APT / THREAT GROUP

PHOTOFORK

2 aliases
Last seen: Mar 17, 2026

Intelligence Profile

PHOTOFORK is a downloader that is a modified version of GZIPLOADER. It was first detected in February 2023 and was distributed by TA581 together with an unattributed threat activity cluster that facilitated initial access. In this version the configuration file is no longer encrypted with a simple XOR against a 64-byte key. Instead, it uses a custom algorithm previously seen in the Standard core loader. The same algorithm decrypts the DLL name strings that are later used to resolve handles to the required DLLs: the data is split into DWORDs and each DWORD is XORed against a random key. The main objective of PHOTOFORK is unchanged from GZIPLOADER, i.e. to deliver an encrypted bot and a core DLL loader (forked) that loads the Forked ICEDID bot into memory using a custom PE format.

Threat Analysis

No assessment of PHOTOFORK's sophistication, national origin, or motivation is available beyond the intelligence profile above.

Quick Facts

Type: APT / Threat Group
Aliases: 2

Also Known As

win.photofork, PHOTOFORK

External Intelligence

Malpedia: win.photofork

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.