
The Nitrogen ransomware group was first detected in September 2024; it initially targeted organizations in the United States and Canada before expanding operations into parts of Africa and Europe.
While ransomware.live currently reports 21 known victims, security researchers believe many compromised organizations remain unlisted on Nitrogen’s public blog.
Notably, indicators of this malware family were observed as early as 2023, suggesting possible connections to earlier ransomware campaigns.
The threat actors have demonstrated sophisticated tactics, employing targeted malvertising campaigns that bundle malicious code within seemingly legitimate software downloads.
These deceptive packages masquerade as popular utilities such as Advanced IP Scanner, FileZilla, and WinSCP, creating a convincing facade for unsuspecting users seeking legitimate software.
Nextron analysts identified this threat during a recent investigation where they uncovered the complete attack chain, from initial compromise to lateral movement and eventual log deletion attempts.
Their forensic analysis revealed how the attackers leveraged Cobalt Strike beacons for network persistence and established pivot systems to facilitate movement between compromised hosts.
In the observed attack, a user searching for “WinSCP download” using Microsoft Edge clicked on a suspicious advertisement served through Bing.
The ad redirected the victim from a deceptive domain (ftp-winscp.org) to a compromised WordPress site hosting a malicious WinSCP ZIP file, establishing the initial foothold in the organization’s network.
Infection Mechanism Through DLL Sideloading
The attack’s technical sophistication becomes evident when examining the infection mechanism.
The malicious ZIP archive (WinsCP-6.3.6-Setup.zip with SHA-256: fa3eca4d53a1b7c4cfcd14f642ed5f8a8a864f56a8a47acbf5cf11a6c5d2afa2) contained several files: a malicious python312.dll, three legitimate DLLs, and a renamed python.exe labeled as setup.exe.
When executed, the setup process employed DLL sideloading, a technique in which Windows' DLL search order is abused so that a malicious library placed beside the executable is loaded in place of the legitimate one.
The setup.exe process loaded the malicious python312.dll from the current directory while installing the legitimate WinSCP application in the foreground, effectively masking the infection.

The malicious DLL, referred to as “NitrogenLoader,” mimicked the authentic Python DLL by implementing the same exports and ordinals, including the Py_Main export referenced in setup.exe’s import table.
However, its malicious functionality resided in the DllMain export, where packed connect-back logic established communication with the attacker’s command and control infrastructure.
Once inside the network, the attackers deployed Cobalt Strike beacons across multiple systems.
Analysis of Windows Error Reporting (WER) crash dumps revealed detailed Cobalt Strike configurations, including team server information and HTTP response structures.
The threat actors also attempted to conceal their presence by clearing critical Windows event logs, including Security, System, and PowerShell logs.
#!/usr/bin/env python3
# Generate every single-byte XOR encoding of a known Cobalt Strike
# configuration string, e.g. to build search patterns for memory or crash dumps.
def main():
    # raw string so the backslashes are kept literally
    str_input = [r"@%windir%\syswow64\gpupdate.exe"]
    for string in str_input:
        for key in range(256):  # 0x00 through 0xFF
            xored_bytes = [ord(ch) ^ key for ch in string]  # XOR encoding
            xored_hex = "".join(f"{byte:02x}" for byte in xored_bytes)
            print(f"key 0x{key:02x}: {xored_hex}")

if __name__ == "__main__":
    main()
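To show how such encodings are put to use, here is an added example (not code from the Nextron write-up) that scans a byte buffer standing in for a crash dump for the spawnto path under every single-byte XOR key and reports the key and offset of each hit. The constructed sample buffer, the 64-bit sysnative variant of the path and the omission of the script's leading "@" are assumptions.

```python
#!/usr/bin/env python3
# Scan a byte buffer (e.g. a WER crash dump of a beacon process) for known
# Cobalt Strike configuration strings hidden under a single-byte XOR key,
# and recover the key and offset of each hit.
from typing import List, Tuple

# Plaintext strings expected in a beacon config. The first is the spawnto
# path from the generator script (without its leading "@"); the sysnative
# variant is an assumption added for 64-bit beacons.
KNOWN_STRINGS = [
    b"%windir%\\syswow64\\gpupdate.exe",
    b"%windir%\\sysnative\\gpupdate.exe",
]

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def find_xored_strings(buf: bytes, needles=KNOWN_STRINGS) -> List[Tuple[int, int, bytes]]:
    """Return (offset, key, plaintext) for every needle found under any
    single-byte XOR key. Key 0x00 (plain, unencoded) is reported too."""
    hits = []
    for needle in needles:
        for key in range(256):
            encoded = xor_bytes(needle, key)
            start = 0
            while (pos := buf.find(encoded, start)) != -1:
                hits.append((pos, key, needle))
                start = pos + 1
    return sorted(hits)

def build_sample_dump(key: int = 0x2E) -> bytes:
    """Constructed stand-in for a crash dump: filler bytes around one
    config string encoded with `key`. Not a real dump."""
    filler = bytes(range(0x41, 0x5B)) * 4  # 104 bytes of "A".."Z"
    return filler + xor_bytes(KNOWN_STRINGS[0], key) + filler

if __name__ == "__main__":
    for off, key, text in find_xored_strings(build_sample_dump()):
        print(f"offset 0x{off:x} key 0x{key:02x}: {text.decode()}")
```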
The discovered Cobalt Strike watermark 678358251 has previously been associated with multiple threat actors, including the Black Basta ransomware group, highlighting how attack tools are frequently reused across different criminal operations.
This connection underscores the evolving ecosystem of ransomware operations, where techniques and infrastructure are shared between different threat actors.