• Latest
  • Trending
Hello XD ransomware now drops a backdoor while encrypting

Hello XD ransomware now drops a backdoor while encrypting

June 13, 2022
Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

July 29, 2025
French Telco Orange Hit by Cyber-Attack

French Telco Orange Hit by Cyber-Attack

July 29, 2025
ATC Ghana supports Girls-In-ICT Program

ATC Ghana supports Girls-In-ICT Program

April 25, 2023
Vice President Dr. Bawumia inaugurates  ICT Hub

Vice President Dr. Bawumia inaugurates ICT Hub

April 2, 2023
Co-Creation Hub’s edtech accelerator puts $15M towards African startups

Co-Creation Hub’s edtech accelerator puts $15M towards African startups

February 20, 2023
Data Leak Hits Thousands of NHS Workers

Data Leak Hits Thousands of NHS Workers

February 20, 2023
EU Cybersecurity Agency Warns Against Chinese APTs

EU Cybersecurity Agency Warns Against Chinese APTs

February 20, 2023
How Your Storage System Will Still Be Viable in 5 Years’ Time?

How Your Storage System Will Still Be Viable in 5 Years’ Time?

February 20, 2023
The Broken Promises From Cybersecurity Vendors

Cloud Infrastructure Used By WIP26 For Espionage Attacks on Telcos

February 20, 2023
Instagram and Facebook to get paid-for verification

Instagram and Facebook to get paid-for verification

February 20, 2023
YouTube CEO Susan Wojcicki steps down after nine years

YouTube CEO Susan Wojcicki steps down after nine years

February 20, 2023
Inaugural AfCFTA Conference on Women and Youth in Trade

Inaugural AfCFTA Conference on Women and Youth in Trade

September 6, 2022
  • Consumer Watch
  • Kids Page
  • Directory
  • Events
  • Reviews
Friday, 17 July, 2026
  • Login
itechnewsonline.com
  • Home
  • Tech
  • Africa Tech
  • InfoSEC
  • Data Science
  • Data Storage
  • Business
  • Opinion
Subscription
Advertise
No Result
View All Result
itechnewsonline.com
No Result
View All Result

Hello XD ransomware now drops a backdoor while encrypting

by ITECHNEWS
June 13, 2022
in Infosec, Leading Stories
0 0
0
Hello XD ransomware now drops a backdoor while encrypting

Cybersecurity researchers report increased activity of the Hello XD ransomware, whose operators are now deploying an upgraded sample featuring stronger encryption.

First observed in November 2021, the particular family was based on the leaked source code of Babuk and engaged in a small number of double-extortion attacks where the threat actors stole corporate data before encrypting devices.

YOU MAY ALSO LIKE

French Telco Orange Hit by Cyber-Attack

ATC Ghana supports Girls-In-ICT Program

According to a new report by Palo Alto Networks Unit 42, the malware’s author has created a new encryptor that features custom packing for detection avoidance and encryption algorithm changes.

This marks a significant departure from the Babuk code and highlights the author’s intention to develop a new ransomware strain with unique capabilities and features for increased attacks.

Hello XD ransomware operation

The Hello XD ransomware operation is not currently using a Tor payment site to extort victims but instead instructs victims to enter negotiations directly through a TOX chat service.

In the latest version, the malware operators have added an onion site link on the dropped ransom note, but Unit 42 says the site is offline, so it might be under construction.

Hello XD ransom notes, old left, new right
Hello XD ransom notes, old left, new right (Unit 42)

When executed, Hello XD attempts to disable shadow copies to prevent easy system recovery and then encrypts files, adding the .hello extension to file names.

Besides the ransomware payload, Unit 42 also observed Hello XD operators now using an open-source backdoor named MicroBackdoor to navigate the compromised system, exfiltrate files, execute commands, and wipe traces.

This MicroBackdoor executable is encrypted using WinCrypt API and embedded within the ransomware payload, so it’s dropped to the system immediately upon infection.

Decrypting and dropping Microbackdoor
Decrypting and dropping Microbackdoor (Unit 42)

Crypter and encryption

The custom packer deployed in the ransomware payload’s second version features two layers of obfuscation.

The author has derived the crypter by modifying UPX, an open-source packer that numerous malware authors have widely abused in the past.

UPX packing (right) and custom packing (left)

The embedded blobs decryption involves using a custom algorithm containing unconventional instructions like XLAT, while the API calls in the packer are weirdly not obfuscated.

The most interesting aspect of the second major version of Hello XD is switching the encryption algorithm from modified HC-128 and Curve25519-Donna to Rabbit Cipher and Curve25519-Donna.

Babuk encryption (left) and HelloXD 2.0 encryption (right)
Babuk encryption (left) and Hello XD 2.0 encryption (right) (Unit 42)

Additionally, the file marker in the second version was changed from a coherent string to random bytes, making the cryptographic result more powerful.

What we should expect

At this time, Hello XD is a dangerous early-stage ransomware project currently being used in the wild. Even though its infection volumes aren’t significant yet, its active and targeted development lays the ground for a more dangerous status.

Unit 42 traced its origins to a Russian-speaking threat actor using the alias X4KME, who uploaded tutorials on deploying Cobalt Strike Beacons and malicious infrastructure online.

Samples of X4KME online presence
Samples of X4KME online presence (Unit 42)

Additionally, the same hacker has posted on forums to offer proof-of-concept (PoC) exploits, crypter services, custom Kali Linux distributions, and malware-hosting and distribution services.

All in all, the particular threat actor appears knowledgeable and in a position to move Hello XD forward, so analysts need to monitor its development closely.

Source: Bill Toulas
Via: bleepingcomputer
Tags: Hello XD ransomware now drops a backdoor while encrypting
ShareTweet

Get real time update about this post categories directly on your device, subscribe now.

Unsubscribe

Search

No Result
View All Result

Recent News

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

July 29, 2025
French Telco Orange Hit by Cyber-Attack

French Telco Orange Hit by Cyber-Attack

July 29, 2025
ATC Ghana supports Girls-In-ICT Program

ATC Ghana supports Girls-In-ICT Program

April 25, 2023

About What We Do

itechnewsonline.com

We bring you the best Premium Tech News.

Recent News With Image

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

July 29, 2025
French Telco Orange Hit by Cyber-Attack

French Telco Orange Hit by Cyber-Attack

July 29, 2025

Recent News

  • Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa July 29, 2025
  • French Telco Orange Hit by Cyber-Attack July 29, 2025
  • ATC Ghana supports Girls-In-ICT Program April 25, 2023
  • Vice President Dr. Bawumia inaugurates ICT Hub April 2, 2023
  • Home
  • InfoSec
  • Opinion
  • Africa Tech
  • Data Storage

© Copyright 2026, All Rights Reserved | iTechNewsOnline.Com - Powered by BackUPDataSystems

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In

Add New Playlist

No Result
View All Result
  • Home
  • Tech
  • Africa Tech
  • InfoSEC
  • Data Science
  • Data Storage
  • Business
  • Opinion

© Copyright 2026, All Rights Reserved | iTechNewsOnline.Com - Powered by BackUPDataSystems

Are you sure want to unlock this post?
Unlock left : 0
Are you sure want to cancel subscription?
Go to mobile version