Security Affairs
U.S. CISA adds Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder flaws to its Known Exploited Vulnerabilities catalog|CISA Deploys Anthropic’s Mythos AI to Hunt Vulnerabilities in U.S. Government Code|Critical Gitea Docker Bug Under Active Exploitation Exposes Repositories and Secrets|Spanish Police Arrest Man Linked to CARR, Z-Pentest, and NoName057(16)|Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available|AI-Generated Malware Powers New Armored Likho APT Campaign|Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|Seven Bugs in FatFs Put IoT and Embedded Devices at Risk|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|U.S. CISA adds Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder flaws to its Known Exploited Vulnerabilities catalog|CISA Deploys Anthropic’s Mythos AI to Hunt Vulnerabilities in U.S. Government Code|Critical Gitea Docker Bug Under Active Exploitation Exposes Repositories and Secrets|Spanish Police Arrest Man Linked to CARR, Z-Pentest, and NoName057(16)|Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available|AI-Generated Malware Powers New Armored Likho APT Campaign|Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|Seven Bugs in FatFs Put IoT and Embedded Devices at Risk|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Watch out the Satana ransomware is comining

A newly emerging strain of malware dubbed Satana, which was first spotted last week, appears to be basing itself on crypto-lockers Petya and Mischa. Experts from Malwarebytes Labs have described the malicious software to be in the stage of “malware-in-development” with expected growth and evolution to occur over the coming weeks as its popularity and use […]

Watch out the Satana ransomware is comining

A newly emerging strain of malware dubbed Satana, which was first spotted last week, appears to be basing itself on crypto-lockers Petya and Mischa.

Experts from Malwarebytes Labs have described the malicious software to be in the stage of “malware-in-development” with expected growth and evolution to occur over the coming weeks as its popularity and use increases.

Similar to Petya and Mischa, Satana – Italian for devil, has two methods of operation; the first works like Petya, initiating a dropper which writes a bootloader with a custom kernel to the start of the disk, the second stage, displays characteristics of Mischa, acting in a typical cryptoware fashion by encrypting user’s files, in this case using AES.

Unlike Petya and Mischa, this latest variant employs both methods back to back in order to compromise the system bootloader then subsequently the user data.

Satana’s installation mode is silent and patiently waits for a system reboot whereupon it displays the ransom note, confirming the compromise and detailing the instructions for decryption. This differs from Petya’s more aggressive, forcing of a fake BSOD prompting the user to reboot.

Satana malware

Satana’s ransom note which appears on the first reboot following successful infection

The second stage of operation see’s the malware work its way through the infected system, encrypting users files one by one and leaving a ransom note in each folder, labelled !satana!.txt. !satana!.txt.

All of the user’s files are renamed with the hard-coded email address which is to be used in the unlocking process, under the format <email address>_<original file name>.users files are renamed with the hard-coded email address which is to be used in the unlocking process, under the format <email address>_<original file name>.

Targeted file extensions include: .bak .doc .jpg .jpe .txt .tex .dbf .db .xls .doc .jpg .jpe .txt .tex .dbf .db .xls .cry .xml .vsd .pdf .csv .bmp .tif .1cd .tax .gif .gbr .png .mdb .mdf .sdf .dwg .dxf .dgn .stl .gho .v2i .3ds .ma .ppt .acc .vpd .odt .ods .rar .zip .7z .cpp .pas .asm

Malwarebytes Labs has reported that the encryption key is randomly generated and sent to Command and Control (C2) Servers along with other info on the infected client machine.

Much of this particular exploit seems unfinished and researchers have speculated that this particular variant has been released into the wild accidentally. Several key features of the analyzed code, including the low-level attack segments as well as erroneous bitcoin wallet details, points to the fact that this may be in a pre-production stage of development.

The expectation is however that we will see a coming evolution of this variant, which seems to employ the most aggressive features of two of the most successful cryptowarez presently available.

Written by: Steven Boyd

Steven BoydSteven is a security consultant, researcher, ethical hacker and freelance writer with over 16 years of experience in the industry. He has provided security consultancy to some of the world’s biggest banks, the private sector as well as public services and defense. He is the owner and creator of security blog www.CybrViews.com.

Twitter: @CybrViews

 

 

 

 

 

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –Satana, cybercrime)