
New DOGE Big Balls ransomware attacks spotted.
Update, May 10, 2025: This story, originally published May 9, has been updated with further information regarding the newly confirmed DOGE Big Balls ransomware threat payloads as well as correcting a malformed link to the original threat research report.
Just as you were hoping the ransomware threat might have started to ebb, the bad news keeps flowing in: government warnings about hackers targeting passwords and 2FA codes for use in their extortion attacks, a ransomware campaign dropping zero-days, and researchers reporting a 5,365-attack ransomware rampage. There has been some good news, such as the notorious LockBit group being hacked and details of their crypto wallets being leaked. But the good news is in the minority, as this latest report has confirmed: the DOGE Big Balls ransomware attackers are back with a new payload alongside the by-now-infamous Elon Musk-trolling $1 trillion ransom demand.
The DOGE-Trolling Ransomware Attack Recap
In case you missed it the first time around, the strange tale of the DOGE Big Balls ransomware attack is quite the oddball, even for the world of cybersecurity, where threats often border on the bizarre. It all started on April 15 when I reported how a ransomware group was weaving political conspiracy theory into malware code in an apparent attempt to throw cyber-defenders and law enforcement off the scent. That ransomware was given the name DOGE Big Balls because it referenced a software engineer and DOGE worker whose online nickname is Big Balls, and even included his home address and telephone number in the ransom note.
Fast forward to April 23, and things started getting even more outlandish as the ransomware attackers upped the ante by including a $1 trillion demand in the ransomware note. This appeared, once again, to be a direct DOGE-trolling exercise, aimed at Elon Musk as much as anyone. “Give me five bullet points on what you accomplished for work last week, or you owe me a TRILLION dollars,” the note demanded.
It would be too easy to dismiss this bunch of cybercriminals as not worth taking seriously, but that would be a mistake: threat intelligence has just landed on another twist in the DOGE ransomware campaign, including dangerous new payloads and tools being used in ongoing attacks.
New DOGE Ransomware Attack Arsenal Revealed
The Netskope report describes new scripts and binaries, custom and open-source tools, and new ransomware payloads. In all, Fróes detailed 14 payloads observed during the extensive investigation into the latest DOGE ransomware threat. The first was the aptly named payload.msi, a Microsoft software installer file suspected of arriving either by way of that old chestnut, the phishing email, or through the exploitation of an exposed vulnerable service. Whatever the initial infection vector, Fróes said, the file executed a malicious PowerShell script.

Next up is wix.ps1 which, it was reported, delivers the real content by creating a Windows shortcut file in the Startup directory so that it is sure to execute once a user logs in. It also creates the EdgeAutoUpdaterTask, which needs no user interaction because it is created from the Startup folder, and which forces “the download and execution of the stage1.ps1 script,” the next item in the payload queue. “It creates a directory named ‘hidden’ under the Windows Startup folder and modifies its attributes to hide the directory,” Fróes explained, and it attempts to disable Windows Defender protections.

A number of further scripts were then downloaded, carrying various payloads, including one that bypasses the Antimalware Scan Interface (AMSI), a Windows standard designed to let anti-malware products integrate with applications and add further protection against attacks. Another collected useful information from the now-infected machine to send back to the attackers and looked for password hashes that could be reused. Domain controllers are targeted, new users are added wherever Domain Admin access is found, and access to the infected computer is enabled.
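The chain described above leaves a handful of host artifacts a defender can hunt for: a shortcut file written to the user's Startup folder, a scheduled task named EdgeAutoUpdaterTask, a directory called "hidden" created under Startup and then given the hidden attribute, Defender being switched off from the command line, and the wix.ps1 / stage1.ps1 script names. The following is an added triage example written for this article, not code from Netskope or from the threat research; the event schema (kind, path, task, cmdline), the rule names, the user name "alice" and all sample events are constructed for illustration and would need mapping onto a real Sysmon or EDR export. The Defender pattern (Set-MpPreference -Disable…, Add-MpPreference -Exclusion…) is a generic check for tampering rather than anything quoted from the report.

```python
"""
Triage constructed endpoint events for the persistence and defence-evasion
artifacts described in the DOGE Big Balls write-up. Field names, rule names
and sample events are constructed for this example (not from the report).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Per-user Startup folder, matched as a path component (case-insensitive).
STARTUP_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup(\\|$)", re.IGNORECASE
)
TASK_NAME = "edgeautoupdatertask"            # scheduled task name from the write-up
STAGE_SCRIPTS = ("wix.ps1", "stage1.ps1")    # script names from the write-up
# Generic Defender tampering: disabling a protection or adding an exclusion.
DEFENDER_TAMPER_RE = re.compile(
    r"Set-MpPreference\s+-Disable\w+|Add-MpPreference\s+-Exclusion\w+", re.IGNORECASE
)
# attrib(.exe) used to set the hidden attribute.
ATTRIB_HIDE_RE = re.compile(r"\battrib(\.exe)?\b.*\+h", re.IGNORECASE)


@dataclass
class Event:
    kind: str          # "file_create", "task_create" or "process_create"
    path: str = ""     # file_create: full path written
    task: str = ""     # task_create: registered task name
    cmdline: str = ""  # process_create: full command line


@dataclass
class Finding:
    rule: str
    detail: str


def check_event(ev: Event) -> list[Finding]:
    """Apply every rule to a single event and return zero or more findings."""
    hits: list[Finding] = []
    if ev.kind == "file_create" and STARTUP_RE.search(ev.path):
        low = ev.path.lower().rstrip("\\")
        if low.endswith(".lnk"):
            hits.append(Finding("startup_lnk", ev.path))
        if low.endswith("\\hidden"):
            hits.append(Finding("hidden_dir_in_startup", ev.path))
    elif ev.kind == "task_create" and ev.task.lower() == TASK_NAME:
        hits.append(Finding("edgeautoupdatertask_registered", ev.task))
    elif ev.kind == "process_create":
        cl = ev.cmdline
        if ATTRIB_HIDE_RE.search(cl) and STARTUP_RE.search(cl):
            hits.append(Finding("startup_dir_hidden_via_attrib", cl))
        if DEFENDER_TAMPER_RE.search(cl):
            hits.append(Finding("defender_tamper", cl))
        if any(s in cl.lower() for s in STAGE_SCRIPTS):
            hits.append(Finding("known_stage_script", cl))
    return hits


def triage(events: list[Event]) -> list[Finding]:
    """Run check_event over a batch and flatten the results."""
    findings: list[Finding] = []
    for ev in events:
        findings.extend(check_event(ev))
    return findings


def rules_fired(events: list[Event]) -> set[str]:
    """Set of distinct rule names that fired on the batch."""
    return {f.rule for f in triage(events)}


# Constructed sample telemetry for user "alice": six suspicious events, two benign.
_STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    Event("file_create", path=_STARTUP + r"\wix.lnk"),
    Event("task_create", task="EdgeAutoUpdaterTask"),
    Event("file_create", path=_STARTUP + r"\hidden"),
    Event("process_create", cmdline=f'cmd.exe /c attrib +h "{_STARTUP}\\hidden"'),
    Event("process_create",
          cmdline='powershell.exe -NoProfile -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    Event("process_create",
          cmdline=r"powershell.exe -NoProfile -File C:\Users\alice\AppData\Local\Temp\stage1.ps1"),
    Event("file_create", path=r"C:\Users\alice\Documents\report.docx"),   # benign
    Event("task_create", task="MicrosoftEdgeUpdateTaskMachineCore"),      # benign lookalike
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.detail}")
```

Each rule is deliberately narrow so that a hit is worth a human look; the benign lookalike task name shows why the match is on the exact reported name rather than a substring. In a real deployment the hidden-directory and Startup-shortcut rules would be joined on the same user profile within a short window to cut noise from legitimate installers that also drop Startup shortcuts.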
DOGE Ransomware Payloads Updated Frequently
“During our investigation,” Fróes said, “we noticed that both the payloads and the URLs used to download the payloads were updated quite often.” The large number of payloads, and the alarming frequency with which they were updated, Fróes said, only reinforces how “complex and dangerous attacks involving this ransomware can be, using many different tools to cover phases like lateral movement, privilege escalation, credential dumping, and more.” So, regardless of the DOGE-trolling and the frankly ridiculous $1 trillion demand, take note when Fróes concludes the report by stressing the “significant negative impact” that a successful DOGE Big Balls ransomware attack can have on a business. At the end of the day, no matter how bizarre the attacker, ransomware is no joke.