Mallory
Financially Motivated | 3 malware families

Blockade Spider

Also known as: BLOCKADE SPIDER

BLOCKADE SPIDER is a CrowdStrike-tracked eCrime adversary active since at least April 2024 and associated with Embargo ransomware campaigns. The group is financially motivated and is known for cross-domain tradecraft, meaning intrusions that span endpoint, identity, cloud and virtualization layers so that no single telemetry source shows the whole attack. Reported activity includes initial access through unmanaged VPN infrastructure, attempts to dump credentials from Veeam Backup & Replication configuration databases, deletion of backup files, and repeated attempts to tamper with the CrowdStrike Falcon sensor. The Veeam configuration database holds the stored credentials Veeam uses to reach hypervisors and guests, so dumping it yields broad lateral-movement material, and pairing that with backup deletion removes recovery options before encryption. CrowdStrike also reported that BLOCKADE SPIDER deployed the OrBit Linux backdoor/rootkit to maintain persistent, stealthy access in VMware virtualization environments. The reporting characterizes the actor as targeting cloud and virtualized environments and as operating across multiple domains to evade detection. No other high-confidence aliases or sub-groups are recorded beyond the lowercase variant blockade_spider.


MITRE ATT&CK

Tradecraft

6 distinct techniques observed across reporting, spanning 6 of 15 tactics, grouped by tactic. A technique that ATT&CK maps to more than one tactic (T1556, T1574.006) is listed under each of them. ×N = number of intelligence reports citing that technique.
Tactic                     Technique                                                    Reports
TA0001 Initial Access      T1190 Exploit Public-Facing Application
TA0002 Execution           T1574.006 Hijack Execution Flow: Dynamic Linker Hijacking    ×2
TA0003 Persistence         T1556 Modify Authentication Process
TA0005 Defense Evasion     T1014 Rootkit                                                ×2
TA0005 Defense Evasion     T1564.001 Hide Artifacts: Hidden Files and Directories
TA0005 Defense Evasion     T1574.006 Hijack Execution Flow: Dynamic Linker Hijacking    ×2
TA0112 Defense Impairment  T1556 Modify Authentication Process
TA0006 Credential Access   T1556 Modify Authentication Process
TA0006 Credential Access   T1649 Steal or Forge Authentication Certificates

TA0005 is MITRE's Defense Evasion tactic (the original listing labelled it "Stealth"). TA0112 Defense Impairment is kept as labelled in the source.
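Added example (not from this page or from CrowdStrike's reporting): a Linux host triage script for the dynamic-linker hijacking and userland rootkit techniques mapped above (T1574.006, T1014). It checks the three places a preload-style implant normally surfaces: entries in /etc/ld.so.preload, LD_PRELOAD-family variables in running processes' environments, and shared objects mapped from outside the system library directories or already unlinked from disk. The sample inputs and the library path /dev/shm/.x/libhide.so are constructed for the example, not indicators from reporting.

```python
"""Host triage for Linux dynamic-linker hijacking (ATT&CK T1574.006) and
userland rootkits (T1014). Added example; the sample data below is constructed."""
import glob
import os

# Directories where a legitimately installed shared object is expected to live.
SYSTEM_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")
# Environment variables that let a user redirect what the dynamic loader maps.
LOADER_VARS = (b"LD_PRELOAD", b"LD_LIBRARY_PATH", b"LD_AUDIT")


def preload_entries(ld_so_preload_text):
    """Libraries listed in /etc/ld.so.preload, comments and blank lines dropped.
    On a normal server the file is absent or empty; any entry needs explaining."""
    entries = []
    for line in ld_so_preload_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def loader_env(environ_blob):
    """Loader-control variables from /proc/<pid>/environ (NUL-separated KEY=VALUE)."""
    found = {}
    for entry in environ_blob.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep and key in LOADER_VARS:
            found[key.decode()] = value.decode(errors="replace")
    return found


def suspicious_mappings(maps_text):
    """Shared objects in /proc/<pid>/maps mapped from outside the system library
    directories or carrying the '(deleted)' marker, i.e. the file was unlinked
    after being loaded, a common way to keep an implant off disk."""
    hits = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # addr perms offset dev inode [path]
        if len(fields) < 6 or not fields[5].startswith("/"):
            continue  # anonymous mapping, [heap], [stack], [vdso]
        path = fields[5]
        on_disk = path[:-len(" (deleted)")] if path.endswith(" (deleted)") else path
        if ".so" not in os.path.basename(on_disk):
            continue  # the main executable or a data file, not a library
        if path != on_disk or not on_disk.startswith(SYSTEM_LIB_DIRS):
            hits.add(path)
    return sorted(hits)


def triage_process(environ_blob, maps_text):
    """Findings for one process; an empty dict means nothing of interest."""
    findings = {}
    env = loader_env(environ_blob)
    if env:
        findings["loader_env"] = env
    maps = suspicious_mappings(maps_text)
    if maps:
        findings["mappings"] = maps
    return findings


def scan_live_host():
    """Walk /proc on the running host (root is needed to read other users' environ)."""
    report = {}
    try:
        with open("/etc/ld.so.preload") as f:
            report["ld.so.preload"] = preload_entries(f.read())
    except FileNotFoundError:
        report["ld.so.preload"] = []  # absent is the normal state
    for pid_dir in glob.glob("/proc/[0-9]*"):
        try:
            with open(pid_dir + "/environ", "rb") as f, open(pid_dir + "/maps") as g:
                findings = triage_process(f.read(), g.read())
        except OSError:
            continue  # process exited or permission denied
        if findings:
            report[os.path.basename(pid_dir)] = findings
    return report


# Constructed sample input for the example (not indicators from reporting).
SAMPLE_LD_SO_PRELOAD = "# constructed\n/dev/shm/.x/libhide.so\n"
SAMPLE_ENVIRON = b"PATH=/usr/bin:/bin\0LD_PRELOAD=/dev/shm/.x/libhide.so\0HOME=/root\0"
SAMPLE_MAPS = (
    "55d1c3a00000-55d1c3a21000 r--p 00000000 fd:01 131 /usr/sbin/sshd\n"
    "7f2a0c000000-7f2a0c1c0000 r-xp 00000000 fd:01 2622 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f2a0c400000-7f2a0c405000 r-xp 00000000 00:19 12 /dev/shm/.x/libhide.so (deleted)\n"
    "7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0 [stack]\n"
)

if __name__ == "__main__":
    print("sample:", preload_entries(SAMPLE_LD_SO_PRELOAD),
          triage_process(SAMPLE_ENVIRON, SAMPLE_MAPS))
    print("live host:", scan_live_host())
```

Two caveats when running this on a suspect host. First, a rootkit that hooks libc can filter what this script itself reads from /proc and /etc/ld.so.preload, so a clean result is weak evidence; corroborate from a statically linked binary, an offline disk image, or hypervisor-side memory. Second, software you deploy under /opt or /snap will also trip the mapping check, so maintain an allowlist for your own packages rather than loosening SYSTEM_LIB_DIRS.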
IOCs

Observables

24 indicators (domains, IPs, hashes and other artifacts) are attributed to this actor in reporting. The indicator values are not shown on this public page.
