Escalation in Makop Ransomware Activity

Makop ransomware operators are expanding their toolkit and increasing their activity, with new analysis from Acronis researchers detailing how the group continues to exploit weakly secured Remote Desktop Protocol (RDP) services while integrating privilege escalation exploits, loader malware and a wider array of off-the-shelf tools. The report also highlights the emergence of GuLoader in Makop campaigns for the first time, signalling a shift toward more sophisticated payload delivery techniques.
Makop, considered a derivative of the Phobos ransomware family, has been active since around 2020. Acronis’ latest investigation found that attackers overwhelmingly favour low-effort, low-complexity intrusions, with 55 per cent of observed attacks targeting organisations in India and additional activity in Brazil, Germany and other regions. Initial access almost always occurs through exposed or poorly secured RDP services, with attackers commonly using brute-force tools such as NLBrute to compromise accounts lacking strong authentication.
Once inside a network, operators stage a series of familiar tools to support lateral movement, discovery and disruption. Network scanners such as NetScan and Advanced IP Scanner are widely used, often paired with port scanners like Masscan and Advanced Port Scanner to map internal systems. Attackers deploy multiple antivirus-disabling tools, including Defender Control and Disable Defender, as well as vulnerable drivers used in bring-your-own-vulnerable-driver attacks. Notably, the ThrottleStop.sys and hlpdrv.sys drivers—previously abused by groups such as MedusaLocker, Akira and Qilin—were seen in Makop environments to disable security defences.
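The two intrusion stages described above (RDP brute force leading to a successful logon, then a known-abused driver being loaded for BYOVD) are the kind of precursors a defender can flag from ordinary Windows telemetry before the encryptor ever runs. The following triage script is an added example written for this article, not code from Acronis or from the report; it runs over constructed Security and Sysmon records (not real telemetry) and only uses the driver names the report itself cites. The event IDs are the real Windows ones (4625 failed logon, 4624 successful logon, logon type 10 for RDP, Sysmon event 6 for driver load); the record layout, thresholds and the `triage` helper are assumptions.

```python
"""Added example: flag RDP brute force followed by a successful logon, and the
loading of drivers the report names as abused in Makop intrusions (BYOVD)."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Driver file names cited in the report. Illustrative block list only; a
# production list would be far longer and should be keyed by file hash too.
ABUSED_DRIVERS = {"throttlestop.sys", "hlpdrv.sys"}

RDP_LOGON_TYPE = 10          # Logon type 10 = RemoteInteractive (RDP)
EVENT_LOGON_FAILED = 4625    # Security log: an account failed to log on
EVENT_LOGON_OK = 4624        # Security log: an account was successfully logged on
SYSMON_DRIVER_LOADED = 6     # Sysmon: driver loaded

# Constructed sample records in the shape of an already-parsed SIEM export.
# 203.0.113.7 fails six RDP logons in 20 s and then succeeds as svc_backup;
# 14 minutes later a ThrottleStop.sys copy is loaded from that user's desktop.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T02:00:01", "id": 4625, "src_ip": "203.0.113.7", "user": "administrator", "logon_type": 10},
    {"ts": "2024-01-10T02:00:05", "id": 4625, "src_ip": "203.0.113.7", "user": "admin", "logon_type": 10},
    {"ts": "2024-01-10T02:00:09", "id": 4625, "src_ip": "203.0.113.7", "user": "backup", "logon_type": 10},
    {"ts": "2024-01-10T02:00:13", "id": 4625, "src_ip": "203.0.113.7", "user": "svc_backup", "logon_type": 10},
    {"ts": "2024-01-10T02:00:17", "id": 4625, "src_ip": "203.0.113.7", "user": "svc_backup", "logon_type": 10},
    {"ts": "2024-01-10T02:00:21", "id": 4625, "src_ip": "203.0.113.7", "user": "svc_backup", "logon_type": 10},
    {"ts": "2024-01-10T02:00:25", "id": 4624, "src_ip": "203.0.113.7", "user": "svc_backup", "logon_type": 10},
    {"ts": "2024-01-10T02:14:00", "id": 6, "image_loaded": r"C:\Users\svc_backup\Desktop\ThrottleStop.sys"},
    # A single mistyped password and a normal system driver: both should stay quiet.
    {"ts": "2024-01-10T02:30:00", "id": 4625, "src_ip": "198.51.100.2", "user": "jsmith", "logon_type": 10},
    {"ts": "2024-01-10T02:31:00", "id": 6, "image_loaded": r"C:\Windows\System32\drivers\tcpip.sys"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Return one finding per source IP that produced at least `threshold`
    failed RDP logons inside any `window`. A finding is
    (src_ip, failures_in_window, first_success_user); the last field is the
    account of the first successful RDP logon from that IP after the burst
    began, or None if no success was seen (brute force that did not land)."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ev in sorted(events, key=_ts):
        if ev.get("logon_type") != RDP_LOGON_TYPE:
            continue
        if ev["id"] == EVENT_LOGON_FAILED:
            failures[ev["src_ip"]].append(ev)
        elif ev["id"] == EVENT_LOGON_OK:
            successes[ev["src_ip"]].append(ev)

    findings = []
    for ip, fails in failures.items():
        # Sliding window over the time-sorted failures for this IP.
        best, start, j = 0, None, 0
        for i in range(len(fails)):
            while j < len(fails) and _ts(fails[j]) - _ts(fails[i]) <= window:
                j += 1
            if j - i > best:
                best, start = j - i, _ts(fails[i])
        if best < threshold:
            continue
        success_user = next((s["user"] for s in successes[ip] if _ts(s) >= start), None)
        findings.append((ip, best, success_user))
    return findings


def detect_abused_driver_load(events):
    """Return the full paths of loaded drivers whose file name is on the block
    list, regardless of directory or letter case."""
    hits = []
    for ev in events:
        if ev["id"] != SYSMON_DRIVER_LOADED:
            continue
        if PureWindowsPath(ev["image_loaded"]).name.lower() in ABUSED_DRIVERS:
            hits.append(ev["image_loaded"])
    return hits


def triage(events):
    """Run both rules and return their findings keyed by rule name."""
    return {
        "rdp_bruteforce": detect_rdp_bruteforce(events),
        "byovd_driver_load": detect_abused_driver_load(events),
    }


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_EVENTS).items():
        print(rule, hits)
```

On the sample data the brute-force rule reports `("203.0.113.7", 6, "svc_backup")`, which is the combination worth paging on: the burst ended in a valid session, so the account should be treated as compromised and the host checked for staged tooling. The driver rule matches on file name only, which is enough to show the idea; real deployments should match on the driver's hash and signer as well, since attackers rename files freely.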
Acronis researchers reported a substantial collection of privilege escalation exploits being used by Makop operators, ranging from older issues such as CVE-2016-0099 to more recent disclosures including CVE-2021-41379 and CVE-2022-24521. These exploits target Windows components like BITS, Win32k and SMB drivers, and many have widely available proof-of-concept code, making weaponisation straightforward.
Credential access is achieved through tools such as Mimikatz, LaZagne and NetPass, supplemented by brute-force utilities. These allow attackers to extract stored and in-memory credentials, enabling further spread across target environments.
The most notable development in recent campaigns is the appearance of GuLoader, a well-known downloader trojan typically used to deliver secondary malware. Its deployment alongside Makop toolsets suggests the group is adopting more flexible delivery methods and expanding its ability to bypass detection. GuLoader is capable of delivering a wide range of payloads, including RATs and information stealers such as AgentTesla, FormBook and Lokibot.
Makop’s operational pattern remains consistent: if tools are detected or blocked, operators often abandon the attack; however, in some cases they attempt to bypass defences using packed variants or by manually disabling security software. If successful, the ransomware encryptor—often disguised with deceptive filenames—is deployed from RDP-accessible directories.
Acronis concludes that Makop campaigns demonstrate the ongoing risks posed by attackers leveraging exposed RDP systems and unpatched vulnerabilities. The combination of weak authentication, outdated software and readily available hacking tools continues to create low-barrier pathways for compromise. The addition of GuLoader points to continued evolution and diversification of Makop’s methods, reinforcing the need for robust access controls, multifactor authentication and proactive patching to mitigate ransomware threats.