Skip to content

S1179 Exbyte

Exbyte is an exfiltration tool written in Go that is uniquely associated with BlackByte operations. Observed since 2022, Exbyte transfers collected files to online file sharing and hosting services.1

Item Value
ID S1179
Associated Names
Type MALWARE
Version 1.0
Created 17 December 2024
Last Modified 09 March 2025
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1140 Deobfuscate/Decode Files or Information Exbyte decodes and decrypts data stored in the configuration file with a key provided on the command line during execution.2
enterprise T1480 Execution Guardrails Exbyte checks for the presence of a configuration file before completing execution.2
enterprise T1567 Exfiltration Over Web Service Exbyte exfiltrates collected data to online file hosting sites such as Mega.co.nz.12
enterprise T1083 File and Directory Discovery Exbyte enumerates all document files on an infected machine, then creates a summary of these items including filename and directory location prior to exfiltration to cloud hosting services.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Exbyte will self-delete if a hard-coded configuration file is not found.2
enterprise T1106 Native API Exbyte calls ShellExecuteW with the IpOperation parameter RunAs to launch explorer.exe with elevated privileges.2
enterprise T1069 Permission Groups Discovery -
enterprise T1069.001 Local Groups Exbyte checks whether the process is running with privileged local access during execution.2
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery Exbyte checks for the presence of various security software products during execution.1
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks Exbyte performs various checks to determine if it is running in a sandboxed environment to prevent analysis.1

Groups That Use This Software

ID Name References
G1043 BlackByte BlackByte used Exbyte for automated file collection and exfiltration.12

References

  1. Symantec Threat Hunter Team. (2022, October 21). Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool. Retrieved December 16, 2024. 

  2. Microsoft Incident Response. (2023, July 6). The five-day job: A BlackByte ransomware intrusion case study. Retrieved December 16, 2024.