{"id":8868,"date":"2024-09-23T10:24:23","date_gmt":"2024-09-23T10:24:23","guid":{"rendered":"\/cybersecurity-blog\/?p=8868"},"modified":"2024-09-25T10:24:15","modified_gmt":"2024-09-25T10:24:15","slug":"kransom-abuses-rpg","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/kransom-abuses-rpg\/","title":{"rendered":"Kransom Ransomware: New Threat Using DLL-Sideloading to Hijack Popular RPG"},"content":{"rendered":"\n<p>Recently, our team of analysts discovered a sample of a yet-unknown ransomware that they dubbed Kransom. The malware employed the malicious DLL-sideloading technique to hijack the execution flow of an .exe file belonging to the popular game Honkai: Star Rail. Here is everything we have on the threat so far.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Initial Infection Vector<\/h2>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/9835858b-9f4c-4013-bad7-93ca6bf7645c\/?utm_source=mtt&amp;utm_medium=article&amp;utm_campaign=deerstealer&amp;utm_term=230924&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View the sandbox session for detailed analysis<\/a>.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXe-JbzJs-qeYQtvc-_aQYGkaYzeP2b1Hz4ilUdkOo_ohuSg7TS-zUcnci9UQ_Lz92wX0f7CUe9k4XsKSNwHrn5YHzVNKbYUhC9bUK7vZZslkukjH4027NDuPKzI1AEcFhtwRGW9nVIXppwCTdU-tPbyH0ZE?key=YFuxOOksK5xcTx_NXFYhSQ\" alt=\"\"\/><figcaption class=\"wp-element-caption\"><em>The archive distributed as part of the Kransom attack analyzed in the ANY.RUN sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The Kransom ransomware attack began with a deceptive archive containing two files: an executable and a DLL (Dynamic Link Library) file.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter is-resized\"><img loading=\"lazy\" decoding=\"async\" 
src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXcMkG6UuzNZRrUHOHHsWdoKc4-fRW7cd-HHVtfwsJx9lj4axg2Ws_F_QF_iUzvfW7l27ntrDWrpZuC3a6uGcWSLqBq8MB7knE1eJLX7sa5-vy_0oRWfWmchCfkHDtuCAm0WEUOF_TvZqGkaz0DUsqmj-Cg?key=YFuxOOksK5xcTx_NXFYhSQ\" alt=\"\" width=\"359\" height=\"487\"\/><figcaption class=\"wp-element-caption\"><em>The certificate of the executable found inside the archive<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The executable was signed with a valid certificate from COGNOSPHERE PTE. LTD, the publishing company for Honkai: Star Rail, a popular RPG.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">DLL Side-Loading Technique<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/krans_five-1024x576.jpeg\" alt=\"\" class=\"wp-image-8879\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/krans_five-1024x576.jpeg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/krans_five-300x169.jpeg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/krans_five-768x432.jpeg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/krans_five-370x208.jpeg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/krans_five-270x152.jpeg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/krans_five-740x416.jpeg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/krans_five.jpeg 1280w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>The .exe and .dll files extracted from the archive in the ANY.RUN sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Kransom employs a technique known as DLL side-loading to evade detection and inject its malicious payload. 
The method involves loading a malicious DLL into the process of a legitimate application.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXfzFsOzarr8CFefh1ggC4-z8BPyiPRZECSXMXvY38kd9w4B8gsd4ov4fxrsg96b9BRZ5Fd7ko6F4vXLqgJnoJ9-x7-6V3PXZFQPrQa8ENLXITRIcFG4TIcJpDWnpM_afBKidMUBYipaa5lYSVigpB7_3t1C?key=YFuxOOksK5xcTx_NXFYhSQ\" alt=\"\" width=\"604\" height=\"589\"\/><figcaption class=\"wp-element-caption\"><em>ANY.RUN sandbox lists all the malicious activities performed by the ransomware<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Upon launching the legitimate executable named \u201cStarRail.exe\u201d, the user triggers the loading of the malicious DLL (<a href=\"https:\/\/app.any.run\/tasks\/b6366c04-7527-4c13-a5f8-e0a496a84dc1\/?utm_source=mtt&amp;utm_medium=article&amp;utm_campaign=deerstealer&amp;utm_term=230924&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">see analysis of StarRailBase.dll<\/a>), which is responsible for initiating the infection and encrypting the victim&#8217;s files.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">File Encryption Method<\/h2>\n\n\n\n<p>Kransom utilizes a simple XOR encryption algorithm with a weak key (0xaa) to encrypt files on the infected system.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXcdL0BXZQXxgvZ1N0PO4JyF0cKndEArW-WhXtktELMeZcixVCfbhnZ6CfXph0ZNZaVh-bCHWdXni7FKlOYSmEUy7V5rwpeCNvD6O452oLSXu_aRGzMH4qf9gFvJh-GORVQI3sQHE4BFZ0boUHhQmQT-oT_R?key=YFuxOOksK5xcTx_NXFYhSQ\" alt=\"\"\/><figcaption class=\"wp-element-caption\"><em>The Static discovering window displaying one of the encrypted files<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>ANY.RUN\u2019s sandbox helps you track all the encrypted files and see their contents.<\/p>\n\n\n\n<h2 
class=\"wp-block-heading\">Ransom Note<\/h2>\n\n\n\n<p>Following successful file encryption, Kransom drops a ransom note that instructs the user to contact &#8220;hoyoverse&#8221; for solutions.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXeDiV_sGXJjzU_yuZJ792K6_lPlVb3nDmYyxJffeHtdOQYTwzHltjfTR6i93BoUqHnAHAKIMOvkAgYX0OjCG7pT1zppdFOtWxL0SopsAAo3qVkiewtU1MamQCkkCuXhI01mDHEkQOpFcZAeWItwvzQtfCg?key=YFuxOOksK5xcTx_NXFYhSQ\" alt=\"\"\/><figcaption class=\"wp-element-caption\"><em>The ransom note shared with victims<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>This is a social engineering tactic designed to impersonate the game&#8217;s legitimate developer, Hoyoverse.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Collecting Threat Intelligence on Kransom Ransomware<\/h2>\n\n\n\n<p>To stay updated on the latest Kransom attacks and enrich your investigations into this and other threats, use <a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=mtt&amp;utm_medium=article&amp;utm_campaign=deerstealer&amp;utm_term=230924&amp;utm_content=linktolookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a>.&nbsp;<\/p>\n\n\n\n<p>The <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">service<\/a> pulls threat data from thousands of public malware and phishing samples analyzed in the ANY.RUN sandbox on a daily basis. 
<\/p>\n\n\n\n<p>It lets you search its database using over <a href=\"https:\/\/any.run\/cybersecurity-blog\/ti-lookup-search-parameters\/\" target=\"_blank\" rel=\"noreferrer noopener\">40 different parameters<\/a>, helping you zero in on threats using different details like registry keys, IP addresses, mutexes, and more.<\/p>\n\n\n\n<p>Here is an example of a query you can use to find more samples of Kransom that use the DLL-sideloading technique:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-169\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"169\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=mtt&amp;utm_medium=article&amp;utm_campaign=deerstealer&amp;utm_term=230924&amp;utm_content=linktolookup#%7B%2522query%2522:%2522fileName:%255C%2522StarRailBase.dll%255C%2522%2522,%2522dateRange%2522:180%7D%20\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" 
data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=mtt&amp;utm_medium=article&amp;utm_campaign=deerstealer&amp;utm_term=230924&amp;utm_content=linktolookup#%7B%2522query%2522:%2522fileName:%255C%2522StarRailBase.dll%255C%2522%2522,%2522dateRange%2522:180%7D%20\" data-link-text=\"fileName:&quot;StarRailBase.dll&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">fileName:&quot;StarRailBase.dll&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-169'>\ntable#wpdtSimpleTable-169{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-169 td, table.wpdtSimpleTable169 th { white-space: normal !important; }\n<\/style>\n\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"587\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/lookup_results_kransom-1-1024x587.png\" alt=\"\" class=\"wp-image-8870\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/lookup_results_kransom-1-1024x587.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/lookup_results_kransom-1-300x172.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/lookup_results_kransom-1-768x440.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/lookup_results_kransom-1-1536x881.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/lookup_results_kransom-1-2048x1174.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/lookup_results_kransom-1-370x212.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/lookup_results_kransom-1-270x155.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/lookup_results_kransom-1-740x424.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>We can gather more intelligence using the name of the file used in the attack&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The service returns more than 20 sandbox sessions that you can explore along with synchronization events and files that match the query.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>The targeting of games like Honkai: Star Rail in 
ransomware attacks suggests a potential risk of threat actors using similar methods with other popular software. Organizations need to stay alert and take proactive steps to protect their systems. This includes being careful with downloads from unknown sources, receiving official software updates, and using reliable tools like ANY.RUN\u2019s Interactive Sandbox and Threat Intelligence Lookup as part of a layered security architecture.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our <a href=\"https:\/\/any.run\/?utm_source=mtt&amp;utm_medium=article&amp;utm_campaign=deerstealer&amp;utm_term=230924&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">interactive sandbox<\/a> simplifies malware analysis of threats that target both Windows and <a href=\"https:\/\/any.run\/cybersecurity-blog\/linux-malware-analysis-cases\/\" target=\"_blank\" rel=\"noreferrer noopener\">Linux<\/a> systems. 
Our threat intelligence products, <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search\/\" target=\"_blank\" rel=\"noreferrer noopener\">Yara Search<\/a> and <a href=\"https:\/\/any.run\/cybersecurity-blog\/ti-feeds-integration\/\" target=\"_blank\" rel=\"noreferrer noopener\">Feeds<\/a>, help you find <a href=\"https:\/\/any.run\/cybersecurity-blog\/indicators-of-compromise\/\" target=\"_blank\" rel=\"noreferrer noopener\">IOCs<\/a> or files to learn more about the threats and respond to incidents faster.&nbsp;&nbsp;<\/p>\n\n\n\n<p><strong>With ANY.RUN you can:<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Detect malware in seconds<\/li>\n\n\n\n<li>Interact with samples in real time<\/li>\n\n\n\n<li>Save time and money on sandbox setup and maintenance<\/li>\n\n\n\n<li>Record and study all aspects of malware behavior<\/li>\n\n\n\n<li>Collaborate with your team&nbsp;<\/li>\n\n\n\n<li>Scale as you need<\/li>\n<\/ul>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=blog&amp;utm_medium=article&amp;utm_campaign=deerstealer&amp;utm_term=230924&amp;utm_content=linktodemo\" target=\"_blank\" rel=\"noreferrer noopener\">Request free trial \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recently, our team of analysts discovered a sample of a yet-unknown ransomware that they dubbed Kransom. The malware employed the malicious DLL-sideloading technique to hijack the execution flow of an .exe file belonging to the popular game Honkai: Star Rail. Here is everything we have on the threat so far. 
Initial Infection Vector View the [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":8881,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60],"tags":[57,10,34,40],"class_list":["post-8868","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-anyrun","tag-cybersecurity","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Kransom Ransomware: Uses DLL-Sideloading to Abuse an RPG<\/title>\n<meta name=\"description\" content=\"Learn about Kransom, a new ransomware that uses the DLL-sideloading technique to hijack the popular game Honkai: Star Rail.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/kransom-abuses-rpg\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/kransom-abuses-rpg\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/kransom-abuses-rpg\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Kransom Ransomware: New Threat Using DLL-Sideloading to Hijack Popular RPG\",\"datePublished\":\"2024-09-23T10:24:23+00:00\",\"dateModified\":\"2024-09-25T10:24:15+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/kransom-abuses-rpg\/\"},\"wordCount\":661,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware analysis\",\"malware behavior\"],\"articleSection\":[\"News\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/kransom-abuses-rpg\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/kransom-abuses-rpg\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/kransom-abuses-rpg\/\",\"name\":\"Kransom Ransomware: Uses DLL-Sideloading to Abuse an RPG\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2024-09-23T10:24:23+00:00\",\"dateModified\":\"2024-09-25T10:24:15+00:00\",\"description\":\"Learn about Kransom, a new ransomware that uses the DLL-sideloading technique to hijack the popular game Honkai: Star 
Rail.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/kransom-abuses-rpg\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/kransom-abuses-rpg\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/kransom-abuses-rpg\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"News\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/news\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Kransom Ransomware: New Threat Using DLL-Sideloading to Hijack Popular RPG\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/8868"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=8868"}],"version-history":[{"count":11,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/8868\/revisions"}],"predecessor-version":[{"id":8958,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/8868\/revisions\/8958"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/8881"}],
"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=8868"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=8868"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=8868"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}