Phobos (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.phobos (Back to overview)

Phobos

VTCollection

MalwareBytes states that Phobos is one of the ransomware families that are distributed via hacked Remote Desktop (RDP) connections. This isn't surprising, as hacked RDP servers are a cheap commodity on the underground market, and can make for an attractive and cost efficient dissemination vector for threat groups.

References

2025-07-17 ⋅ National Police Agency (Japan) ⋅ National Police Agency (Japan)
Phobos/8Base Decryption Tool
8Base Phobos

2024-11-20 ⋅ Trellix ⋅ Jambul Tologonov, John Fokker, Phuc Pham
Phobos: Stealthy Ransomware That Operated Under the Radar - Until Now
8Base CryptXXXX Dharma Phobos

2024-05-30 ⋅ circleid ⋅ WhoisXML API
A DNS Investigation of the Phobos Ransomware 8Base Attack
8Base Phobos

2024-05-21 ⋅ S-RM ⋅ Frank de Korte
Phobos ransomware launches new leak site and pivots towards double extortion
Phobos

2024-03-18 ⋅ PCrisk ⋅ Tomas Meskauskas
FORCE (.FORCE) ransomware virus – removal and decryption options
Phobos

2024-02-19 ⋅ Cyber Geeks ⋅ CyberMasterV
A Technical Analysis of the BackMyData Ransomware Used to Attack Hospitals in Romania
Phobos

2024-02-15 ⋅ DNSC ⋅ Directoratul National de Securitate Cibernetica
Backmydata Ransomware
Phobos

2023-11-23 ⋅ Qualys ⋅ Suraj Mundalik
Unveiling the Deceptive Dance: Phobos Ransomware Masquerading As VX-Underground
Phobos

2023-11-17 ⋅ Cisco Talos ⋅ Guilherme Venere
Understanding the Phobos affiliate structure and activity
Phobos

2023-11-17 ⋅ Cisco Talos ⋅ Guilherme Venere
A deep dive into Phobos ransomware, recently deployed by 8Base group
8Base Phobos

2023-08-23 ⋅ Logpoint ⋅ Anish Bogati, Nischal khadgi
Defending Against 8base: Uncovering Their Arsenal and Crafting Responses
8Base Phobos SmokeLoader SystemBC

2023-07-17 ⋅ Acronis ⋅ Acronis Security
8Base ransomware stays unseen for a year
8Base Phobos SmokeLoader

2023-06-30 ⋅ Twitter (@rivitna2) ⋅ @rivitna2
Twitter thread about relationship between 8Base and Phobos ransomware
8Base Phobos

2023-06-28 ⋅ vmware ⋅ Bria Beathley, Dana Behling, Deborah Snyder, Fae Carlisle
8Base Ransomware: A Heavy Hitting Player
8Base Phobos SmokeLoader SystemBC

2023-02-23 ⋅ CERT.PL ⋅ Jarosław Jedynak, Michał Praszmo
A tale of Phobos - how we almost cracked a ransomware using CUDA
Phobos

2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT

2022-03-03 ⋅ PARAFLARE ⋅ Bex Nitert
Luci Spools The Fun With Phobos Ransomware
Phobos

2021-11-05 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware
Cobalt Strike DoppelDridex Mount Locker Phobos StrongPity

2021-10-07 ⋅ Kaspersky ⋅ Fedor Sinitsyn, Yanis Zinchenko
Ransomware in the CIS
Cryakl Dharma Hakbit Phobos Void

2021-07-22 ⋅ ⋅ Serviciul Român de Informații ⋅ Serviciul Român de Informații
Cyber attack with PHOBOS ransomware application
Phobos

2021-05-11 ⋅ Mal-Eats ⋅ mal_eats
Campo, a New Attack Campaign Targeting Japan
AnchorDNS BazarBackdoor campoloader Cobalt Strike Phobos Snifula TrickBot Zloader

2021-05-10 ⋅ Mal-Eats ⋅ mal_eats
Overview of Campo, a new attack campaign targeting Japan
AnchorDNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader

2021-04-27 ⋅ CrowdStrike ⋅ Eben Kaplan, Josh Dalman, Kamil Janton
Ransomware Preparedness: A Call to Action
Dharma GlobeImposter Maze Phobos CIRCUS SPIDER TRAVELING SPIDER

2021-04-26 ⋅ CoveWare ⋅ CoveWare
Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt

2021-04-12 ⋅ PTSecurity ⋅ PTSecurity
PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader

2021-04-02 ⋅ Morphisec ⋅ Michael Gorelik
The “Fair” Upgrade Variant of Phobos Ransomware
Makop Phobos

2021-03-17 ⋅ Palo Alto Networks Unit 42 ⋅ Unit42
Ransomware Threat Report 2021
RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker

2020-10-13 ⋅ Fortinet ⋅ Xiaopeng Zhang
Deep Analysis – The EKING Variant of Phobos Ransomware
Phobos

2020-07-29 ⋅ ESET Research ⋅ welivesecurity
THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor

2020-04-24 ⋅ Advanced Intelligence ⋅ Bridgit Sullivan
Inside "Phobos" Ransomware: "Dharma" Past & Underground
Dharma Phobos

2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER

2020-02-25 ⋅ RSA Conference ⋅ Joel DeCapua
Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Rapid Ransom REvil Ryuk SamSam Zeus

2020-01-17 ⋅ Secureworks ⋅ Keita Yamazaki, Tamada Kiyotaka, You Nakatsuru
Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos REvil Ryuk SamSam Scarab Ransomware

2020-01-10 ⋅ Malwarebytes ⋅ Jovi Umawing
Threat spotlight: Phobos ransomware lives up to its name
Phobos

2020-01-01 ⋅ Blackberry ⋅ Blackberry Research
State of Ransomware
Maze MedusaLocker Nefilim Phobos REvil Ryuk STOP

2019-07-24 ⋅ Malwarebytes ⋅ hasherezade
A deep dive into Phobos ransomware
Phobos

2019-01-29 ⋅ CodeWare ⋅ CoveWare
Phobos Ransomware, A Combo of CrySiS and Dharma
Phobos

Yara Rules

[TLP:WHITE] win_phobos_auto (20251219 | Detects win.phobos.)

rule win_phobos_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-01-05"
        version = "1"
        description = "Detects win.phobos."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos"
        malpedia_rule_date = "20260105"
        malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79"
        malpedia_version = "20251219"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4f ff75fc e8???????? 59 8bc7 5f 5e }
            // n = 7, score = 100
            //   4f                   | dec                 edi
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8bc7                 | mov                 eax, edi
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_1 = { 6a0c 5b 53 8d442430 56 50 e8???????? }
            // n = 7, score = 100
            //   6a0c                 | push                0xc
            //   5b                   | pop                 ebx
            //   53                   | push                ebx
            //   8d442430             | lea                 eax, [esp + 0x30]
            //   56                   | push                esi
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_2 = { 7446 8b06 85c0 7440 8b0f 894e04 8b4f04 }
            // n = 7, score = 100
            //   7446                 | je                  0x48
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   85c0                 | test                eax, eax
            //   7440                 | je                  0x42
            //   8b0f                 | mov                 ecx, dword ptr [edi]
            //   894e04               | mov                 dword ptr [esi + 4], ecx
            //   8b4f04               | mov                 ecx, dword ptr [edi + 4]

        $sequence_3 = { 33db 56 57 33c0 895c2428 8d7c242c ab }
            // n = 7, score = 100
            //   33db                 | xor                 ebx, ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   33c0                 | xor                 eax, eax
            //   895c2428             | mov                 dword ptr [esp + 0x28], ebx
            //   8d7c242c             | lea                 edi, [esp + 0x2c]
            //   ab                   | stosd               dword ptr es:[edi], eax

        $sequence_4 = { 8bc6 8d3c08 8d8fb2000000 894df4 83c118 2bc8 81c100000400 }
            // n = 7, score = 100
            //   8bc6                 | mov                 eax, esi
            //   8d3c08               | lea                 edi, [eax + ecx]
            //   8d8fb2000000         | lea                 ecx, [edi + 0xb2]
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   83c118               | add                 ecx, 0x18
            //   2bc8                 | sub                 ecx, eax
            //   81c100000400         | add                 ecx, 0x40000

        $sequence_5 = { 5b c9 c3 56 6a1c }
            // n = 5, score = 100
            //   5b                   | pop                 ebx
            //   c9                   | leave               
            //   c3                   | ret                 
            //   56                   | push                esi
            //   6a1c                 | push                0x1c

        $sequence_6 = { 83c002 eb02 8bc7 8bc8 56 8d7102 }
            // n = 6, score = 100
            //   83c002               | add                 eax, 2
            //   eb02                 | jmp                 4
            //   8bc7                 | mov                 eax, edi
            //   8bc8                 | mov                 ecx, eax
            //   56                   | push                esi
            //   8d7102               | lea                 esi, [ecx + 2]

        $sequence_7 = { 68ff000000 ff15???????? cc 55 8bec 8b4508 a3???????? }
            // n = 7, score = 100
            //   68ff000000           | push                0xff
            //   ff15????????         |                     
            //   cc                   | int3                
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   a3????????           |                     

        $sequence_8 = { 0f8452010000 3bf7 7420 8d44243c 50 ff15???????? 50 }
            // n = 7, score = 100
            //   0f8452010000         | je                  0x158
            //   3bf7                 | cmp                 esi, edi
            //   7420                 | je                  0x22
            //   8d44243c             | lea                 eax, [esp + 0x3c]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   50                   | push                eax

        $sequence_9 = { ff7708 8d442430 ff7704 ff37 50 56 e8???????? }
            // n = 7, score = 100
            //   ff7708               | push                dword ptr [edi + 8]
            //   8d442430             | lea                 eax, [esp + 0x30]
            //   ff7704               | push                dword ptr [edi + 4]
            //   ff37                 | push                dword ptr [edi]
            //   50                   | push                eax
            //   56                   | push                esi
            //   e8????????           |                     

    condition:
        7 of them and filesize < 139264
}

Download all Yara Rules

Phobos Propose Change

References

Yara Rules

Phobos