Published in


Haron Season2: Rebranding in progress

Reference: Quick analysis of Haron Ransomware (feat. Avaddon and Thanos)

We know what you are doing, Haron

The main page of the newly rebranded site
  • Haron currently seems to be preparing to rebrand the extortion site.
  • Haron’s servers, the current server and newly rebranded one are located on the same country and using the same hosting service.
  • The newly rebranded site posted 7 more victims than the current Haron’s site and mentioned the same infected companies as Haron.
The comparison between Haron’s current site and the newly rebranded site
  • They used FinalLogo.png which contains “RANSONWARE” based on mw-com-logo-removebg-preview.png which was used in the article regarding .com ransomware. We are not sure that misspelled RANSONWARE is intended or not.
Comparison between the original image and “FinalLogo.png”
  • As part of the onion domain, Haron will likely rebrand under the name Midas.
“Midas” included in the onion domain

Newly rebranded site including the same resources of Avaddon & Haron

The logo of Avaddon
The logo of Haron
  • The negotiation credential given to the victim is the same as Haron.
The login page of the newly rebranded site and Haron’s



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store