{
	"id": "5c31b7d3-a34a-4aed-9507-388df4c71726",
	"created_at": "2026-04-06T00:19:02.218556Z",
	"updated_at": "2026-04-10T13:11:44.081609Z",
	"deleted_at": null,
	"sha1_hash": "6c8e6d85959e3a93847ab6917fc995fd7cfadc4a",
	"title": "Black Kingdom ransomware (TTPs \u0026 IOC)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1097845,
	"plain_text": "Black Kingdom ransomware (TTPs \u0026 IOC)\r\nBy Pawel Wylecial\r\nArchived: 2026-04-05 22:25:40 UTC\r\nDescription\r\nIn general, the Web Share API [https://w3c.github.io/web-share/] allows users to share links from the browser via 3rd party applications (e.g. mail and messaging apps). The problem is that the file: scheme is allowed, and when a website points to such a URL unexpected behavior occurs. If such a link is passed to the navigator.share function, an actual file from the user's file system is included in the shared message, which leads to local file disclosure when a user shares it unknowingly. The problem is not very serious as user interaction is required; however, it is quite easy to make the shared file invisible to the user. The closest comparison that comes to mind is clickjacking, as we try to convince the unsuspecting user to perform some action.\r\nBelow are the steps to reproduce the issue:\r\n2. Click “Share it with friends!”\r\n3. Select the method (e.g. mail, messages)\r\n4. “Send it” or “Share it” (or just inspect what has been attached)\r\n5. Local /etc/passwd has been sent to the recipient\r\nSample malicious website tricking users into sharing cat pictures:\r\nhttps://blog.redteam.pl/2020/06/black-kingdom-ransomware.html\r\nPage 1 of 8\r\n\r\nThe issue exists on both MacOS and iOS; after selecting different methods of sharing we will get different results, some of which are shown below.\r\nMacOS\r\nMail.app is the first choice appearing in the Web Share options. In this case we get a nice result because, due to the new lines in the message, the victim won’t see the attachment unless he/she scrolls down to the bottom:\r\nOnly when we scroll down can we see that the passwd file is actually attached to the e-mail message:\r\nFor the Messages app on MacOS it looks more interesting as no filename is displayed:\r\niOS\r\nMail.app, as with the MacOS version, does not show the attached file unless we scroll down to the bottom of the message:\r\nMessages for iOS displays the filename, so it’s not as great:\r\nThe Gmail app looks interesting as well because the filename got “obfuscated” and does not reveal that we are actually sharing the passwd file:\r\nProof of Concept\r\nThis is the sample code used for the demonstration:\r\n\u003chtml\u003e\r\n\u003cscript\u003e\r\nvar opts = {text: 'check out this cute kitten! http://somerandomimagewebsite.com/cat.jpg\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n',\r\nurl: 'file:///etc/passwd'};\r\nfunction run() {\r\nnavigator.share(opts);\r\n}\r\n\u003c/script\u003e\r\n\u003cbody\u003e\r\nCheck out this cute kitten!\r\n![](cat.jpg)\r\nshare it with friends!\r\n\r\nStealing iOS Safari browsing history\r\nI thought about a more useful scenario for how this bug could be used to extract sensitive information, as a passwd file is only good for demonstration. It had to be something accessible from the Safari app, so browser history seemed like a good candidate to exfiltrate. In order to achieve that we only needed to change the url value to the following:\r\nfile:///private/var/mobile/Library/Safari/History.db\r\nBelow you can see a video demonstrating stealing the user’s browsing history using the Web Share API:\r\nAffected software\r\nThis was tested on iOS (13.4.1, 13.6), macOS Mojave 10.14.16 with Safari 13.1 (14609.1.20.111.8) and on macOS Catalina 10.15.5 with Safari 13.1.1 (15609.2.9.1.2).\r\nAs of today (24/08/2020) there is no fix available.\r\nDisclosure timeline\r\n17/04/2020 – Issue discovered and reported to Apple\r\n21/04/2020 – Report acknowledged by Apple, informing they would investigate the issue\r\n22/04/2020 – An updated report containing a small clarification was sent\r\n28/04/2020 – Asked for a status update\r\n29/04/2020 – Received a reply that the report is being analyzed\r\n11/05/2020 – Asked for a status update\r\n13/05/2020 – Apple replied that they are still investigating and have no updates on the issue\r\n11/06/2020 – Asked for a status update, no reply\r\n02/07/2020 – Asked for a status update, no reply\r\n13/07/2020 – Asked for a status update, no reply\r\n21/07/2020 – Asked for a status update and whether Apple needs more time to address the issue, as I informed them that I intend to publish information about this case after 24/07/2020 if there is no reply / no objection from Apple’s side to making it public.\r\n23/07/2020 – Apple responded that they are investigating and will follow up as soon as they have an update\r\n02/08/2020 – Asked for a status update and announced disclosure to be on 24/08/2020\r\n14/08/2020 – Apple replied asking not to publish the details as they plan to address the issue in the Spring 2021 security update\r\n17/08/2020 – Replied that waiting with the disclosure for almost an additional year, while 4 months have already passed since reporting the issue, is not reasonable\r\n24/08/2020 – This post has been published\r\nSource: https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html"
	],
	"report_names": [
		"black-kingdom-ransomware.html"
	],
	"threat_actors": [
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434742,
	"ts_updated_at": 1775826704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6c8e6d85959e3a93847ab6917fc995fd7cfadc4a.pdf",
		"text": "https://archive.orkl.eu/6c8e6d85959e3a93847ab6917fc995fd7cfadc4a.txt",
		"img": "https://archive.orkl.eu/6c8e6d85959e3a93847ab6917fc995fd7cfadc4a.jpg"
	}
}