Makop ransomware group sharpens tools in India focus
Researchers at cyber protection company Acronis have reported new techniques in Makop ransomware attacks, including greater use of local privilege escalation exploits and the GuLoader malware, with most observed incidents affecting organisations in India.
Makop is a strain of ransomware linked to the Phobos family and has circulated since around 2020. Analysts at the Acronis Threat Research Unit (TRU) examined recent Makop incidents involving GuLoader samples and a wide range of privilege escalation tools. They observed that the operators rely on exposed remote desktop protocol (RDP) services, commodity software and known vulnerabilities instead of bespoke malware frameworks.
The group's approach remains relatively simple. Attackers focus on RDP systems that use weak or reused credentials and lack multifactor authentication. They then deploy a set of widely available tools for network discovery, privilege escalation, security software tampering and credential theft before attempting data encryption.
RDP-focused entry
Makop operators gain initial access by brute forcing or running dictionary attacks against publicly exposed RDP services, often on the default port. The investigation identified use of NLBrute, an older password-guessing tool that circulates in cracked form on cyber crime forums. NLBrute requires a list of target IP addresses and username and password combinations, which attackers use in large-scale attempts.
Once attackers obtain valid RDP credentials, they pivot within the victim environment. They deploy network scanners and other utilities to identify additional systems, locate high-value machines and prepare the ground for encryption.
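The password-guessing entry described above leaves a distinctive trace in authentication logs: many failed RDP logons from one address in a short span, cycling through account names. The following script is an added illustration, not code from Acronis or from the report; it runs a sliding-window counter over constructed records shaped like the fields of Windows Security event 4625 (failed logon). The sample records, the 20-failures-in-5-minutes threshold and the 3-distinct-accounts minimum are assumptions chosen for the example, not figures from the research.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, loosely modelled on the fields of Windows
# Security event 4625 (failed logon): (timestamp, source_ip, username,
# logon_type, status). Logon type 10 is RemoteInteractive, i.e. RDP;
# status 0xC000006A means "wrong password". None of this is real telemetry.
BASE = datetime(2025, 1, 10, 2, 0, 0)
GUESSED_USERS = ["administrator", "admin", "user", "scan", "backup", "test"]
SAMPLE_EVENTS = (
    # 25 failures in two minutes from one external address, cycling accounts:
    # the shape of a dictionary attack against an exposed RDP service
    [(BASE + timedelta(seconds=5 * i), "203.0.113.45", GUESSED_USERS[i % 6], 10, "0xC000006A")
     for i in range(25)]
    # three typos from an internal admin over ten minutes: routine noise
    + [(BASE + timedelta(minutes=3 * j), "10.0.0.12", "jdoe", 10, "0xC000006A")
       for j in range(3)]
    # a network (type 3) failure from the same external address is not RDP
    + [(BASE + timedelta(seconds=30), "203.0.113.45", "svc", 3, "0xC000006A")]
)


def detect_rdp_bruteforce(events, window=timedelta(minutes=5), threshold=20, min_users=3):
    """Return {source_ip: summary} for sources whose RDP logon failures reach
    `threshold` inside any `window`-long span while cycling at least
    `min_users` distinct accounts. The thresholds are assumptions chosen for
    this illustration, not figures from the Acronis report."""
    by_source = defaultdict(list)
    for ts, src, user, logon_type, _status in events:
        if logon_type == 10:            # only RemoteInteractive (RDP) failures
            by_source[src].append((ts, user))

    flagged = {}
    for src, attempts in by_source.items():
        attempts.sort()                 # chronological order
        best = None
        start = 0
        for end in range(len(attempts)):
            # slide the window start forward until the span fits in `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {user for _, user in span}
            if len(span) >= threshold and len(users) >= min_users:
                # keep the densest qualifying span for this source
                if best is None or len(span) > best["failures"]:
                    best = {"failures": len(span), "users": len(users),
                            "first": span[0][0], "last": span[-1][0]}
        if best:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{src}: {info['failures']} RDP failures against {info['users']} accounts "
              f"between {info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}")
```

The distinct-account condition is what separates a dictionary attack from one user mistyping a password, and filtering on logon type 10 keeps network and service logons out of the count. On a real estate the same logic would read from the Security event log or a SIEM rather than from an in-memory list, and the thresholds would be tuned to the environment.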
Off-the-shelf toolset
The research shows extensive reliance on legitimate or easily available software. Attackers favour network scanners such as NetScan and Advanced IP Scanner. They combine these with Advanced Port Scanner and Masscan for port scanning activity. This combination enables detailed mapping of hosts and services across local networks.
The same tools are commonly used by administrators. The overlap makes malicious activity harder to distinguish from routine IT work.
Makop operators deploy their toolset in predictable locations. The binaries often appear on network-mounted RDP shares such as \\tsclient\ or in user profile folders such as Music, Downloads, Desktop, Documents or the root of the C: drive. Subfolder names such as "Bug" or "Exp" are typical. The encryptor uses filenames including bug_osn.exe, bug_hand.exe, 1bugbug.exe, bugbug.exe, taskmgr.exe, mc_osn.exe and mc_hand.exe, along with dotted variants such as .taskmgr.exe.
Security tool disruption
The campaign relies heavily on disrupting antivirus and endpoint security software. The researchers observed the use of utilities such as Defender Control and Disable Defender. These tools switch off Microsoft Defender features for a period and clear the way for further activity.
Attackers also adopted bring-your-own-vulnerable-driver techniques. They load signed but vulnerable drivers such as ThrottleStop.sys and hlpdrv.sys. ThrottleStop.sys is associated with the ThrottleStop application and contains a memory access flaw tracked as CVE-2025-7771. Attackers exploit this flaw to gain higher privileges and interfere with security tools. The hlpdrv.sys driver grants kernel-level access when registered as a service, which allows termination of some endpoint detection and response products.
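The staging locations and filenames listed under "Off-the-shelf toolset" and the two driver names above are concrete enough for a defender to match on. The script below is an added example written for this article, not code from Acronis or from the report; it classifies constructed file-creation and driver-load events against those indicators. The list of directories where a taskmgr.exe is the genuine Task Manager (LEGIT_TASKMGR_DIRS) and the event format are assumptions made for the example.

```python
from pathlib import PureWindowsPath

# Indicators as listed in the Acronis findings reported above.
MAKOP_FILENAMES = {
    "bug_osn.exe", "bug_hand.exe", "1bugbug.exe", "bugbug.exe",
    "taskmgr.exe", "mc_osn.exe", "mc_hand.exe", ".taskmgr.exe",
}
STAGING_SUBFOLDERS = {"bug", "exp"}
PROFILE_FOLDERS = {"music", "downloads", "desktop", "documents"}
VULNERABLE_DRIVERS = {"throttlestop.sys", "hlpdrv.sys"}
# Assumption for this example: the only directories where a file named
# taskmgr.exe is the genuine Windows Task Manager.
LEGIT_TASKMGR_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def classify_path(path):
    """Return the reasons a file path matches the Makop staging pattern
    (an empty list means no match). Filename, tsclient share and Bug/Exp
    subfolder count as primary signals; a user profile folder or the drive
    root only strengthens a primary hit, because executables turn up there
    legitimately all the time."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    folders = {part.lower() for part in p.parts[1:-1]}
    primary, supporting = [], []

    if name in MAKOP_FILENAMES:
        if name == "taskmgr.exe" and str(p.parent).lower() in LEGIT_TASKMGR_DIRS:
            pass                                   # genuine Task Manager
        else:
            primary.append("known Makop tool filename")
    if p.anchor.lower().startswith("\\\\tsclient\\"):
        primary.append("staged on RDP-mapped tsclient share")
    if folders & STAGING_SUBFOLDERS:
        primary.append("Bug/Exp staging subfolder")
    if name.endswith(".exe") and folders & PROFILE_FOLDERS:
        supporting.append("executable in user profile folder")
    if name.endswith(".exe") and p.anchor and p.parent == PureWindowsPath(p.anchor):
        supporting.append("executable at drive root")

    return primary + supporting if primary else []


def classify_driver(image_path):
    """Return a reason if a driver image is one the report names as abused
    in bring-your-own-vulnerable-driver attacks."""
    name = PureWindowsPath(image_path).name.lower()
    return [f"vulnerable driver {name} loaded"] if name in VULNERABLE_DRIVERS else []


# Constructed sample events: file creations and driver service registrations.
SAMPLE_EVENTS = [
    {"type": "file", "path": r"\\tsclient\C\Bug\bug_osn.exe"},
    {"type": "file", "path": r"C:\Users\jdoe\Music\Exp\mc_hand.exe"},
    {"type": "file", "path": r"C:\Users\jdoe\Downloads\.taskmgr.exe"},
    {"type": "file", "path": r"C:\1bugbug.exe"},
    {"type": "file", "path": r"C:\Windows\System32\taskmgr.exe"},   # genuine
    {"type": "file", "path": r"C:\Users\jdoe\Downloads\setup.exe"},  # benign
    {"type": "driver", "image": r"C:\Users\jdoe\Desktop\hlpdrv.sys"},
    {"type": "driver", "image": r"C:\Windows\System32\drivers\disk.sys"},
]


def scan_events(events):
    """Return (path, reasons) for every event that matches an indicator."""
    hits = []
    for ev in events:
        if ev["type"] == "file":
            key, reasons = ev["path"], classify_path(ev["path"])
        else:
            key, reasons = ev["image"], classify_driver(ev["image"])
        if reasons:
            hits.append((key, reasons))
    return hits


if __name__ == "__main__":
    for key, reasons in scan_events(SAMPLE_EVENTS):
        print(f"{key}: {', '.join(reasons)}")
```

The taskmgr.exe handling is the caveat worth noting: the name alone is a legitimate Windows binary, so the check only fires when it appears outside the system directories or carries the dotted prefix. Filename matching of this kind is cheap to evade by renaming, so the share and subfolder patterns, and the driver loads, are the more durable part of the rule.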
Previous ransomware operations, including MedusaLocker, Akira and Qilin, have used the same drivers. The overlap suggests that Makop operators draw on a wider shared ecosystem of tools rather than maintaining their own unique stack.
The investigation also recorded the use of custom uninstallers against Indian antivirus product Quick Heal AV. The software is widely used by consumers and businesses in India. A tailored removal tool indicates that the attackers adapt elements of their toolkit for regional conditions.
Operators supplement these measures with legitimate utilities such as Process Hacker and IOBitUnlocker. These applications can terminate processes and delete files and are popular with system administrators. Ransomware groups repurpose them for security evasion and clean-up tasks.
Escalation and credentials
The team documented multiple local privilege escalation exploits in active use. The list includes CVE-2016-0099, CVE-2017-0213, CVE-2018-8639, CVE-2019-1388, CVE-2020-0787, CVE-2020-0796, CVE-2020-1066, CVE-2021-41379 and CVE-2022-24521.
These vulnerabilities affect Windows components such as BITS, Win32k, SMB, Windows Installer and device drivers. Many have public proof-of-concept code, which lowers the bar for operational use. The researchers said Makop actors keep several such exploits in reserve.
"The range of exploited CVEs shows that Makop operators are pragmatic. They assemble a toolkit of reliable exploits, many with public proof-of-concept code, and combine them with commodity software rather than investing in bespoke frameworks," said Ilia Dafchev, Senior Malware Researcher, Acronis.
On the credential side, the group adopts well-known tools. Operators use Mimikatz for in-memory credential harvesting, LaZagne for local password extraction from applications and NetPass for recovering network-related credentials such as VPN and remote desktop passwords. They deploy brute force utilities such as CrackAccount and AccountRestore when they need to guess additional passwords.
GuLoader involvement
One of the notable developments in the recent cases is the presence of GuLoader. GuLoader is a downloader-type trojan first identified in 2019. It is known for delivering a range of second-stage payloads including AgentTesla, FormBook, XLoader and Lokibot.
The research indicates that in some Makop-related incidents, GuLoader appeared in the same folders as other tools. It then fetched additional malware components. Previous ransomware operations by groups such as Qilin, RansomHub, BlackBasta and Rhysida have used loaders. Acronis said this is the first documented case of Makop distribution through a loader in its telemetry.
GuLoader's presence points to a shift in Makop's delivery chain. The group can outsource parts of the infection process to loader infrastructure. This modular approach allows more flexible staging of payloads and makes detection more difficult.
Indian focus
The majority of observed Makop incidents in the dataset affected organisations in India. These accounted for about 55% of cases. Researchers also recorded smaller clusters in Brazil and Germany, along with scattered activity in other regions.
Acronis notes that this spread aligns with telemetry showing frequent use of Quick Heal AV in victim environments. The pattern suggests that attackers focus on networks with exposed services, weaker authentication and patching gaps.
The Makop cases highlight continued reliance on basic misconfigurations and long-known vulnerabilities in ransomware operations. They also show how threat actors mix legitimate software, older hacking tools and public exploits with newer elements such as loaders and tailored uninstallers. Dafchev said the team expects Makop and similar groups to expand these hybrid techniques in future campaigns.