Donex

Malware updated 7 hours ago (2024-11-21T10:31:22.224Z)
DoNex is a form of malware, specifically ransomware, known for its harmful effects on computer systems and data. This malicious software infiltrates systems often through suspicious downloads, emails, or websites, subsequently stealing personal information, disrupting operations, or holding data hostage for ransom. DoNex typically targets data sources that store administrative files like PDFs and document scans containing sensitive information, thereby intensifying the pressure on victims.

During its operation, DoNex was found to be running a data leak site on TOR, listing five victims in Europe and North America. The security company Avast released a decryptor for DoNex Ransomware and its predecessors, providing some relief for affected users.

The origins and affiliations of DoNex are not entirely clear, but there are suggestions it may have been rebranded from other forms of ransomware. One such candidate is Darkrace, a LockBit variant that first surfaced in August 2023. There's also a possibility that Helldown, another malware strain, is a rebrand of Donex, according to cybersecurity firm Sekoia. Sekoia also notes that Helldown's tactics and code share similarities with other ransomware strains, including Darkrace and Donex, both linked to the LockBit 3.0 lineage. Despite these links, it remains unclear whether the same developer or operators are behind Muse, DarkRace, or DoNex.

Other new operators include groups using names like Space Bears, Rabbit Hole, Qiulong, DoNex, and Arcus Media. Understanding the relationships between these various strains and operators is crucial in developing effective countermeasures against these pervasive threats.
Description last updated: 2024-11-21T10:29:41.259Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
| Alias Description | Votes |
| --- | --- |
| Darkrace is a possible alias for Donex. DarkRace, a malicious software (malware), emerged in mid-2023 as a ransomware variant using tactics similar to the LockBit lineage. This was after the LockBit source code was leaked by a developer from the ransomware group in September 2022. DarkRace employed a double extortion method, holding stole | 5 |
| Helldown is a possible alias for Donex. Helldown, a malware intrusion set that first surfaced in August 2024, is causing significant concern in the cybersecurity community. Initially known for targeting Windows systems, the Helldown group has expanded its operations to include VMware ESX servers and Linux environments. According to a repo | 2 |
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Vulnerability
Malware
Ransom
Encrypt
Encryption
Tool
Associated Malware
| Alias Description | Association Type | Votes |
| --- | --- | --- |
| The Lockbit Malware is associated with Donex. LockBit is a malicious software, or malware, known for its damaging and exploitative functions. It infiltrates systems via dubious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The LockBit | Unspecified | 3 |
Source Document References
Information about the Donex Malware was read from the documents corpus below.