Mora_001
Mora_001 is a threat actor tracked in reporting as a Russian-origin actor and initial access broker. It is associated with exploitation of Fortinet FortiGate/FortiOS vulnerabilities, particularly CVE-2024-55591 and CVE-2025-24472, to obtain unauthenticated super_admin access on exposed management interfaces. Reporting attributes a series of intrusions from late January to early March to this actor, culminating in deployment of the SuperBlack ransomware; in a separate February 2026 incident the actor was described as evolving from ransomware operations toward strategic espionage. Mora_001 is described as exhibiting a consistent operational signature, using Russian-language artifacts, and showing ties to the LockBit ecosystem, while being tracked as distinct from LockBit itself.
Observed tradecraft includes:
- use of jsconsole and HTTPS exploitation methods against Fortinet devices;
- creation of recurring local administrator accounts such as forticloud-tech, fortigate-firewall, adnimistrator, admin_support, and forticloud-sync;
- use of scheduled FortiGate automation objects to recreate backdoor super_admin accounts;
- creation of lookalike local VPN users with an added digit;
- downloading firewall configuration files;
- use of built-in FortiGate dashboards for reconnaissance;
- propagation of access across HA deployments;
- attempted abuse of TACACS+ or RADIUS-backed VPN access;
- lateral movement to high-value systems including file servers, authentication servers/domain controllers, database servers, and other infrastructure devices.
Reporting states the actor primarily used WMIC for remote discovery and execution, and SSH for access to additional systems and network devices.
Mora_001 has been linked to deployment of SuperBlack ransomware, assessed as closely resembling LockBit 3.0/LockBit Black but with a modified ransom note and a custom data-exfiltration executable. Reporting states the ransom note reused a TOX ID associated with LockBit 3.0 and assesses that Mora_001 may be a LockBit affiliate or associate group sharing communication channels. In at least one confirmed case the actor exfiltrated data before selectively encrypting file servers rather than encrypting the entire network. A wiper component named WipeBlack has also been associated with this activity. In the February 2026 intrusion dubbed "FortiSync Quasar," Mora_001 was reported deploying Matanbuchus 3.0, Astarion RAT, and SystemBC.
Known alias: Mora_001.
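The persistence artifacts described above (the named backdoor admin accounts, automation objects that recreate super_admin accounts, and lookalike local users with an appended digit) are all visible in a FortiGate configuration backup. The following is an added example for this profile, not tooling from the reporting or from Fortinet: a small parser for the FortiOS CLI configuration format and an audit over its output. The configuration excerpt is constructed, and the EXPECTED_ADMINS allowlist and the check names are assumptions; the account names come from the reporting.

```python
"""Audit a FortiGate CLI config backup for the persistence artifacts reported
for Mora_001. Added example (not Forescout's or Fortinet's code); SAMPLE_CONFIG
is a constructed excerpt in FortiOS CLI syntax, EXPECTED_ADMINS an assumed allowlist."""
import re

KNOWN_BACKDOOR_ADMINS = {"forticloud-tech", "fortigate-firewall", "adnimistrator",
                         "admin_support", "forticloud-sync"}  # names from the reporting
EXPECTED_ADMINS = {"admin"}  # assumption: your known-good admin accounts

SAMPLE_CONFIG = """config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "forticloud-sync"
        set accprofile "super_admin"
    next
    edit "netops-svc"
        set accprofile "super_admin"
    next
end
config user local
    edit "jsmith"
    next
    edit "jsmith1"
    next
end
config system automation-action
    edit "sync-admin"
        set action-type cli-script
        set script "config system admin
edit admin_support
set accprofile super_admin
end"
    next
end
config system automation-stitch
    edit "sync-admin"
        config actions
            edit 1
                set action "sync-admin"
            next
        end
    next
end
"""

def _statements(text):
    """Yield one CLI statement per item; a quoted 'set' value spanning lines (a cli-script body) is rejoined."""
    buf = None
    for raw in text.splitlines():
        if buf is not None:
            buf += "\n" + raw
            if buf.count('"') % 2 == 0:
                yield buf
                buf = None
            continue
        line = raw.strip()
        if line and line.count('"') % 2:
            buf = line
        elif line:
            yield line

def parse_fortios(text):
    """Parse config/edit/set/next/end into nested dicts: {section: {entry: {attr: value, nested: {...}}}}."""
    stack = [{}]
    for stmt in _statements(text):
        kw, _, rest = stmt.partition(" ")
        if kw in ("config", "edit"):
            stack.append(stack[-1].setdefault(rest.strip().strip('"'), {}))
        elif kw == "set":
            key, _, value = rest.partition(" ")
            stack[-1][key] = value.strip().strip('"')
        elif kw in ("next", "end"):
            stack.pop()
    return stack[0]

def audit(config):
    """Return (check, object) pairs for every artifact found."""
    findings = []
    for name, attrs in config.get("system admin", {}).items():
        if name in KNOWN_BACKDOOR_ADMINS:
            findings.append(("known_backdoor_admin", name))
        elif attrs.get("accprofile") == "super_admin" and name not in EXPECTED_ADMINS:
            findings.append(("unexpected_super_admin", name))
    # A stitch whose cli-script action touches 'config system admin' can recreate a removed backdoor.
    actions = config.get("system automation-action", {})
    for sname, stitch in config.get("system automation-stitch", {}).items():
        for step in stitch.get("actions", {}).values():
            act = actions.get(step.get("action", ""), {})
            if act.get("action-type") == "cli-script" and "system admin" in act.get("script", ""):
                findings.append(("admin_recreating_stitch", sname))
    # Lookalike local user: an existing user name with one trailing digit appended.
    users = set(config.get("user local", {}))
    for user in sorted(users):
        m = re.fullmatch(r"(.+)\d", user)
        if m and m.group(1) in users:
            findings.append(("lookalike_local_user", user))
    return findings
```

Run `audit(parse_fortios(open("backup.conf").read()))` against a `show full-configuration` or backup file; the lookalike check is deliberately loose (any name that is another user plus a digit) and expects a human to review its hits.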
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
- 🇮🇳 India
- 🇧🇷 Brazil
Where they're from
Attributed origin per open-source reporting.
- RU
Tradecraft
19 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
6 malware families attributed to this actor across reporting.
1 additional family tracked in Mallory.
Associated vulnerabilities
2 CVEs this actor has used in observed campaigns, both exploited in the wild.
Initial Access and Persistence: CVE-2024-55591 and CVE-2025-24472 allow unauthenticated attackers to gain super_admin privileges on vulnerable FortiOS devices (<7.0.16) with exposed management interfaces. A proof-of-concept (PoC) exploit was publicly released on January 27, and within 96 hours, we observed active exploitation in the wild using two distinct methods: jsconsole ... HTTPS ...
Initial Access and Persistence: CVE-2024-55591 and CVE-2025-24472 allow unauthenticated attackers to gain super_admin privileges on vulnerable FortiOS devices (<7.0.16) with exposed management interfaces... Another common exploitation method we observed involved the threat actor using the fortigate-firewall account to exploit CVE-2025-24472 rather than CVE-2024-55591.
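Both exploitation methods quoted above end in an authenticated super_admin session on the device, followed by configuration changes that add accounts and automation objects. Detection logic over FortiGate system event logs, as an added example that is not Forescout's or Fortinet's code: the log lines are constructed and modelled on the FortiOS key=value syslog layout (fields such as ui, srcip, action, status, cfgpath, cfgobj); the MGMT_NETS allowlist, the rule names and the severity labels are assumptions to adapt to your environment.

```python
"""Detection logic for the Mora_001 access pattern over FortiGate system event
logs: admin logins via the jsconsole interface, admin logins from outside a
management allowlist, and configuration 'Add' events for admins or automation.
Added example, not Forescout's or Fortinet's code. SAMPLE_LOGS are constructed
lines in the FortiOS key=value layout; MGMT_NETS and severities are assumptions."""
import ipaddress
import re

KNOWN_BACKDOOR_ADMINS = {"forticloud-tech", "fortigate-firewall", "adnimistrator",
                         "admin_support", "forticloud-sync"}  # names from the reporting
MGMT_NETS = [ipaddress.ip_network("10.0.100.0/24")]  # assumption: your management subnet

# key=value pairs; values are either "quoted with spaces" or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

SAMPLE_LOGS = r'''
type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" srcip=127.0.0.1 action="login" status="success" profile="super_admin"
type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(10.0.100.5)" method="https" srcip=10.0.100.5 action="login" status="success" profile="super_admin"
type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(203.0.113.7)" method="https" srcip=203.0.113.7 action="login" status="success" profile="super_admin"
type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="jsconsole" action="Add" cfgpath="system.admin" cfgobj="forticloud-sync" cfgattr="accprofile[super_admin]" msg="Add system.admin forticloud-sync"
type="event" subtype="system" logdesc="Object attribute configured" user="forticloud-sync" ui="ssh(10.0.100.5)" action="Add" cfgpath="system.automation-stitch" cfgobj="sync-admin" msg="Add system.automation-stitch sync-admin"
type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="https(10.0.100.5)" action="Edit" cfgpath="system.admin" cfgobj="admin" cfgattr="password[*]" msg="Edit system.admin admin"
'''

def parse_fortilog(line):
    """Split one FortiOS key=value log line into a dict, unquoting values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def _in_mgmt(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_NETS)

def detect(lines):
    """Return (severity, rule, user, object) alerts for suspicious events."""
    alerts = []
    for line in lines:
        ev = parse_fortilog(line)
        if not ev:
            continue
        user, ui, src = ev.get("user"), ev.get("ui", ""), ev.get("srcip", "")
        if ev.get("action") == "login" and ev.get("status") == "success":
            # Reporting ties exploitation to admin sessions via jsconsole, so every
            # successful jsconsole login is raised regardless of source address.
            if ui.startswith("jsconsole"):
                alerts.append(("high", "jsconsole_admin_login", user, src))
            elif not _in_mgmt(src):
                alerts.append(("medium", "admin_login_outside_mgmt", user, src))
        elif ev.get("action") == "Add":
            path, obj = ev.get("cfgpath", ""), ev.get("cfgobj", "")
            if path == "system.admin":
                backdoor = obj in KNOWN_BACKDOOR_ADMINS or "super_admin" in ev.get("cfgattr", "")
                alerts.append(("critical" if backdoor else "medium", "admin_account_added", user, obj))
            elif path.startswith("system.automation-"):
                alerts.append(("high", "automation_object_added", user, obj))
    return alerts
```

Feed `detect()` the raw syslog lines your collector receives from the FortiGate; pairing the `admin_account_added` alert with the `jsconsole_admin_login` that precedes it from the same device is the sequence the excerpts describe.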
Observables
35 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Threat actor linked (by Forescout) to exploitation of Fortinet FortiOS vulnerabilities resulting in deployment of SuperBlack ransomware; infrastructure overlap noted with Proton66-associated IP activity.
Mora_001 is an initial access broker attributed with exploiting Fortinet FortiOS vulnerabilities to deliver the SuperBlack ransomware.
Conducts intrusions via exploitation of FortiGate/FortiOS perimeter devices, establishes persistence (e.g., creating VPN users), performs reconnaissance and lateral movement (WMIC/SSH), exfiltrates data, and deploys a customized ransomware variant (“SuperBlack”) resembling LockBit 3.0; selectively encrypts high-value systems (notably file servers) after exfiltration.
Independent ransomware operator exploiting Fortinet FortiGate vulnerabilities for initial access, establishing persistence via super_admin accounts and automation scripts, conducting reconnaissance and lateral movement, exfiltrating data, and deploying the SuperBlack ransomware variant.