{
	"id": "54de1bad-8645-42db-9841-fe69a398fedd",
	"created_at": "2026-04-06T02:13:08.143897Z",
	"updated_at": "2026-04-10T03:32:24.804244Z",
	"deleted_at": null,
	"sha1_hash": "4eadcac034c8cf281961264d05ee1c63dead5953",
	"title": "BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 626708,
	"plain_text": "BlackByte blends tried-and-true tradecraft with newly disclosed\r\nvulnerabilities to support ongoing attacks\r\nBy James Nutland\r\nPublished: 2024-08-28 · Archived: 2026-04-06 02:00:50 UTC\r\nWednesday, August 28, 2024 06:00\r\nThe BlackByte ransomware group continues to leverage tactics, techniques and procedures (TTPs) that\r\nhave formed the foundation of its tradecraft since its inception, continuously iterating its use of vulnerable\r\ndrivers to bypass security protections and deploying a self-propagating, wormable ransomware encryptor.\r\nIn recent investigations, Talos IR has also observed BlackByte using techniques that depart from their\r\nestablished tradecraft, such as exploiting CVE-2024-37085 – an authentication bypass vulnerability in\r\nVMware ESXi – shortly after it was disclosed and using a victim’s authorized remote access mechanism\r\nrather than deploying a commercial remote administration tool like AnyDesk.\r\nTalos IR observed a new iteration of the BlackByte encryptor that appends the file extension\r\n“blackbytent_h” to encrypted files, drops four vulnerable driver files compared to the previously observed\r\nthree, and uses victim Active Directory credentials to self-propagate.\r\nTalos also assesses that the BlackByte group is more active than its data leak site may imply, where only 20\r\nto 30 percent of successful attacks result in an extortion post.\r\nBlackByte is a ransomware-as-a-service (RaaS) group believed to be an offshoot of the infamous Conti\r\nransomware group. First observed in mid- to late-2021, their tradecraft includes the use of vulnerable drivers to\r\nbypass security controls, deployment of self-propagating ransomware with worm-like capabilities, and the use of\r\nknown-good system binaries (LoLBins) and other legitimate commercial tools as part of their attack chain. 
\r\nhttps://blog.talosintelligence.com/blackbyte-blends-tried-and-true-tradecraft-with-newly-disclosed-vulnerabilities-to-support-ongoing-attacks/\r\nPage 1 of 10\n\nBlackByte has reengineered its ransomware binary over time, with versions written in Go, .NET, C++, or a\r\ncombination of these languages. The group’s apparent efforts to continuously improve its tooling, operations and\r\neven its data leak site are well-documented.\r\nDuring investigation of a recent BlackByte attack, Cisco Talos Incident Response (Talos IR) and Talos threat\r\nintelligence personnel noted close similarities between indicators of compromise (IOCs) discovered during the\r\ninvestigation and other events flagged in Talos’ global telemetry. Further investigation of these similarities\r\nprovided additional insights into BlackByte’s current tradecraft and revealed that the group has been significantly\r\nmore active than would appear from the number of victims published on its data leak site.\r\nTechnical details\r\nInitial access\r\nDuring Talos IR’s investigation into a recent BlackByte ransomware attack, the threat actor gained initial access\r\nusing valid credentials to access the victim organization’s VPN. 
Limits in telemetry and loss of evidence following\r\nthe ransomware encryption event prevented Talos IR from determining whether the credentials were obtained\r\nthrough brute-forcing of the VPN interface or had already been known by the adversary prior to the attack.\r\nHowever, Talos IR has moderate confidence that brute-force authentication facilitated via internet scanning was\r\nthe initial access vector based on the following observations:\r\nThe initial account compromised by the adversary had a basic naming convention and, reportedly, a weak\r\npassword.\r\nThe VPN interface may have allowed a domain account to authenticate without multi-factor authentication\r\n(MFA) if the target account had a specific Active Directory configuration.\r\nBlackByte has a history of scanning for and exploiting public-facing vulnerabilities, such as the ProxyShell\r\nvulnerability in Microsoft Exchange server.\r\nGiven BlackByte’s history of exploiting public-facing vulnerabilities for initial access, the use of VPN for remote\r\naccess may represent a slight shift in technique or could represent opportunism. The use of the victim’s VPN for\r\nremote access also affords the adversary other advantages, including reduced visibility from the organization’s\r\nEDR.\r\nReconnaissance and enumeration\r\nAfter gaining initial access to the environment, the adversary managed to escalate privileges by compromising\r\ntwo Domain Admin-level accounts. One of these accounts was used to access the organization’s VMware vCenter\r\nserver and, shortly after, create Active Directory domain objects for individual VMware ESXi hypervisors,\r\neffectively joining those hosts to the domain. 
The same account was then used to create and add several other\r\naccounts to an Active Directory group called \"ESX Admins.\" Talos IR assesses that this user group was created to\r\nexploit CVE-2024-37085, an authentication bypass vulnerability in VMware ESXi known to be used by multiple\r\nransomware groups. Successful exploitation of this vulnerability grants members of a specific Active Directory\r\ngroup elevated privileges on an ESXi host, allowing for control over virtual machines (VMs), the ability to modify\r\nthe host server’s configuration, and access to system logs, diagnostics and performance monitoring tools. \r\nTalos IR observed the threat actor leveraging this vulnerability, which initially received limited attention from the\r\nsecurity community, within days of its publication. This highlights the speed with which ransomware groups like\r\nBlackByte can adapt their TTPs to incorporate newly disclosed vulnerabilities, and the level of time and effort put\r\ninto identifying potential avenues for advancing an attack. \r\nThe threat actor accessed other systems, directories and files within each victim environment using protocols such\r\nas Server Message Block (SMB) and Remote Desktop Protocol (RDP). Analysis of system event and\r\nauthentication logs revealed a consistent pattern where the threat actor primarily leveraged NT LAN Manager\r\n(NTLM) for authentication, while organizational users primarily used Kerberos. This early NTLM activity could\r\nreflect authentication attacks such as pass the hash for lateral movement. Dynamic analysis of the ransomware\r\nbinary later revealed consistent use of NTLM for authentication by that file, as well.\r\nTalos IR also observed the execution of a file called “atieclxx.exe” from the “C:\\temp\\sys\\” directory on one of the\r\nfile servers. 
The legitimate version of “atieclxx.exe” can normally be found in the “C:\\Windows\\System32”\r\ndirectory, where it supports system processes associated with AMD graphics cards. However, during the\r\ninvestigation of one BlackByte attack, “atieclxx.exe” was executed from the “C:\\temp\\sys” directory with the\r\ncommand `atieclxx.exe P@$$w0rd123!!!`. Since BlackByte actors are known to favor the string “P@$$w0rd”\r\nwhen setting account passwords and as input parameters for custom tooling, this syntax may indicate efforts to\r\ndisguise malware – such as their custom data exfiltration tool, ExByte – as a known or legitimate file. Talos IR\r\ncould not obtain a copy of the file for analysis.\r\nFinally, the threat actor was observed tampering with security tool configurations via system registry\r\nmodifications, manually uninstalling EDR from multiple key systems, and, in one investigation, changing the root\r\npassword for the organization’s ESXi hosts. Immediately prior to the first sign of file encryption, increased\r\nvolumes of NTLM authentication and SMB connection attempts were observed between dozens of systems in the\r\nenvironment. This activity was later understood to be characteristic of the ransomware’s self-propagating\r\nmechanism. \r\nData exfiltration\r\nLimitations in available telemetry, the effect of the ransomware encryption process, and the adversary’s off-network staging location during Talos IR’s investigation prevented a high-confidence assessment of data\r\nexfiltration methods, and whether exfiltration took place at all. As noted in previous sections, the possible use of\r\nBlackByte’s custom data exfiltration tool, ExByte, was observed, but could not be confirmed.\r\nRansomware execution\r\nSimilarities to prior reports\r\nIn recent cases, the BlackByte ransomware binary, “host.exe,” was executed from the same directory –\r\n“C:\\Windows” – across all victims investigated by Talos IR. 
The command syntax used by the adversary during\r\neach attack – `C:\\Windows\\host.exe -s [8-digit numeric string] svc` – and the behavior of the ransomware binary\r\nare consistent with previous analysis of the BlackByteNT binary by Microsoft, DuskRise, Acronis and others.\r\nObserved commonalities included: \r\nThe ransomware binary will not execute without the correct eight-digit numeric string passed to the “-s”\r\nparameter. This eight-digit string was the only part of the command syntax that differed between victims.\r\nIn one attack, the adversary used two different encryptors sequentially, each with its own “-s” parameter\r\nvalue, though it was not clear why multiple encryptors were employed.\r\nThe “svc” parameter causes the ransomware to install itself as a service, which appeared to convert an\r\ninfected system into an additional spreader as part of the ransomware’s wormable behavior. Subsequent\r\nSMB and NTLM authentications were observed against reachable hosts after the ransomware service was\r\ncreated, resulting in multiple waves of encryption hours after the initial event.\r\nThe ransomware binary creates and operates primarily out of the “C:\\SystemData” directory. 
Several\r\ncommon files are created in this directory across all BlackByte victims, including a text file called\r\n“MsExchangeLog1.log”, which appears to be a process tracking log where execution milestones are\r\nrecorded as comma-separated “q”, “w”, and “b” values as shown in the following screenshot.\r\nFigure 1: MsExchangeLog1.log contents mid-execution\r\nUpon successful execution, the ransomware binary executed the command `/c ping 1.1.1[.]1 -n 10 \u003e Nul \u0026\r\nfsutil file setZeroData offset=0 length=503808 c:\\windows\\host.exe \u0026 Del c:\\windows\\host.exe /F /Q`\r\nwhich, after a delay, zeroes the contents of the file and deletes itself. This general command structure has\r\nbeen observed across various BlackByte tools since 2022.\r\nNovel observations\r\nTalos observed some differences in the recent BlackByte attacks. Most notably, encrypted files across all victims\r\nwere rewritten with the file extension “blackbytent_h”, which has not yet appeared in public reporting. \r\nThis newer version of the encryptor also drops four vulnerable drivers as part of BlackByte’s usual Bring Your\r\nOwn Vulnerable Driver (BYOVD) technique, which is an increase from the two or three drivers described in\r\nprevious reports. The four drivers were dropped by the encryptor binary in all BlackByte attacks investigated by\r\nTalos IR, each with a similar naming convention – eight random alphanumeric characters followed by an\r\nunderscore and an iterating number value. 
Using “AM35W2PH” as a fictitious example, the vulnerable drivers\r\nwould appear in the same order as:\r\n“AM35W2PH” – RtCore64.sys, a driver originally used by MSI Afterburner, a system overclocking utility.\r\n“AM35W2PH_1” – DBUtil_2_3.sys, a driver that is part of the Dell Client firmware update utility.\r\n“AM35W2PH_2” – zamguard64.sys, a driver that is part of the Zemana Anti-Malware (ZAM) application.\r\n“AM35W2PH_3” – gdrv.sys, a driver that is part of the GIGABYTE Tools software package for\r\nGIGABYTE motherboards.\r\nThe inclusion of the “zamguard64.sys” file, which is also known as “Terminator,” is particularly interesting\r\nbecause of recent reporting from other security researchers about its prevalence and also because the ransomware\r\nbinary created two service-related registry keys associated with that file during execution, then deleted them later\r\nin the execution process. Using the same fictitious string above, those registry keys would be:\r\n·      HKLM\\SYSTEM\\CONTROLSET001\\SERVICES\\AM35W2PH_2\r\n·      HKLM\\SYSTEM\\CONTROLSET001\\SERVICES\\AM35W2PH_2\\SECURITY \r\nDuring dynamic analysis of multiple BlackByte ransomware binaries, Talos found that the file attempted network\r\nshare enumeration via the ‘SRVSVC’ named pipe’s NetShareEnumAll function using specific user accounts\r\nassociated with the victim. Since this analysis was conducted in a controlled, sandboxed environment, these\r\naccounts could only appear in network traffic if they were built into the ransomware binary itself. 
This finding\r\ngives Talos high confidence that BlackByte’s per-victim customization of the ransomware encryptor includes\r\npacking some form of stolen credential into the binary to support its worm capability.\r\nFigure 2: Victim credentials observed during ransomware execution in an isolated sandbox\r\nenvironment\r\nOther behaviors of interest observed during dynamic analysis of this version of the ransomware binary included:\r\nCommunication with msdl.microsoft[.]com via IP address 204.79.197[.]219 early in the execution process.\r\nThis site is associated with the Microsoft Public Symbol Server. BlackByte tools have long been observed\r\ndownloading and saving debugging symbols directly from Microsoft.\r\nDisabling antivirus and anti-spyware protections via the HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\r\nDEFENDER registry key and adding the value “*.exe” to the\r\nHKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\EXTENSIONS registry\r\nkey.\r\nDeletion of system binaries from the “C:\\Windows\\System32” directory, including “taskmgr.exe”,\r\n“perfmon.exe”, “shutdown.exe”, and “resmon.exe”.\r\nA broad view of BYOVD use and BlackByte victimology\r\nTalos pivoted on the vulnerable drivers identified during this analysis, extrapolating findings from endpoint\r\ntelemetry to establish a strategic picture of BYOVD exposure across various industry verticals. Our findings\r\nhighlight that the professional, scientific, and technical services sectors have the greatest exposure to the observed\r\nvulnerable drivers, accounting for 15 percent of the total (see Figure 1). Analysis of the exposure reveals that\r\ncertain industries are at more risk than others, such as those that are more likely to store and/or process critical or\r\nsensitive data. 
\r\nFigure 3: Top 10 BYOVD exposure by industry vertical\r\nBlackByte’s victimology aligns with this assessment, with over 32 percent of known victims falling into the\r\nmanufacturing industry vertical.\r\nFigure 4: BlackByte victimology by industry vertical\r\nThese are likely conservative figures given the disparity between the number of victims published on BlackByte’s\r\ndata leak site over the past six to nine months and the number of victims found in telemetry and disclosed in\r\npublic reporting. It is not clear why only a limited subset – an estimated 20 to 30 percent – of BlackByte’s victims\r\nare eventually posted.\r\nImplications for defenders\r\nBlackByte’s progression in programming languages from C# to Go and subsequently to C/C++ in the latest\r\nversion of its encryptor – BlackByteNT – represents a deliberate effort to increase the malware's resilience against\r\ndetection and analysis. Complex languages like C/C++ allow for the incorporation of advanced anti-analysis and\r\nanti-debugging techniques, which have been observed across the BlackByte tooling during detailed analysis by\r\nother security researchers.\r\nThe self-propagating nature of the BlackByte encryptor creates additional challenges for defenders. The use of the\r\nBYOVD technique compounds these challenges since it may limit the effectiveness of security controls during\r\ncontainment and eradication efforts. However, since this current version of the encryptor appears to rely on built-in credentials stolen from the victim environment, an enterprise-wide user credential and Kerberos ticket reset\r\nshould be highly effective for containment. Review of SMB traffic originating from the encryptor during\r\nexecution will also reveal the specific accounts used to spread the infection across the network. 
\r\nTaking a wider view of ransomware tradecraft shows that the inherent flexibility of the overarching RaaS model\r\nallows threat actors to quickly counter new defensive strategies developed by cybersecurity experts by iterating\r\nand updating their tooling. This creates an ongoing arms race between cybercriminals and defenders. As BlackByte\r\nand other ransomware groups continue to evolve, organizations will need to invest in adaptive, resilient security\r\ncontrols and build out measures that can keep pace with a dynamic, diverse threat landscape.\r\nRecommendations for defenders\r\nImplement MFA for all remote access and cloud connections. Prioritize “verified push” as the MFA\r\nmethod over less secure options such as SMS or phone call.\r\nAudit VPN Configuration. Confirm that legacy VPN policies are removed, and that authentication\r\nattempts not matching a current VPN policy are denied by default. Restrict VPN access to only necessary\r\nnetwork segments and services, limiting exposure of critical assets like Domain Controllers. \r\nSet up alerts for any changes in privileged groups, such as the creation of new user groups or addition of\r\naccounts to domain administrators. Ensure that administrative privileges are granted only when necessary\r\nand routinely audited thereafter. A Privileged Access Management (PAM) solution may be used to\r\nstreamline control and monitoring of privileged accounts.\r\nLimit or disable the use of NTLM where possible and enforce more secure authentication methods like\r\nKerberos instead. Limit the rate of authentication attempts and failures on public-facing and internal\r\ninterfaces to prevent automated authentication scanning.\r\nDisable SMBv1 and enforce SMB signing and encryption to protect against lateral movement and\r\nmalware propagation.\r\nDeploy EDR clients to all systems throughout the environment. 
Configure an administrator password\r\non EDR clients to prevent unauthorized tampering or removal of the client.\r\nDisable vendor accounts and remote access capabilities when not actively in use.\r\nCreate detections for unauthorized configuration changes that may be made on various systems in the\r\nenvironment, including changes to Windows Defender policies, unauthorized changes to Group Policy\r\nObjects, and creation of unusual scheduled tasks and installed services.\r\nDevelop and document procedures for enterprise password reset to ensure that all user credentials can\r\nbe reset quickly and completely. Include procedures for rolling critical Kerberos tickets in this\r\ndocumentation.\r\nHarden and patch ESX hosts to reduce the attack surface of these critical servers to the extent possible\r\nand ensure that newly discovered vulnerabilities are corrected as quickly as possible.\r\nMITRE ATT\u0026CK Mapping of New TTPs\r\nTactic | Technique ID | Technique / Sub-Technique\r\nInitial Access | T1078.002 | Valid Accounts: Domain Accounts\r\nInitial Access | T1078.003 | Valid Accounts: Local Accounts\r\nDiscovery | T1018 | Remote System Discovery\r\nDiscovery | T1083 | File and Directory Discovery\r\nPersistence | T1136.002 | Create Account: Domain Account\r\nExecution | T1204 | User Execution\r\nExecution | T1569.002 | System Services: Service Execution\r\nPrivilege Escalation | T1543 | Create or Modify System Process\r\nPrivilege Escalation | T1484.001 | Domain Policy Modification\r\nPrivilege Escalation | T1484 | Domain Modification\r\nPrivilege Escalation | T1098 | Account Manipulation\r\nLateral Movement | T1021.002 | Remote Services: SMB/Windows Admin Shares\r\nLateral Movement | T1021.001 | Remote Services: Remote Desktop Protocol\r\nLateral Movement | T1210 | Exploitation of Remote Services\r\nResource Development | T1608 | Stage Capabilities\r\nDefense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools\r\nDefense Evasion | T1112 | Modify Registry\r\nDefense Evasion | T1070.004 | Indicator Removal: File Deletion\r\nDefense Evasion | T1211 | Exploitation for Defense Evasion\r\nImpact | T1529 | System Shutdown/Reboot\r\nImpact | T1486 | Data Encrypted for Impact\r\nIOCs\r\nNOTE: Certain IOCs have been withheld to prevent potential victim identification.\r\nRtCore64.sys – 01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd\r\nDBUtil_2_3.sys – 0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5\r\nzamguard64.sys – 543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91\r\ngdrv.sys – 31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427\r\nSource: https://blog.talosintelligence.com/blackbyte-blends-tried-and-true-tradecraft-with-newly-disclosed-vulnerabilities-to-support-ongoing-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://blog.talosintelligence.com/blackbyte-blends-tried-and-true-tradecraft-with-newly-disclosed-vulnerabilities-to-support-ongoing-attacks/"
	],
	"report_names": [
		"blackbyte-blends-tried-and-true-tradecraft-with-newly-disclosed-vulnerabilities-to-support-ongoing-attacks"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4e453d66-9ecd-47d9-b63a-32fa5450f071",
			"created_at": "2024-06-19T02:03:08.077075Z",
			"updated_at": "2026-04-10T02:00:03.830523Z",
			"deleted_at": null,
			"main_name": "GOLD LOTUS",
			"aliases": [
				"BlackByte",
				"Hecamede "
			],
			"source_name": "Secureworks:GOLD LOTUS",
			"tools": [
				"BlackByte",
				"Cobalt Strike",
				"ExByte",
				"Mega",
				"RDP",
				"SoftPerfect Network Scanner"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4e7fd07d-fcc5-459b-b678-45a7d9cda751",
			"created_at": "2025-04-23T02:00:55.174827Z",
			"updated_at": "2026-04-10T02:00:05.353712Z",
			"deleted_at": null,
			"main_name": "BlackByte",
			"aliases": [
				"BlackByte",
				"Hecamede"
			],
			"source_name": "MITRE:BlackByte",
			"tools": [
				"AdFind",
				"BlackByte Ransomware",
				"Exbyte",
				"Arp",
				"BlackByte 2.0 Ransomware",
				"PsExec",
				"Cobalt Strike",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775441588,
	"ts_updated_at": 1775791944,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4eadcac034c8cf281961264d05ee1c63dead5953.pdf",
		"text": "https://archive.orkl.eu/4eadcac034c8cf281961264d05ee1c63dead5953.txt",
		"img": "https://archive.orkl.eu/4eadcac034c8cf281961264d05ee1c63dead5953.jpg"
	}
}