win.blackbyte

BlackByte

Ransomware. Early samples were delivered by a dropper written in JavaScript that deployed a .NET payload; later variants were rewritten in Go and then in C++ (see the Zscaler analysis and the @splinter_code tweet in the references below).

References
2026-02-01 | splintersfury | Ahmad Abdillah Bin Zaini
KernelSight: Windows Kernel Driver Exploitation Knowledge Base
Tags: BlackByte, FudModule, Nokoyawa Ransomware

2024-08-28 | Talos Intelligence | Craig Jackson, James Nutland, Terryn Valikodath
BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks
Tags: BlackByte

2023-07-06 | Microsoft | Microsoft Incident Response
The five-day job: A BlackByte ransomware intrusion case study
Tags: BlackByte, ExByte

2023-05-22 | Cluster25 | Cluster25 Threat Intel Team
Back in Black: BlackByte Ransomware returns with its New Technology (NT) version
Tags: BlackByte

2023-03-21 | Twitter (@splinter_code) | Antonio Cocomazzi
Tweet on BlackByte ransomware rewrite in C++
Tags: BlackByte

2022-10-04 | Sophos | Andreas Klopsch
Remove All The Callbacks – BlackByte Ransomware Disables EDR Via RTCore64.sys Abuse
Tags: BlackByte

2022-08-25 | Darktrace | Emma Foulger, Max Heinemeyer
Detecting the Unknown: Revealing Uncategorized Ransomware Using Darktrace
Tags: BlackByte

2022-07-13 | NCC Group | RIFT: Research and Intelligence Fusion Team
Climbing Mount Everest: Black-Byte Bytes Back?
Tags: BlackByte

2022-07-05 | Trend Micro | Trend Micro Research
Ransomware Spotlight: BlackByte
Tags: BlackByte

2022-06-23 | Kaspersky | Danila Nasonov, Natalya Shornikova, Nikita Nazarov, Vasily Davydov, Vladislav Burtsev
The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs
Tags: Conti, Hive, BlackByte, BlackCat, Clop, LockBit, Mespinoza, Ragnarok

2022-06-23 | Kaspersky | Danila Nasonov, Natalya Shornikova, Nikita Nazarov, Vasily Davydov, Vladislav Burtsev
The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)
Tags: BlackByte, BlackCat, Clop, Conti, Hive, LockBit, Mespinoza, RagnarLocker

2022-05-20 | AdvIntel | Marley Smith, Vitali Kremez, Yelisey Boguslavskiy
DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
Tags: AvosLocker, Black Basta, BlackByte, BlackCat, Conti, HelloKitty, Hive

2022-05-18 | Cisco Talos | Holger Unterbrink
The BlackByte ransomware group is striking users all over the globe
Tags: BlackByte

2022-05-17 | Advanced Intelligence | Vitali Kremez, Yelisey Boguslavskiy
Hydra with Three Heads: BlackByte & The Future of Ransomware Subsidiary Groups
Tags: BlackByte, Conti

2022-05-03 | Zscaler | Brett Stone-Gross, Javier Vicente
Analysis of BlackByte Ransomware's Go-Based Variants
Tags: BlackByte

2022-04-20 | BleepingComputer | Bill Toulas
Microsoft Exchange servers hacked to deploy Hive ransomware
Tags: Babuk, BlackByte, Conti, Hive, LockFile

2022-04-18 | AdvIntel | Vitali Kremez, Yelisey Boguslavskiy
Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group
Tags: AvosLocker, BazarBackdoor, BlackByte, BlackCat, Cobalt Strike, HelloKitty, Hive, Karakurt

2022-02-28 | Trellix | Taylor Mullins
Trellix Global Defenders: Analysis and Protections for BlackByte Ransomware
Tags: BlackByte

2022-02-21 | PICUS Security | Hüseyin Can YÜCEEL
TTPs used by BlackByte Ransomware Targeting Critical Infrastructure
Tags: BlackByte

2022-02-14 | BleepingComputer | Sergiu Gatlan
FBI: BlackByte ransomware breached US critical infrastructure
Tags: BlackByte

2022-02-13 | The Record | Catalin Cimpanu
San Francisco 49ers confirm ransomware attack
Tags: BlackByte

2022-02-11 | Federal Bureau of Investigation, U.S. Secret Service (USSS)
JOINT CYBERSECURITY ADVISORY: Indicators of Compromise Associated with BlackByte Ransomware
Tags: BlackByte

2021-11-30 | Red Canary | Harrison van Riper
ProxyShell exploitation leads to BlackByte ransomware
Tags: BlackByte

2021-11-04 | Deep Instinct | Shaul Vilkomir-Preisman
Understanding the Windows JavaScript Threat Landscape
Tags: STRRAT, Griffon, BlackByte, Houdini, Vjw0rm, FIN7
Yara Rules
[TLP:WHITE] win_blackbyte_auto (20260504 | Detects win.blackbyte.)
rule win_blackbyte_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.blackbyte."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbyte"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // The byte sequences are x86-64 code (REX prefixes 48/49/4c/4d). The
        // comments give the x86-64 decoding of each instruction; jump targets
        // are shown as signed displacements from the end of the jump.
        $sequence_0 = { 3bc2 72f4 b8ffffffff 4883c420 }
            // n = 4, score = 200
            //   3bc2                 | cmp                 eax, edx
            //   72f4                 | jb                  -0xc
            //   b8ffffffff           | mov                 eax, 0xffffffff
            //   4883c420             | add                 rsp, 0x20

        $sequence_1 = { 3bd0 0f8f7f000000 4c63c2 498bcf }
            // n = 4, score = 200
            //   3bd0                 | cmp                 edx, eax
            //   0f8f7f000000         | jg                  +0x7f
            //   4c63c2               | movsxd              r8, edx
            //   498bcf               | mov                 rcx, r15

        $sequence_2 = { 3bc7 7ce0 eb03 488bda }
            // n = 4, score = 200
            //   3bc7                 | cmp                 eax, edi
            //   7ce0                 | jl                  -0x20
            //   eb03                 | jmp                 +0x3
            //   488bda               | mov                 rbx, rdx

        $sequence_3 = { 3bc1 7f4d 33c9 4c63c8 }
            // n = 4, score = 200
            //   3bc1                 | cmp                 eax, ecx
            //   7f4d                 | jg                  +0x4d
            //   33c9                 | xor                 ecx, ecx
            //   4c63c8               | movsxd              r9, eax

        $sequence_4 = { 48ffc2 4c8b842458010000 0f1f00 4939d0 0f8feefeffff }
            // n = 5, score = 200
            //   48ffc2               | inc                 rdx
            //   4c8b842458010000     | mov                 r8, qword ptr [rsp + 0x158]
            //   0f1f00               | nop                 dword ptr [rax]
            //   4939d0               | cmp                 r8, rdx
            //   0f8feefeffff         | jg                  -0x112

        $sequence_5 = { 4b8d0413 90 e8???????? 488b542458 }
            // n = 4, score = 200
            //   4b8d0413             | lea                 rax, [r11 + r10]
            //   90                   | nop
            //   e8????????           | call                <rel32 wildcarded: target differs per build>
            //   488b542458           | mov                 rdx, qword ptr [rsp + 0x58]

        $sequence_6 = { 48c744247000000000 c744247800000000 c744246800000000 48c744247000000000 }
            // n = 4, score = 200
            //   48c744247000000000   | mov                 qword ptr [rsp + 0x70], 0
            //   c744247800000000     | mov                 dword ptr [rsp + 0x78], 0
            //   c744246800000000     | mov                 dword ptr [rsp + 0x68], 0
            //   48c744247000000000   | mov                 qword ptr [rsp + 0x70], 0

        $sequence_7 = { 3bc8 757b 498bc8 6685d2 }
            // n = 4, score = 200
            //   3bc8                 | cmp                 ecx, eax
            //   757b                 | jne                 +0x7b
            //   498bc8               | mov                 rcx, r8
            //   6685d2               | test                dx, dx

        $sequence_8 = { 4939c9 490f4cc9 90 4939c8 }
            // n = 4, score = 200
            //   4939c9               | cmp                 r9, rcx
            //   490f4cc9             | cmovl               rcx, r9
            //   90                   | nop
            //   4939c8               | cmp                 r8, rcx

        $sequence_9 = { 3bc2 7f2f 4c63d8 85c0 }
            // n = 4, score = 200
            //   3bc2                 | cmp                 eax, edx
            //   7f2f                 | jg                  +0x2f
            //   4c63d8               | movsxd              r11, eax
            //   85c0                 | test                eax, eax

        $sequence_10 = { 4989c1 48c1e004 4c8b940400020000 4c8b9c0408020000 }
            // n = 4, score = 200
            //   4989c1               | mov                 r9, rax
            //   48c1e004             | shl                 rax, 4
            //   4c8b940400020000     | mov                 r10, qword ptr [rsp + rax + 0x200]
            //   4c8b9c0408020000     | mov                 r11, qword ptr [rsp + rax + 0x208]

        $sequence_11 = { 3bc7 7f38 33d2 4c63c8 }
            // n = 4, score = 200
            //   3bc7                 | cmp                 eax, edi
            //   7f38                 | jg                  +0x38
            //   33d2                 | xor                 edx, edx
            //   4c63c8               | movsxd              r9, eax

        $sequence_12 = { 3bc8 7708 41034908 3bc1 }
            // n = 4, score = 200
            //   3bc8                 | cmp                 ecx, eax
            //   7708                 | ja                  +0x8
            //   41034908             | add                 ecx, dword ptr [r9 + 8]
            //   3bc1                 | cmp                 eax, ecx

        $sequence_13 = { 4989f8 4d85c9 0f8ebb000000 488b4828 }
            // n = 4, score = 200
            //   4989f8               | mov                 r8, rdi
            //   4d85c9               | test                r9, r9
            //   0f8ebb000000         | jle                 +0xbb
            //   488b4828             | mov                 rcx, qword ptr [rax + 0x28]

        $sequence_14 = { 4989c1 4989c8 488b842480000000 488b8c2488000000 }
            // n = 4, score = 200
            //   4989c1               | mov                 r9, rax
            //   4989c8               | mov                 r8, rcx
            //   488b842480000000     | mov                 rax, qword ptr [rsp + 0x80]
            //   488b8c2488000000     | mov                 rcx, qword ptr [rsp + 0x88]

        $sequence_15 = { 4939c9 0f8234020000 48014840 4829cf 4929c9 4989f8 48f7df }
            // n = 7, score = 200
            //   4939c9               | cmp                 r9, rcx
            //   0f8234020000         | jb                  +0x234
            //   48014840             | add                 qword ptr [rax + 0x40], rcx
            //   4829cf               | sub                 rdi, rcx
            //   4929c9               | sub                 r9, rcx
            //   4989f8               | mov                 r8, rdi
            //   48f7df               | neg                 rdi

    condition:
        7 of them and filesize < 9435136
}
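The rule's condition, `7 of them and filesize < 9435136`, means a file is flagged only when at least 7 of the 16 byte sequences occur somewhere in it and the file is smaller than 9435136 bytes; `??` in `$sequence_5` is a whole-byte wildcard over the `call` displacement, which changes from build to build. The following script is an added example (not Malpedia's or yara-signator's code) that re-implements exactly that matching logic with the standard library, so the strings and the condition can be exercised against a constructed buffer without a YARA install. `build_sample` and the NOP filler are assumptions made for the test buffer; the hex strings and thresholds are copied from the rule above. For real scanning use the `yara` module, which also applies `filesize` to the file rather than to a memory buffer.

```python
"""
Stand-alone re-implementation of the matching logic of win_blackbyte_auto.

Added example, not Malpedia's or yara-signator's code. It shows what the rule's
hex strings and the condition "7 of them and filesize < 9435136" actually test,
using only the standard library; use the real `yara` module for scanning.
"""
import re

# The sixteen hex strings, copied from the rule above. "??" is a YARA wildcard
# byte; in sequence_5 it masks the rel32 of a call whose target varies per build.
SEQUENCES = {
    "sequence_0": "3bc2 72f4 b8ffffffff 4883c420",
    "sequence_1": "3bd0 0f8f7f000000 4c63c2 498bcf",
    "sequence_2": "3bc7 7ce0 eb03 488bda",
    "sequence_3": "3bc1 7f4d 33c9 4c63c8",
    "sequence_4": "48ffc2 4c8b842458010000 0f1f00 4939d0 0f8feefeffff",
    "sequence_5": "4b8d0413 90 e8???????? 488b542458",
    "sequence_6": "48c744247000000000 c744247800000000 c744246800000000 48c744247000000000",
    "sequence_7": "3bc8 757b 498bc8 6685d2",
    "sequence_8": "4939c9 490f4cc9 90 4939c8",
    "sequence_9": "3bc2 7f2f 4c63d8 85c0",
    "sequence_10": "4989c1 48c1e004 4c8b940400020000 4c8b9c0408020000",
    "sequence_11": "3bc7 7f38 33d2 4c63c8",
    "sequence_12": "3bc8 7708 41034908 3bc1",
    "sequence_13": "4989f8 4d85c9 0f8ebb000000 488b4828",
    "sequence_14": "4989c1 4989c8 488b842480000000 488b8c2488000000",
    "sequence_15": "4939c9 0f8234020000 48014840 4829cf 4929c9 4989f8 48f7df",
}

FILESIZE_LIMIT = 9435136   # from the rule condition: filesize < 9435136
MIN_MATCHES = 7            # from the rule condition: 7 of them


def hex_to_regex(hex_string):
    """Compile a YARA hex string (whole-byte ?? wildcards only) to a bytes regex."""
    digits = hex_string.replace(" ", "")
    if len(digits) % 2:
        raise ValueError("hex string has an odd number of nibbles")
    parts = []
    for i in range(0, len(digits), 2):
        byte = digits[i:i + 2]
        # A wildcard byte must match any value, including 0x0a, hence DOTALL.
        parts.append(b"." if byte == "??" else re.escape(bytes([int(byte, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


PATTERNS = {name: hex_to_regex(h) for name, h in SEQUENCES.items()}


def matching_sequences(data):
    """Names of the rule's strings that occur at least once anywhere in data."""
    return [name for name, pattern in PATTERNS.items() if pattern.search(data)]


def rule_matches(data):
    """Evaluate the condition as written: the size bound first, then 'of them'."""
    if len(data) >= FILESIZE_LIMIT:
        return False
    return len(matching_sequences(data)) >= MIN_MATCHES


def build_sample(names, filler=b"\x90" * 16):
    """Constructed test buffer (synthetic, not a BlackByte sample): the chosen
    sequences with wildcard bytes zero-filled, separated by NOP padding."""
    out = bytearray()
    for name in names:
        out += filler + bytes.fromhex(SEQUENCES[name].replace(" ", "").replace("??", "00"))
    return bytes(out + filler)


if __name__ == "__main__":
    names = list(SEQUENCES)
    print("7 sequences present:", rule_matches(build_sample(names[:7])))  # True
    print("6 sequences present:", rule_matches(build_sample(names[:6])))  # False
```

The sequences are short, generic compiler idioms (compare-and-branch, `movsxd`, stack-slot zeroing), which is why the rule demands seven of them rather than any one; when assigning a confidence level, remember the disclaimer above that the strings were selected from a single sample's unpacked memory, so a packed on-disk sample will not match until it is unpacked or dumped.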