Black X is a ransomware operator currently active on public leak sites. Darkfield has indexed 4 public victims claimed by this operator between June 2, 2026. Black X is a nascent ransomware group, first observed in June 2026, with limited public documentation available from major threat intelligence sources such as CISA, the FBI, Mandiant, or comparable research organizations. With only four known victims on record, the group remains in early operational stages, though its targeting pattern suggests a financially motivated threat actor pursuing opportunistic or selectively targeted intrusions across geographically diverse regions.
The group has demonstrated activity spanning South Africa, the Philippines, South Korea, and Germany, indicating either a broad global targeting posture or the use of affiliate infrastructure capable of operating across multiple jurisdictions. Targeted sectors include Business Services, Healthcare, Energy, and the Public Sector, a mix consistent with groups that seek high-value data for double-extortion leverage or that target organizations with a lower tolerance for operational disruption and therefore a greater likelihood of ransom payment.
Due to the group's limited operational history and the absence of formal attribution or technical reporting from authoritative cybersecurity bodies, specific details regarding initial access vectors, tooling, encryption methodology, and affiliation structures cannot be responsibly stated at this time. Black X should be considered an emerging and closely monitored threat, and organizations operating in the identified target sectors and regions are advised to maintain a heightened defensive posture pending further intelligence development.
How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.