d0glun

Also known as: d0glun

D0glun is a crypto-ransomware strain first observed in January 2025, believed to be derived from Babuk via an intermediary variant known as Cheng Xilun. It uses AES-256 symmetric encryption and appends an extension such as .@D0glun@ to encrypted filenames. The malware encrypts files rapidly, changes the desktop wallpaper, and drops ransom notes typically named @[email protected], Desktopcxl.txt, or help.exe. The campaign has shown signs of shared infrastructure and code reuse from Cheng Xilun, but there is no confirmed evidence of a large-scale or mature operation. Its activity so far suggests it is being tested or deployed by a small group or individual rather than a structured affiliate network.

Activities and Tactics

Information pending cataloguing.

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • Small-Net:
  • DesktopNow:

Attribution and Evidence

Information pending cataloguing.

References

References pending cataloguing.