Exploring BlackTech IoCs Reveals Hundreds of Artifacts | WhoisXML API


Exploring BlackTech IoCs Reveals Hundreds of Artifacts in 2022

The BlackTech APT Group struck again, this time with the new FlagPro malware and IoCs. Since the group used the same C&C servers and infrastructure for multiple campaigns in the past, WhoisXML API analyzed the new IoCs together with those reported in the past two years. We uncovered artifacts and possible domain and IP connections. Our analysis includes:

  • Complete list of 35+ IoCs with their sources [1], [2], [3], [4], [5], [6], [7]
  • Malware check results for the IoCs, revealing that some were not flagged as malicious
  • Registrant detail analysis uncovering two unredacted email addresses shared with 40+ other domains
  • 600+ domain artifacts that share IP addresses with the IoCs
  • Several active IP resolutions to six unique IP addresses

Download the threat research materials containing the data related to the BlackTech APT Group now.


  • [1] https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech
  • [2] https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html
  • [3] https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html
  • [4] https://unit42.paloaltonetworks.com/bendybear-shellcode-blacktech/
  • [5] https://www.taiwannews.com.tw/en/news/3991160
  • [6] https://www.cisa.gov/uscert/ncas/analysis-reports/ar20-216a
  • [7] https://www.ithome.com.tw/news/139504