Horus

Malware

⚠️ Overview

Horus is a ransomware family first identified by Unit 42 researchers at Palo Alto Networks in November 2021, operated by a financially motivated threat group tracked as TA4568. It is categorized as a ransomware-as-a-service (RaaS) variant, encrypting victim files and demanding cryptocurrency payments for decryption keys.

🔧 Technical Capabilities

Horus uses hybrid encryption: file contents are encrypted with AES-256, and the AES keys are protected with an RSA-2048 public key hardcoded in the binary, so files cannot be recovered without the operators' private key. Each encrypted file receives the .horus extension. It spreads via RDP brute-force attacks (MITRE ATT&CK T1110) and exploits the Zerologon vulnerability (CVE-2020-1472) for privilege escalation within Active Directory environments. The malware establishes C2 communication over HTTPS to a Tor hidden service, using the custom User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Horus/1.0". Persistence is achieved through a Windows scheduled task (MITRE ATT&CK T1053.005) that re-executes the payload after reboot. Evasion techniques include process hollowing (MITRE ATT&CK T1055.012) and disabling Windows Defender real-time protection via PowerShell (Set-MpPreference -DisableRealtimeMonitoring $true); note that this command requires administrative rights and is ignored when Defender Tamper Protection is enabled, so the command line itself is a useful detection signal even where it fails.

📜 History & Notable Incidents

Horus first appeared in November 2021 targeting healthcare organizations in the United States, as reported by the Cybersecurity and Infrastructure Security Agency (CISA) in alert AA22-123A. In March 2022, the group launched a campaign against K-12 school districts in Texas, encrypting over 50 servers and demanding $2.5 million in Bitcoin. No law enforcement actions have been publicly documented as of 2024.

🔍 Detection Indicators

Known file hashes include SHA256 a7c3f8d9e... (truncated for brevity) from VirusTotal samples. Behavioral signatures include creation of the registry key HKCU\Software\HorusRansom and the mutex name Global\Horus_Mutex_Win. Network IOCs include the hostname horus-c2.tor2web.org (a Tor2web gateway hostname, so match the full hostname rather than the parent domain, which also serves unrelated traffic) and the IP range 185.225.19.0/24 used for C2 callback traffic. Atomic indicators such as hashes and User-Agent strings are trivially changed between builds; the behavioral signatures above and the shadow-copy deletion described under Risk & Impact are the more durable detections.

☠️ Risk & Impact

Horus causes full encryption of critical files, leading to operational downtime, and exfiltrates data before encryption (MITRE ATT&CK T1048) to support double extortion. Financial losses from ransom payments have exceeded $10 million across the healthcare, education, and manufacturing sectors, according to the Chainalysis 2023 ransomware report. The malware also deletes Volume Shadow Copies (vssadmin delete shadows /all) to prevent local recovery, so restoration depends on offline or immutable backups.
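The behaviours in Technical Capabilities, the indicators in Detection Indicators and the shadow-copy deletion above can be checked with a single triage pass over endpoint and proxy telemetry. The following is an added example, not code from the page's sources or from any vendor: it runs the page's indicators against constructed sample events. The event schema (type, id, image, cmdline, dst_host, dst_ip, user_agent, key, name, target), the rename threshold, and the mapping of shadow-copy deletion to T1490 and Defender tampering to T1562.001 are the example's own assumptions.

```python
"""Triage constructed host/proxy telemetry against the Horus indicators and
behaviours listed on this page. Added example; not code from the page's
sources or from any vendor. The field names below are an assumed normalised
schema, and all sample events are constructed for illustration."""
import ipaddress
import re

# Atomic IOCs quoted on the page. The truncated SHA256 is deliberately left out.
HORUS_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Horus/1.0"
HORUS_C2_DOMAIN = "horus-c2.tor2web.org"
HORUS_C2_NET = ipaddress.ip_network("185.225.19.0/24")
HORUS_REG_KEY = r"HKCU\Software\HorusRansom"
HORUS_MUTEX = r"Global\Horus_Mutex_Win"
HORUS_EXT = ".horus"
RENAME_THRESHOLD = 3  # assumed: this many .horus renames on one host = mass encryption

RULE_SHADOW = "T1490 shadow copy deletion"
RULE_DEFENDER = "T1562.001 Defender real-time protection disabled"
RULE_SCHTASK = "T1053.005 scheduled task creation"
RULE_TEMP_EXEC = "horus.exe executed from a temp directory"
RULE_UA = "Horus C2 User-Agent"
RULE_DOMAIN = "Horus C2 hostname"
RULE_IP = "Horus C2 IP range"
RULE_REG = "Horus registry key"
RULE_MUTEX = "Horus mutex"
RULE_MASS_RENAME = "mass rename to .horus"

# Behavioural rules from the TTP section, matched on the full command line so
# argument order, casing and quoting do not matter.
CMDLINE_RULES = [
    (RULE_SHADOW, re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    (RULE_DEFENDER, re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
    (RULE_SCHTASK, re.compile(r"schtasks(\.exe)?\s+/create\b", re.I)),
]
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.I)


def in_c2_range(ip: str) -> bool:
    """True if ip parses and falls inside the page's C2 /24."""
    try:
        return ipaddress.ip_address(ip) in HORUS_C2_NET
    except ValueError:
        return False


def triage(events):
    """Return (rule, event_id) tuples for every event that matches an
    indicator; the mass-rename rule is reported once with the file count."""
    findings = []
    renames = 0
    for ev in events:
        kind, eid = ev.get("type"), ev.get("id")
        if kind == "process":
            for rule, rx in CMDLINE_RULES:
                if rx.search(ev.get("cmdline", "")):
                    findings.append((rule, eid))
            image = ev.get("image", "")
            if image.lower().endswith("\\horus.exe") and TEMP_DIR.search(image):
                findings.append((RULE_TEMP_EXEC, eid))
        elif kind == "network":
            if ev.get("user_agent") == HORUS_UA:
                findings.append((RULE_UA, eid))
            if ev.get("dst_host", "").lower() == HORUS_C2_DOMAIN:
                findings.append((RULE_DOMAIN, eid))
            if in_c2_range(ev.get("dst_ip", "")):
                findings.append((RULE_IP, eid))
        elif kind == "registry" and ev.get("key", "").lower() == HORUS_REG_KEY.lower():
            findings.append((RULE_REG, eid))
        elif kind == "mutex" and ev.get("name") == HORUS_MUTEX:
            findings.append((RULE_MUTEX, eid))
        elif kind == "file_rename" and ev.get("target", "").lower().endswith(HORUS_EXT):
            renames += 1
    if renames >= RENAME_THRESHOLD:
        findings.append((RULE_MASS_RENAME, renames))
    return findings


# Constructed telemetry: events 1, 5 and 7 are benign look-alikes and must not fire.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin list shadows"},
    {"id": 2, "type": "process", "image": r"C:\Users\jdoe\AppData\Local\Temp\horus.exe", "cmdline": r"C:\Users\jdoe\AppData\Local\Temp\horus.exe"},
    {"id": 3, "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"id": 4, "type": "process", "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"id": 5, "type": "process", "image": r"C:\Windows\System32\schtasks.exe", "cmdline": "schtasks /query /tn Updater"},
    {"id": 6, "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc onstart /tn "WinUpdate" /tr "C:\Users\jdoe\AppData\Local\Temp\horus.exe" /ru SYSTEM'},
    {"id": 7, "type": "network", "dst_host": "update.microsoft.com", "dst_ip": "20.0.0.1",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"},
    {"id": 8, "type": "network", "dst_host": "horus-c2.tor2web.org", "dst_ip": "185.225.19.77", "user_agent": HORUS_UA},
    {"id": 9, "type": "registry", "key": r"HKCU\Software\HorusRansom", "value": "victim_id"},
    {"id": 10, "type": "mutex", "name": r"Global\Horus_Mutex_Win"},
] + [{"id": 11 + i, "type": "file_rename", "target": rf"C:\Shares\finance\q{i}.xlsx.horus"} for i in range(4)]

if __name__ == "__main__":
    for rule, ref in triage(SAMPLE_EVENTS):
        print(f"{rule}: {ref}")
```

The command-line rules are what survive a rebuild: a new sample with a different hash, User-Agent or mutex still has to delete shadow copies and create its persistence task, and those command lines are logged by Sysmon event ID 1 or Windows Security event 4688 regardless of the binary's name.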

🛡️ Mitigation

Defenders should apply Microsoft's patches for CVE-2020-1472 (Zerologon; the page cites KB5005565) and confirm that Netlogon secure-channel enforcement is active on all domain controllers, enforce multi-factor authentication on RDP and remove direct RDP exposure to the internet, and deploy EDR rules blocking execution of horus.exe from temporary directories. Because a filename rule is defeated by renaming the binary, pair it with behavioral rules for shadow-copy deletion, Defender tampering, and scheduled-task creation by unsigned executables. CISA recommends using the provided YARA rule Horus_2021_001.yar for file and memory scanning on endpoints; YARA does not inspect network traffic, so the C2 hostname and IP range should be loaded into proxy, DNS, and firewall blocklists separately.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.