{
	"id": "70ece3ec-9e64-4efe-a620-5f96b62d6519",
	"created_at": "2026-04-06T00:19:03.222066Z",
	"updated_at": "2026-04-10T03:25:27.240051Z",
	"deleted_at": null,
	"sha1_hash": "42b02a0dcc4875973a4e544afd2f7bc0d22bd4ca",
	"title": "Threat Signal Report | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38521,
	"plain_text": "Threat Signal Report | FortiGuard Labs\r\nArchived: 2026-04-02 11:50:39 UTC\r\nFortiGuard Labs is aware of a report that the Blacktail threat actor exploited the recently patched PaperCut\r\nvulnerability (CVE-2023-27350) to distribute the Windows version of Buhti ransomware. The IBM Aspera Faspex\r\ncode execution vulnerability (CVE-2022-47986) is also reportedly being exploited by the same threat actor.\r\nWhy is this Significant?\r\nThis is significant because the Blacktail threat actor reportedly exploited the recently patched PaperCut\r\nvulnerability to deploy the Windows version of Buhti ransomware. As such, the patch should be applied as soon as\r\npossible.\r\nWhat is Buhti Ransomware?\r\nBuhti is a ransomware variant that was first spotted in February 2023 and is designed to encrypt files on\r\ncompromised machines. Blacktail, the threat actor behind the Buhti ransomware, is believed to use a unique data\r\nexfiltration tool to steal various files prior to ransomware deployment. The group demands ransom from victims\r\nfor file decryption and to stop the stolen files from being made available to the public.\r\nBlacktail reportedly exploited the PaperCut MF/NG Improper Access Control vulnerability (CVE-2023-27350) to\r\ndistribute the Windows version of Buhti ransomware, which is believed to be based on leaked Lockbit 3.0\r\nransomware code. Another Buhti variant supports Linux platforms and is based on the leaked Babuk ransomware\r\ncode.\r\nAnother report indicates that the Blacktail group also exploited the IBM Aspera Faspex code execution\r\nvulnerability (CVE-2022-47986).\r\nWhat is the PaperCut Vulnerability (CVE-2023-27350)?\r\nCVE-2023-27350 is an authentication bypass vulnerability in PaperCut NG due to improper access control in the\r\nvulnerable application. 
An unauthenticated, remote attacker may be able to exploit this via a crafted request.\r\nSuccessful exploitation could lead to arbitrary code execution within the security context of the affected system.\r\nCISA added CVE-2023-27350 to the Known Exploited Vulnerabilities catalog on April 21st, 2023.\r\nFortiGuard Labs published an Outbreak Alert for the PaperCut vulnerability. Please see the Appendix for a link to\r\n\"Outbreak Alert: PaperCut MF/NG Improper Access Control Vulnerability\".\r\nWhat is the IBM Aspera Faspex code execution vulnerability (CVE-2022-47986)?\r\nCVE-2022-47986 is a code execution vulnerability in IBM Aspera Faspex stemming from improper handling of\r\nuser requests. A remote attacker could exploit this vulnerability by sending a crafted message to the target system.\r\nSuccessfully exploiting this vulnerability could result in remote code execution.\r\nhttps://fortiguard.fortinet.com/threat-signal-report/5170\r\nPage 1 of 2\n\nCISA added CVE-2022-47986 to the Known Exploited Vulnerabilities catalog on February 21st, 2023.\r\nFortiGuard Labs published an Outbreak Alert for the IBM Aspera Faspex code execution vulnerability. Please see the\r\nAppendix for a link to \"Outbreak Alert: IBM Aspera Faspex Code Execution Vulnerability\".\r\nWhat is the Status of Protection?\r\nFortiGuard Labs has the following AV signatures in place for the known Buhti ransomware samples:\r\nLinux/Filecoder.BQ!tr\r\nW32/Lockbit.K!tr.ransom\r\nFortiGuard Labs has the following IPS signatures in place for CVE-2023-27350 and CVE-2022-47986\r\nrespectively:\r\nPaperCut.NG.SetupCompleted.Authentication.Bypass\r\nIBM.Aspera.Faspex.CVE-2022-47986.Remote.Code.Execution\r\nOutbreak Alert\r\nIBM Aspera Faspex could allow a remote attacker to execute code on the system, caused by a YAML\r\ndeserialization flaw. 
By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to\r\nexecute arbitrary code on the system.\r\nCVE-2023-27350 allows an unauthenticated attacker to achieve Remote Code Execution (RCE) on a PaperCut\r\nApplication Server. The vulnerability exists within the SetupCompleted class and, according to the vendor, this could\r\nbe achieved remotely and without the need to log in.\r\nView the full Outbreak Alert Report\r\nSource: https://fortiguard.fortinet.com/threat-signal-report/5170",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://fortiguard.fortinet.com/threat-signal-report/5170"
	],
	"report_names": [
		"5170"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a9670e60-de2b-4c77-97ea-28e73f92902a",
			"created_at": "2023-11-30T02:00:07.264397Z",
			"updated_at": "2026-04-10T02:00:03.480707Z",
			"deleted_at": null,
			"main_name": "Blacktail",
			"aliases": [],
			"source_name": "MISPGALAXY:Blacktail",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434743,
	"ts_updated_at": 1775791527,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/42b02a0dcc4875973a4e544afd2f7bc0d22bd4ca.pdf",
		"text": "https://archive.orkl.eu/42b02a0dcc4875973a4e544afd2f7bc0d22bd4ca.txt",
		"img": "https://archive.orkl.eu/42b02a0dcc4875973a4e544afd2f7bc0d22bd4ca.jpg"
	}
}