{
	"id": "8a981717-9c57-4d63-8f1a-af032ce53a76",
	"created_at": "2026-04-06T00:17:38.687836Z",
	"updated_at": "2026-04-10T03:20:07.391098Z",
	"deleted_at": null,
	"sha1_hash": "8864756118098f0a8bbd3dabce06407f8746f801",
	"title": "BlackCat Climbs the Summit With a New Tactic",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2698416,
	"plain_text": "BlackCat Climbs the Summit With a New Tactic\r\nBy Unit 42\r\nPublished: 2023-10-18 · Archived: 2026-04-05 16:41:02 UTC\r\nExecutive Summary\r\nBlackCat operators recently announced new updates to their tooling, including a utility called Munchkin that\r\nallows attackers to propagate the BlackCat payload to remote machines and shares on a victim organization\r\nnetwork. For the past two years, the BlackCat ransomware operators have continued to evolve and iterate their\r\ntooling as part of their ransomware-as-a-service (RaaS) business model.\r\nAs part of a recent investigation, Unit 42 researchers have acquired an instance of Munchkin that is unique, in that\r\nit is loaded in a customized Alpine virtual machine (VM). This new tactic of leveraging a customized VM to\r\ndeploy malware has been gaining traction in recent months, allowing ransomware threat actors to use VMs to\r\ncircumvent security solutions in deploying their malware payloads.\r\nThis publication details how this new utility works and sheds further light on the continued tactics used by\r\nBlackCat threat actors. In doing so, it is our sincere hope to motivate further effort by the information security\r\nindustry to better defend against this evolving threat.\r\nPalo Alto Networks customers receive protections against this specific threat through appropriate identification of\r\nthe provided indicators as malicious.\r\nOverview of BlackCat\r\nThe BlackCat ransomware threat was first made public when it surfaced in November 2021. This threat gained\r\nnotoriety due to the sophistication employed within their malware, along with unique approaches such as the use\r\nof the Rust programming language.\r\nBlackCat, similar to other ransomware threat actors, employs a RaaS business model. This model allows affiliates\r\nto leverage their tooling, in turn providing a portion of the profits to the operators. 
Based on historical reports,\r\naffiliates keep roughly 80-90% of the ransom payment, with the remainder being sent to the operators.\r\nThe BlackCat organization, including its affiliates, has historically focused on targeting victims in the United\r\nStates. However, this focus has greatly broadened over time with increased popularity, and BlackCat has more\r\nrecently been observed targeting victims worldwide across numerous industries and verticals.\r\nThe BlackCat tool set has continued to evolve over the years. Original versions provided an embedded JSON\r\nconfiguration with no obfuscation or encryption applied.\r\nOver time, threat operators updated the malware family to obfuscate this underlying configuration. They also\r\nrequired a unique command-line parameter to execute the malware. In doing so, BlackCat prevented those within\r\nthe security community from gaining insight into the underlying payloads in the event this command-line\r\nparameter was unavailable.\r\nhttps://unit42.paloaltonetworks.com/blackcat-ransomware-releases-new-utility-munchkin/\r\nPage 1 of 12\n\nThe malware family has continued to evolve, with threat operators employing further capabilities and obfuscation\r\nmechanisms. In recent months, BlackCat has released a new tool named “Munchkin.”\r\nThis tooling provides a Linux-based operating system (OS) running Sphynx (the latest BlackCat variant). Threat\r\noperators can use this utility to run BlackCat on remote machines, or to deploy it to encrypt remote Server\r\nMessage Block (SMB)/Common Internet File System (CIFS) shares.\r\nFigure 1. Diagram of Munchkin tool process.\r\nThe use of virtual machines to run malware is a growing trend within the ransomware community. Other\r\nransomware organizations have been reported to leverage this new tactic as well.\r\nThe benefits of this approach include circumventing any security controls or protections set on the host OS, such\r\nas antivirus software. 
As these solutions often lack introspection into the embedded virtualized OS,\r\nmalware running inside the VM will frequently bypass any checks that are present.\r\nAs part of a recent investigation, Unit 42 researchers were able to acquire a copy of this VM utility. As such, we\r\ncan provide insights into how it works.\r\nClimbing the Summit\r\nThe Munchkin utility is delivered as an ISO file, which is loaded in a newly installed instance of the VirtualBox\r\nvirtualization product. This ISO file represents a customized implementation of the Alpine OS, which threat\r\noperators likely chose due to its small footprint. Upon running the operating system, the following commands are\r\nexecuted at boot:\r\necho -n \"root:[password]\" | chpasswd\r\ntmux new-session -A -s controller \\; send -t controller \"/app/controller \u0026\u0026 poweroff\" ENTER \\; detach -s controller\r\neject\r\nIn doing so, the malware first changes the root password of the VM to one chosen by the threat actors. It\r\nthen creates a new terminal session via the built-in tmux utility, which is used to execute the malware\r\nbinary named controller, and ejects the ISO. After the malware completes execution, it powers the VM off.\r\nThe controller malware is hosted within the /app directory, along with other related files. 
In addition, other related\r\nand notable files are included within the VM OS, as noted in Table 1 below.\r\nFile Path - Description\r\n/app/controller - Munchkin malware utility.\r\n/app/config - Serialized configuration file used by Munchkin.\r\n/app/payload - Template BlackCat malware sample, which is customized by Munchkin at runtime.\r\n/scripts/smb_common.py - Python helper utility for SMB-related operations.\r\n/scripts/smb_copy_and_exec.py - Python script used to copy a file via SMB and subsequently run it.\r\n/scripts/smb_exec.py - Python script used to execute a remote file.\r\nTable 1. File path and description of the files included within the VM OS.\r\nIn addition to the files noted above, a large number of Python scripts are present within the /usr/bin directory, which\r\nthe BlackCat operators can use in subsequent updates within the VM.\r\nDumpNTLMInfo.py\r\nGet-GPPPassword.py\r\nGetADUsers.py\r\nGetNPUsers.py\r\nGetUserSPNs.py\r\naddcomputer.py\r\natexec.py\r\nchangepasswd.py\r\ndcomexec.py\r\ndpapi.py\r\nesentutl.py\r\nexchanger.py\r\nfindDelegation.py\r\nflask\r\nfuturize\r\ngetArch.py\r\ngetPac.py\r\ngetST.py\r\ngetTGT.py\r\ngoldenPac.py\r\nkarmaSMB.py\r\nkeylistattack.py\r\nkintercept.py\r\nldapdomaindump\r\nldd2bloodhound\r\nldd2pretty\r\nlookupsid.py\r\nmachine_role.py\r\nmimikatz.py\r\nmqtt_check.py\r\nmssqlclient.py\r\nmssqlinstance.py\r\nnet.py\r\nnetview.py\r\nnmapAnswerMachine.py\r\nnormalizer\r\nntfs-read.py\r\nntlmrelayx.py\r\npasteurize\r\nping.py\r\nping6.py\r\npip\r\npip3\r\npip3.11\r\npsexec.py\r\nraiseChild.py\r\nrbcd.py\r\nrdp_check.py\r\nreg.py\r\nregistry-read.py\r\nrpcdump.py\r\nrpcmap.py\r\nsambaPipe.py\r\nsamrdump.py\r\nsecretsdump.py\r\nservices.py\r\nsmbclient.py\r\nsmbexec.py\r\nsmbpasswd.py\r\nsmbrelayx.py\r\nsmbserver.py\r\nsniff.py\r\nsniffer.py\r\nsplit.py\r\nticketConverter.py\r\nticketer.py\r\ntstool.py\r\nwmiexec.py\r\nwmipersist.py\r\nwmiquery.py\r\n
Attackers can use many of the Python scripts above for lateral movement, password dumping and further\r\nexecution of malware on the victim network.\r\nThe controller malware is written in the Rust programming language in a manner very similar to the BlackCat\r\nmalware family. Upon execution, the controller will initially decrypt numerous strings using a unique single-byte\r\nXOR operation.\r\nFigure 2. String decryption at runtime.\r\nAfter the strings are decrypted, the threat will perform basic checks to ensure that the expected configuration and\r\npayload files reside within the /app directory. The threat will then deserialize and parse the /app/config file. If\r\nany of these files are missing or cannot be parsed, the malware will exit with an error\r\nmessage.\r\nThe /app/config file contains a wealth of information including the following, which the controller malware\r\nsample subsequently uses:\r\nAccess Token\r\nTask identifiers\r\nVictim credentials (including usernames, passwords and domains)\r\nBlackCat victim URLs\r\nBlocklisted file types and paths\r\nHosts and shares to target for encryption\r\nAfter the configuration is parsed, the controller creates and mounts the /payloads/ directory, which it uses to host\r\nsubsequently created instances of BlackCat. The controller uses the previously noted /app/payload as a template\r\nfor creating customized BlackCat samples. Within the template file, there are specific markers that the controller\r\nlooks for and uses when it modifies this file.\r\nFigure 3. Creation of a new BlackCat sample based on template and configuration.\r\n
The created files are based on the provided configuration. However, they are named as follows, with incremental\r\nvalues:\r\n/payloads/0\r\n/payloads/1\r\nAfter these payloads have been created, the malware proceeds to iterate through the provided configuration with\r\nthe intent of infecting any SMB/CIFS drives that are specified. The controller logs these attempts to STDOUT,\r\nan example of which is shown below.\r\n(Note: The actual IP addresses and share names have been redacted in the output below.)\r\n05:21:40 [INFO] Loading Config\r\n05:21:40 [INFO] Initializing System\r\n05:21:40 [INFO] Initializing Array\r\n05:21:40 [INFO] Pass #1\r\n05:21:40 [INFO] Executing tasks\r\n05:21:40 [INFO] Task [ip_address]\r\n05:21:40 [INFO] Encode Shares [ip_address] -\u003e [share_path]\r\n05:21:40 [INFO] Scanning [ip_address]\r\n05:21:40 [INFO] Task [ip_address]\r\n05:21:40 [INFO] Encode Shares [ip_address] -\u003e [share_path]\r\n05:21:40 [INFO] Scanning [ip_address]\r\n05:21:40 [INFO] Task [ip_address]\r\n05:21:40 [INFO] Encode Shares [ip_address] -\u003e [share_path]\r\n05:21:40 [INFO] Scanning [ip_address]\r\n05:21:40 [INFO] Task [ip_address]\r\n[TRUNCATED]\r\n05:21:40 [INFO] Pass #2\r\n05:21:40 [INFO] Executing tasks\r\n05:21:40 [INFO] Task [ip_address]\r\n05:21:40 [INFO] Encode Shares [ip_address] -\u003e [share_path]\r\n05:21:40 [INFO] Scanning [ip_address]\r\n05:21:40 [INFO] Task [ip_address]\r\n05:21:40 [INFO] Encode Shares [ip_address] -\u003e [share_path]\r\n05:21:40 [INFO] Scanning [ip_address]\r\n05:21:40 [INFO] Task [ip_address]\r\n05:21:40 [INFO] Encode Shares [ip_address] -\u003e [share_path]\r\n[TRUNCATED]\r\n05:21:40 [INFO] Done!\r\n
After the malware executes fully, the VM powers off and performs no further actions.\r\nWe found the following message embedded within the malware sample itself. It is not used; it was presumably\r\nincluded at a certain stage of development but was later removed from use.\r\nATTENTION:\r\n    At the time there is NO CONFIG ENCRYPTION, meaning chat access token is NOT ENCRYPTED in the ISO.\r\n    Leaking the ISO will result in chat access token leak!\r\n    It's highly recommended to EJECT and DELETE the ISO right after system boot.\r\n    DO NOT LEAVE THE ISO ON TARGET SYSTEMS!\r\nUsage:\r\n    Controller is launched at boot time in tmux session named \"controller\".\r\n    It will execute all the tasks and exit.\r\n    If you've set \"shutdown\" option at config time it will also shutdown the machine after finishing tasks.\r\n    If \"shutdown\" option is not set you can relaunch Controller by running \"/app/controller\".\r\nMonitoring:\r\n    Monitor progress by running \"tmux a\" with either terminal or ssh connection.\r\nThis appears to be a message from the BlackCat creators to their affiliates urging them to remove this file\r\nfrom a compromised environment. It would seem that the affiliate in question failed to heed this advice.\r\nConclusion\r\nMalware authors, especially those behind the BlackCat ransomware threat, continue to iterate and evolve their\r\ntechniques and tactics. 
This is fully apparent in their recent release of Munchkin, which they’ve developed and\r\nprovided to their affiliates.\r\nThis tool follows a continued trend of leveraging VMs in an attempt to thwart security controls present on a host\r\nand to stay ahead of the security community in defending against these threats.\r\nPalo Alto Networks customers receive protection from the threats discussed above through the following products:\r\nNext-Generation Firewalls with cloud-delivered security services including WildFire detect the files\r\nmentioned within this report as malicious.\r\nIf you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our\r\nfellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to\r\ntheir customers and to systematically disrupt malicious cyber actors. 
Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\n/app/controller - Munchkin Binary\r\n1a4082c161eafde7e367e0ea2c98543c06dce667b547881455d1984037a90e7d\r\n/app/payload - BlackCat Stub\r\nb4dd6e689b80cfcdd74b0995250d63d76ab789f1315af7fe326122540cddfad2\r\n/scripts/smb_common.py - Python SMB Classes\r\n41c0b2258c632ee122fb52bf2f644c7fb595a5beaec71527e2ebce7183644db2\r\n/scripts/smb_copy_and_exec.py - Python SMB Copy/Exec Script\r\n2e808fc1b2bd960909385575fa9227928ca25c8665d3ce5ad986b03679dace90\r\nYARA Rules\r\n
rule u42_crime_nix_munchkin\r\n{\r\n    meta:\r\n        author = \"Unit 42 Threat Intelligence\"\r\n        date = \"2023-10-12\"\r\n        description = \"Identifies a scanning utility leveraged by the BlackCat operators that is used to propagate the malware payload to additional hosts via SMB.\"\r\n        hash = \"1a4082c161eafde7e367e0ea2c98543c06dce667b547881455d1984037a90e7d\"\r\n        reference = \"https://unit42.paloaltonetworks.com/blackcat-ransomware/\"\r\n    strings:\r\n        $str0 = \"At the time there is NO CONFIG ENCRYPTION, meaning chat access token is NOT ENCRYPTED in the ISO.\" xor(1-255)\r\n        $str1 = \"Leaking the ISO will result in chat access token leak!\" xor(1-255)\r\n        $str2 = \"It's highly recommended to EJECT and DELETE the ISO right after system boot.\" xor(1-255)\r\n        $str3 = \"DO NOT LEAVE THE ISO ON TARGET SYSTEMS!\" xor(1-255)\r\n        $str4 = \"Controller is launched at boot time in tmux session named \\\"controller\\\".\" xor(1-255)\r\n        $str5 = \"It will execute all the tasks and exit.\" xor(1-255)\r\n        $str6 = \"If you've set \\\"shutdown\\\" option at config time it will also shutdown the machine after finishing tasks.\" xor(1-255)\r\n        $str7 = \"If \\\"shutdown\\\" option is not set you can relaunch Controller by running \\\"/app/controller\" xor(1-255)\r\n        $str8 = \"Monitor progress by running \\\"tmux a\\\" with either terminal or ssh connection\" xor(1-255)\r\n        $str9 = \"controller::smb\" xor(1-255)\r\n        $str10 = \": Failed, either no credentials or no ADMIN$ share found\" xor(1-255)\r\n        $str11 = \"bin/controller/src/program.rs\" xor(1-255)\r\n        $str12 = \"/scripts/smb_exec.py\" xor(1-255)\r\n        $str13 = \"No payload configs provided!\" xor(1-255)\r\n        $str14 = \"Can't deserialize config\" xor(1-255)\r\n        $str15 = \"controller::program\" xor(1-255)\r\n    condition:\r\n        any of them\r\n}\r\n
rule u42_crime_win_blackcat\r\n{\r\n    meta:\r\n        author = \"Unit 42 Threat Intelligence\"\r\n        date = \"2023-10-12\"\r\n        description = \"Identifies the BlackCat ransomware malware family, which is written in the Rust programming language.\"\r\n        hash = \"b4dd6e689b80cfcdd74b0995250d63d76ab789f1315af7fe326122540cddfad2\"\r\n        reference = \"https://unit42.paloaltonetworks.com/blackcat-ransomware/\"\r\n    strings:\r\n        $str0 = \"paths_file\" xor(1-255)\r\n        $str1 = \"override_credentials\" xor(1-255)\r\n        $str2 = \"disable_recursion\" xor(1-255)\r\n        $str3 = \"disable_network\" xor(1-255)\r\n        $str4 = \"disable_elevate_to_system\" xor(1-255)\r\n        $str5 = \"disable_self_propagation\" xor(1-255)\r\n        $str6 = \"self_destruct\" xor(1-255)\r\n        $str7 = \"The following required argument was not provided: Path to resource to be processed.\" xor(1-255)\r\n        $str8 = \"Resource is one of:\" xor(1-255)\r\n        $str9 = \"Path to local or remote File\" xor(1-255)\r\n        $str10 = \"Path to local or remote Directory\" xor(1-255)\r\n        $str11 = \"Path to remote server, i.e. \\\"\\\\10.0.0.1\\\"\" xor(1-255)\r\n        $str12 = \"If no paths provided:\" xor(1-255)\r\n        $str13 = \"A full scan in all available resources will be performed.\" xor(1-255)\r\n        $str14 = \"(you can provide multiple, single or no paths, i.e.: \\\"-p /home -p /opt\\\")\" xor(1-255)\r\n        $str15 = \"Override config credentials:\\n\\nFormat:\\n\\nusername:password\\n\\n\" xor(1-255)\r\n        $str16 = \"If Resource is a directory and this option is defined, only direct children of that directory will be processed\" xor(1-255)\r\n        $str17 = \"disable-recursion\" xor(1-255)\r\n        $str18 = \"DISABLE_NETWORK\" xor(1-255)\r\n        $str19 = \"Disable automatic network discovery\" xor(1-255)\r\n        $str20 = \"disable-network\" xor(1-255)\r\n        $str21 = \"DISABLE_ELEVATE_TO_SYSTEM\" xor(1-255)\r\n        $str22 = \"Do not attempt to elevalte access token to system\" xor(1-255)\r\n        $str23 = \"disable-elevate-to-system\" xor(1-255)\r\n        $str24 = \"DISABLE_SELF_PROPAGATION\" xor(1-255)\r\n        $str25 = \"Disable network self propagation\" xor(1-255)\r\n        $str26 = \"Network propagation is disabled by default in case you provided \u003c\" xor(1-255)\r\n        $str27 = \"Attach to parent console instead of allocating new one\" xor(1-255)\r\n        $str28 = \"If no command provided an interactive client will be launched, otherwise client will send provided command and exit.\" xor(1-255)\r\n    condition:\r\n        3 of them\r\n}\r\nSource: https://unit42.paloaltonetworks.com/blackcat-ransomware-releases-new-utility-munchkin/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/blackcat-ransomware-releases-new-utility-munchkin/"
	],
	"report_names": [
		"blackcat-ransomware-releases-new-utility-munchkin"
	],
	"threat_actors": [],
	"ts_created_at": 1775434658,
	"ts_updated_at": 1775791207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8864756118098f0a8bbd3dabce06407f8746f801.pdf",
		"text": "https://archive.orkl.eu/8864756118098f0a8bbd3dabce06407f8746f801.txt",
		"img": "https://archive.orkl.eu/8864756118098f0a8bbd3dabce06407f8746f801.jpg"
	}
}