IntelligenceSign in Sign Up

Back to malware

MalwareRansomwareUsed by 1 actor

BLACKNET-00

Share:

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

Infrastructure Destruction Squad

A threat actor named Infrastructure Destruction Squad announced BLACKNET-00 via Telegram, a fully GUI-driven ransomware builder available for $500 that requires zero programming knowledge to operate.

via socradar blogsocradar.io

MITRE ATT&CK

Techniques & procedures

6 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

2 techniques

T1053Scheduled Task/JobEvidence1

On the persistence front, the platform reportedly supports Registry Run key injection and Scheduled Task creation (both standard MITRE ATT&CK T1547 and T1053 techniques)

T1574.001DLLEvidence1

but extends into more sophisticated territory with DLL Hijacking (T1574.001). DLL hijacking, where a malicious library is placed in a path searched before the legitimate one

Persistence

2 techniques

T1053Scheduled Task/JobEvidence1

On the persistence front, the platform reportedly supports Registry Run key injection and Scheduled Task creation (both standard MITRE ATT&CK T1547 and T1053 techniques)

T1547.001Registry Run Keys / Startup FolderEvidence1

On the persistence front, the platform reportedly supports Registry Run key injection and Scheduled Task creation (both standard MITRE ATT&CK T1547 and T1053 techniques)

Privilege Escalation

2 techniques

T1053Scheduled Task/JobEvidence1

On the persistence front, the platform reportedly supports Registry Run key injection and Scheduled Task creation (both standard MITRE ATT&CK T1547 and T1053 techniques)

T1547.001Registry Run Keys / Startup FolderEvidence1

On the persistence front, the platform reportedly supports Registry Run key injection and Scheduled Task creation (both standard MITRE ATT&CK T1547 and T1053 techniques)

Stealth

3 techniques

T1497Virtualization/Sandbox EvasionEvidence1

The platform’s Anti-VM and Anti-Sandbox detection is particularly telling... By refusing to execute in detected virtual environments (MITRE ATT&CK T1497), the payload actively degrades the quality of automated threat intelligence collection.

T1497.003Time Based ChecksEvidence1

The delayed execution capability (T1497.003) targets the time-bound analysis windows of most sandbox deployments — typically two to five minutes of monitored execution.

T1574.001DLLEvidence1

but extends into more sophisticated territory with DLL Hijacking (T1574.001). DLL hijacking, where a malicious library is placed in a path searched before the legitimate one

Discovery

2 techniques

T1497Virtualization/Sandbox EvasionEvidence1

The platform’s Anti-VM and Anti-Sandbox detection is particularly telling... By refusing to execute in detected virtual environments (MITRE ATT&CK T1497), the payload actively degrades the quality of automated threat intelligence collection.

T1497.003Time Based ChecksEvidence1

The delayed execution capability (T1497.003) targets the time-bound analysis windows of most sandbox deployments — typically two to five minutes of monitored execution.

Impact

1 technique

T1486Data Encrypted for ImpactEvidence1

BLACKNET-00 offers a multi-algorithm encryption suite: AES-256 for symmetric bulk file encryption, RSA for asymmetric key exchange... and ChaCha20 as an alternative stream cipher

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

socradar blogNews

BLACKNET-00: The Ransomware-as-a-Service Platform That Weaponizes Mediocrity

A GUI-driven ransomware builder/RaaS platform that enables low-skill operators to generate customized ransomware payloads with layered encryption, anti-analysis features, Tor- and DGA-backed C2, persistence, data exfiltration, and self-propagation capabilities.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping6

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.