{
	"id": "f22b4703-8d1a-4b95-bb3b-e430962a9758",
	"created_at": "2026-04-06T00:12:09.132385Z",
	"updated_at": "2026-04-10T13:11:52.198548Z",
	"deleted_at": null,
	"sha1_hash": "e5a8268fa1658a97666f2d1567f9a74309f824e9",
	"title": "New Buhti ransomware gang uses leaked Windows, Linux encryptors - RedPacket Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52824,
	"plain_text": "New Buhti ransomware gang uses leaked Windows, Linux encryptors - RedPacket Security\r\nBy March 30, 2026\r\nPublished: 2023-05-26 · Archived: 2026-04-05 15:03:18 UTC\r\nA new ransomware operation named ‘Buhti’ uses the leaked code of the LockBit and Babuk ransomware families to target Windows and Linux systems, respectively.\r\nWhile the threat actors behind Buhti, now tracked as ‘Blacktail,’ have not developed their own ransomware strain, they have created a custom data exfiltration utility that they use to blackmail victims, a tactic known as “double extortion.”\r\nBuhti was first spotted in the wild in February 2023 by Palo Alto Networks’ Unit 42 team, which identified it as a Go-based, Linux-targeting ransomware.\r\nA report published today by Symantec’s Threat Hunter team shows that Buhti also targets Windows, using a slightly modified LockBit 3.0 variant codenamed “LockBit Black.”\r\nRansomware recycling\r\nBlacktail uses the Windows LockBit 3.0 builder that a disgruntled developer leaked on Twitter in September 2022.\r\nSuccessful attacks change the wallpaper of the breached computers to tell victims to open the ransom note, while all encrypted files receive the “.buhti” extension.\r\nBuhti ransom note (Unit 42)\r\nFor Linux attacks, Blacktail uses a payload based on the Babuk source code that a threat actor posted on a Russian-speaking hacking forum in September 2021.\r\nEarlier this month, SentinelLabs and Cisco Talos highlighted cases of new ransomware operations using Babuk to attack Linux systems.\r\nWhile malware reuse is generally considered a sign of less sophisticated actors, in this case multiple ransomware groups gravitate towards Babuk because of its proven ability to compromise VMware ESXi and Linux systems, which are very profitable targets for cybercriminals.\r\nBlacktail’s traits\r\nhttps://www.redpacketsecurity.com/new-buhti-ransomware-gang-uses-leaked-windows-linux-encryptors/\r\nPage 1 of 4\r\nBlacktail isn’t merely a copycat that repurposes other hackers’ tools with minimal modifications. Instead, the new group uses its own custom exfiltration tool and a distinct network infiltration strategy.\r\nSymantec reports that Buhti attacks have been leveraging the recently disclosed PaperCut NG and MF RCE vulnerability that the LockBit and Clop gangs have also exploited.\r\nThe attackers rely on CVE-2023-27350 to install Cobalt Strike, Meterpreter, Sliver, AnyDesk, and ConnectWise on target computers, using them to steal credentials, move laterally into compromised networks, steal files, launch additional payloads, and more.\r\nIn February, the gang exploited CVE-2022-47986, a critical remote code execution flaw impacting the IBM Aspera Faspex file exchange product.\r\nBuhti’s exfiltration tool is a Go-based stealer that accepts command-line arguments specifying which directories in the filesystem to target.\r\nThe tool targets the following file types for theft: pdf, php, png, ppt, psd, rar, raw, rtf, sql, svg, swf, tar, txt, wav, wma, wmv, xls, xml, yml, zip, aiff, aspx, docx, epub, json, mpeg, pptx, xlsx, and yaml.\r\nThe files are copied into a ZIP archive and later exfiltrated to Blacktail’s servers.\r\nBlacktail, and its ransomware operation Buhti, are a modern example of how easy it is for aspiring threat actors to spring into action using effective malware tools and cause significant damage to organizations.\r\nFurthermore, the leaked LockBit and Babuk source code can be used by existing ransomware gangs who want to rebrand under a different name, leaving no connection to their previous encryptors.\r\nKaspersky researcher Marc Rivero told BleepingComputer that they have witnessed hits on Czechia, China, the United Kingdom, Ethiopia, the United States, France, Belgium, India, Estonia, Germany, Spain, and Switzerland.\r\nThis means that Buhti is already a very active ransomware operation, and Blacktail remains a significant threat for organizations worldwide.\r\nBlacktail’s tactic of quickly adopting exploits for newly disclosed vulnerabilities makes them a potent threat that calls for increased vigilance and proactive defense strategies like timely patching.\r\nUpdate 5/25 – Article updated to add extra info from Kaspersky\r\nSource: https://www.redpacketsecurity.com/new-buhti-ransomware-gang-uses-leaked-windows-linux-encryptors/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.redpacketsecurity.com/new-buhti-ransomware-gang-uses-leaked-windows-linux-encryptors/"
	],
	"report_names": [
		"new-buhti-ransomware-gang-uses-leaked-windows-linux-encryptors"
	],
	"threat_actors": [
		{
			"id": "a9670e60-de2b-4c77-97ea-28e73f92902a",
			"created_at": "2023-11-30T02:00:07.264397Z",
			"updated_at": "2026-04-10T02:00:03.480707Z",
			"deleted_at": null,
			"main_name": "Blacktail",
			"aliases": [],
			"source_name": "MISPGALAXY:Blacktail",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434329,
	"ts_updated_at": 1775826712,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e5a8268fa1658a97666f2d1567f9a74309f824e9.pdf",
		"text": "https://archive.orkl.eu/e5a8268fa1658a97666f2d1567f9a74309f824e9.txt",
		"img": "https://archive.orkl.eu/e5a8268fa1658a97666f2d1567f9a74309f824e9.jpg"
	}
}