Osiris Ransomware Uses Fake Malwarebytes Driver
A newly emerged threat known as the Osiris ransomware struck a major Southeast Asian food service company in November 2025, leveraging a blend of built-in system utilities and dual-use tools. Cybersecurity researchers identified the malware as unrelated to a similarly named 2016 variant, highlighting its distinct and advanced nature.
The attackers combined common Windows tools with malicious software to evade defenses and deploy an ECC and AES-128-CTR-based encryption payload. Data was exfiltrated using Rclone and transferred to Wasabi cloud storage. Tools like Mimikatz, disguised as kaz.exe, and the Poortry driver enabled privilege escalation and security bypass in a BYOVD-style attack.
Additional tools used in the intrusion included NetExec, RustDesk masquerading as WinZip, and Netscan. The ransomware targeted backups and databases, deleting volume snapshots to prevent recovery. These strategic capabilities point to highly skilled operators behind this campaign.
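The tradecraft summarised above (dual-use tools renamed to blend in, snapshot deletion before encryption, Rclone pushing data to Wasabi) lends itself to a simple process-creation triage rule. The following is an added example, not code from the report or its authors; it assumes Sysmon-style `Image`/`OriginalFileName`/`CommandLine` fields, that snapshot deletion goes through `vssadmin` or `wmic`, and Wasabi's `wasabisys.com` S3 endpoint, and the sample events are constructed.

```python
import re

# Constructed Sysmon Event ID 1-style records (assumed field names, not data from the report).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\svc\kaz.exe", "OriginalFileName": "mimikatz.exe",
     "CommandLine": "kaz.exe"},
    {"Image": r"C:\ProgramData\winzip.exe", "OriginalFileName": "rustdesk.exe",
     "CommandLine": "winzip.exe --service"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Image": r"C:\Tools\rclone.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": "rclone.exe copy D:\\Finance remote:bucket --s3-endpoint s3.wasabisys.com"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe report.txt"},
]

# PE original filenames of the dual-use tools the report names; a mismatch with the
# on-disk name (kaz.exe, winzip.exe) is the masquerading signal.
DUAL_USE_TOOLS = {"mimikatz.exe", "rustdesk.exe", "rclone.exe", "netscan.exe"}
# Assumed snapshot-deletion command lines (the report only says snapshots were deleted).
SNAPSHOT_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
WASABI_ENDPOINT = re.compile(r"wasabisys\.com", re.I)


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(event):
    """Return a list of findings for one process-creation event (empty if benign)."""
    findings = []
    image = basename(event.get("Image", ""))
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")
    if original in DUAL_USE_TOOLS and original != image:
        findings.append(f"renamed dual-use tool: {image} is really {original}")
    if SNAPSHOT_DELETE.search(cmd):
        findings.append("volume shadow copy deletion (backup tampering)")
    if "rclone.exe" in (image, original):
        dest = "Wasabi endpoint (possible exfiltration)" if WASABI_ENDPOINT.search(cmd) \
            else "unknown destination (review)"
        findings.append(f"rclone transfer to {dest}")
    return findings


def scan(events):
    """Map each suspicious Image path to its findings; benign events are dropped."""
    report = {}
    for event in events:
        hits = triage(event)
        if hits:
            report[event["Image"]] = hits
    return report
```

Each rule alone is noisy (rclone and vssadmin have legitimate uses); the value is in correlating them on one host within a short window.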
Read the full report on the Osiris ransomware at:
New Osiris Ransomware Using Wide Range of Living off the Land and Dual-use Tools in Attacks
