The DOGE Big Balls ransomware group, previously known for bizarre demands and trolling references, has resurfaced with a significantly more sophisticated campaign, Forbes reports.
According to a new report by Netskope, the attackers are now leveraging a set of 14 updated payloads that show markedly more technical complexity and pose a high risk to enterprise environments. These include malicious scripts and binaries delivered through phishing emails or exploited vulnerabilities, which start infection chains designed to evade detection and maintain persistence. Key components include a Microsoft Installer (MSI) package that executes obfuscated PowerShell commands, scripts that create hidden startup tasks, and mechanisms to disable Windows Defender.

The attack sequence also includes a payload that bypasses the Antimalware Scan Interface (AMSI) and another that harvests sensitive data, including password hashes. The malware targets domain controllers, adds unauthorized domain admin accounts, and establishes remote access to compromised machines. Notably, both the payloads and their distribution infrastructure are updated frequently, which complicates detection and remediation. Together the tools support lateral movement, privilege escalation, and credential dumping.

While the group's branding may appear eccentric, analysts warn that the technical execution poses a serious threat to organizations and should be treated as a high-priority risk.
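Because the payloads and infrastructure change often, hash- or domain-based blocking lags behind; what stays constant is the behaviour chain the report describes (installer spawning obfuscated PowerShell, hidden startup tasks, Defender tampering, AMSI bypass, LSASS access, new domain admins). The following is an added example of behaviour-based triage over that chain, written here for illustration; it is not code from Netskope, Forbes or the malware itself. The event records, field names (`event`, `parent`, `image`, `cmdline`, `text`, `target`, `group`) and rule patterns are constructed to resemble Sysmon and Windows Security-log telemetry and are not indicators taken from the report.

```python
"""Behavioural triage of Windows telemetry for the tradecraft described above.

Added example, not the report's or the malware's own code. EVENTS is constructed
sample telemetry (Sysmon-style process, process-access and script-block records,
plus a Security-log style group-membership change); nothing here is a real IOC.
"""
import re
from collections import defaultdict

PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS_BINARIES = {"powershell.exe", "pwsh.exe"}
# Processes that legitimately open LSASS; tune for your estate (assumption).
ALLOWED_LSASS_CLIENTS = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}

EVENTS = [  # constructed sample data: one compromised workstation, one DC, one clean host
    {"host": "ws01", "event": "process_create", "parent": r"C:\Windows\System32\msiexec.exe",
     "image": PS_PATH,
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc "
                "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"},
    {"host": "ws01", "event": "process_create", "parent": PS_PATH,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /f /sc onlogon /ru SYSTEM /tn "\Microsoft\Windows\Refresh" '
                r'/tr "powershell -w hidden -File C:\ProgramData\r.ps1"'},
    {"host": "ws01", "event": "process_create", "parent": PS_PATH, "image": PS_PATH,
     "cmdline": "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true"},
    {"host": "ws01", "event": "script_block",
     "text": "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils') ... 'amsiInitFailed' ..."},
    {"host": "ws01", "event": "process_access", "source": PS_PATH,
     "target": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"host": "dc01", "event": "group_member_added", "group": "Domain Admins",
     "member": "CORP\\svc_backup2", "actor": "CORP\\alice"},
    {"host": "ws02", "event": "process_create", "parent": r"C:\Windows\explorer.exe", "image": PS_PATH,
     "cmdline": r"powershell -NoProfile Get-ChildItem C:\Users\bob\Documents"},
]

ENC_RE = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)
DEFENDER_RE = re.compile(r"Set-MpPreference\s.*-Disable\w+\s+\$true|DisableAntiSpyware", re.I)
AMSI_RE = re.compile(r"AmsiUtils|amsiInitFailed|AmsiScanBuffer", re.I)


def _name(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Each rule is a predicate over one event; the function name doubles as the finding label.
def rule_msi_to_powershell(e):
    return e["event"] == "process_create" and _name(e["parent"]) == "msiexec.exe" \
        and _name(e["image"]) in PS_BINARIES

def rule_encoded_powershell(e):
    return e["event"] == "process_create" and _name(e["image"]) in PS_BINARIES \
        and bool(ENC_RE.search(e["cmdline"]))

def rule_hidden_task_persistence(e):
    if e["event"] != "process_create" or _name(e["image"]) != "schtasks.exe":
        return False
    c = e["cmdline"].lower()
    return "/create" in c and ("/ru system" in c or "-w hidden" in c or "-windowstyle hidden" in c)

def rule_defender_tamper(e):
    return e["event"] == "process_create" and bool(DEFENDER_RE.search(e["cmdline"]))

def rule_amsi_tamper(e):
    return e["event"] == "script_block" and bool(AMSI_RE.search(e["text"]))

def rule_lsass_access(e):
    return e["event"] == "process_access" and _name(e["target"]) == "lsass.exe" \
        and _name(e["source"]) not in ALLOWED_LSASS_CLIENTS

def rule_domain_admin_added(e):
    return e["event"] == "group_member_added" and e["group"].lower() == "domain admins"

RULES = [rule_msi_to_powershell, rule_encoded_powershell, rule_hidden_task_persistence,
         rule_defender_tamper, rule_amsi_tamper, rule_lsass_access, rule_domain_admin_added]


def triage(events):
    """Map each host to the sorted list of rule names that fired on its events."""
    hits = defaultdict(set)
    for e in events:
        for rule in RULES:
            if rule(e):
                hits[e["host"]].add(rule.__name__)
    return {h: sorted(r) for h, r in hits.items()}


def high_priority_hosts(events, threshold=3):
    """Hosts where at least `threshold` distinct stages of the chain were observed."""
    return sorted(h for h, r in triage(events).items() if len(r) >= threshold)


if __name__ == "__main__":
    for host, findings in triage(EVENTS).items():
        print(host, findings)
    print("high priority:", high_priority_hosts(EVENTS))
```

Any single rule (encoded PowerShell, an LSASS handle) is noisy on its own; the value is in the chain, which is why `high_priority_hosts` escalates only when several stages co-occur on one host. The domain-admin addition is logged on the domain controller, not the workstation, so in practice correlate that event by the acting account (`actor`) back to the host where the earlier stages fired.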