{
	"id": "f732f377-7c94-4deb-8816-f4afae487f65",
	"created_at": "2026-04-06T00:12:19.548322Z",
	"updated_at": "2026-04-10T03:27:55.337632Z",
	"deleted_at": null,
	"sha1_hash": "69c579bd197023fd97a2e35ae0403bfc09f0b4d2",
	"title": "Buhti: New Ransomware Operation Relies on Repurposed Payloads",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44586,
	"plain_text": "Buhti: New Ransomware Operation Relies on Repurposed\r\nPayloads\r\nBy About the Author\r\nArchived: 2026-04-05 13:58:18 UTC\r\nA relatively new ransomware operation calling itself Buhti appears to be eschewing developing its own payload\r\nand is instead utilizing variants of the leaked LockBit and Babuk ransomware families to attack Windows and\r\nLinux systems.\r\nWhile the group doesn’t develop its own ransomware, it does utilize what appears to be one custom-developed\r\ntool, an information stealer designed to search for and archive specified file types.\r\nBuhti, which first came to public attention in February 2023, was initially reported to be attacking Linux\r\ncomputers. However, Symantec’s Threat Hunter Team has also uncovered attempts to attack Windows computers\r\non compromised networks.\r\nThe group appears to be quick to exploit recently disclosed vulnerabilities, with one recent attack exploiting the\r\nrecently patched PaperCut vulnerability. Since Buhti hasn’t been linked to any known cyber-crime group,\r\nSymantec has assigned the actor name Blacktail to its operators.\r\nLockBit rebrand\r\nA recent Buhti attack saw the attackers attempt to deploy a ransomware payload against Windows computers on\r\nthe targeted network. Analysis of the payload revealed that it was a minimally modified version of the leaked\r\nLockBit 3.0 (aka LockBit Black) ransomware.  \r\nEncrypted files are appended with a .buthi extension. 
The ransom note can be seen in Figure 1.\r\nThe ransomware includes a feature that drops a LockBit-branded .bmp file (Figure 2) and makes it the Windows\r\nwallpaper, but this functionality was disabled by the attackers.\r\nThe ransomware also has the capability to send system information about the infected computer to a command-and-control (C\u0026C) server, but this functionality is also disabled and no C\u0026C server is specified.\r\nLockBit 3.0 was developed for the Syrphid cyber-crime group (aka Bitwise Spider), which is the operator of the\r\nLockBit ransomware. The builder for the ransomware was leaked in September 2022, allegedly by a disgruntled\r\ndeveloper.\r\nBabuk repurposed\r\nWhile Buhti came to public attention for targeting Linux machines with a payload written in Golang, analysis by\r\nSymantec of multiple Linux payloads found that they were all variants of the leaked Babuk ransomware.\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/buhti-ransomware\r\nPage 1 of 4\n\nBabuk was one of the first ransomware actors to target ESXi systems with a Linux payload. Babuk’s source code\r\nwas leaked in 2021 and since then has been adopted and reused by multiple ransomware operations.\r\nThe ransom note dropped by Linux variants was identical to that of the Windows payload, with only the payment\r\naddress differing.\r\nExfiltration tool\r\nBlacktail does appear to use at least one piece of custom malware, a data-exfiltration tool (SHA256:\r\n9f0c35cc7aab2984d88490afdb515418306146ca72f49edbfbd85244e63cfabd).\r\nWritten in Golang, it is designed to steal the following file types: .pdf, .php, .png, .ppt, .psd, .rar, .raw, .rtf, .sql,\r\n.svg, .swf, .tar, .txt, .wav, .wma, .wmv, .xls, .xml, .yml, .zip, .aiff, .aspx, .docx, .epub, .json, .mpeg, .pptx, .xlsx,\r\n.yaml. 
Copied files are placed into a .zip archive, which is created using an open source utility called zip.\r\nThe tool can be configured via command-line arguments to specify both the directory to search for files of interest\r\nin and the name of the output archive. The -o argument in the command line specifies the archive to be created.\r\nThe -d argument specifies the directory to search for files of interest in. For example:\r\nCSIDL_WINDOWS\\temp\\xhfw.exe -o CSIDL_WINDOWS\\temp\\output.zip -d CSIDL_PROFILE\r\nVulnerability exploitation\r\nRecent Buhti attacks exploited a recently discovered vulnerability in PaperCut NG and MF (CVE-2023-27350).\r\nThe exploit allows an attacker to bypass authentication and remotely execute code. The vulnerability was\r\ndisclosed and patched by PaperCut on March 15, 2023, and in recent weeks multiple threat actors have begun\r\nutilizing the exploit against unpatched systems.\r\nThe attackers exploited the vulnerability in order to install Cobalt Strike, Meterpreter, Sliver, AnyDesk, and\r\nConnectWise. The tools were leveraged to steal data from, and deliver the ransomware payload to, multiple\r\ncomputers on the targeted network.\r\nBlacktail appears quick to utilize new exploits. 
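Added example (editorial code, not Symantec's and not the operators' tooling): a Python triage script that recognises the exfiltration tool described above by the shape of its command line (an -o argument naming a .zip archive together with a -d search directory), counts which files in a directory listing fall into the tool's target extension list, and matches the hash and IP indicators from the list further down against process events. The switch names, the extension list and the indicators come from this report; the process events, PIDs, dummy hashes and file listing are constructed sample data, and the -o/-d switch-shape rule is an assumption generalised from the single command line quoted above, so validate it against your own process-creation telemetry before deploying it as a detection.

```python
# Added editorial example (not Symantec code): triage process events for the
# Blacktail exfiltration tool and match indicators from this report. From the
# report: the -o/-d switches, the target extensions, the hashes and defanged
# IPs. Constructed for the demo: the sample events and the file listing.
import ntpath
import shlex
from typing import Iterable, Optional

# File types the Golang stealer archives, as listed in the report.
TARGET_EXTS = {
    '.pdf', '.php', '.png', '.ppt', '.psd', '.rar', '.raw', '.rtf', '.sql',
    '.svg', '.swf', '.tar', '.txt', '.wav', '.wma', '.wmv', '.xls', '.xml',
    '.yml', '.zip', '.aiff', '.aspx', '.docx', '.epub', '.json', '.mpeg',
    '.pptx', '.xlsx', '.yaml',
}
# A subset of the report's indicator list; IPs kept defanged as published.
IOC_SHA256 = {
    '9f0c35cc7aab2984d88490afdb515418306146ca72f49edbfbd85244e63cfabd': 'Exfiltration tool',
    'ca6abfa37f92f45e1a69161f5686f719aaa95d82ad953d6201b0531fb07f0937': 'Possible exfiltration tool',
}
IOC_IPS_DEFANGED = ['91.215.85[.]183', '81.161.229[.]120']
BS, DQ = chr(92), chr(34)  # backslash and double quote, built at runtime

def refang(ioc: str) -> str:
    '''Undo the [.] defanging used in published indicator lists.'''
    return ioc.replace('[.]', '.')

IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}

def winpath(*parts: str) -> str:
    '''Join components with backslashes (sample-data helper only).'''
    return BS.join(parts)

def parse_exfil_cmdline(cmdline: str) -> Optional[dict]:
    '''Return archive and search dir when a command line has the tool's shape
    (-o <archive>.zip and -d <dir>), else None. posix=False keeps backslashes.'''
    tokens = shlex.split(cmdline, posix=False)
    switches = {}
    for i, tok in enumerate(tokens[:-1]):
        if tok in ('-o', '-d'):
            switches[tok] = tokens[i + 1].strip(DQ)
    archive, search_dir = switches.get('-o'), switches.get('-d')
    if archive is None or search_dir is None or not archive.lower().endswith('.zip'):
        return None
    return {'archive': archive, 'search_dir': search_dir}

def triage_events(events: Iterable[dict]) -> list:
    '''Flag events matching an IoC hash, an IoC destination IP, or the tool-shaped
    command line; the last also catches renamed or rebuilt binaries.'''
    hits = []
    for ev in events:
        reasons = []
        label = IOC_SHA256.get(ev.get('sha256', '').lower())
        if label:
            reasons.append('hash: ' + label)
        if ev.get('dst_ip') in IOC_IPS:
            reasons.append('c2 ip: ' + ev['dst_ip'])
        parsed = parse_exfil_cmdline(ev.get('cmdline', ''))
        if parsed:
            reasons.append('exfil cmdline: ' + parsed['search_dir'] + ' -> ' + parsed['archive'])
        if reasons:
            hits.append({'pid': ev.get('pid'), 'reasons': reasons})
    return hits

def exposed_files(paths: Iterable[str]) -> dict:
    '''Count, per extension, the files in a listing the stealer would archive.'''
    counts = {}
    for p in paths:
        ext = ntpath.splitext(p)[1].lower()
        if ext in TARGET_EXTS:
            counts[ext] = counts.get(ext, 0) + 1
    return counts

# Constructed events in the shape of a Sysmon process-creation record, modelled
# on the command line quoted in the report; hashes after the first are dummies.
SAMPLE_EVENTS = [
    {'pid': 4120,  # known tool hash, IoC IP and tool switches all fire
     'sha256': '9f0c35cc7aab2984d88490afdb515418306146ca72f49edbfbd85244e63cfabd',
     'cmdline': winpath('C:', 'Windows', 'temp', 'xhfw.exe') + ' -o '
                + winpath('C:', 'Windows', 'temp', 'output.zip') + ' -d '
                + winpath('C:', 'Users', 'jdoe'),
     'dst_ip': '91.215.85.183'},
    {'pid': 4188,  # renamed binary, unknown hash: only the switch shape fires
     'sha256': 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
     'cmdline': winpath('C:', 'ProgramData', 'svc.exe') + ' -o ' + DQ
                + winpath('C:', 'ProgramData', 'out 1.zip') + DQ + ' -d '
                + winpath('E:', 'Shares'),
     'dst_ip': '10.0.0.5'},
    {'pid': 5001,  # legitimate archiver: different switch shape, no hit
     'sha256': '2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae',
     'cmdline': DQ + winpath('C:', 'Program Files', '7-Zip', '7z.exe') + DQ
                + ' a backup.zip ' + winpath('D:', 'data'),
     'dst_ip': '10.0.0.9'},
]
# Constructed listing of a user profile, the kind of tree a -d CSIDL_PROFILE run walks.
SAMPLE_LISTING = [winpath('C:', 'Users', 'jdoe', name) for name in
                  ('q1-report.docx', 'db-dump.sql', 'logo.PNG', 'setup.exe', 'notes.TXT')]

if __name__ == '__main__':
    for hit in triage_events(SAMPLE_EVENTS):
        print(hit)
    print(exposed_files(SAMPLE_LISTING))
```

Running the script reports two hits: the first event matches on hash, destination IP and command line, while the second has an unknown hash and a renamed binary and is caught only by the command-line shape, which is why a hunt should not rest on hashes alone. The 7-Zip invocation produces no hit because its switch shape differs. The listing check shows four of the five sample files falling inside the stealer's extension set; run it over a real profile to gauge what a single -d run could have carried off.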
In February, they were reported to be exploiting a vulnerability in\r\nIBM’s Aspera Faspex file-exchange application (CVE-2022-47986).\r\nDangerous adversary\r\nWhile the reuse of leaked payloads is often the hallmark of a less-skilled ransomware operation, Blacktail’s\r\ngeneral competence in carrying out attacks, coupled with its ability to recognize the utility of newly discovered\r\nvulnerabilities, suggests that it is not to be underestimated.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file available to us, Symantec Endpoint products will detect and block that file.\r\n063fcedd3089e3cea8a7e07665ae033ba765b51a6dc1e7f54dde66a79c67e1e7 - Buhti (Windows)\r\neda0328bfd45d85f4db5dbb4340f38692175a063b7321b49b2c8ebae3ab2868c - Buhti (Linux)\r\ne5d65e826b5379ca47a371505678bca6071f2538f98b5fef9e33b45da9c06206 - Buhti (Linux)\r\nd65225dc56d8ff0ea2205829c21b5803fcb03dc57a7e9da5062cbd74e1a6b7d6 - Buhti (Linux)\r\nd259be8dc016d8a2d9b89dbd7106e22a1df2164d84f80986baba5e9a51ed4a65 - Buhti (Linux)\r\n8b5c261a2fdaf9637dada7472b1b5dd1d340a47a00fe7c39a79cf836ef77e441 - Buhti (Linux)\r\n898d57b312603f091ff1a28cb2514a05bd9f0eb55ace5d6158cc118d1e37070a - Buhti (Linux)\r\n515777b87d723ebd6ffd5b755d848bb7d7eb50fc85b038cf25d69ca7733bd855 - Buhti (Linux)\r\n4dc407b28474c0b90f0c5173de5c4f1082c827864f045c4571890d967eadd880 - Buhti (Linux)\r\n22e74756935a2720eadacf03dc8fe5e7579f354a6494734e2183095804ef19fe - Buhti (Linux)\r\n18a79c8a97dcfff57e4984aa7e74aa6ded22af8e485e807b34b7654d6cf69eef - Buhti (Linux)\r\n01b09b554c30675cc83d4b087b31f980ba14e9143d387954df484894115f82d4 - Buhti (Linux)\r\n7eabd3ba288284403a9e041a82478d4b6490bc4b333d839cc73fa665b211982c - Buhti (Linux)\r\n287c07d78cafc97fb4b7ef364a228b708d31e8fe8e9b144f7db7d986a1badd52 - Buhti 
(Linux)\r\n32e815ef045a0975be2372b85449b25bd7a7c5a497c3facc2b54bcffcbb0041c - Cobalt Strike Beacon\r\n5b3627910fe135475e48fd9e0e89e5ad958d3d500a0b1b5917f592dc6503ee72 - Cobalt Strike Beacon\r\nd59df9c859ccd76c321d03702f0914debbadc036e168e677c57b9dcc16e980cb - Cobalt Strike Beacon\r\nde052ce06fea7ae3d711654bc182d765a3f440d2630e700e642811c89491df72 - Cobalt Strike Beacon\r\n65c91e22f5ce3133af93b69d8ce43de6b6ccac98fc8841fd485d74d30c2dbe7b - Meterpreter\r\n8041b82b8d0a4b93327bc8f0b71672b0e8f300dc7849d78bb2d72e2e0f147334 - Meterpreter\r\n8b2cf6af49fc3fb1f33e94ad02bd9e43c3c62ba2cfd25ff3dfc7a29dde2b20f2 - Meterpreter\r\n97378d58815a1b87f07beefb24b40c5fb57f8cce649136ff57990b957aa9d56a - Meterpreter\r\nc33e56318e574c97521d14d68d24b882ffb0ed65d96203970b482d8b2c332351 - Meterpreter\r\n9b8adde838c8ea2479b444ed0bb8c53b7e01e7460934a6f2e797de58c3a6a8bf - Possible Meterpreter\r\n9f0c35cc7aab2984d88490afdb515418306146ca72f49edbfbd85244e63cfabd - Exfiltration tool\r\nca6abfa37f92f45e1a69161f5686f719aaa95d82ad953d6201b0531fb07f0937 - Possible exfiltration tool\r\nbdfac069017d9126b1ad661febfab7eb1b8e70af1186a93cb4aff93911183f24 - Sliver\r\n91.215.85[.]183\r\n81.161.229[.]120\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/buhti-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/buhti-ransomware"
	],
	"report_names": [
		"buhti-ransomware"
	],
	"threat_actors": [
		{
			"id": "a9670e60-de2b-4c77-97ea-28e73f92902a",
			"created_at": "2023-11-30T02:00:07.264397Z",
			"updated_at": "2026-04-10T02:00:03.480707Z",
			"deleted_at": null,
			"main_name": "Blacktail",
			"aliases": [],
			"source_name": "MISPGALAXY:Blacktail",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5",
			"created_at": "2022-10-25T16:07:23.797925Z",
			"updated_at": "2026-04-10T02:00:04.752608Z",
			"deleted_at": null,
			"main_name": "LockBit Gang",
			"aliases": [
				"Bitwise Spider",
				"Operation Cronos"
			],
			"source_name": "ETDA:LockBit Gang",
			"tools": [
				"3AM",
				"ABCD Ransomware",
				"CrackMapExec",
				"EmPyre",
				"EmpireProject",
				"LockBit",
				"LockBit Black",
				"Mimikatz",
				"PowerShell Empire",
				"PsExec",
				"Syrphid"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3940f08b-39aa-492c-8699-86bfe515fa70",
			"created_at": "2023-01-06T13:46:39.470535Z",
			"updated_at": "2026-04-10T02:00:03.339964Z",
			"deleted_at": null,
			"main_name": "BITWISE SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:BITWISE SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434339,
	"ts_updated_at": 1775791675,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/69c579bd197023fd97a2e35ae0403bfc09f0b4d2.pdf",
		"text": "https://archive.orkl.eu/69c579bd197023fd97a2e35ae0403bfc09f0b4d2.txt",
		"img": "https://archive.orkl.eu/69c579bd197023fd97a2e35ae0403bfc09f0b4d2.jpg"
	}
}