Darkbit

Threat Actor Profile Updated 3 months ago
DarkBit is a notable threat actor in the cybersecurity landscape, believed to be sponsored by the Iranian government. The group first gained significant attention after a ransomware and extortion attack on Technion, a leading research university in Israel, in February 2023. During this attack another threat group, DEV-1084, assumed the DarkBit persona, likely to mask its involvement. DarkBit's activities were further analysed in a VB2023 paper titled "Darkbit decoded: analysis of an Iranian-sponsored attack," which examined the group's tactics, techniques, and procedures in depth. The group's modus operandi involves leaving encrypted files with the extension DARKBIT and dropping a ransom note. Its operations have been linked to several malware tools, including Play, Qilin, BianLian, and BlackCat, which are known to partially encrypt files. In response to these threats, CyberArk released a novel ransomware decryptor named White Phoenix in May 2023. This tool enables partial recovery of files subjected to the intermittent encryption performed by the aforementioned ransomware operations. Notably, White Phoenix has been tested against documents that BlackCat had encrypted, showing potential for it to work on files that other malware tools only partially encrypt. DarkBit's activities are not limited to Iran or Israel: the group has also been implicated in a global ransomware spree targeting unpatched VMware servers. Understanding and mitigating the risks posed by DarkBit therefore remains a priority in the cybersecurity sector.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
ID (votes): Profile description
Dev-1084 (1): None
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Telegram
Ransom
Bitcoin
Ransomware
Malware
Israel
Extortion
Cybercrime
Encryption
Encrypt
Apt
School
Reddit
Facebook
Implant
Payload
Youtube
University
Associated Malware
ID (type, votes): Profile description
TrickBot (Unspecified, 1): TrickBot is a notorious form of malware that infiltrates systems to exploit and damage them, often through suspicious downloads, emails, or websites. Once it has breached a system, TrickBot can steal personal information, disrupt operations, and even hold data hostage for ransom. It has been linked
Associated Threat Actors
ID (type, votes): Profile description
AlphV (Unspecified, 2): AlphV, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. This group has been involved in numerous high-profile attacks, including stealing 5TB of data from Morrison Community Hospital and compromising Clarion, a global manufacturer of audio and video equipment for car
BianLian (Unspecified, 1): BianLian is a threat actor that has been increasingly active in cybercrimes. The group is known for its malicious activities, including the execution of actions with harmful intent. In a series of recent events, BianLian has exploited vulnerabilities in JetBrains TeamCity, a continuous integration a
MuddyWater (Unspecified, 1): MuddyWater is an advanced persistent threat (APT) group, also known as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros. This threat actor has been linked to the Iranian Ministry of Intelligence and Security (MOIS) according to a joint advisory from cybersecurity firms. The group empl
Vice Society (Unspecified, 1): Vice Society, a threat actor group known for its malicious activities, has been linked to a series of ransomware attacks targeting various sectors, most notably education and healthcare. Throughout 2022 and the first half of 2023, Vice Society, along with Royal Ransomware, were actively executing mu
Associated Vulnerabilities
No associations to display.
Source Document References
Information about the Darkbit threat actor was read from the documents corpus below.
Source, created at: Title
CERT-EU, a year ago: Iran-Based Hackers Caught Carrying Out Destructive Attacks Under Ransomware Guise
CERT-EU, a year ago: After apparent hack, data from Australian tech giant Atlassian dumped online
CERT-EU, a year ago: Toyota's bungling of customer privacy is becoming a pattern
CERT-EU, a year ago: The cost of expected cybersecurity mandates: bigger energy bills for consumers
CSO Online, a year ago: Iranian APT group launches destructive attacks in hybrid Azure AD environments
CERT-EU, a year ago: Cryptojacking added to updated RapperBot DDoS botnet
CERT-EU, a year ago: Signs of MuddyWater Developments Found in the DNS
CERT-EU, a year ago: Newly identified APT group's motives in Ukraine baffle researchers
CERT-EU, a year ago: Why the US needs the Bureau of Cyber Statistics right now
CERT-EU, 10 months ago: Virus Bulletin :: Teasing the secrets from threat actors: malware configuration extractors
CERT-EU, a year ago: Staten Island Hospital operating in network downtime amid ransomware attack
DARKReading, a year ago: Free Tool Unlocks Some Encrypted Data in Ransomware Attacks
CERT-EU, a year ago: Novel White Phoenix ransomware decryptor published
CERT-EU, a year ago: 'Pig butchering' scams on the rise, luring victims with promises of relationships and riches
CSO Online, a year ago: UK universities at high risk of cybersecurity incidents due to breached credentials
CERT-EU, a year ago: Hackers Target Israel’s Technion Demanding Huge Sum In Bitcoin | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker - National Cyber Security
CSO Online, a year ago: Hackers attack Israel’s Technion university, demand over $1.7 million in ransom
BankInfoSecurity, a year ago: Israel's Technion University Under Ransomware Attack
CERT-EU, a year ago: New cybercrime group calling itself DarkBit attacks Israeli university
DARKReading, a year ago: Israel's Top Tech University Targeted by DarkBit Ransomware