blackfield

Also known asblackfield

Blackfield is a threat actor identified in the provided content as a ransomware gang and also referenced in the context of politically charged data-leak claims. The actor claimed responsibility for a ransomware attack against Nidec Corporation’s Taiwanese subsidiary, Nidec Chaun Choung Technology, following ransomware-originated damage confirmed by Nidec on June 22, 2026. In that incident, Blackfield demanded a $2 million ransom, gave the victim more than 15 days to negotiate, threatened to publish or sell allegedly stolen data, offered a one-day leak deadline extension for $5,000, and advertised immediate access to the purported stolen data for $400,000. The actor also posted sample files, including file structures and documents, as proof of breach, although the validity of those samples was not independently confirmed in the cited reporting. Separately, on October 10, 2023, Blackfield was reported to have announced on a Russian-speaking forum that it possessed personal data belonging to hundreds of Israel Defense Forces soldiers and Shabak members, including phone numbers, photos, and other personal information. Based on the provided content, known alias: blackfield.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

Military
Government & Administration

Where they target

Geographies tied to known operations.

🇮🇱 Israel
🇺🇸 United States

MITRE ATT&CK

Tradecraft

4 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

2 of 15 tactics4 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0010

Exfiltration

2 techniques

T1041

Exfiltration Over C2 Channel

T1537

Transfer Data to Cloud Account

TA0040

Impact

2 techniques

T1486

Data Encrypted for Impact

T1657

Financial Theft

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

bleeping computerNews

Jun 30, 2026

Blackfield ransomware asks Nidec Corporation for $2 million ransom

Conducting a ransomware and data-extortion attack against Nidec Corporation and its Taiwanese subsidiary, demanding $2 million, threatening to publish or sell allegedly stolen data, leaking sample files as proof, and offering deadline extensions for payment.

cyfirma otherNews

Oct 18, 2023

ISRAEL GAZA CONFLICT : THE CYBER PERSPECTIVE - CYFIRMA

Threat actor claiming possession of personal data on IDF soldiers and Shabak members, with possible intent for targeted attacks and disinformation campaigns; also hinted at targeting the US.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping4

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.