TRJ CYBERSECURITY INTEL REPORT
Category: Financially Motivated Ransomware Attack
Features: LockBit 3.0 Deployment, Russian-language Phishing, No Exfiltration Detected, Same Contact Info as 2023 Attacks
Delivery Method: Russian-targeted Phishing Campaigns (Financial Dept. Lures)
Threat Actor: DarkGaboon (Independent, LockBit-Aligned) — Attribution Unknown, Russian-Speaking
The Shift: LockBit Turns Inward
In a rare turn of cyber-hostility aimed directly at Russian interests, a previously unreported threat actor calling itself DarkGaboon has been caught deploying a leaked variant of LockBit 3.0 ransomware against multiple industries inside Russia — including banking, retail, tourism, and public service sectors.
Originally exposed by Russian cybersecurity firm Positive Technologies in January 2025, the group’s activity reportedly dates back to early 2023, raising questions about how long this adversary has operated undetected within Russian borders. While LockBit ransomware has plagued Western institutions for years, this reversal of targeting signals a deeper fragmentation within the cybercrime ecosystem — and possibly even an internal protest or financially motivated blowback.
Not Just Another Affiliate: The Independence of DarkGaboon
Unlike traditional LockBit affiliates that operate under the now-fractured ransomware-as-a-service (RaaS) model, DarkGaboon appears to act autonomously, reusing the publicly leaked LockBit 3.0 builder that surfaced in 2022.
Positive Technologies notes that the group does not communicate through typical RaaS infrastructure and that their ransom notes are locally tailored, written in Russian and laced with direct contact emails. These addresses were previously traced back to LockBit-based campaigns that hit Russian financial institutions between March and April 2023 — signaling operational continuity.
The attacker’s phishing campaigns are notably written in native Russian, designed to appear as financial requests or payment clarifications aimed squarely at employees in finance departments. Embedded documents are often disguised as invoices or tax filings — but contain malicious loaders for Revenge RAT, XWorm, and eventually the LockBit payload.
The Decoys: Russian Templates, Minimal Evolution
DarkGaboon uses decoy templates sourced directly from legitimate Russian-language websites. Researchers emphasize that the design and layout of the lure documents have barely changed in over a year — possibly due to their continued effectiveness or a calculated effort to minimize operational fingerprints.
Once inside a target environment, the ransomware launches swiftly, locking down systems and issuing custom ransom notes. Notably, no signs of data exfiltration have been observed in the latest incidents, which could suggest a purely extortion-focused model — or indicate failed exfil attempts due to local defenses.
Ghosts in the Network: No Attribution, But Russian Fluency Confirmed
While DarkGaboon’s exact origin remains unknown, Positive Technologies asserts that the group is fluent in Russian, suggesting either internal dissidents, regional cyber mercenaries, or possibly a foreign actor mimicking local language to avoid detection.
What makes this case particularly complex is the use of open-source malware like Revenge RAT and XWorm, which blend into the noise of broader cybercriminal activity. This operational camouflage frustrates attribution efforts, enabling groups like DarkGaboon to hide within the chaotic global ransomware landscape.
Flashback: When LockBit Hit Siberia
This isn’t the first time Russia has seen LockBit turn against its own soil. In December 2024, one of the largest dairy processing plants in southern Siberia was hit by a LockBit-based ransomware attack. The strike came just days after the company had donated drones and humanitarian aid to Russian soldiers in Ukraine — leading to speculation about possible retaliatory motives behind the breach.
Though no group publicly claimed responsibility, parallels in technique and tools suggest that such rogue actors — possibly including DarkGaboon — may be growing bolder.
TRJ VERDICT: The Inversion Has Begun
While the West has long been the primary hunting ground for LockBit-style ransomware, this campaign marks a sharp geopolitical and cyber-structural shift. As Russia continues to face economic strain and mounting sanctions, its internal digital threat landscape is evolving rapidly.
DarkGaboon’s emergence is a signal: the ransomware ecosystem is eating itself.
And with leaked code, fractured affiliate networks, and rising unrest even within underground forums, the boundary between attacker and target is no longer ideological — it’s opportunistic.
TRJ BLACK FILE ADDENDUM
Indicators of Compromise (IOCs):
- Email addresses from ransom notes matched to 2023 LockBit attacks
- MD5 hashes of XWorm variants used in payload delivery
- C2 addresses embedded in Revenge RAT configs
- Decoy document signatures traced to Russian tax and invoice template archives
Entities Affected:
- Undisclosed financial institutions
- Tourism service vendors
- State-aligned infrastructure hubs
Mitigation:
- Proactive phishing defense drills in Russian-speaking environments
- Disable macros by default in all financial departments
- Monitor for reused LockBit 3.0 builder components
- Track Russian-language spear-phishing patterns
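One way to apply the phishing-tracking item above to the lure style described in this report (Russian-language finance subjects carrying documents disguised as invoices or tax filings) is a mail-triage check. This is an added example, not code from Positive Technologies or this report; the keyword stems, the extension list, and the names `triage` and `build_sample` are assumptions chosen for illustration.

```python
import email
import unicodedata
from email import policy
from email.message import EmailMessage

# Assumed Russian stems for invoice/payment/tax/reconciliation lures (constructed list).
FINANCE_STEMS = ("счет", "оплат", "платеж", "налог", "сверк")
# Assumed attachment types: macro-capable documents, archives, executables.
RISKY_EXT = (".docm", ".xlsm", ".doc", ".xls", ".rtf", ".zip", ".rar", ".iso", ".exe", ".scr")
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx"}

def normalize(text):
    """Lowercase and fold ё to е so 'Счёт' and 'СЧЕТ' hit the same stem."""
    return unicodedata.normalize("NFC", str(text or "")).lower().replace("ё", "е")

def has_cyrillic(text):
    return any("CYRILLIC" in unicodedata.name(ch, "") for ch in text)

def triage(raw_bytes):
    """Score one RFC 5322 message; returns (score, reasons)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = normalize(msg["Subject"])
    reasons = []
    if has_cyrillic(subject) and any(stem in subject for stem in FINANCE_STEMS):
        reasons.append("russian-finance-subject")
    for part in msg.iter_attachments():
        name = normalize(part.get_filename())
        if name.endswith(RISKY_EXT):
            reasons.append("risky-attachment")
        pieces = name.rsplit(".", 2)
        # 'akt.pdf.exe': a document extension followed by another one hides the real type.
        if len(pieces) == 3 and pieces[1] in DOC_EXT:
            reasons.append("double-extension")
    return len(reasons), reasons

def build_sample(subject, filename=None):
    """Build a constructed test message; addresses and payload are placeholders."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.org", "finance@example.org", subject
    m.set_content("constructed body")
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, att in [("Счёт на оплату №128", "schet_na_oplatu.docm"),
                      ("Акт сверки за март", "akt_sverki.pdf.exe"),
                      ("Meeting notes", "notes.pdf")]:
        print(subj, triage(build_sample(subj, att)))
```

A score of 2 or more is a reasonable threshold for routing a message to manual review in a finance mailbox; a subject match alone will also fire on legitimate invoices.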

