Greenflash Sundown Ransomware

This ransomware was first observed in 2015. Greenflash Sundown (also known as Greenflash or GS) is an advanced exploit kit used in the ShadowGate malware campaign. Believed to have been created by ShadowGate’s operators as an evolution of the older Sundown exploit kit, it features updated exploit code as well as new delivery techniques.

Greenflash Sundown delivers payloads directly to targeted systems via malicious adverts hosted on previously compromised web servers. When a user visits a site with these adverts, Greenflash Sundown will identify their system before deploying a suitable exploit. If successful, it will then attempt to install and execute RC4 encrypted payloads.

At the time of publication, Greenflash Sundown is delivering an unnamed ransomware tool along with several secondary payloads, including cryptocurrency miners and the Pony spyware.

One of the affected publishers is onlinevideoconverter[.]com, a popular site to convert videos from YouTube and other platforms into files. According to SimilarWeb, it drives 200 million visitors per month.

For further information:

Indicators of Compromise

IP Addresses

  • 104.248.42[.]143
  • 172.105.66[.]231
  • 198.211.126[.]118


  • ad4989[.]world
  • adsfast[.]info
  • adsfast[.]site
  • cdn-cloud[.]club
  • fastimage[.]site


  • hp_3.exe
  • hp_6.exe

SHA256 File Hashes

  • aeb073b5ee2e083aba987c7fcaab7265aabe6e5e2cade821db6d46e406e21e95
  • 58002d0b8acd1a539503d8ea02ff398e7ad079e0b856087f0ca30d767588be4e

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: