Connect with us

Hi, what are you looking for?


Malware & Threats

Worldwide Arrests Unlikely to End the Use of BlackShades RAT

Law enforcement authorities from all over the world arrested around 100 individuals suspected of creating, distributing and using BlackShades RAT (ShadyRAT). However, experts say it’s unlikely this will end the use of BlackShades.

Law enforcement authorities from all over the world arrested around 100 individuals suspected of creating, distributing and using BlackShades RAT (ShadyRAT). However, experts say it’s unlikely this will end the use of BlackShades.

A total of 300 searches were conducted worldwide, 100 email and physical search warrants being executed in the United States alone. Some 1,900 command and control domains have been seized. Europol reported that more than 1,000 computers, laptops, mobile phones, external hard drives and other electronic devices were confiscated by investigators.

Michael Hogue, aka ‘xVisceral’, one of the developers of BlackShades, was arrested in the United States in June 2012. Hogue has already pleaded guilty to the charges brought against him. The recent law enforcement operation also included the unsealing of an indictment against Alex Yucel, a Swedish national previously arrested in Moldova. Yucel, who is believed to be the head of the organization that sold the malware, is awaiting extradition to the US.

Despite all these actions against BlackShades creators and users, experts say it’s unlikely that anyone will witness the end of the RAT, especially since the source code for this piece of malware has been available for more than three years and it’s not difficult for moderately skilled hackers to modify it for their purposes.

“The BlackShades arrests, which reportedly targeted over 100 hackers worldwide that were associated with the RAT, dealt a significant blow to the BlackShades criminal market, and will hopefully discourage further use,” Alex Watson, director of security research at Websense, told SecurityWeek. “However, it’s unlikely that this will end the use of BlackShades, which has survived multiple arrests over the past two years and had source code leaked to the Internet, which can be modified by hackers or used as building blocks for a new RAT.”

Watson highlights the fact that even if we are to see the end of BlackShades, there are plenty of other RATs and general purpose malware to take its place, including Xtreme RAT, Gh0st RAT and ZeuS.  While BlackShades has made numerous headlines mostly due to its use in sextortion operations, the threat is actually a multipurpose tool utilized in many cybercriminal campaigns, including industrial espionage and mid-level attacks.

In fact, Websense has been monitoring a series of low-level attacks targeted at financial institutions in the Middle East and India.

Advertisement. Scroll to continue reading.

“These attacks use a combination of malware, including Xtreme RAT and Zeus, indicating a more aggressive (and less sophisticated) campaign, likely with the goal of stealing credentials and financial information,” Watson explained.

The expert notes that attackers gain more flexibility around searching compromised machines and networks by combining information-stealing malware like ZeuS with such remote access Trojans. In order to protect themselves against these threats, organizations must inspect both inbound and outbound data streams because RATs function through two-way communications.

“It’s a challenge that organizations face with the increased use of RATs such as BlackShades for both targeted and non-targeted attacks,” Watson said. “The end result being that it becomes more difficult to understand the business impact or risk associated with an incident ─ for example, whether an attack is a targeted specifically at an organization and attempting to steal intellectual property or sensitive information- which would be very high risk for the organization, or if is simply part of a widespread and non-targeted campaign designed to steal credentials from many organizations.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...