DarkBit is a ransomware persona/group launched in 2023 that has been used in destructive cyber operations rather than conventional financially motivated ransomware activity. Multiple sources in the provided content link DarkBit to Iranian state-sponsored activity, specifically DEV-1084/Storm-1084 and MOIS-linked actors, with collaboration or association noted with MERCURY, now tracked as Mango Sandstorm/MuddyWater. The DarkBit persona was used in the February 2023 attack on the Technion Israel Institute of Technology in Israel, which Microsoft and other reporting described as a destructive operation masquerading as ransomware. Supporting content also states that DarkBit is believed to be associated with the MuddyWater Iranian espionage group and is cited as an example of Iran using fronts/personas to claim responsibility for disruptive attacks. Reported capabilities and characteristics in the content include ransomware-style encryption, but researchers and Israeli security firm Profero developed/deployed decryptors after identifying a weak key generation algorithm that allowed brute-forcing of the decryption key. High-confidence targeting reflected in the content includes Israeli organizations, specifically Technion, within the broader context of Iranian operations against regional adversaries and critical or strategic sectors. No additional specific IOCs are provided in the supplied content.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
...it has also been linked to disruptive operations targeting the Technion Israel Institute of Technology by adopting the DarkBit ransomware persona.
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware persona/family linked to disruptive operations attributed to MuddyWater.
Ransomware whose encryption has been cracked by researchers, potentially allowing victims to recover files without paying ransom.
Ransomware that encrypts files and demands payment, known for a weak key generation algorithm. Believed to be associated with the MuddyWater Iranian espionage group.
Named malware/tool referenced as an alternate name associated with Storm-1084 in Microsoft's naming table.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.