{
	"id": "fece2e3a-b25c-4e19-a8cc-dc98320d8a7a",
	"created_at": "2026-04-06T00:18:22.630547Z",
	"updated_at": "2026-04-10T03:30:51.893045Z",
	"deleted_at": null,
	"sha1_hash": "e03507dfb666e11df69ad415e99c32a6a85d3e28",
	"title": "Microsoft: BlackCat's Sphynx ransomware embeds Impacket, RemCom",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1559770,
	"plain_text": "Microsoft: BlackCat's Sphynx ransomware embeds Impacket, RemCom\r\nBy Lawrence Abrams\r\nPublished: 2023-08-17 · Archived: 2026-04-05 12:40:52 UTC\r\nMicrosoft has discovered a new version of the BlackCat ransomware that embeds the Impacket networking framework and the RemCom hacking tool, both of which enable lateral movement across a breached network.\r\nIn April, cybersecurity researcher VX-Underground tweeted about a new BlackCat/ALPHV encryptor version called Sphynx.\r\n\"We are pleased to inform you that testing of basic features ALPHV/BlackCat 2.0: Sphynx is completed,\" said the BlackCat operators in a message to their affiliates.\r\n\"The code, including encryption, has been completely rewritten from scratch. By default all files are frozen. The main priority of this update was to optimize detection by AV/EDR,\" the ransomware operation further explained.\r\nSoon after, IBM Security X-Force performed a deep dive into the new BlackCat encryptor, warning that the encryptor had evolved into a toolkit.\r\nThis was based on strings in the executable indicating that it contained Impacket, which is used for post-exploitation functions such as remote execution and dumping secrets from processes.\r\nImpacket strings found by IBM X-Force\r\nSource: IBM\r\nThe BlackCat Sphynx encryptor\r\nIn a series of posts today, Microsoft's Threat Intelligence team says it has also analyzed the new Sphynx version and found that it uses the Impacket framework to spread laterally on compromised networks.\r\n\"Microsoft has observed a new version of the BlackCat ransomware being used in recent campaigns,\" posted Microsoft. \"This version includes the open-source communication framework tool Impacket, which threat actors use to facilitate lateral movement in target environments.\"\r\nImpacket is described as an open-source collection of Python classes for working with network protocols.\r\nHowever, it is more commonly used as a post-exploitation toolkit by penetration testers, red teamers, and threat actors to spread laterally on a network, dump credentials from processes, perform NTLM relay attacks, and much more.\r\nImpacket has become very popular among threat actors who breach a device on a network and then use the framework to obtain elevated credentials and gain access to other devices.\r\nAccording to Microsoft, the BlackCat operation is using the Impacket framework for credential dumping and remote service execution to deploy the encryptor across an entire network.\r\nIn addition to Impacket, Microsoft says the encryptor embeds the RemCom hacking tool, a small remote shell that allows the encryptor to execute commands on other devices on the network.\r\nIn a private Microsoft 365 Defender Threat Analytics advisory seen by BleepingComputer, Microsoft says it has seen this new encryptor used by the BlackCat affiliate 'Storm-0875' since July 2023.\r\nMicrosoft is identifying this new version as BlackCat 3.0, even though, as noted above, the ransomware operation calls it 'Sphynx' or 'BlackCat/ALPHV 2.0' in communications with affiliates.\r\nSample of a BlackCat ransom note\r\nAn ever-evolving ransomware gang\r\nBlackCat, aka ALPHV, launched its operation in November 2021 and is believed to be a rebrand of the DarkSide/BlackMatter gang, which was responsible for the attack on Colonial Pipeline.\r\nThe ransomware gang has always been considered one of the most advanced and top-tier ransomware operations, constantly evolving its operation with new tactics.\r\nFor example, as a new extortion tactic last summer, the gang created a clearweb website dedicated to leaking data for a particular victim, so customers and employees could check whether their data was exposed.\r\nMore recently, the threat actors created a data leak API, allowing for easier dissemination of stolen data.\r\nWith the BlackCat encryptor evolving from a standalone encryptor into a full-fledged post-exploitation toolkit, ransomware affiliates can deploy file encryption across a network more quickly.\r\nAs it is vital to detect ransomware attacks as soon as they occur, bundling these tools into the encryptor only makes the defenders' job harder.\r\nSource: https://www.bleepingcomputer.com/news/microsoft/microsoft-blackcats-sphynx-ransomware-embeds-impacket-remcom/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/microsoft/microsoft-blackcats-sphynx-ransomware-embeds-impacket-remcom/"
	],
	"report_names": [
		"microsoft-blackcats-sphynx-ransomware-embeds-impacket-remcom"
	],
	"threat_actors": [
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434702,
	"ts_updated_at": 1775791851,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e03507dfb666e11df69ad415e99c32a6a85d3e28.pdf",
		"text": "https://archive.orkl.eu/e03507dfb666e11df69ad415e99c32a6a85d3e28.txt",
		"img": "https://archive.orkl.eu/e03507dfb666e11df69ad415e99c32a6a85d3e28.jpg"
	}
}