type: entity
confidence: medium
created: 2026-05-26
updated: 2026-05-26
tags: malware-family, ransomware, file-encryptor, chacha, pe, x64

chacha8

Overview

A ransomware / file-encryptor family distinguished by use of the ChaCha20 stream cipher for in-place file encryption. Samples are small, self-contained PE32+ x64 binaries compiled with MinGW-w64 GCC, typically masquerading as Windows system processes (svchost.exe). No network C2, no ransom-note payload, and no extortion infrastructure are embedded — the binary is purely a destructive encryptor/wiper. The family label originates from OpenCTI consensus; the not_avaris label indicates prior confusion with an "Avaris" builder variant.

First seen in this wiki: 2026-05-26.

Build-stack typically observed

  • Compiler: GCC 15.1.0 (MinGW-W64, Brecht Sanders build or equivalent) ^[report.md]
  • Language: C (unobfuscated, compiled straight to native code)
  • Linker: GNU ld (MinGW-w64)
  • Packing: None — text entropy ~5.8, no compression or obfuscation layers
  • Signing: Unsigned
  • Resources: No .rsrc section — no embedded icons, config blobs, or ransom notes

Deploy / TTPs

Technique                                                 MITRE ATT&CK   Observed
Masquerading as system process                            T1036.005      Yes — svchost.exe ^[report.md]
Data destruction (file encryption + overwrite + delete)   T1485          Yes ^[report.md]
ChaCha20 stream cipher                                    -              Yes — expand 32-byte k constant ^[report.md]
Single-instance mutex                                     -              Yes — Global\Not_Avaris ^[report.md]
In-place encryption (no staging copy)                     -              Yes ^[report.md]
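The static indicators in the table above (the ChaCha20 "expand 32-byte k" constant, the Global\Not_Avaris mutex name, the svchost.exe masquerade) and the unpacked-binary entropy noted under the build stack can be turned into a quick triage check. The script below is an added example for this wiki entry, not tooling from any analysis report; it scans a whole byte buffer rather than the .text section alone, checks the mutex in both ANSI and UTF-16LE form because a MinGW C build could use either CreateMutex variant, and uses an assumed entropy threshold of 7.2 as a packing hint.

```python
import math

# Indicators taken from this entry: the ChaCha20 sigma constant and the mutex name.
CHACHA_SIGMA = b"expand 32-byte k"
MUTEX_NAME = b"Global\\Not_Avaris"
MUTEX_NAME_WIDE = MUTEX_NAME.decode("ascii").encode("utf-16-le")
MASQUERADE_NAME = b"svchost.exe"
PACKED_ENTROPY_THRESHOLD = 7.2  # assumption: unpacked samples sit near ~5.8, packed near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the whole buffer (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(blob: bytes) -> dict:
    """Return which chacha8 indicators are present in a PE image (or any byte buffer)."""
    entropy = shannon_entropy(blob)
    return {
        "chacha_sigma": CHACHA_SIGMA in blob,
        "not_avaris_mutex": MUTEX_NAME in blob or MUTEX_NAME_WIDE in blob,
        "svchost_masquerade": MASQUERADE_NAME in blob,
        "entropy": round(entropy, 2),
        "likely_packed": entropy > PACKED_ENTROPY_THRESHOLD,
    }


def is_chacha8_candidate(blob: bytes) -> bool:
    """The cipher constant alone is common to any ChaCha20 user; require a second indicator."""
    hits = triage(blob)
    return hits["chacha_sigma"] and (hits["not_avaris_mutex"] or hits["svchost_masquerade"])


# Constructed stand-in for a sample image; not a real binary.
SAMPLE = (b"MZ" + b"\x90" * 64 + b"\x00\x00" + CHACHA_SIGMA + b"\x00" * 32
          + MUTEX_NAME + b"\x00" + MASQUERADE_NAME + b"\x00")

if __name__ == "__main__":
    print(triage(SAMPLE), is_chacha8_candidate(SAMPLE))
```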

Variants / Aliases

  • not_avaris (OpenCTI label, disputed attribution)
  • Possibly related to an "Avaris" ransomware builder or kit

Capabilities

  • chacha20-stream-cipher-encryption
  • in-place-file-overwrite
  • original-file-deletion
  • single-instance-mutex
  • system-process-masquerade
  • cwd-directory-walk
  • self-contained-no-c2
  • no-ransom-note-payload

Notable Analyses

  • /intel/analyses/3485419b7a85123f50512ee04e29dfe1ad6d973118b073f16a57565251a4d2f0.html — svchost.exe masquerade, 53,760 bytes, ChaCha20 encryptor, mutex Global\Not_Avaris

Related Entities

  • ransomware (concept stub — encryption-based extortion or destruction)
  • unclassified-PE32 (if confidence on a future sample drops)