
Threat Actor Characterization

Bl00dy

ID: 1fde33249e249e08831798e406e40b5e82752
Categories: Cybercrime, Botnet Operator, Cybercriminal
Threat types: Malware, Botnet
Russia
Updated: 2026-02-17
Created: 2026-02-16
Aliases: none registered.
MITRE ATT&CK®

Bl00dy is a ransomware operator label/brand associated in public reporting with exploit-driven intrusions (notably the PaperCut and ScreenConnect vulnerability windows) and with reuse of the leaked LockBit 3.0 builder tooling. Victimology is opportunistic and driven by exposure and patch cadence; the education sector is explicitly referenced in the PaperCut advisory context.


Technique | Technique name | Tactic | Evidence
T1190 Exploit Public-Facing Application | TA0001 Initial Access
  • 2023-05-11 — PaperCut MF/NG CVE-2023-27350 exploitation in the wild is documented in the joint advisory; Bl00dy is repeatedly linked to PaperCut exploitation in supporting reporting.
  • 2024-02-27 — Bl00dy is listed among actors exploiting ScreenConnect CVE-2024-1708/1709 in the disclosed exploitation wave.
T1136.001 Create Account: Local Account | TA0003 Persistence
  • 2024-02-27 — ScreenConnect exploitation reporting describes attackers creating admin accounts on vulnerable servers as part of takeover behavior.
T1059 Command and Scripting Interpreter | TA0002 Execution
  • 2024-03-12 — INFERENCE (confidence: medium): Command-line and scripting interpreters (e.g., PowerShell/cmd) are common post-exploitation mechanisms in ransomware intrusions and are a reasonable expectation for an exploit-driven actor like Bl00dy.
T1105 Ingress Tool Transfer | TA0011 Command and Control
  • 2024-02-27 — INFERENCE (confidence: medium): Exploit-driven compromise of management apps is commonly followed by payload staging/transfer to deploy ransomware tooling; hunt for download-and-run chains on app servers.
T1021.001 Remote Services: Remote Desktop Protocol | TA0008 Lateral Movement
  • 2024-03-12 — INFERENCE (confidence: medium): Ransomware operators commonly use RDP for lateral movement and staging; treat it as a likely movement surface once exploit-driven initial access is confirmed.
T1490 Inhibit System Recovery | TA0040 Impact
  • 2024-03-12 — INFERENCE (confidence: medium): Inhibiting system recovery (e.g., shadow copy deletion) is common ransomware precursor behavior; include it in pre-encryption alert bundles for Bl00dy-like scenarios.
T1486 Data Encrypted for Impact | TA0040 Impact
  • 2022-09-28 — Bl00dy is described as conducting ransomware attacks; encryption for impact is inherent to ransomware operations.
  • 2024-03-12 — INFERENCE (confidence: high): Ransomware operations centered on disruptive encryption remain the most direct impact pattern for this actor label.
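The two best-supported post-access behaviors in the table above, local admin account creation on exploited management servers (T1136.001) and shadow copy deletion ahead of encryption (T1490), are the ones a SOC can turn into concrete detections. The script below is an added example written for this profile, not code from the platform or from any referenced advisory. It runs two detection rules over constructed Windows-style events (Security 4720/4732 for account lifecycle, Security 4688 / Sysmon 1 for process creation); the host names, account names and the app-server watchlist are hypothetical.

```python
"""Detection logic for two Bl00dy-relevant ATT&CK behaviors (added example).

The events below are constructed dictionaries shaped like Windows Security /
Sysmon fields; they are not telemetry from any real incident.
"""
import re
from dataclasses import dataclass

# Hypothetical watchlist: hosts running internet-facing management software
# of the kind named in the reporting (PaperCut, ScreenConnect).
APP_SERVER_ROLES = {"print-srv-01": "papercut", "rmm-srv-02": "screenconnect"}

# T1490: command lines that disable recovery or destroy shadow copies.
RECOVERY_INHIBIT_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]


@dataclass(frozen=True)
class Alert:
    technique: str
    host: str
    detail: str


def detect_local_admin_creation(events):
    """T1136.001: an account is created (4720) on a watchlisted app server and
    then added to Administrators (4732). Pairing the two events cuts noise from
    routine account creation on workstations or group changes alone."""
    alerts = []
    created = {}  # (host, account) -> record id of the 4720 event
    for e in events:
        host = e.get("host")
        if host not in APP_SERVER_ROLES:
            continue
        if e.get("event_id") == 4720:
            created[(host, e["target_account"])] = e["record_id"]
        elif e.get("event_id") == 4732 and e.get("group") == "Administrators":
            key = (host, e["member"])
            if key in created:
                alerts.append(Alert(
                    "T1136.001", host,
                    f"new account {e['member']} added to Administrators "
                    f"on {APP_SERVER_ROLES[host]} server (4720 record "
                    f"{created[key]})"))
    return alerts


def detect_recovery_inhibit(events):
    """T1490: process creation (Security 4688 or Sysmon 1) whose command line
    matches a recovery-inhibiting pattern, on any host."""
    alerts = []
    for e in events:
        if e.get("event_id") not in (4688, 1):
            continue
        cmd = e.get("command_line", "")
        for pat in RECOVERY_INHIBIT_PATTERNS:
            if pat.search(cmd):
                alerts.append(Alert("T1490", e["host"], cmd))
                break
    return alerts


# Constructed sample events (hypothetical hosts and accounts).
SAMPLE_EVENTS = [
    {"record_id": 1, "host": "rmm-srv-02", "event_id": 4720, "target_account": "svc_backup2"},
    {"record_id": 2, "host": "rmm-srv-02", "event_id": 4732, "group": "Administrators", "member": "svc_backup2"},
    {"record_id": 3, "host": "ws-017", "event_id": 4720, "target_account": "jdoe"},  # workstation: not watchlisted
    {"record_id": 4, "host": "print-srv-01", "event_id": 4732, "group": "Administrators", "member": "itadmin"},  # no prior 4720
    {"record_id": 5, "host": "print-srv-01", "event_id": 4688, "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"record_id": 6, "host": "fs-01", "event_id": 1, "command_line": "bcdedit /set {default} recoveryenabled No"},
    {"record_id": 7, "host": "fs-01", "event_id": 4688, "command_line": "vssadmin list shadows"},  # benign listing
]


def run(events=SAMPLE_EVENTS):
    """Run both rules and return the combined alert list."""
    return detect_local_admin_creation(events) + detect_recovery_inhibit(events)


if __name__ == "__main__":
    for a in run():
        print(a.technique, a.host, a.detail)
```

On the sample data the run yields one T1136.001 alert (the paired create-then-elevate on the ScreenConnect host) and two T1490 alerts; the workstation account creation, the lone group change and the read-only `vssadmin list shadows` produce nothing. In production the watchlist would come from asset inventory rather than a literal, and the pairing window for T1136.001 should be bounded in time.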
Strategic Intelligence
Last updated: 2026-02-17T19:31:19+00:00

Bl00dy — Ransomware “brand” leveraging leaked LockBit tooling

Classification: TLP:WHITE - Open Source Intelligence (OSINT)

Category: Cybercrime / Ransomware (operator group / “brand”) - Origin: Unknown

Author: iQBlack CTI Team


Executive Summary

Bl00dy (also stylized “Bl00Dy” / “BL00DY” in public reporting) is an extortion-and-encryption ransomware operator name that gained visibility through campaigns tied to exploitation of public-facing software vulnerabilities and opportunistic use of tooling from the wider ransomware ecosystem. Public reporting links the group to use of a leaked LockBit 3.0 (“LockBit Black”) builder, which is consistent with a model where smaller actors adopt “commodity” ransomware components rather than maintaining a fully proprietary locker pipeline.

Multiple open sources describe Bl00dy activity clustered around exploit windows for widely deployed enterprise software. Public reporting ties Bl00dy to exploitation of PaperCut print-management vulnerabilities in 2023, and to exploitation of ConnectWise ScreenConnect vulnerabilities disclosed and mass-exploited in February 2024. These patterns suggest an operations model that prioritizes speed-to-exploit, external access acquisition, and rapid disruption (encryption) — consistent with financially motivated ransomware operations.

Confidence is medium on the overall characterization (ransomware brand, exploit-driven access, LockBit-builder reuse) because these claims appear across multiple reputable sources; however, confidence is low-to-medium on whether Bl00dy should be treated as a “LockBit affiliate” in a strict organizational sense. The better-supported view is that Bl00dy leveraged leaked LockBit tooling, which is not equivalent to membership in the LockBit RaaS program.

Executive Analyst Brief for CISO — Bl00dy

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE
Hunting Playbook — Bl00dy
IOC Appendix
Last updated: 2026-02-17T19:59:58+00:00


This appendix contains only indicators and patterns that are supportable from open sources at time of writing.

OSINT Library
Last saved: 2026-02-17T19:43:12+00:00

OSINT Library — Bl00dy


2022-09-28 — BleepingComputer — “Leaked LockBit 3.0 builder used by 'Bl00dy' ransomware gang in attacks”

Social Media & Communication

No social links registered for this profile.
Reference Images / Associated Evidence

No images found for this threat.