---
title: "Are MortalKombat Ransomware and Tengyun Snake Attacks Emerging Email Threats? | DuoCircle"
description: "Attachment-based malware threats are not dying out, they are now a persistent threat."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/data-privacy/are-mortalkombat-ransomware-and-tengyun-snake-attacks-emerging-email-threats/"
---

Quick Answer

MortalKombat (a Xorist commodity ransomware variant first seen early 2023, distributed alongside the Laplas Clipper) and Tengyun Snake are two phishing-borne malware families with different kill chains. MortalKombat uses a malicious ZIP attachment that drops the payload directly; Tengyun Snake impersonates government agencies in spear-phishing and exploits a DDE vulnerability via Word or PDF.


![Email Threats](https://media.mailhop.org/duocircle/images/2023/07/hosted-email-server-3175.jpg) 

_**Attachment-based malware** threats are not dying out; they are now a persistent threat. Researchers discovered a new ransomware threat, MortalKombat, in early 2023 that spreads through [phishing emails](/content/email-phishing-protection/what-do-phishing-emails-do) and targets victims worldwide. MortalKombat and Tengyun Snake are **emerging email threats** that made experts wonder whether detection-based approaches are enough today._

Researchers discovered another emerging threat in February 2023, when they found that the [cyber criminals](https://www.computerweekly.com/news/252529367/Fraudsters-and-cyber-criminals-stole-more-than-4bn-in-the-UK-through-2022) behind the latest financially motivated campaign were using ‘MortalKombat,’ a Xorist commodity ransomware variant. _They were using it in conjunction with the **Laplas Clipper** in cyberattacks._

Experts describe MortalKombat as ransomware designed similarly to the **Xorist commodity ransomware** family, which uses a builder that enables cybercriminals to customize the [malware](/resources/malware-and-its-defense-mechanism). Xorist has been decryptable for free since 2016. The victims of the attack were located in the United States, the UK, Turkey, and the Philippines.

## The Difference Between MortalKombat and Tengyun Snake

Although both _MortalKombat and Tengyun Snake_ use a similar threat vector, **phishing emails**, their [kill chains](https://www.crowdstrike.com/cybersecurity-101/cyber-kill-chain/) are different. The MortalKombat kill chain starts when a hacker sends a **malicious ZIP attachment** containing the malicious payload. After the victim downloads the attachment, the ransomware will quickly deploy and launch the multi-stage attack.

In contrast, Tengyun Snake has a more sophisticated kill chain. Cybercriminals first employ social engineering techniques by **impersonating governmental departments**. Then they send [spear-phishing](/content/phishing-prevention/spear-phishing-examples) emails to selected targets. These emails contain compressed packages with malicious Word or PDF documents that carry a [DDE vulnerability exploit](https://www.sentinelone.com/blog/malware-embedded-microsoft-office-documents-dde-exploit-macroless/). _The victims click on the custom malware and deploy it, and it silently exfiltrates data_.

### The Persistence of Attachment-Based Malware Threats: A Growing Concern

[![ransomware](https://media.mailhop.org/duocircle/images/2023/07/365-to-365-migration-9246.jpg)](https://media.mailhop.org/duocircle/images/2023/07/365-to-365-migration-9246.jpg)

Attachment-based malware threats continue to pose a persistent and **escalating danger** in the digital landscape. Recent discoveries by researchers in early 2023 unveiled a new [ransomware](/resources/ryuk-ransomware-attacks) threat known as MortalKombat. This malicious software spreads through phishing emails and targets victims on a global scale.

Alongside MortalKombat, another emerging email threat called Tengyun Snake has experts questioning the **adequacy of detection-based approaches** in today’s cybersecurity landscape.

## How Did the Attacks Unfold?

In both emerging email threats, the victim receives an email with a malicious ZIP attachment that contains a **BAT loader script**. The malicious attachment downloads another archive from a remote resource, and that archive includes either of the two [malware payloads](https://hothardware.com/news/hackers-using-pngs-with-malware-payloads).

When the victim opens the malicious attachment, the loader script executes the downloaded payload on the compromised system. The malware then **deletes the downloaded files** to minimize the chances of detection.
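A gateway-side attachment policy check for the delivery chain described above (a ZIP attachment carrying a BAT loader), as an added example that is not part of the original article. It judges attachments by content and file type rather than by signature; the blocked-extension list, the nesting limit and the sample message are assumptions constructed for illustration.

```python
import io
import posixpath
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy list: file types a gateway refuses inside an archive.
BLOCKED_EXTS = {".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta", ".lnk", ".exe", ".scr"}
MAX_DEPTH = 3  # assumed limit on how many nested archives are opened

def scan_zip(data: bytes, path: str, depth: int = 1) -> list[str]:
    """Return policy findings for one archive, descending into nested ZIPs."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{path}: unreadable archive"]
    findings = []
    for info in zf.infolist():
        member = f"{path}!{info.filename}"
        ext = posixpath.splitext(info.filename.lower())[1]  # last extension wins
        if ext in BLOCKED_EXTS:
            findings.append(f"{member}: blocked file type {ext}")
        if info.flag_bits & 0x1:  # encrypted: name visible, content not inspectable
            findings.append(f"{member}: encrypted member")
        elif ext == ".zip" and depth < MAX_DEPTH:
            findings.extend(scan_zip(zf.read(info), member, depth + 1))
        elif ext == ".zip":
            findings.append(f"{member}: nesting deeper than {MAX_DEPTH}")
    return findings

def scan_message(raw: bytes) -> list[str]:
    """Scan every attachment of an RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        payload = part.get_payload(decode=True) or b""
        if payload[:4] == b"PK\x03\x04":  # sniff content, ignore the declared name
            findings.extend(scan_zip(payload, name))
    return findings

def build_sample() -> bytes:
    """Constructed sample: ZIP in a ZIP holding an inert one-line .bat file."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("invoice.pdf.bat", "@echo constructed sample\r\n")
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("readme.txt", "constructed sample")
        zf.writestr("docs/archive.zip", inner.getvalue())
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "user@example.com"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attachment.")
    msg.add_attachment(outer.getvalue(), maintype="application",
                       subtype="octet-stream", filename="statement.dat")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

The sample attachment is named `statement.dat` and hides the script one archive level down behind a double extension, so the check only succeeds because it sniffs the ZIP magic bytes and recurses instead of trusting the declared filename.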

### Understanding the Unique Characteristics of MortalKombat and Tengyun Snake

Experts describe MortalKombat as a type of ransomware that closely resembles the Xorist commodity ransomware family. It employs a builder that enables cybercriminals to **customize the malware** according to their malicious intent. It is noteworthy that [Xorist](https://www.pcrisk.com/removal-guides/9905-xorist-ransomware#:~:text=Xorist%20%28EnCiPhErEd%29%20is%20a%20family,encrypted%20file%3A%20....) has been decryptable since 2016.

The victims of MortalKombat attacks have been identified across various countries, including the United States, the UK, Turkey, and the Philippines. On the other hand, Tengyun Snake takes a more sophisticated approach, utilizing [social engineering techniques](https://www.itvoice.in/netskope-attackers-double-down-on-social-engineering-techniques-and-malicious-functionalities-leading-to-sharp-increase-in-malware-downloads) and spear-phishing emails to target specific individuals or high-value organizations.

## Why Does a Detection-Based Approach Not Work for These Emerging Threats?

Experts say _MortalKombat and Tengyun Snake_ have different objectives and kill chains. MortalKombat aims to extract **financial gains** from its victims. Tengyun Snake, by contrast, focuses on retrieving **sensitive data**, like [intellectual property](https://www.cbsnews.com/texas/news/dallas-fbi-warns-texas-universities-about-intellectual-property-theft-by-chinese-government/), from a specific target or other high-value organizations, including military, energy, government, and technology sectors.

_However, despite the different kill chains and objectives, there is one similarity between the emerging email-based threats: Detection-based security measures **cannot detect** them._ This is because hackers deploy this malware through an attachment inside phishing emails.

Since such mechanisms allow [threat actors](/email-security/threat-actors-attack-thousands-of-computers-following-the-ion-incident/) to create new variants easily, there are **no signature patterns** for them. Hence, traditional antivirus engines cannot detect them easily.

Additionally, blocking email addresses linked to phishing emails is not an ideal solution because **spoofing techniques** enable threat actors to bypass all traditional detection mechanisms.

[![phishing trends](https://media.mailhop.org/duocircle/images/2023/07/spf-validator.jpg)](https://media.mailhop.org/duocircle/images/2023/07/spf-validator.jpg)

### Unveiling the Attack Unfolding: How MortalKombat and Tengyun Snake Operate

In both MortalKombat and Tengyun Snake attacks, victims receive emails containing malicious ZIP attachments. These attachments, which often include a BAT loader script, download further archives from **remote sources** containing the actual [malware payloads](https://cybersecuritynews.com/malware-delivered-via-google-ads/).

Once the victim opens the malicious attachment, the loader script executes the downloaded payload, initiating the **multi-stage attack** on the compromised system. The malware operates covertly, deleting the downloaded files to minimize the chances of detection.

## Final Words

Thus, we saw that advanced malware threats like MortalKombat and Tengyun Snake are [emerging threats](https://www.jpost.com/business-and-innovation/all-news/article-739142) that can cost organizations millions. They are more dangerous because traditional detection-based methods are unable to detect them.

However, this does not mean that your business needs to be vulnerable. Preventing such advanced email threats requires something more. They can be addressed with a **prevention-based** [cybersecurity](/) solution that proactively disarms all active content before it can trigger. Thus, organizations can ensure that their employees’ mailboxes remain protected from unknown advanced threats.


Brad Slavin, General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

