Makop
Makop is a human-operated ransomware strain first observed around 2020 and generally treated as a variant derived from the Phobos ransomware family. The reporting summarized here describes Makop as a ransomware-as-a-service-style variant open to multiple threat actors and notes similarities to Dharma, Phobos, and Waiting. It has been associated with compromises of organizations in Europe and Italy, and more recent telemetry cited in that reporting shows a high concentration of observed attacks in India, with additional victims in Brazil, Germany, South Korea, and the United States water and wastewater sector.
The primary initial access vector repeatedly cited is exposed Remote Desktop Protocol (RDP). Makop operators are described as exploiting publicly exposed and insecure RDP services and using brute-force or dictionary attacks against weak or reused credentials; one report specifically observed use of NLBrute v1.2 for large-scale RDP password guessing. Reporting also notes a shift in South Korea from earlier delivery via fake resumes or copyright-themed emails to RDP-focused intrusions. Makop attacks are characterized as hands-on-keyboard intrusions in which operators stage tooling, perform network scanning and lateral movement, dump credentials, evade defenses, escalate privileges, and then deploy the encryptor.
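Because exposed RDP with weak or reused credentials is the access vector cited most often for Makop, the first thing a defender wants is a detection for the password-guessing burst that precedes the hands-on-keyboard phase. The following is an added example, not code from the original page or from any vendor cited on it. It assumes Windows Security log events have already been parsed into dicts with the fields used below (a SIEM or log-shipper pipeline would supply them); the sample events, addresses and usernames are constructed. Event IDs 4625 (failed logon) and 4624 (successful logon) and logon types 10 (RemoteInteractive, i.e. RDP) and 3 (Network, which is how NLA pre-authentication failures appear) are standard Windows values.

```python
"""Detect RDP password-guessing bursts in parsed Windows Security log events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPES = {3, 10}       # 10 = RemoteInteractive (RDP), 3 = Network (NLA pre-auth failures)
WINDOW = timedelta(minutes=5)   # sliding window per source address
FAIL_THRESHOLD = 5              # failures inside the window that count as a burst

# Constructed sample: 203.0.113.7 works through a short password list against three
# accounts and then logs in; 198.51.100.9 is ordinary mistyped-password noise;
# the logon-type-2 event is a console logon and is ignored.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T02:00:00", "event_id": 4625, "logon_type": 3, "src": "203.0.113.7", "user": "Administrator"},
    {"ts": "2024-03-01T02:00:10", "event_id": 4625, "logon_type": 3, "src": "203.0.113.7", "user": "Administrator"},
    {"ts": "2024-03-01T02:00:20", "event_id": 4625, "logon_type": 3, "src": "203.0.113.7", "user": "admin"},
    {"ts": "2024-03-01T02:00:30", "event_id": 4625, "logon_type": 3, "src": "203.0.113.7", "user": "admin"},
    {"ts": "2024-03-01T02:00:40", "event_id": 4625, "logon_type": 3, "src": "203.0.113.7", "user": "backup"},
    {"ts": "2024-03-01T02:00:50", "event_id": 4625, "logon_type": 3, "src": "203.0.113.7", "user": "backup"},
    {"ts": "2024-03-01T02:01:10", "event_id": 4624, "logon_type": 10, "src": "203.0.113.7", "user": "backup"},
    {"ts": "2024-03-01T02:30:00", "event_id": 4625, "logon_type": 2, "src": "10.0.0.5", "user": "jdoe"},
    {"ts": "2024-03-01T03:00:00", "event_id": 4625, "logon_type": 10, "src": "198.51.100.9", "user": "jdoe"},
    {"ts": "2024-03-01T03:00:30", "event_id": 4625, "logon_type": 10, "src": "198.51.100.9", "user": "jdoe"},
    {"ts": "2024-03-01T03:01:00", "event_id": 4624, "logon_type": 10, "src": "198.51.100.9", "user": "jdoe"},
]


def detect_rdp_bruteforce(events, window=WINDOW, fail_threshold=FAIL_THRESHOLD):
    """Return findings: one 'rdp_bruteforce' per source that crosses the threshold,
    plus a 'success_after_bruteforce' for any logon that succeeds while the
    source still has a burst inside the window (probable credential compromise)."""
    findings = []
    recent = defaultdict(deque)   # src -> deque of (timestamp, user) failures in window
    reported = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ts, src = datetime.fromisoformat(ev["ts"]), ev["src"]
        q = recent[src]
        while q and ts - q[0][0] > window:   # expire failures older than the window
            q.popleft()
        if ev["event_id"] == 4625:
            q.append((ts, ev["user"]))
            if src not in reported and len(q) >= fail_threshold:
                reported.add(src)
                findings.append({
                    "type": "rdp_bruteforce", "src": src, "failures": len(q),
                    "distinct_users": len({u for _, u in q}),
                    "first": q[0][0].isoformat(), "last": ts.isoformat(),
                })
        elif ev["event_id"] == 4624 and len(q) >= fail_threshold:
            findings.append({"type": "success_after_bruteforce", "src": src,
                             "user": ev["user"], "at": ts.isoformat(),
                             "preceding_failures": len(q)})
    return findings


if __name__ == "__main__":
    for finding in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(finding)
```

The second finding type is the one worth paging on: a success from a source that was guessing moments earlier is the point at which an RDP intrusion of the kind described above starts. Logon type 3 failures also cover SMB and other network logons, so in production the threshold should be tuned per environment and the events correlated with the RDP listener (or NLA failures specifically) to keep noise down.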
Makop operators use a mix of custom-developed and off-the-shelf tools. Custom tools directly mentioned include ARestore, a .NET executable used after initial access to generate and test local Windows credential combinations, and PuffedUp (identified as data.exe), a persistence utility that establishes a Windows RUN registry key and reads configuration data from a local text file. During recent intrusions, PuffedUp was paired with another executable named c.exe that attackers later deleted. Off-the-shelf and legitimate tools observed with Makop include PsExec, PuTTY, Mimikatz, LaZagne, NetPass, Process Hacker, IOBit Unlocker, Advanced Port Scanner, Advanced IP Scanner/NetScan, Masscan, Everything, Defender Control, Disable Defender, and YDArk. Process Hacker is specifically described as a favored tool of Makop operators.
The malware’s operational behavior includes credential theft, local and network discovery, lateral movement, persistence, and defense evasion. Makop operators have used brute-force utilities such as CrackAccount and AccountRestore, abused legitimate applications to terminate processes and delete programs, and in some cases stopped attacks when their tooling was detected. Reporting also describes use of VMProtect-packed variants of tools to bypass detections and tailored uninstallers to remove Quick Heal AV. Persistence through a RUN registry key is explicitly attributed to PuffedUp.
Defense evasion and privilege escalation are prominent in the reporting. Makop operators are described as disabling Microsoft Defender, using BYOVD techniques with vulnerable drivers including hlpdrv.sys and ThrottleStop.sys, and leveraging YDArk for kernel-level process hiding and potential EDR evasion. Multiple Windows local privilege escalation exploits are listed in observed Makop attacks, including CVE-2016-0099, CVE-2017-0213, CVE-2018-8639, CVE-2019-1388, CVE-2020-0787, CVE-2020-0796, CVE-2020-1066, CVE-2021-41379, and CVE-2022-24521, with CVE-2017-0213, CVE-2018-8639, CVE-2021-41379, and CVE-2016-0099 noted as especially frequent in telemetry.
Makop is reported to have evolved by incorporating GuLoader and BYOVD-based EDR-killer capabilities in attacks against RDP-exposed networks. Acronis described this as the first documented case of Makop being distributed via a loader, with GuLoader used to deliver additional payloads including Makop ransomware payloads.
Makop has also been referenced in critical infrastructure incidents. In September 2020, personnel at a New Jersey-based water and wastewater system facility discovered that potential Makop ransomware had compromised files within their system. AhnLab also identified Makop attacks targeting South Korean users via RDP.
Family and variant relationships are explicitly mentioned. Makop is described as derived from Phobos, and CYFIRMA identified Ndm448 as a ransomware strain belonging to the Makop family. Reporting also notes that more than 350 new ransomware strains discovered in 2025 were mostly based on the MedusaLocker, Chaos, and Makop families.
Indicators and filenames directly mentioned in the reporting include ARestore.exe (MD5: 7f86b67ac003eda9d2929c9317025013), data.exe / PuffedUp (MD5: e245f8d129e8eadb00e165c569a14b71), Advanced_Port_Scanner_2.5.3869.exe (MD5: 6A58B52B184715583CDA792B56A0A1ED), Everything.exe (MD5: b69d036d1dcfc5c0657f3a1748608148), and YDArk.exe (MD5: 9fd28d2318f66e4fe37a9a5bc1637928). Observed Makop encryptor filenames include bug_osn.exe, bug_hand.exe, 1bugbug.exe, bugbug.exe, taskmgr.exe, mc_osn.exe, mc_hand.exe, and dot-prefixed variants such as .taskmgr.exe. Tool staging locations mentioned include \tsclient\ shares, Music, Downloads, Desktop, Documents, and the root of C:, with subfolder names such as Bug or Exp.
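The tooling, persistence, BYOVD and staging details in the preceding paragraphs, together with the indicators just listed, translate directly into host-level hunt rules. The following is an added example, not code from the original page or from any vendor it cites. It runs a small rule set over EDR-style events that have already been normalised into dicts (process creation, registry write, driver load); the hashes, encryptor filenames, driver names, RUN-key persistence and staging folders come from the page, while the sample events, hostnames, user names and the `hunt`/`check_*` function names are constructed. The rule that treats taskmgr.exe outside System32/SysWOW64 as suspicious is this example's own assumption, since the page lists the name without a path.

```python
"""Host-based hunt for Makop tooling, staging and persistence artefacts."""
import re

# Indicators quoted on the page (MD5s compared case-insensitively).
TOOL_HASHES = {
    "7f86b67ac003eda9d2929c9317025013": "ARestore.exe (credential tester)",
    "e245f8d129e8eadb00e165c569a14b71": "data.exe / PuffedUp (persistence)",
    "6a58b52b184715583cda792b56a0a1ed": "Advanced_Port_Scanner_2.5.3869.exe",
    "b69d036d1dcfc5c0657f3a1748608148": "Everything.exe",
    "9fd28d2318f66e4fe37a9a5bc1637928": "YDArk.exe",
}
# Encryptor filenames listed on the page; dot-prefixed variants are handled in check_process.
ENCRYPTOR_NAMES = {"bug_osn.exe", "bug_hand.exe", "1bugbug.exe", "bugbug.exe",
                   "taskmgr.exe", "mc_osn.exe", "mc_hand.exe"}
# Vulnerable drivers the page names for BYOVD EDR evasion.
VULN_DRIVERS = {"hlpdrv.sys", "throttlestop.sys"}
# Staging: Bug/Exp subfolders (under user folders or C:\) and \tsclient\ RDP shares.
STAGING_SUBDIR = re.compile(r"\\(bug|exp)\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(\\|$)", re.I)
SYSTEM_DIRS = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """Rules for a process-creation event: tool hash, encryptor name, staging path."""
    path, name = ev["image"], _basename(ev["image"])
    hits = []
    md5 = ev.get("md5", "").lower()
    if md5 in TOOL_HASHES:
        hits.append(("high", "known Makop tool hash: " + TOOL_HASHES[md5]))
    base = name[1:] if name.startswith(".") else name   # ".taskmgr.exe" -> "taskmgr.exe"
    # Assumption of this example: the genuine taskmgr.exe lives in System32/SysWOW64,
    # so that name only counts as an encryptor indicator outside those folders.
    if base in ENCRYPTOR_NAMES and not (base == "taskmgr.exe" and SYSTEM_DIRS.match(path)):
        hits.append(("high", "encryptor filename " + name))
    if "\\tsclient\\" in path.lower():
        hits.append(("medium", "executable launched from \\tsclient\\ RDP share"))
    elif STAGING_SUBDIR.search(path):
        hits.append(("medium", "executable launched from Bug/Exp staging folder"))
    return hits


def check_registry(ev):
    """RUN-key writes: PuffedUp (data.exe) is described as persisting this way."""
    if not RUN_KEY.search(ev["key"]):
        return []
    target = ev.get("data", "")
    if _basename(target) == "data.exe":
        return [("high", "Run key points at data.exe (PuffedUp-style persistence)")]
    if "\\tsclient\\" in target.lower() or STAGING_SUBDIR.search(target):
        return [("medium", "Run key points into a staging location")]
    return []


def check_driver(ev):
    """Driver-load events: the named drivers are abused for BYOVD, so any load is a hit."""
    name = _basename(ev["image"])
    return [("high", "vulnerable driver loaded (BYOVD): " + name)] if name in VULN_DRIVERS else []


CHECKS = {"process": check_process, "registry": check_registry, "driver": check_driver}


def hunt(events):
    """Run every rule over normalised events; return one finding dict per hit."""
    findings = []
    for ev in events:
        for severity, reason in CHECKS.get(ev["type"], lambda e: [])(ev):
            findings.append({"host": ev["host"], "severity": severity, "reason": reason,
                             "evidence": ev.get("image") or ev.get("key")})
    return findings


# Constructed sample telemetry from one host. Everything.exe by name alone is not
# flagged: it is a legitimate search tool, so only its listed hash is an indicator.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01", "image": "C:\\Users\\alice\\Downloads\\Bug\\ARestore.exe",
     "md5": "7F86B67AC003EDA9D2929C9317025013"},
    {"type": "process", "host": "WS01", "image": "C:\\Windows\\System32\\taskmgr.exe", "md5": "0" * 32},
    {"type": "process", "host": "WS01", "image": "C:\\Users\\alice\\Music\\.taskmgr.exe", "md5": "1" * 32},
    {"type": "registry", "host": "WS01", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc",
     "data": "C:\\Users\\alice\\Music\\data.exe"},
    {"type": "driver", "host": "WS01", "image": "C:\\Windows\\Temp\\ThrottleStop.sys"},
    {"type": "process", "host": "WS01", "image": "\\\\tsclient\\C\\Exp\\pr.exe", "md5": "2" * 32},
    {"type": "process", "host": "WS01", "image": "C:\\Program Files\\Everything\\Everything.exe", "md5": "3" * 32},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["severity"], finding["reason"], "<-", finding["evidence"])
```

Hash matches are the only rule here that identifies a specific sample; the name, path, RUN-key and driver rules describe behaviour the page attributes to Makop operators and will also fire on other intrusions that stage tools the same way, which is what you want from a hunt rather than a signature. A driver-load hit on either named driver is worth treating as high severity on its own, because the page describes those loads as the step that disables security tooling.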
Vulnerabilities exploited
10 CVEs correlated with this family across public research and vendor advisories.
“Multiple local privilege escalation (LPE) vulnerabilities… CVE-2020-0796 …”
“Multiple local privilege escalation (LPE) vulnerabilities… CVE-2020-1066 …”
“Multiple local privilege escalation (LPE) vulnerabilities… CVE-2020-0787 …”
“Multiple local privilege escalation (LPE) vulnerabilities… CVE-2017-0213 … In our telemetry… CVE-2017-0213… [was] among the most frequently used…”
“Multiple local privilege escalation (LPE) vulnerabilities… CVE-2018-8639 … In our telemetry… CVE-2018-8639… [was] among the most frequently used…”
“Multiple local privilege escalation (LPE) vulnerabilities… CVE-2021-41379 … In our telemetry… CVE-2021-41379… [was] among the most frequently used…”
“ThrottleStop.sys is a legitimate, signed driver… The ThrottleStop vulnerability (CVE-2025-7771) comes from the way the driver handles memory access. Attackers can exploit this to gain control, ultimately leading to disabling security tools.”
“Multiple local privilege escalation (LPE) vulnerabilities… CVE-2019-1388 …”
“Multiple local privilege escalation (LPE) vulnerabilities… CVE-2022-24521 …”
“Multiple local privilege escalation (LPE) vulnerabilities… CVE-2016-0099 … In our telemetry… CVE-2017-0213, CVE-2018-8639, CVE-2021-41379 and CVE-2016-0099 were among the most frequently used…”
Groups observed using it
1 distinct threat actor attributed by public researchers.
Insights from a recent intrusion authored by Makop ransomware operators show persistence capability through dedicated .NET tools. Makop toolkit includes both off-the-shelf tools and custom-developed ones, including tools from the Chinese underground ecosystem.
Techniques & procedures
11 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (1 technique)
Stealth (3 techniques)
Discovery (5 techniques)
“Discovery T1057 Process Discovery” (Ndm448 list) and also present in UNC3886 list.
“Discovery T1083 File and Directory Discovery” (Ndm448 list) and narrative describing rapid traversal of user/system directories prior to encryption.
“Discovery T1135 Network Share Discovery” (Ndm448 list) and description: “full file encryption across local and accessible network drives”.
Impact (2 techniques)
Recent activity
13 sources tracked across advisories, community write-ups, and news.
Ransomware family cited as using Process Hacker to support attack activity.
Ransomware family associated with enterprise-targeted operations and double-extortion tradecraft; Ndm448 is described as aligning with Makop behaviors such as rapid encryption, directory enumeration, and recovery inhibition (shadow copy deletion).
Ransomware family observed exploiting exposed/insecure RDP for access and staging tools for scanning, privilege escalation, defense evasion (including BYOVD), credential dumping, and deployment; noted as first documented case of Makop being distributed via a loader (GuLoader).
Ransomware family referenced as a frequent base/lineage for newly discovered strains in 2025.