PE32 Ransomware Operators Leverage RDP and Phishing to Breach Enterprise Systems

Threat Group: Dmc
Threat Type: Ransomware
Exploited Vulnerabilities: None identified (phishing and RDP compromise suspected)
Malware Used: PE32 Ransomware
Threat Score: 🔴 High (7.5/10) – due to Telegram-based C2, data exfiltration, and rapid file encryption
Last Threat Observation: 23 April 2025


Overview

PE32 ransomware emerged in early 2025 as a prominent threat actor targeting Microsoft Windows environments. Notable for its integration of Telegram's Bot API as a command-and-control (C2) channel, the ransomware blends malicious traffic with legitimate network activity, complicating detection efforts. PE32 executes a double extortion strategy: first encrypting data, then demanding separate ransom payments for decryption and non-disclosure of stolen data.

Ransom notes identify the actor as "Dmc" (seen in file headers as "Pe32 USER: dmc") and include contact details such as @Dmc_eze on Telegram and emmo[.]encrypt[@]onionmail[.]org. The malware encrypts files with extensions including .pe32s, .pe32l, .p32s, .p32l, and .p32c, often appending a 16-character hexadecimal string to filenames.

Key Details

Delivery Method:

  • Phishing emails containing malicious attachments or links
  • Exploitation of exposed or misconfigured RDP services

Target:

  • Windows servers and endpoints across industries: healthcare, finance, retail, tech, and more

Functions:

  • File encryption and renaming with unique extensions
  • Claims of exfiltration and post-quantum resilient encryption (likely exaggerated)
  • Utilizes Telegram Bot API for C2
  • Drops ransom notes titled "Pe32 USER: dmc"
  • Employs double extortion: ransom demanded for decryption and data suppression

Obfuscation:

  • Conflicting reports: Some samples show basic libraries with minimal evasion, others exhibit more complex Telegram C2 interactions

Attack Vectors

Initial Access

  • Phishing: Email-based delivery remains likely; attachments may disguise executables
  • RDP: Brute-force attacks, weak credentials, or exposed ports often exploited
  • Software Vulnerabilities: No CVE linked yet, but attackers may evolve tactics

Execution & Payload

  • PE32 variants (e.g., v4.1.1 and v4.2.2) execute a ransomware payload, scan for files, and initiate encryption

C2 Communication

  • Uses Telegram's Bot API to send and receive instructions through api.telegram.org
  • Embeds a Telegram bot token in the sample to authenticate to the operator's bot channel

Persistence & Privilege Escalation

  • Unknown; may include registry modifications, scheduled tasks, or credential theft tools like Mimikatz

Lateral Movement & Exfiltration

  • Methods unconfirmed, but typical ransomware tools include RDP pivoting, PsExec, or SMB exploitation
  • Exfiltration may occur over Telegram or via FTP, MEGA, or Rclone

Encryption Strategy

  • Likely hybrid encryption (e.g., AES for content, RSA/ECC for keys)
  • Appends hexadecimal filename suffixes + extensions
  • Leaves ransom notes in affected directories

Known Indicators of Compromise (IoCs)

FileHash-SHA256


Encrypted File Extensions

  • .pe32s, .pe32l, .p32s, .p32l, .p32c

Folders / File Names

  • C:\PE32-KEY
  • Pe32-v4.1.1.vexe.exe, Pe32-v4.2.2-dmc-win7.exe, Pe32-v4.2.2-dmc-win7-32.exe

Actor Contacts

  • Telegram: @Dmc_eze
  • Email: emmo[.]encrypt[@]onionmail[.]org

C2 Indicators

  • api.telegram[.]org (Telegram Bot API endpoint)

Mitigation and Prevention

User Awareness:

  • Conduct phishing awareness and response training

Email Filtering:

  • Enforce attachment scanning and malicious domain filtering

Antivirus / EDR:

  • Deploy EDR/XDR solutions capable of detecting Telegram API misuse
  • Monitor execution of suspicious binaries

Two-Factor Authentication (2FA):

  • Apply across VPN, RDP, and email systems

RDP Hardening:

  • Disable if unnecessary
  • Restrict IP access
  • Use VPNs and enforce account lockout

Network Monitoring:

  • Monitor for Telegram API anomalies
  • Watch for high-volume traffic to api.telegram.org
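As an added example (not code from the advisory), the following Python detector applies the two network checks above to constructed proxy log lines: it flags a source host that makes more than a threshold number of requests to api.telegram.org inside a short window, or that uploads more than a threshold number of bytes to it in total. The log format, field layout and thresholds are assumptions to adapt to your own proxy and baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

TELEGRAM_HOST = "api.telegram.org"
# Constructed proxy log lines (not real data): "timestamp src_ip method host bytes_out"
SAMPLE_LOG = """\
2025-04-23T09:00:01 10.0.0.5 GET api.telegram.org 512
2025-04-23T09:00:03 10.0.0.5 POST api.telegram.org 1048576
2025-04-23T09:00:05 10.0.0.5 POST api.telegram.org 2097152
2025-04-23T09:00:07 10.0.0.5 POST api.telegram.org 1572864
2025-04-23T09:00:09 10.0.0.5 GET api.telegram.org 400
2025-04-23T09:00:11 10.0.0.5 GET api.telegram.org 400
2025-04-23T09:05:00 10.0.0.9 GET api.telegram.org 300
2025-04-23T09:30:00 10.0.0.9 GET www.example.com 1200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def parse(log_text):
    # Yield (timestamp, src_ip, method, host, bytes_out) for each well-formed line.
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, method, host, nbytes = m.groups()
            yield datetime.fromisoformat(ts), src, method, host, int(nbytes)

def flag_telegram_anomalies(log_text, window=timedelta(minutes=5), max_requests=5, max_bytes=1_000_000):
    """Return {src_ip: [reasons]} for hosts whose api.telegram.org traffic is anomalous:
    more than max_requests requests inside any `window`, or more than max_bytes uploaded
    in total. Thresholds are assumptions; tune them to the baseline of your environment."""
    events = defaultdict(list)            # src_ip -> [(timestamp, bytes_out)]
    for ts, src, _method, host, nbytes in parse(log_text):
        if host == TELEGRAM_HOST:
            events[src].append((ts, nbytes))
    findings = {}
    for src, evs in events.items():
        evs.sort()
        reasons = []
        start = 0                          # sliding window over sorted timestamps
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if end - start + 1 > max_requests:
                reasons.append(f"{end - start + 1} requests to {TELEGRAM_HOST} within {window}")
                break
        total_out = sum(b for _, b in evs)
        if total_out > max_bytes:
            reasons.append(f"{total_out} bytes uploaded to {TELEGRAM_HOST}")
        if reasons:
            findings[src] = reasons
    return findings
```

A host that legitimately runs the Telegram desktop client will also talk to api.telegram.org, so the request-rate threshold should be set from an observed baseline rather than the constructed value here.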

Backup Strategies:

  • Maintain offline, immutable backups and test recovery procedures

Threat Hunting:

  • Search for PE32 extensions and C:\PE32-KEY directory
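An added hunting script (not from the advisory) that walks a directory tree for the artefacts the advisory names: files ending in one of the PE32 extensions (optionally carrying a 16-hex-character token before the extension), a PE32-KEY directory, and text files whose contents start with the "Pe32 USER: dmc" header. The exact position of the hex token, the note's file name and the sample tree are assumptions; the tree is built in a temp directory so the script runs offline.

```python
import os
import re
import tempfile
from pathlib import Path

# Extensions the advisory attributes to PE32; the 16-hex-char token it reports being
# appended to names is assumed to sit between the original extension and the new one.
PE32_EXTS = ("pe32s", "pe32l", "p32s", "p32l", "p32c")
ENCRYPTED_NAME_RE = re.compile(
    r"^(?P<base>.+?)(?:\.(?P<token>[0-9a-f]{16}))?\.(?P<ext>" + "|".join(PE32_EXTS) + r")$",
    re.IGNORECASE,
)
KEY_DIR_NAME = "PE32-KEY"        # advisory lists C:\PE32-KEY
NOTE_MARKER = "pe32 user: dmc"   # ransom-note header from the advisory (lowercased)

def hunt_pe32(root):
    """Walk `root`; return encrypted-file paths, PE32-KEY directories and ransom notes."""
    findings = {"encrypted": [], "key_dirs": [], "notes": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.upper() == KEY_DIR_NAME:
                findings["key_dirs"].append(os.path.join(dirpath, d))
        for f in filenames:
            full = os.path.join(dirpath, f)
            if ENCRYPTED_NAME_RE.match(f):
                findings["encrypted"].append(full)
            elif f.lower().endswith(".txt"):
                try:
                    # Only the head of the file is read; notes are small text files.
                    with open(full, "r", errors="ignore") as fh:
                        if NOTE_MARKER in fh.read(4096).lower():
                            findings["notes"].append(full)
                except OSError:
                    pass
    return findings

def build_sample_tree():
    """Constructed fixture (not real samples): one PE32-KEY dir, two 'encrypted' files,
    one ransom note and two benign files, all in a fresh temp directory."""
    root = Path(tempfile.mkdtemp(prefix="pe32hunt_"))
    (root / "PE32-KEY").mkdir()
    docs = root / "docs"
    docs.mkdir()
    (docs / "budget.xlsx.0123456789abcdef.pe32s").write_bytes(b"\x00" * 16)
    (docs / "report.docx.p32c").write_bytes(b"\x00" * 16)
    (docs / "README.txt").write_text("Pe32 USER: dmc\ncontact: <redacted>\n")
    (docs / "notes.txt").write_text("weekly status\n")
    (docs / "photo.jpg").write_bytes(b"\xff\xd8")
    return str(root)
```

Run `hunt_pe32(build_sample_tree())` to see the three finding lists populated; in production point `hunt_pe32` at each volume root and feed the results to your case-management tooling.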

Risk Assessment

Threat Level: 🔴 High (7.5/10)

PE32 presents a significant operational and security risk to organisations across sectors due to a confluence of evasive, disruptive, and persistently evolving characteristics:

  • Command and Control Evasion: The use of Telegram’s Bot API allows PE32 to bypass conventional security controls by disguising malicious C2 traffic as legitimate encrypted traffic to a widely used service. This creates a detection blind spot in many environments relying on traditional firewall or proxy-based filtering.
  • Double Extortion Model: The ransomware not only encrypts critical files but also exfiltrates data, leveraging threats of public exposure to extract additional payments. This increases legal, regulatory, and reputational risks.
  • Active Development: Multiple observed versions (v4.1.1 and v4.2.2) indicate rapid iteration and adaptation by its developers. Variants with different obfuscation levels and potentially expanded capabilities suggest a threat actor capable of scaling operations and adjusting to countermeasures.
  • Operational Impact: Infection can result in widespread data loss, system downtime, and financial extortion. With no public decryption tool available, organisations are forced to rely entirely on unaffected backups and incident response procedures.
  • Attribution Notes: There are speculative associations between PE32 and the Proton ransomware family, based on shared indicators such as the email address emmo[.]encrypt[@]onionmail[.]org. However, there is currently no confirmed technical linkage. These similarities suggest a possibility of shared infrastructure or affiliate relationships within a ransomware-as-a-service (RaaS) ecosystem, but attribution remains unverified.
  • Financial Motivation and Opportunism: The actor appears financially motivated with ransom demands ranging from $700 to over 2 BTC. Target selection appears opportunistic, spanning multiple verticals and geographies.

Overall, PE32's mix of stealth, extortion, adaptability, and impact places it among the more dangerous ransomware variants observed in 2025. Security teams should prioritise detection tuning, anomaly monitoring, and preparation for worst-case recovery scenarios.

PE32 ransomware exemplifies the evolving complexity of financially motivated ransomware campaigns. It stands out by leveraging legitimate services like Telegram for stealthy communication, applying a double extortion strategy, and adapting its tooling with multiple versions. Links to the Proton ransomware family and potential Iranian affiliations merit deeper investigation.

There are no public decryptors currently available for PE32. Restoration requires prepared backups and careful containment. Organizations should avoid ransom payments and instead focus on post-incident recovery and threat hardening.
