June 26, 2026
By esentry Team

Threat Actor Profile: Payload Ransomware

ChaCha20 · Curve25519 · Double Extortion · Anti-Forensics

Payload Ransomware is a new Windows-targeting threat actor group that first appeared publicly on 15 February 2026. Within six weeks, it listed 50 victims on its dark web leak site, an unusually aggressive pace for a new ransomware operation. The group operates a classic double-extortion model: it exfiltrates sensitive data from victim organizations first, then encrypts their files, threatening to publish the stolen data unless a ransom is paid within strict time windows.

From a technical standpoint, Payload is a mature and well-engineered threat. Its ransomware uses ChaCha20 stream encryption with a per-file Curve25519 Elliptic Curve Diffie-Hellman (ECDH) key exchange, a cryptographic design that makes decryption without the operator's private key computationally infeasible. The malware also incorporates aggressive anti-forensics capabilities designed to destroy evidence, defeat security tools, and prevent data recovery before and during the encryption process.

Targeting is broad and opportunistic, with notable concentrations in Egypt and the MENA region, though victims span multiple continents. Logistics, real estate, manufacturing, and professional services are the most impacted sectors. The group's rapid global footprint and sophisticated tooling position it as a high-priority emerging threat that organizations worldwide must actively monitor and defend against.

Key Findings

Motivation

The group's motivation is unambiguously financial. All observed behaviours, from double extortion and strict negotiation timelines to partial file decryption as proof of capability and a formal leak site, are consistent with profit-driven ransomware operations. No ideological, nation-state, or hacktivist motivation has been observed to date.

Formal leak site (Credit: esentry)

Branding and Identity

The group has deliberately embedded its brand identity throughout the malware. Four independent strings confirm the 'Payload' operator name:

Additionally, the mutex used for single-instance enforcement is named 'MakeAmericaGreatAgain', a political phrase likely embedded for psychological impact or as an attempt at misdirection; no attribution to any specific nation or actor has been established on the basis of this string alone.

Pre-Encryption Call Sequence

The malware follows a specific execution order before encryption begins. This sequence is important for defenders because it means the most destructive actions — shadow copy deletion, ETW disabling, log clearing — occur before any file is encrypted:

File Enumeration and Exclusion Logic

The ransomware excludes specific directories, filenames, and file extensions to avoid rendering the victim system unbootable and to preserve the mechanism for receiving payment. Notable exclusions include Windows system directories, browser data folders, Tor Browser (preserving the victim's ability to contact the attacker), and the .payload extension itself (to avoid re-encrypting already-encrypted files). The -i flag overrides all exclusion logic.

RANSOM NOTE & EXTORTION METHODOLOGY

Ransom Note Delivery

The ransom note is stored in the binary as an RC4-encrypted blob (decryption key: 'hQEPINuTY2lytufLDpJQdVkrWlovC1QR'). At runtime, it is decrypted and written as RECOVER_payload.txt to every affected directory. Key recovery data is also written to recovery.ini using the format g:<base64_victim_pubkey>, which embeds the victim's ephemeral ECDH public key needed for decryption.
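The two artifacts described above are the ones an incident responder most often needs to handle by hand: the RC4-encrypted note blob carved out of the binary, and the recovery.ini line carrying the victim's ephemeral public key. The following Python is an added example, not the esentry team's tooling: it implements standard RC4 with the key quoted above, and a parser for the g:<base64> line. The note text and the recovery.ini contents are constructed here for illustration, and the 32-byte length check is an assumption based on the page's statement that the key exchange is Curve25519 (whose public keys are 32 bytes).

```python
import base64

# RC4 key the profile reports for the embedded ransom-note blob (from the page).
NOTE_RC4_KEY = b"hQEPINuTY2lytufLDpJQdVkrWlovC1QR"

# Curve25519 public keys are 32 raw bytes; assumed format of the g: value.
CURVE25519_PUBKEY_LEN = 32


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: one call both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def recover_note(blob: bytes) -> str:
    """Decrypt a carved note blob with the reported key and decode it as text."""
    return rc4(NOTE_RC4_KEY, blob).decode("utf-8", errors="replace")


def parse_recovery_ini(text: str) -> bytes:
    """Return the raw victim public key from the first 'g:<base64>' line.

    Raises ValueError if the entry is missing, not valid base64, or not 32 bytes.
    """
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("g:"):
            raw = base64.b64decode(line[2:], validate=True)
            if len(raw) != CURVE25519_PUBKEY_LEN:
                raise ValueError(f"unexpected key length {len(raw)}, expected {CURVE25519_PUBKEY_LEN}")
            return raw
    raise ValueError("no 'g:' entry found in recovery.ini")


def is_valid_recovery_ini(text: str) -> bool:
    """Convenience wrapper: True only when a well-formed g: entry is present."""
    try:
        parse_recovery_ini(text)
        return True
    except ValueError:
        return False


# Constructed sample data (not from a real sample): a placeholder note encrypted
# with the reported key, and a recovery.ini built from an arbitrary 32-byte value.
SAMPLE_NOTE = b"[constructed placeholder note text]"
SAMPLE_BLOB = rc4(NOTE_RC4_KEY, SAMPLE_NOTE)
CONSTRUCTED_PUBKEY = bytes(range(CURVE25519_PUBKEY_LEN))
SAMPLE_RECOVERY_INI = "g:" + base64.b64encode(CONSTRUCTED_PUBKEY).decode()

if __name__ == "__main__":
    print(recover_note(SAMPLE_BLOB))
    print(parse_recovery_ini(SAMPLE_RECOVERY_INI).hex())
```

The parser deliberately rejects anything that is not exactly 32 bytes: a truncated or hand-edited recovery.ini is a common reason a negotiated decryptor fails, and catching it early saves a round of back-and-forth during response. The RC4 routine is verified in the test against the standard "Key"/"Plaintext" vector rather than only against its own round trip.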

Extortion Timeline

Victim Communication Process

The note instructs victims to:

  • Install the Tor Browser to access the negotiation portal anonymously.
  • Visit the Payload Tor blog/leak site to review their listing and understand the threat.
  • Log in to the Payload Tor negotiation portal using victim-specific credentials embedded in the note.
  • Request up to 3 files from the stolen file tree and up to 3 encrypted files (under 15 MB each) for free decryption as proof-of-capability.

The note explicitly warns victims against contacting law enforcement or recovery agencies; turning off, restarting, or sleeping the infected system; and modifying any encrypted files. These warnings are designed to prevent evidence preservation, third-party intervention, and self-recovery attempts.

Ransom note

Tor Infrastructure

Negotiation portal (credit: esentry)

MITRE ATT&CK MAPPING

The following table maps observed Payload ransomware behaviors to the MITRE ATT&CK framework for Windows (Enterprise), providing a structured reference for detection engineering and threat hunting.

INDICATORS OF COMPROMISE (IOCs)

The following IOCs are derived from analysis of the confirmed Payload ransomware binary. All network indicators are defanged to prevent accidental resolution. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

File-Based IOCs

Process and System IOCs

YARA Detection Rule

The following YARA rule, authored by Dark Atlas, can be used for detection of the confirmed Payload ransomware binary in file scanning, memory scanning, and sandbox environments:

DETECTION & DEFENSIVE RECOMMENDATIONS

Immediate Detection Priorities

  • Hunt for mutex 'MakeAmericaGreatAgain' in process listings on all Windows endpoints.
  • Alert on execution of: vssadmin.exe delete shadows /all, regardless of parent process.
  • Deploy the provided YARA rule across file-based scanning, EDR, and sandbox platforms.
  • Monitor for ntdll memory patch behavior: VirtualProtect calls targeting EtwEventWrite* functions from unexpected processes.
  • Alert on the creation of files named RECOVER_payload.txt or recovery.ini in non-standard locations.
  • Monitor for mass file renaming events (bulk addition of .payload extension) via file system auditing.
  • Threat Intelligence Monitoring: Monitor Payload's leak site (via a threat intelligence service) for listings that may indicate your vendors, partners, or suppliers have been compromised, since third-party breaches can expose your data even without a direct attack.
  • Block or alert on Tor .onion DNS resolution attempts at the network boundary.
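Three of the priorities above (shadow copy deletion regardless of parent, creation of RECOVER_payload.txt / recovery.ini, and bulk addition of the .payload extension) can be expressed as simple logic over endpoint telemetry. The Python below is an added example, not esentry's detection content: it runs those three checks over a constructed batch of Sysmon-style events (process-create, file-create, rename), with the event field names, the 20-files-in-60-seconds rename threshold, and the sample timestamps all being assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Case-insensitive, whitespace-normalised match for "vssadmin delete shadows ... /all".
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b.*\s/all\b", re.IGNORECASE)

# Ransom-note artefact names reported on the page (compared case-insensitively).
RANSOM_FILES = {"recover_payload.txt", "recovery.ini"}

# Constructed sample telemetry (not real data). Field names are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2026-03-01T10:00:00", "type": "process", "pid": 4120,
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe  Delete Shadows /All /Quiet", "parent": "C:\\Users\\Public\\svc.exe"},
    {"ts": "2026-03-01T10:00:01", "type": "process", "pid": 4300,
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows", "parent": "C:\\Windows\\System32\\cmd.exe"},
    {"ts": "2026-03-01T10:00:05", "type": "file_create", "pid": 4000,
     "path": "C:\\Users\\alice\\Documents\\RECOVER_payload.txt"},
    {"ts": "2026-03-01T10:00:05", "type": "file_create", "pid": 4000,
     "path": "C:\\Users\\alice\\Documents\\recovery.ini"},
] + [
    # 25 renames by one process within a few seconds: the bulk-extension pattern
    {"ts": f"2026-03-01T10:00:{6 + i // 10:02d}", "type": "rename", "pid": 4000,
     "old": f"C:\\Users\\alice\\Documents\\doc{i}.docx",
     "new": f"C:\\Users\\alice\\Documents\\doc{i}.docx.payload"}
    for i in range(25)
] + [
    # a single rename by another process: below threshold, should not alert
    {"ts": "2026-03-01T10:05:00", "type": "rename", "pid": 5000,
     "old": "C:\\Users\\bob\\notes.txt", "new": "C:\\Users\\bob\\notes.txt.payload"},
]


def detect_shadow_deletion(events):
    """Flag any vssadmin shadow deletion; the parent process is deliberately ignored."""
    return [e for e in events
            if e["type"] == "process" and SHADOW_DELETE.search(" ".join(e["cmdline"].split()))]


def detect_ransom_artifacts(events):
    """Flag creation of files whose basename matches a known ransom-note artefact."""
    return [e for e in events
            if e["type"] == "file_create"
            and e["path"].rsplit("\\", 1)[-1].lower() in RANSOM_FILES]


def detect_mass_rename(events, threshold=20, window=timedelta(seconds=60)):
    """Per-PID sliding window: alert when >= threshold files gain .payload within window."""
    per_pid = defaultdict(list)
    for e in events:
        if e["type"] == "rename" and e["new"].lower().endswith(".payload"):
            per_pid[e["pid"]].append(datetime.fromisoformat(e["ts"]))
    alerts = []
    for pid, times in per_pid.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"pid": pid, "count": len(times), "first": times[start].isoformat()})
                break
    return alerts


def run_detections(events):
    """Run all three checks and return the hits keyed by detection name."""
    return {
        "shadow_copy_deletion": detect_shadow_deletion(events),
        "ransom_note_artifacts": detect_ransom_artifacts(events),
        "mass_payload_rename": detect_mass_rename(events),
    }


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_EVENTS).items():
        print(f"{name}: {len(hits)} hit(s)")
```

The command-line check normalises whitespace and case before matching so that trivial spacing or capitalisation changes do not evade it, and it never looks at the parent image, in line with the "regardless of parent process" guidance above. The rename check keys on PID rather than on directory because the page notes the note and rename activity occur per affected directory, so a directory-based window would fragment the signal.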