Skip to content
Ransomware group

Mallox

Mallox is an enterprise-focused ransomware family and ransomware-as-a-service (RaaS) operation that emerged in 2021.

Profile source: Mallory opens in a new tab

Mallox

Family profile

Mallox is an enterprise-focused ransomware family and ransomware-as-a-service (RaaS) operation that emerged in 2021. It is also referred to in the provided content as TargetCompany, FARGO, XOLLAM, and BOZON, though Mallox is the most widely used name. The operation reportedly began as a private group and launched an affiliate program in 2022. Its recruitment was selective: it sought Russian-speaking affiliates, excluded English-speaking affiliates and novices, instructed affiliates to target organizations with at least $10 million in revenue, and to avoid hospitals and educational institutions. The content states Mallox had 16 active affiliates in 2023, with eight of those original affiliates still active in 2024 and no newcomers.

The malware is associated with enterprise attacks and big-game-hunting style targeting. The content states Mallox operators are known to exploit timely vulnerabilities, including Microsoft SQL Server flaws, and also use brute-force attacks for initial access. Separate reporting in the content describes WeaXor/Weaxor as a modified version or rebrand of Mallox, and notes Mallox activity associated with exploiting insecure Microsoft SQL servers.

A May 2024 leak from a Mallox affiliate staging server provided detailed insight into one affiliate’s tooling. According to the content, that affiliate’s Linux ransomware, branded "Mallox v1.0," was built from a modified version of the open-source Kryptina Linux RaaS platform. This Kryptina-derived Mallox Linux variant retained Kryptina’s core encryption and decryption routines, source structure, web interface, and builder components, with most changes limited to rebranding, translated documentation, and minor edits. The Linux variant used AES-256-CBC for file encryption, retained the krptna_process_file() encryption routine using OpenSSL APIs, and preserved Kryptina-style XOR-plus-base64 obfuscation for keys and configuration data. The builder supported parameters including demo, debug, symbols, arch32, xor, jobs, persist, maxsize, and secdel; the secdel option enabled a secure deletion or wiper-like capability.

The leaked affiliate server was hosted at 185[.]73.125[.]6 and contained modified Kryptina source files, a web interface, builder infrastructure, ransom note templates, and target-specific output folders. The content says 14 victim/output subfolders were present, with seven containing config.json files and compiled encryptor/decryptor binaries. Across those seven configured builds, the same Bitcoin address was used: 18CUq89XR81Y7Ju2UBjER14fYWTfVwpGP3. They also shared the same encrypted-file extension, .lmallox, the same key value, smHKnqN7S1ehBz4zxya6ddwys39PJHbF7LlqIS1+Fq4=, and the same ransom amount of 500.0. Ransom note configurations included the Tox ID 290E6890D02FBDCD92659056F9A95D80854534A4D76EE5D3A64AFD55E584EA398722EC2D3697.

The same affiliate server also hosted broader intrusion tooling associated with Mallox operations, including Windows-focused droppers, a Kaspersky password reset utility, and exploit code for CVE-2024-21338, indicating support for payload delivery, beachhead establishment, and privilege escalation. Specific artifacts mentioned in the content include Application.jar (SHA1 5cf67c0a1fa06101232437bee5111fefcd8e2df4), which launched PowerShell to download a Mallox payload as id.exe (SHA1 0f1aea2cf0c9f2de55d2b920618a5948c5e5e119); KLAPR.ZIP / KLAPR.BAT (SHA1 43377911601247920dc15e9b22eda4c57cb9e743), identified as Kaspersky Lab AllProducts Password Reset v2.0; jre-8u401-windows-x64.exe (SHA1 dc3f98dded6c1f1e363db6752c512e01ac9433f3); Reader.lnk (SHA1 c20e8d536804cf97584eec93d9a89c09541155bc); and Java bytecode referencing grovik71.theweb[.]place. The x64 payload red.exe had SHA1 0f1aea2cf0c9f2de55d2b920618a5948c5e5e119 and was identical to id.exe and MSiedge.exe hosted on the same server.

The content also places Mallox in broader ransomware reporting, including observation in 2023 industrial-sector tracking and later reporting that WeaXor was a Mallox-derived or Mallox-rebranded strain. Overall, the provided material characterizes Mallox as a longstanding, enterprise-oriented ransomware family with affiliate-driven operations, known SQL-server-related intrusion activity, and at least one Linux branch derived from Kryptina.

Ransomware.live

Operational record

View group record ↗

Exfiltration

  • Dropmefiles
  • File[.]io
  • Sendspace

Reported operators

Threat actors

1 named in public reporting
Lazarus

Mallox ( aka TargetCompany ) ransomware is a longstanding, Enterprise-focused, RaaS. The family emerged in 2021 and is sometimes referred to as FARGO, XOLLAM, or BOZON, due to the extension appended to encrypted files in some variants.

Exploited software

Vulnerabilities linked to Mallox

2 CVEs

MITRE ATT&CK

Mallox in ATT&CK

14 distinct techniques

Reporting

Research mentioning Mallox

Jun 11
Sentinelone Labs

LABScon24 Replay | Kryptina RaaS: From Unsellable Cast-off to Enterprise Ransomware | SentinelOne

Jim Walter reveals how a recent leak from a Mallox ransomware-affiliated actor’s staging server provided insight into how Kryptina has been adapted for use in enterprise attacks.

May 21
Securelist

Leaked ransomware variants give rise to new cybercrime groups | Securelist

Mallox is another relatively new ransomware variant that first came to light in 2021 and kicked off an affiliate program in 2022.

Dec 30
F5 Community

F5 Threat Report - December 31st, 2025 | DevCentral

Threat Details and IOCs Malware: ... Mallox ...

Dec 20
Ctoatncsc Substack

CTO at NCSC Summary: week ending December 21st - nearly Christmas edition ❄️🎄🎅🤶🎄❄️

"Weaxor is reported to be a rebrand of Mallox ransomware strain. Mallox was active from 2021 and associated with exploiting insecure Microsoft SQL servers."

Nov 11
Sentinelone Labs

Kryptina RaaS | From Unsellable Cast-Off to Enterprise Ransomware | SentinelOne

Mallox ( aka TargetCompany ) ransomware is a longstanding, Enterprise-focused, RaaS. The family emerged in 2021 and is sometimes referred to as FARGO, XOLLAM, or BOZON, due to the extension appended to encrypted files in some variants.

Apr 22
Hackread

Russian Host Proton66 Tied to SuperBlack and WeaXor Ransomware

"WeaXor ransomware, a modified version of Mallox..."

Jan 25
Dragos

Dragos Industrial Ransomware Analysis: Q4 2023 | Dragos

...observed in the third quarter but not in the fourth quarter of 2023... Mallox

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.