
New Ransomware Operator Exploits Fortinet Vulnerability Duo
5 days ago · Mora_001’s relationship to the broader LockBit ransomware operations underscores the increased complexity of the modern ransomware landscape – where specialized teams collaborate to leverage complementary capabilities. We recently highlighted this trend in our research on zero-day exploits targeting DrayTek routers.
SuperBlack Actors Exploiting Two Fortinet Vulnerabilities to Deploy ...
3 days ago · The Mora_001 campaign underscores the increasing trend of exploiting perimeter security appliances for initial access, with attackers rapidly weaponizing disclosed vulnerabilities. As of the report’s writing, the United States (7,677), India (5,536), and Brazil (3,201) host the highest numbers of exposed FortiGate firewalls, making them ...
Actor Tied to LockBit Ransomware Targets Fortinet Users
2 days ago · Mora_001's ties to existing ransomware operations are based on its consistent post-exploitation patterns, ransomware customization, and its ransom note, which includes the same TOX ID used by LockBit.
New SuperBlack ransomware exploits Fortinet auth bypass flaws
3 days ago · Mora_001 steals data using a custom tool before encrypting files for double extortion, prioritizing file and database servers and domain controllers. After the encryption process, ransom notes are ...
Mora_001: The Rising Threat Exploiting Fortinet Vulnerabilities for ...
4 days ago · A newly identified ransomware group, Mora_001, has emerged as a significant cybersecurity threat by exploiting two Fortinet vulnerabilities to infiltrate firewall appliances. These vulnerabilities, CVE-2024-55591 and CVE-2025-24472, allow attackers to bypass authentication and gain unauthorized access. Despite How the Attack Works
New kids on the ransomware block channel Lockbit to raid …
Mora_001 was no different. It made small tweaks to the ransom note, removed the LockBit branding from everything, and used a custom data exfiltration module. Forescout calls this variant SuperBlack.
Fortinet Vulnerabilities Exploited in SuperBlack Ransomware …
3 days ago · Mora_001’s use of the Fortinet vulnerabilities is particularly concerning because it highlights a vulnerability that many organizations may have overlooked or underestimated. The fact that these attacks began shortly after a proof-of-concept exploit was released signals how quickly threat actors can adapt and weaponize new vulnerabilities.
Fortinet flaws targeted by new LockBit-like SuperBlack ransomware
3 days ago · A new ransomware group known as 'Mora_001' has been identified exploiting two authentication bypass vulnerabilities in Fortinet's security appliances to deploy a custom ransomware strain named SuperBlack. The attack begins with the exploitation of two authentication bypass vulnerabilities, CVE-2024-55591 …
New ransomware gang shows LockBit link
2 days ago · Mora_001’s Franken-malware based on LockBit 3.0. Researchers at Forescout are tracking a new ransomware coterie using payloads linked to the LockBit group. The new gang, known as Mora_001, has ...
Mora_001 uses Fortinet flaws for SuperBlack ransomware
3 days ago · A new ransomware group called 'Mora_001' is using two Fortinet vulnerabilities to access firewall systems and deploy a ransomware called SuperBlack. The vulnerabilities, CVE-2024-55591 and CVE-2025-24472, were disclosed by Fortinet earlier this year. Fortinet initially reported CVE-2024-55591 as exploited since November 2024.