
Summary

The Howler Cell Threat Research Team conducted a detailed technical analysis of 0APT, a Rust-based ransomware family that recently surfaced alongside a coordinated bluff campaign. The operators publicly claimed to have compromised over 200 organizations within a short time span and advertised alleged victim access through their RaaS infrastructure.

However, no verifiable evidence of confirmed intrusions or operational encryption events has been observed. At the time of initial review, the group’s onion-based data leak site was accessible and displayed an extensive victim list. During later stages of the investigation, the onion site went offline.

Credibility on Leak Downloads

  • The exposed RaaS panel raises additional concerns regarding credibility. The leak section presented on the panel advertises downloadable file trees, each reportedly several gigabytes in size.

  • When initiating a download from the panel, the transfer attempts to pull a large archive immediately.

  • The download does not complete in a practical timeframe. This behavior suggests the content may not represent genuine exfiltrated datasets.

  • It appears structured to create the impression of large-scale data theft rather than to provide verifiable proof.

There are also no screenshots of compromised data hosted within the panel itself. The absence of preview evidence further weakens the credibility of the announced victims.

Credibility on Victim Claims

The scale and timing of the announcements also warrant scrutiny. 

  • Claiming around 200 victims in a compressed time window, without supporting artifacts, is operationally inconsistent with observed ransomware group behavior.

  • Mature groups typically stagger disclosures and provide proof of compromise to strengthen negotiation leverage. In this case, the announcements appear rapid and unsupported.

0APT Building Actual Threat Capabilities and Attracting an Affiliate Force

While the group’s initial campaign appeared to be largely inflated, with public claims of more than 200 compromised victims unsupported by verifiable evidence, this should not be interpreted as a lack of real capability. Our investigation confirms that the operators behind 0APT are running an active RaaS platform with functional malicious payloads and a working affiliate model.

The early bluff may have been intended to quickly build a reputation and attract a larger pool of partners, but it likely had the opposite effect, damaging credibility rather than strengthening it. Regardless, the group is now clearly moving forward with efforts to establish a legitimate cybercriminal operation.

Howler Cell researchers successfully accessed and validated the group’s onion-hosted RaaS portal, generated ransomware samples directly from the platform, and conducted full reverse engineering of the payloads. Analysis shows the malware is operationally viable, with builds customized per affiliate using unique build keys and affiliate identifiers while maintaining a consistent core codebase. The platform is actively positioned to recruit collaborators, allowing prospective affiliates to engage with the operators, generate customized ransomware builds, and deploy them independently. Once infections occur, affiliates handle victim communications and negotiations, with profits from extortion shared between the operators and their partners.

Attacker Attribution

Embedded Hindi language strings within debug logs may suggest a possible Indian linguistic influence associated with at least one developer. This observation remains speculative and should not be treated as attribution.

APT Payload - Technical Analysis

Sha256: 3dc4593b14879cb0bb4dc19e85816f09ff6a5f4db8c2957331b557af1fa1a375

The team analyzed a 64‑bit binary compiled with Rust version 1.92.0, which included 32 crates as dependencies. Upon execution, it looks for a file named Config2.txt in its current working directory (see Figure 1 for a snippet). If the file is missing, it falls back to using default configuration values hardcoded within the binary.

Figure 1: Config2.txt read to memory


Configuration Initialization

The Config2.txt file is a plain text configuration file containing key–value pairs, each placed on a separate line. These parameters adjust the ransomware’s behavior, including specifying files or directories to exclude from encryption. The field types supported by the 0APT ransomware are listed below in Table 1.

Table 1: 0APT Ransomware Configuration

| Field Name | Default value | Details |
| --- | --- | --- |
| extension | ".tmp", ".temp", ".log", ".cache", ".lnk", ".ini", ".bak", ".old", ".thumb", ".db", ".exe", ".dll", ".sys", ".msi", ".bat", ".com", ".vbs", ".0apt" | File extensions skipped from encryption |
| filename | "config2.txt", "README0apt.txt", "public_key.pem", "company.txt" | File names skipped from encryption |
| folder | "/temp", "/tmp", "/cache", "/google/chrome", "/mozila/firefox", "/$recycle.bin", "/appdata/local/temp", "/windows", "/ProgramData", "/bin", "/sbin", "/proc", "/dev", "/sys", "/etc", "/lib", "/boot", "/system", "/Program Files", "/Program Files (x86)" | Folders skipped from encryption |
| max_size_gb | 1 GB | Files larger than this value are skipped |
| max_parallel | Number of CPU cores | Number of threads used for encryption |
| min_free_ram_mb | 500 MB | Minimum free RAM required for execution; otherwise the ransomware waits for the interval specified by ram_refresh_ms until sufficient memory becomes available |
| ram_refresh_ms | 100 ms | RAM check timer |
| ab_start_min | 1 minute | Sleep timer |
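As an added illustration (not code from the report or from the malware), the following Python models the exclusion rules of Table 1 so a defender can check which files a run with a given Config2.txt would touch. It assumes a key=value line format with comma-separated list values and case-insensitive substring matching for folder entries, none of which the report specifies.

```python
# Models the exclusion rules of Table 1. Assumptions (not confirmed by the report):
# one key=value pair per line, list values comma-separated, and folder entries
# matched as case-insensitive substrings of the slash-normalized path.
DEFAULTS = {
    "extension": [".tmp", ".temp", ".log", ".cache", ".lnk", ".ini", ".bak", ".old",
                  ".thumb", ".db", ".exe", ".dll", ".sys", ".msi", ".bat", ".com",
                  ".vbs", ".0apt"],  # .0apt: already-encrypted files are not touched again
    "filename": ["config2.txt", "README0apt.txt", "public_key.pem", "company.txt"],
    "folder": ["/temp", "/tmp", "/cache", "/google/chrome", "/mozila/firefox",
               "/$recycle.bin", "/appdata/local/temp", "/windows", "/ProgramData",
               "/bin", "/sbin", "/proc", "/dev", "/sys", "/etc", "/lib", "/boot",
               "/system", "/Program Files", "/Program Files (x86)"],
    "max_size_gb": 1.0,
}
LIST_KEYS = ("extension", "filename", "folder")

def parse_config(text):
    """Parse Config2.txt-style text; keys absent from the file keep their defaults."""
    cfg = {k: (list(v) if isinstance(v, list) else v) for k, v in DEFAULTS.items()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in LIST_KEYS:
            cfg[key] = [v.strip().strip('"') for v in value.split(",") if v.strip()]
        elif key == "max_size_gb":
            cfg[key] = float(value.strip())
    return cfg

def would_skip(path, size_bytes, cfg):
    """Return which rule would exclude `path` from encryption, or None if it is a target."""
    lower = path.replace("\\", "/").lower()
    name = lower.rsplit("/", 1)[-1]
    if size_bytes > cfg["max_size_gb"] * 1024 ** 3:
        return "max_size_gb"
    if name in {f.lower() for f in cfg["filename"]}:
        return "filename"
    if any(lower.endswith(ext.lower()) for ext in cfg["extension"]):
        return "extension"
    if any(folder.lower() in lower for folder in cfg["folder"]):
        return "folder"
    return None

if __name__ == "__main__":
    cfg = parse_config("extension=.txt,.docx\nmax_size_gb=2\n")  # constructed sample config
    for p in ("C:/Users/a/report.txt", "C:/Windows/x.dat", "/home/a/notes.md"):
        print(p, "->", would_skip(p, 1024, cfg))
```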


After the configuration is initialized, the ransomware proceeds with public‑key assignment. It attempts to read a file named public_key.pem from the current execution directory; if the file is not found, it defaults to a hardcoded public key, the value of which is shown in Table 2.

Table 2: Hardcoded Public Key

-----BEGIN PUBLIC KEY-----
(PEM key body omitted here; it decodes to the 2048-bit RSA key described below)
-----END PUBLIC KEY-----


As shown in Figure 2, the ransomware leverages the DecodePublicKey function from the Rust spki crate to parse the embedded public key. In this instance, the hardcoded key resolves to a 2048‑bit RSA public key.

Figure 2: Public key Initialization


Before initiating encryption, the ransomware looks for a file named allpath.txt in its current working directory. If the file exists, only the file(s) listed inside it are encrypted. If it is absent, the ransomware proceeds to scan all folders for encryption targets.

File Encryption

The analyzed routine implements a hybrid file encryption scheme combining asymmetric and symmetric cryptography. The program first opens the target file and reads its full contents into memory. It then generates two cryptographically secure random values using rand_core::os::OsRng: a 32-byte value used as the AES-256 key, and a 16-byte value used as the initialization vector (IV). The AES key is encrypted using RSA with OAEP padding, producing an RSA-encrypted session key.

Figure 3: File Encryption using RSA+AES-256


The routine initializes AES-256 using the RustCrypto AES crate, and the file contents are encrypted using a stream-cipher abstraction (cipher::stream::AsyncStreamCipher::encrypt), strongly indicating AES in a stream-compatible mode such as CTR. After encryption, the file is reopened for writing and overwritten with a structured output consisting of:

  1. a 4-byte big-endian length field

  2. the RSA-encrypted AES key

  3. the 16-byte IV

  4. the AES-encrypted file data. 

The file is flushed to disk with File::sync_all to ensure the write is persisted, and is then renamed with the .0apt extension.
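To make the on-disk layout above concrete, here is an added Python triage helper (not code from the report or from the malware) that splits a .0apt file into its fields and recovers the original file size. It assumes the 4-byte length field holds the length of the RSA-encrypted key that follows it; the sample bytes it builds are constructed, not taken from a real encrypted file.

```python
import os
import struct

RSA_2048_CT_LEN = 256   # RSA-OAEP ciphertext size for the 2048-bit key described above
IV_LEN = 16             # 16-byte IV per the layout above

def parse_0apt_container(blob):
    """Split an encrypted file into (rsa_encrypted_key, iv, ciphertext).

    Assumption: the 4-byte big-endian field is the length of the RSA-encrypted
    AES key that follows it. Raises ValueError on malformed input.
    """
    if len(blob) < 4:
        raise ValueError("too short for the length field")
    key_len = struct.unpack(">I", blob[:4])[0]
    if key_len == 0 or len(blob) < 4 + key_len + IV_LEN:
        raise ValueError("length field inconsistent with file size")
    enc_key = blob[4:4 + key_len]
    iv = blob[4 + key_len:4 + key_len + IV_LEN]
    ciphertext = blob[4 + key_len + IV_LEN:]
    return enc_key, iv, ciphertext

def original_size(blob):
    """Stream-mode encryption adds no padding, so ciphertext length == original length."""
    _, _, ciphertext = parse_0apt_container(blob)
    return len(ciphertext)

def looks_like_0apt(blob):
    """Triage heuristic: layout parses and the wrapped-key length matches RSA-2048."""
    try:
        enc_key, _, _ = parse_0apt_container(blob)
    except ValueError:
        return False
    return len(enc_key) == RSA_2048_CT_LEN

def build_sample(plaintext_len=40, key_len=RSA_2048_CT_LEN):
    """Constructed fixture: random bytes laid out as the ransomware writes them.
    Not a real encrypted file; returns (blob, (enc_key, iv, ciphertext))."""
    enc_key, iv, ct = os.urandom(key_len), os.urandom(IV_LEN), os.urandom(plaintext_len)
    return struct.pack(">I", key_len) + enc_key + iv + ct, (enc_key, iv, ct)

if __name__ == "__main__":
    blob, _ = build_sample()
    print("0apt layout:", looks_like_0apt(blob), "original size:", original_size(blob))
```

In the RustCrypto ecosystem, cipher::AsyncStreamCipher is the trait implemented by the cfb-mode crate's encryptor, while CTR implements StreamCipher, so the mode is more likely CFB than CTR; the parser is mode-agnostic either way, since both leave the ciphertext unpadded.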

Readme and Wallpaper

For each directory, the ransomware drops a plaintext file named README0apt.txt.0apt, and the contents of this file are shown in Figure 4.

Figure 4: 0APT Ransomware Readme


Additionally, the ransomware embeds a static wallpaper image, which it writes as embedded_wallpaper.png to the %TEMP% directory and then sets as the system’s desktop wallpaper (Figure 5) once execution completes. No persistence mechanisms were observed.

Figure 5: Wallpaper set by ransomware


Hindi strings within the ransomware

The inclusion of Hindi language text, as shown in Figure 6, within the ransomware logs may suggest a possible Indian linguistic background associated with the developer, though it does not provide definitive evidence of origin.

Figure 6: Ransomware execution log


Conclusion

The 0APT ransomware demonstrates a clear focus on reliability, operator configurability, and secure cryptographic implementation, aligning with modern trends in Rust‑based ransomware development. Its robust fallback logic, hybrid encryption scheme, and careful exclusion mechanisms indicate a structured development approach rather than a low‑effort clone or commodity builder.

However, the absence of persistence, network propagation, or advanced evasion techniques suggests that 0APT is likely intended for targeted, manually controlled intrusions, where the operator has prior access and executes the payload in a controlled environment.

The inclusion of Hindi‑language strings provides meaningful, though not definitive, insight into potential developer origin or operator linguistic background. Continued monitoring is recommended to assess future evolutions of this strain, particularly if persistence, network spread, or automated lateral movement features are later introduced.

Appendix

TOR Link:
hxxp://oaptxiyisljt2kv3we2we34kuudmqda7f2geffoylzpeo7ourhtz4dad[.]onion/

