win.phobos

Phobos

Malwarebytes states that Phobos is one of the ransomware families distributed via hacked Remote Desktop (RDP) connections. This isn't surprising, as hacked RDP servers are a cheap commodity on the underground market and can make for an attractive and cost-efficient dissemination vector for threat groups.

References
2025-07-17 | National Police Agency (Japan) | National Police Agency (Japan)
Phobos/8Base Decryption Tool
8Base Phobos
2024-11-20 | Trellix | Jambul Tologonov, John Fokker, Phuc Pham
Phobos: Stealthy Ransomware That Operated Under the Radar - Until Now
8Base CryptXXXX Dharma Phobos
2024-05-30 | circleid | WhoisXML API
A DNS Investigation of the Phobos Ransomware 8Base Attack
8Base Phobos
2024-05-21 | S-RM | Frank de Korte
Phobos ransomware launches new leak site and pivots towards double extortion
Phobos
2024-03-18 | PCrisk | Tomas Meskauskas
FORCE (.FORCE) ransomware virus – removal and decryption options
Phobos
2024-02-19 | Cyber Geeks | CyberMasterV
A Technical Analysis of the BackMyData Ransomware Used to Attack Hospitals in Romania
Phobos
2024-02-15 | DNSC | Directoratul National de Securitate Cibernetica
Backmydata Ransomware
Phobos
2023-11-23 | Qualys | Suraj Mundalik
Unveiling the Deceptive Dance: Phobos Ransomware Masquerading As VX-Underground
Phobos
2023-11-17 | Cisco Talos | Guilherme Venere
Understanding the Phobos affiliate structure and activity
Phobos
2023-11-17 | Cisco Talos | Guilherme Venere
A deep dive into Phobos ransomware, recently deployed by 8Base group
8Base Phobos
2023-08-23 | Logpoint | Anish Bogati, Nischal khadgi
Defending Against 8base: Uncovering Their Arsenal and Crafting Responses
8Base Phobos SmokeLoader SystemBC
2023-07-17 | Acronis | Acronis Security
8Base ransomware stays unseen for a year
8Base Phobos SmokeLoader
2023-06-30 | Twitter (@rivitna2) | @rivitna2
Twitter thread about relationship between 8Base and Phobos ransomware
8Base Phobos
2023-06-28 | vmware | Bria Beathley, Dana Behling, Deborah Snyder, Fae Carlisle
8Base Ransomware: A Heavy Hitting Player
8Base Phobos SmokeLoader SystemBC
2023-02-23 | CERT.PL | Jarosław Jedynak, Michał Praszmo
A tale of Phobos - how we almost cracked a ransomware using CUDA
Phobos
2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-03-03 | PARAFLARE | Bex Nitert
Luci Spools The Fun With Phobos Ransomware
Phobos
2021-11-05 | Blackberry | The BlackBerry Research & Intelligence Team
Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware
Cobalt Strike DoppelDridex Mount Locker Phobos StrongPity
2021-10-07 | Kaspersky | Fedor Sinitsyn, Yanis Zinchenko
Ransomware in the CIS
Cryakl Dharma Hakbit Phobos Void
2021-07-22 | Serviciul Român de Informații | Serviciul Român de Informații
Cyber attack with PHOBOS ransomware application
Phobos
2021-05-11 | Mal-Eats | mal_eats
Campo, a New Attack Campaign Targeting Japan
AnchorDNS BazarBackdoor campoloader Cobalt Strike Phobos Snifula TrickBot Zloader
2021-05-10 | Mal-Eats | mal_eats
Overview of Campo, a new attack campaign targeting Japan
AnchorDNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader
2021-04-27 | CrowdStrike | Eben Kaplan, Josh Dalman, Kamil Janton
Ransomware Preparedness: A Call to Action
Dharma GlobeImposter Maze Phobos CIRCUS SPIDER TRAVELING SPIDER
2021-04-26 | CoveWare | CoveWare
Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt
2021-04-12 | PTSecurity | PTSecurity
PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader
2021-04-02 | Morphisec | Michael Gorelik
The “Fair” Upgrade Variant of Phobos Ransomware
Makop Phobos
2021-03-17 | Palo Alto Networks Unit 42 | Unit42
Ransomware Threat Report 2021
RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker
2020-10-13 | Fortinet | Xiaopeng Zhang
Deep Analysis – The EKING Variant of Phobos Ransomware
Phobos
2020-07-29 | ESET Research | welivesecurity
THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-04-24 | Advanced Intelligence | Bridgit Sullivan
Inside "Phobos" Ransomware: "Dharma" Past & Underground
Dharma Phobos
2020-03-04 | CrowdStrike | CrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-02-25 | RSA Conference | Joel DeCapua
Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Rapid Ransom REvil Ryuk SamSam Zeus
2020-01-17 | Secureworks | Keita Yamazaki, Tamada Kiyotaka, You Nakatsuru
Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos REvil Ryuk SamSam Scarab Ransomware
2020-01-10 | Malwarebytes | Jovi Umawing
Threat spotlight: Phobos ransomware lives up to its name
Phobos
2020-01-01 | Blackberry | Blackberry Research
State of Ransomware
Maze MedusaLocker Nefilim Phobos REvil Ryuk STOP
2019-07-24 | Malwarebytes | hasherezade
A deep dive into Phobos ransomware
Phobos
2019-01-29 | CodeWare | CoveWare
Phobos Ransomware, A Combo of CrySiS and Dharma
Phobos
Yara Rules
[TLP:WHITE] win_phobos_auto (20260504 | Detects win.phobos.)
rule win_phobos_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.phobos."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? e8???????? eb1b 6a10 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   e8????????           |                     
            //   eb1b                 | jmp                 0x1d
            //   6a10                 | push                0x10

        $sequence_1 = { 89460c 0fbf4604 3bf8 7e18 8bcf 2bc8 03c9 }
            // n = 7, score = 100
            //   89460c               | mov                 dword ptr [esi + 0xc], eax
            //   0fbf4604             | movsx               eax, word ptr [esi + 4]
            //   3bf8                 | cmp                 edi, eax
            //   7e18                 | jle                 0x1a
            //   8bcf                 | mov                 ecx, edi
            //   2bc8                 | sub                 ecx, eax
            //   03c9                 | add                 ecx, ecx

        $sequence_2 = { ff36 ff15???????? 8bd8 f7db }
            // n = 4, score = 100
            //   ff36                 | push                dword ptr [esi]
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax
            //   f7db                 | neg                 ebx

        $sequence_3 = { e8???????? 83c40c 8bc7 5f ebd2 55 8bec }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8bc7                 | mov                 eax, edi
            //   5f                   | pop                 edi
            //   ebd2                 | jmp                 0xffffffd4
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp

        $sequence_4 = { 53 56 57 8bf8 7505 e8???????? be???????? }
            // n = 7, score = 100
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   8bf8                 | mov                 edi, eax
            //   7505                 | jne                 7
            //   e8????????           |                     
            //   be????????           |                     

        $sequence_5 = { 0fb692a8a44000 23ce 0fb689a8a44000 c1e108 33ca 0fb6501e }
            // n = 6, score = 100
            //   0fb692a8a44000       | movzx               edx, byte ptr [edx + 0x40a4a8]
            //   23ce                 | and                 ecx, esi
            //   0fb689a8a44000       | movzx               ecx, byte ptr [ecx + 0x40a4a8]
            //   c1e108               | shl                 ecx, 8
            //   33ca                 | xor                 ecx, edx
            //   0fb6501e             | movzx               edx, byte ptr [eax + 0x1e]

        $sequence_6 = { 51 53 56 8bf0 8b4508 33db 57 }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8bf0                 | mov                 esi, eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   33db                 | xor                 ebx, ebx
            //   57                   | push                edi

        $sequence_7 = { ff75fc ff7508 e8???????? 59 59 eb01 4f }
            // n = 7, score = 100
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   eb01                 | jmp                 3
            //   4f                   | dec                 edi

        $sequence_8 = { 85ff 7438 0fb70f 8bc7 eb11 83c002 }
            // n = 6, score = 100
            //   85ff                 | test                edi, edi
            //   7438                 | je                  0x3a
            //   0fb70f               | movzx               ecx, word ptr [edi]
            //   8bc7                 | mov                 eax, edi
            //   eb11                 | jmp                 0x13
            //   83c002               | add                 eax, 2

        $sequence_9 = { e8???????? 8bf0 33db 59 3bf3 0f84ab000000 68a00f0000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   33db                 | xor                 ebx, ebx
            //   59                   | pop                 ecx
            //   3bf3                 | cmp                 esi, ebx
            //   0f84ab000000         | je                  0xb1
            //   68a00f0000           | push                0xfa0

    condition:
        7 of them and filesize < 139264
}