BlackShades RAT Users – Busted


After a week of speculation, it would appear that the rumors are true: European law enforcement agencies have coordinated with the FBI to crackdown on international cybercrime, specifically targeting individuals who have downloaded the BlackShades remote administration tool (RAT).

Translation? The world is a little bit more Malware-Free.

What is BlackShades?

BlackShades is a remote administration tool, or a RAT. RATs allow their users to “remotely administrate” on other computers. In many cases, such as tech support or software demonstrations, RATs do indeed have legitimate use: they allow one user to help another or to show them how to use a new software tool. RATs can, however, also be used to commit cybercrime.

RATs become illegal when they are installed on target computers without consent. The BlackShades RAT is a hacking tool specifically designed to do just that and to, in turn, allow its user to perform a number of malicious actions. BlackShades is a versatile tool that can be used to spy on targets and to steal personal information. It allows for remote access to a victim’s files, it can log keystrokes, it can activate a victim’s webcam, it can be used to carry out a distributed denial of service attack (DDoS) on another victim, and it can be used to install more malware.

Typically, BlackShades can be purchased on underground hacker forums for a mere $40-100.

Who was arrested?

Early reports indicate that between 81-97 people have been arrested by the FBI and various European law enforcement agencies, on the premise of downloading BlackShades. At least 300 homes in many countries across the world, including Austria, Belgium, Canada, Chile, Croatia, Denmark, Estonia, France, Germany, Italy, the Netherlands, the United Kingdom, and the United States were raided. Raids followed seizure of one of the largest European BlackShades distribution websites,, on Wednesday.

In all, at least 1,000 computers were seized.

Part of a larger Anti-Cyber Crime effort

Last week’s BlackShades crackdown coincides with an FBI announcement via Reuters to increase its global, anti-cyber crime efforts and to take a more offensive approach to arresting criminals. In the weeks to come, it will be interesting to see if the BlackShades raid is just one of many conducted against popular malware kits and tools.

News of BlackShades is also followed by headlines that read that the United States will be charging Chinese Army personnel with cyberspying. Official announcement of the charges will come Monday morning.

Have a Great (Malware-Free) week ahead!

For more on RATs and how to stay protected, see our March warning on WinSpy and GimmeRAT, two prevalent variants that allow for remote monitoring of PCs and Android devices.

BlackShades Updates

Late Monday, the Manhattan U.S. Attorney and the FBI issued a public press release with more details about their ongoing BlackShades investigation.

Press Release Highlights

  • Since 2010, BlackShades was purchased by 1000s of people in 100s of countries, and it was used to infect at least 500,000 computers.
  • The crackdown on BlackShades is “the Largest-Ever Global Cyber Law Enforcement Operation, Involving More than 90 Arrests and Other Law Enforcement Actions in 19 Countries.”
  • Among the arrested is Alex Yücel of Sweden, the alleged co-creator of BlackShades and leader of the RAT’s highly organized, criminal proprietary distribution network.

BlackShades: Ease of Use

BlackShades was targeted by the FBI and other law enforcement agencies around the world because it was an extremely effective malware product that required very little technical competence, or money, to use. It was also backed by a highly organized team, which included customer and technical support.

“…We now live in a world where, for just $40, a cybercriminal halfway across the globe can – with just a click of a mouse – unleash a RAT that can spread a computer plague not only on someone’s property, but also on their privacy and most personal spaces.”

-Preet Bharara, Manhattan U.S. Attorney

For 4 years, BlackShades users around the world were purchasing a malware kit that essentially allowed for “point-and-click-hacking.” In addition to a user friendly GUI that listed an infected machine’s vital statistics, the malware also came with an abundance of ready-made features. BlackShades included automatic “link spreaders” which could distribute the malware to new computers through computers that were already infected, by remotely accessing infected computer’s social media accounts or emails. For those who didn’t want to do the work on their own, the malware also offered paid infection services from “experts.” In addition to the capabilities listed in our initial coverage of the BlackShades Bust, the malware also featured an automated form grabber and a ready-made file encryption kit, the latter of which even came with a pre-written ransom note!

BlackShades: Organized, Corporate Structure

From September 2010 to April 2014, BlackShades generated more than $350,000 in sales. This criminal profit can be attributed to what was, according to Monday’s press release, a highly structured distribution network, which included salaried employees, such as a director of marketing, a website developer, a customer service manager, and even a team of customer service representatives. Additionally, the point-and-click malware product was marketed – as seasoned security expert Brian Krebs puts it best – “principally for buyers who wouldn’t know how to hack their way out of a paper bag.”

What BlackShades means to you…

Coinciding with yesterday’s U.S. hacking allegation against China, BlackShades points to the highly structured and commercialized nature of most malware today. Long story short: they do it to make money, and if you have money flow or credentials connected to money online you can become a target without even knowing it.

BlackShades was dangerous because it was a good product. It allowed for a wide variety of hacking capabilities with a relatively low level of technical competence, all at an affordable price. It is unfortunate that it was used to commit crimes, but nonetheless the BlackShades crackdown represents a positive response to malware from federal authorities across the world.

The official U.S. Attorney’s BlackShades press release can be viewed in full here:

Have a great (RAT-Free) Day!