Ransomware - NullBulge

NullBulge
Aliases
Applebotzz
Decryptor Available
No
Description

NullBulge is a self-proclaimed hacktivist group targeting the artificial intelligence (AI) tech space. The group began operations in May 2024, allegedly masquerading as a legitimate developer named "AppleBotzz." This user developed programs for AI visual tools and game mods and hosted the code on GitHub. The user embedded malware in mods for a game named Beam.NG, a driving simulator, and in an AI visualization extension called ComfyUI_LLMVision, which allows developers to integrate ChatGPT and Claude models into ComfyUI. After downloading these trojanized packages, users were infected with additional malware, primarily AsyncRAT and XWorm. RATs (Remote Access Trojans) allow malware operators to run additional commands on the victim's machine, including downloading more malware. Researchers from SentinelOne documented additional payloads, such as LockBit 3.0 ransomware variants: NullBulge leveraged the leaked LockBit 3.0 builder and tailored it to their needs, although they hardly tweaked the encryptor.

The group wasn't well-known until they leaked internal documents and chat communications from Disney. Allegedly, a Disney employee downloaded a RAT-infected file that allowed the operators to exfiltrate data before access was cut. The group claims they either had an insider or named the individual they infected before being discovered in the network. They also claim to have breached a non-profit in the United States that led to further breaches; an AI- and cryptocurrency-related company, despite the group claiming to be anti-cryptocurrency; and finally an individual streamer based in India. After that, the group either went dormant or ceased operations: as of this writing, there has been no further activity from the group.

Ransomware Type
Crypto-Ransomware
Data Broker
First Seen
Last Seen
Lineage
Threat Actors
Type
Actor
Hacktivist
NullBulge Group
Extortion Types
Blackmail
Direct Extortion
Double Extortion
Free Data Leaks
Medium
Identifier
4chan
BreachForums
CRACKED.io
GitHub
Sellix
Twitter | X
Encryption
Type
Hybrid
Files
AES-256
Key
RSA-2048
Crypto Wallets
Blockchain Type
Crypto Wallet
XMR
45i7kjWZuzJ4PdSbandaaE8S6mQATmneTYEpgsaaCqDmc7foEJDXwxd3ABR8bn6YE4c7hZ2dYEEr1CwG48gAknPL6zUpYyV
File Extension
<file name>.<file extension>.<9 random alphanumeric characters>
Ransom Note Name
<9 random alphanumeric characters>.README.txt
Samples (SHA-256)
f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23
Industry Sector             Country         Extortion Date    Amount (USD)
Conglomerate                United States
Charity & Nonprofits        United States
Sex & Adult Entertainment   United States
Food & Beverage             United States
Religion                    United States
Religion                    United States
Information Technology      United States
Individual                  India