New Ransomware Spotted: White Rabbit and Its Evasion Tactics<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/a\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics.html\"><br \/>\n<meta property=\"og:title\" content=\"New Ransomware Spotted: White Rabbit and Its Evasion Tactics\"><br \/>\n<meta property=\"og:description\" content=\"We analyze the ransomware White Rabbit and bring into focus the familiar evasion tactics employed by this newcomer.\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/new-ransomware-spotted--white-rabbit-and-its-evasion-tactics-\/new_ransomware_spotted_white_rabbit_and_its_evasion_tactics.jpg\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"New Ransomware Spotted: White Rabbit and Its Evasion Tactics\"><br \/>\n<meta name=\"twitter:description\" content=\"We analyze the ransomware White Rabbit and bring into focus the familiar evasion tactics employed by this newcomer.\"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/new-ransomware-spotted--white-rabbit-and-its-evasion-tactics-\/new_ransomware_spotted_white_rabbit_and_its_evasion_tactics.jpg\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"49.879222825136\">  <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a>  <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"443389289\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"9.7230769230769\">\n<div class=\"article-details\" role=\"heading\" readability=\"38.892307692308\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Ransomware<\/p>\n<p class=\"article-details__description\">We analyze the ransomware White Rabbit and bring into focus the familiar evasion tactics employed by this newcomer.<\/p>\n<p class=\"article-details__author-by\">By: Arianne Dela Cruz, Bren Matthew Ebriega, Don Ovid Ladores, Mary Yambao <time class=\"article-details__date\">January 18, 2022<\/time> <span>Read time: <\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"39.860724233983\">\n<div readability=\"25.589600742804\">\n<p>We spotted the new <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/definition\/Ransomware\">ransomware<\/a> family White Rabbit discretely making a name for itself by executing an attack on a local US bank in December 2021. This newcomer takes a page from <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/20\/l\/egregor-ransomware-launches-string-of-high-profile-attacks-to-en.html\">Egregor<\/a>, a more established ransomware family, in hiding its malicious activity and carries a potential connection to the advanced persistent threat (APT) group FIN8.<\/p>\n<p><span class=\"body-subhead-title\">Use of a command-line password<\/span><\/p>\n<p>One of the most notable aspects of White Rabbit\u2019s attack is how its payload binary requires a specific command-line password to decrypt its internal configuration and proceed with its ransomware routine. This method of hiding malicious activity is a trick that the ransomware family Egregor uses to hide malware techniques from analysis. <\/p>\n<p>White Rabbit\u2019s payload is inconspicuous at first glance, being a small file of around 100 KB with no notable strings and seemingly no activity. The telltale sign of its malicious origin is the presence of strings for logging, but the actual behavior would not be easily observed without the correct password.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/new-ransomware-spotted--white-rabbit-and-its-evasion-tactics-\/systracer.jpg\" alt=\"Figure 1. SysTracer showing the command line used to execute the ransomware\"><figcaption>Figure 1. SysTracer showing the command line used to execute the ransomware<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"37\">\n<div readability=\"19\">\n<p>The sample we analyzed used the password or passphrase \u201cKissMe,\u201d as can be seen in Figure 1, although other samples might use a different password. Figure 1 also shows the arguments accepted by the ransomware, which we surmise as standing for the following:<\/p>\n<ul>\n<li><span class=\"rte-circle-bullet\">-p: password\/passphrase<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">-f: file to be encrypted<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">-l: logfile<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">-t: malware\u2019s start time<\/span><\/li>\n<\/ul>\n<p><span class=\"body-subhead-title\">Arrival and relation to an APT<\/span><\/p>\n<p>Our internal telemetry shows traces of Cobalt Strike commands that might have been used to reconnoiter, infiltrate, and drop the malicious payload into the affected system.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/new-ransomware-spotted--white-rabbit-and-its-evasion-tactics-\/cobalt%20strike%20white%20rabbit.PNG\" alt=\"Figure 2. Evidence showing traces of Cobalt Strike\"><figcaption>Figure 2. Evidence showing traces of Cobalt Strike<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.984756097561\">\n<div readability=\"18.658536585366\">\n<p>Meanwhile, <a href=\"https:\/\/lodestone.com\/insight\/white-rabbit-ransomware-and-the-f5-backdoor\/\" target=\"_blank\" rel=\"noopener\">researchers<\/a> from Lodestone have pointed out that the malicious URL connected to the attack is also related to the APT group called FIN8. They have likewise noted White Rabbit\u2019s use of a never-before-seen version of Badhatch, an F5 backdoor that is also associated with FIN8. Unfortunately, at the time of the analysis, files from the said URL were no longer available.<\/p>\n<p><span class=\"body-subhead-title\">The ransomware routine<\/span><\/p>\n<p>The ransomware routine itself is not complicated. Like many <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/cybercrime-and-digital-threats\/modern-ransomwares-double-extortion-tactics-and-how-to-protect-enterprises-against-them\">modern ransomware<\/a> families, White Rabbit uses <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/cybercrime-and-digital-threats\/modern-ransomwares-double-extortion-tactics-and-how-to-protect-enterprises-against-them\">double extortion<\/a> and threatens its targets that their stolen data will be published or sold, as seen in their ransom note.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/new-ransomware-spotted--white-rabbit-and-its-evasion-tactics-\/ransom%20note%20white%20rabbit.jpg\" alt=\"Figure 3. White Rabbit ransom note\"><figcaption>Figure 3. White Rabbit ransom note<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"48.533404787424\">\n<div class=\"responsive-table-wrap\" readability=\"44.20864594498\">\n<p>The ransomware creates a note for each file it encrypts. Each note bears the name of the encrypted file and is appended with \u201c.scrypt.txt.\u201d Prior to the ransomware routine, the malware also terminates several processes and services, particularly antivirus-related ones.\u202f<\/p>\n<p>The malware then tries to encrypt files (if the -f argument is not given) in fixed, removable, and network drives, as well as resources. It also tries to skip the following paths and directories to avoid crashing the system and destroying its own notes:<\/p>\n<ul>\n<li><span class=\"rte-circle-bullet\">*.scrypt.txt<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">*.scrypt<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">c:\\windows\\*<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">*:\\sysvol\\*<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">*:\\netlogon\\*<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">c:\\filesource\\*<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">*.exe<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">*.dll<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">*\\desktop.ini<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">*:\\windows\\*<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">c:\\programdata\\*<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">*:\\programfiles\\*<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">*:\\program files (x86)\\*<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">*:\\program files (x64)\\*<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">*.lnk<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">*.iso<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">*.msi<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">*.sys<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">*.inf<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">%User Temp%\\*<\/span><\/li>\n<li><span class=\"rte-circle-bullet\"> *\\thumbs.db<\/span><\/li>\n<\/ul>\n<p><span class=\"body-subhead-title\">Conclusion<\/span><\/p>\n<p>Currently, we are still determining if FIN8 and White Rabbit are indeed related or if they share the same creator. Given that FIN8 is known mostly for its infiltration and reconnaissance tools, the connection could be an indication of how the group is expanding its arsenal to include ransomware. So far, White Rabbit\u2019s targets have been few, which could mean that they are still testing the waters or warming up for a large-scale attack.<\/p>\n<p>White Rabbit is thus likely still in its development phase, considering its uncomplicated ransomware routine. Despite being in this early stage, however, it is important to highlight that it bears the troublesome characteristics of modern ransomware: It is, after all, highly targeted and uses double extortion methods. As such, it is worth monitoring.<\/p>\n<p>A multilayered defense can help guard against modern ransomware and prevent the success of the evasion tactics they employ. Organizations can mitigate risks by taking these steps and employing these solutions:<\/p>\n<ul>\n<li><span class=\"rte-circle-bullet\">Deploy cross-layered detection and response solutions. Find solutions that can anticipate and respond to ransomware activities, techniques, and movements before the threat culminates. <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/vision-one.html\">Trend Micro Vision One\u2122\ufe0f<\/a> helps detect and block ransomware components to stop attacks before they can affect an enterprise.<\/span><\/li>\n<li> <\/li>\n<li><span class=\"rte-circle-bullet\">Create a playbook for attack prevention and recovery. Both an incident response (IR) <a href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-61\/rev-2\/final\">playbook<\/a> and IR <a href=\"https:\/\/www.cynet.com\/incident-response\/incident-response-sans-the-6-steps-in-depth\/\">frameworks<\/a> allow organizations to plan for different attacks, including ransomware.<\/span><\/li>\n<li> <\/li>\n<li><span class=\"rte-circle-bullet\"><span>Conduct attack simulations. Expose employees to a <a href=\"https:\/\/www.nytimes.com\/2021\/06\/03\/us\/politics\/ransomware-cybersecurity-infrastructure.html\">realistic cyberattack simulation<\/a> that can help decision-makers, security personnel, and IR teams identify and prepare for potential security gaps and atta<\/span>cks.<\/span><\/li>\n<\/ul>\n<p><span class=\"body-subhead-title\">Indicators of Compromise (IOCs)<\/span><\/p>\n<p>URL:<\/p>\n<p>hxxps:\/\/104-168-132-128[.]nip[.]io\/cae260<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p>   <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p>   <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/a\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We analyze the ransomware White Rabbit and bring into focus the familiar evasion tactics employed by this newcomer. Read More HERE…<\/p>\n","protected":false},"author":2,"featured_media":44869,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9511,9539,9509],"class_list":["post-44868","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-ransomware","tag-trend-micro-research-research"],"yoast_head":"\n<title>New Ransomware Spotted: White Rabbit and Its Evasion Tactics 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"New Ransomware Spotted: White Rabbit and Its Evasion Tactics 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2022-01-18T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/new-ransomware-spotted--white-rabbit-and-its-evasion-tactics-\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"New Ransomware Spotted: White Rabbit and Its Evasion Tactics\",\"datePublished\":\"2022-01-18T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics\/\"},\"wordCount\":1011,\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/01\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics.jpg\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Ransomware\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics\/\",\"name\":\"New Ransomware Spotted: White Rabbit and Its Evasion Tactics 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/01\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics.jpg\",\"datePublished\":\"2022-01-18T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.threatshub.org\/blog\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics\/#primaryimage\",\"url\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/01\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics.jpg\",\"contentUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/01\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics.jpg\",\"width\":487,\"height\":346},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.threatshub.org\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"New Ransomware Spotted: White Rabbit and Its Evasion Tactics\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n","yoast_head_json":{"title":"New Ransomware Spotted: White Rabbit and Its Evasion Tactics 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics\/","og_locale":"en_US","og_type":"article","og_title":"New Ransomware Spotted: White Rabbit and Its Evasion Tactics 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2022-01-18T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/new-ransomware-spotted--white-rabbit-and-its-evasion-tactics-","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"New Ransomware Spotted: White Rabbit and Its Evasion Tactics","datePublished":"2022-01-18T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics\/"},"wordCount":1011,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/01\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics.jpg","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cyber Threats","Trend Micro Research : Ransomware","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics\/","url":"https:\/\/www.threatshub.org\/blog\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics\/","name":"New Ransomware Spotted: White Rabbit and Its Evasion Tactics 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/01\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics.jpg","datePublished":"2022-01-18T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/01\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/01\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics.jpg","width":487,"height":346},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"New Ransomware Spotted: White Rabbit and Its Evasion Tactics"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/44868","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=44868"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/44868\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/44869"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=44868"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=44868"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=44868"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":44868,"date":"2022-01-18T00:00:00","date_gmt":"2022-01-18T00:00:00","guid":{"rendered":"urn:uuid:f23c3a6b-e7eb-0d5a-4d08-8c3b41f04d71"},"modified":"2022-01-18T00:00:00","modified_gmt":"2022-01-18T00:00:00","slug":"new-ransomware-spotted-white-rabbit-and-its-evasion-tactics","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics\/","title":{"rendered":"New Ransomware Spotted: White Rabbit and Its Evasion Tactics"},"content":{"rendered":"