Blacktail

Threat Actor Profile Updated 3 months ago
Blacktail is a recognized threat actor whose modus operandi has been evolving. Recent findings from Symantec indicate that Blacktail now leverages modified versions of the leaked LockBit 3.0 and Babuk ransomware source code to target Windows and Linux systems respectively. Repurposing leaked payloads is usually a sign of a less-skilled operation, but the group's overall competence in executing attacks and its readiness to exploit newly discovered vulnerabilities point to a more sophisticated operation.

The group's activities have been monitored since it was first identified as the operator behind Buhti. Blacktail has shown proficiency in exploiting recent vulnerabilities, such as CVE-2023-27350, a PaperCut NG/MF flaw that leads to remote code execution. This vulnerability has been exploited in the wild since mid-April, indicating the group's agility in capitalizing on new exploits. Despite the rebranding, Blacktail continues to use at least one piece of custom malware: a data exfiltration tool written in Go that is designed to steal files with specific extensions prior to encryption.

In summary, Blacktail represents a significant threat because of its ability to adapt and to leverage both existing and emerging vulnerabilities. Its use of a custom data exfiltration utility highlights its technical capability. As the group continues to target organizations globally, defenders should keep track of Blacktail's evolving tactics and tools in order to mitigate the risk it poses.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names / profiles you may also want to look at.
ID | Votes | Profile Description
Buhti | 1 | Buhti is a malicious software, or malware, that was first highlighted by Palo Alto Networks Unit 42 in February 2023. It is a Golang ransomware targeting Linux systems. The Buhti ransomware operation was further detailed by Symantec's Threat Hunter Team in May of the same year. Its payload included
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Cybercrime
Vulnerability
Remote Code ...
Ransomware
Windows
Linux
Encryption
Malware
Exploits
Papercut
Associated Malware
ID | Type | Votes | Profile Description
LockBit | Unspecified | 1 | LockBit is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It can enter your system through various channels such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt
Babuk | Unspecified | 1 | Babuk is a type of malware, specifically ransomware, which is designed to infiltrate systems and hold data hostage for ransom. It can be delivered through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, Babuk can disrupt operations and steal perso
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2023-27350 | Unspecified | 1 | CVE-2023-27350 is a significant software vulnerability discovered in PaperCut NG/MF, a popular print management software. This flaw in software design or implementation allows attackers to bypass authentication and execute code with system privileges, posing a serious threat to both server and inter
Source Document References
Information about the Blacktail Threat Actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 10 months ago | Those vulnerabilities that need more than a patch | LeMagIT
CERT-EU | a year ago | LockBit Builder Leak Leads to Flood of Ransomware Variants
CERT-EU | a year ago | Buhti: New Ransomware Operation Relies on Repurposed Payloads
CERT-EU | a year ago | Buhti Ransomware Gang Switches Tactics, Utilizes Leaked LockBit and Babuk Code
CERT-EU | a year ago | Blacktail: Unveiling the tactics of a notorious cybercrime group | IT Security News
CERT-EU | a year ago | Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU | a year ago | Blacktail: Unveiling the tactics of a notorious cybercrime group - Cybersecurity Insiders