DOGE Big Balls Ransomware Uses Open-Source Tools and Custom Scripts for Targeted Attacks

Netskope Threat Labs has recently uncovered a highly sophisticated and rapidly evolving ransomware campaign dubbed “DOGE Big Balls,” a variant of the Fog ransomware family.

This malware campaign, notable for combining open-source offensive tools with custom PowerShell scripts, demonstrates advanced attack techniques designed to compromise enterprise environments with a deliberate multi-phase infection chain.

Sophisticated Multi-Stage Infection Chain

Initial entry into targeted environments appears to occur via a malicious MSI installer, though the exact infection vector remains speculative; it is likely delivered, as in other observed campaigns, through phishing emails or exploitation of exposed network services.

The MSI file’s core function is to initiate a heavily obfuscated PowerShell script (wix.ps1), which leverages both XOR and base64 encoding for payload concealment.

This script checks user privileges, deploys persistence mechanisms through scheduled tasks and Windows Startup folder LNK files, and forces the download and execution of subsequent malicious scripts such as stage1.ps1.

The unfolding infection chain employs a range of both open-source and custom utilities.

Tools like Mimikatz and Rubeus, staples of red team operations, are combined with custom droppers and lateral movement scripts.

Through the exploitation of a known vulnerable driver (iQVW64.sys, CVE-2015-2291), the attackers achieve kernel-level execution, using Bring Your Own Vulnerable Driver (BYOVD) techniques to bypass security controls and escalate privileges.

Exploiting Vulnerable Drivers and Cloud Services

Persistence and propagation are meticulously engineered. PowerShell scripts are used to create hidden directories, evade detection, and repeatedly check for and disable Windows Defender protections.

Registry Run keys and LNK-based startup entries ensure that the payloads retain control across system reboots.
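As an added, defender-side example (not code from the Netskope report or the campaign itself), the following read-only PowerShell hunt enumerates the persistence points described above on a Windows host: Registry Run/RunOnce keys, Startup-folder LNK files, scheduled task actions, and the Defender real-time monitoring state. The keyword regex used to flag encoded or downloading PowerShell loaders is an assumption for illustration, not an indicator published in the report.

```powershell
# Added example, not from the Netskope report: read-only hunt for the persistence
# mechanisms described in the article (Run keys, Startup-folder LNK files, scheduled
# tasks) plus a Defender tamper check. Run in an elevated PowerShell session.
# The regex below is an assumption about what encoded PowerShell loaders look like,
# not an indicator taken from the report.
$Suspicious = 'powershell|pwsh|-enc|EncodedCommand|FromBase64String|-bxor|iex\b|Invoke-Expression|DownloadString'
$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Source, [string]$Name, [string]$Detail) {
    if ($Detail -match $Suspicious) {
        $Findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Detail = $Detail })
    }
}

# 1. Registry Run / RunOnce keys for the current user and the machine
$RunKeys = 'HKCU:', 'HKLM:' | ForEach-Object { "$_\Software\Microsoft\Windows\CurrentVersion\Run"; "$_\Software\Microsoft\Windows\CurrentVersion\RunOnce" }
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key
    foreach ($Prop in $Props.PSObject.Properties) {
        if ($Prop.Name -notlike 'PS*') { Add-Finding "RunKey $Key" $Prop.Name ([string]$Prop.Value) }
    }
}

# 2. Startup-folder LNK files: resolve each shortcut's target and arguments via the shell COM object
$Shell = New-Object -ComObject WScript.Shell
foreach ($Folder in 'Startup', 'CommonStartup') {
    $Dir = [Environment]::GetFolderPath($Folder)
    foreach ($Lnk in (Get-ChildItem -Path $Dir -Filter *.lnk -Force -ErrorAction SilentlyContinue)) {
        $Sc = $Shell.CreateShortcut($Lnk.FullName)
        Add-Finding 'StartupLNK' $Lnk.Name "$($Sc.TargetPath) $($Sc.Arguments)"
    }
}

# 3. Scheduled tasks whose action launches an encoded or downloading PowerShell command
foreach ($Task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    foreach ($Action in $Task.Actions) {
        Add-Finding 'ScheduledTask' "$($Task.TaskPath)$($Task.TaskName)" "$($Action.Execute) $($Action.Arguments)"
    }
}

# 4. Defender tamper check: real-time monitoring switched off is itself a finding
$Mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($Mp -and $Mp.DisableRealtimeMonitoring) {
    $Findings.Add([pscustomobject]@{ Source = 'Defender'; Name = 'DisableRealtimeMonitoring'; Detail = 'True' })
}

$Findings | Format-Table -AutoSize
```

Each row names where the entry lives and the resolved command line, so a reviewer can compare it against the expected software baseline before treating it as an artifact.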

Figure: LNK files

The attackers also utilize cloud services, notably Netlify, to host and frequently update their payloads, making tracking and mitigation more challenging.

Credential harvesting is executed through advanced use of Mimikatz (for pass-the-hash attacks) and Rubeus (for Kerberos ticket operations), feeding directly into lateral movement scripts capable of traversing both local networks and Active Directory environments.

The attackers systematically scan for valuable credentials, attempt domain-wide propagation, and in some cases, automate the creation of new privileged accounts (e.g., “svcadmin”) to maintain long-term access.

Distinctive to DOGE Big Balls is its arsenal of scripts designed for condition-specific execution.

The worm.ps1 module, for example, leverages PsExec for rapid proliferation across networked hosts, while stage2.ps1 and dcstage1.ps1 focus on escalating privileges and extracting credentials from Domain Controllers, incorporating DCSync attacks to exfiltrate password hashes straight from Active Directory.

Figure: CustomAction table.

Additional payloads observed in this campaign include cryptomining modules (via XMRIG), remote network access installers (using ZeroTier), and various watchdog scripts ensuring the uninterrupted execution of key processes.

The infrastructure supporting the malware is persistent and dynamic, with payload URLs and binaries frequently changing to evade signature-based detection.

The DOGE Big Balls campaign is also marked by its intent to provoke, with payloads containing political statements, references to public figures, and embedded media links, an unusual hallmark for financially motivated ransomware but indicative of a layered and possibly multi-motivated operator.

According to the report, Netskope’s detection mechanisms have flagged these activities under multiple signatures, such as Generic.ShellCode.Marte and Script-PowerShell.Trojan.Powdow, underscoring the polymorphic and modular nature of the threat.

The continuous adaptation and deployment of new payloads reinforce the critical need for proactive threat detection, layered security controls, and robust incident response strategies in enterprise environments.

Continued vigilance is recommended, as the DOGE Big Balls operators demonstrate both the technical agility and the intent to expand their attack surface, leveraging a mix of public and private tooling to maximize impact against both infrastructure and personnel.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
