Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to threat actors
6 malware families

MorLock

Also known asMorLock

MorLock is a threat actor observed in reporting as part of a cluster of groups targeting Russian organizations. The provided content does not describe MorLock’s activity independently, but states that Kaspersky and F.A.C.C.T. identified significant overlaps and similarities between MorLock and the ransomware group Crypt Ghouls, as well as with BlackJack, Twelve, and Shedding Zmiy (aka ExCobalt). Reported overlaps include tools, infrastructure, file and folder naming conventions, and TTPs, suggesting possible collaboration, shared tooling, shared resources, or intelligence exchange among these groups. Based on the cited overlaps, MorLock-linked activity shares characteristics including use of Surfshark VPN infrastructure, VDSina-hosted infrastructure, the resocks utility, XenAllPasswordPro deployed in an "allinone2023" directory, SoftPerfect Network Scanner, PingCastle, LockBit 3.0, and Babuk. The broader campaign context in which MorLock is mentioned involves attacks against Russian businesses and government agencies, including organizations in mining, energy, finance, retail, and the public sector. No high-confidence attribution to a nation state is provided in the content, and MorLock is only described through these similarities rather than through a standalone profile.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they target

Geographies tied to known operations.

  • 🇷🇺 Russia
MITRE ATT&CK

Tradecraft

8 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

8 of 15 tactics15 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
1 technique
T1078
Valid Accounts
TA0003
Persistence
2 techniques
T1078
Valid Accounts
T1543
Create or Modify System Process
T1543.003
Windows Service
TA0004
Privilege Escalation
2 techniques
T1078
Valid Accounts
T1543
Create or Modify System Process
T1543.003
Windows Service
TA0005
Stealth
1 technique
T1078
Valid Accounts
TA0006
Credential Access
1 technique
T1555
Credentials from Password Stores
TA0007
Discovery
2 techniques
T1018
Remote System Discovery
T1046
Network Service Discovery
TA0011
Command and Control
2 techniques
T1090
Proxy
T1090.002
External Proxy
T1219
Remote Access Tools
TA0040
Impact
1 technique
T1486
Data Encrypted for Impact
ARSENAL

Associated malware families

6 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
ResocksResocks is a reverse SOCKS5 proxy for tunneling traffic.2Jun 14, 2026
XenAllPasswordProThe attackers employed the XenAllPasswordPro tool to harvest a range of authentication data from the target system.2Jun 14, 2026
BabukAs the final payload, the group used the well-known ransomware LockBit 3.0 and Babuk.1Jun 14, 2026
LockBitAs the final payload, the group used the well-known ransomware LockBit 3.0 and Babuk.1Jun 14, 2026
PingCastle"...utilities, including SoftPerfect Network Scanner, PingCastle..."1Mar 18, 2026

1 additional family tracked in Mallory.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
securelistNews
May 21, 2026
Analyzing the familiar tools used by the Crypt Ghouls hacktivists | Securelist

Group targeting Russia with a toolkit and infrastructure overlapping heavily with Crypt Ghouls, including shared utilities, ransomware families, naming conventions, and VPN/hosting providers.

Read more
security online infoNews
Oct 21, 2024
Supply Chain Weakness: Crypt Ghouls Exploit Contractors to Deploy Ransomware

Referenced as a related ransomware intrusion cluster with overlapping tooling, naming conventions, and infrastructure with Crypt Ghouls, suggesting possible resource sharing or collaboration.

Read more
the hacker newsNews
Oct 19, 2024
Crypt Ghouls Targets Russian Firms with LockBit 3.0 and Babuk Ransomware Attacks

Referenced as a separate group conducting similar recent campaigns targeting Russia with overlapping tools/infrastructure; no additional details provided in the content.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping8

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal6

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.