Gacrux

Malware

⚠️ Overview

Gacrux is a ransomware family first documented by the AhnLab Security Emergency Response Center (ASEC) in March 2025. It is attributed to a cybercriminal group that operates the malware under a Ransomware-as-a-Service (RaaS) model, specifically targeting Korean-language users in South Korea. The malware is categorized as a loader and information stealer that deploys secondary payloads, including ransomware variants such as LockBit and Magniber, making it a multi-stage threat.

🔧 Technical Capabilities

Gacrux propagates via phishing emails containing malicious Microsoft Compiled HTML Help (CHM) files, disguised as shipping, shopping, or payment notifications. Upon execution, Gacrux drops a JavaScript-based loader that downloads and decrypts an encrypted payload hosted on legitimate compromised websites using AES-256-CBC. The malware establishes persistence by creating a scheduled task or modifying the Registry under HKCUSoftwareMicrosoftWindowsCurrentVersionRun. It employs evasion techniques including code obfuscation, process hollowing into legitimate processes like RegAsm.exe, and disables Windows Defender via PowerShell commands. Gacrux uses hardcoded C2 servers with fallback domain generation algorithms (DGA) and communicates over HTTPS with custom User-Agent strings mimicking Google Chrome. It also collects system information, including keyboard layout, locale, and running processes, before deploying the final ransomware payload.

📜 History & Notable Incidents

First discovered in early 2025, Gacrux primarily targeted South Korean users through Korean-language phishing lures referencing Coupang, Naver, and other local e-commerce platforms. No high-profile victims or CVEs have been publicly associated with Gacrux itself, as it relies on existing vulnerabilities in older software for initial access. Law enforcement actions have not been reported against the group as of mid-2025, though ASEC has published detailed IoCs.

🔍 Detection Indicators

Network indicators include outbound HTTPS connections to IP addresses in South Korea and Hong Kong, with User-Agent strings such as "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36". File indicators include the creation of suspicious CHM files with names like "delivery_notice.chm" and subsequent decrypted payloads with the extension .enc. Behavioral signatures include the execution of PowerShell to disable real-time monitoring and the creation of scheduled tasks named "WindowsUpdateTask" or similar. ASEC-provided SHA-256 hashes for sample filenames are available in their report (AhnLab ASEC, March 2025). Registry persistence can be found under Run keys pointing to %AppData%RoamingMicrosoftWindowsStart MenuProgramsStartup.

☠️ Risk & Impact

Gacrux poses a high risk of data exfiltration and ransomware encryption, leading to significant financial losses for affected organizations. The primary sectors impacted are small-to-medium businesses and individuals in South Korea, particularly those using Korean e-commerce services. The malware's ability to deploy LockBit and Magniber increases the severity of damage, potentially causing irreversible data loss without payment of the ransom, which is typically demanded in Bitcoin.

🛡️ Mitigation

Defenders should block execution of CHM files from email attachments, enforce application whitelisting to prevent RegAsm.exe and other LOLBins from being used maliciously, and deploy YARA rules provided by ASEC for detecting Gacrux loaders. Endpoint detection and response (EDR) tools with behavioral analytics for process hollowing and PowerShell abuse are critical for early detection. Regular patching of software vulnerabilities that ransomware groups exploit and maintaining offline backups are recommended to mitigate impact.

Malware Threat Protection

Is Your Site Protected Against Malware-Driven Bot Traffic?

Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.

Run Free Bot Scan →

No credit card required  ·  Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.