ExMatter

ExMatter is a custom data-exfiltration malware/tool used in ransomware double-extortion operations to steal sensitive data prior to file encryption. It is directly associated with the BlackCat/ALPHV (also tracked as Noberus) ransomware operation and was previously associated with BlackMatter; reporting also notes overlaps between BlackCat and BlackMatter. The tool has reportedly been in use since BlackCat’s launch in November 2021, and BlackCat was observed deploying it in August 2022.

High-confidence reported capabilities include selective harvesting/exfiltration of files with specific extensions, generation of a report listing processed files, corruption of processed files via an "Eraser" feature, a self-destruct option to quit and delete itself in non-valid environments, and support for multiple exfiltration methods including SFTP, WebDav, and later FTP. One report states the August 2022 update limited exfiltration to specific file types including PDF, DOC, DOCX, XLS, PNG, JPG, JPEG, TXT, BMP, RDP, SQL, MSG, PST, ZIP, RTF, IPT, and DWG; removed Socks5 support; added an option for GPO deployment; and underwent substantial code refactoring intended to implement features more stealthily and evade detection. Reporting also describes a revamped version that harvests only files with specific extensions, generates a report of processed files, and corrupts files.

In context, ExMatter is used to support BlackCat/ALPHV’s double-extortion model across enterprise intrusions, where data theft is used to pressure victims in addition to ransomware encryption. Mentioned reporting ties its use to ransomware affiliate activity and to BlackCat attacks broadly. One mention context also lists ExMatter among "wiper malware examples," but the dominant and consistently supported characterization in the content is as a custom data-exfiltration tool rather than a standalone wiper. No standalone IOCs for ExMatter are provided in the content.