
Executive Summary
Infrastructure Destruction Squad, an actor that has been promoting BLACKNET-00 as a ransomware framework, announced a new update focused on evasion, data theft, remote control, persistence, local information capture, and file encryption.
Based on the available information, there is no validated technical sample or independent analysis confirming the real functionality of all announced capabilities. For that reason, the content should be treated as operator claims rather than verified features.
The relevance of the announcement does not lie in the fact that BLACKNET-00 combines encryption, information theft, and extortion, which is already common in modern ransomware. The point of interest is how the operator attempts to package those capabilities into an accessible commercial framework, with full source code, a low price, and a sale allegedly limited to two buyers.
Key Judgments
- BLACKNET-00 again presents itself as a ransomware framework with combined capabilities for encryption, data theft, remote control, persistence, and evasion.
- The announcement follows a logic typical of modern ransomware, which does not focus only on encryption, but also on collecting information, pressuring the victim, and reducing recovery options.
- The alleged sale of the full source code for USD 500, limited to two buyers, seeks to project exclusivity, commercial urgency, and distribution control.
- The declared capabilities require independent technical validation before being treated as confirmed.
- Infrastructure Destruction Squad should be tracked as the actor promoting, pushing, or distributing BLACKNET-00 within the crimeware ecosystem.
What Happened
On 12 May 2026, operators linked to BLACKNET-00 published an update announcement for the framework. The message presents a version with alleged stealth mode, defensive control evasion, sensitive information theft, remote control, and full file encryption.
Among the declared capabilities are functions associated with cryptocurrency wallet theft, browser data collection, local document capture, WiFi credential extraction, keystroke logging, screenshot capture, webcam and microphone capture, as well as persistence mechanisms and Telegram-based control.
The announcement also mentions encryption of multiple file types, shadow copy deletion, a ransom message with an XMR wallet address, a 72-hour deadline, and a threat to publish stolen data. According to the operator, the full source code would be sold to a maximum of two people for USD 500.
Operational Assessment
For years, much of the ransomware ecosystem has moved beyond encryption alone and has relied on data theft, multiple extortion, reputational pressure, evasion, persistence, and abuse of administration tooling.
In that sense, BLACKNET-00 does not introduce a new logic. Instead, it attempts to present itself as a compact package that brings together capabilities already expected in contemporary ransomware operations. The difference lies in the commercialization model: full source code, low price, and a promise of restricted distribution.
The references to SmartScreen, Windows Defender, and local control evasion should be treated with caution. Without a sample or technical validation, it is not appropriate to assume that these functions operate as announced. However, their presence in the message shows that evasion remains a central sales argument for malware aimed at operators with low or medium technical skill.
Although encryption remains the direct pressure mechanism, the collection of wallets, documents, credentials, browser data, and environmental captures from the victim reinforces a double- or multiple-extortion logic.
Intelligence Significance
For iQBlack, the BLACKNET-00 announcement is relevant for two reasons. First, it confirms Infrastructure Destruction Squad’s intention to position BLACKNET-00 as a commercial offensive product, not only as an internal-use tool. Second, it shows how the actor is trying to lower the entry barrier for operators interested in ransomware by packaging theft, evasion, persistence, and encryption functions into a single framework.
Available public information had already positioned BLACKNET-00 as a RaaS platform promoted by Infrastructure Destruction Squad, with a graphical builder and an orientation toward users without programming knowledge. That context helps interpret the new announcement: this is not simply a technical update, but a continuation of the product’s commercial positioning.
The message should also be read as criminal marketing. The promise of “stealth,” complete evasion, Telegram control, full source code, and limited sale seeks to build a perception of power, exclusivity, and opportunity. That narrative can be as important as the real capability, because it aims to attract buyers and position the framework within a market saturated with recycled malware, builders, and low-quality tools.
Analytical Closing
The BLACKNET-00 announcement should be treated as a statement of capabilities pending technical validation, not as confirmation of each listed function. Its intelligence value lies in the direction it signals: Infrastructure Destruction Squad is attempting to present BLACKNET-00 as a commercial, accessible, and functionally broad ransomware framework, aligned with the modern extortion model based on encryption, data theft, evasion, and reputational pressure. Until samples or independent analysis are available, the most prudent reading is to treat this update as a signal of commercial positioning and possible expansion of circulation within the crimeware ecosystem.