Home/ Threat Actors/ BlackByte

🇷🇺BlackByte

🇷🇺 BlackByte is a tracked threat actor in the Clankerusecase corpus. Attributed to RU. Primary motivation: Criminal. We map 17 detection use cases to this actor across 49 MITRE ATT&CK techniques, with 1 threat-intel article citing them. Active in our corpus from 2026-06-12 to 2026-06-12.

high 1

View full actor card → All threat actors MITRE ATT&CK group spec (G1043) ↗

17Use cases

1Articles

49Techniques

0IOCs

Known aliases

BlackByteBlackbyteHecamede

Top techniques

T1190 · Exploit Public-Facing Application T1486 · Data Encrypted for Impact T1003.001 · LSASS Memory

All other tracked techniques

T1003 · OS Credential Dumping T1012 · Query Registry T1016 · System Network Configuration Discovery T1018 · Remote System Discovery T1021.001 · Remote Desktop Protocol T1021.002 · SMB/Windows Admin Shares T1036.008 · Masquerade File Type T1041 · Exfiltration Over C2 Channel T1046 · Network Service Discovery T1047 · Windows Management Instrumentation T1053.005 · Scheduled Task T1055 · Process Injection T1055.012 · Process Hollowing T1059.001 · PowerShell T1059.003 · Windows Command Shell T1068 · Exploitation for Privilege Escalation T1070.004 · File Deletion T1071.001 · Web Protocols T1078 · Valid Accounts T1078.002 · Domain Accounts T1082 · System Information Discovery T1087.002 · Domain Account T1105 · Ingress Tool Transfer T1112 · Modify Registry T1134.003 · Make and Impersonate Token T1135 · Network Share Discovery T1136.002 · Domain Account T1140 · Deobfuscate/Decode Files or Information T1219 · Remote Access Tools T1480 · Execution Guardrails T1482 · Domain Trust Discovery T1490 · Inhibit System Recovery T1491.001 · Internal Defacement T1505.003 · Web Shell T1518.001 · Security Software Discovery T1543.003 · Windows Service T1547.001 · Registry Run Keys / Startup Folder T1560 · Archive Collected Data T1567 · Exfiltration Over Web Service T1569.002 · Service Execution T1570 · Lateral Tool Transfer T1583.003 · Virtual Private Server T1608.001 · Upload Malware T1614.001 · System Language Discovery T1685 · Disable or Modify Tools T1686 · Disable or Modify System Firewall

Detection use cases (17)

BlackByte BYOVD: RTCore64.sys driver-service install for kernel-mode EDR kill AI · profile SΣDD BlackByte exfil-then-wipe: Mega.io upload followed by VSS/bcdedit recovery destruction AI · profile SDD Ransomware-style mass file rename / extension change Internal LSASS process access / dump (credential theft) Internal Remote service execution — PsExec / SMB lateral movement Internal 1Password impossible-travel sign-in MITRE match Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Language-runtime server (node/python/java) spawns OS shell shortly after inbound request — eval / sandbox-escape exploitation chain MITRE match Linux LPE chain — anomalous algif_aead/esp4/esp6/rxrpc kernel-module load followed by same-user root transition MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match

Threat-intel articles (1)

high Ukrainian national pleads guilty to role in Conti ransomware operation · 2026-06-12