
Malware Activity
Advancements in Ransomware and Malware Campaigns
Recent developments in cybercrime show that ransomware groups like RansomHouse are continuously enhancing their tools to evade detection and increase their destructive potential. Their latest encryption method, called ‘Mario,’ uses a two-step process with multiple keys, making it much harder for security experts to reverse-engineer or decrypt data. The upgrade also processes files differently depending on their size, adding complexity and further challenging static analysis. Meanwhile, cybersecurity researchers have identified two highly sophisticated malware campaigns. CountLoader, a stealthy loader, spreads through cracked software and USB drives and executes malicious tools while avoiding detection by operating in memory. GachiLoader, distributed via compromised YouTube accounts, employs obfuscation and anti-security tricks to deliver additional malware, such as info stealers. These evolving threats underline the need for organizations to implement strong, layered security measures and stay alert to new, advanced attack methods. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- BleepingComputer: RansomHouse Upgrades Encryption With Multi-Layered Data Processing
- TheHackerNews: Cracked Software And YouTube Videos Spread CountLoader And GachiLoader Malware
Threat Actor Activity
RansomHouse RaaS Group Enhances Its Ransomware Encryptor, Dubbed “Mario”
RansomHouse, a ransomware-as-a-service (RaaS) operation, has enhanced its encryptor from a single-phase linear technique to a more complex, multi-layered method, as detailed by Palo Alto Networks Unit 42. This upgrade provides stronger encryption, faster speeds, and improved reliability in modern environments, boosting threat actors’ leverage during negotiations. Initially launched in December 2021 as a data extortion group, RansomHouse later integrated encryptors into its attacks and developed the MrAgent tool to lock multiple VMware ESXi hypervisors simultaneously. The latest encryptor variant, dubbed ‘Mario,’ employs a two-stage transformation with a 32-byte primary key and an 8-byte secondary key, increasing encryption entropy and complicating partial data recovery. It also introduces dynamic chunk sizing at an 8GB threshold with intermittent encryption, complicating static analysis due to non-linearity and complex math determining processing order. Additionally, ‘Mario’ enhances memory layout and buffer organization, using multiple dedicated buffers for each encryption stage. The upgraded version provides detailed file processing information and continues targeting VM files, renaming encrypted files with the ‘.emario’ extension and leaving ransom notes. Although RansomHouse remains mid-tier in attack volume, its advanced tooling development indicates a strategic focus on efficiency and evasion, posing a growing challenge for decryption and static analysis.
Vulnerabilities
Critical UEFI DMA Bypass Flaw Exposes Systems to Pre-Boot Memory Attacks
Researchers have disclosed a critical UEFI firmware vulnerability affecting various motherboards from ASUS, Gigabyte, MSI, and ASRock that allows direct memory access (DMA) attacks to bypass early-boot memory protections, potentially enabling malicious code to compromise systems before the operating system loads. Tracked under multiple CVEs (CVE-2025-11901, CVE-2025-14302, CVE-2025-14303, and CVE-2025-14304) due to vendor implementation differences, the flaw stems from UEFI firmware incorrectly reporting that DMA protections are enabled even when the IOMMU (a hardware memory firewall designed to restrict device access to RAM) fails to initialize during early boot. Discovered by Riot Games researchers Nick Peterson and Mohamed Al-Sharifi and coordinated with CERT Taiwan, the issue allows an attacker with physical access to connect a malicious PCIe device that reads or modifies system memory before OS-level safeguards activate, leaving no alerts, prompts, or logs for detection. While Riot Games highlighted the risk in the context of kernel-level game cheats (causing its Vanguard anti-cheat to block Valorant from launching on vulnerable systems), the underlying exposure extends to broader security threats capable of fully compromising the operating system. Carnegie Mellon’s CERT/CC confirmed broad impact across multiple vendors and warned that exploitation occurs in the system’s most privileged state, underscoring the importance of applying the vendor firmware updates promptly after backing up data.
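As an added defender-side check (written for this briefing, not code from the researchers, CERT/CC or any vendor), the script below cross-checks the firmware's DMA-protection claim against whether the running Linux kernel actually has an IOMMU active, which is the mismatch the flaw described above produces. It assumes an Intel VT-d platform where the claim is carried by the DMA_CTRL_PLATFORM_OPT_IN flag in the ACPI DMAR table, and reading /sys/firmware/acpi/tables/DMAR requires root; AMD (IVRS) platforms are not covered. A mismatch is a heuristic indicator for this class of firmware bug, not a confirmation of any of the listed CVEs.

```python
import os
import struct

# ACPI DMAR table layout (Intel VT-d spec): 36-byte ACPI header, then
# Host Address Width (1 byte) and Flags (1 byte); bit 2 of Flags is
# DMA_CTRL_PLATFORM_OPT_IN_FLAG, the firmware's "DMA protection" claim.
DMAR_HEADER_LEN = 36
DMAR_FLAGS_OFFSET = DMAR_HEADER_LEN + 1
DMA_CTRL_PLATFORM_OPT_IN = 0x04


def dmar_reports_dma_protection(dmar_table: bytes) -> bool:
    """True if the firmware's DMAR table claims platform DMA control opt-in."""
    if len(dmar_table) <= DMAR_FLAGS_OFFSET or dmar_table[:4] != b"DMAR":
        raise ValueError("not a DMAR table")
    return bool(dmar_table[DMAR_FLAGS_OFFSET] & DMA_CTRL_PLATFORM_OPT_IN)


def iommu_is_active(sysfs_root: str = "/sys") -> bool:
    """True if the kernel exposes at least one IOMMU and one IOMMU group."""
    iommus = os.path.join(sysfs_root, "class", "iommu")
    groups = os.path.join(sysfs_root, "kernel", "iommu_groups")
    has_iommu = os.path.isdir(iommus) and bool(os.listdir(iommus))
    has_groups = os.path.isdir(groups) and bool(os.listdir(groups))
    return has_iommu and has_groups


def assess(firmware_claims: bool, iommu_active: bool) -> str:
    """Compare the firmware claim with what the OS actually sees."""
    if firmware_claims and not iommu_active:
        return "MISMATCH: firmware claims DMA protection but no IOMMU is active"
    if not firmware_claims:
        return "NOT CLAIMED: firmware does not claim DMA protection"
    return "OK: firmware claim matches an active IOMMU"


def build_sample_dmar(flags: int) -> bytes:
    """Constructed test table: ACPI header plus HAW/Flags, no remapping structures."""
    header = struct.pack("<4sIBB6s8sIII", b"DMAR", 38, 1, 0,
                         b"SAMPLE", b"CONSTRUC", 1, 0x20202020, 1)
    return header + struct.pack("<BB", 38, flags)  # HAW=38 (39-bit), Flags


if __name__ == "__main__":
    path = "/sys/firmware/acpi/tables/DMAR"
    if os.path.exists(path):
        with open(path, "rb") as f:
            print(assess(dmar_reports_dma_protection(f.read()), iommu_is_active()))
    else:
        print("No DMAR table readable (non-Intel platform or no root); nothing checked")
```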

© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
