{
	"id": "67546b0b-65fe-449b-939f-1eda1be97659",
	"created_at": "2026-04-06T00:19:44.219147Z",
	"updated_at": "2026-04-10T13:11:55.060738Z",
	"deleted_at": null,
	"sha1_hash": "45b3a2b13d89774c21f20c58ae99fdbc196af64a",
	"title": "BlackCat plays with malvertising traps to lure corporate victims",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49726,
	"plain_text": "BlackCat plays with malvertising traps to lure corporate victims\r\nBy Connor Jones\r\nPublished: 2023-11-16 · Archived: 2026-04-05 23:39:19 UTC\r\nUpdated\r\nAffiliates of the ALPHV/BlackCat ransomware-as-a-service operation are turning to malvertising campaigns to establish an initial foothold in their victims' systems.\r\nPaid adverts for popular business software such as Slack and Cisco AnyConnect are being used to lure corporate victims into downloading malware that in turn leads to ransomware deployment.\r\nRather than downloading the legitimate software, victims are instead infected with Nitrogen malware – an initial-access payload that can be used to launch second-stage attacks, such as the deployment of ransomware.\r\neSentire's Threat Response Unit (TRU) says it was engaged after affiliates of the ransomware group targeted its customers on multiple occasions.\r\nThe Nitrogen malware campaign was first observed in June, but the tactic of malvertising associated with Nitrogen is new.\r\n\"Nitrogen is initial-access malware that leverages Python libraries for stealth,\" says Keegan Keplinger, senior threat intelligence researcher with TRU, in its report. \"This foothold provides intruders with an initial entry into the target organization's IT environment.\r\n\"Once the hackers have that initial foothold, they can then infect the target with the malware of their choosing. In the case with this attack campaign, the target victims are being infected with the ALPHV/BlackCat ransomware.\"\r\nAccording to TRU, building the malware on Python libraries lets the attackers blend more easily into an organization's normal activity, since Python is so ubiquitous in corporate environments. Additional obfuscation techniques further delay defenders in spotting the malicious activity.\r\neSentire says it stopped the BlackCat ransomware attack before it unfolded, but the company has a special resentment for the group owing to its previous, \"despicable\" methods.\r\nNot only is the group known for its willingness to target victims in the healthcare sector, activity that's considered off-limits even for some criminals, in July it also tried to extort one healthcare network by posting topless images of breast cancer patients. The same tactic was repeated recently by the Hunters International group.\r\nAmong its other major scalps claimed this year are social media giant Reddit, Seiko Group, and Barts Health NHS Trust – the latter another example of healthcare attacks.\r\nThe group has also shown its continued ambition to evolve and strengthen over time. It recently broke its rule on partnering with English-speaking cybercriminals after welcoming Octo Tempest into its affiliate program.\r\nOcto Tempest's expertise in SIM swapping, SMS phishing, and advanced English-language social engineering campaigns was enough to seduce BlackCat, supposedly with a view to opening up its pool of potential targets.\r\nMalvertising scourge\r\nMalvertising has grown in popularity among cybercriminals in the past few years, with Google often addressing the issue reactively rather than proactively.\r\nSecurity researcher Will Dormann posted a lengthy thread to X earlier this year criticizing Google's apparent lack of action in preventing malicious ads from appearing in Search results.\r\nIt followed a widely publicized case of a cryptocurrency influencer downloading what they thought was a copy of the OBS streaming software. The download turned out to be malware, and their NFT (remember those?) wallet was then raided.\r\nAmong the many criticisms was the suggestion that Google didn't run links through the VirusTotal platform, which it owns, before approving them for display.\r\nIn a number of examples listed by Dormann, searches displayed links that led to known malicious payloads detected by various security vendors.\r\nNumerous malware campaigns used malvertising for attacks throughout the year. HP Wolf Security's report from January found a notable increase in malvertising activity, especially toward the end of 2022.\r\nIt found a variety of campaigns making use of search engine ads to promote their payloads, including IcedID, BatLoader, and Rhadamanthys Stealer. Weeks later, SentinelOne alerted the community to .NET malware loaders using the same method.\r\nRecently, in its Digital Defense Report, Microsoft attributed Magniber ransomware deployments to the Russian cybercrime group it tracks as Storm-0381, which relies heavily on malvertising.\r\nUpdated on November 17 to add:\r\nA Google spokesperson told The Register: \"We don’t allow ads on our platform that contain malicious software. We’ve reviewed the report in question and taken action where appropriate. We continue to see bad actors operate with more sophistication and at a greater scale, using a variety of tactics to evade our detection.\r\n\"We invest heavily in our ads safety efforts and have a team of thousands working around the clock to enforce our policies at scale.\"\r\nSource: https://www.theregister.com/2023/11/16/blackcat_ransomware_luring_corporate_targets/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.theregister.com/2023/11/16/blackcat_ransomware_luring_corporate_targets/"
	],
	"report_names": [
		"blackcat_ransomware_luring_corporate_targets"
	],
	"threat_actors": [
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eb01bdec-5c18-4479-b343-cf58076dacf1",
			"created_at": "2024-08-10T02:02:56.273673Z",
			"updated_at": "2026-04-10T02:00:03.773129Z",
			"deleted_at": null,
			"main_name": "GOLD CRESCENT",
			"aliases": [
				"Hunters International",
				"World Leaks"
			],
			"source_name": "Secureworks:GOLD CRESCENT",
			"tools": [
				"Hunters International",
				"SharpRhino"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest",
				"Roasted 0ktapus",
				"Scatter Swine",
				"Scattered Spider",
				"UNC3944"
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d469e41f-08d5-428a-8d2a-74895bf68519",
			"created_at": "2024-02-02T02:00:04.078321Z",
			"updated_at": "2026-04-10T02:00:03.554166Z",
			"deleted_at": null,
			"main_name": "Storm-0381",
			"aliases": [
				"DEV-0381"
			],
			"source_name": "MISPGALAXY:Storm-0381",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434784,
	"ts_updated_at": 1775826715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/45b3a2b13d89774c21f20c58ae99fdbc196af64a.pdf",
		"text": "https://archive.orkl.eu/45b3a2b13d89774c21f20c58ae99fdbc196af64a.txt",
		"img": "https://archive.orkl.eu/45b3a2b13d89774c21f20c58ae99fdbc196af64a.jpg"
	}
}