{
	"id": "6a41a2f9-b8aa-4886-992c-4d1713212eb2",
	"created_at": "2026-04-06T00:21:32.919998Z",
	"updated_at": "2026-04-10T03:20:31.981761Z",
	"deleted_at": null,
	"sha1_hash": "454b81f972afd8354b8f1a62cb7e9ef0c69805f0",
	"title": "BlackShades in Syria",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 525312,
	"plain_text": "BlackShades in Syria\r\nBy Adam Kujawa\r\nPublished: 2012-06-20 · Archived: 2026-04-05 21:46:24 UTC\r\nAs reported by the Electronic Frontier Foundation (EFF) earlier this week, a new Trojan is being spread to Syrian activists in an attempt to employ electronic surveillance on the group and its members. This Trojan is none other than the BlackShades RAT I blogged about last week as Part 2 of a series on different RATs found in the wild. As it turns out, DarkComet, the subject of the first post in that series, has also been used against the activists in the past.\r\nBackground\r\nSyria is currently undergoing a very serious and bloody internal war between the government and the opposition forces or activists who want to see the tyranny and injustice shown by the country’s top leaders come to an end. I cannot speak about it in detail but can only refer you to this video by CNN which explains everything very well up to now:\r\nSyria: How a year of horror unfolded (CNN)\r\nBeyond attempting to squash opposition on the ground with the use of tanks and guns, attempts have been made to do the same thing in the cyber arena, by pitting people against each other and destroying communication, while at the same time collecting vital information on the communications of the activists. In order to accomplish this, three types of Remote Access Trojans/Tools have been used against the activists with various methods of infection.\r\nInfection\r\nAccording to the EFF, the hackers who have been infecting the systems of the Syrian activists are the same ones who had previously been infecting them with DarkComet. They accomplished this by leading the victims to a fake YouTube video page with anti-government opposition themes. Upon accessing these pages, the victim was required to download and install an Adobe Flash Update; however, the updater executable was actually a DarkComet implant in disguise. The page also allowed victims to log in with their real YouTube credentials to leave comments, at which point the credentials would be stolen and used against the activists, possibly to spread the fake YouTube video to any contacts.\r\nhttps://blog.malwarebytes.com/threat-analysis/2012/06/blackshades-in-syria/\r\nPage 1 of 6\n\nThis image is from the EFF report on Fake Youtube Pages used to infect Syrian Activists:\r\nhttps://www.eff.org/deeplinks/2012/03/fake-youtube-site-targets-syrian-activists-malware\r\nThe new infection method used with BlackShades includes distributing the implants through Skype as a “.pif” file. The EFF was able to document this based on a sample of the malware obtained by an officer of the Free Syrian Army through his Skype account. After downloading and executing the file, it automatically infected his system and sent out the same link to the file as he received, which described the download as an “Important Video”, to all of his contacts.\r\nEvading Detection\r\nAs I mentioned in the blog post, BlackShades NET has the ability to create implant binaries which employ custom obfuscation algorithms or Crypters, which can be bought through the Bot/Crypter marketplace embedded in the BlackShades controller. The implant sample collected from infected systems of the Syrian activists uses one of these custom Crypters in order to hide the implant binary from detection.\r\nAccording to Citizen Lab, a laboratory at the University of Toronto who conducted an in-depth analysis of the collected implant sample, at the time they released their results online the malware variant was undetected by any of the antivirus engines used by VirusTotal. However, thanks to the diligence and observations of the researchers at Malwarebytes, the samples noted as ‘Undetected’ by Citizen Lab were being detected by Malwarebytes Anti-Malware definitions 9 days before the release of the Citizen Lab report on June 7th.\r\nImplant Infection Breakdown:\r\nThe exact technical details about the infection can be found in the reports from the EFF and Citizen Lab. To summarize a very interesting and technical explanation:\r\nOnce downloaded and executed, the “.pif” file drops multiple files into:\r\nThe User “Templates” directory\r\nThe User “Temp” directory\r\nThe malware then creates multiple registry entries which serve the purpose of allowing the dropped files access to the internet without being stopped by the local Windows firewall\r\nThe malware establishes persistence (so it will start again if the system is rebooted) by creating an “AutoRun” registry key for one particular dropped file named “VSCover.exe”\r\n“VSCover.exe” runs an internal decryption algorithm which reveals the hidden BlackShades implant executable\r\nInitially the implant beacons to TCP port 4444 on the host alosh55.myftp.org\r\nIt is important to note that alosh55 follows a similar naming convention to the beacon address for the previously used DarkComet RAT which, according to Citizen Lab, was alosh66. This connection, in addition to their finding that both alosh55 and alosh66 pointed to the same IP address for consecutive days, allowed for the conclusion that both the earlier attacks with the DarkComet RAT and the new ones with the BlackShades RAT are being performed by the same actor.\r\nPersonal Observations\r\nTo start off with, obviously the hackers using BlackShades NET for their nefarious espionage purposes have violated the terms of use agreement:\r\nThey may have voided their warranty.\r\nEFF mentioned that one of the capabilities of BlackShades is installing a keylogger and a screenshot grabber; we know that these are only the minor capabilities of BlackShades. However, taking that into consideration, what can happen if the information obtained from using these types of functionality were put in the wrong hands? I created a list of what that info is and what it can be used for in the hands of state-sponsored hackers:\r\nKeylogging:\r\nKeylogging is one of the simple features available to BlackShades users; however, unlike most keyloggers, the BlackShades interface allows for a very understandable feed of key presses by the infected user. Using this functionality, hackers can obtain:\r\nLogin credentials for chat clients, forums, social networking accounts, bank information, etc.\r\nThe hacker or group of hackers behind the attacks can pose as the activists, as they have in the past, not only to spread more malware but also to inject doubt or worry into the group, defeating morale or ending discussions on particular plans of action.\r\nThe text of emails being sent between activists and the text of the chat sessions between them\r\nThis information can be used to obtain plans for activist rallies and any anti-government actions taken by the Free Syrian Army, essentially being able to predict when and how they will happen and come up with a plan to stop them before they even start.\r\nThis information can also be used to blackmail activists into giving up information on other activists or their activities. It can also be used to paint a negative picture of the activists to the public by taking their words or plans out of context. Already the President of Syria refers to the opposition forces as “Criminal Terrorists”; revealing text or actions from the opposition in the wrong light might just back up that claim to the non-combatant public.\r\nRemote Controlling:\r\nWe know that BlackShades has the capability to remotely control a system by taking over the input of the user. Combined with other features of BlackShades, the hacker has the ability to:\r\nDisable any sort of antivirus protection against further malware\r\nSteal files and documents from the victim’s system\r\nReroute network traffic\r\nMonitor the activities of the victim while using the system\r\nWebcam Viewing:\r\nWhile being able to remotely activate and monitor the webcam attached to a computer allows a hacker to invade user privacy on many levels, I can think of only a few uses to government sponsored hackers:\r\nObtaining a visual identification of any persons using a system flagged as being used by activists\r\nObtaining intelligence on the kinds of resources which might be discussed or revealed in front of a webcam.\r\nDetermining the possible location of the system\r\nCertain features available to the BlackShades RAT allow it to pinpoint, to a certain level, the location of the infected system based upon the IP address being used. However, if one was able to determine a near location of the system and then narrow it down based upon visual cues, for example if the victim was on a laptop outside, then the probability of finding the exact location would increase drastically\r\nBlackShades includes many more features which would be useful to government sponsored hackers, including:\r\nActivating a Ransomware functionality which would encrypt all the files on the system\r\nUsing the infected system as a proxy for all traffic; this could be used to frame a user by forcing them to visit websites or perform cyber-attacks against their will.\r\nHost torrent files; imagine if the next variation of the espionage malware was downloaded from one of the victim systems belonging to the enemy\r\nListen in to any conversations or sounds around the area of the infected system’s microphone\r\nAnd many more…\r\nIf you are curious about any further functionality of BlackShades, please check out my blog post from last week:\r\nYou Dirty RAT Part 2: BlackShades NET\r\nProtecting Yourself\r\nUnlike Flame, which had little likelihood of reaching the general public and being a threat to the normal person, BlackShades is a very real threat to the average user. This is because it isn’t only used in political or international conflicts; it is used on the everyday person to steal information, spy and exploit people every day. My BlackShades blog post goes into some detail about how to most effectively protect your system from being compromised by a BlackShades implant. In addition, the EFF included a portion of their report on how to protect yourself from this threat and I encourage you to check it out.\r\nAs stated previously, Malwarebytes Anti-Malware was able to detect the obfuscated BlackShades implants 9 days before the release of the Citizen Lab report. In saying that, Malwarebytes Anti-Malware works in conjunction with pre-existing antivirus software to add a second layer of protection against new and upcoming threats. If you are concerned with the possibility of being infected by this or a similar type of malware, please download and install, at the very least, the free version of Malwarebytes Anti-Malware to protect your information.\r\nHow bad are these guys?\r\nWhile writing this I couldn’t help but consider a few things that threw up some flags for me and I thought would be interesting to share. Namely it was about the choices made by the hackers in their design and execution of their attacks compared to the espionage efforts of other, more developed countries.\r\nPort 4444\r\nWhile we didn’t go into it very deeply in my BlackShades blog post, port 4444 is set as the default transfer port, and according to Citizen Lab, it was the port they saw being used by BlackShades to connect to its C2 server. This means that regardless of all the obfuscation used by the hackers to hide the implant binary, they are still using at least some of the default settings for the implants themselves. This is usually a sign of a lack of experience using this kind of tool or a lack of concern for using the tool correctly.\r\nDarkComet / BlackShades NET\r\nDespite BlackShades being a pretty mean piece of software, you still have to wonder about the fact that a state-sponsored hacker or hacker group is using freely available malware that is more often seen in the hands of Script Kiddies and organized cyber-crime organizations. There is a small price ($40) for BlackShades and of course however much they paid for the Crypters, but DarkComet is completely free! Over the past few weeks, we have seen the most intricate piece of spy malware ever developed (Flame) being used for cyber espionage purposes against the infrastructure of developed countries, and then we look at the poverty-stricken government of Syria and see over-the-counter RATs being used. It is clear that even in cyber war, the more developed countries have better weapons while the poorer countries use whatever they can get their hands on.\r\nConclusion\r\nThe hackers behind the attacks and infection of Syrian activists are not employing sophisticated methods of espionage and infection but only the same tactics as the average cybercriminal. The fact that default settings and publicly used RATs are being used means that the hackers are not especially skilled in cyber espionage and are just using what they can in order to get the most results.\r\nIn addition, this is just one case of publicly available malware being used beyond the purposes it was ever intended for. A while ago, when speaking about Flame, I asked the question “How much super malware could really be out there?” In this instance, I ask: ‘How much publicly available and widely used malware is being used every day for purposes of great importance, such as war or cyber-espionage on a corporate or international level?’ Lucky for us, there are only so many ways to mask a variant of the same malware; as long as we know about it, we can fight it.\r\nReferences:\r\n1. /blog/intelligence/2012/06/you-dirty-rat-part-2-blackshades-net/\r\n2. https://www.eff.org/deeplinks/2012/06/darkshades-rat-and-syrian-malware\r\n3. https://www.eff.org/deeplinks/2012/03/fake-youtube-site-targets-syrian-activists-malware\r\n4. https://citizenlab.org/2012/06/syrian-activists-targeted-with-blackshades-spy-software/\r\n5. http://edition.cnn.com/2012/02/17/tech/web/computer-virus-syria/index.html\r\n6. http://blog.trendmicro.com/fake-skype-encryption-software-cloaks-darkcomet-trojan/\r\n7. https://threatpost.com/en_us/blogs/syrian-dissidents-hit-another-wave-targeted-attacks-062012\r\nAbout the author\r\nOver 14 years of experience fighting malware on the front lines and behind the scenes. Frequently anachronistic.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2012/06/blackshades-in-syria/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2012/06/blackshades-in-syria/"
	],
	"report_names": [
		"blackshades-in-syria"
	],
	"threat_actors": [],
	"ts_created_at": 1775434892,
	"ts_updated_at": 1775791231,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/454b81f972afd8354b8f1a62cb7e9ef0c69805f0.pdf",
		"text": "https://archive.orkl.eu/454b81f972afd8354b8f1a62cb7e9ef0c69805f0.txt",
		"img": "https://archive.orkl.eu/454b81f972afd8354b8f1a62cb7e9ef0c69805f0.jpg"
	}
}