Forbidden Hyena attacks with new remote access trojan BlackReaperRAT
Threat Intelligence observed significant activity from the Forbidden Hyena threat actor group from late 2025 into early 2026, revealing a novel remote access trojan (RAT) named BlackReaperRAT and a modified version of the Blackout Locker ransomware, now rebranded as Milkyway. BlackReaperRAT is distributed via RAR files containing a batch script (1.bat) that executes a malicious VBS script (1.vbs), which in turn downloads the RAT and a decoy document to distract users.
BlackReaperRAT is implemented as an obfuscated VBS script that generates a unique BotID upon execution and stores it in the user’s application data directory. It persists in two ways: it modifies the registry to create autorun entries so that it executes at system startup, and it registers Windows Task Scheduler tasks that run with the highest privileges.
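A hunting sketch for the two persistence methods described above, added here as an example and not taken from the report: it flags hosts where a Run-key autorun and a highest-privilege scheduled task both launch a VBS file through a Windows script host. The event field names (`host`, `id`, `target`, `details`, `task_xml`) are an assumed normalized schema for Sysmon event 13 and Security event 4698, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Autorun locations: ...\CurrentVersion\Run and RunOnce under any hive.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# wscript/cscript followed (possibly across XML elements) by a .vbs path.
VBS_LAUNCH = re.compile(r"\b[wc]script(\.exe)?\b.*\.vbs\b", re.I | re.S)
# Task XML element set when a task is registered to run elevated.
HIGHEST = re.compile(r"<RunLevel>\s*HighestAvailable\s*</RunLevel>", re.I)

def classify(event):
    """Return 'autorun', 'task' or None for one normalized event (assumed schema)."""
    if event["id"] == 13:  # Sysmon: registry value set
        if RUN_KEY.search(event["target"]) and VBS_LAUNCH.search(event["details"]):
            return "autorun"
    elif event["id"] == 4698:  # Security log: scheduled task created
        xml = event["task_xml"]
        if HIGHEST.search(xml) and VBS_LAUNCH.search(xml):
            return "task"
    return None

def hunt(events):
    """Map host -> sorted persistence kinds seen; both kinds together is the strongest signal."""
    hits = defaultdict(set)
    for ev in events:
        kind = classify(ev)
        if kind:
            hits[ev["host"]].add(kind)
    return {host: sorted(kinds) for host, kinds in hits.items()}

SAMPLE = [  # constructed events; hosts, users and paths are placeholders
    {"host": "WS-01", "id": 13,
     "target": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
     "details": r'wscript.exe "C:\Users\alice\AppData\Roaming\example.vbs"'},
    {"host": "WS-01", "id": 4698,
     "task_xml": "<Task><Principals><Principal><RunLevel>HighestAvailable</RunLevel>"
                 "</Principal></Principals><Actions><Exec><Command>wscript.exe</Command>"
                 r'<Arguments>"C:\Users\alice\AppData\Roaming\example.vbs"</Arguments>'
                 "</Exec></Actions></Task>"},
    {"host": "WS-02", "id": 13,  # benign autorun: not a script host
     "target": r"HKU\S-1-5-21-0-0-0-1002\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"host": "WS-03", "id": 4698,  # VBS task, but not elevated
     "task_xml": "<Task><RunLevel>LeastPrivilege</RunLevel><Command>cscript.exe</Command>"
                 r"<Arguments>C:\Scripts\inventory.vbs</Arguments></Task>"},
]

if __name__ == "__main__":
    print(hunt(SAMPLE))
```

Legitimate logon scripts and admin tooling also use VBS autoruns, so hits need triage against a baseline; the combination of both mechanisms on one host is what narrows the result.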
Indicators of Compromise (61)