{
	"id": "e37dae67-8dd3-4d07-b2cd-f458ca30a8c2",
	"created_at": "2026-04-06T00:11:35.217266Z",
	"updated_at": "2026-04-10T13:11:36.1163Z",
	"deleted_at": null,
	"sha1_hash": "b14aed4027149dec8568f0533b406f56640175d8",
	"title": "BlackEnergy",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 91052,
	"plain_text": "BlackEnergy\r\nBy Contributors to Wikimedia projects\r\nPublished: 2018-04-08 · Archived: 2026-04-05 14:52:25 UTC\r\nFrom Wikipedia, the free encyclopedia\r\nBlackEnergy malware was first reported in 2007 as an HTTP-based toolkit that generated bots to execute distributed denial of service attacks.[1] It was created by Russian hacker Dmytro Oleksiuk around 2007. Oleksiuk also utilized the alias Cr4sh.[2] In 2010, BlackEnergy 2 emerged with capabilities beyond DDoS. In 2014, BlackEnergy 3 came equipped with a variety of plug-ins.[3] A Russia-based group known as Sandworm (aka Voodoo Bear) is attributed with using BlackEnergy in targeted attacks. The attack is distributed via a Word document or PowerPoint attachment in an email, luring victims into clicking the seemingly legitimate file.[4]\r\nBlackEnergy 1 (BE1)\r\nBlackEnergy's code facilitates different attack types to infect target machines. It is also equipped with server-side scripts which the perpetrators can develop in the command and control (C\u0026C) server. Cybercriminals use the BlackEnergy bot builder toolkit to generate customized bot client executable files that are then distributed to targets via email spam and phishing e-mail campaigns.[5] BE1 lacks exploit functionality and relies on external tools to load the bot.[6] BlackEnergy can be detected using the YARA signatures provided by the United States Department of Homeland Security (DHS).[6]\r\nCan target more than one IP address per hostname\r\nHas a runtime encrypter to evade detection by antivirus software\r\nHides its processes in a system driver (syssrv.sys)\r\nDDoS attack commands (e.g. ICMP flood, TCP SYN flood, UDP flood, HTTP GET flood, DNS flood, etc.)[1]\r\nDownload commands to retrieve and launch new or updated executables from its server\r\nControl commands (e.g. stop, wait, or die)\r\nBlackEnergy 2 (BE2)\r\nBlackEnergy 2 uses sophisticated rootkit/process-injection techniques, robust encryption, and a modular architecture known as a \"dropper\".[7] This decrypts and decompresses the rootkit driver binary and installs it on the victim machine as a server with a randomly generated name. As an update on BlackEnergy 1, it combines older rootkit source code with new functions for unpacking and injecting modules into user processes.[7] Packed content is compressed using the LZ77 algorithm and encrypted using a modified version of the RC4 cipher. A hard-coded 128-bit key decrypts embedded content. For decrypting network traffic, the cipher uses the bot's unique identification string as the key. A second variation of the encryption/compression scheme adds an initialization vector to the modified RC4 cipher for additional protection in the dropper and rootkit unpacking stub, but it is not used in the inner rootkit nor in the userspace modules. The primary modification in the RC4 implementation in BlackEnergy 2 lies in the key-scheduling algorithm.[7]\r\nCan execute local files\r\nCan download and execute remote files\r\nUpdates itself and its plugins with command and control servers\r\nCan execute die or destroy commands\r\nBlackEnergy 3 (BE3)\r\nThe latest full version of BlackEnergy emerged in 2014. The changes simplified the malware code: this version's installer drops the main dynamically linked library (DLL) component directly to the local application data folder.[8] This variant of the malware was involved in the December 2015 Ukraine power grid cyberattack.[9][3]\r\nfs.dll — File system operations\r\nsi.dll — System information, “BlackEnergy Lite”\r\njn.dll — Parasitic infector\r\nki.dll — Keystroke logging\r\nps.dll — Password stealer\r\nss.dll — Screenshots\r\nvs.dll — Network discovery, remote execution\r\ntv.dll — TeamViewer\r\nrd.dll — Simple pseudo “remote desktop”\r\nup.dll — Update malware\r\ndc.dll — List Windows accounts\r\nbs.dll — Query system hardware, BIOS, and Windows info\r\ndstr.dll — Destroy system\r\nscan.dll — Network scan\r\n1. Nazario, Jose (October 2007). \"BlackEnergy DDoS Bot Analysis\" (PDF). Arbor Networks. Archived from the original (PDF) on 21 February 2020. Retrieved 17 April 2019.\r\n2. Greenberg, Andy (2019). Sandworm: a new era of cyberwar and the hunt for the Kremlin's most dangerous hackers. New York: Doubleday. ISBN 978-0-385-54440-5.\r\n3. \"Updated BlackEnergy Trojan Grows More Powerful - McAfee Blogs\". 14 January 2016.\r\n4. \"Details on August BlackEnergy PowerPoint Campaigns\". 4 October 2014.\r\n5. \"BlackEnergy APT Malware - RSA Link\". community.rsa.com. 23 March 2016. Archived from the original on 18 April 2018. Retrieved 15 April 2018.\r\n6. Khan, Rafiullah; Maynard, Peter; McLaughlin, Kieran; Laverty, David M.; Sezer, Sakir (1 October 2016). Threat Analysis of BlackEnergy Malware for Synchrophasor based Real-time Control and Monitoring in Smart Grid (PDF). Proceedings of the 4th International Symposium for ICS \u0026 SCADA Cyber Security Research 2016. doi:10.14236/ewic/ICS2016.7. Archived from the original (PDF) on 20 October 2016. Retrieved 5 November 2022.\r\n7. Joe Stewart (3 March 2010). \"BlackEnergy Version 2 Threat Analysis\". www.secureworks.com.\r\n8. \"ThreatSTOP Report: BlackEnergy\" (PDF). threatstop.com. 7 March 2016. Archived (PDF) from the original on 28 May 2022. Retrieved 5 November 2022.\r\n9. Cherepanov A., Lipovsky R. (7 October 2016). \"BlackEnergy – what we really know about the notorious cyber attacks\" (PDF).\r\nSource: https://en.wikipedia.org/wiki/BlackEnergy",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://en.wikipedia.org/wiki/BlackEnergy"
	],
	"report_names": [
		"BlackEnergy"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434295,
	"ts_updated_at": 1775826696,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b14aed4027149dec8568f0533b406f56640175d8.pdf",
		"text": "https://archive.orkl.eu/b14aed4027149dec8568f0533b406f56640175d8.txt",
		"img": "https://archive.orkl.eu/b14aed4027149dec8568f0533b406f56640175d8.jpg"
	}
}