
A new ransomware operation has been targeting Windows and Linux systems with a combination of payloads relying on leaked LockBit and Babuk code and custom-developed tools.

Researchers said the threat actor behind the campaign, which they track as Blacktail, has not been linked to any existing cybercrime group. The ransomware itself, called Buhti, was first publicly documented in February, when security researchers found it targeting Linux systems. In an analysis published Thursday, researchers found that the group is also targeting Windows systems and is exploiting recently disclosed vulnerabilities for initial access.


“While the reuse of leaked payloads is often the hallmark of a less-skilled ransomware operation, Blacktail’s general competence in carrying out attacks, coupled with its ability to recognize the utility of newly discovered vulnerabilities, suggests that it is not to be underestimated,” said researchers.

The group has been exploiting vulnerabilities soon after they are disclosed, including a pre-authentication remote code execution flaw in IBM's Aspera Faspex file exchange application (CVE-2022-47986) and, more recently, an authentication-bypass flaw in the popular PaperCut MF and NG print management software (CVE-2023-27350) that lets unauthenticated attackers remotely execute code on the server. Both bugs had patches available before Blacktail began abusing them, so the practical defense is to patch internet-exposed Aspera Faspex and PaperCut instances promptly rather than waiting for an advisory naming a specific ransomware group.