Royal/BlackSuit

Also known asRoyal/BlackSuit

BlackSuit is a ransomware threat actor/group referenced in the provided content as part of the Royal/BlackSuit ransomware cluster. The content notes that abuse of ConnectWise/ScreenConnect matched documented TTPs of Black Basta affiliates and Royal/BlackSuit ransomware groups, citing CISA AA24-131A. In the analyzed reporting, an Amadey botnet campaign tagged fbf543 used legitimate remote management and monitoring tools from ConnectWise, DattoRMM, Atera, GoToResolve, and N-able as persistent backdoors, alongside credential theft, RAT deployment, redundant RMM persistence, and monetization. Breakglass Intelligence assessed the operator profile as consistent with an Initial Access Broker or ransomware affiliate playbook, which aligns with the mention context linking the activity to Royal/BlackSuit ransomware groups. The campaign delivered numerous follow-on payloads including Vidar, LummaStealer, XWorm, QuasarRAT, AsyncRAT, DarkVisionRAT, Smoke Loader, and a CoinMiner signed with a stolen AnyDesk certificate. The actor used stock, validly signed vendor installers pre-configured to connect to attacker-controlled relay infrastructure, including self-hosted domains, abused ConnectWise cloud instances, and a Seychelles-based bulletproof hosting IP. Alias directly present in the content: royal_blacksuit.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

1 distinct technique observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

1 of 15 tactics1 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0040

Impact

1 technique

T1486

Data Encrypted for Impact

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

breakglass intelNews

Mar 12, 2026

Amadey Botnet Campaign "fbf543" Weaponizes 9 Legitimate RMM Tools Across 5 Vendors for EDR-Evasive Persistence - Breakglass Intelligence - Breakglass Intelligence

Referenced as a ransomware group whose documented TTPs resemble the ConnectWise/ScreenConnect abuse seen in this campaign.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping1

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.