
Security researchers have identified this wave of attacks as leveraging social engineering and PowerShell-based payloads, combining technical skill, social parody, and financial motivation in an unusual mix.
Parody and Political Satire Blend
The initial infection vector begins with a phishing PDF titled “Pay Adjustment,” designed to ensnare victims through a supposed compensation update.
When opened, the document links to a Zip file hosted on Netlify, a legitimate cloud platform often abused by threat actors for payload delivery.
This archive contains a shortcut (LNK) file, which, upon execution, triggers a PowerShell script (Pay.ps1) that acts as the first-stage dropper.
The chain continues with execution of stage1.ps1, a script responsible for orchestrating subsequent payloads and escalating the attack.
An in-depth technical analysis reveals the campaign’s modular architecture. The first-stage PowerShell script, stage1.ps1, operates as a loader and orchestrator, deploying a range of components.
Among these, “cwiper.exe” stands out as a ransomware binary exhibiting characteristics similar to the “Fog” ransomware family.
Its ransom note, named RANSOMNOTE.txt, not only demands payment in Monero but also parodies the cryptocurrency community.
The note impersonates “Edward Coristine” of DOGE and bizarrely lists U.S. government email addresses as support contacts, underlining the campaign’s satirical underpinnings.
Technical Sophistication in New Attack
Further enhancing the attack’s sophistication, the campaign includes “ktool.exe,” which leverages the Bring Your Own Vulnerable Driver (BYOVD) technique, granting the adversaries kernel-level access to the target system.
The attackers utilize “trackerjacker.ps1,” an XOR-obfuscated script, to maintain stealth and avoid detection.
Meanwhile, “lootsubmit.ps1” performs reconnaissance and geolocation using the Wigle Wi-Fi geolocation API, helping the operators profile infected systems more effectively.
Interestingly, as the ransomware executes, it launches a YouTube video mocking Elon Musk, likely serving as both a distraction and a reinforcement of the campaign’s parodic messaging.
This combination of technical execution and deliberate mockery points to a hybrid motivation: blending cybercriminal financial incentive with trolling and political commentary.
Despite the apparent satire, the presence of a Monero wallet in the ransom note confirms that profit remains a primary motive.
The campaign’s use of cloud-hosted infrastructure, multi-stage PowerShell attack chains, and BYOVD techniques highlights both a high level of technical proficiency and an evolving threat landscape where social and political narratives are weaponized alongside malware.
Researchers urge organizations to be wary of unsolicited emails containing PDF attachments and to monitor for suspicious PowerShell activity, especially when linked to cloud-hosted payloads.
Indicators of Compromise (IOCs)
| Type | Value |
|---|---|
| Domain | hilarious-trifle-d9182e[.]netlify[.]app |
| PDF SHA256 | 6eb8b5986ea95877146adc1c6ed48ca2c304d23bc8a4a904b6e6d22d55bceec3 |
| cwiper.exe | ecfed78315f942fe0e6762acd73ef7f30c34620615ef5e71f899e1d069dabd9e |
| ktool.exe | 335411c83e1419c7a9074c1fe0775244e020ccebad76582d12898a3f8c2778a0 |
| trackerjacker.ps1 | 82137b80c2d59095e18330b1793c38b4358ae3b9f8ef2ff96656637cd2d0c891 |
| lootsubmit.ps1 | 0100a169f6b2008f7884b7685f9b71e68fe62de13be045dfabe6dc699a7f1f4d |
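As an added defender-side example (not code from the article or the researchers), the following Python checks constructed Sysmon-style process-creation records against the chain described above: the SHA256 values from the IOC table, PowerShell spawned by Explorer with a .ps1 argument (the LNK step), the named stage scripts, and the Netlify host. The event field names, the heuristics and the sample records are assumptions made for this example.

```python
import re

# SHA256 values and domain are the ones listed in the article's IOC table.
IOC_HASHES = {
    "6eb8b5986ea95877146adc1c6ed48ca2c304d23bc8a4a904b6e6d22d55bceec3": "Pay Adjustment PDF",
    "ecfed78315f942fe0e6762acd73ef7f30c34620615ef5e71f899e1d069dabd9e": "cwiper.exe",
    "335411c83e1419c7a9074c1fe0775244e020ccebad76582d12898a3f8c2778a0": "ktool.exe",
    "82137b80c2d59095e18330b1793c38b4358ae3b9f8ef2ff96656637cd2d0c891": "trackerjacker.ps1",
    "0100a169f6b2008f7884b7685f9b71e68fe62de13be045dfabe6dc699a7f1f4d": "lootsubmit.ps1",
}
IOC_DOMAIN = "hilarious-trifle-d9182e.netlify.app"
STAGE_SCRIPTS = ("pay.ps1", "stage1.ps1", "trackerjacker.ps1", "lootsubmit.ps1")

def classify(event):
    """Return the reasons a Sysmon-style process event (Event ID 1 field names,
    assumed here) matches the chain; the heuristics are a starting point, not the
    researchers' own detections."""
    reasons = []
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "").lower()
    sha = re.search(r"sha256=([0-9a-f]{64})", event.get("Hashes", ""), re.I)
    if sha and sha.group(1).lower() in IOC_HASHES:
        reasons.append("known-hash:" + IOC_HASHES[sha.group(1).lower()])
    if image.endswith("powershell.exe"):
        if any(name in cmd for name in STAGE_SCRIPTS):
            reasons.append("stage-script-name")
        if IOC_DOMAIN in cmd:
            reasons.append("cloud-hosted-payload")
        # An LNK opened from the downloaded zip shows up as Explorer spawning
        # PowerShell with a script path on the command line.
        if parent.endswith("explorer.exe") and ".ps1" in cmd:
            reasons.append("explorer-spawned-powershell-script")
    return reasons

def scan(events):
    """Return (index, reasons) for each event that matched at least one heuristic."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]

# Constructed sample records for a local run; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "Hashes": "",
     "CommandLine": r"powershell.exe -File C:\Users\victim\Downloads\Pay\Pay.ps1"},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\cwiper.exe", "CommandLine": "cwiper.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Hashes": "SHA256=ECFED78315F942FE0E6762ACD73EF7F30C34620615EF5E71F899E1D069DABD9E"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe report.txt", "Hashes": "SHA256=" + "0" * 64},
]
```

Running `scan(SAMPLE_EVENTS)` flags the first two records and leaves the Notepad launch alone; in production the same checks would be fed from Sysmon or EDR process telemetry rather than inline dictionaries.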
The post New Ransomware Campaign Mocks Elon Musk Supporters Deploys Payloads via PowerShell appeared first on Cyber Security News.
