New Ransomware Attack Targets Elon Musk Supporters Using PowerShell to Deploy Payloads
A newly identified ransomware campaign has emerged, seemingly targeting supporters of Elon Musk through a highly sophisticated phishing-based attack.
Cybersecurity researchers have uncovered a multi-stage infection chain that begins with a deceptive PDF document titled “Pay Adjustment.”
This document lures victims into downloading a malicious ZIP file hosted on Netlify, a popular web hosting platform.
Inside the ZIP, a .lnk (shortcut) file acts as the initial dropper, triggering a cascade of PowerShell scripts and executables designed to compromise the target system.
The attack not only aims for financial gain through ransomware deployment but also embeds satirical and political commentary, including mockery of Elon Musk and his associated projects.
Phishing Campaign with Satirical Undertones
The infection process is orchestrated through a series of meticulously crafted components.
Upon execution of the .lnk file, it invokes a PowerShell script named Pay.ps1, which serves as the entry point for further malicious activities.
This script subsequently calls stage1.ps1, acting as the primary loader and orchestrator for deploying additional payloads.
Among the payloads are cwiper.exe, identified as a variant of the Fog ransomware, and ktool.exe, a tool that abuses a vulnerable Intel driver via the Bring Your Own Vulnerable Driver (BYOVD) technique to gain kernel-level access on compromised systems.
Additionally, two obfuscated PowerShell scripts, trackerjacker.ps1 (XOR-encrypted) and lootsubmit.ps1, perform reconnaissance and geolocation tasks using the Wigle API to map victims’ locations.
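As an added detection example (not code from the report or from the campaign), the following Python walks constructed Sysmon-style process-creation events and flags an executable launched from a user-writable path whose parent and grandparent are both PowerShell, the Pay.ps1 to stage1.ps1 loader pattern described above; the file names from the report only enrich a hit. The event records, paths and command-line switches are constructed samples, not captured telemetry.

```python
"""Flag the nested PowerShell loader chain described above in process-creation telemetry."""
import re

# Constructed sample events in Sysmon Event ID 1 style (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": PS,
     "cmdline": r"powershell.exe -w hidden -ep bypass -f C:\Users\u\Downloads\Pay.ps1"},
    {"pid": 300, "ppid": 200, "image": PS,
     "cmdline": r"powershell.exe -ep bypass -f C:\Users\u\AppData\Local\Temp\stage1.ps1"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\u\AppData\Local\Temp\ktool.exe", "cmdline": "ktool.exe"},
    {"pid": 500, "ppid": 300, "image": r"C:\Users\u\AppData\Local\Temp\cwiper.exe", "cmdline": "cwiper.exe"},
    # Benign: an admin script launching a tool installed under Program Files.
    {"pid": 600, "ppid": 100, "image": PS, "cmdline": r"powershell.exe -f C:\Scripts\inventory.ps1"},
    {"pid": 700, "ppid": 600, "image": r"C:\Program Files\Tool\tool.exe", "cmdline": "tool.exe"},
]
# File names from the report; used only to enrich a hit, not as the sole trigger.
CAMPAIGN_NAMES = ("pay.ps1", "stage1.ps1", "trackerjacker.ps1", "lootsubmit.ps1", "cwiper.exe", "ktool.exe")
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads)\\", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def ancestors(event, by_pid):
    """Parent chain of event, nearest parent first; stops on unknown or looping ppid."""
    chain, seen, cur = [], {event["pid"]}, event
    while cur["ppid"] in by_pid and cur["ppid"] not in seen:
        cur = by_pid[cur["ppid"]]
        seen.add(cur["pid"])
        chain.append(cur)
    return chain

def find_loader_chains(events):
    """Return (pid, reasons) for .exe launches from user-writable paths whose
    parent and grandparent are both PowerShell (the Pay.ps1 -> stage1.ps1 pattern)."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith(".exe") or not USER_WRITABLE.search(e["image"]):
            continue
        chain = ancestors(e, by_pid)
        if sum(basename(a["image"]) == "powershell.exe" for a in chain[:2]) < 2:
            continue
        reasons = ["exe launched from user-writable path", "PowerShell parent and grandparent"]
        names = {n for a in chain + [e] for n in CAMPAIGN_NAMES if n in (a["cmdline"] + a["image"]).lower()}
        if names:
            reasons.append("known campaign names: " + ", ".join(sorted(names)))
        hits.append((e["pid"], reasons))
    return hits
```

Running `find_loader_chains(EVENTS)` flags pids 400 and 500 and leaves the Program Files tool launched from the admin script alone.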
Technical Breakdown of the Infection Chain
The ransomware note, dubbed RANSOMNOTE.txt, impersonates an individual named “Edward Coristine” affiliated with DOGE (a reference to Dogecoin, often associated with Musk).

The note bizarrely lists .gov email addresses as tech support contacts and includes satirical content mocking Musk’s initiatives.
In a peculiar distraction tactic, the attack launches a YouTube video ridiculing Elon Musk during execution, likely to confuse or delay the victim’s response while reinforcing the campaign’s parody-driven motive.
However, beneath this trolling exterior lies a clear financial objective, as evidenced by the inclusion of a Monero wallet address for ransom payments.
According to the report, this campaign's use of Netlify for hosting malicious payloads highlights the growing abuse of legitimate cloud platforms for malware distribution, making detection and mitigation more challenging.
The combination of phishing, PowerShell-based scripting, and kernel-level exploits underscores the technical sophistication of the threat actors.
While the satirical elements and political commentary add a layer of psychological manipulation, the ultimate goal remains monetary extortion through data encryption.
Organizations and individuals are urged to remain vigilant against phishing attempts, scrutinize email attachments, and deploy robust endpoint protection to counteract such multi-vector attacks.
Indicators of Compromise (IOCs)
| Indicator Type | Value |
|---|---|
| Domain | hilarious-trifle-d9182e[.]netlify[.]app |
| PDF SHA-256 | 6eb8b5986ea95877146adc1c6ed48ca2c304d23bc8a4a904b6e6d22d55bceec3 |
| cwiper.exe SHA-256 | ecfed78315f942fe0e6762acd73ef7f30c34620615ef5e71f899e1d069dabd9e |
| ktool.exe SHA-256 | 335411c83e1419c7a9074c1fe0775244e020ccebad76582d12898a3f8c2778a0 |
| trackerjacker.ps1 SHA-256 | 82137b80c2d59095e18330b1793c38b4358ae3b9f8ef2ff96656637cd2d0c891 |
| lootsubmit.ps1 SHA-256 | 0100a169f6b2008f7884b7685f9b71e68fe62de13be045dfabe6dc699a7f1f4d |