Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to malware
MalwareRansomwareUsed by 1 actor

MrAgent

MrAgent is a management, deployment, and persistence utility used by the RansomHouse ransomware-as-a-service operation, also associated in the provided content with Jolly Scorpius. It is used alongside the Mario ESXi ransomware and is designed to automate and track ransomware deployment at scale, particularly across VMware ESXi hypervisors and virtualized environments; the content also states it has been used to target both Windows and Linux-based systems. Reported behavior includes establishing persistent connections to attacker command-and-control servers, identifying hosts, retrieving local IP and host inventory, collecting hypervisor and virtual machine information, disabling the ESXi firewall, executing received commands, and orchestrating Mario ransomware execution to encrypt critical VM files. Described C2 communications use JSON over sockets with a passphrase and heartbeat messages, and documented commands include info, config, exec, run, remove, abort, abort_f, quit, and welcome. The content further notes that Exec-related actions can include changing the root password, stopping vCenter remote management via /etc/init.d/vpxa stop, and starting VM encryption. A Windows variant with broadly similar logic is also described, with some ESXi-specific functionality removed and several functions implemented through PowerShell, including log clearing and file removal. MrAgent is central to large-scale attacks against ESXi infrastructure, which RansomHouse affiliates target to encrypt many virtual machines simultaneously. Associated indicators explicitly mentioned in the content are the ESXi MrAgent SHA-256 8189c708706eb7302d7598aeee8cd6bdb048bf1a6dbe29c59e50f0a39fd53973 and the Windows MrAgent SHA-256 bfc9b956818efe008c2dbf621244b6dc3de8319e89b9fa83c9e412ce70f82f2c.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
RansomHouse

RansomHouse is a sophisticated ransomware-as-a-service (RaaS) group known for deploying a unique ransomware variant called Mario ESXi, whose code shares lineage with the leaked Babuk ransomware source code, alongside a tool called MrAgent to target both Windows and Linux-based virtualized environments.

via cyber security newscybersecuritynews.com
MITRE ATT&CK

Techniques & procedures

10 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1078Valid AccountsEvidence2

The group typically targets VMware ESXi infrastructure and exploits weak domain credentials and monitoring systems to gain privileged access.

T1190Exploit Public-Facing ApplicationEvidence1

“The threat actor eventually revealed the attack on the victim's network started with an exploit in CITRIX remote access software…” / “Exploit Public-Facing Application Initial compromise through an exploit in Citrix”

Execution

1 technique
T1059Command and Scripting InterpreterEvidence1

“Run… used to run arbitrary commands on the ESXi host… written to the file ‘./shmv’ … executed.” / “several functions… replaced by PowerShell alternatives… wevtutil… Remove-Item… Get-WmiObject…”

Persistence

2 techniques
T1078Valid AccountsEvidence2

The group typically targets VMware ESXi infrastructure and exploits weak domain credentials and monitoring systems to gain privileged access.

T1098Account ManipulationEvidence1

“When configured to do so; the binary will start by changing the root password of the local hypervisor.”

Privilege Escalation

2 techniques
T1078Valid AccountsEvidence2

The group typically targets VMware ESXi infrastructure and exploits weak domain credentials and monitoring systems to gain privileged access.

T1098Account ManipulationEvidence1

“When configured to do so; the binary will start by changing the root password of the local hypervisor.”

Stealth

3 techniques
T1070.004File DeletionEvidence1

“Remove… remove a file… ‘rm -rf FILE’” / “Files are removed… PowerShell Remove-Item” / “Quit… kill and remove the binary… ‘rm -f’”

T1078Valid AccountsEvidence2

The group typically targets VMware ESXi infrastructure and exploits weak domain credentials and monitoring systems to gain privileged access.

T1497.001System ChecksEvidence1

The group typically targets VMware ESXi infrastructure ... alongside a tool called MrAgent to target both Windows and Linux-based virtualized environments.

Discovery

2 techniques
T1016System Network Configuration DiscoveryEvidence1

“Retrieve the local IP address… Retrieve the MAC address…” / “System Network Configuration Discovery Retrieves MAC and IP address…”

T1497.001System ChecksEvidence1

The group typically targets VMware ESXi infrastructure ... alongside a tool called MrAgent to target both Windows and Linux-based virtualized environments.

Lateral Movement

1 technique
T1210Exploitation of Remote ServicesEvidence1

“…started with an exploit in CITRIX remote access software and VMware ESXi infrastructure… They exploited vulnerabilities in the virtualisation servers…”

Command and Control

1 technique
T1071Application Layer ProtocolEvidence1

“Messages to and from the command & control server are transmitted as JSON encoded strings…” / “Application Layer Protocol Utilized MrAgent for bot communication”

Other

1 technique
T1562.004Disable or Modify System FirewallEvidence1

“Disable the ESXi firewall by executing the command ‘esxcli network firewall set --enabled false’”

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app
cyber security newsNews
May 8, 2026
Trellix Breach - RansomHouse Claims Access to Parts of Source Code

A tool used alongside Mario ESXi to target Windows and Linux-based virtualized environments.

Read more
cso onlineNews
Jan 7, 2026
Neue Ransomware-Bedrohung zielt auf deutsche Unternehmen

MrAgent is a tool used by the Ransomhouse group to automate attacks on VMware ESXi hypervisors, enabling rapid and large-scale encryption of virtualized environments.

Read more
polyswarmNews
Dec 29, 2025
RansomHouse Upgrades Its Encryption

MrAgent is a management utility used by the RansomHouse operation to establish persistent C2 connections on compromised ESXi hosts, automate deployment of ransomware payloads (such as Mario), and execute system commands for lateral movement and persistence.

Read more
cso onlineNews
Dec 22, 2025
Think you can beat ransomware? RansomHouse just made it a lot harder

MrAgent is a deployment and persistence utility used by RansomHouse to facilitate ransomware deployment and maintain access within compromised environments, particularly targeting virtual infrastructure.

Read more
+4 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping10

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.