BlackEnergy Malware

Written by: Lizzie Danielson

Published: 12/23/2025



What is BlackEnergy malware?

BlackEnergy is a modular malware toolkit originally designed for distributed denial-of-service (DDoS) attacks but later repurposed for espionage and destructive operations against critical infrastructure. It has evolved through three major versions: 

  • BlackEnergy 1 (BE1)
  • BlackEnergy 2 (BE2)
  • BlackEnergy 3 (BE3)

Each version is significantly more capable than the last. Its modular plugin architecture allows attackers to deploy tailored payloads for keylogging, file collection, ICS reconnaissance, and system destruction, making it especially dangerous for industries managing critical infrastructure.

When was BlackEnergy first discovered?

Who created BlackEnergy?

BlackEnergy was originally created by a Russian hacker known as Dmytro Oleksiuk (alias: Cr4sh), who developed and sold the first version as a DDoS toolkit around 2007. The malware was subsequently adopted and heavily modified by Sandworm, a threat group attributed to Russia's GRU military intelligence Unit 74455. Sandworm is not a cybercriminal organization — it is a state-sponsored advanced persistent threat (APT) group that has been indicted by the U.S. Department of Justice.

What does BlackEnergy target?

BlackEnergy has been deployed against critical infrastructure, industrial control systems (ICS), governmental systems, and media outlets. Specific targets include Ukrainian energy distribution companies and U.S. critical infrastructure operators running ICS/HMI products including GE CIMPLICITY, Advantech/BroadWin WebAccess, and Siemens SIMATIC WinCC. The malware has a particular operational focus on geopolitical targets in Ukraine and NATO-affiliated nations.

BlackEnergy distribution method

The malware spreads through phishing emails containing malicious attachments and infected websites exploiting software vulnerabilities. Spear-phishing has been a common tactic, ensuring that victims unwittingly download the trojan by opening seemingly legitimate documents.

Technical analysis of BlackEnergy malware

BlackEnergy operates as a modular toolkit, using plugins to adapt its capabilities across three distinct generations:

  • BlackEnergy 1 (BE1, ~2007): HTTP-based DDoS botnet toolkit. Communicated with C2 servers via HTTP POST. Supported ICMP, TCP SYN, UDP, HTTP, and DNS flooding attacks.
  • BlackEnergy 2 (BE2, ~2008–2010): A complete code rewrite introducing a kernel-mode rootkit, strong encryption, and a modular plugin architecture. Plugins added capabilities including DDoS, spam, banking credential theft, and filesystem destruction. Sandworm adopted BE2 for ICS-focused espionage campaigns beginning around 2010.
  • BlackEnergy 3 (BE3, ~2014–2016): Dropped the kernel-mode driver for a lighter footprint. Used in the 2015 Ukraine power grid attack alongside KillDisk (a destructive disk-wiping component) to both gather ICS reconnaissance and destroy systems post-attack. BE3 caused outages affecting approximately 225,000–230,000 customers across three Ukrainian energy distribution companies on December 23, 2015, the first confirmed cyber-induced electric power outage in history.

Its variants are highly stealthy, utilizing rootkit functionality (in BE2) and encrypted C2 communications to evade detection.

Tactics, Techniques & Procedures (TTPs)

MITRE ATT&CK:

  • T1566.001 – Spearphishing Attachment (initial access via malicious Office documents)
  • T1071.001 – Application Layer Protocol: Web Protocols (HTTP-based C2 communications)
  • T1055 – Process Injection (BE2 rootkit-based injection techniques)
  • T1033 – System Owner/User Discovery
  • T1105 – Ingress Tool Transfer (plugin download and execution)
  • T1485 – Data Destruction (KillDisk component used for destructive wiping post-compromise)
  • T1078 – Valid Accounts (use of stolen operator credentials in the 2015 Ukraine attack)

Additional TTPs include UAC bypass via backward-compatibility settings in Windows 7 and later, encrypted plugin storage on disk, and coordinated scheduling of UPS shutdowns to prevent power restoration after grid disruption.

Indicators of Compromise (IoCs)

The following IoCs are associated with historical BlackEnergy campaigns documented by security researchers. Organizations should cross-reference with current threat intelligence feeds for the most up-to-date indicators.

C2 Infrastructure (historical):

  • 94.185.85.122 (associated with BE2 campaign, 2014 ICS targeting per Kaspersky research)

File Artifacts:

  • FONTCACHE.DAT - dropped file name associated with BE3 (detected by Kaspersky as Backdoor.Win32.Fonten)
  • Plugins stored as encrypted files on disk in BE2/BE3 variants
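The two indicators above can be turned into a first-pass triage check over proxy and file-creation logs. This is an added example, not Huntress's or any researcher's tooling: the log formats and the sample lines are constructed for illustration, and only the C2 address and the dropped file name come from the list above.

```python
"""Triage constructed proxy and file-event logs against the historical BlackEnergy IoCs."""
import re
from collections import namedtuple

# Historical indicators from the IoC list above. Treat them as a starting point for
# hunting, not a current blocklist: cross-reference live threat intel before acting.
BE_C2_IPS = {"94.185.85.122"}          # BE2 C2, 2014 ICS campaign
BE_FILE_NAMES = {"fontcache.dat"}      # BE3 dropped-file name (case-insensitive match)

Finding = namedtuple("Finding", "source host reason")

# Constructed proxy log format: "<timestamp> <client-ip> <method> <url> <status>"
PROXY_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+https?://([^/\s:]+)\S*\s+(\d{3})$")

def scan_proxy_log(lines):
    """Flag any request whose destination host is a historical BE C2 address.
    BE1/BE2 beaconed over HTTP POST, so the method is kept in the reason string."""
    findings = []
    for line in lines:
        m = PROXY_RE.match(line.strip())
        if not m:
            continue                    # ignore lines that do not fit the format
        _ts, src, method, host, _status = m.groups()
        if host in BE_C2_IPS:
            findings.append(Finding("proxy", src, f"{method} from {src} to BE C2 {host}"))
    return findings

# Constructed file-event format: "<timestamp> <hostname> CREATE <path>"
FILE_RE = re.compile(r"^(\S+)\s+(\S+)\s+CREATE\s+(.+)$")

def scan_file_events(lines):
    """Flag creation of a file whose base name matches the BE3 dropped-file name."""
    findings = []
    for line in lines:
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        _ts, host, path = m.groups()
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in BE_FILE_NAMES:
            findings.append(Finding("file", host, f"{host} wrote {name} at {path}"))
    return findings

def triage(proxy_lines, file_lines):
    """Return all findings plus the set of hosts to isolate and review first."""
    findings = scan_proxy_log(proxy_lines) + scan_file_events(file_lines)
    return {"findings": findings, "isolate": sorted({f.host for f in findings})}

# Constructed sample data (not real telemetry): two beacons and one dropped file.
SAMPLE_PROXY = [
    "2015-12-23T10:01:07Z 10.20.5.14 POST http://94.185.85.122/ 200",
    "2015-12-23T10:01:09Z 10.20.5.14 GET http://updates.example.com/index.html 200",
    "2015-12-23T10:03:40Z 10.20.5.21 POST http://94.185.85.122/ 200",
]
SAMPLE_FILES = [
    "2015-12-23T09:58:02Z WS-OPS-14 CREATE C:\\Users\\operator\\AppData\\Local\\FONTCACHE.DAT",
    "2015-12-23T09:58:05Z WS-OPS-14 CREATE C:\\Users\\operator\\AppData\\Local\\Temp\\report.docx",
]
```

Running `triage(SAMPLE_PROXY, SAMPLE_FILES)` on the constructed data yields three findings and three hosts to isolate; the same functions can be pointed at real exports once the regexes are adapted to the local log format.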


How to know if you’re infected with BlackEnergy?

Signs of an infection include unusual system activity, such as excessive network traffic, disabled antivirus solutions, and unexpected system reboots. For ICS operators, operational anomalies or unexpected commands being issued to SCADA/HMI systems may indicate a BlackEnergy-linked intrusion.

BlackEnergy removal instructions

Manual removal of BlackEnergy is complex and risky due to its stealth and system-level impacts. Use advanced EDR solutions or Huntress’s remediation tools to identify and remove the trojan. It is also prudent to isolate infected systems, revoke and rotate any credentials that may have been exposed, and review logs for root cause analysis.

Is BlackEnergy still active?

While the original versions of BlackEnergy are no longer widespread, its variants and techniques influenced more recent threats. Vigilance against similar modular malware remains critical in defending critical systems.

Mitigation & prevention strategies

To mitigate the risk of BlackEnergy, organizations should implement robust cybersecurity measures, including multi-factor authentication (MFA), regular patch management, user awareness training, and network monitoring. Employing a managed detection service, like Huntress’s 24/7 monitoring, can help detect and contain threats early.

FAQs

BlackEnergy is a modular trojan malware that evolved from a DDoS tool to a weapon for espionage and sabotage. It infiltrates systems via phishing and exploits system vulnerabilities while deploying plugins for tailored attacks.

BlackEnergy spreads primarily through spear-phishing emails containing malicious attachments or compromised websites that exploit software vulnerabilities. It targets victims by masquerading as legitimate software or documents.

While the original BlackEnergy is no longer widespread, its techniques inspire modern malware attacks with similar destructive potential. Vigilance and modern defenses are still essential.


Organizations should adopt security best practices, such as MFA, patching systems, and using EDR tools. Managed detection and response services like Huntress can also provide comprehensive protection.

