A familiar threat has returned with new tricks, proving that cybercriminals don’t need sophisticated custom code to cause widespread damage—they just need the right off-the-shelf tools. A new report from Acronis Threat Research Unit (TRU) reveals that operators of the Makop ransomware have evolved their tactics, integrating the notorious GuLoader and a suite of privilege escalation exploits to target organizations with weak defenses.
Makop, a variant of the Phobos ransomware family first observed in 2020, has built a reputation on simplicity. The group’s modus operandi relies heavily on exploiting the most common security oversight in the corporate world: unsecured Remote Desktop Protocol (RDP) ports.
According to the Acronis researchers, the group’s strategy hasn’t changed so much as it has refined its efficiency. “The pattern which emerged was that attackers prefer to work in a low complexity and low effort manner,” the report states.

Once inside a network via brute-forced RDP credentials—often using the cracked tool NLBrute—the attackers don’t deploy custom-built APT frameworks. Instead, they stage a “noisy” collection of commodity tools. This includes NetScan and Advanced IP Scanner for mapping the network, and Mimikatz for scraping credentials from memory.
While their entry method is basic, their toolkit for staying in the network has become more dangerous. The report highlights a significant shift: the integration of GuLoader, a sophisticated downloader traditionally used to drop infostealers like AgentTesla.
“GuLoader, a downloader type of trojan, is used to deliver secondary payloads, indicating an evolution in Makop’s methodology by integrating more techniques to bypass security measures and additional malware delivery mechanisms.”
Furthermore, the attackers are bypassing endpoint protection by bringing their own weapons. They utilize “AV killers” and vulnerable drivers, such as the legitimate ThrottleStop.sys and hlpdrv.sys, to gain kernel-level access and terminate security processes. The investigation even found a tailored uninstaller for Quick Heal AV, suggesting the attackers are customizing their toolkit based on the specific security software they encounter.
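Two of the behaviours described above leave clear traces in standard Windows event logs: the RDP brute force behind the initial entry shows up as bursts of failed RemoteInteractive logons (Security Event ID 4625, logon type 10) from one source, and the "bring your own vulnerable driver" step shows up as a kernel-mode driver service being installed (System Event ID 7045). The following detection sketch is an added example written for this article, not code from Acronis TRU or from the report. It runs over constructed sample events in a simplified normalized form (the IPs, usernames, timestamps and paths are invented); the two driver file names on the blocklist are the ones named in the report, and a real deployment would use a full vulnerable-driver blocklist rather than this two-entry illustration.

```python
"""Detection sketch (added example, constructed data) for two Makop-style behaviours:
RDP brute force (Security 4625, logon type 10) followed by a successful logon
(Security 4624, logon type 10) from the same source, and installation of a
known-vulnerable kernel driver (System 7045)."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Drivers the report names as abused for kernel-level AV termination. A real
# blocklist (e.g. the Microsoft vulnerable driver blocklist) is far longer.
VULNERABLE_DRIVERS = {"throttlestop.sys", "hlpdrv.sys"}

RDP_LOGON_TYPE = 10  # RemoteInteractive, i.e. Terminal Services / RDP

# Constructed sample events in a simplified normalized form (not real telemetry).
SAMPLE_EVENTS = [
    # Burst of failed RDP logons from one source against several account names
    {"time": "2024-05-01T02:00:05", "id": 4625, "src_ip": "203.0.113.7", "user": "administrator", "logon_type": 10},
    {"time": "2024-05-01T02:00:31", "id": 4625, "src_ip": "203.0.113.7", "user": "admin", "logon_type": 10},
    {"time": "2024-05-01T02:01:02", "id": 4625, "src_ip": "203.0.113.7", "user": "backup", "logon_type": 10},
    {"time": "2024-05-01T02:01:40", "id": 4625, "src_ip": "203.0.113.7", "user": "scanner", "logon_type": 10},
    {"time": "2024-05-01T02:02:15", "id": 4625, "src_ip": "203.0.113.7", "user": "backupadmin", "logon_type": 10},
    {"time": "2024-05-01T02:02:59", "id": 4625, "src_ip": "203.0.113.7", "user": "backupadmin", "logon_type": 10},
    # ...followed by a successful RDP logon from the same source: guessing became access
    {"time": "2024-05-01T02:04:10", "id": 4624, "src_ip": "203.0.113.7", "user": "backupadmin", "logon_type": 10},
    # Two isolated failures an hour apart: a mistyped password, not a spray
    {"time": "2024-05-01T08:10:00", "id": 4625, "src_ip": "198.51.100.23", "user": "jsmith", "logon_type": 10},
    {"time": "2024-05-01T09:12:00", "id": 4625, "src_ip": "198.51.100.23", "user": "jsmith", "logon_type": 10},
    # Console logon failure (logon type 2) is not RDP and is ignored by the RDP rules
    {"time": "2024-05-01T08:11:00", "id": 4625, "src_ip": "-", "user": "jsmith", "logon_type": 2},
    # Service installs: a known-vulnerable driver dropped into Temp, and a benign user-mode service
    {"time": "2024-05-01T02:20:00", "id": 7045, "service": "ThrottleStop", "image_path": r"C:\Windows\Temp\ThrottleStop.sys", "service_type": "kernel mode driver"},
    {"time": "2024-05-01T02:25:00", "id": 7045, "service": "VMTools", "image_path": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe", "service_type": "user mode service"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _rdp_failures(events):
    """Group failed RDP logon timestamps by source address."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e.get("logon_type") == RDP_LOGON_TYPE:
            failures[e["src_ip"]].append(_ts(e))
    return failures


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: peak failures in any sliding window} for sources that reach
    `threshold` failed RDP logons within `window`."""
    hits = {}
    for ip, times in _rdp_failures(events).items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip] = peak
    return hits


def detect_success_after_spray(events, threshold=5, window=timedelta(minutes=5)):
    """Flag successful RDP logons preceded, within `window`, by at least `threshold`
    failures from the same source: the moment brute force actually paid off."""
    failures = _rdp_failures(events)
    alerts = []
    for e in events:
        if e["id"] != 4624 or e.get("logon_type") != RDP_LOGON_TYPE:
            continue
        t = _ts(e)
        recent = [f for f in failures.get(e["src_ip"], []) if t - window <= f <= t]
        if len(recent) >= threshold:
            alerts.append({"src_ip": e["src_ip"], "user": e["user"], "time": e["time"], "prior_failures": len(recent)})
    return alerts


def detect_vulnerable_driver_install(events, blocklist=VULNERABLE_DRIVERS):
    """Return 7045 service-install events whose image is a kernel-mode driver on the
    blocklist, noting whether it was loaded from outside the usual drivers directory."""
    hits = []
    for e in events:
        if e["id"] != 7045 or e.get("service_type", "").lower() != "kernel mode driver":
            continue
        path = e["image_path"]
        if PureWindowsPath(path).name.lower() in blocklist:
            hits.append({
                "time": e["time"],
                "service": e["service"],
                "image_path": path,
                "unusual_location": not path.lower().startswith(r"c:\windows\system32\drivers"),
            })
    return hits


if __name__ == "__main__":
    print("RDP brute-force sources:", detect_rdp_bruteforce(SAMPLE_EVENTS))
    print("Successful logon after spray:", detect_success_after_spray(SAMPLE_EVENTS))
    print("Vulnerable driver installs:", detect_vulnerable_driver_install(SAMPLE_EVENTS))
```

The threshold and window are deliberately parameters: on an internet-exposed RDP host the baseline of failed logons is high enough that a fixed count produces noise, so the success-after-spray rule, which only fires when a burst of failures is followed by a success from the same source, is usually the higher-fidelity alert. For the driver rule, matching on the file name alone is a start, but the report's point about attackers bringing their own drivers means the more durable signal is a kernel driver being installed from a user-writable path such as Temp, which the `unusual_location` flag records.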
The choice of tools like the Quick Heal uninstaller is not coincidental. The campaign shows a distinct geographic focus. “The majority of attacks (55%) target organizations in India, while incidents are also reported in Brazil, Germany and other regions.”
This targeting appears to be opportunistic rather than strategic. The attackers are hunting for the lowest hanging fruit—networks with exposed RDP and insufficient patching. “Makop’s operators appear to act opportunistically, focusing on networks where weaknesses reduce the effort needed for initial entry, subsequent compromise and encryption.”
The evolution of Makop serves as a reminder that “low complexity” does not mean low impact. By combining brute force with a vast library of known exploits (ranging from CVE-2016-0099 to CVE-2022-24521), these actors can devastate organizations that fall behind on basic hygiene.
As the report concludes, “seemingly mundane entry points like unsecured RDP can lead to significant breaches,” urging organizations to enforce multi-factor authentication and patch management to close the doors these “lazy” attackers are walking through.