APT / THREAT GROUP

ostap

2 aliases
Last seen: Mar 17, 2026

Intelligence Profile

Ostap is a commodity JScript downloader first seen in campaigns in 2016. It has been observed being delivered in ACE archives and in VBA macro-enabled Microsoft Office documents. Recent versions of Ostap query WMI for the list of running processes and compare it against a blacklist of analysis, sandbox and virtualization tooling:

AgentSimulator.exe
anti-virus.EXE
BehaviorDumper
BennyDB.exe
ctfmon.exe
fakepos_bin
FrzState2k
gemu-ga.exe (possible misspelling of the QEMU guest agent, qemu-ga.exe)
ImmunityDebugger.exe
KMS Server Service.exe
ProcessHacker
procexp
Proxifier.exe
python
tcpdump
VBoxService
VBoxTray.exe
VmRemoteGuest
vmtoolsd
VMware2B.exe
VzService.exe
winace
Wireshark

If any blacklisted process is found, the malware terminates. Note that ctfmon.exe is a standard Windows component (the CTF Loader), so the check is not confined to analysis environments; on an analysis host, any tool whose name appears in the list must be renamed or stopped before the sample will proceed.
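The following is an added example, not code from the Ostap sample or from any of the sources this page cites. It reconstructs the process-blacklist check described above in ES3-style JScript so that it runs both under Windows Script Host (cscript.exe), where the process list comes from a WMI Win32_Process query, and under Node.js, where a constructed sample list stands in for the WMI result. The profile does not state how the sample compares names; the example assumes a case-insensitive substring match, which is the only rule under which entries such as "python" or "procexp" (no extension) would match real process names. The Win32_Process query, the function names and the sample process list are all assumptions of this example.

```javascript
// Added example (not Ostap's own code): reconstruction of the WMI
// process-blacklist check described in the profile. Written in ES3-style
// JScript so the same file runs under cscript.exe and under Node.js.

// Process names from the profile. Comparison is case-insensitive substring
// matching, an assumption about the sample's logic (the profile does not
// state the rule); entries without ".exe" only make sense under such a rule.
var BLACKLIST = [
  "AgentSimulator.exe", "anti-virus.EXE", "BehaviorDumper", "BennyDB.exe",
  "ctfmon.exe", "fakepos_bin", "FrzState2k", "gemu-ga.exe",
  "ImmunityDebugger.exe", "KMS Server Service.exe", "ProcessHacker",
  "procexp", "Proxifier.exe", "python", "tcpdump", "VBoxService",
  "VBoxTray.exe", "VmRemoteGuest", "vmtoolsd", "VMware2B.exe",
  "VzService.exe", "winace", "Wireshark"
];

// Returns the blacklist entries that match at least one running process
// name (each entry reported once, in the order the processes were seen).
function findBlacklisted(processNames, blacklist) {
  var hits = [];
  for (var i = 0; i < processNames.length; i++) {
    var name = String(processNames[i]).toLowerCase();
    for (var j = 0; j < blacklist.length; j++) {
      var needle = blacklist[j].toLowerCase();
      if (name.indexOf(needle) !== -1) {
        var seen = false;
        for (var k = 0; k < hits.length; k++) {
          if (hits[k] === blacklist[j]) { seen = true; }
        }
        if (!seen) { hits.push(blacklist[j]); }
      }
    }
  }
  return hits;
}

// The sandbox-evasion decision: true means "behave like Ostap and exit".
function shouldTerminate(processNames) {
  return findBlacklisted(processNames, BLACKLIST).length > 0;
}

// Process enumeration through WMI; only callable under Windows Script Host.
// Assumed query: the profile says "WMI" but does not name the class.
function enumerateProcessesViaWmi() {
  var wmi = GetObject("winmgmts:\\\\.\\root\\cimv2");
  var results = wmi.ExecQuery("SELECT Name FROM Win32_Process");
  var names = [];
  for (var e = new Enumerator(results); !e.atEnd(); e.moveNext()) {
    names.push(e.item().Name);
  }
  return names;
}

// Constructed sample standing in for a WMI result on a VirtualBox guest
// running Wireshark (not real telemetry).
var SAMPLE_PROCESSES = [
  "System", "svchost.exe", "explorer.exe", "VBoxService.exe",
  "vmtoolsd.exe", "Wireshark.exe", "chrome.exe"
];

function main() {
  var underWsh = (typeof WScript !== "undefined");
  var log = underWsh ? function (s) { WScript.Echo(s); }
                     : function (s) { console.log(s); };
  var names = underWsh ? enumerateProcessesViaWmi() : SAMPLE_PROCESSES;
  var hits = findBlacklisted(names, BLACKLIST);
  log("blacklisted processes: " + (hits.length ? hits.join(", ") : "none"));
  log(shouldTerminate(names) ? "Ostap would terminate here"
                             : "Ostap would continue to its download stage");
}

main();
```

Run it as `cscript //nologo ostap_check.js` on a Windows host to see which processes on that machine would trip the check, or as `node ostap_check.js` to exercise the matching logic against the constructed list. Because the match is a substring test, a renamed tool (for example procexp64 renamed to something unrelated) no longer matches, which is the practical way to get the sample past this gate in a sandbox.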

Ostap has been observed delivering other malware families, including Nymaim, Backswap and TrickBot.

Threat Analysis

Although catalogued here under APT / Threat Group, Ostap is a malware family (a commodity JScript downloader), not a threat actor. The available intelligence does not attribute it to a specific group or national origin; its observed role is as a first-stage loader for other families (Nymaim, Backswap and TrickBot), and the operators' motivation is not established by the sources cited on this page.

Quick Facts

Type: APT / Threat Group
Aliases: 2

Also Known As

js.ostap, ostap

External Intelligence

Malpedia: js.ostap

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.