Ladon

Malware

⚠️ Overview

Ladon is a multi-purpose post-exploitation reconnaissance and lateral-movement scanner written in C# (.NET), with a Go port (LadonGo) for cross-platform use, first published around 2019. It is not a malware family but a toolset, used by threat actors including ransomware affiliates and, reportedly, state-sponsored groups, primarily for network scanning, credential harvesting and exploitation of known vulnerabilities. Ladon is best categorized as a reconnaissance and exploitation framework rather than a ransomware or trojan, though it is frequently deployed as one component of a broader intrusion (e.g., by LockBit affiliates). Its behaviour corresponds to MITRE ATT&CK techniques such as T1046 Network Service Discovery (formerly Network Service Scanning), T1059.001 Command and Scripting Interpreter: PowerShell, and T1047 Windows Management Instrumentation.

🔧 Technical Capabilities

Ladon performs TCP/UDP port scanning, service and banner detection, OS fingerprinting, and password guessing against SMB, SSH, MSSQL and other services. It ships checks for well-known vulnerabilities such as EternalBlue (MS17-010, CVE-2017-0144), BlueKeep (CVE-2019-0708) and SMBGhost (CVE-2020-0796), and for some of them (notably MS17-010) an exploitation module; for the others the shipped module is a vulnerability scanner rather than a working exploit, so treat "automated exploitation" claims with care. For lateral movement it supports remote execution over SMB, WMI, RDP, MSSQL, SSH and WinRM through PsExec-, WmiExec-, AtExec- and SshExec-style modules; the scheduled tasks, services and WMI calls these leave on the target are execution artefacts, not persistence of Ladon itself, which is usually run as a one-off binary. It can dump credentials (including via Mimikatz integration) and enumerate Active Directory. Ladon is a scanner, not an implant: it has no built-in command-and-control channel, and in real intrusions it is staged and driven by a separate loader or C2 agent. Where evasion is seen it comes from packing or obfuscation of the dropped binary and from launching it through PowerShell, VBScript or other living-off-the-land binaries (LOLBins); the binaries themselves are often fetched straight from public repositories such as GitHub.

📜 History & Notable Incidents

Ladon was first observed in Chinese-language hacking forums in 2019, but gained global notoriety in 2021–2022 when it was used by LockBit affiliates for discovery and lateral movement (per Trend Micro and CISA reporting). CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilities, not tools, so Ladon itself was never "added" to it; the vulnerabilities it targets, such as CVE-2017-0144 (MS17-010), are catalogued there. The tool has also been linked to the APT41 group in espionage campaigns against defense and telecom sectors (Mandiant, 2022). No law enforcement takedown has targeted Ladon itself, as it is a publicly available tool on GitHub and other repositories.

🔍 Detection Indicators

Known file hashes include SHA256: f2c8b4d1... (variant-specific), a sample from VirusTotal (2022) for LadonGo; because the tool is public and rebuilt frequently, hashes are weak indicators and behavioural detection is more durable. Behavioural signatures: one host opening connections to many distinct hosts on 445, 3389, 1433 (and often 22, 135, 5985) within seconds; bursts of failed logons (Event ID 4625, logon type 3) from a single source as the password-guessing modules run; a privileged logon (Event ID 4672) shortly after, once a credential works; and access to the ADMIN$ or IPC$ shares (Event ID 5145) when PsExec-style execution is used. Some reports also list a named pipe called ladon-pipe and a User-Agent string of Mozilla/5.0 (Windows NT 10.0; Win64; x64) Ladon/2.0. A reported registry persistence location is HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Ladon, although persistence is not a native feature of the tool and is usually established by the operator's loader.
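The scanning fan-out and logon-failure bursts described in the capabilities and detection sections above are easy to express as sliding-window rules. The following is an added example written for this page (not code from Ladon or from any vendor product): it parses a constructed, simplified key=value rendering of Windows Security Event IDs 5156 (Windows Filtering Platform permitted an outbound connection) and 4625 (failed logon), then flags any source host that reaches 20 or more distinct hosts on scanner-relevant ports, or racks up 15 or more failed logons, inside one minute. The field names mirror the real events (SourceAddress, DestAddress, DestPort, IpAddress, TargetUserName), but the line format, the thresholds and the sample log are assumptions made for this example.

```python
"""Sliding-window detection of Ladon-style scanning and password guessing.

Added example for this page; not part of Ladon or of any SIEM/EDR product.
Input is a constructed key=value rendering of Security Event IDs 5156 and 4625;
real events are XML/EVTX, so adapt parse_line() to your collector's output.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Ports the tool probes and uses for lateral movement (SSH, RPC, SMB, MSSQL, RDP, WinRM).
SCAN_PORTS = {22, 135, 445, 1433, 3389, 5985}


def parse_line(line):
    """'ts=... id=5156 SourceAddress=... DestAddress=... DestPort=...' -> dict."""
    ev = dict(tok.split("=", 1) for tok in line.split())
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    ev["id"] = int(ev["id"])
    return ev


def detect_fanout(events, window=timedelta(seconds=60), min_targets=20, ports=SCAN_PORTS):
    """One source host connecting to many distinct hosts on admin/RDP/SMB/DB ports
    within `window`.  Returns one alert per source, raised the moment the threshold is met."""
    recent = defaultdict(deque)     # src -> (ts, dst) pairs still inside the window
    distinct = defaultdict(Counter)  # src -> dst -> count inside the window
    alerts = {}
    outbound = (e for e in events if e["id"] == 5156 and e.get("Direction") == "Outbound")
    for ev in sorted(outbound, key=lambda e: e["ts"]):
        if int(ev["DestPort"]) not in ports:
            continue
        src, dst, now = ev["SourceAddress"], ev["DestAddress"], ev["ts"]
        q, seen = recent[src], distinct[src]
        q.append((now, dst))
        seen[dst] += 1
        while q and now - q[0][0] > window:          # expire old connections
            _, old = q.popleft()
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
        if len(seen) >= min_targets and src not in alerts:
            alerts[src] = {"src": src, "targets": len(seen), "first": q[0][0],
                           "last": now, "app": ev.get("Application", "?")}
    return list(alerts.values())


def detect_logon_bursts(events, window=timedelta(seconds=60), min_failures=15):
    """Bursts of 4625 from one source IP.  Many distinct target users in the burst
    points at password spraying; a single user at classic brute force (heuristic)."""
    recent = defaultdict(deque)      # src -> (ts, user) pairs inside the window
    alerts = {}
    for ev in sorted((e for e in events if e["id"] == 4625), key=lambda e: e["ts"]):
        src, now = ev["IpAddress"], ev["ts"]
        q = recent[src]
        q.append((now, ev["TargetUserName"]))
        while q and now - q[0][0] > window:
            q.popleft()
        if len(q) >= min_failures and src not in alerts:
            users = {u for _, u in q}
            alerts[src] = {"src": src, "failures": len(q), "distinct_users": len(users),
                           "pattern": "spray" if len(users) > 1 else "brute-force"}
    return list(alerts.values())


def sample_events():
    """Constructed log: 10.0.0.5 sweeps 10.0.1.1-40 on 445 in ~8 s, then hammers SMB
    logons on a file server; 10.0.0.9 is a normal workstation touching two servers."""
    t0 = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    scanner = r"\device\harddiskvolume2\users\public\ladon.exe"   # hypothetical path
    benign = r"\device\harddiskvolume2\windows\explorer.exe"

    def stamp(delta):
        return (t0 + delta).isoformat().replace("+00:00", "Z")

    lines = [f"ts={stamp(timedelta(milliseconds=200 * i))} id=5156 Direction=Outbound "
             f"Application={scanner} SourceAddress=10.0.0.5 DestAddress=10.0.1.{i} DestPort=445"
             for i in range(1, 41)]
    lines += [f"ts={stamp(timedelta(seconds=3 * i))} id=5156 Direction=Outbound "
              f"Application={benign} SourceAddress=10.0.0.9 DestAddress={dst} DestPort=445"
              for i, dst in enumerate(("10.0.1.7", "10.0.1.20", "10.0.1.7"))]
    lines += [f"ts={stamp(timedelta(seconds=10, milliseconds=300 * i))} id=4625 LogonType=3 "
              f"IpAddress=10.0.0.5 TargetUserName=user{i % 5}" for i in range(25)]
    return [parse_line(line) for line in lines]


if __name__ == "__main__":
    evs = sample_events()
    for a in detect_fanout(evs) + detect_logon_bursts(evs):
        print(a)
```

Event ID 5156 is only written when "Audit Filtering Platform Connection" is enabled, which is noisy on busy hosts; the same rule works unchanged on Sysmon Event ID 3 or on firewall flow logs if you map their fields onto SourceAddress/DestAddress/DestPort. Raise min_targets for hosts that legitimately fan out (vulnerability scanners, monitoring servers) rather than whitelisting the port.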

☠️ Risk & Impact

Ladon enables attackers to map a network in minutes and push payloads to every reachable host, which compresses the time between initial access and ransomware deployment. In LockBit campaigns it was one of the tools used to reach thousands of endpoints before encryption; the collective losses cited for those campaigns (exceeding $100 million, Chainalysis, 2023) are LockBit's, not something attributable to Ladon alone. Sectors most affected include manufacturing, healthcare and government. The tool itself does not exfiltrate data, but combined with its credential-dumping modules and a separate C2 agent it gives an intruder the credentials needed to steal intellectual property.

🛡️ Mitigation

Patch the vulnerabilities it targets (especially MS17-010, BlueKeep and SMBGhost), disable SMBv1 outright, and restrict RDP, WinRM and WMI to management networks or jump hosts. Deploy EDR or SIEM rules for its scanning pattern: one workstation opening connections to many hosts on 445, 3389, 1433, 22 or 5985 within seconds, rather than connections to high-numbered ports, which Ladon does not especially favour. Known hashes can be blocked but change with every rebuild, so pair them with community YARA rules (e.g., the signature-base repository) and with behavioural detections. Monitoring Event ID 5156 for outbound SMB requires "Audit Filtering Platform Connection" to be enabled and is noisy; Sysmon Event ID 3 is a lighter alternative. Limit WMI, PowerShell and script execution with AppLocker or WDAC, enable LSA protection or Credential Guard to blunt Mimikatz-style dumping, and use LAPS so that one recovered local administrator password does not unlock every host the scanner finds.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.