A ransom note | Image: Unit 42
A new and sophisticated ransomware player has entered the cybercrime arena, targeting critical infrastructure in the Asia-Pacific region with a custom-built, cross-platform weapon. Dubbed “01flip,” this ransomware family is written entirely in the Rust programming language, allowing it to strike both Windows and Linux systems with equal ferocity.
Unit 42 researchers at Palo Alto Networks have been tracking the activity under the cluster identifier CL-CRI-1036. While the campaign appears to be in its early stages, the threat actors have already claimed victims in the Philippines and Taiwan, signaling a dangerous new development in the financially motivated cybercrime landscape.
The investigation began in June 2025 when researchers intercepted a suspicious Windows executable that displayed unusual behavior. “The executable caught our attention because it is a Rust-based binary that exhibited ransomware-like behavior in our sandbox,” the report states.
Further analysis revealed a versatile threat. By leveraging Rust’s cross-compilation features, the attackers created a malware strain capable of compromising diverse environments. “01flip ransomware is fully written in the Rust programming language and supports multi-platform architectures by leveraging the cross-compilation feature of Rust”.
Unlike automated “spray and pray” attacks, CL-CRI-1036 appears to favor a hands-on approach. The attackers likely compromised networks manually, exploiting older vulnerabilities such as CVE-2019-11580 to gain an initial foothold.
Once inside, they deployed Sliver, a widely used open-source adversary emulation framework, to maintain access and move laterally across the network. “In late May 2025, the threat actor behind CL-CRI-1036 successfully performed lateral movement to another Linux machine by downloading another Sliver implant,” researchers noted.
This manual methodology suggests a calculated operation. “These financially motivated attackers likely carried this out through manual means”.
One of the most intriguing findings in the malware’s code is a potential link—or a deliberate false flag—pointing to one of the world’s most notorious ransomware gangs.
The 01flip encryptor includes a hardcoded list of file extensions to ignore during encryption. Among standard system files, one entry stood out: “lockbit”.
“Avoiding encrypting files with a lockbit file extension implies a possible overlap of the threat actor behind CL-CRI-1036 and the group behind LockBit ransomware,” the report observes. However, researchers remain cautious, noting that “other than this odd bit of code, we can find no other connection between these two ransomware families”.
While the current victim count is low, the impact is significant. The group has already been linked to data leaks on the dark web, offering stolen information for sale. “We have confirmed an alleged data leak from an affected organization on a dark web forum shortly after the attack”.
As these groups continue to adopt modern programming languages like Rust to evade detection, defenders face an evolving challenge. “This activity highlights the challenges faced by defenders from attackers using modern programming languages in malware development,” Unit 42 concludes.