D0glun

Description

D0glun is a crypto-ransomware strain first observed in January 2025, believed to be derived from Babuk via an intermediary variant known as Cheng Xilun. It encrypts files with AES-256 symmetric encryption and appends an extension such as .@D0glun@ (or a close variant) to the affected filenames. The malware encrypts files rapidly, changes the desktop wallpaper, and drops ransom notes typically named @[email protected], Desktopcxl.txt, or help.exe. The campaign shows signs of shared infrastructure and code reuse from Cheng Xilun, but there is no confirmed evidence of a large-scale or mature operation. Its activity so far suggests it is being tested or deployed by a small group or an individual rather than by a structured affiliate network.
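As an added example (not part of the tracker entry), the following script triages a file listing for the indicators named above, the .@D0glun@ extension on encrypted files and the Desktopcxl.txt / help.exe ransom-note names, and reports which directories were hit so responders can scope restores. The listing is constructed sample data, and the threshold is an assumed tuning value.

```python
from collections import defaultdict
from pathlib import PurePosixPath

# Indicators from the description above; treat them as starting points, not a full signature.
ENCRYPTED_SUFFIX = ".@D0glun@"
RANSOM_NOTE_NAMES = {"desktopcxl.txt", "help.exe"}

# Constructed sample listing (not real data): one profile hit, one untouched.
SAMPLE_LISTING = [
    "/home/alice/Documents/report.docx.@D0glun@",
    "/home/alice/Documents/budget.xlsx.@D0glun@",
    "/home/alice/Documents/notes.txt",
    "/home/alice/Desktop/Desktopcxl.txt",
    "/home/alice/Desktop/help.exe",
    "/home/bob/Pictures/holiday.jpg",
    "/home/bob/Pictures/family.png",
]

def classify(path):
    """Return 'encrypted', 'ransom_note' or 'clean' for one file path."""
    name = PurePosixPath(path).name
    if name.endswith(ENCRYPTED_SUFFIX):
        return "encrypted"
    if name.lower() in RANSOM_NOTE_NAMES:
        return "ransom_note"
    return "clean"

def triage(listing):
    """Count encrypted files, ransom notes and clean files per directory."""
    per_dir = defaultdict(lambda: {"encrypted": 0, "ransom_note": 0, "clean": 0})
    for path in listing:
        per_dir[str(PurePosixPath(path).parent)][classify(path)] += 1
    return dict(per_dir)

def impacted_dirs(summary, threshold=0.5):
    """Directories holding a ransom note or with >= threshold of files encrypted;
    these bound the restore scope and are where to pull forensic timestamps."""
    hits = []
    for directory, counts in summary.items():
        total = sum(counts.values())  # never 0: each listed directory has >= 1 entry
        if counts["ransom_note"] or counts["encrypted"] / total >= threshold:
            hits.append(directory)
    return sorted(hits)

if __name__ == "__main__":
    summary = triage(SAMPLE_LISTING)
    for d in impacted_dirs(summary):
        print(d, summary[d])
```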

External Analysis
https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/d0glun
https://www.pcrisk.com/removal-guides/31986-d0glun-ransomware
https://bazaar.abuse.ch/browse/signature/D0glun/
https://cs.beta.fletch.ai/p/d0glun
Telegram
@CXL13131
Other
QQ ID: 424714982
Urls
http://33333333h45xwqlf3s3eu4bkd6y6bjswva75ys7j6satex5ctf4pyfad.onion