Balletspistol

Description

BalletsPistol is a Python-based ransomware strain distributed via GitHub. An investigative report from June 2025 reveals its delivery through a malicious ISO file hosted on a now‑removed public GitHub repository
tinextacyber.com+1
. The infection chain begins when the ISO (named Invoice.iso) is downloaded and mounted, revealing a batch script (MAIN.BAT) and supporting components—including a password-protected ZIP and shortcut (.lnk) for execution. The malware performs privilege escalation (via UAC bypass using fodhelper.exe), persistence via registry and scheduled tasks, and then extracts an executable from the ZIP to commence the main payload. This binary encrypts user files with a hybrid AES + RSA scheme, adding the .iDCVObno extension to encrypted files; it also drops ransom notes (RESTORE-MY-FILES.TXT or .HTA) and changes the victim’s wallpaper.

External Analysis
https://www.tinextacyber.com/wp-content/uploads/2025/06/Dissecting-a-Python-Ransomware-distributed-through-GitHub-repositories-1.pdf

Mail
RestoreMyData@protonmail.com

Other
Discord:ballets4

Urls	Screen

File servers	Screen

Chat servers	Screen

Admin servers	Screen