New Strain: COOSEAGROUP (Beast Variant)

COOSEAGROUP is a sophisticated ransomware strain newly identified by CYFIRMA and Trend Micro in late December 2025. Technical analysis confirms that this group is not an entirely new entity but a specialized, aggressive evolution of the Beast Ransomware family.

The group distinguishes itself through high-pressure “double extortion” tactics and a unique geopolitical targeting profile, utilizing Russian-language phishing lures while deploying payloads that generate Chinese-language ransom notes. This hybrid signature suggests a complex operator nexus, potentially involving cross-border collaboration or deliberate false-flagging.

Victimology

Unlike broad-spectrum spam campaigns, COOSEAGROUP executes highly targeted operations.

  • Primary Targets:
    • Financial Services & Brokerages: The group specifically targets finance-facing roles (accountants, comptrollers) within currency brokerages and banking institutions.
    • Database-Heavy Enterprises: The malware is engineered to hunt and kill heavy-duty database processes, making e-commerce and logistics firms prime targets.
  • Geographic Focus:
    • APAC (Asia-Pacific): Primary operational zone.
    • CIS (Commonwealth of Independent States): Targeted via Russian-language social engineering, despite the group’s potential non-Russian origins.

Tactics, Techniques, and Procedures (TTPs)

1. Initial Access: The “Payment Verification” Chain

The attack vector is strictly social engineering, designed to bypass perimeter email gateways.

  1. Phishing Lure: Victims receive a Russian-language email masquerading as a “Bank Transfer Confirmation” or “Currency Brokerage Statement.”
  2. Payload Delivery: The email contains a ZIP archive (e.g., Statement_verification.zip).
  3. ISO Mounting: Inside the ZIP is an ISO disk image. When the user double-clicks this, Windows automatically mounts it as a virtual drive. This technique allows the payload to evade “Mark-of-the-Web” (MotW) protections.
  4. Loader Execution: The ISO contains a single executable (disguised as a PDF or document) that initiates an in-memory loader, minimizing disk artifacts.

2. Execution & Persistence (Beast DNA)

Once executed, the malware exhibits behaviors identical to the Beast lineage:

  • Mutex Creation: It creates a mutex named BEAST HERE?. This is a critical artifact confirming the malware’s lineage.
  • Privilege Escalation: Attempts to bypass User Account Control (UAC) to gain administrative rights.
  • Defense Evasion:
    • Process Termination: Aggressively kills security and backup processes, including sqlservr.exe, mysqld.exe, steam.exe (gaming/consumer software), thunderbird.exe, and outlook.exe.
    • Service Stopping: Halts Volume Shadow Copy services (vssadmin.exe delete shadows /all /quiet) to prevent recovery.

3. Encryption & Extortion

  • Encryption Algorithm: Utilizes the ChaCha20 stream cipher. This allows for extremely rapid encryption of large database files.
  • File Renaming: Appends a complex, multipart extension to files: .[GUID].Cooseagroup.
    • Example: database.sql.1A2B3C-998877.Cooseagroup
  • Ransom Note: Drops README.TXT in every infected directory. The note is notably written in Chinese, demanding contact via Session Messenger and offering a “discount” if the victim responds within 12 hours.

Indicators of Compromise (IOCs)

File Artifacts

  • Ransom Note: README.TXT
  • Extension Pattern: .*\.Cooseagroup$
  • Mutex: BEAST HERE?
  • Malicious ISOs: Look for ISO files mounted from %TEMP% or Downloads containing single .exe files.

Network Indicators

  • Phishing Subjects:
    • “Подтверждение перевода” (Transfer Confirmation)
    • “Счет-фактура” (Invoice)
  • Communication Channels:
    • Session Messenger: The primary negotiation channel (ID provided in README.TXT).
    • Tox Chat: Secondary backup channel.

Process & Behavioral Indicators

  • Command Lines:
    • vssadmin.exe delete shadows /all /quiet
    • wbadmin DELETE SYSTEMSTATEBACKUP
    • bcdedit /set {default} recoveryenabled No
  • Targeted Processes: Immediate termination of sqlservr.exe, sqlwriter.exe, oracle.exe.

Analyst Note: The presence of the BEAST HERE? mutex makes existing Beast Ransomware detection rules highly effective against this variant. Security teams should ensure their EDR is tuned to flag this specific mutex handle.
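As an added example (not part of this report), the following Python triage script checks normalised endpoint telemetry against the indicators listed above: the three recovery-inhibition command lines, the BEAST HERE? mutex, the .Cooseagroup extension pattern and the immediate termination of database processes. The event dictionary layout and the sample events are assumptions constructed for the example, not a real EDR schema or a real incident.

```python
import re

# Indicators taken from the report above. The event schema (type / cmdline /
# name / new_path / image) is an assumed, normalised form, not a real EDR format.
MUTEX_NAME = "BEAST HERE?"
EXTENSION_RE = re.compile(r".*\.Cooseagroup$", re.IGNORECASE)
DB_PROCESSES = {"sqlservr.exe", "sqlwriter.exe", "oracle.exe"}
COMMAND_PATTERNS = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.I), "vssadmin shadow deletion"),
    (re.compile(r"wbadmin(\.exe)?\s+delete\s+systemstatebackup", re.I), "wbadmin backup deletion"),
    (re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I), "bcdedit recovery disabled"),
]

def classify(event: dict) -> list:
    """Return the names of every report indicator this single event matches."""
    hits = []
    kind = event.get("type")
    if kind == "process_create":
        cmd = event.get("cmdline", "")
        hits += [name for pattern, name in COMMAND_PATTERNS if pattern.search(cmd)]
    elif kind == "mutex_create" and event.get("name") == MUTEX_NAME:
        hits.append("Beast lineage mutex")
    elif kind == "file_rename" and EXTENSION_RE.match(event.get("new_path", "")):
        hits.append("Cooseagroup extension")
    elif kind == "process_terminate" and event.get("image", "").lower() in DB_PROCESSES:
        hits.append("database process termination")
    return hits

def scan(events: list) -> list:
    """Return (event id, matched indicators) for every event that matched something."""
    flagged = []
    for event in events:
        hits = classify(event)
        if hits:
            flagged.append((event["id"], hits))
    return flagged

# Constructed sample telemetry for one host, not from a real incident.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "cmdline": "C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet"},
    {"id": 2, "type": "process_create", "cmdline": "wbadmin DELETE SYSTEMSTATEBACKUP"},
    {"id": 3, "type": "process_create", "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"id": 4, "type": "process_create", "cmdline": "C:\\Windows\\explorer.exe"},
    {"id": 5, "type": "mutex_create", "name": "BEAST HERE?"},
    {"id": 6, "type": "process_terminate", "image": "SQLSERVR.EXE"},
    {"id": 7, "type": "file_rename", "new_path": "D:\\data\\database.sql.1A2B3C-998877.Cooseagroup"},
    {"id": 8, "type": "file_rename", "new_path": "D:\\data\\report.pdf"},
]
```

Running `scan(SAMPLE_EVENTS)` flags events 1, 2, 3, 5, 6 and 7 and leaves the benign explorer launch and the ordinary PDF rename untouched.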