To evade detection and launch its payload, the threat actors behind the CatB ransomware operation have been observed using a technique called DLL search order hijacking. CatB, also known as CatB99 and Baxtoy, first appeared in late 2017, and code-level similarities have led to claims that it is an “evolution or direct rebrand” of the Pandora ransomware.
Notably, Pandora has been attributed to Bronze Starlight (also known as DEV-0401 or Emperor Dragonfly), a China-based threat actor. This group is known to deploy short-lived ransomware families as a smokescreen to mask its likely true objectives.