Blacktail

Threat Actor Profile Updated 13 days ago
Blacktail is a threat actor that has been tracked since it was identified as the operator behind the Buhti ransomware operation, and its tooling has changed noticeably in that time. Recent findings from Symantec indicate that the group now deploys modified builds of the leaked LockBit 3.0 and Babuk ransomware source code against Windows and Linux systems respectively. Reuse of leaked payloads is usually a marker of a low-skill operation; in Blacktail's case it is paired with competent execution of intrusions and a readiness to weaponise newly disclosed vulnerabilities, which points to a more capable operator than the borrowed code alone would suggest.

The group moves quickly on new vulnerabilities. One example is CVE-2023-27350, a flaw in PaperCut NG/MF that leads to remote code execution and has been exploited in the wild since mid-April 2023. Blacktail's adoption of this exploit within weeks of its disclosure illustrates how fast the group folds public vulnerabilities into its operations.

Despite the switch to repurposed ransomware payloads, Blacktail continues to use at least one piece of custom malware: a data exfiltration tool written in Go that collects files with specific extensions before the ransomware encrypts them.

In summary, Blacktail is a significant threat because it adapts its toolset readily and exploits both long-standing and newly published vulnerabilities. Its custom exfiltration utility shows that the group retains in-house development capability alongside its borrowed encryptors. As Blacktail continues to target organisations worldwide, defenders should track its evolving tactics and tools, and in particular keep internet-facing software such as PaperCut NG/MF patched promptly, to limit the group's opportunities.
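The practical check that follows from the CVE-2023-27350 paragraph is whether any PaperCut NG/MF server in an estate is still on a pre-fix build. The script below is an added example written for this page, not code from the profile, from Symantec, or from PaperCut. It assumes the fixed versions published in PaperCut's own advisory for CVE-2023-27350 (20.1.7, 21.2.11 and 22.0.9 or later, with 8.0 and later affected); the host inventory it runs over is constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Fixed builds per release branch, as published in PaperCut's advisory for
# CVE-2023-27350. These values are an assumption taken from the vendor
# advisory; the threat actor profile above does not list them.
FIXED_BY_MAJOR: Dict[int, Tuple[int, int, int]] = {
    20: (20, 1, 7),
    21: (21, 2, 11),
    22: (22, 0, 9),
}
# The advisory scopes the flaw to PaperCut MF/NG 8.0 and later.
FIRST_AFFECTED: Tuple[int, int, int] = (8, 0, 0)


def parse_version(banner: str) -> Tuple[int, int, int]:
    """Pull major.minor.patch out of a version banner such as
    '22.0.8 (Build 65611)' or 'PaperCut MF 21.2.10'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no dotted version in {banner!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(banner: str) -> str:
    """Classify one PaperCut version banner against CVE-2023-27350.

    Returns one of:
      'not-affected'             - older than 8.0, outside the advisory scope
      'vulnerable'               - on a branch with a fix, but below it
      'vulnerable-upgrade-branch'- 8.x to 19.x: no fix on that branch, must
                                   move to a fixed branch
      'fixed'                    - at or above the fixed build for the branch,
                                   or a branch released after the fix
    """
    v = parse_version(banner)
    if v < FIRST_AFFECTED:
        return "not-affected"
    fixed = FIXED_BY_MAJOR.get(v[0])
    if fixed is None:
        # 8.x-19.x never received a patched build; 23+ shipped after the fix.
        return "vulnerable-upgrade-branch" if v[0] < 20 else "fixed"
    return "fixed" if v >= fixed else "vulnerable"


def hosts_needing_action(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames whose PaperCut build still needs an upgrade."""
    return sorted(
        host for host, banner in inventory.items()
        if assess(banner).startswith("vulnerable")
    )


# Constructed inventory for illustration only (hostnames and versions are
# made up, not observed data).
SAMPLE_INVENTORY: Dict[str, str] = {
    "print-01.corp.example": "22.0.8 (Build 65611)",
    "print-02.corp.example": "22.0.9 (Build 65612)",
    "print-03.corp.example": "PaperCut MF 21.1.3",
    "print-04.corp.example": "19.2.5",
    "print-05.corp.example": "23.0.1",
}

if __name__ == "__main__":
    for host, banner in SAMPLE_INVENTORY.items():
        print(f"{host:24} {banner:24} {assess(banner)}")
    print("needs action:", hosts_needing_action(SAMPLE_INVENTORY))
```

Branch handling is the point worth noting: a plain "is the version above 22.0.9" comparison would wrongly clear 21.2.10 and wrongly flag 20.1.7, so the check keys the fixed build on the major version and only falls back to a blanket verdict for branches that never received a fix or were released after it.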
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Blacktail threat actor was read from the document corpus below. This display is limited to 20 results.
Source / Created / Title

CERT-EU, a year ago: Blacktail: Unveiling the tactics of a notorious cybercrime group - Cybersecurity Insiders

CERT-EU, a year ago: Buhti Ransomware Gang Switches Tactics, Utilizes Leaked LockBit and Babuk Code

CERT-EU, 10 months ago: Blacktail: Unveiling the tactics of a notorious cybercrime group | IT Security News

CERT-EU, a year ago: Buhti: New Ransomware Operation Relies on Repurposed Payloads

CERT-EU, a year ago: Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation | #ransomware | #cybercrime | National Cyber Security Consulting

CERT-EU, 8 months ago: Those vulnerabilities that need more than a patch (original title: "Ces vulnérabilités qui nécessitent plus qu'un correctif") | LeMagIT

CERT-EU, 9 months ago: LockBit Builder Leak Leads to Flood of Ransomware Variants