{
	"id": "efb8fa60-605d-475d-9334-b6422f97d0b5",
	"created_at": "2026-04-06T00:14:58.096995Z",
	"updated_at": "2026-04-10T03:35:02.892641Z",
	"deleted_at": null,
	"sha1_hash": "1d377ee130cef19e763baf5e5814ece14b4a47ca",
	"title": "CARBON SPIDER Embraces Big Game Hunting, Part 2 | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 698114,
	"plain_text": "CARBON SPIDER Embraces Big Game Hunting, Part 2 | CrowdStrike\r\nBy Eric Loui - Josh Reynolds\r\nArchived: 2026-04-05 19:18:11 UTC\r\nIn 2020, CARBON SPIDER began conducting big game hunting (BGH) ransomware campaigns with PINCHY\r\nSPIDER’s REvil before introducing Darkside. The adversary later opened up Darkside to affiliates through a\r\nransomware-as-a-service (RaaS) program, allowing other actors to use the ransomware while paying CARBON\r\nSPIDER a portion of the received ransom. The first part of this two-part blog series explored CARBON SPIDER’s\r\ninitial BGH campaigns in depth. This blog discusses the Darkside ransomware incident at U.S. oil pipeline system\r\nColonial Pipeline in May 2021 and how CARBON SPIDER responded to fallout from this event. Despite the\r\ntermination of the Darkside program, the adversary continued malware distribution campaigns and subsequently\r\nintroduced the BlackMatter RaaS. Due to numerous technical overlaps with Darkside, BlackMatter is attributed to\r\nCARBON SPIDER.\r\nColonial Pipeline Incident\r\nOn May 8, 2021, Colonial Pipeline disclosed that it had been the victim of a ransomware incident the day before;1\r\nhowever, it would be several days until the FBI indicated that Colonial Pipeline fell victim to Darkside\r\nransomware.2 On May 9, 2021, a ransom payment of approximately $4.4 million USD (75 BTC) was made to a\r\nprobable Darkside affiliate. The U.S. 
Department of Justice (DOJ) later announced the seizure of the affiliate’s\r\nportion of this payment.3\r\nOn May 10, 2021, CARBON SPIDER posted a response to media attention to the\r\nColonial Pipeline incident on the Darkside dedicated leak site (DLS) stating they are “apolitical,” do not\r\nparticipate in “geopolitics,” and that their “goal is to make money, and not creating problems for society.” The\r\npost further mentioned a vetting process for all victims, providing further evidence that the Colonial Pipeline\r\nincident was conducted by an affiliate rather than the core CARBON SPIDER group. These statements were likely\r\nmade in an attempt to correct certain public speculation that the attack was politically motivated. A statement on\r\nMay 13, 2021 — purportedly from CARBON SPIDER — claimed the adversary group lost access to the Darkside\r\nDLS, payment servers and content delivery network (CDN) servers. The statement also claimed CARBON\r\nSPIDER servers had been blocked “at the request of law enforcement agencies.” Since then, CrowdStrike\r\nIntelligence has not observed any new valid Darkside samples, indicating this date marked the end of the\r\nDarkside RaaS. Separately on May 13, 2021, several forum administrators banned posts relating to ransomware,\r\nlikely to avoid media attention.\r\nSubsequent CARBON SPIDER Operations\r\nDespite Darkside’s termination, CARBON SPIDER did not cease their operations or entirely abandon prior\r\ntooling. On May 25, 2021, CrowdStrike Falcon® Complete and Falcon OverWatch detected a SQL injection\r\nincident that delivered a PowerShell (PS) stager tracked by CrowdStrike Intelligence as Demux. From May 31\r\nhttps://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/\r\nPage 1 of 4\n\nthrough June 29, 2021, CARBON SPIDER used malicious Microsoft Excel and Word documents as well as Leo\r\nVBS to distribute an updated version of JSS Loader. 
This version of JSS Loader — written in C++, compared to\r\nits .NET progenitor — introduced a new packer.\r\nOn July 9 and 12, 2021, CARBON SPIDER used malicious Microsoft Word documents to distribute the Harpy\r\nbackdoor. These documents used Windows 11 Alpha-themed content identical to lure content used in a JSS Loader\r\ncampaign (Figure 1).\r\nFigure 1. JSS Loader/Harpy document content\r\nIn this campaign, after Harpy successfully contacted its command-and-control (C2) server, a JavaScript system\r\nenumeration module was delivered and executed by Harpy. This enumeration module strongly resembles a PS\r\nsystem enumeration module written for the Domenus suite, providing evidence that both tools share a common\r\ndeveloper. In June 2021, a probable CARBON SPIDER actor deployed the open-source Hidden Tear ransomware\r\nduring a ransomware operation. This incident was attributed to CARBON SPIDER based on prior use of the\r\nDemux stager and the Sekur Remote Access Tool (RAT) to establish persistent access, in addition to Cobalt Strike.\r\nThis incident marks the first known CARBON SPIDER ransomware campaign following the Colonial Pipeline\r\nincident; CARBON SPIDER likely chose to use Hidden Tear to avoid attracting additional attention.\r\nBlackMatter\r\nOn July 21, 2021, a Russian-language forum member named BlackMatter sought to purchase access to a variety of\r\ncorporate networks. The actor specifically expressed interest in the U.S., Canada, Australia and the UK, and\r\nexpressed disinterest in targeting medical or government institutions. Subsequent CrowdStrike Intelligence\r\nanalysis confirmed that BlackMatter is provided to affiliates via a RaaS program, similar to Darkside.\r\nWindows PE and Linux ELF versions of BlackMatter were subsequently obtained and analyzed. Extensive coding\r\nsimilarities indicate BlackMatter is highly likely the successor to Darkside. 
Windows version overlaps include:\r\nBuilding an import address table at runtime using dynamic function resolution\r\nUsing aPLib to decompress the embedded ransomware configuration\r\nOverlaps in configuration formats and multiple configuration items\r\nUsing the same file encryption system, including using Salsa20 to encrypt files through a randomly\r\ngenerated state matrix and protecting the state matrix with an embedded RSA-1024 key\r\nUsing two HTTP C2 requests before and after file encryption containing system information and\r\nencryption statistics\r\nUsing Windows Management Instrumentation (WMI) for shadow copy deletion\r\nLinux version overlaps include:\r\nA Red Hat Linux build environment\r\nBeing written in C++ and compiled using GCC with statically linked libcurl, Boost and CryptoPP libraries\r\nUsing the CryptoPP RandomPool random number generator to produce symmetric keys\r\nUsing an embedded RSA-4096 public key to protect generated symmetric keys\r\nUsing an embedded configuration that specifies an RSA-4096 public key, an allowlist of file extensions to\r\nencrypt, a thread count to use during encryption, a debug log file path and C2 domains\r\nAll BlackMatter extension allowlist values exist within Darkside’s configuration\r\nPerforming a C2 request via cURL containing embedded system information\r\nPlacing a hard-coded URL containing a unique URL string within the ransom note to the victim payment\r\nportal\r\nThe ability to stop ESXi virtual machines using esxcli\r\nThe ability to enumerate ESXi volumes for encryption using esxcli\r\nBlackMatter ransom notes direct victims to communicate via a portal hosted on Tor. If victims do not pay ransom\r\ndemands, stolen files are typically posted on a DLS that is also hosted on Tor. 
CrowdStrike Intelligence has\r\nidentified BlackMatter victims spanning numerous sectors across North and South America, Asia and Europe.\r\nConclusion and Outlook\r\nCrowdStrike Intelligence assesses CARBON SPIDER is highly likely behind the development of BlackMatter and\r\noperating the BlackMatter RaaS. This assessment carries high confidence based on the extensive amount of\r\ntechnical overlaps between Darkside and BlackMatter. CARBON SPIDER’s resilience and launch of BlackMatter\r\nshortly following the termination of Darkside demonstrates how difficult it is to disrupt cybercrime adversaries\r\nand their operations. The potential profits from ransomware are evidently worth risking potential law enforcement\r\nactions. Without fundamental changes in the economics of cybercrime, CARBON SPIDER and other actors will\r\nlikely continue to provide RaaS programs to affiliates.\r\nIndicators of Compromise\r\nType SHA256 Hash\r\nJSS Loader C++ version 1414704797a7ecbbd0fb0ae48207bdef367697eafddd70fd646e4662a77a30d6\r\nBlackMatter Windows 22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6\r\nBlackMatter Linux 6a7b7147fea63d77368c73cef205eb75d16ef209a246b05698358a28fd16e502\r\nTable 1. Exemplar SHA256 Hashes of CARBON SPIDER Malware\r\nCrowdStrike Confidence Assessment Definitions\r\nHigh Confidence: Judgments are based on high-quality information from multiple sources. High\r\nconfidence in the quality and quantity of source information supporting a judgment does not imply that that\r\nassessment is an absolute certainty or fact. The judgment still has a marginal probability of being\r\ninaccurate.\r\nModerate Confidence: Judgments are based on information that is credibly sourced and plausible, but not\r\nof sufficient quantity or corroborated sufficiently to warrant a higher level of confidence. 
This level of\r\nconfidence is used to express that judgments carry an increased probability of being incorrect until more\r\ninformation is available or corroborated.\r\nLow Confidence: Judgments are made where the credibility of the source is uncertain, the information is\r\ntoo fragmented or poorly corroborated enough to make solid analytic inferences, or the reliability of the\r\nsource is untested. Further information is needed for corroboration of the information or to fill known\r\nintelligence gaps.\r\nEndnotes\r\n1. https\u003c:\u003e//www.colpipe\u003c.\u003ecom/news/press-releases/media-statement-colonial-pipeline-system-disruption\r\n2. https\u003c:\u003e//www.fbi\u003c.\u003egov/news/pressrel/press-releases/fbi-statement-on-compromise-of-colonial-pipeline-networks\r\n3. https\u003c:\u003e//www.justice\u003c.\u003egov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside\r\nAdditional Resources\r\nFor more intel about CARBON SPIDER, visit the CrowdStrike Adversary Universe.\r\nTo find out how to incorporate intelligence on threat actors into your security strategy, visit the\r\nCROWDSTRIKE FALCON® INTELLIGENCE™ Threat Intelligence page.\r\nLearn about the powerful, cloud-native CrowdStrike Falcon® platform by visiting the product webpage.\r\nGet a full-featured free trial of CrowdStrike Falcon® Prevent™ to see for yourself how true next-gen AV\r\nperforms against today’s most sophisticated threats.\r\nSource: https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/"
	],
	"report_names": [
		"carbon-spider-embraces-big-game-hunting-part-2"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8610b0d9-a6af-4010-818f-28671efc5d5e",
			"created_at": "2023-01-06T13:46:38.897477Z",
			"updated_at": "2026-04-10T02:00:03.138459Z",
			"deleted_at": null,
			"main_name": "PINCHY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:PINCHY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c84bbd2e-003d-4c43-8a46-d777455db2c7",
			"created_at": "2022-10-25T15:50:23.701006Z",
			"updated_at": "2026-04-10T02:00:05.378962Z",
			"deleted_at": null,
			"main_name": "GOLD SOUTHFIELD",
			"aliases": [
				"GOLD SOUTHFIELD",
				"Pinchy Spider"
			],
			"source_name": "MITRE:GOLD SOUTHFIELD",
			"tools": [
				"ConnectWise",
				"REvil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9df68733-9bcd-43b1-88f1-24b110fa3d56",
			"created_at": "2022-10-25T16:07:24.051993Z",
			"updated_at": "2026-04-10T02:00:04.851037Z",
			"deleted_at": null,
			"main_name": "Pinchy Spider",
			"aliases": [
				"G0115",
				"Gold Garden",
				"Gold Southfield",
				"Pinchy Spider"
			],
			"source_name": "ETDA:Pinchy Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"GandCrab",
				"GrandCrab",
				"REvil",
				"Sodin",
				"Sodinokibi",
				"VIDAR",
				"Vidar Stealer",
				"certutil",
				"certutil.exe",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434498,
	"ts_updated_at": 1775792102,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1d377ee130cef19e763baf5e5814ece14b4a47ca.pdf",
		"text": "https://archive.orkl.eu/1d377ee130cef19e763baf5e5814ece14b4a47ca.txt",
		"img": "https://archive.orkl.eu/1d377ee130cef19e763baf5e5814ece14b4a47ca.jpg"
	}
}