Clankerusecase
Threat-actor profile

🇷🇺 BlackCat

🇷🇺 BlackCat is a tracked threat actor in the Clankerusecase corpus. Attributed to RU. Primary motivation: Criminal. We map 14 detection use cases to this actor across 29 MITRE ATT&CK techniques, with 4 threat-intel articles citing them. Active in our corpus from 2026-04-20 to 2026-06-12.

crit 3, high 1
14 Use cases
4 Articles
29 Techniques
0 IOCs

Known aliases

BlackCat, ALPHV, ALPHV-BlackCat, Noberus

Top techniques

All other tracked techniques

Detection use cases (14)

BlackCat (ALPHV/Noberus) Rust encryptor invocation via --access-token CLI flags [AI · profile] [SΣDD]
BlackCat (ALPHV) affiliate BYOVD — POORTRY / aswArPot / Burnt-Cigar driver load to kill EDR [AI · profile] [SDD]
Ransomware-style mass file rename / extension change [Internal]
LSASS process access / dump (credential theft) [Internal]
Remote service execution — PsExec / SMB lateral movement [Internal]
NoName057(16) DDoSia client check-in (/client/login, /client/get_targets) [Bespoke]
World Cup 2026 themed lookalike / typosquat domain resolution by corporate hosts [Bespoke]
Beaconing — periodic outbound to small set of destinations [Internal]
Infostealer — non-browser process accessing browser cookie/login DBs [Internal]
Phishing-link click correlated to endpoint execution [Internal]
Email attachment opened from external sender [Internal]
Office app spawning script/LOLBin child process [Internal]
Microsoft Teams external-tenant chat from unverified IT-helpdesk impersonator [Internal]
RMM tool installed by non-IT user — remote-access utility for hands-on-keyboard [Internal]

Threat-intel articles (4)

Tracked indicators

CVEs (1)

CVE-2026-20131