{ "id": "77a64b46-c879-4293-8e5e-0c86079043e2", "created_at": "2026-04-06T00:12:52.126184Z", "updated_at": "2026-04-10T13:11:45.682547Z", "deleted_at": null, "sha1_hash": "e46ea158fb056dd54e777b74c661ecb59cb5f92b", "title": "BlackMatter (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 114225, "plain_text": "BlackMatter (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 20:25:28 UTC\r\nThere is no description at this point.\r\n2022-09-28 ⋅ vmware ⋅\r\nESXi-Targeting Ransomware: The Threats That Are After Your Virtual Machines (Part 1)\r\nAvoslocker Babuk Black Basta BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit Luna\r\nRansomEXX RedAlert Ransomware REvil 2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team,\r\nMicrosoft Threat Intelligence Center (MSTIC)\r\nRansomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself\r\nAnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon\r\nATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi\r\nHelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker\r\nPhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT 2022-04-08 ⋅\r\nThe Hacker News ⋅ Ravie Lakshmanan\r\nResearchers Connect BlackCat Ransomware with Past BlackMatter Malware Activity\r\nBlackCat BlackMatter BlackCat BlackMatter 2022-03-17 ⋅ Cisco ⋅ Caitlin Huey, Tiago Pereira\r\nFrom BlackMatter to BlackCat: Analyzing two attacks from one affiliate\r\nBlackCat BlackMatter BlackCat BlackMatter 2022-02-09 ⋅ vmware ⋅ VMWare\r\nExposing Malware in Linux-Based Multi-Cloud Environments\r\nACBackdoor BlackMatter DarkSide Erebus HelloKitty Kinsing PLEAD QNAPCrypt RansomEXX REvil Sysrv-hello TeamTNT Vermilion Strike Cobalt Strike 2022-01-19 ⋅ Mandiant ⋅ Adrian Sanchez Hernandez, Ervin James Ocampo,\r\nPaul Tarter\r\nOne Source to Rule Them All: Chasing AVADDON Ransomware\r\nBlackMatter Avaddon BlackMatter MedusaLocker SystemBC ThunderX 2021-11-18 ⋅ Cisco ⋅ Josh Pyorre\r\nBlackMatter, LockBit, and THOR\r\nBlackMatter LockBit PlugX 2021-11-04 ⋅ CrowdStrike ⋅ Eric Loui, Josh Reynolds\r\nCARBON SPIDER Embraces Big Game Hunting, Part 2\r\nBlackMatter Griffon BlackMatter DarkSide HiddenTear JSSLoader 2021-11-03 ⋅ Group-IB ⋅ Andrey Zhdanov\r\nThe Darker Things BlackMatter and their victims\r\nBlackMatter DarkSide BlackMatter DarkSide 2021-11-03 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nBlackMatter ransomware moves victims to LockBit after shutdown\r\nBlackMatter BlackMatter LockBit 2021-10-22 ⋅ Bleeping Computer ⋅ Ionut Ilascu\r\nDarkSide ransomware rushes to cash out $7 million in Bitcoin\r\nBlackMatter DarkSide BlackMatter DarkSide 2021-10-22 ⋅ Elliptic ⋅ Elliptic Intel\r\nDarkSide bitcoins on the move following government cyberattack against REvil ransomware group\r\nBlackMatter DarkSide BlackMatter DarkSide 2021-10-22 ⋅ The Record ⋅ Catalin Cimpanu\r\nDarkSide ransomware gang moves some of its Bitcoin after REvil got hit by law enforcement\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.blackmatter\r\nPage 1 of 3\n\nBlackMatter DarkSide BlackMatter DarkSide 2021-10-22 ⋅ Twitter (@GelosSnake) ⋅ Omri Segev Moyal\r\nTweet on List of wallets used by Darkside/Blackmatter Operator to split out the money\r\nBlackMatter DarkSide BlackMatter DarkSide 2021-10-18 ⋅ CISA ⋅ US-CERT\r\nAlert (AA21-291A): BlackMatter Ransomware\r\nBlackMatter BlackMatter 2021-10-14 ⋅ YouTube (Uriel Kosayev) ⋅ Uriel Kosayev\r\nDarkSide Ransomware Reverse Engineering\r\nBlackMatter DarkSide BlackMatter DarkSide 2021-10-12 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team\r\nECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity\r\nBabuk BlackMatter DarkSide REvil Avaddon Babuk BlackMatter DarkSide LockBit Mailto REvil 2021-09-23 ⋅\r\nBlackberry ⋅ The BlackBerry Research \u0026 Intelligence Team\r\nThreat Thursday: BlackMatter RaaS - Darker Than DarkSide?\r\nBlackMatter DarkSide BlackMatter DarkSide 2021-09-14 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team\r\nBig Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack\r\nBlackMatter DarkSide REvil Avaddon BlackMatter Clop Conti CryptoLocker DarkSide DoppelPaymer Hades\r\nREvil 2021-09-10 ⋅ S2W LAB Inc. ⋅ S2W TALON\r\nGroove x RAMP : The relation between Groove, Babuk, Payload.bin, RAMP, and BlackMatter\r\nBabuk BlackMatter Babuk BlackMatter 2021-09-08 ⋅ McAfee ⋅ John Fokker, Max Kersten, Thibault Seret\r\nHow Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates\r\nBabuk BlackMatter Babuk BlackMatter CTB Locker 2021-09-08 ⋅ Medium s2wlab ⋅ S2W TALON\r\nGroove’s thoughts on Blackmatter, Babuk, and cheese shortages in the Netherlands\r\nBabuk BlackMatter Babuk BlackMatter 2021-09-02 ⋅ US Department of Health and Human Services ⋅ Health Sector\r\nCybersecurity Coordination Center (HC3)\r\nDemystifying BlackMatter\r\nBlackMatter BlackMatter DarkSide 2021-09-01 ⋅ Medium s2wlab ⋅ Chaewon Moon, Denise Dasom Kim, Jungyeon Lim, S2W\r\nLAB INTELLIGENCE TEAM, Sujin Lim, Yeonghyeon Jeong\r\nBlackMatter x Babuk : Using the same web server for sharing leaked files\r\nBabuk BlackMatter Babuk BlackMatter 2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team\r\nThe Ransomware Threat\r\nBabuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike\r\nConti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex\r\nMimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker 2021-08-09 ⋅ Sophos ⋅ Mark Loman\r\nBlackMatter ransomware emerges from the shadow of DarkSide\r\nBlackMatter BlackMatter 2021-08-06 ⋅ Group-IB ⋅ Andrey Zhdanov\r\nIt's alive! The story behind the BlackMatter ransomware strain\r\nBlackMatter DarkSide BlackMatter DarkSide 2021-08-05 ⋅ Twitter (@VK_intel) ⋅ Vitali Kremez\r\nTweet on Linux variant of BlackMatter\r\nBlackMatter 2021-08-05 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nLinux version of BlackMatter ransomware targets VMware ESXi servers\r\nBlackMatter\r\nThere is no Yara-Signature yet.\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.blackmatter\r\nPage 2 of 3\n\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackmatter\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.blackmatter\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackmatter" ], "report_names": [ "elf.blackmatter" ], "threat_actors": [ { "id": "8670f370-1865-4264-9a1b-0dfe7617c329", "created_at": "2022-10-25T16:07:23.69953Z", "updated_at": "2026-04-10T02:00:04.716126Z", "deleted_at": null, "main_name": "Hades", "aliases": [ "Operation TrickyMouse" ], "source_name": "ETDA:Hades", "tools": [ "Brave Prince", "Gold Dragon", "GoldDragon", "Lovexxx", "Olympic Destroyer", "Running RAT", "RunningRAT", "SOURGRAPE", "running_rat" ], "source_id": "ETDA", "reports": null }, { "id": "9de1979b-40fc-44dc-855d-193edda4f3b8", "created_at": "2025-08-07T02:03:24.92723Z", "updated_at": "2026-04-10T02:00:03.755516Z", "deleted_at": null, "main_name": "GOLD LOCUST", "aliases": [ "Anunak", "Carbanak", "Carbon Spider ", "FIN7 ", "Silicon " ], "source_name": "Secureworks:GOLD LOCUST", "tools": [ "Carbanak" ], "source_id": "Secureworks", "reports": null }, { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f809bfcb-b200-4988-80a8-be78ef6a52ef", "created_at": "2023-01-06T13:46:39.186988Z", "updated_at": "2026-04-10T02:00:03.240002Z", "deleted_at": null, "main_name": "TeamTNT", "aliases": [ "Adept Libra" ], "source_name": "MISPGALAXY:TeamTNT", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c3ca592f-0669-49bd-ab5c-310007ab2fb4", "created_at": "2022-10-25T15:50:23.334495Z", "updated_at": "2026-04-10T02:00:05.264841Z", "deleted_at": null, "main_name": "TeamTNT", "aliases": [ "TeamTNT" ], "source_name": "MITRE:TeamTNT", "tools": [ "Peirates", "MimiPenguin", "LaZagne", "Hildegard" ], "source_id": "MITRE", "reports": null }, { "id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf", "created_at": "2023-01-06T13:46:38.405479Z", "updated_at": "2026-04-10T02:00:02.961112Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "ATK32", "G0046", "G0008", "Sangria Tempest", "ELBRUS", "GOLD NIAGARA", "Coreid", "Carbanak", "Carbon Spider", "JokerStash", "CARBON SPIDER" ], "source_name": "MISPGALAXY:FIN7", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f63c346d-18c8-4821-a56d-fefb1ad7ed5d", "created_at": "2022-10-25T16:07:23.42507Z", "updated_at": "2026-04-10T02:00:04.593122Z", "deleted_at": null, "main_name": "Bronze Starlight", "aliases": [ "Cinnamon Tempest", "DEV-0401", "HighGround", "Operation ChattyGoblin", "SLIME34" ], "source_name": "ETDA:Bronze Starlight", "tools": [ "Agent.dhwf", "Agentemis", "AtomSilo", "Cobalt Strike", "CobaltStrike", "Destroy RAT", "DestroyRAT", "HUI Loader", "Kaba", "Korplug", "LockFile", "Night Sky", "NightSky", "Pandora", "PlugX", "RedDelta", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Xamtrav", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "ed3810b7-141a-4ed0-8a01-6a972b80458d", "created_at": "2022-10-25T16:07:23.443259Z", "updated_at": "2026-04-10T02:00:04.602946Z", "deleted_at": null, "main_name": "Carbanak", "aliases": [ "Anunak", "Carbanak", "Carbon Spider", "ELBRUS", "G0008", "Gold Waterfall", "Sangria Tempest" ], "source_name": "ETDA:Carbanak", "tools": [ "AVE_MARIA", "Agentemis", "AmmyyRAT", "Antak", "Anunak", "Ave Maria", "AveMariaRAT", "BABYMETAL", "BIRDDOG", "Backdoor Batel", "Batel", "Bateleur", "BlackMatter", "Boostwrite", "Cain \u0026 Abel", "Carbanak", "Cl0p", "Cobalt Strike", "CobaltStrike", "DNSMessenger", "DNSRat", "DNSbot", "DRIFTPIN", "DarkSide", "FOXGRABBER", "FlawedAmmyy", "HALFBAKED", "JS Flash", "KLRD", "MBR Eraser", "Mimikatz", "Nadrac", "Odinaff", "POWERPIPE", "POWERSOURCE", "PsExec", "SQLRAT", "Sekur", "Sekur RAT", "SocksBot", "SoftPerfect Network Scanner", "Spy.Agent.ORM", "TEXTMATE", "TeamViewer", "TiniMet", "TinyMet", "Toshliph", "VB Flash", "WARPRISM", "avemaria", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "c69bcda3-0893-4ea1-9ec1-ae016332d283", "created_at": "2023-01-06T13:46:39.410593Z", "updated_at": "2026-04-10T02:00:03.317754Z", "deleted_at": null, "main_name": "BRONZE STARLIGHT", "aliases": [ "DEV-0401", "Cinnamon Tempest", "Emperor Dragonfly", "SLIME34" ], "source_name": "MISPGALAXY:BRONZE STARLIGHT", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f4f16213-7a22-4527-aecb-b964c64c2c46", "created_at": "2024-06-19T02:03:08.090932Z", "updated_at": "2026-04-10T02:00:03.6289Z", "deleted_at": null, "main_name": "GOLD NIAGARA", "aliases": [ "Calcium ", "Carbanak", "Carbon Spider ", "FIN7 ", "Navigator ", "Sangria Tempest ", "TelePort Crew " ], "source_name": "Secureworks:GOLD NIAGARA", "tools": [ "Bateleur", "Carbanak", "Cobalt Strike", "DICELOADER", "DRIFTPIN", "GGLDR", "GRIFFON", "JSSLoader", "Meterpreter", "OFFTRACK", "PILLOWMINT", "POWERTRASH", "SUPERSOFT", "TAKEOUT", "TinyMet" ], "source_id": "Secureworks", "reports": null }, { "id": "a6c351ea-01f1-4c9b-af75-cfbb3b269ed3", "created_at": "2023-01-06T13:46:39.390649Z", "updated_at": "2026-04-10T02:00:03.311299Z", "deleted_at": null, "main_name": "Kinsing", "aliases": [ "Money Libra" ], "source_name": "MISPGALAXY:Kinsing", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bfded1cf-be73-44f9-a391-0751c9996f9a", "created_at": "2022-10-25T15:50:23.337107Z", "updated_at": "2026-04-10T02:00:05.252413Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "FIN7", "GOLD NIAGARA", "ITG14", "Carbon Spider", "ELBRUS", "Sangria Tempest" ], "source_name": "MITRE:FIN7", "tools": [ "Mimikatz", "AdFind", "JSS Loader", "HALFBAKED", "REvil", "PowerSploit", "CrackMapExec", "Carbanak", "Pillowmint", "Cobalt Strike", "POWERSOURCE", "RDFSNIFFER", "SQLRat", "Lizar", "TEXTMATE", "BOOSTWRITE" ], "source_id": "MITRE", "reports": null }, { "id": "d511e74b-96b8-4ab9-88d6-bc183351dbd8", "created_at": "2025-08-07T02:03:24.674685Z", "updated_at": "2026-04-10T02:00:03.800936Z", "deleted_at": null, "main_name": "BRONZE STARLIGHT", "aliases": [ "Cinnamon Tempest ", "DEV-0401 ", "Emperor Dragonfly " ], "source_name": "Secureworks:BRONZE STARLIGHT", "tools": [ "AtomSilo", "Cobalt Strike", "HUI Loader", "Impacket", "LockFile", "NightSky", "Pandora", "PlugX", "Rook" ], "source_id": "Secureworks", "reports": null }, { "id": "81e29474-63ad-4ce8-97db-b1712d5481d5", "created_at": "2024-04-24T02:00:49.570158Z", "updated_at": "2026-04-10T02:00:05.285111Z", "deleted_at": null, "main_name": "Cinnamon Tempest", "aliases": [ "Cinnamon Tempest", "DEV-0401", "Emperor Dragonfly", "BRONZE STARLIGHT" ], "source_name": "MITRE:Cinnamon Tempest", "tools": [ "Pandora", "PlugX", "Cheerscrypt", "Impacket", "Cobalt Strike", "HUI Loader", "Rclone" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434372, "ts_updated_at": 1775826705, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/e46ea158fb056dd54e777b74c661ecb59cb5f92b.pdf", "text": "https://archive.orkl.eu/e46ea158fb056dd54e777b74c661ecb59cb5f92b.txt", "img": "https://archive.orkl.eu/e46ea158fb056dd54e777b74c661ecb59cb5f92b.jpg" } }