NullBulge is a self-proclaimed hacktivist group targeting the artificial intelligence (AI) tech space. The group began operations in May 2024, allegedly masquerading as a legitimate developer named "AppleBotzz." This user developed programs for AI visual tools and game mods and hosted the code on GitHub. The user embedded malware in mods for BeamNG, a driving simulator, and in an AI visualization extension called ComfyUI_LLMVision, which allows developers to integrate ChatGPT and Claude models into ComfyUI. After downloading these trojans, users were infected with additional malware, primarily AsyncRAT and XWorm. RATs, or Remote Access Trojans, allow malware operators to run additional commands on the victim's machine, including downloading more malware. Researchers from SentinelOne documented additional payloads, such as LockBit 3.0 ransomware variants. This indicates that NullBulge used the leaked LockBit 3.0 builder and tailored it to their needs, although they barely modified the encryptor.
The group wasn't well known until they leaked internal documents and communication chats from Disney. Allegedly, a Disney employee downloaded a RAT-infected file that allowed the operators to exfiltrate data before access was cut. The group claims that they either had an insider threat or named the individual they infected before being discovered in the network. They also claim to have breached a non-profit in the United States, which led to further breaches; an AI and cryptocurrency-related company (the group claims to be anti-cryptocurrency); and, finally, an individual streamer based in India. After that, the group either went dormant or ceased operations: as of this writing, there has been no further activity from the group.
Known Victims (8)
Industry Sector | Country | Extortion Date | Amount (USD) |
---|---|---|---|
Conglomerate | United States | | |
Charity & Nonprofits | United States | | |
Sex & Adult Entertainment | United States | | |
Food & Beverage | United States | | |
Religion | United States | | |
Religion | United States | | |
Information Technology | United States | | |
Individual | India | | |