Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to threat actors
6 malware families

BlackJack

Also known asBlackJack

BlackJack is described in the provided content as a hacktivist group targeting Russian organizations. Kaspersky reported overlaps between BlackJack and other Russia-targeting clusters including Crypt Ghouls and Twelve. Observed overlaps include use of XenAllPasswordPro, SoftPerfect Network Scanner, Intellpui.vbs, the CobInt backdoor/loader, resocks, and dismcore.dll sideloading; Kaspersky also noted broader similarities in utilities shared across Crypt Ghouls, BlackJack, and Twelve, including PingCastle. The group was specifically mentioned as having claimed responsibility for targeting Moscollector using the Fuxnet wiper. Kaspersky further reported that BlackJack also used Shamoon and LockBit in attacks. Based on the content, BlackJack appears to be part of a broader hacktivist ecosystem conducting operations against Russian targets, with technical overlap suggesting shared tooling, collaboration, or intelligence exchange with groups such as Twelve, Crypt Ghouls, MorLock, and Shedding Zmiy (aka ExCobalt).

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

2 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

5 of 15 tactics5 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
1 technique
T1078
Valid Accounts
TA0003
Persistence
1 technique
T1078
Valid Accounts
TA0004
Privilege Escalation
1 technique
T1078
Valid Accounts
TA0005
Stealth
1 technique
T1078
Valid Accounts
TA0006
Credential Access
1 technique
T1555
Credentials from Password Stores
ARSENAL

Associated malware families

6 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
XenAllPasswordProThe attackers employed the XenAllPasswordPro tool to harvest a range of authentication data from the target system.2Jun 14, 2026
FuxnetUpdateKaspersky, in a follow-up analysis published on September 25, 2024, said it identified overlaps between Twelve and another hacktivist group called BlackJack, which took responsibility for targeting Moscollector using Fuxnet, a wiper malware described as "Stuxnet on steroids."1Mar 18, 2026
LockBitThe attackers used a version of the popular LockBit 3.0 ransomware, compiled from publicly available source code, to encrypt the data.1Mar 18, 2026
PingCastle"...utilities, including SoftPerfect Network Scanner, PingCastle..."1Mar 18, 2026
ShamoonThe wiper, identical to the Shamoon malware, rewrites the master boot record (MBR) on connected drives and overwrites all file contents with randomly generated bytes, effectively preventing system recovery.1Mar 18, 2026

1 additional family tracked in Mallory.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
securelistNews
May 21, 2026
Analyzing the familiar tools used by the Crypt Ghouls hacktivists | Securelist

Group noted here for toolkit overlap with Crypt Ghouls, specifically use of XenAllPasswordPro.

Read more
security online infoNews
Oct 21, 2024
Supply Chain Weakness: Crypt Ghouls Exploit Contractors to Deploy Ransomware

Referenced as a related ransomware intrusion cluster sharing utilities and potentially infrastructure with Crypt Ghouls, complicating attribution.

Read more
the hacker newsNews
Oct 19, 2024
Crypt Ghouls Targets Russian Firms with LockBit 3.0 and Babuk Ransomware Attacks

Referenced as a separate group conducting similar recent campaigns targeting Russia with overlapping tools/infrastructure; no additional details provided in the content.

Read more
the hacker newsNews
Sep 21, 2024
Hacktivist Group Twelve Targets Russian Entities with Destructive Cyber Attacks

Hacktivist/destructive actor overlapping with Twelve; claimed attacks on Russian targets (e.g., Moscollector) using wipers (Fuxnet; also Shamoon) and LockBit, with stated non-financial motive to maximize damage (encrypt/delete/steal).

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping2

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal6

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.