CatB
CatB is a ransomware family first observed in late 2022, also tracked as CatB99 or Baxtoy. Public reporting links CatB to the suspected Chinese espionage group ChamelGang (also called CamoFei): researchers attribute its use in late-2022 attacks on the Presidency of Brazil and India's All India Institute of Medical Sciences (AIIMS) to ChamelGang based on overlaps in code, staging mechanisms, certificates, strings, icons, and other malware artifacts. That reporting frames CatB as part of a pattern in which espionage-linked actors use ransomware for disruption, misattribution, evidence removal, and possible financial gain, particularly against government and critical-infrastructure targets.
Technically, CatB is delivered as a two-DLL chain. The initial dropper is a UPX-packed DLL named versions.dll, which drops a second DLL, oci.dll, as the payload. The dropper runs sandbox- and VM-evasion checks on the type and size of physical RAM, the type and size of physical disks, and on anomalous processor/core combinations. It then abuses DLL search-order hijacking (more precisely, phantom DLL loading) through the Microsoft Distributed Transaction Coordinator (MSDTC) service: the dropper writes oci.dll into C:\Windows\System32, changes the MSDTC service's permissions and startup parameters, kills msdtc.exe with taskkill.exe, and relies on the service restarting so that msdtc.exe loads the malicious oci.dll as the ransomware payload. The technique works because msdtc.exe attempts to load oci.dll (the Oracle Call Interface library, used for XA transaction support) but the file is not present on a default Windows install, so the first oci.dll found in the search path is loaded without any vulnerability in MSDTC itself. Writing into System32 and reconfiguring a service both require administrative rights, so the dropper must already be running elevated; the same facts make the hijack straightforward to hunt, because a System32\oci.dll, or an image load of that file by msdtc.exe, should not occur on a standard build.
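The MSDTC chain above leaves a small set of host observables: a file write of oci.dll into System32, a change to the MSDTC service configuration, a taskkill aimed at msdtc.exe, and finally msdtc.exe mapping the dropped DLL. The following Python is an added example for this page (not code from the CatB reporting, from the researchers cited here, or from Mallory) that scores Sysmon-style events for those observables. The event field names, the rule names, and every sample record are constructed for illustration and are assumptions about how a given pipeline lays out its telemetry.

```python
"""Hunt for the CatB MSDTC / oci.dll phantom-DLL chain in endpoint telemetry.

Added example for this page, not code from the CatB reporting or from Mallory.
Events are assumed to be Sysmon-style records already parsed into dicts; the
field names and every sample event below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed events modelled on Sysmon IDs 11 (FileCreate), 1 (ProcessCreate),
# 13 (RegistryValueSet) and 7 (ImageLoad). ws01 shows the full CatB chain;
# ws02 is ordinary taskkill noise and ws03 a legitimate Oracle client loading
# its own oci.dll from its install directory. Neither of the latter should fire.
SAMPLE_EVENTS = [
    {"id": 11, "host": "ws01", "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"C:\Windows\System32\oci.dll"},
    {"id": 13, "host": "ws01", "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\MSDTC\Start",
     "details": "DWORD (0x00000002)"},
    {"id": 1, "host": "ws01", "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill.exe /F /IM msdtc.exe"},
    {"id": 7, "host": "ws01", "image": r"C:\Windows\System32\msdtc.exe",
     "loaded": r"C:\Windows\System32\oci.dll", "signed": "false"},
    {"id": 1, "host": "ws02", "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /IM notepad.exe"},
    {"id": 7, "host": "ws03", "image": r"C:\Oracle\client\sqlplus.exe",
     "loaded": r"C:\Oracle\client\bin\oci.dll", "signed": "true"},
]

_OCI_IN_SYSTEM32 = re.compile(r"\\system32\\oci\.dll$", re.I)
_TASKKILL_MSDTC = re.compile(r"taskkill(\.exe)?\b.*\bmsdtc(\.exe)?\b", re.I)
_MSDTC_SVC_KEY = re.compile(r"\\services\\msdtc\\(start|imagepath)$", re.I)
_MSDTC_EXE = re.compile(r"\\msdtc\.exe$", re.I)


def rule_oci_dropped(ev):
    """oci.dll written into System32. Nothing ships this file there by default;
    MSDTC only looks for it, so the write is the first observable of the hijack."""
    return ev["id"] == 11 and bool(_OCI_IN_SYSTEM32.search(ev.get("target", "")))


def rule_msdtc_killed(ev):
    """taskkill aimed at msdtc.exe, the step that forces the service restart."""
    return ev["id"] == 1 and bool(_TASKKILL_MSDTC.search(ev.get("cmdline", "")))


def rule_msdtc_reconfigured(ev):
    """Start type or ImagePath of the MSDTC service changed by something other
    than the Service Control Manager itself."""
    return (ev["id"] == 13
            and bool(_MSDTC_SVC_KEY.search(ev.get("target", "")))
            and not ev.get("image", "").lower().endswith(r"\services.exe"))


def rule_oci_loaded_by_msdtc(ev):
    """msdtc.exe mapped an oci.dll from System32: the hijack actually fired."""
    return (ev["id"] == 7
            and bool(_MSDTC_EXE.search(ev.get("image", "")))
            and bool(_OCI_IN_SYSTEM32.search(ev.get("loaded", ""))))


RULES = {
    "oci_dropped": rule_oci_dropped,
    "msdtc_killed": rule_msdtc_killed,
    "msdtc_reconfigured": rule_msdtc_reconfigured,
    "oci_loaded_by_msdtc": rule_oci_loaded_by_msdtc,
}


def evaluate(events):
    """Return {host: set of rule names that fired} across the event stream."""
    hits = defaultdict(set)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[ev["host"]].add(name)
    return dict(hits)


def hosts_to_triage(events, min_rules=2):
    """Hosts where at least min_rules stages fired, or where one of the two
    strong rules fired on its own. A lone taskkill is too noisy to page on."""
    strong = {"oci_dropped", "oci_loaded_by_msdtc"}
    return sorted(host for host, fired in evaluate(events).items()
                  if len(fired) >= min_rules or fired & strong)


if __name__ == "__main__":
    for host, fired in evaluate(SAMPLE_EVENTS).items():
        print(host, sorted(fired))
    print("triage:", hosts_to_triage(SAMPLE_EVENTS))
```

A legitimate Oracle client does ship an oci.dll, but in its own installation directory, which is why the rules key on the System32 path and on the loading process rather than on the filename alone. On a host that genuinely has Oracle tooling installed, confirm the signature and hash of any System32\oci.dll before escalating, and remember that the service-configuration rule is only as good as the registry auditing you have enabled for the MSDTC key.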
CatB encrypts selected local data, by default targeting C:\Users and the D: through I: volumes, while skipping files with the .msi, .dll, .sys, and .iso extensions and the NTUSER.DAT registry hive. Unlike many ransomware families, it typically does not drop a separate ransom note, change the desktop wallpaper, or append a new extension; instead, it writes the ransom note into the beginning of each encrypted file, so encrypted files keep their original names and can only be recognised by inspecting their contents. The note instructs victims to contact the operators at catB9991@protonmail.com; some November 2022 samples used fishA001@protonmail.com, and some variants contained both addresses. The note includes the Bitcoin wallet bc1qakuel0s4nyge9rxjylsqdxnn9nvyhc2z6k27gz, states that the ransom increases daily for five days, and threatens permanent data loss after that period. CatB also drops a key file in C:\Users\Public\ intended to serve as a victim identifier.
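Because the note is prepended and no extension is added, a scope assessment cannot rely on filenames; it has to read file headers. The following Python is an added example for this page (not code from the CatB reporting or from Mallory) that sweeps a directory tree, reads only the first few kilobytes of each file, and flags files whose header carries more than one of the note strings quoted above. The exact note layout is not reproduced here, the marker set and the two-marker threshold are assumptions, and the sample files are constructed in a temporary directory.

```python
"""Find CatB-encrypted files by their header, since the note is prepended and
no extension is added.

Added example for this page, not code from the CatB reporting or from Mallory.
The marker strings are the contact addresses and wallet quoted on the page;
the note layout is not reproduced and the fixture files are constructed.
"""
import os
import tempfile

# Strings from the page's description of the note. Requiring more than one
# keeps a file that merely mentions an address (an IR ticket, say) from
# being flagged.
NOTE_MARKERS = (
    b"catB9991@protonmail.com",
    b"fishA001@protonmail.com",
    b"bc1qakuel0s4nyge9rxjylsqdxnn9nvyhc2z6k27gz",
)
# CatB skips these, so they are not worth reading during a sweep.
SKIPPED_SUFFIXES = (".msi", ".dll", ".sys", ".iso")
SKIPPED_NAMES = ("ntuser.dat",)
HEADER_BYTES = 4096  # the note sits at offset 0, so a short read is enough


def looks_like_catb_header(head, min_markers=2):
    """True when at least min_markers note strings appear in the file header."""
    found = sum(1 for marker in NOTE_MARKERS if marker in head)
    return found >= min_markers


def scan_tree(root):
    """Walk root, read only the first HEADER_BYTES of each candidate file and
    return the paths whose header looks like a prepended CatB note. Unreadable
    files are skipped rather than aborting the sweep."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower.endswith(SKIPPED_SUFFIXES) or lower in SKIPPED_NAMES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(HEADER_BYTES)
            except OSError:
                continue
            if looks_like_catb_header(head):
                hits.append(path)
    return sorted(hits)


def build_sample_tree(root):
    """Constructed fixture: one 'encrypted' document with a fake note
    prepended, one clean note file that mentions a single address, and two
    files CatB would have skipped even though they carry the markers.
    Returns the paths the scan is expected to report."""
    note = (b"Your files are encrypted. Contact catB9991@protonmail.com or "
            b"fishA001@protonmail.com. Pay to "
            b"bc1qakuel0s4nyge9rxjylsqdxnn9nvyhc2z6k27gz. "
            b"The price rises every day for five days.\n")
    files = {
        "report.docx": note + os.urandom(512),  # encrypted document: hit
        "notes.txt": b"ticket: saw catB9991@protonmail.com in a sample\n",
        "lib.dll": note + b"MZ",                 # excluded extension
        "NTUSER.DAT": note,                      # excluded name
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return [os.path.join(root, "report.docx")]


def demo():
    """Build the fixture in a temp dir, scan it and return (expected, found)
    as names relative to the temp dir so the result is stable across hosts."""
    with tempfile.TemporaryDirectory() as tmp:
        expected = [os.path.relpath(p, tmp) for p in build_sample_tree(tmp)]
        found = [os.path.relpath(p, tmp) for p in scan_tree(tmp)]
    return expected, found


if __name__ == "__main__":
    print(demo())
```

Marker strings vary between samples (the page itself notes two different contact addresses), so before running this across a fleet, pull the note text from a file recovered on the affected host and use those strings rather than this list. Reading only the header keeps the sweep cheap enough to run over user profiles and data volumes, which is where CatB's default targeting puts the damage.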
Beyond encryption, CatB attempts to steal data from Mozilla Firefox, Google Chrome, Microsoft Edge, Internet Explorer, and Windows Mail. Reported targeted data includes bookmarks, blocklists, crash logs, browsing history, profile data, autofill data, environment/settings data, browser session keys, and Windows Mail profile data under AppData\Local\Microsoft\Windows Mail. Researchers also noted similarities between CatB and Pandora ransomware, suggesting CatB may be a rebrand or evolution of Pandora.
Groups observed using it
2 distinct threat actors attributed by public researchers.
We discovered strong indicators pointing to these institutions as being targeted using ChamelGang’s CatB ransomware.
"Its ransomware payload, known as CatB, had been signed with the same coolschool certificate."
Techniques & procedures
12 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
1 technique
The malware then abuses the MSDTC service, manipulating the permissions and startup parameters. As a result, the system will inject the malicious oci.dll into the service’s executable (msdtc.exe) when the MSDTC service is restarted. | Upon execution, CatB payloads rely on DLL search order hijacking to drop and load the malicious payload. The dropper (versions.dll) drops the payload (oci.dll) into the System32 directory.
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
5 techniques
First, the dropper is distributed in the form of a UPX-packed DLL (versions.dll). This dropper deposits the second DLL payload (oci.dll) onto the target host.
The ChamelGang group repeatedly deployed ransomware and encryptors “for the purposes of financial gain, disruption, distraction, misattribution, or removal of evidence” ... The specific use of ransomware also allows APT groups to destroy evidence of their espionage efforts and force organizations to focus on data restoration instead of investigating how hackers gained initial entry.
CatB performs three primary checks in an attempt to determine if the payload is being executed within a virtual environment. These are direct checks for type and size of physical RAM, type and size of physical hard disks, and checking for odd or anomalous combinations of processors and cores.
The malware then abuses the MSDTC service, manipulating the permissions and startup parameters. As a result, the system will inject the malicious oci.dll into the service’s executable (msdtc.exe) when the MSDTC service is restarted. | Upon execution, CatB payloads rely on DLL search order hijacking to drop and load the malicious payload. The dropper (versions.dll) drops the payload (oci.dll) into the System32 directory.
Credential Access
2 techniques
Discovery
2 techniques
CatB performs three primary checks in an attempt to determine if the payload is being executed within a virtual environment. These are direct checks for type and size of physical RAM, type and size of physical hard disks, and checking for odd or anomalous combinations of processors and cores.
Collection
1 technique
Impact
2 techniques
Threat actors in the cyberespionage ecosystem are engaging in an increasingly disturbing trend of using ransomware as a final stage in their operations for the purposes of financial gain, disruption, distraction, misattribution, or removal of evidence. | We discovered strong indicators pointing to these institutions as being targeted using ChamelGang’s CatB ransomware.
Recent activity
6 sources tracked across advisories, community write-ups, and news.
Ransomware payload attributed by TeamT5 to the China-linked group CamoFei; notable for being signed with the stolen 'coolschool' certificate also seen in later Warlock-adjacent tooling.
Ransomware associated with ChamelGang and used in attacks against the Presidency of Brazil and India’s AIIMS.
Ransomware described in the source as abusing DLL hijacking (the MSDTC oci.dll phantom-DLL load) for improved concealment.
Ransomware used in the 2022 attacks on the Presidency of Brazil and the All India Institute of Medical Sciences (AIIMS), attributed by the researchers to ChamelGang based on malware code overlaps with other tools used by the group.