{
	"id": "4daf7da9-4b34-49be-963b-0be0b748e927",
	"created_at": "2026-04-06T00:21:14.402887Z",
	"updated_at": "2026-04-10T03:35:52.786953Z",
	"deleted_at": null,
	"sha1_hash": "02ddb0f91d9998840a475540ca2a07d9827e8613",
	"title": "BlackCat : New Rust based ransomware borrowing BlackMatter’s configuration",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3277162,
	"plain_text": "BlackCat: New Rust-based ransomware borrowing BlackMatter’s configuration\r\nBy S2W\r\nPublished: 2021-12-10 · Archived: 2026-04-05 23:41:24 UTC\r\nWhy Rust?\r\nRust is a multi-paradigm programming language, developed by Mozilla in 2010, which aims at higher performance and better safety than C++. Rust has been Stack Overflow’s most loved language for five years in a row. For this reason, malware developers are probably also trying to develop malware in Rust.\r\nIn fact, Rust-based MaaS (Malware-as-a-Service) such as RustyBuer and FickerStealer have been appearing on the Deep and Dark web.\r\n1.2. Borrowing BlackMatter’s configuration\r\nLike other RaaS ransomware, BlackCat performs its malicious actions by referring to an internal configuration.\r\nhttps://medium.com/s2wblog/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809\r\nPage 1 of 10\r\nHowever, we have confirmed that the values of the following BlackCat configuration fields completely match BlackMatter’s:\r\nkill_services\r\nkill_processes\r\nexclude_directory_names\r\nexclude_file_names\r\nexclude_file_extensions\r\nThe “credentials” configuration field is also used by BlackMatter V1 and Darkside; it holds the victim’s domain credentials.\r\n1.3. Differences from BlackMatter\r\nAfter comparing BlackCat and BlackMatter, we found it difficult to conclude that they are operated by the same group.\r\n1) Too similar\r\nWhen Darkside, known to be used by the FIN7 group, was rebranded to BlackMatter, it did not reuse the same configuration.\r\n2) Based on Rust\r\nThe BlackCat ransomware is written in Rust, whereas both DarkSide and BlackMatter were written in C/C++.\r\n3) Too soon\r\nIt is too soon for BlackMatter to have rebranded as BlackCat using a different programming language, Rust.\r\nDarkside: from August 2020 to May 2021\r\nBlackMatter: from August 2021 to November 2021\r\nBlackCat: from late November (based on PE timestamps)\r\n4) Lots of execution options\r\nUnlike Darkside and BlackMatter, which used two or three options, BlackCat ransomware supports various execution options.\r\n5) Leak site\r\nWhen accessing the DarkSide and BlackMatter negotiation sites, a key had to be entered on the negotiation page, whereas BlackCat passes the access key as a GET parameter and displays no input box on the page. In addition, BlackCat has added a private leak site, probably a pre-publication leak site.\r\n2. The negotiation site and leak sites\r\nFive onion domains used by BlackCat have been identified so far. They are currently categorized as the negotiation site, the public leak site and the private leak site, and they appear to use the same favicon. It seems that they initially operated a private preview page and then moved it to the Alphv leak site. (Unfortunately, the private leak site was not accessible at the time of writing.)\r\n2.1. Alphv leak site\r\nTwo victims were recently posted on the Alphv leak site.\r\n2.2. The two victims on the Alphv leak site seem to have been attacked by the BlackCat ransomware\r\nWe have confirmed that the configuration within the BlackCat ransomware contains the victim’s credentials.\r\nWe have also confirmed that the victim’s name was included in the filename of the BlackCat ransomware sample posted to the leak site during the analysis.\r\n3. Activities\r\nWe have analyzed their recent activities, and the group seems to have been active since November.\r\n3.1. Timeline\r\n3.2. Looking for pentesters and affiliates\r\nThe BlackCat ransomware operator has been using “alphv” as a username on the XSS and Exploit forums, but “ransom” as a username on the RAMP forum.\r\n[Exploit forum] We are looking for WINDOWS / LINUX / ESXI pentesters\r\nPosted on 12/04/2021\r\n[RAMP forum] ALPHV-ng RaaS new generation.\r\nPosted on 12/09/2021\r\n3.3. Warning messages posted on Alphv\r\nAfter information about the BlackCat ransomware and the Alphv leak site was revealed on Twitter, they deleted all information on both victims and added a warning message to the Alphv leak site.\r\nSource: https://medium.com/s2wblog/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/s2wblog/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809"
	],
	"report_names": [
		"blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434874,
	"ts_updated_at": 1775792152,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/02ddb0f91d9998840a475540ca2a07d9827e8613.pdf",
		"text": "https://archive.orkl.eu/02ddb0f91d9998840a475540ca2a07d9827e8613.txt",
		"img": "https://archive.orkl.eu/02ddb0f91d9998840a475540ca2a07d9827e8613.jpg"
	}
}