Dire Wolf is a newly emerged ransomware group first observed in May 2025. This double-extortion threat encrypts files and threatens to leak exfiltrated data to pressure victims into payment. The malware is written in Golang, packed with UPX, and employs anti-forensics, in-memory process execution, and aggressive termination of security-related services and processes to evade detection and disable defenses.
Targeted Countries: US, Thailand, Taiwan, and 8 others
Active Leak Site: Tor-hosted leak site + gofile.io
3. Infection & Execution Flow
User or system executes packed Golang binary
Initial Checks:
  Checks for runfinish.exe marker file
  Checks for mutex Global\direwolfAppMutex
If either is present (host already infected) → self-deletes using:
  cmd /C timeout /T 3 & del /f /q <path_to_self> & exit
Disables Windows Event Logging via PowerShell and taskkill
Terminates up to 75 services & 59 processes (AV, backups, DBs, productivity tools)
Deletes backups and disables recovery using commands like vssadmin, wbadmin, bcdedit, and wevtutil
Encrypts files (excludes system/critical files) using Curve25519 + ChaCha20
Appends .direwolf extension
Drops ransom note with leak proof link, chat portal login, and countdown timer
Self-deletes and optionally reboots system
4. Static Analysis
Packed With: UPX
Written in Golang – cross-platform and AV-evasive
Embedded Config:
  Mutex: Global\direwolfAppMutex
  runfinish.exe marker
  Victim-specific ransom portal credentials
  Leak proof sample links (e.g., gofile.io)
Encryption targeting avoids critical files and existing .direwolf extensions
5. Dynamic Analysis
5.1 Backup & Recovery Destruction (Updated)
This function is responsible for removing backup options, disabling recovery mechanisms, and clearing event logs in order to prevent forensic investigation or system restoration after encryption. The Windows commands used are the vssadmin, wbadmin, bcdedit, and wevtutil invocations noted in the execution flow above.
These actions make incident response and system recovery significantly more difficult, reinforcing Dire Wolf’s destructive capabilities before ransom negotiations.
5.2 Service & Process Termination
Stops and disables 75 hardcoded system services (AV, backups, DBs, etc.) and repeatedly terminates 59 key processes so that defense and recovery tools cannot restart.
Backup & Recovery: Enforce offline/immutable backups; isolate from production; regularly test restores
Network Defense: Block suspicious domains like gofile.io; segment networks; detect outbound Tor traffic
Detection Engineering: Monitor creation of mutex Global\direwolfAppMutex, UPX-packed Golang binaries, and specific ransomware commands
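As an added example (not part of the original report), the detection logic below turns the indicators above into rules run over process-creation and mutex-creation telemetry: the mutex name and the self-delete command line are taken from the report, while the argument strings for the vssadmin, wbadmin, bcdedit and wevtutil rules and the sample events are assumptions constructed for the example.

```python
import re

# Mutex name and self-delete command are quoted from the report. The recovery-destruction
# argument strings are ASSUMED common invocations of the tools the report names
# (vssadmin, wbadmin, bcdedit, wevtutil); the report does not quote the exact lines.
DIREWOLF_MUTEX = r"Global\direwolfAppMutex"
COMMAND_RULES = {
    "self_delete_timeout_del": re.compile(
        r"cmd(\.exe)?\s+/c\s+timeout\s+/t\s+\d+\s*&\s*del\s+/f\s+/q\s+.+?&\s*exit", re.I),
    "vssadmin_delete_shadows": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "wbadmin_delete_catalog": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "bcdedit_disable_recovery": re.compile(r"bcdedit(\.exe)?\s+/set\s+.*recoveryenabled\s+no", re.I),
    "wevtutil_clear_log": re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
}

def classify_process_event(command_line: str) -> list[str]:
    """Names of the rules above that a process-creation command line matches."""
    return [name for name, rx in COMMAND_RULES.items() if rx.search(command_line)]

def classify_mutex_event(mutex_name: str) -> bool:
    """True if a mutex-creation event names the Dire Wolf infection-marker mutex."""
    return mutex_name.strip().lower() == DIREWOLF_MUTEX.lower()

def score_events(events: list[dict]) -> dict:
    """Aggregate one host's events ({'type': 'process'|'mutex', 'value': ...}).
    The mutex alone, or two distinct command rules, is rated likely Dire Wolf;
    a single command rule (often legitimate admin work) is only suspicious."""
    matched = set()
    for ev in events:
        if ev["type"] == "process":
            matched.update(classify_process_event(ev["value"]))
        elif ev["type"] == "mutex" and classify_mutex_event(ev["value"]):
            matched.add("direwolf_mutex")
    if "direwolf_mutex" in matched or len(matched - {"direwolf_mutex"}) >= 2:
        verdict = "likely_direwolf"
    elif matched:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "rules": sorted(matched)}

# Constructed sample telemetry (not from the report) to exercise the rules.
SAMPLE_EVENTS = [
    {"type": "process", "value": r"cmd /C timeout /T 3 & del /f /q C:\Users\Public\dw.exe & exit"},
    {"type": "process", "value": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "value": "wevtutil cl Security"},
    {"type": "mutex", "value": r"Global\direwolfAppMutex"},
    {"type": "process", "value": "notepad.exe report.txt"},
]
```

Calling score_events(SAMPLE_EVENTS) on the constructed telemetry yields the "likely_direwolf" verdict with four matched rules; a host showing only a single wevtutil clear is rated "suspicious" so that routine administration does not page the on-call engineer.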
11. Conclusion
Dire Wolf represents a sophisticated, financially motivated ransomware threat leveraging robust encryption, process manipulation, and double-extortion tactics. Its use of Golang, UPX packing, process/service termination, and self-deletion makes it elusive to traditional defenses. Early detection and proactive containment are crucial.