Clankerusecase
Threat-actor profile

Embargo

Embargo is a tracked threat actor in the Clankerusecase corpus. Attributed to ??. Primary motivation: Criminal. We map 14 detection use cases to this actor across 33 MITRE ATT&CK techniques, with 1 threat-intel article citing them. Active in our corpus from 2026-03-19 to 2026-03-19.

crit 1
14 Use cases
1 Articles
33 Techniques
0 IOCs

Known aliases

Embargo ransomware, Embargo group

Top techniques

All other tracked techniques

Detection use cases (14)

- Embargo / MDeployer safe-mode reboot to bypass EDR before encryption (BlackCat-lineage tradecraft) (AI · profile SΣ)
- Embargo MS4Killer BYOVD — vulnerable kernel driver service install + EDR process termination (AI · profile S)
- BYOVD: Genshin Impact mhyprot.sys driver dropped/loaded outside legitimate game install (Embargo evil-mhyprot-cli) (Bespoke)
- EDRSilencer-style WFP filter blocking outbound traffic from named EDR binaries (Bespoke)
- EDR-Freeze: WerFaultSecure.exe abused to suspend AV/EDR processes via MiniDumpWriteDump race (Bespoke)
- Phishing-link click correlated to endpoint execution (Internal)
- Email attachment opened from external sender (Internal)
- Office app spawning script/LOLBin child process (Internal)
- Fake CAPTCHA / clipboard-injected PowerShell (ClickFix / FakeCaptcha) (Internal)
- PowerShell encoded / obfuscated command (Internal)
- Ransomware-style mass file rename / extension change (Internal)
- LSASS process access / dump (credential theft) (Internal)
- Remote service execution — PsExec / SMB lateral movement (Internal)
- Article-specific behavioural hunt — EDR killers explained: Beyond the drivers (Internal)

Threat-intel articles (1)