D0glun shares similarities with the leaked Windows version of Babuk and is a descendant of Cheng Xilun (Babuk -> Cheng Xilun -> D0glun). The similarities are apparent when executing the ransomware: fast encryption, similar to Babuk; the same encryption type (AES-256); and ransom notes that are uncannily alike (see the ransom notes below). Both Cheng Xilun and D0glun drop three distinct ransom notes and also change the desktop wallpaper. The communication mediums and identifiers also match directly, indicating either the same ransomware author or someone who copied the code with access to the Cheng Xilun ransomware. Interestingly, Cheng Xilun appeared in April 2020, and D0glun was first observed in January 2025, almost five years later. Both Cheng Xilun and D0glun are named after the alleged authors of their respective ransomware, so it is either a different individual or the same person under various aliases. Unlike Cheng Xilun, the D0glun ransom note points victims to an Onion domain that is used for communication and/or double-extortion attempts. However, the domain stated in the ransom note does not resolve, and we cannot determine what is hosted there.
Ransomware - D0glun
D0glun
Decryptor Available: No

Description
Ransomware Type: Crypto-Ransomware
Country of Origin: China
First Seen: January 2025
Lineage: Babuk -> Cheng Xilun -> D0glun

Threat Actors
Type: Individual | Actor: D0glun

Extortion Links
Medium: TOR | Link: http://33333333h45xwqlf3s3eu4bkd6y6bjswva75ys7j6satex5ctf4pyfad.onion

Extortion Types
- Direct Extortion
- Extortion Price Increases

Communication
Medium: QQ | Identifier: 424714982
Medium: Telegram | Identifier: https://t.me/CXL13131

Encryption
Type: Symmetric | Files: AES-256

Crypto Wallets
Blockchain Type: BTC | Crypto Wallet: 1M7JVws3HccTGd14CV3qX21G7gzcJj77UH

File Extension
- <original file>.@D0glun@<original extension>
- <original file>.<original extension>.@d0glun@<original extension>
- <original file>.<original extension>.@zero_d0glun_<original extension>

Ransom Note Name
Ransom Note Image

Samples (SHA-256)
- 3eb7f1dd0274bd4ffcdf463876ab547503f9e6120db22c5e1923fe16cab71b50
- a8df7571e871d22f13ba3eb376eddd1f73ce241d24caa878494e1805219b342a
- d6d55a8fbd1c603719fe611e572e2431512e7063c44896f705524dab66234d45
- f549ae8d509dab97f2d8b12ecf344c72ab2e715b2667e78d8fdd892eb6a459de
References & Publications
- PCrisk: d0glun
- Twitter | X: PaduckLee - d0glun