SuperBlack
SuperBlack is a ransomware strain first reported in intrusions observed from late January to early March 2025 that began with exploitation of Fortinet FortiGate/FortiOS firewall vulnerabilities, notably CVE-2024-55591 and CVE-2025-24472, to obtain unauthenticated super_admin access on exposed management interfaces. Forescout attributed the activity to a threat actor tracked as Mora_001. After compromising FortiGate devices, the actor established persistence by creating administrative accounts and automation tasks, created lookalike VPN users, harvested firewall configurations, used FortiGate dashboards for reconnaissance, and moved laterally with WMIC and SSH to high-value systems including file servers, domain controllers/authentication servers, database servers, and other infrastructure devices. In at least one confirmed case, the operator exfiltrated data before selectively encrypting file servers rather than the entire network, consistent with double-extortion behavior.
SuperBlack is assessed to be a customized variant closely resembling LockBit 3.0 (LockBit Black). Reported differences from LockBit 3.0 include a modified ransom note and a custom data-exfiltration executable. Forescout assessed the actor likely used a leaked LockBit builder and removed LockBit branding while retaining LockBit-like note structure; the ransom note reportedly reused the Tox ID DED25DCB2AAAF65A05BEA584A0D1BB1D55DD2D8BB4185FA39B5175C60C8DDD0C0A7F8A8EC815, suggesting ties to the LockBit ecosystem. A related wiper component, WipeBlack (hash: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2), was reported to remove evidence of the ransomware executable.
Observed targeting associated with SuperBlack included non-profit, engineering, and financial organizations; separate reporting also linked attacks from Proton66 infrastructure to SuperBlack infections. One IP tied to pivot activity was 185.147.124.34, and Trustwave linked 193.143.1.65 to operators associated with SuperBlack activity. High-confidence operational artifacts in the reporting include recurring firewall admin account names such as forticloud-tech, fortigate-firewall, adnimistrator, and admin_support, use of FortiClient VPN from 89.248.192.55 in at least one case, and exploitation activity against Fortinet edge devices shortly after public proof-of-concept release.
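The account-naming and infrastructure artifacts above lend themselves to a simple hunt over FortiGate event logs. The following Python is an added example, not code from Mallory, Forescout, Trustwave or Fortinet: it parses constructed FortiOS-style key=value log lines (the sample lines and field usage are an approximation, not captured telemetry) and flags four things the reporting describes: creation of admin accounts with the recurring names, creation of VPN users that are a legitimate username plus trailing digits, changes to automation objects (the `cfgpath` values used for those are assumed), and connections from the IPs named on this page. It generalizes the "added digit at the end" pattern to any run of trailing digits.

```python
import re
from dataclasses import dataclass

# Admin account names recurring in public reporting on SuperBlack/Mora_001 intrusions (from this page).
SUSPICIOUS_ADMIN_NAMES = {"forticloud-tech", "fortigate-firewall", "adnimistrator", "admin_support"}

# IPs named on this page (FortiClient VPN login source and pivot infrastructure).
REPORTED_IPS = {"89.248.192.55", "185.147.124.34", "193.143.1.65"}

# system.admin and user.local are FortiOS config tables; the automation cfgpath values are
# assumptions standing in for whatever automation objects the reporting refers to.
ADMIN_CFGPATH = "system.admin"
VPN_USER_CFGPATH = "user.local"
AUTOMATION_CFGPATHS = {"system.automation-stitch", "system.automation-action"}

# key=value pairs, value either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_kv(line):
    """Parse a FortiOS-style key=value log line into a dict of string fields."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}


def lookalike_of(name, legit_users):
    """Return the legitimate username that `name` impersonates (legit name + trailing digits), else None."""
    m = re.fullmatch(r"(.+?)\d+", name)
    if m and m.group(1) in legit_users and name not in legit_users:
        return m.group(1)
    return None


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str
    line_no: int


def hunt(log_lines, legit_users):
    """Run the four hunt rules over event log lines and return all findings in line order."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        ev = parse_kv(line)
        action, cfgpath, cfgobj = ev.get("action"), ev.get("cfgpath"), ev.get("cfgobj")
        if action == "Add" and cfgpath == ADMIN_CFGPATH and cfgobj in SUSPICIOUS_ADMIN_NAMES:
            findings.append(Finding("known_admin_name", f"admin account {cfgobj!r} created", n))
        if action == "Add" and cfgpath == VPN_USER_CFGPATH and cfgobj:
            target = lookalike_of(cfgobj, legit_users)
            if target:
                findings.append(Finding("lookalike_vpn_user", f"{cfgobj!r} resembles legitimate user {target!r}", n))
        if cfgpath in AUTOMATION_CFGPATHS and action in {"Add", "Edit"}:
            findings.append(Finding("automation_change", f"{action} {cfgpath} {cfgobj!r}", n))
        if ev.get("srcip") in REPORTED_IPS:
            findings.append(Finding("reported_ip", f"connection from reported IP {ev['srcip']}", n))
    return findings


# Constructed sample log lines approximating FortiOS event logs; not real telemetry.
SAMPLE_LOGS = [
    'date=2025-02-03 time=10:01:12 type="event" subtype="system" action="Add" user="admin" ui="jsconsole" cfgpath="system.admin" cfgobj="forticloud-tech" msg="Add system.admin forticloud-tech"',
    'date=2025-02-03 time=10:02:40 type="event" subtype="system" action="Add" user="forticloud-tech" ui="https(203.0.113.10)" cfgpath="user.local" cfgobj="jsmith1" msg="Add user.local jsmith1"',
    'date=2025-02-03 time=10:03:05 type="event" subtype="system" action="Add" user="forticloud-tech" ui="https(203.0.113.10)" cfgpath="system.automation-stitch" cfgobj="backup-cfg" msg="Add system.automation-stitch backup-cfg"',
    'date=2025-02-03 time=11:15:30 type="event" subtype="vpn" action="tunnel-up" user="jsmith1" srcip=89.248.192.55 msg="SSL tunnel established"',
    'date=2025-02-03 time=09:00:00 type="event" subtype="system" action="Edit" user="admin" ui="gui(10.0.0.5)" cfgpath="system.interface" cfgobj="port1" msg="Edit system.interface port1"',
    'date=2025-02-03 time=09:05:00 type="event" subtype="system" action="Add" user="admin" ui="gui(10.0.0.5)" cfgpath="user.local" cfgobj="mlopez" msg="Add user.local mlopez"',
]
# Constructed list of known-good accounts the lookalike rule compares against.
SAMPLE_LEGIT_USERS = {"jsmith", "mlopez", "admin"}

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS, SAMPLE_LEGIT_USERS):
        print(f"line {f.line_no}: [{f.rule}] {f.detail}")
```

The lookalike rule needs an inventory of legitimate VPN and admin users to compare against; in practice that list comes from the firewall configuration backup or the identity store, and the rule should run on every `user.local` and `system.admin` addition, not only on names from a watchlist.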
Vulnerabilities exploited
5 CVEs Mallory has correlated with this family across public research and vendor advisories.
Evidence quoted from Forescout (CVE-2024-55591 and CVE-2025-24472):
"It began with the exploitation of Fortigate firewall appliances — culminating in the deployment of a newly discovered ransomware strain we have dubbed SuperBlack. ... The ransomware strain observed in these incidents closely resembles LockBit 3.0 (LockBit Black). The primary differences lie in the ransom note left after encryption and a custom data exfiltration executable. Due to these modifications, we have designated this variant “SuperBlack”."
"Initial Access and Persistence: CVE-2024-55591 and CVE-2025-24472 allow unauthenticated attackers to gain super_admin privileges on vulnerable FortiOS devices (<7.0.16) with exposed management interfaces. A proof-of-concept (PoC) exploit was publicly released on January 27, and within 96 hours, we observed active exploitation in the wild using two distinct methods: jsconsole ... HTTPS ..."
"... Another common exploitation method we observed involved the threat actor using the fortigate-firewall account to exploit CVE-2025-24472 rather than CVE-2024-55591."
Evidence from separate reporting:
"...connected to the operators of a new ransomware strain called SuperBlack..."
Groups observed using it
1 distinct threat actor attributed by public researchers: Mora_001 (Forescout).
Techniques & procedures
10 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
“When the firewall had VPN capabilities, the threat actor created local VPN user accounts with names resembling legitimate accounts but with an added digit at the end… added to the VPN user group, enabling future logins… manually assigned a password…”
CVE-2024-55591 and CVE-2025-24472 allow unauthenticated attackers to gain super_admin privileges on vulnerable FortiOS devices (<7.0.16) with exposed management interfaces.
Execution (1 technique)
The actor primarily relied on Windows Management Instrumentation (WMIC) for remote system discovery and execution.
Persistence (1 technique)
Privilege Escalation (1 technique)
Stealth (2 techniques)
The wiper file is designed to remove evidence of the ransom executable after encryption.
Credential Access (1 technique)
"...mass scanning, credential brute-forcing, and exploitation attempts..." and "...patterns like consistent brute-force attempts still matter."
Discovery (1 technique)
"...a major increase in 'mass scanning, credential brute-forcing, and exploitation attempts' coming from Proton66’s network..."
Lateral Movement (2 techniques)
The actor primarily relied on Windows Management Instrumentation (WMIC) for remote system discovery and execution, and SSH to access additional systems, particularly servers and network devices.
Exfiltration (1 technique)
The encryption was initiated only after data exfiltration, aligning with recent trends among ransomware operators who prioritize data theft over pure disruption.
Impact (1 technique)
It began with the exploitation of Fortigate firewall appliances — culminating in the deployment of a newly discovered ransomware strain we have dubbed SuperBlack.
IOCs tracked for this family
36 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
Ransomware strain referenced as being deployed by actors exploiting Fortinet CVE-2024-21762 (authentication bypass) for initial access.
SuperBlack is a ransomware strain that has been deployed by the Mora_001 operator and is linked to the LockBit cybercrime gang. It is used to encrypt files and demand ransom payments.
Ransomware that infects organizations by exploiting vulnerabilities in network devices and systems, leading to file encryption and ransom demands.
Ransomware strain associated with activity originating from Proton66 infrastructure; operators observed distributing critical exploits and linked to exploitation of edge-device vulnerabilities leading to ransomware deployment.