FIN7, FIN8, and Others Use Ragnar Loader for Persistent Access and Ransomware Operations

Mar 07, 2025Ravie Lakshmanan

Threat hunters have shed light on a “sophisticated and evolving malware toolkit” called Ragnar Loader that’s used by various cybercrime and ransomware groups like Ragnar Locker (aka Monstrous Mantis), FIN7, FIN8, and Ruthless Mantis (ex-REvil).

“Ragnar Loader plays a key role in keeping access to compromised systems, helping attackers stay in networks for long-term operations,” Swiss cybersecurity company PRODAFT said in a statement shared with The Hacker News.

“While it’s linked to the Ragnar Locker group, it’s unclear if they own it or just rent it out to others. What we do know is that its developers are constantly adding new features, making it more modular and harder to detect.”

Ragnar Loader, also referred to as Sardonic, was first documented by Bitdefender in August 2021 in connection with an unsuccessful attack carried out by FIN8 aimed at an unnamed financial institution located in the U.S. It’s said to have been put to use since 2020.

Then in July 2023, Broadcom-owned Symantec revealed FIN8’s use of an updated version of the backdoor to deliver the now-defunct BlackCat ransomware.

The core functionality of Ragnar Loader is its ability to establish long-term footholds within targeted environments, while employing an arsenal of techniques to sidestep detection and ensure operational resilience.

“The malware utilizes PowerShell-based payloads for execution, incorporates strong encryption and encoding methods (including RC4 and Base64) to conceal its operations, and employs sophisticated process injection strategies to establish and maintain stealthy control over compromised systems,” PRODAFT noted.

“These features collectively enhance its ability to evade detection and persist within targeted environments.”

The malware is offered to affiliates in the form of an archive file package containing multiple components to facilitate reverse shell, local privilege escalation, and remote desktop access. It’s also designed to establish communications with the threat actor, allowing them to remotely control the infected system through a command-and-control (C2) panel.

Typically executed on victim systems using PowerShell, Ragnar Loader integrates a bevy of anti-analysis techniques to resist detection and obscure control flow logic.

Furthermore, it features the ability to conduct various backdoor operations by running DLL plugins and shellcode, as well as reading and exfiltrating the contents of arbitrary files. To enable lateral movement within a network, it makes use of another PowerShell-based pivoting file.

Another critical component is a Linux executable ELF file named bc that’s designed to facilitate remote connections, permitting the adversary to launch an and execute command-line instructions directly on the compromised system.

“It employs advanced obfuscation, encryption, and anti-analysis techniques, including PowerShell-based payloads, RC4 and Base64 decryption routines, dynamic process injection, token manipulation, and lateral movement capabilities,” PRODAFT said. “These features exemplify the increasing complexity and adaptability of modern ransomware ecosystems.”

Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.

Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.

Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!