Kryptina's adoption by Mallox affiliates complicates malware tracking as ransomware operators blend different codebases into new variants.
Kryptina evolved from a free tool on public forums to being actively used in enterprise attacks, particularly under the Mallox ransomware family.
In May 2024, a Mallox affiliate leaked staging server data, revealing that their Linux ransomware was based on a modified version of Kryptina.
The affiliate made superficial changes to the source code and documentation, stripping the Kryptina branding but retaining the core functionality.
The adoption of Kryptina by Mallox affiliates exemplifies the commoditization of ransomware tools, complicating malware tracking as affiliates blend different codebases into new variants.
This original research was presented by the author at LABScon 2024 in Scottsdale, Arizona.