PULSE NAME
Forbidden Hyena attacks with new remote access trojan BlackReaperRAT
WHITE Forbidden_hyena PetrP.73 2026-03-04 Modified: 2026-04-03
61 IOCs
HIGH VOLUME
Threat Intelligence observed significant activity from the Forbidden Hyena threat actor group from late 2025 into early 2026, revealing a new remote access trojan (RAT) named BlackReaperRAT and a modified version of the Blackout Locker ransomware, now rebranded as Milkyway. BlackReaperRAT is distributed in RAR archives containing a batch script (1.bat) that executes a malicious VBS script (1.vbs), which in turn downloads the RAT and a decoy document to distract the user. BlackReaperRAT itself is an obfuscated VBS script that generates a unique BotID on execution and stores it in the user’s application data directory. It persists in two ways: it modifies the registry to create autorun entries so that it runs at system startup, and it registers Windows Task Scheduler tasks with the highest privileges.
Indicators of Compromise (11 / 61 total)