Threat Actor Profile
High APT
Description

BlackByte is a ransomware threat actor operating since at least 2021. BlackByte is associated with several versions of ransomware also labeled BlackByte Ransomware. BlackByte ransomware operations initially used a common encryption key, allowing for the development of a universal decryptor, but subsequent versions such as BlackByte 2.0 Ransomware use more robust encryption mechanisms. BlackByte is notable for operations targeting critical infrastructure entities among other targets across North America. (Citation: FBI BlackByte 2022)(Citation: Picus BlackByte 2022)(Citation: Symantec BlackByte 2022)(Citation: Microsoft BlackByte 2023)(Citation: Cisco BlackByte 2024)

Ransomware; uses a dropper written in JavaScript to deploy a .NET payload.

Confidence Score
100%
Known Aliases
BlackByte, Hecamede
Tags
intrusion-set mitre-attack ransomware ransomware.live stix-2.1
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (49)
T1560 - Archive Collected Data (Collection)
T1071.001 - Web Protocols (Command and Control)
T1105 - Ingress Tool Transfer (Command and Control)
T1219 - Remote Access Tools (Command and Control)
T1003 - OS Credential Dumping (Credential Access)
T1036.008 - Masquerade File Type (Defense Evasion)
T1055 - Process Injection (Defense Evasion)
T1055.012 - Process Hollowing (Defense Evasion)
T1070.004 - File Deletion (Defense Evasion)
T1078 - Valid Accounts (Defense Evasion)
T1078.002 - Domain Accounts (Defense Evasion)
T1112 - Modify Registry (Defense Evasion)
T1134.003 - Make and Impersonate Token (Defense Evasion)
T1140 - Deobfuscate/Decode Files or Information (Defense Evasion)
T1480 - Execution Guardrails (Defense Evasion)
T1562 - Impair Defenses (Defense Evasion)
T1562.001 - Disable or Modify Tools (Defense Evasion)
T1562.004 - Disable or Modify System Firewall (Defense Evasion)
T1012 - Query Registry (Discovery)
T1016 - System Network Configuration Discovery (Discovery)
T1018 - Remote System Discovery (Discovery)
T1046 - Network Service Discovery (Discovery)
T1082 - System Information Discovery (Discovery)
T1087.002 - Domain Account (Discovery)
T1135 - Network Share Discovery (Discovery)
T1482 - Domain Trust Discovery (Discovery)
T1518.001 - Security Software Discovery (Discovery)
T1614.001 - System Language Discovery (Discovery)
T1047 - Windows Management Instrumentation (Execution)
T1053.005 - Scheduled Task (Execution)
T1059.001 - PowerShell (Execution)
T1059.003 - Windows Command Shell (Execution)
T1569.002 - Service Execution (Execution)
T1041 - Exfiltration Over C2 Channel (Exfiltration)
T1567 - Exfiltration Over Web Service (Exfiltration)
T1486 - Data Encrypted for Impact (Impact)
T1490 - Inhibit System Recovery (Impact)
T1491.001 - Internal Defacement (Impact)
T1190 - Exploit Public-Facing Application (Initial Access)
T1021.001 - Remote Desktop Protocol (Lateral Movement)
T1021.002 - SMB/Windows Admin Shares (Lateral Movement)
T1570 - Lateral Tool Transfer (Lateral Movement)
T1136.002 - Domain Account (Persistence)
T1505.003 - Web Shell (Persistence)
T1543.003 - Windows Service (Persistence)
T1547.001 - Registry Run Keys / Startup Folder (Persistence)
T1068 - Exploitation for Privilege Escalation (Privilege Escalation)
T1583.003 - Virtual Private Server (Resource Development)
T1608.001 - Upload Malware (Resource Development)
STIX Data
[{'aliases': ['BlackByte', 'Hecamede'],
  'created': '2024-12-16T23:19:40.207Z',
  'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
  'description': '[BlackByte](https://attack.mitre.org/groups/G1043) is a '
                 'ransomware threat actor operating since at least 2021. '
                 '[BlackByte](https://attack.mitre.org/groups/G1043) is '
                 'associated with several versions of ransomware also labeled '
                 '[BlackByte '
                 'Ransomware](https://attack.mitre.org/software/S1180). '
                 '[BlackByte](https://attack.mitre.org/groups/G1043) '
                 'ransomware operations initially used a common encryption key '
                 'allowing for the development of a universal decryptor, but '
                 'subsequent versions such as [BlackByte 2.0 '
                 'Ransomware](https://attack.mitre.org/software/S1181) use '
                 'more robust encryption mechanisms. '
                 '[BlackByte](https://attack.mitre.org/groups/G1043) is '
                 'notable for operations targeting critical infrastructure '
                 'entities among other targets across North America.(Citation: '
                 'FBI BlackByte 2022)(Citation: Picus BlackByte '
                 '2022)(Citation: Symantec BlackByte 2022)(Citation: Microsoft '
                 'BlackByte 2023)(Citation: Cisco BlackByte 2024)',
  'external_references': [{'external_id': 'G1043',
                           'source_name': 'mitre-attack',
                           'url': 'https://attack.mitre.org/groups/G1043'},
                          {'description': '(Citation: Symantec BlackByte 2022)',
                           'source_name': 'Hecamede'},
                          {'description': 'Huseyin Can Yuceel. (2022, February '
                                          '21). TTPs used by BlackByte '
                                          'Ransomware Targeting Critical '
                                          'Infrastructure. Retrieved December '
                                          '16, 2024.',
                           'source_name': 'Picus BlackByte 2022',
                           'url': 'https://www.picussecurity.com/resource/ttps-used-by-blackbyte-ransomware-targeting-critical-infrastructure'},
                          {'description': 'James Nutland, Craig Jackson, '
                                          'Terryn Valikodath, & Brennan Evans. '
                                          '(2024, August 28). BlackByte blends '
                                          'tried-and-true tradecraft with '
                                          'newly disclosed vulnerabilities to '
                                          'support ongoing attacks. Retrieved '
                                          'December 16, 2024.',
                           'source_name': 'Cisco BlackByte 2024',
                           'url': 'https://blog.talosintelligence.com/blackbyte-blends-tried-and-true-tradecraft-with-newly-disclosed-vulnerabilities-to-support-ongoing-attacks/'},
                          {'description': 'Microsoft Incident Response. (2023, '
                                          'July 6). The five-day job: A '
                                          'BlackByte ransomware intrusion case '
                                          'study. Retrieved December 16, 2024.',
                           'source_name': 'Microsoft BlackByte 2023',
                           'url': 'https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/'},
                          {'description': 'Symantec Threat Hunter Team. (2022, '
                                          'October 21). Exbyte: BlackByte '
                                          'Ransomware Attackers Deploy New '
                                          'Exfiltration Tool. Retrieved '
                                          'December 16, 2024.',
                           'source_name': 'Symantec BlackByte 2022',
                           'url': 'https://www.security.com/threat-intelligence/blackbyte-exbyte-ransomware'},
                          {'description': 'US Federal Bureau of Investigation '
                                          '& US Secret Service. (2022, '
                                          'February 11). Indicators of '
                                          'Compromise Associated with '
                                          'BlackByte Ransomware. Retrieved '
                                          'December 16, 2024.',
                           'source_name': 'FBI BlackByte 2022',
                           'url': 'https://www.ic3.gov/CSA/2022/220211.pdf'}],
  'id': 'intrusion-set--02b16bd6-ae88-417a-8a3f-02c5e166175a',
  'modified': '2025-03-09T15:58:36.918Z',
  'name': 'BlackByte',
  'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
  'revoked': False,
  'spec_version': '2.1',
  'type': 'intrusion-set',
  'x_mitre_attack_spec_version': '3.2.0',
  'x_mitre_contributors': ['Kaung Zaw Hein'],
  'x_mitre_deprecated': False,
  'x_mitre_domains': ['enterprise-attack'],
  'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
  'x_mitre_version': '1.0'},
 {'added_date': None,
  'client': '2003264@sit.singaporetech.edu.sg',
  'description': 'Ransomware. Uses dropper written in JavaScript to deploy a '
                 '.NET payload.\n',
  'firstseen': '2021-10-04T09:45:12.242194+00:00',
  'group': 'blackbyte',
  'has_negotiations': False,
  'has_ransomnote': True,
  'lastseen': '2025-07-30T10:43:51.538876+00:00',
  'locations': [{'available': False,
                 'fqdn': 'dounczge5jhw4iztnnpzp54kd4ot3tikhjsimurtcewqssgye6vvrhqd.onion',
                 'slug': 'http://dounczge5jhw4iztnnpzp54kd4ot3tikhjsimurtcewqssgye6vvrhqd.onion',
                 'title': 'BB Auction',
                 'type': 'DLS'},
                {'available': False,
                 'fqdn': '53d5skw4ypzku4bfq2tk2mr3xh5yqrzss25sooiubmjz67lb3gdivcad.onion',
                 'slug': 'http://53d5skw4ypzku4bfq2tk2mr3xh5yqrzss25sooiubmjz67lb3gdivcad.onion',
                 'title': 'BB Auction',
                 'type': 'DLS'},
                {'available': False,
                 'fqdn': 'f5uzduboq4fa2xkjloprmctk7ve3dm46ff7aniis66cbekakvksxgeqd.onion',
                 'slug': 'http://f5uzduboq4fa2xkjloprmctk7ve3dm46ff7aniis66cbekakvksxgeqd.onion',
                 'title': 'BlackByte BLOG',
                 'type': 'DLS'},
                {'available': False,
                 'fqdn': 'dlyo7r3n4qy5fzv4645nddjwarj7wjdd6wzckomcyc7akskkxp4glcad.onion',
                 'slug': 'http://dlyo7r3n4qy5fzv4645nddjwarj7wjdd6wzckomcyc7akskkxp4glcad.onion/',
                 'title': 'BlackByte BLOG',
                 'type': 'DLS'},
                {'available': False,
                 'fqdn': 'tj3ty2q5jm5au3bmd2embtjscd3qjt7nfio2o7cr6moyy5kgil5pieqd.onion',
                 'slug': 'http://tj3ty2q5jm5au3bmd2embtjscd3qjt7nfio2o7cr6moyy5kgil5pieqd.onion',
                 'title': 'File downloader',
                 'type': 'Files'},
                {'available': False,
                 'fqdn': 'ce6roic2ykdjunyzazsxmjpz5wsar4pflpoqzntyww5c2eskcp7dq4yd.onion',
                 'slug': 'http://ce6roic2ykdjunyzazsxmjpz5wsar4pflpoqzntyww5c2eskcp7dq4yd.onion/',
                 'title': 'BlackByte BLOG',
                 'type': 'DLS'},
                {'available': False,
                 'fqdn': '6iaj3efye3q62xjgfxyegrufhewxew7yt4scxjd45tlfafyja6q4ctqd.onion',
                 'slug': 'http://6iaj3efye3q62xjgfxyegrufhewxew7yt4scxjd45tlfafyja6q4ctqd.onion',
                 'title': '',
                 'type': 'DLS'},
                {'available': False,
                 'fqdn': 'fl3xpz5bmgzxy4fmebhgsbycgnz24uosp3u4g33oiln627qq3gyw37ad.onion',
                 'slug': 'http://fl3xpz5bmgzxy4fmebhgsbycgnz24uosp3u4g33oiln627qq3gyw37ad.onion',
                 'title': 'BlackByte BLOG',
                 'type': 'DLS'},
                {'available': False,
                 'fqdn': 'jbeg2dct2zhku6c2vwnpxtm2psnjo2xnqvvpoiiwr5hxnc6wrp3uhnad.onion',
                 'slug': 'http://jbeg2dct2zhku6c2vwnpxtm2psnjo2xnqvvpoiiwr5hxnc6wrp3uhnad.onion',
                 'title': 'BB Auction',
                 'type': 'DLS'}],
  'negotiation_count': 0,
  'ransomnotes_count': 4,
  'tiaras_metadata': {'has_negotiations': False,
                      'has_ransomnote': True,
                      'locations': [{'available': False,
                                     'fqdn': 'dounczge5jhw4iztnnpzp54kd4ot3tikhjsimurtcewqssgye6vvrhqd.onion',
                                     'slug': 'http://dounczge5jhw4iztnnpzp54kd4ot3tikhjsimurtcewqssgye6vvrhqd.onion',
                                     'title': 'BB Auction',
                                     'type': 'DLS'},
                                    {'available': False,
                                     'fqdn': '53d5skw4ypzku4bfq2tk2mr3xh5yqrzss25sooiubmjz67lb3gdivcad.onion',
                                     'slug': 'http://53d5skw4ypzku4bfq2tk2mr3xh5yqrzss25sooiubmjz67lb3gdivcad.onion',
                                     'title': 'BB Auction',
                                     'type': 'DLS'},
                                    {'available': False,
                                     'fqdn': 'f5uzduboq4fa2xkjloprmctk7ve3dm46ff7aniis66cbekakvksxgeqd.onion',
                                     'slug': 'http://f5uzduboq4fa2xkjloprmctk7ve3dm46ff7aniis66cbekakvksxgeqd.onion',
                                     'title': 'BlackByte BLOG',
                                     'type': 'DLS'},
                                    {'available': False,
                                     'fqdn': 'dlyo7r3n4qy5fzv4645nddjwarj7wjdd6wzckomcyc7akskkxp4glcad.onion',
                                     'slug': 'http://dlyo7r3n4qy5fzv4645nddjwarj7wjdd6wzckomcyc7akskkxp4glcad.onion/',
                                     'title': 'BlackByte BLOG',
                                     'type': 'DLS'},
                                    {'available': False,
                                     'fqdn': 'tj3ty2q5jm5au3bmd2embtjscd3qjt7nfio2o7cr6moyy5kgil5pieqd.onion',
                                     'slug': 'http://tj3ty2q5jm5au3bmd2embtjscd3qjt7nfio2o7cr6moyy5kgil5pieqd.onion',
                                     'title': 'File downloader',
                                     'type': 'Files'},
                                    {'available': False,
                                     'fqdn': 'ce6roic2ykdjunyzazsxmjpz5wsar4pflpoqzntyww5c2eskcp7dq4yd.onion',
                                     'slug': 'http://ce6roic2ykdjunyzazsxmjpz5wsar4pflpoqzntyww5c2eskcp7dq4yd.onion/',
                                     'title': 'BlackByte BLOG',
                                     'type': 'DLS'},
                                    {'available': False,
                                     'fqdn': '6iaj3efye3q62xjgfxyegrufhewxew7yt4scxjd45tlfafyja6q4ctqd.onion',
                                     'slug': 'http://6iaj3efye3q62xjgfxyegrufhewxew7yt4scxjd45tlfafyja6q4ctqd.onion',
                                     'title': '',
                                     'type': 'DLS'},
                                    {'available': False,
                                     'fqdn': 'fl3xpz5bmgzxy4fmebhgsbycgnz24uosp3u4g33oiln627qq3gyw37ad.onion',
                                     'slug': 'http://fl3xpz5bmgzxy4fmebhgsbycgnz24uosp3u4g33oiln627qq3gyw37ad.onion',
                                     'title': 'BlackByte BLOG',
                                     'type': 'DLS'},
                                    {'available': False,
                                     'fqdn': 'jbeg2dct2zhku6c2vwnpxtm2psnjo2xnqvvpoiiwr5hxnc6wrp3uhnad.onion',
                                     'slug': 'http://jbeg2dct2zhku6c2vwnpxtm2psnjo2xnqvvpoiiwr5hxnc6wrp3uhnad.onion',
                                     'title': 'BB Auction',
                                     'type': 'DLS'}],
                      'negotiation_count': 0,
                      'ransomnotes_count': 4,
                      'ransomware_live_group': 'blackbyte',
                      'tools': {'CredentialTheft': [],
                                'DefenseEvasion': ['Dell Client driver (BYOVD)',
                                                   'GIGABYTE Motherboard '
                                                   'driver (BYOVD)',
                                                   'MSI Afterburner driver '
                                                   '(BYOVD)',
                                                   'Zemana Anti-Rootkit '
                                                   'driver'],
                                'DiscoveryEnum': ['PowerView',
                                                  'SoftPerfect NetScan'],
                                'Exfiltration': [],
                                'LOLBAS': [],
                                'Networking': [],
                                'Offsec': ['Cobalt Strike',
                                           'PowerShell Empire'],
                                'RMM-Tools': ['AnyDesk']},
                      'url': 'https://www.ransomware.live/group/blackbyte',
                      'victims': 147,
                      'vulnerabilities': []},
  'tiaras_source': 'ransomware.live',
  'tools': {'CredentialTheft': [],
            'DefenseEvasion': ['Dell Client driver (BYOVD)',
                               'GIGABYTE Motherboard driver (BYOVD)',
                               'MSI Afterburner driver (BYOVD)',
                               'Zemana Anti-Rootkit driver'],
            'DiscoveryEnum': ['PowerView', 'SoftPerfect NetScan'],
            'Exfiltration': [],
            'LOLBAS': [],
            'Networking': [],
            'Offsec': ['Cobalt Strike', 'PowerShell Empire'],
            'RMM-Tools': ['AnyDesk']},
  'ttps': [],
  'url': 'https://www.ransomware.live/group/blackbyte',
  'victims': 147,
  'vulnerabilities': []}]