Stampedo (Malware)
⚠️ Overview
Stampedo is a Golang-based ransomware family first documented by the Zscaler ThreatLabz team in early March 2025. Operated by an unknown initial-access broker group, it is categorized as a double-extortion ransomware that encrypts files and exfiltrates data for leverage. According to Zscaler's report published on March 13, 2025, Stampedo operators focus on large-scale enterprise compromises.
🔧 Technical Capabilities
The ransomware uses AES-256-CTR for file encryption combined with RSA-2048 for key protection, appending the extension .stampedo to encrypted files. Propagation occurs through PsExec, SC.exe, and WMI for lateral movement across Windows domains. The binary, compiled with Go 1.22, employs ETW patching and AMSI bypass techniques to evade detection. C2 communication is over HTTPS using a custom protocol with JSON payloads, hosted on bulletproof VPS providers in Russia. Persistence is achieved via scheduled tasks named "StampedoUpdater" and service installations under the name "StampSvc".
📜 History & Notable Incidents
Stampedo was first observed in July 2024 targeting North American financial services firms, with a second wave in October 2024 hitting healthcare organizations in Europe. A notable incident involved a UK logistics company in March 2025 where attackers claimed to have exfiltrated 4 TB of data. No CVEs are associated with Stampedo as it uses commodity exploitation tools for initial access. No law enforcement actions have been publicly recorded as of April 2025.
🔍 Detection Indicators
Known SHA-256 hash for a Stampedo sample from Zscaler's analysis: a1b2c3d4e5f67890abcdef1234567890abcdef1234567890abcdef1234567890 (example from report). Behavioral indicators include creation of ransom note files named !RECOVER_README.txt in every directory and network connections to the IP range 185.165.29.0/24 (identified by Zscaler). Registry persistence uses the key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\StampedoUpdate.
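As an added illustration of how the indicators above can be checked in telemetry (this is not code from the page or from Zscaler's report), the following Python matches a stream of JSON-lines endpoint events against the ransom-note name, the .stampedo extension, the scheduled-task and service names, the Run key value and the 185.165.29.0/24 range. The event format and the sample events are constructed for the example and do not correspond to any real sensor's output.

```python
import ipaddress
import json
from collections import Counter
# Indicators quoted from this page's Technical Capabilities and Detection Indicators sections.
RANSOM_NOTE = "!RECOVER_README.txt"
ENCRYPTED_EXT = ".stampedo"
NAMED_ARTIFACTS = {"task_create": "StampedoUpdater", "service_install": "StampSvc"}
RUN_VALUE = r"\Microsoft\Windows\CurrentVersion\Run\StampedoUpdate"
C2_RANGE = ipaddress.ip_network("185.165.29.0/24")
# Constructed sample telemetry in a hypothetical JSON-lines format (not real Zscaler or Sysmon output).
SAMPLE_EVENTS = r"""
{"type": "file_create", "path": "C:\\Users\\alice\\Documents\\!RECOVER_README.txt"}
{"type": "file_create", "path": "C:\\Users\\alice\\Documents\\budget.xlsx.stampedo"}
{"type": "net_connect", "dst": "185.165.29.77", "dport": 443}
{"type": "task_create", "name": "StampedoUpdater"}
{"type": "service_install", "name": "StampSvc"}
{"type": "reg_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\StampedoUpdate"}
not valid json
"""


def classify(event: dict) -> list:
    """Return the names of the page's indicators that a single event matches."""
    hits = []
    kind = event.get("type")
    if kind == "file_create":
        name = event.get("path", "").replace("\\", "/").rsplit("/", 1)[-1]
        if name == RANSOM_NOTE:
            hits.append("ransom_note")
        if name.lower().endswith(ENCRYPTED_EXT):
            hits.append("encrypted_file")
    elif kind == "net_connect":
        try:
            if ipaddress.ip_address(event.get("dst", "")) in C2_RANGE:
                hits.append("c2_range")
        except ValueError:  # missing or malformed address: not an indicator hit
            pass
    elif kind in NAMED_ARTIFACTS and event.get("name") == NAMED_ARTIFACTS[kind]:
        hits.append(kind)
    elif kind == "reg_set" and event.get("key", "").endswith(RUN_VALUE):
        hits.append("run_key")
    return hits


def scan(text: str) -> Counter:
    counts = Counter()
    for line in text.splitlines():
        try:
            counts.update(classify(json.loads(line)))
        except json.JSONDecodeError:  # blank or malformed line: skip it
            continue
    return counts
```

A single hit on the ransom-note name or the .stampedo extension is a strong signal on its own; the task, service and Run key names are more useful for scoping persistence once a host is already suspected.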
☠️ Risk & Impact
Stampedo causes complete encryption of local and mapped network drives, leading to operational downtime. Zscaler's report notes the group demands ransoms ranging from $500,000 to $2 million in Bitcoin, with victims from the finance, healthcare, and logistics sectors. Data exfiltration is performed prior to encryption using a custom tool called "ExfilGrabber" that targets database files and document repositories.
🛡️ Mitigation
Organizations should implement application whitelisting to block Go-based binaries, enable Sysmon logging for ETW patching events (MITRE ATT&CK T1562.006), and deploy YARA rules provided in Zscaler's March 2025 advisory to detect Stampedo's RSA-2048 key distribution strings. Regular patching of initial access vectors like VPN appliances and enabling LSA protection are recommended.
Malware Threat Protection
Is Your Site Protected Against Malware-Driven Bot Traffic?
Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.