BlackSuit: A Hybrid Approach with Data Exfiltration and Encryption

    Date: 08/12/2025

    Severity: High

    Summary

A recent ransomware intrusion analysed by Cybereason showed the tactics of the BlackSuit group, believed to be a rebrand of Royal, which itself grew out of Conti. The operators used Cobalt Strike, rclone, RDP, PsExec and vssadmin in a multi-stage operation that combined data exfiltration with encryption. A distinctive step is that BlackSuit exfiltrates data and then deletes part of it before encrypting, so there is less data left to encrypt and the encryption phase finishes faster. The encryptor was also run with the -nomutex flag, which lets several ransomware instances run at the same time instead of a mutex blocking a second copy from starting.

    Indicators of Compromise (IOC) List

Domains/URLs (hostnames are case-insensitive; the Store./Mail. variants in the source list are the same indicators and are listed once here):

    misstallion.com

    store.misstallion.com

    mail.misstallion.com

    beamofthemoon.com

    store.beamofthemoon.com

    mail.beamofthemoon.com

    kiddlanka.com

    mail.kiddlanka.com

    IP addresses:

    180.131.145.85

    82.192.88.95

    88.119.175.194

    184.174.96.71

    Hashes (SHA-256):

    d53f5c10f07d4610a0fa1b6a8638648e4ab5370377364a2cc7aff4bb75c4d71b

    69a20bae02480e03cb36e26729ed4a74c613eee5ba8c44396655da84a851fd03

    0112e3b20872760dda5f658f6b546c85f126e803e27f0577b294f335ffa5a298

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

Domains/URLs (note that `like` without a wildcard is an exact-string comparison and may be case-sensitive depending on the backend, so the domain fields should be lower-cased or compared case-insensitively; the duplicated Store./Mail. spellings from the source list are folded into the lower-case entries below):

    domainname like "misstallion.com" or url like "misstallion.com" or siteurl like "misstallion.com" or domainname like "store.misstallion.com" or url like "store.misstallion.com" or siteurl like "store.misstallion.com" or domainname like "mail.misstallion.com" or url like "mail.misstallion.com" or siteurl like "mail.misstallion.com" or domainname like "beamofthemoon.com" or url like "beamofthemoon.com" or siteurl like "beamofthemoon.com" or domainname like "store.beamofthemoon.com" or url like "store.beamofthemoon.com" or siteurl like "store.beamofthemoon.com" or domainname like "mail.beamofthemoon.com" or url like "mail.beamofthemoon.com" or siteurl like "mail.beamofthemoon.com" or domainname like "kiddlanka.com" or url like "kiddlanka.com" or siteurl like "kiddlanka.com" or domainname like "mail.kiddlanka.com" or url like "mail.kiddlanka.com" or siteurl like "mail.kiddlanka.com"

IP addresses:

    dstipaddress IN ("180.131.145.85","82.192.88.95","88.119.175.194","184.174.96.71") or srcipaddress IN ("180.131.145.85","82.192.88.95","88.119.175.194","184.174.96.71")

Hashes (SHA-256):

    sha256hash IN ("69a20bae02480e03cb36e26729ed4a74c613eee5ba8c44396655da84a851fd03","0112e3b20872760dda5f658f6b546c85f126e803e27f0577b294f335ffa5a298","d53f5c10f07d4610a0fa1b6a8638648e4ab5370377364a2cc7aff4bb75c4d71b")
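The three queries above express the same logic for a TDIR backend; the following is an added example (not Gurucul's or Cybereason's code) that runs that logic in Python over a handful of constructed log records, so the normalisation points can be checked offline. It lower-cases hostnames and hashes, parses full URLs down to their host, and goes one step beyond the exact-match queries by also flagging any subdomain of a listed zone (so a new host under beamofthemoon.com would still fire). The record field names follow the queries on this page; the record format and the sample records themselves are assumptions made for the demonstration.

```python
"""IOC sweep over constructed log records for the BlackSuit indicators
listed above.  Added example, not part of the original advisory."""
import ipaddress
from urllib.parse import urlsplit

# Indicators copied from the IOC list above. Domains are lower-cased
# because DNS names are case-insensitive.
IOC_DOMAINS = {
    "misstallion.com", "store.misstallion.com", "mail.misstallion.com",
    "beamofthemoon.com", "store.beamofthemoon.com", "mail.beamofthemoon.com",
    "kiddlanka.com", "mail.kiddlanka.com",
}
IOC_IPS = {ipaddress.ip_address(a) for a in (
    "180.131.145.85", "82.192.88.95", "88.119.175.194", "184.174.96.71")}
IOC_SHA256 = {
    "d53f5c10f07d4610a0fa1b6a8638648e4ab5370377364a2cc7aff4bb75c4d71b",
    "69a20bae02480e03cb36e26729ed4a74c613eee5ba8c44396655da84a851fd03",
    "0112e3b20872760dda5f658f6b546c85f126e803e27f0577b294f335ffa5a298",
}


def host_from(value):
    """Return the lower-cased hostname of a bare domain or a full URL."""
    if not value:
        return None
    if "://" in value:
        host = urlsplit(value).hostname          # already lower-cased
    else:
        host = value.split("/", 1)[0].split(":", 1)[0]
    return host.lower().rstrip(".") if host else None


def domain_hits(host):
    """Return the listed domains that equal the host or one of its parent
    zones, so a previously unseen subdomain of a listed zone still fires."""
    if not host:
        return set()
    labels = host.split(".")
    candidates = {".".join(labels[i:]) for i in range(len(labels))}
    return candidates & IOC_DOMAINS


def match_record(rec):
    """Return the set of (indicator_type, indicator) hits for one record.
    Field names follow the TDIR queries; the record layout is assumed."""
    hits = set()
    for field in ("domainname", "url", "siteurl"):
        for d in domain_hits(host_from(rec.get(field))):
            hits.add(("domain", d))
    for field in ("srcipaddress", "dstipaddress"):
        val = rec.get(field)
        if not val:
            continue
        try:
            ip = ipaddress.ip_address(val.strip())
        except ValueError:
            continue                              # malformed address, skip
        if ip in IOC_IPS:
            hits.add(("ip", str(ip)))
    h = (rec.get("sha256hash") or "").strip().lower()
    if h in IOC_SHA256:
        hits.add(("sha256", h))
    return hits


def sweep(records):
    """Return [(record, hits)] for every record with at least one hit."""
    out = []
    for rec in records:
        hits = match_record(rec)
        if hits:
            out.append((rec, hits))
    return out


# Constructed sample records for the demonstration (not real telemetry).
SAMPLE_LOGS = [
    {"host": "ws-017", "url": "https://Store.MISSTALLION.com/upload?id=7"},
    {"host": "ws-017", "domainname": "cdn.beamofthemoon.com"},
    {"host": "fs-02", "srcipaddress": "10.0.4.12",
     "dstipaddress": "88.119.175.194"},
    {"host": "fs-02", "sha256hash":
     "D53F5C10F07D4610A0FA1B6A8638648E4AB5370377364A2CC7AFF4BB75C4D71B"},
    {"host": "ws-020", "url": "https://www.example.com/",
     "dstipaddress": "93.184.216.34"},
]

if __name__ == "__main__":
    for rec, hits in sweep(SAMPLE_LOGS):
        print(rec["host"], sorted(hits))
```

The first sample record shows why case handling matters: the mixed-case URL matches both store.misstallion.com and its parent misstallion.com once the host is normalised, whereas an exact-string `like` on the raw value would miss it. The last record is a clean control and produces no hit.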

    Reference:

    https://www.cybereason.com/blog/blacksuit-data-exfil


Tags: Malware, BlackSuit, Ransomware
