{
	"id": "1612819b-03d1-4cf3-8e25-d9231aae0345",
	"created_at": "2026-04-06T00:09:09.998458Z",
	"updated_at": "2026-04-10T13:11:25.761406Z",
	"deleted_at": null,
	"sha1_hash": "1c58bbeefa92023a0cd20d96b4bdeb0de4ff2268",
	"title": "BlackCat (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 111332,
	"plain_text": "BlackCat (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 21:43:32 UTC\r\nALPHV, also known as BlackCat or Noberus, is a ransomware family that is deployed as part of Ransomware as a\r\nService (RaaS) operations. ALPHV is written in the Rust programming language and supports execution on\r\nWindows, Linux-based operating systems (Debian, Ubuntu, ReadyNAS, Synology), and VMWare ESXi. ALPHV\r\nis marketed as ALPHV on cybercrime forums, but is commonly called BlackCat by security researchers due to an\r\nicon of a black cat appearing on its leak site. ALPHV has been observed being deployed in ransomware attacks\r\nsince November 18, 2021.\r\nALPHV can be configured to encrypt files using either the AES or ChaCha20 algorithms. In order to maximize\r\nthe amount of ransomed data, ALPHV can delete volume shadow copies, stop processes and services, and stop\r\nvirtual machines on ESXi servers. ALPHV can self-propagate by using PsExec to remote execute itself on other\r\nhosts on the local network.\r\n2025-12-30 ⋅ US Department of Justice ⋅ Office of Public Affairs\r\nTwo Americans Plead Guilty to Targeting Multiple U.S. 
Victims Using ALPHV BlackCat Ransomware\r\nBlackCat BlackCat 2025-11-03 ⋅ Breached Company ⋅ Breached Company\r\nWhen the Defenders Become the Attackers: Cybersecurity Experts Indicted for BlackCat Ransomware Operations\r\nBlackCat BlackCat 2024-07-02 ⋅ Sekoia ⋅ Quentin Bourgue\r\nExposing FakeBat loader: distribution methods and adversary infrastructure\r\nBlackCat Royal Ransom EugenLoader Carbanak Cobalt Strike DICELOADER Gozi IcedID Lumma Stealer\r\nNetSupportManager RAT Pikabot RedLine Stealer SectopRAT Sliver SmokeLoader Vidar 2023-12-03 ⋅ Twitter\r\n(@vxunderground) ⋅ VX-Underground\r\nTweet about ALPHV group compromising Tipalti to pressure its clients.\r\nBlackCat BlackCat 2023-11-16 ⋅ CISA ⋅ CISA\r\nScattered Spider\r\nBlackCat Ave Maria Raccoon Vidar 2023-10-25 ⋅ Microsoft ⋅ Microsoft Incident Response, Microsoft Threat Intelligence\r\nOcto Tempest crosses boundaries to facilitate extortion, encryption, and destruction\r\nBlackCat BlackCat Lumma Stealer 2023-07-13 ⋅ MSSP Lab ⋅ cocomelonc\r\nMalware analysis report: BlackCat ransomware\r\nBlackCat BlackCat 2023-05-30 ⋅ IBM Security ⋅ IBM Security X-Force Team\r\nBlackCat (ALPHV) ransomware levels up for stealth, speed and exfiltration\r\nBlackCat BlackCat 2023-05-15 ⋅ CrowdStrike ⋅ CrowdStrike\r\nHypervisor Jackpotting, Part 3: Lack of Antivirus Support Opens the Door to Adversary Attacks\r\nBlackCat SystemBC 2023-03-30 ⋅ United States District Court (Eastern District of New York) ⋅ Fortra, HEALTH-ISAC, Microsoft\r\nCracked Cobalt Strike (1:23-cv-02447)\r\nBlack Basta BlackCat LockBit RagnarLocker LockBit Black Basta BlackCat Cobalt Strike Cuba Emotet LockBit\r\nMount Locker PLAY QakBot RagnarLocker Royal Ransom Zloader 2023-03-21 ⋅ Github (rivitna) ⋅ Andrey Zhdanov\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.blackcat\r\nPage 1 of 3\n\nBlackCat v3 Decryptor Scripts\r\nBlackCat BlackCat 2022-09-28 ⋅ vmware ⋅ Giovanni Vigna\r\nESXi-Targeting Ransomware: The Threats That Are After Your Virtual 
Machines (Part 1)\r\nAvoslocker Babuk Black Basta BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit Luna\r\nRansomEXX RedAlert Ransomware REvil 2022-09-22 ⋅ ComputerWeekly ⋅ Alex Scroxton\r\nALPHV/BlackCat ransomware family becoming more dangerous\r\nBlackCat BlackCat FIN7 2022-08-22 ⋅ Microsoft ⋅ Microsoft\r\nExtortion Economics - Ransomware’s new business model\r\nBlackCat Conti Hive REvil AgendaCrypt Black Basta BlackCat Brute Ratel C4 Cobalt Strike Conti Hive Mount\r\nLocker Nokoyawa Ransomware REvil Ryuk 2022-08-11 ⋅ SecurityScorecard ⋅ Robert Ames\r\nThe Increase in Ransomware Attacks on Local Governments\r\nBlackCat BlackCat Cobalt Strike LockBit 2022-07-14 ⋅ Sophos ⋅ Andrew Brandt, Andy French, Bill Kearney, Elida Leite,\r\nHarinder Bhathal, Lee Kirkpatrick, Peter Mackenzie, Robert Weiland, Sergio Bestulic\r\nBlackCat ransomware attacks not merely a byproduct of bad luck\r\nBlackCat BlackCat 2022-06-29 ⋅ Group-IB ⋅ Andrey Zhdanov, Oleg Skulkin\r\nFat Cats - An analysis of the BlackCat ransomware affiliate program\r\nBlackCat BlackCat 2022-06-07 ⋅ AdvIntel ⋅ Marley Smith, Vitali Kremez, Yelisey Boguslavskiy\r\nBlackCat — In a Shifting Threat Landscape, It Helps to Land on Your Feet: Tech Dive\r\nBlackCat BlackCat Cobalt Strike 2022-06-01 ⋅ Jorge Testa ⋅ Jorge Testa\r\nKilling The Bear - Alphv\r\nBlackCat BlackCat 2022-05-11 ⋅ Kaspersky ⋅ GReAT\r\nNew ransomware trends in 2022\r\nBlackCat Conti DEADBOLT DoubleZero LockBit PartyTicket StealBit 2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender\r\nThreat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)\r\nRansomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself\r\nAnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon\r\nATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi\r\nHelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos 
Phoenix Locker\r\nPhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT 2022-04-21 ⋅\r\nForescout ⋅ Vedere Labs\r\nAnalysis of an ALPHV incident\r\nBlackCat 2022-04-08 ⋅ The Hacker News ⋅ Ravie Lakshmanan\r\nResearchers Connect BlackCat Ransomware with Past BlackMatter Malware Activity\r\nBlackCat BlackMatter BlackCat BlackMatter 2022-04-07 ⋅ Kaspersky ⋅ GReAT\r\nA Bad Luck BlackCat\r\nBlackCat BlackCat 2022-03-27 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nHive ransomware ports its Linux VMware ESXi encryptor to Rust\r\nBlackCat Hive Hive 2022-03-22 ⋅ The Register ⋅ Jeff Burt\r\nThis is a BlackCat you don't want crossing your path\r\nBlackCat BlackMatter 2022-03-17 ⋅ Cisco ⋅ Caitlin Huey, Tiago Pereira\r\nFrom BlackMatter to BlackCat: Analyzing two attacks from one affiliate\r\nBlackCat BlackMatter BlackCat BlackMatter 2022-02-23 ⋅ Emsisoft ⋅ Senan Conrad\r\nRansomware Profile: ALPHV\r\nBlackCat 2022-02-08 ⋅ Trellix ⋅ Arnab Roy\r\nBlackCat Ransomware as a Service - The Cat is certainly out of the bag!\r\nBlackCat BlackCat 2022-02-02 ⋅ ZDNet ⋅ Jonathan Greig\r\nBlackCat ransomware implicated in attack on German oil companies\r\nBlackCat BlackCat 2022-01-28 ⋅ KrebsOnSecurity ⋅ Brian Krebs\r\nWho Wrote the ALPHV/BlackCat Ransomware Strain?\r\nBlackCat BlackCat 2022-01-26 ⋅ Intrinsec ⋅ Intrinsec\r\nALPHV ransomware gang analysis\r\nBlackCat BlackCat 2021-12-21 ⋅ Twitter (@sisoma2) ⋅ sisoma2\r\nBlackCat Ransomware Linux variant\r\nBlackCat\r\n[TLP:WHITE] elf_blackcat_auto (20251219 | Detects elf.blackcat.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackcat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackcat"
	],
	"report_names": [
		"elf.blackcat"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f63c346d-18c8-4821-a56d-fefb1ad7ed5d",
			"created_at": "2022-10-25T16:07:23.42507Z",
			"updated_at": "2026-04-10T02:00:04.593122Z",
			"deleted_at": null,
			"main_name": "Bronze Starlight",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"HighGround",
				"Operation ChattyGoblin",
				"SLIME34"
			],
			"source_name": "ETDA:Bronze Starlight",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"AtomSilo",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"HUI Loader",
				"Kaba",
				"Korplug",
				"LockFile",
				"Night Sky",
				"NightSky",
				"Pandora",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c69bcda3-0893-4ea1-9ec1-ae016332d283",
			"created_at": "2023-01-06T13:46:39.410593Z",
			"updated_at": "2026-04-10T02:00:03.317754Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"DEV-0401",
				"Cinnamon Tempest",
				"Emperor Dragonfly",
				"SLIME34"
			],
			"source_name": "MISPGALAXY:BRONZE STARLIGHT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d511e74b-96b8-4ab9-88d6-bc183351dbd8",
			"created_at": "2025-08-07T02:03:24.674685Z",
			"updated_at": "2026-04-10T02:00:03.800936Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"Cinnamon Tempest ",
				"DEV-0401 ",
				"Emperor Dragonfly "
			],
			"source_name": "Secureworks:BRONZE STARLIGHT",
			"tools": [
				"AtomSilo",
				"Cobalt Strike",
				"HUI Loader",
				"Impacket",
				"LockFile",
				"NightSky",
				"Pandora",
				"PlugX",
				"Rook"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "81e29474-63ad-4ce8-97db-b1712d5481d5",
			"created_at": "2024-04-24T02:00:49.570158Z",
			"updated_at": "2026-04-10T02:00:05.285111Z",
			"deleted_at": null,
			"main_name": "Cinnamon Tempest",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"Emperor Dragonfly",
				"BRONZE STARLIGHT"
			],
			"source_name": "MITRE:Cinnamon Tempest",
			"tools": [
				"Pandora",
				"PlugX",
				"Cheerscrypt",
				"Impacket",
				"Cobalt Strike",
				"HUI Loader",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434149,
	"ts_updated_at": 1775826685,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1c58bbeefa92023a0cd20d96b4bdeb0de4ff2268.pdf",
		"text": "https://archive.orkl.eu/1c58bbeefa92023a0cd20d96b4bdeb0de4ff2268.txt",
		"img": "https://archive.orkl.eu/1c58bbeefa92023a0cd20d96b4bdeb0de4ff2268.jpg"
	}
}