The BlackCat ransomware has evolved with a new version of its data exfiltration tool for double-extortion attacks. The stealer tool, named Exmatter, is in use since BlackCat was first launched in November 2021.

Evolution of Exmatter

Researchers at Symantec (who track the group as Noberus) claim in a report that the focus of the ransomware group seems to be on data exfiltration capabilities, which is a critical part of double-extortion attacks.
  • The exfiltration tool was significantly updated in August featuring various changes such as exfiltrating data from a wide range of file types from FTP and WebDav to SFTP, and offering the option to create a report listing all processed files.
  • Further, it has added 'Eraser' feature to corrupt processed files along with 'Self-destruct' configuration option to delete and quit if it runs in a non-valid environment.

New info-stealer

BlackCat's info-stealing capacity has been further improved with the deployment of new malware named Eamfo, which is specifically used to target credentials saved in Veeam backups.
  • Eamfo connects to the Veeam SQL database and steals backup credentials with a SQL query. 
  • Once credentials are extracted, Eamfo decrypts and displays them to an attacker.

Stealth and efficiency

Along with the expansion of Exmatter’s capabilities, the latest version is updated with heavy code refactoring to make the existing features stealthier to avoid detection.
The BlackCat operation anyway uses an older anti-rootkit utility to terminate antivirus processes.


BlackCat isn't showing any signs of slowing down and seems to focus on continually evolving itself with new tools, improvements, and extortion strategies. Thus, organizations are suggested to secure access points and provide training to their employees against penetration tricks of cybercriminals. Further, businesses must invest more in cross-layer detection and response solutions.
Cyware Publisher