{
	"id": "58e304ed-ea42-416b-b7b7-318b42f876b5",
	"created_at": "2026-04-06T01:30:24.144983Z",
	"updated_at": "2026-04-10T03:21:13.27648Z",
	"deleted_at": null,
	"sha1_hash": "e7d841fc3a5aeb796f82b69299ed4cd7de20e103",
	"title": "Taking off the Blackshades",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1424044,
	"plain_text": "Taking off the Blackshades\r\nBy Adam Kujawa\r\nPublished: 2014-05-29 · Archived: 2026-04-06 00:31:36 UTC\r\nAbout two years ago, I wrote a series of blog posts that covered a particular Remote Access Trojan (RAT) known\r\nas Blackshades. The posts covered how Blackshades was used against Syrian rebels, how the co-creator was\r\narrested and a detailed analysis of the RAT functionality.  \r\nWell if you haven’t heard, they are back in the news again, this time because of a massive global effort by law\r\nenforcement to take down the RAT once and for all.\r\nhttps://blog.malwarebytes.com/threat-analysis/2014/05/taking-off-the-blackshades/\r\nPage 1 of 9\n\nLast Monday, a mass arrest took place against not only the creators and distributors of Blackshades but also the\r\ncustomers.  More than 90 people were arrested globally for being somehow involved with Blackshades in the\r\nlargest offensive move against RATs ever done by global law enforcement.\r\nCan you ever get rid of RATs?\r\nSo what does this mean for the current and potential victims of Blackshades and RAT technology?  
\r\nFortunately, the interest in Blackshades has decreased due to an array of different issues with the product.\r\nCustomers are no longer trusting of the tool, not only because of the arrests but also because of bugged versions that were discovered to open a backdoor onto the attacker’s system, essentially turning a bad guy into just another victim.\r\n“For Newcomers I can tell, don’t touch RAT’s like Blackshades, because they are backdoored and outdated…”\r\nUnfortunately, when one tool or bad guy gets busted in the cyber-crime community, it doesn’t stop the crime but merely modifies its execution.\r\nAlready, criminals who were considering using Blackshades have sought out different tools that are a bit less popular in the hopes that they can still achieve their malicious goal without the greater risk of being busted by the FBI.\r\nThe appeal of Blackshades was that it was often updated and had been used so widely that its popularity brought droves of potential customers to its door.\r\nThe Freemium Model\r\nBlackshades was usually sold for $40 a pop for the most updated version. This amount also came with customer support and access to new updates for the software.\r\nHowever, paying wasn’t the only option. In my previous blog posts about Blackshades, namely ‘You Dirty Rat Part 2’, I obtained a free (cracked) version of Blackshades for testing purposes.\r\nBlackshades Server Binary Builder\r\nThe software was an older version than the one currently available, so some of the more advanced features were not available.\r\nIn addition, while many ‘free’ versions of Blackshades usually come bundled with a backdoor or additional malware to infect the criminals, this one was completely clean.\r\nJust a sample of the kind of junk I got infected with looking for a legitimate version of Blackshades\r\nI didn’t get my hands on a free version by simply asking around my cyber criminal buddies or being part of some underground forum; all I had to do was search around online a little bit until I found one. Something that even a kid could do.\r\nAn advertisement for a cracked version of Blackshades on an overworld hacker forum\r\nThe Real Danger\r\nSo if you are wondering whether an outdated version of Blackshades is even a threat, the answer is absolutely. Though it’s necessary to talk about the real threat associated with any malware: the delivery method and crypters.\r\nDelivery method refers to how the malware actually gets on the system. The easy methods are things like a mass phishing email that makes you download and execute some program; not many people fall for that.\r\nThen of course there is the act of social engineering, via bot or manually, using things like Skype or Facebook to trick someone into trusting the criminal and then getting them to install the malware.\r\nThe third threat is drive-by exploits.\r\nWe have seen many types of malware distributed by drive-by exploits. All this attack requires is that a victim visit a certain website that exploits an application through the browser, something like Java or Flash. Usually this is a huge concern if the victim has failed to update those applications with security patches.\r\nNext up are crypters, which are basically just applications that apply a custom algorithm to the malware binary, mixing up the code and making it difficult to detect using traditional passive scan methods.\r\nThis means that if an old version of Blackshades was encrypted with a modern crypter tool, it could potentially bypass an antivirus scan and even email filters that check for malware (Thanks Gmail!).\r\nCrypters are the real underground market commodity, and since they are usually created by individuals or small teams and then sold to bot herders, it is unlikely that we will see a mass arrest of the entire crypter industry. They are also usually sold for far more than the malware itself; in fact, Blackshades had a built-in crypter marketplace in its control panel, to make it easy for the bad guys to find a crypter and apply it to their malware.\r\nCrypter marketplace — built into Blackshades interface\r\nLucky for us, most antivirus and anti-malware software includes active protection that will detect the operations of the malware after it has “decrypted” itself, which all malware must do before it can actually run on the system.\r\nIn addition, a scan with a security product AFTER the malware has been installed will most likely remove it from your system, no problem.\r\nProactive Protection\r\nSo what can you do to protect yourself from RATs? Well, common security practices are always recommended, but specifically with this type of threat:\r\nInstall security software, be it a free or paid version of something like Malwarebytes Anti-Malware, Kaspersky AV or whatever you want, as long as it stays updated and can detect the most common RATs.\r\nPut a piece of opaque tape over your webcam OR unplug your webcam (if possible).\r\nKeep your microphone muted when not using it. You can do this through the operating system in many cases.\r\nA common trick used by bad guys controlling a RAT is to paste the contents of whatever is currently loaded in the system’s copy cache (the clipboard). It’s important that whenever you copy something sensitive, like a password, you copy something less important when you are done.\r\nLog off of social media when you are done using it; a RAT can take control of your browser, including a valid and open session of a social media site, allowing them to post on your behalf.\r\nBe suspicious of everything: if your mouse moves on its own, if your cursor suddenly types something that you don’t remember typing, or if a window closes or opens on its own, maybe it’s a good time to run a deep scan.\r\nIs It Over?\r\nLike I mentioned before, the threats that RATs pose will never be over, at least not for a while. We will see an evolution of their ability based on the market needs and the capabilities of hardware and software; you can expect that much of a change.\r\nAs far as Blackshades being done with, it’s possible that a lack of interest due to the high profile of this malware might drive away a large portion of the market, in which case Blackshades won’t be updated and its functionality will become obsolete.\r\nIt will only be a matter of time, though, until we see the next big RAT malware making its way from underground forums to user systems; we certainly know there are plenty of them that can take the throne.\r\nA listing of different RATs being advertised on hacker forums\r\nThe Bright Side\r\nWhile RATs are incredibly dangerous, the bright side is that they are very inefficient.\r\nThe largest customer group for Remote Access Trojans is individuals or small groups who just want to use it to mess with people or steal valuable and sensitive information (images included). Even still, the time and effort it takes to launch an attack using a RAT and obtain anything juicy against a stranger is usually greater than most cyber criminals have the patience for.\r\nThe bottom line is that while RATs are a danger and you should keep an eye out for the possibility of one running on your system, we can all be even more afraid of things like Ransomware and Banker Trojans that have been skillfully created for the purpose of efficient user destruction.\r\nThanks for reading and safe surfing! @kujman5000\r\nAbout the author\r\nOver 14 years of experience fighting malware on the front lines and behind the scenes. Frequently anachronistic.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2014/05/taking-off-the-blackshades/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2014/05/taking-off-the-blackshades/"
	],
	"report_names": [
		"taking-off-the-blackshades"
	],
	"threat_actors": [],
	"ts_created_at": 1775439024,
	"ts_updated_at": 1775791273,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e7d841fc3a5aeb796f82b69299ed4cd7de20e103.pdf",
		"text": "https://archive.orkl.eu/e7d841fc3a5aeb796f82b69299ed4cd7de20e103.txt",
		"img": "https://archive.orkl.eu/e7d841fc3a5aeb796f82b69299ed4cd7de20e103.jpg"
	}
}