visual Basic
TA0003
Persistence
4 techniques
T1053
Scheduled Task/Job
T1053.005
Scheduled Task
T1078×2
Valid Accounts
T1133×2
External Remote Services
T1543
Create or Modify System Process
T1543.003×2
Windows Service
TA0004
Privilege Escalation
3 techniques
T1053
Scheduled Task/Job
T1053.005
Scheduled Task
T1078×2
Valid Accounts
T1543
Create or Modify System Process
T1543.003×2
Windows Service
TA0005
Stealth
2 techniques
T1070
Indicator Removal
T1070.004
File Deletion
T1078×2
Valid Accounts
TA0006
Credential Access
3 techniques
T1003×2
OS Credential Dumping
T1003.001×2
LSASS Memory
T1003.002
Security Account Manager
T1003.003
NTDS
T1555×2
Credentials from Password Stores
T1555.003
Credentials from Web Browsers
T1558
Steal or Forge Kerberos Tickets
TA0007
Discovery
3 techniques
T1018×2
Remote System Discovery
T1033
System Owner/User Discovery
T1046
Network Service Discovery
TA0008
Lateral Movement
1 technique
T1021
Remote Services
T1021.001
Remote Desktop Protocol
T1021.002×2
SMB/Windows Admin Shares
T1021.004×2
SSH
TA0009
Collection
1 technique
T1560
Archive Collected Data
TA0011
Command and Control
3 techniques
T1090
Proxy
T1090.001
Internal Proxy
T1090.002
External Proxy
T1105
Ingress Tool Transfer
T1219
Remote Access Tools
TA0040
Impact
1 technique
T1486×2
Data Encrypted for Impact
ARSENAL

Associated malware families

11 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
BabukAs the final payload, the group used the well-known ransomware LockBit 3.0 and Babuk.3Jun 14, 2026
CobIntIn one Crypt Ghouls attack, we discovered a malicious CobInt backdoor loader.3Jun 14, 2026
LockBitAs the final payload, the group used the well-known ransomware LockBit 3.0 and Babuk.3Jun 14, 2026
MimikatzWe detected the use of the Mimikatz utility in some of the investigated attacks.3Jun 14, 2026
XenAllPasswordProThe attackers employed the XenAllPasswordPro tool to harvest a range of authentication data from the target system.3Jun 14, 2026

6 additional families tracked in Mallory.

IOCS

Observables

16 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

16 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
securelistNews
May 21, 2026
Analyzing the familiar tools used by the Crypt Ghouls hacktivists | Securelist

Ransomware-focused group targeting Russian businesses and government agencies, using compromised contractor VPN credentials, credential theft, WMI/RDP-based lateral movement, reconnaissance utilities, and deploying LockBit 3.0 on Windows and Babuk on Linux/ESXi systems.

Read more
security online infoNews
Oct 21, 2024
Supply Chain Weakness: Crypt Ghouls Exploit Contractors to Deploy Ransomware

Ransomware intrusion activity leveraging compromised contractor/subcontractor credentials (VPN initial access), followed by lateral movement/persistence tooling and deployment of LockBit 3.0 (Windows) and Babuk (Linux/ESXi) to encrypt victim data.

Read more
the hacker newsNews
Oct 19, 2024
Crypt Ghouls Targets Russian Firms with LockBit 3.0 and Babuk Ransomware Attacks

Ransomware-driven disruptive and financially motivated intrusions against Russian government and commercial organizations, using compromised contractor VPN credentials for initial access, followed by credential theft, remote access tooling, lateral movement, and deployment of LockBit 3.0 (Windows) and Babuk (Linux/ESXi).

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping30

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal11

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables16

Domains, IPs, and hashes tied to this actor, refreshed continuously.