Skip to content
Ransomware group

Pandora

Pandora is ransomware reported in 2022, including activity targeting the automotive sector and deployment by the Microsoft-tracked actor DEV-0401.

Profile source: Ransomware.live opens in a new tab

Pandora

Family profile

Pandora is ransomware reported in 2022, including activity targeting the automotive sector and deployment by the Microsoft-tracked actor DEV-0401. This profile excludes the unrelated Windows backdoor and rootkit that also uses the Pandora name.

Ransomware.live

Operational record

View group record ↗

Reporting

Research mentioning Pandora

Dec 22
Rapid7 Velociraptor

Memory Analysis with Velociraptor - Part 2

20 Pandora yes

Apr 11
Sentinelone Labs

Chinese Entanglement | DLL Hijacking in the Asian Gambling Sector | SentinelOne

Since around 2021, HUI Loader variants have been deployed in operations involving the ransomware families LockFile, AtomSilo, NightSky, LockBit 2.0, and Pandora.

Apr 25
Mitre Attack Website

Process Injection, Technique T1055 - Enterprise | MITRE ATT&CK®

Pandora can start and inject code into a new svchost process.

Mar 13
Sentinelone

CatB Ransomware: File Locker Steals Data via MSDTC DLL Hijacking

String similarities in the ransom notes as well as modifications left by the ransomware payloads suggest that CatB may be either an evolution or direct rebrand of the Pandora ransomware, which was active in early to mid-2022 and targeted the automotive industry.

May 9
Microsoft General

Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself | Microsoft Security Blog

In February of 2022, DEV-0401 was observed deploying the Pandora ransomware family, primarily via unpatched VMware Horizon systems vulnerable to the Log4j 2 CVE-2021-44228 vulnerability.

Apr 9
Trend Micro Research

Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware

On two occasions (in March and October 2020), we found a kernel rootkit that had been deployed. After analysis, it appears that this rootkit’s behavior is very similar to that of the NDISProxy driver and remote access trojan (RAT). We chose to call it “Pandora” based on the program database (PDB) path of the unpacked stage 2.

Mar 8
Mitre Attack Website

Create or Modify System Process: Windows Service, Sub-technique T1543.003 - Enterprise | MITRE ATT&CK®

Pandora has the ability to gain system privileges through Windows services.

Aug 7
Mitre Attack Website

Process Injection, Technique T1055 - Enterprise | MITRE ATT&CK®

Pandora can start and inject code into a new svchost process.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.