{
	"id": "ac70af52-b7de-45fe-ba46-5e7514f107e8",
	"created_at": "2026-04-06T00:11:22.540291Z",
	"updated_at": "2026-04-10T13:12:49.741049Z",
	"deleted_at": null,
	"sha1_hash": "79d3f827458e1a269c0ce006fda644028779533d",
	"title": "Threat Spotlight: BlackMatter, LockBit, and THOR - Cisco Umbrella",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 192600,
	"plain_text": "Threat Spotlight: BlackMatter, LockBit, and THOR - Cisco Umbrella\r\nBy Josh Pyorre\r\nPublished: 2021-11-18 · Archived: 2026-04-05 18:23:13 UTC\r\nEver wonder what happens when some of yesterday’s most crippling ransomware or RAT attacks evolve? That’s what we unpack in this month’s Cybersecurity Threat Spotlight. Our three cyberattacks wreak havoc by borrowing some of the most effective techniques and tools formerly used by DarkSide, REvil, LockBit, and the PlugX RAT. We break down this evolution in today’s blog, and discuss the ways in which you can protect your network in an on-demand webinar.\r\nThreat Name: BlackMatter\r\nThreat Type: Ransomware\r\nAttack Chain:\r\nDescription: BlackMatter ransomware is both a ransomware variant and a ransomware-as-a-service, borrowing techniques and tools from the DarkSide and REvil RaaS platforms and from LockBit 2.0 ransomware. One interesting change in BlackMatter from similar variants is that it will encrypt Russian systems.\r\nFirst appearing in July, 2021, BlackMatter appears to be the next generation of DarkSide, REvil, and LockBit 2.0, using the best techniques from each to be more effective at achieving its goals. The name BlackMatter applies to its operators, its use as a Ransomware-as-a-Service (RaaS), and the artifacts used in infections.\r\nThe operators have a presence on TOR, where they claim transparency with victims, recovery companies, and journalists while providing a list of verticals they do not target.\r\nMany similarities between BlackMatter, DarkSide, REvil, and LockBit 2.0 exist. These include being provided as RaaS, multi-threading, in-place file encryption, and similar ransom desktop wallpaper on victim machines. Some of the notable differences with BlackMatter include a larger encryption size of 1,024 KB and the fact that it will encrypt Russian-language systems.\r\nhttps://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor\r\nPage 1 of 7\r\nThe ransom notes are similar to what has been observed in DarkSide infections in regard to file size, image format, and appearance. BlackMatter uses Initial Access Brokers, individuals or groups who are willing to sell access to compromised networks, while also recruiting affiliates to deliver ransomware for a portion of the ransom payments. Variants exist for Windows and Linux, affecting Windows Server 2003 and later and Windows 7 and later on x86 and x64 architectures. Affected Linux versions include VMWare ESXI, Ubuntu, Debian, and CentOS.\r\nInitial access is via compromised remote desktop, phishing, the use of stolen credentials, or exploitation of vulnerabilities in web browsers or operating systems. When a system is infected with BlackMatter, the privilege of the current user is verified and an attempt to escalate occurs. Processes are terminated to close any running programs that might prevent encryption of files, shadow volume copies are deleted, data is exfiltrated, and the files on the system are encrypted. During encryption, files are opened, checked to determine if they were already encrypted, renamed with a new extension, and partially encrypted. Then, data to indicate the file was encrypted is added and the file is closed. Access permissions for encrypted files are changed to ‘All’. Victims who choose to pay the ransom to recover files are unable to restore the original access permissions. If unable to run due to endpoint protection, BlackMatter will reboot a Windows system in safe mode. To inhibit analysis, string information in malware artifacts is encrypted and only decrypted while running in memory.\r\nTarget Geolocations: Any\r\nTarget Data: Any\r\nTarget Businesses: Financial, Legal, Manufacturing, Professional Services, Retail, Technology [1]\r\nExploits: Web Browser or OS Vulnerabilities\r\nMITRE ATT\u0026CK for BlackMatter\r\nInitial Access: Phishing, External Remote Services\r\nPersistence: Scheduled Task/Job\r\nEvasion: Deobfuscate/Decode Files or Information, Obfuscated Files or Information, Process Injection: Dynamic-Link Library Injection\r\nCollection: N/A\r\nExfiltration: Exfiltration Over Web Service, Transfer Data to Cloud Account, Exfiltration Over C2 Channel\r\nIOCs\r\nDomains:\r\nkucukisletmeler[.]com\r\nlentingbouw[.]nl\r\nfluentzip[.]org\r\nnowautomation[.]com\r\nmojobiden[.]com\r\nPaymenthacks[.]com\r\nAdditional Information:\r\nBlackMatter ransomware emerges from the shadow of DarkSide\r\nBlackMatter Ransomware Portal Tweet\r\nWhich Cisco Products Can Block:\r\nCisco Secure Endpoint\r\nCisco Cloud Web Security\r\nCisco Network Security\r\nCisco Secure Network Analytics\r\nCisco Secure Cloud Analytics\r\nCisco Secure Malware Analytics\r\nCisco Umbrella\r\nCisco Secure Web Appliance\r\n[1] These target businesses were identified by BlackMatter operators, but this attack may target other businesses.\r\nThreat Name: LockBit\r\nThreat Type: Ransomware\r\nAttack Chain:\r\nDescription: LockBit ransomware was first seen in 2019. A second version, called LockBit 2.0, appeared in July, 2021 and operates as ransomware-as-a-service (RaaS). It shares features with the Ryuk and Egregor ransomware families, such as Wake-on-LAN and Print Bombing (sending the ransom note to connected printers). LockBit operators use double-extortion methods and attempt to recruit affiliates from within the targeted organizations. Automatic encryption on victim systems occurs across Windows domains by abusing Microsoft Entra ID policies. LockBit uses multithreading for encryption and only partially encrypts files to increase speed.\r\nOriginally known as the .abcd virus, the first version of LockBit was able to self-replicate, performed host discovery using ARP tables, and would move laterally by exploiting SMB on Windows systems. It would spread via PowerShell and avoided encrypting Russian-language systems.\r\nA new version of LockBit, called LockBit 2.0, began appearing in late 2019. The wallpaper that was set on victim systems would attempt to recruit internal affiliates or members of the victim organization to help further the infection and provide additional data for exfiltration in exchange for payment. LockBit 2.0 also attempted to recruit outside affiliates by advertising faster encryption speed than the first version of LockBit as well as other ransomware variants. Delivery is typically via phishing, where a dropper is installed. C2 communication begins shortly after and additional tools are downloaded. Data exfiltration then occurs, followed by data encryption.\r\nOnce LockBit is installed on a system, Cobalt Strike and remote access tools are also installed. Some of these tools are legitimate, which helps to avoid detection. Data is then exfiltrated so that an additional ransom can be demanded if payment is not made. LockBit 2.0 samples employ anti-analysis techniques similar to BlackMatter, where strings are encrypted until runtime. Shadow volume copies are deleted on victim systems prior to encryption. When encrypting files, the extension is changed to .lockbit and a custom icon is set to display for that file type. It then looks for connected drives and network volumes, creates a ransom note in all directories, encrypts the files, and changes the desktop background to a ransom message. One of the final steps is to print the ransom note to any connected printers.\r\nTarget Geolocations: Asia, North America, South America, Europe\r\nTarget Data: Any\r\nTarget Businesses: Any\r\nExploits: N/A\r\nMITRE ATT\u0026CK for LockBit\r\nInitial Access: Unconfirmed\r\nPersistence: Registry Run Keys / Startup Folder\r\nEvasion: Virtualization/Sandbox Evasion\r\nCollection: Data From Local System\r\nExfiltration: Exfiltration Over Command and Control Channel\r\nIOCs\r\nDomains:\r\nNone\r\nIPs:\r\n139.60.160[.]200\r\n168.100.11[.]72\r\n174.138.62[.]35\r\n185.215.113[.]39\r\n193.162.143[.]218\r\n193.38.235[.]234\r\n45.227.255[.]190\r\n88.80.147[.]102\r\n93.190.143[.]101\r\nAdditional Information:\r\nLockBit ransomware now infects Windows domains using group policies\r\nLockBit Resurfaces With version 2.0 Ransomware Detections in Chile, Italy, Taiwan, UK\r\nWhich Cisco Products Can Block:\r\nCisco Secure Endpoint\r\nCisco Cloud Web Security\r\nCisco Network Security\r\nCisco Secure Network Analytics\r\nCisco Secure Cloud Analytics\r\nCisco Secure Malware Analytics\r\nCisco Umbrella\r\nCisco Secure Web Appliance\r\nThreat Name: THOR\r\nThreat Type: RAT\r\nAttack Chain:\r\nDescription: THOR is a variant of the PlugX Remote Access Tool (RAT). PlugX RATs have been in use since 2008 and have the ability to upload, download, and modify files, perform keystroke logging, control webcams, and provide access to a remote shell. THOR differs from previous PlugX variants in that it changed the word ‘PLUG’ to ‘THOR’ in its source code. It is further differentiated from past PlugX RATs by its use of modified payload delivery mechanisms and the use of trusted binaries on a victim system to accomplish its goals. It first appeared in March, 2021 as part of an attack on Exchange Servers via CVE-2021-26855 and CVE-2021-27065.\r\nTHOR Spotlight: THOR is a new variant of the PlugX malware, which has been involved in targeted attacks and intrusions since 2008. PlugX is often installed as a second-stage implant following the initial infection. It’s built for modular use, allowing the use of plug-ins to achieve specific objectives. Delivery is via malicious documents in phishing emails and C2 communication occurs after infection. Additional components may be downloaded after communication begins.\r\nIn March of 2019, two zero-day exploits (CVE-2021-26855 and CVE-2021-27065) were discovered affecting Microsoft Exchange Servers. These exploits were used to upload a webshell to a publicly accessible web directory, allowing code execution, the ability to write malicious files to any path, run commands, escalate privilege, and allow remote access. In the attacks, a variant of PlugX was being used to install a remote access tool. This variant had a modification in its source code, changing a well-known variable name from PLUG to THOR.\r\nWhen run, a legitimate Windows binary is used to download a dropper, which is designed to remain undetected and can only be run with a specific loader. All variants of PlugX require the use of DLL side-loading to run. The downloaded dropper has its first 1000 bytes filled with random padding until it has a NULL byte, signaling the beginning of the file. When loaded into memory, the code unpacks and communication with a command and control (C2) server begins.\r\nWhen running, THOR behaves the same as previous PlugX variants, decrypting hard-coded and embedded configuration settings. Communication with the C2 server is over ports 80, 443, 53, and 8000 using UDP and TCP. While the first handshake with the C2 looks like HTTP data, it is made of random bytes with variable lengths. If the return value from the C2 is the correct length, actual HTTP communication between the victim and C2 starts. Various values in the C2 traffic are hard-coded, such as the user-agent and a known PlugX constant. When installation is complete, a Windows system service named HP Digital Image is created and system events are logged to a hidden file labeled NTUSER.dat. The MZ and PE headers of the running module are removed and replaced with ROHT, which is THOR written backwards.\r\nThe primary goals of THOR and other PlugX variants are to monitor, make changes, and interact with the system, as well as to install additional malware.\r\nTarget Geolocations: Myanmar, Taiwan, Vietnam, Indonesia, Mongolia, Tibet, Xinjiang\r\nTarget Data: Any\r\nTarget Businesses: Any\r\nExploits: CVE-2021-26855, CVE-2021-27065\r\nMITRE ATT\u0026CK for THOR\r\nInitial Access: Spearphishing Attachments, Malspam\r\nPersistence: Server Software Component\r\nEvasion: Deobfuscate/Decode Files or Information, Hide Artifacts\r\nCollection: Audio Capture, Clipboard Data, Input Capture, Screen Capture, Video Capture\r\nExfiltration: Exfiltration Over Command and Control Channel\r\nIOCs\r\nDomains:\r\napple-net[.]com\r\ndestroy2013[.]com\r\nemicrosoftinterview[.]com\r\nfitehook[.]com\r\nflashplayerup[.]com\r\nindonesiaport[.]info\r\nmanager2013[.]com\r\nrainydaysweb[.]com\r\nupload.ukbbcnews[.]com\r\nIPs:\r\n185.239.226[.]65\r\n45.251.240[.]55\r\n58.158.177[.]102\r\nAdditional Information:\r\nTHOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group\r\nPKPLUG: Chinese Cyber Espionage Group Attacking Southeast Asia\r\nTake a Deep Dive into PlugX Malware\r\nWhich Cisco Products Can Block:\r\nCisco Secure Endpoint\r\nCisco Cloud Web Security\r\nCisco Network Security\r\nCisco Secure Network Analytics\r\nCisco Secure Cloud Analytics\r\nCisco Secure Malware Analytics\r\nCisco Umbrella\r\nCisco Secure Web Appliance\r\nSource: https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor"
	],
	"report_names": [
		"cybersecurity-threat-spotlight-blackmatter-lockbit-thor"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "93542ae8-73cb-482b-90a3-445a20663f15",
			"created_at": "2022-10-25T16:07:24.058412Z",
			"updated_at": "2026-04-10T02:00:04.853499Z",
			"deleted_at": null,
			"main_name": "PKPLUG",
			"aliases": [
				"Stately Taurus"
			],
			"source_name": "ETDA:PKPLUG",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434282,
	"ts_updated_at": 1775826769,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/79d3f827458e1a269c0ce006fda644028779533d.pdf",
		"text": "https://archive.orkl.eu/79d3f827458e1a269c0ce006fda644028779533d.txt",
		"img": "https://archive.orkl.eu/79d3f827458e1a269c0ce006fda644028779533d.jpg"
	}
}