In a case of hackers being hacked, threat hunters managed to infiltrate online infrastructure tied to a ransomware group called BlackLock, uncovering important information about the techniques the group uses along the way.
Resecurity said it identified a security vulnerability in the Data Leak Site (DLS) run by the e-crime group, which allowed it to extract configuration files, credentials, and the history of commands executed on the server.
The flaws stem from certain misconfigurations in the BlackLock ransomware data leak site (DLS), leading to disclosure of clearnet IP addresses of the network infrastructure behind its TOR hidden services (hosting) and additional service information.
It described the captured command history as one of the biggest operational security (OPSEC) failures of BlackLock ransomware.
BlackLock is a rebranded version of another ransomware group known as Eldorado. It has since become one of the most active extortion syndicates of 2025, targeting the technology, manufacturing, construction, finance and retail sectors. As of last month, the site lists 46 victims.
The affected organizations are in Argentina, Alba, Brazil, Canada, Congo, Croatia, Peru, France, Italy, the Netherlands, Spain, the United Arab Emirates, the UK and the United States.
Having announced the launch of an underground affiliate network in mid-January 2025, the group has been observed actively recruiting traffers to advance the early stages of the attack by directing victims to malicious pages that deploy malware capable of establishing initial access to the compromised system.

The vulnerability identified by Resecurity is a local file inclusion (LFI) bug that essentially causes the web server to leak sensitive information by way of a path traversal attack, including the history of commands executed by the operators on the leak site.
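As an added illustration that is not part of the original report, the Python snippet below contrasts the unsafe file-serving pattern behind this class of LFI/path-traversal bug with a hardened version that decodes, resolves and fences the requested path inside the web root. The directory layout and file contents are constructed for the example.

```python
import os
import tempfile
from typing import Optional
from urllib.parse import unquote


def read_unsafe(web_root: str, requested: str) -> bytes:
    """Vulnerable pattern: the request path is joined onto the web root
    without normalisation, so '../' segments (or an absolute path) escape
    the root and expose files such as a shell history."""
    with open(os.path.join(web_root, requested), "rb") as fh:
        return fh.read()


def read_safe(web_root: str, requested: str) -> Optional[bytes]:
    """Hardened pattern: percent-decode, resolve to a canonical absolute
    path (following symlinks), and serve only if the result still lies
    inside the web root. Returns None so the caller can log the attempt."""
    root = os.path.realpath(web_root)
    target = os.path.realpath(os.path.join(root, unquote(requested)))
    if os.path.commonpath([root, target]) != root:
        return None  # traversal attempt: refuse
    with open(target, "rb") as fh:
        return fh.read()


def build_sandbox() -> tuple:
    """Constructed layout: <tmp>/www/index.html is public, while
    <tmp>/.bash_history sits one level above the web root."""
    base = tempfile.mkdtemp()
    www = os.path.join(base, "www")
    os.mkdir(www)
    with open(os.path.join(www, "index.html"), "wb") as fh:
        fh.write(b"<h1>leak site</h1>")
    with open(os.path.join(base, ".bash_history"), "wb") as fh:
        fh.write(b"ls -la /var/www\n")  # constructed sample history
    return base, www


if __name__ == "__main__":
    base, www = build_sandbox()
    print(read_unsafe(www, "../.bash_history"))   # leaks the history file
    print(read_safe(www, "../.bash_history"))     # None: request refused
    print(read_safe(www, "%2e%2e/.bash_history"))  # None: decoded first
```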
Some of the most notable findings are listed below:
- Exfiltration of data to the MEGA cloud storage service using RCLONE.
- The threat actors created at least eight accounts on MEGA using disposable email addresses created via YOPmail (e.g. “Zubinnecrouzo-6860@yopmail.com”).
- Reverse engineering of the ransomware uncovered overlaps in source code and ransom notes, and similarities to another ransomware strain, codenamed DragonForce, that has targeted Saudi Arabian organizations (DragonForce is written in Visual C++, whereas BlackLock uses Go).
- “$$$”, one of BlackLock’s leading operators, launched a short-lived ransomware project called Mamona on March 11, 2025.
In an interesting twist, BlackLock’s DLS was defaced by DragonForce on March 20, possibly by leveraging the same LFI vulnerability (or a similar one), causing its configuration files and internal chats to be exposed on its landing page. A day earlier, the Mamona ransomware DLS was also defaced.
“It is unclear whether BlackLock ransomware (as a group) has begun working with DragonForce ransomware or if it has quietly moved under new ownership,” Resecurity said. “The new masters could have taken over the project and its affiliate base to integrate the ransomware market, allowing them to understand their previous successors.”
“The key actor ‘$$$’ shared no surprises after the incident with BlackLock and Mamona ransomware. The actor was fully aware that his business could have already been compromised, so a silent ‘exit’ from the previous project could be the most reasonable option.”