Back to Intelligence

Adwind RAT, Warlock & Payouts King: Ransomware & EDR Evasion Analysis — Enterprise Detection Pack

SA
Security Arsenal Team
April 17, 2026
6 min read

Threat Summary

Recent OTX pulses indicate a convergence of sophisticated ransomware operations utilizing diverse initial access vectors and evasion techniques. Intelligence highlights three distinct clusters: a resurgence of Adwind RAT (delivering JanaWare ransomware) specifically targeting Turkish entities via geofenced phishing; the Warlock group enhancing their attack chain with BYOVD (Bring Your Own Vulnerable Driver) using the NSec driver to disable security tools; and the emergence of Payouts King, a successor operation to BlackBasta, leveraging Microsoft Quick Assist and Teams for social engineering alongside direct system calls for EDR evasion. Collectively, these campaigns demonstrate a shift towards leveraging legitimate remote administration tools and kernel-level exploits to facilitate ransomware deployment.

Threat Actor / Malware Profile

Adwind RAT / JanaWare

  • Type: Java-based Remote Access Trojan / Ransomware.
  • Distribution: Malicious phishing attachments with geofencing checks (Locale/IP) to filter targets, focusing on Turkey.
  • Behavior: Polymorphic Java variants establishing C2 over non-standard ports. Delivers JanaWare ransomware payload.
  • C2: Dynamic DNS (duckdns.org) on high ports (49152, 49153).

Warlock

  • Type: Ransomware-as-a-Service (RaaS) / Affiliate Group.
  • Malware: LockBit, TightVNC, Yuze.
  • Persistence: Exploits vulnerable NSec driver (BYOVD) to terminate AV/EDR processes. Uses web shells and tunneling for lateral movement.
  • Targets: Technology, Manufacturing, Government (US, Germany, Russia).

Payouts King

  • Type: Ransomware Operation (BlackBasta Affiliate Successor).
  • Malware: Payouts King, BlackBasta, Cactus.
  • Distribution: Social engineering via Microsoft Teams and Quick Assist (Spam bombing).
  • Evasion: Uses direct system calls and unhooking techniques to bypass user-mode EDR hooks.

IOC Analysis

The provided indicators primarily consist of File Hashes (MD5, SHA1, SHA256) and Network Infrastructure (URLs, Hostnames).

  • File Hashes: High-confidence artifacts for existing files. The MD5 hashes in the Adwind campaign suggest polymorphism; SHA256s provided for Warlock and Payouts King are reliable for detection.
  • Network IOCs: The elementsplugin.duckdns.org domain indicates Dynamic DNS usage common in RAT C2 infrastructure. The use of high non-standard ports (49152, 49153) is a strong TTP for Adwind variants.
  • Operationalization: SOC teams should immediately block the duckdns.org domain and hunt for the specific file hashes on endpoints. Network logs should be queried for connections to high ports associated with Java processes.

Detection Engineering

YAML
title: Potential Adwind RAT C2 Connection via DuckDNS
id: 6c8a4e11-7f2c-4a9b-9e0c-3d8f1a9b4c5d
description: Detects connections to known Dynamic DNS providers often used by Adwind RAT, specifically DuckDNS, on non-standard high ports.
status: experimental
date: 2026/04/17
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/61938272c2f5a5238c2f523c/
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
product: windows
detection:
    selection:
        InitiatorProcessName|endswith: '\\java.exe'
        DestinationHostname|contains: 'duckdns.org'
        DestinationPort|between: 
            - 49152
            - 65535
    condition: selection
falsepositives:
    - Legitimate Java applications using custom DNS (rare)
level: high
---
title: Potential BYOVD via Vulnerable NSec Driver Load
id: 9d1b3e44-5a6f-4c8d-8e2f-0a1b2c3d4e5f
description: Detects the loading of the NSec.sys driver, often exploited by threat actors like Warlock to terminate AV/EDR processes via BYOVD techniques.
status: experimental
date: 2026/04/17
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/61938272c2f5a5238c2f523d/
tags:
    - attack.privilege_escalation
    - attack.t1068
logsource:
    category: driver_load
product: windows
detection:
    selection:
        ImageLoaded|endswith: '\\Nsec.sys'
        SignatureStatus: 'Unable to verify (Invalid or not signed)'
    condition: selection
falsepositives:
    - Legitimate driver loading (unlikely for this specific driver)
level: critical
---
title: Suspicious Quick Assist Remote Activity
id: 2f4e6a88-9b1c-4d3e-9f5a-1b2c3d4e5f6a
description: Detects the execution of msra.exe (Quick Assist) followed by suspicious child process spawning, a tactic used by Payouts King affiliates.
status: experimental
date: 2026/04/17
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/61938272c2f5a5238c2f523e/
tags:
    - attack.initial_access
    - attack.t1199
logsource:
    category: process_creation
product: windows
detection:
    parent:
        Image|endswith: '\\msra.exe'
    child:
        Image|endswith:
            - '\\powershell.exe'
            - '\\cmd.exe'
            - '\\pwsh.exe'
    condition: parent and child
falsepositives:
    - Legitimate IT support activities
level: medium

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Adwind C2 domains and Payouts King/Warlock File Hashes
let IOC_Domains = dynamic(["elementsplugin.duckdns.org"]);
let IOC_Hashes = dynamic([
    "4f0444e11633a331eddb0deeec17fd69", "b2d5bbf7746c2cb87d5505ced8d6c4c6", // Adwind MD5
    "206f27ae820783b7755bca89f83a0fe096dbb510018dd65b63fc80bd20c03261", "335ad12a950f885073acdfebb250c93fb28ca3f374bbba5189986d9234dcbff4" // Warlock/Payouts SHA256
]);
DeviceNetworkEvents
| where RemoteUrl in (IOC_Domains) or RemotePort in (49152, 49153)
| extend Threat = "Adwind C2 Traffic"
| union (
    DeviceProcessEvents
    | where SHA256 in (IOC_Hashes) or MD5 in (IOC_Hashes)
    | extend Threat = "Malware Execution"
)
| project Timestamp, DeviceName, InitiatingProcessFileName, Threat, RemoteUrl, SHA256, MD5

PowerShell Hunt Script

PowerShell
# IOC Hunt for Adwind, Warlock, and Payouts King Indicators
# Requires Admin privileges for certain checks

$AdwindMD5 = @("4f0444e11633a331eddb0deeec17fd69", "b2d5bbf7746c2cb87d5505ced8d6c4c6")
$RansomwareSHA256 = @("206f27ae820783b7755bca89f83a0fe096dbb510018dd65b63fc80bd20c03261", `n                       "34b2a6c334813adb2cc70f5bd666c4afbdc4a6d8a58cc1c7a902b13bbd2381f4", `n                       "335ad12a950f885073acdfebb250c93fb28ca3f374bbba5189986d9234dcbff4")

Write-Host "[+] Scanning for Warlock BYOVD Driver (Nsec.sys)..." -ForegroundColor Cyan
$Drivers = Get-WmiObject Win32_SystemDriver | Where-Object { $_.Name -like "*Nsec*" -or $_.PathName -like "*Nsec.sys*" }
if ($Drivers) { Write-Host "[ALERT] Nsec.sys driver found: $($Drivers.PathName)" -ForegroundColor Red } 
else { Write-Host "[INFO] Nsec.sys not found." -ForegroundColor Green }

Write-Host "[+] Scanning process memory for known IOCs..." -ForegroundColor Cyan
$Processes = Get-Process
foreach ($Proc in $Processes) {
    try {
        $FilePath = $Proc.MainModule.FileName
        if ($FilePath) {
            $Hash = Get-FileHash -Path $FilePath -Algorithm MD5 -ErrorAction SilentlyContinue
            if ($Hash -and $AdwindMD5 -contains $Hash.Hash) {
                Write-Host "[ALERT] Adwind RAT process detected: $($Proc.ProcessName) (PID: $($Proc.Id))" -ForegroundColor Red
            }
            $Hash256 = Get-FileHash -Path $FilePath -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($Hash256 -and $RansomwareSHA256 -contains $Hash256.Hash) {
                Write-Host "[ALERT] Ransomware process detected: $($Proc.ProcessName) (PID: $($Proc.Id))" -ForegroundColor Red
            }
        }
    } catch {}
}

Write-Host "[+] Checking Hosts file for DuckDNS C2..." -ForegroundColor Cyan
$HostsPath = "$env:windir\System32\drivers\etc\hosts"
if (Select-String -Path $HostsPath -Pattern "duckdns.org" -SimpleMatch) {
    Write-Host "[ALERT] DuckDNS entry found in hosts file." -ForegroundColor Red
}

Response Priorities

  • Immediate:

    • Block network access to elementsplugin.duckdns.org and associated subdomains.
    • Block inbound/outbound traffic on non-standard ports 49152 and 49153 unless explicitly required.
    • Initiate a hunt for the specific MD5 and SHA256 hashes listed in the IOCs across all endpoints.

  • 24 Hours:

    • Review logs for msra.exe (Quick Assist) and msteams.exe execution patterns. Verify if any sessions correspond to legitimate support tickets or unauthorized access attempts.
    • Check driver logs for the loading of Nsec.sys or other vulnerable drivers associated with BYOVD attacks.

  • 1 Week:

    • Implement kernel-level driver signing policies and Block Rules (e.g., Microsoft ASR rules for blocking abused drivers) to mitigate BYOVD risks.
    • Update phishing awareness training to include scenarios involving "Tech Support" scams via Microsoft Teams or Quick Assist.
    • Restrict Java execution policies in the environment to prevent Adwind RAT variants.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-malwareadwind-ratransomwarewarlockpayouts-kingbyovd

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action