
0APT RANSOMWARE: The Real FAKE!

NOTE: This is the initial analysis of the 0APT Group, which was later found to be fake. However, through this analysis I have released 4 new samples, along with the Linux variant of 0APT Ransomware.

INTRODUCTION

On January 28, 2026, this group started to appear on the Dark Web, listing many victims. In a short span of time, they listed about 200 victims, which quickly brought them into the limelight of the ransomware ecosystem.

But in reality, all those listed "victims" were fake: no data could be downloaded, because each file is huge and completing a single download from their server is nearly impossible.

Indrajit faking the killing of Sita in his chariot | Source: art-ma.com

NOTE: Indrajit, the eldest son of Ravana (antagonist of the Ramayana), was the master of illusion and deception. This image portrays the killing of Maya Sita (the illusory Sita) by Indrajit to demoralize the army of Lord Rama. It was chosen as the title image because the nature of the 0APT Group is just as fake, even though the group had set up a stable Onion Service.

Hence, we began to realize it is a scam built on fake claims, made just to gain more traction.

DATA LEAK SITE ANALYSIS

The threat actor had created a vanity TOR domain name to appear as professional as other ransomware groups.

The DLS is hosted with NGINX Server, which can be accessed at:

  • oaptxiyisljt2kv3we2we34kuudmqda7f2geffoylzpeo7ourhtz4dad.onion
0APT DLS

The group is notable for announcing a large number of victims on its DLS with unverified data.

None of the files is downloadable due to their large sizes.

The victim page looks like this, where the Leak Notice is found in the left pane with a message. 

Claimed Victim (fake) by 0APT

The website is protected by Cloudflare and uses CDNJS for serving its content.

The leak listed on the right side cannot be downloaded due to the low bandwidth, and all such file trees are sized at 4 GB+, which is unusual for a file tree listing (these are usually in KBs).

When attempting to download, a check is present:-

Then it initiates the download (which will surely never complete).

WHAT MAKES THESE CLAIMS DUBIOUS?

There is not a single screenshot of any hacked/compromised data on their panel, unlike the DLS of other ransomware groups (ATTOW).

When the huge download is initiated directly, it signifies that the files could not be genuine, as the download won't complete even with good bandwidth.

Moreover, a large number of companies (about 200 victims) are being announced in a short time span, which makes this group less credible.

Once verified, the following screen is shown:-

It will open up to this:

http://oaptxiyisljt2kv3we2we34kuudmqda7f2geffoylzpeo7ourhtz4dad.onion/jochat.php

The Chat Room is hosted with nginx/1.22.1

0APT Contact

Another contact URL was:-

http://oaptxiyisljt2kv3we2we34kuudmqda7f2geffoylzpeo7ourhtz4dad.onion/cochat.php

Here, we can see COCHAT and JOCHAT, which are used for:-

  • COCHAT : Contact Chat
  • JOCHAT : Join RAAS Chat

RAAS PANEL ACCESS

After verification, access to the RAAS Panel was granted; it is accessible via:-

http://oaptxiyisljt2kv3we2we34kuudmqda7f2geffoylzpeo7ourhtz4dad.onion/raasdash.php

RAAS Panel Login

Once logged in, we can see the following screen on the home page of the RAAS Panel:-

0APT RAAS PANEL HOMEPAGE

Here is the complete version (as the screenshot is limited):

⚙ CONFIGURATION FILE (allpath.txt) — COMPLETE REFERENCE

SPECIAL TARGETING (allpath.txt):
To lock only specific selected files instead of scanning the whole disk:
1. Create a file named allpath.txt in the same folder.
2. Write the full path of each target file line-by-line.

EXAMPLE (Content of allpath.txt):
C:\Users\Admin\Documents\secret_plans.pdf
D:\Backups\wallet.dat
/home/user/Desktop/passwords.txt

* Selective Mode: If allpath.txt exists, the program will ONLY encrypt the files listed inside it.
⚠ IMPORTANT: To encrypt the ENTIRE SYSTEM (scan all drives), do NOT create the 'allpath.txt' file.

⚙ CONFIGURATION FILE (config2.txt) — COMPLETE REFERENCE

SYSTEM BEHAVIOR: If config2.txt is missing → program uses internal default settings. If config2.txt exists in the same folder → program reads and applies rules from the file.

FILE FORMAT RULE: Each line must follow → key: value
Example → extension: .exe

  • EXTENSION FILTER: extension: .ext → Skips files with this extension. Multiple extension rules allowed.
  • FILENAME FILTER: filename: name.ext → Skips exact filename match.
  • FOLDER FILTER: folder: /text → Skips files if path contains this text.
  • MAX FILE SIZE LIMIT: max_size_gb: number → Files larger than this are ignored. Default → 1 GB
  • PARALLEL PROCESS LIMIT: max_parallel: number → Limits maximum parallel processing threads. Default → CPU thread count
  • MINIMUM FREE RAM REQUIRED: min_free_ram_mb: number → Processing waits if RAM is lower. Default → 500 MB
  • RAM REFRESH TIMER: ram_refresh_ms: number → Controls RAM check interval. Default → 100 ms
  • BACKGROUND TASK DELAY: ab_start_min: number → Background task delay in minutes. Default → 1 minute

DEFAULT SKIP EXTENSIONS:
".tmp", ".temp", ".log", ".cache", ".lnk", ".ini", ".bak", ".old", ".thumb", ".db", ".exe", ".dll", ".sys", ".msi", ".bat", ".com", ".vbs", ".0apt"

DEFAULT SKIP FILENAMES:
"config2.txt", "README0apt.txt", "public_key.pem", "company.txt"

DEFAULT SKIP FOLDERS:
"/temp", "/tmp", "/cache", "/google/chrome", "/mozila/firefox", "/$recycle.bin", "/appdata/local/temp", "/windows", "/program data", "/bin", "/sbin", "/proc", "/dev", "/sys", "/etc", "/lib", "/boot", "/system"

VALID RULE BEHAVIOR: Multiple same keys allowed • Order does not matter • Case insensitive

INVALID FORMAT EXAMPLES:
extension=.exe ❌
extension exe ❌
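For incident-response scoping, it helps to turn the config2.txt grammar above into a parser that reconstructs the effective skip rules of a recovered file (defaults merged with the operator's additions, malformed lines reported rather than applied) and tells an analyst which files fell outside the locker's documented scope. This is an added triage example written for this article, not code from the 0APT panel or builds; the default values are copied from the reference above, the sample config2.txt is constructed, and the assumption that rule values (not only keys) are compared case-insensitively is mine.

```python
import os
import re

# Defaults as documented in the panel's config2.txt reference (values taken from the page).
DEFAULT_SKIP_EXT = {".tmp", ".temp", ".log", ".cache", ".lnk", ".ini", ".bak", ".old", ".thumb",
                    ".db", ".exe", ".dll", ".sys", ".msi", ".bat", ".com", ".vbs", ".0apt"}
DEFAULT_SKIP_NAMES = {"config2.txt", "readme0apt.txt", "public_key.pem", "company.txt"}
DEFAULT_SKIP_FOLDERS = {"/temp", "/tmp", "/cache", "/google/chrome", "/mozila/firefox",
                        "/$recycle.bin", "/appdata/local/temp", "/windows", "/program data",
                        "/bin", "/sbin", "/proc", "/dev", "/sys", "/etc", "/lib", "/boot", "/system"}
NUMERIC_DEFAULTS = {"max_size_gb": 1, "max_parallel": os.cpu_count() or 1,
                    "min_free_ram_mb": 500, "ram_refresh_ms": 100, "ab_start_min": 1}
RULE_RE = re.compile(r"^\s*([A-Za-z_]+)\s*:\s*(\S.*?)\s*$")  # only "key: value" is a valid line

def parse_config2(text):
    """Merge a recovered config2.txt with the documented defaults. Keys are case-insensitive,
    repeated keys accumulate, order is irrelevant, malformed lines are reported, not applied."""
    cfg = {"extension": set(DEFAULT_SKIP_EXT), "filename": set(DEFAULT_SKIP_NAMES),
           "folder": set(DEFAULT_SKIP_FOLDERS), "numbers": dict(NUMERIC_DEFAULTS), "invalid": []}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = RULE_RE.match(raw)
        key = m.group(1).lower() if m else None
        if key in ("extension", "filename", "folder"):
            cfg[key].add(m.group(2).lower())   # assumption: values are matched case-insensitively too
        elif key in cfg["numbers"] and m.group(2).isdigit():
            cfg["numbers"][key] = int(m.group(2))
        else:
            cfg["invalid"].append(raw.strip())  # e.g. "extension=.exe" or "extension exe"
    return cfg

def would_be_skipped(cfg, path, size_bytes):
    """Triage helper: under cfg, does a file fall outside the locker's documented scope?"""
    p = path.replace("\\", "/").lower()
    name = p.rsplit("/", 1)[-1]
    ext = name[name.rfind("."):] if "." in name else ""
    return (ext in cfg["extension"] or name in cfg["filename"]
            or any(folder in p for folder in cfg["folder"])
            or size_bytes > cfg["numbers"]["max_size_gb"] * 1024 ** 3)

# Constructed sample config2.txt (not from a real infection), mixing valid and invalid lines.
SAMPLE_CONFIG2 = """\
Extension: .PST
extension: .vmdk
folder: /backups
max_size_gb: 4
extension=.exe
extension exe
"""
```

Running `parse_config2` on a config2.txt pulled from an affected host and applying `would_be_skipped` to a file inventory shows which data (for example anything under /etc or /windows) was never in scope and can be trusted intact.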

In the panel, there are 4 sections in the left pane, namely:-

  • PAYMENT STATUS
  • NEGOTIATION CHAT
  • ADMIN SUPPORT
  • HOW IT WORKS

Here is the NEGOTIATION CHAT:-

Negotiation Map

Here is the ADMIN SUPPORT:-

0APT Admin Support 

Here is the "HOW IT WORKS":-

#1
#2

From the records, it is found that the threat actors had named it RaaSDash.

The DLS uses "☠ 0APT" as its logo.

BUILD GENERATION

As we can see from "GENERATE NEW PAYLOAD MAX 5", the current account is able to generate 5 samples of 0APT Ransomware.

Using this feature, let’s generate the build.

When generating a new build, it asks whether to choose Windows or Linux.

Build Generation Prompt

NOTE: The threat actor had enabled both Windows and Linux environments for my test profile, though they also support Mac.

Using this, I generated 3 EXEs and 2 ELFs. All the Windows executables are 5.6 MB in size, while the Linux builds are 1.3 MB.

Once executed, the payload uses AES256 encryption. Encrypted files are renamed with the .0apt extension. A README0apt.txt file containing the unique VICTIM ID is dropped on the desktop.

Victim IDs are 5-part and end with 0APT-KEY, such as EF72-BC3B-BBD4-0APT-KEY.
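The ransom-note name, the .0apt extension and the victim ID format described above are the host-side indicators a responder can sweep for. The following scanner is an added example written for this article, not code from 0APT or its panel; it walks a directory tree, counts .0apt files, and pulls victim IDs out of README0apt.txt notes. It assumes ASCII hyphens in the ID, and the sample tree it builds is constructed, with only the ID value taken from the page.

```python
import os
import re
import tempfile

# Indicators described on the page: note name, encrypted-file extension, and the victim ID
# format (three 4-hex-digit groups followed by the literal 0APT-KEY, ASCII hyphens assumed).
NOTE_NAME = "README0apt.txt"
ENC_EXT = ".0apt"
VICTIM_ID_RE = re.compile(r"\b[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-0APT-KEY\b")

def scan_for_0apt_artifacts(root):
    """Walk root and report ransom notes, victim IDs found in them, and the .0apt file count."""
    hits = {"notes": [], "victim_ids": set(), "encrypted_files": 0}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            if fn == NOTE_NAME:
                hits["notes"].append(full)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    hits["victim_ids"].update(VICTIM_ID_RE.findall(fh.read()))
            elif fn.lower().endswith(ENC_EXT):
                hits["encrypted_files"] += 1
    return hits

def build_constructed_sample_tree():
    """Constructed sample (not real infection data): a temp dir with a note and two .0apt files."""
    root = tempfile.mkdtemp(prefix="0apt_triage_")
    desk = os.path.join(root, "Desktop")
    os.makedirs(desk)
    with open(os.path.join(desk, NOTE_NAME), "w", encoding="utf-8") as fh:
        fh.write("VICTIM ID: EF72-BC3B-BBD4-0APT-KEY\n")   # ID value taken from the page
    for name in ("report.docx.0apt", "wallet.dat.0apt", "untouched.txt"):
        open(os.path.join(desk, name), "w").close()
    return root
```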

0APT Ransomware Builds Generated 

In a newer update, the group added a new section called "SUBMIT DETAILS", where the compromised host's details are to be fed to the RAAS Panel; this was not present initially.

NOTE: On deeper analysis, it was found that the SUBMIT DETAILS feature was scrapped again by the group, as it was missing when re-testing the panel features.

Victim Form Fill Up

The hosted page is named "0aptraashdash.php".

And the page title is "SECURE_UPLINK // XXXX-XXXX-XXXX-0APT-KEY". This confirms the pattern: the Build ID is appended to the keyword "SECURE_UPLINK //".

Upon digging deeper, it was found that the actors had used a default package used in website widgets, where "SECURE_UPLINK //" is part of the widget's theme.

This can be confirmed by running it through a scanner such as:-

This scan lists similar websites that use the same theme as the 0APT Group, which confirms that the group is using the default setting and not a customized one.

In between, the website went offline and came back with minor changes.

After the revamp, another layer of checkpoint was added while generating the build.

Checkpoint before Build Generation

But this was again scrapped by the group (along with SUBMIT DETAILS feature). 

Each account is rate-limited to generating only 5 builds.

Build Generation Limit

But somehow, I managed to generate 1 more build before hitting this error. 

Build Generation Exceeded

Another fact found: the initial ID assigned to the account is the filename of the first generated executable.

For example, if you have been assigned 9a4e7d978d72cbc700b as Login ID, the first generated executable would have the same ID as its filename.

From this, we can work out how many unique IDs (i.e., the number of accounts) were assigned for this RAAS Panel. Subsequently generated executables/ELFs won't count, as 1 account can create 4 more builds.

The following are PHP Page names used by the group:-

  • raaslogin.php
  • logout.php
  • 0aptraaslogin.php
  • 0aptraashdash.php
  • api1.php

INTERACTION

During the interaction with the group, it was found that the actor claimed builds for all 3 OSes.

Chat with 0APT

In the discussion, he also mentioned that the full potential of the locker would only be accessible once a real victim gets infected.

So this requires a genuine infection to be carried out by the affiliates, hence bringing more traction to this RAAS project.

It is also notable that the default message is "Admin is online" even when the admin is offline. This keeps newly joined affiliates waiting in the chat, and the threat actor tries to respond to messages whenever he's online (and does try to reach out promptly).

EXECUTABLE ANALYSIS: SHALLOW SURFACE

The Windows executable is coded in Visual C++. Once the files are encrypted, .0apt is the extension appended to them, and the ReadMe file, titled "README0apt.txt", is dropped in multiple locations.

  • Data Hashing: murmur3, SHA1, SHA256, SHA512
  • Data Encryption: RC4 PRGA, Salsa20/ChaCha, Speck, OpenSSL RSA, AES
  • Data Encoding: Base64, XOR
  • Random Number Generation: WinAPI, RtlGenRandom
  • Compiler Used: Rust

Here, Speck is seen among the encryption algorithms, which is rare in ransomware encryption.

NOTE: Speck has one of the smallest code footprints among reasonably secure-looking block ciphers. The entire encryption routine (including key schedule) can be implemented in ~100–150 bytes of code.

But Speck was seen in AI-generated ransomware such as PromptLock back in 2025.

As it was seen in an AI-generated ransomware, there is a high chance of getting an AI match for the 0APT Ransomware EXEs/ELFs. This pointer hints at the use of AI during build generation.

Following are the MD5 hashes of the samples I obtained from the panel:-

MD5
===
0ec7d167c7ee8764e21c792d6a65d059
fb42dec2c39cd7884ca4cb6b76308f51
370fbcc6711fb983ae4679f02c5ac461
29144c2f5acd859adf08d42ffcd74f50

In another sample, I found that the threat actor had made use of InstallShield, a tool for creating, packaging, and deploying MSI, MSIX, and EXE installers for Windows applications.

ELF samples are compiled using the gcc utility, tested on Ubuntu 11.4.0.

For more samples of 0APT, you can refer here.

One fact that stood out: only 7 AV engines identified the EXE as malicious (during the analysis), which is dangerous, and only 4 AV engines detected the ELF as malicious.

MITRE ATT&CK FRAMEWORK

As per the VT MITRE map, the following pattern is repeatedly observed among other samples as well.

MITRE MAP for 0APT EXE

Here is the same in a consumable manner:-

T1047
T1059
T1129
T1027
T1036
T1222
T1562
T1012
T1016
T1057
T1069
T1082
T1083
T1087
T1518
T1614
T1213
T1560
T1090
T1486

Following is the same for Linux (ELF file):-

MITRE MAP for 0APT ELF

Here are the MITRE TTPs in a consumable manner:-

T1064
T1543
T1546
T1543
T1546
T1064
T1070
T1222
T1564
T1003
T1033
T1082
T1083
T1518
T1005
T1090

NOTE: The observed TTPs do vary based on various Samples of the same ransomware. 

MODUS OPERANDI

It can be concluded that the threat actor is interested in recruiting genuine ransomware affiliates through his program, as "JOIN RAAS" was populated while loading the 0APT DLS.

RAAS JOIN ALERT

This attracts genuine ransomware affiliates to join the network, even though the project is untrustworthy.

CONCLUSION

Though the group is still active and the DLS is online, we can expect more names on their list, which you should not worry about.

However, the samples out in the wild and their signatures would help you stay abreast of any 0APT compromises.

NOTE: The article is purely an Individual Research that belongs to THE RAVEN FILE and is not subject to be used/published anywhere without the Author’s consent.

Follow me on X/Twitter for interesting DarkWeb/InfoSec Short findings!
