SuperBlack

Also known asSuperBlack

SuperBlack is a rising ransomware threat group/strain observed in 2025. Reporting links it to exploitation of Fortinet FortiOS/FortiProxy CVE-2024-55591 for initial access, and VulnCheck listed SuperBlack among six named ransomware families associated with that vulnerability. Trustwave SpiderLabs reported that IP address 193.143.1.65 was connected to operators of the SuperBlack ransomware strain and linked the activity to Proton66, a Russian bulletproof hosting provider (ASN 198953). SpiderLabs also stated that SuperBlack operators were distributing recent critical-priority exploits. The group has been reported as preferring non-profit, engineering, and financial sectors. Forescout linked the same IP to the Mora_001 threat actor exploiting Fortinet FortiOS vulnerabilities to deploy SuperBlack ransomware. Based on the provided content, SuperBlack is associated with ransomware operations leveraging edge-device exploitation, particularly Fortinet appliances, and infrastructure tied to Proton66. No additional aliases or sub-groups beyond the name SuperBlack are directly supported in the content.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

industrialcyberNews

Feb 26, 2026

VulnCheck finds ransomware operators increasingly relying on zero-days, raising risk in OT environments - Industrial Cyber

Named ransomware family associated with exploitation of Fortinet FortiOS CVE-2024-55591 in 2025 ransomware activity.

bushidotoken blogNews

May 5, 2025

Ransomware Tool Matrix Project Updates: May 2025

Rising ransomware group; associated with exploitation of Fortinet FortiProxy.

hackreadNews

Apr 22, 2025

Russian Host Proton66 Tied to SuperBlack and WeaXor Ransomware

Ransomware operators leveraging Proton66 bulletproof hosting infrastructure; associated with mass scanning/brute-force/exploitation activity and distribution of recent critical exploits. Reported to target non-profit, engineering, and financial sectors.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.