The BlackCat group has once again enhanced its evasion tactics against security solutions provided by various vendors. They have developed a new tool called Munchkin, which allows them to execute ransomware payloads on remote machines or encrypt remote Server Message Block (SMB)/Common Internet File Shares (CIFS).

This development comes just over a month after Microsoft reported the discovery of a new version of the BlackCat ransomware. The attackers were found to be utilizing tools like Impacket and RemCom to conduct lateral movement and remote code execution attacks in targeted environments.

What’s the latest update?

The Munchkin utility is distributed as an ISO file, which is loaded into VirtualBox for execution.

  • This ISO file contains a customized Alpine OS installation, enabling the malware to change the root password of virtual machines and execute the malware binary named “controller”.
  • The “controller” malware, written in Rust, shares similarities with the BlackCat malware family.
  • Its purpose is to infect specific SMB/CIFS drives, log activities in different output logs, and shut down the virtual machine once the operation is complete.

Affiliates involved in the attacks

Beyond updating its tools to avoid detection, the group, through its affiliates, has been actively participating in multiple cyberattacks worldwide.

  • The group claimed responsibility for targeting ten banks using the Quality Service Installation (QSI) service, disclosing that they stole approximately 5TB of sensitive data.
  • The Motel One Group revealed that it fell victim to BlackCat ransomware attacks, resulting in the theft of customer data, including details of 150 credit cards.
  • An affiliate of BlackCat disrupted MGM Resorts’ operations by encrypting over 100 ESXi hypervisors.


Amidst the persistent hacking activities of this ransomware group and their continuous efforts to evolve, organizations are advised to utilize the updated Indicators of Compromise (IOCs) associated with this malware to ensure their safety. Implementing a robust Threat Intelligence Platform (TIP) can also help automatically detect and mitigate such threats.

