Blackshades
Blackshades is a Windows-focused remote access trojan (RAT) and trojan horse used to remotely control infected computers. Reported since around 2010, it was sold cheaply on Hack Forums for about US$40 and was described as widely used, including by low-skill operators. U.S. authorities stated it infected more than 500,000 computers worldwide, and reporting cited roughly US$350,000 in sales.
Its documented capabilities include remote unauthorized access, file access and modification, keystroke logging, webcam access, downloading and executing additional files, using the victim system as a proxy, participation in DDoS/TCP flood attacks, and ransomware-style lock-and-ransom behavior. Many antivirus products can detect it, but operators commonly used obfuscation tools sold alongside Blackshades to evade detection.
Documented infection vectors include malicious webpages, including drive-by downloads, and removable media such as USB flash drives. The malware targets Microsoft Windows-based operating systems.
Blackshades appears in multiple threat contexts. Citizen Lab and EFF reported its use in 2012 against Syrian opposition forces, and a broader study of attacks in Syria found Blackshades among the predominant malware families used against activists, dissidents, journalists, trade unionists, and NGOs. ALUMINUM SARATOGA (also tracked as Molerats / Operation DustySky) reportedly used Blackshades among many openly available tools in operations targeting organizations in the Middle East and North Africa. Another source notes a group deploying BlackShades alongside BrowserPasswordDump10, DarkComet, SPARK RAT, and Quasar RAT.
The malware was also used in criminal sextortion activity. In one cited case, Jared James Abrahams pleaded guilty in 2013 to hacking more than 100-150 women and installing Blackshades to obtain nude images and videos; he was sentenced in March 2014. Law-enforcement action against the malware was extensive: in 2014, the FBI coordinated an international crackdown that reportedly resulted in the arrest of almost 100 people in 19 countries, 359 searches, and the seizure of more than 1,100 electronic devices. Separate reporting states that the U.S. Justice Department announced actions against more than 100 people accused of purchasing and using Blackshades. Blackshades has been attributed to Alex Yucel and Michael Hogue; Hogue was arrested and indicted under the Computer Fraud and Abuse Act.
Groups observed using it
1 distinct threat actor attributed by public researchers.
“ALUMINUM SARATOGA uses many openly available tools for its operations, including… Blackshades…”
Techniques & procedures
16 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance
1 technique
"...speculates that Abrahams used the technique of Google Dorking to find and target Cassidy Wolf's webcam online"
Initial Access
2 techniques
"Blackshades infects computer systems by downloading onto a victim's computer when the victim accesses a malicious webpage (sometimes downloading onto the victim's computer without the victim's knowledge, known as a drive-by download)"
"The attacks we have documented usually involve the use of malicious links or e-mail attachments, designed to obtain information from a device."
Execution
1 technique
"The messages usually include text, often in Arabic, that attempts to persuade the target to execute the file or click the link."
Stealth
1 technique
"...avoid detection... by using software that obfuscates the Blackshades binary to avoid detection by antivirus programs"
Credential Access
1 technique
Collection
5 techniques
"The attacks we have documented usually involve the use of malicious links or e-mail attachments, designed to obtain information from a device."
"We found that the spyware has a modular design, and can download additional modules from a command & control (C&C) server, including password capture (from over 20 applications) and recording of screenshots..."
"We found that the spyware has a modular design, and can download additional modules from a command & control (C&C) server, including password capture... and input from the computer's microphone and webcam."
Command and Control
4 techniques
"...or through external storage devices, such as USB flash drives."
"Download and execute files on the victim's computer."
"The attacks often include fake or maliciously packaged security tools; intriguing, or ideological, or movement-relevant content... Researchers and security professionals have already profiled many of these RATs, including DarkComet, Blackshades Remote Controller, Xtreme RAT, njRAT, and ShadowTech."
Impact
2 techniques
"Blackshades can also act as ransomware... restrict access to the victim's computer and demand a ransom"
"...special features... such as ... DDoS / TCP Flood..." and "Make all infected computers subordinate to DDoS attack commands"
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Remote Access Trojan (RAT) used by Molerats for espionage and surveillance.
A cheap and powerful Remote Access Trojan reportedly used to infect more than half a million computers worldwide.
A Windows remote administration trojan (RAT) sold on underground forums that enables remote control of infected systems, including file access/modification, keystroke logging, webcam access, DDoS participation, downloading/executing additional files, and proxying. It is also described as being usable as ransomware by restricting access and demanding payment.
Remote access trojan used as part of the group’s publicly available tooling for remote control.