Skip to main content

Operator dossier

blacknevas (also tracked as black nevas) is a ransomware operator currently active on public leak sites. Darkfield has indexed 36 public victims claimed by this operator between August 6, 2025 and July 14, 2026. Blacknevas is an emerging ransomware group that was first observed in August 2025, appearing to be primarily financially motivated based on their targeting patterns and operational characteristics. The group's origin and potential affiliations remain unclear due to limited public documentation from established threat intelligence sources, though their diverse geographic targeting suggests either a distributed operation or broad opportunistic approach. Based on available victim data, Blacknevas has compromised at least 23 organizations across multiple countries, with the United States, Spain, India, Japan, and Thailand being the most frequently targeted nations, while their sector focus spans technology, manufacturing, energy, and consumer services industries, suggesting they employ opportunistic rather than sector-specific targeting methodologies. The group's attack vectors, specific tools, and whether they operate as a Ransomware-as-a-Service model or maintain independent operations have not been publicly documented by major cybersecurity firms or government agencies. Due to the group's recent emergence in August 2025, there is insufficient public reporting from established sources like CISA, FBI, or major threat intelligence providers to detail notable campaigns or significant attacks beyond the confirmed victim count. Given the recency of their first observed activity, Blacknevas appears to remain active as of late 2025, though comprehensive threat intelligence profiles from authoritative sources have yet to be published.

Most-targeted sectors

Most-affected countries

Recent disclosures by blacknevas

All 36 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for blacknevas

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

All groups

blacknevas

aka black nevas · 36 victims indexed · first seen 11 months ago · last activity 21 hours ago

36
Victims indexed
#127 of 364 tracked operators
11m
Active period
Aug 2025 → Jul 2026
10
Countries hit
top US · 6

At a glance

Status
active
Aliases
black nevas
First seen
11 months ago
Last activity
21 hours ago
Onion sites
1 known endpoint
Primary sector
Not Found · 5 hits

About

Blacknevas is an emerging ransomware group that was first observed in August 2025, appearing to be primarily financially motivated based on their targeting patterns and operational characteristics. The group's origin and potential affiliations remain unclear due to limited public documentation from established threat intelligence sources, though their diverse geographic targeting suggests either a distributed operation or broad opportunistic approach. Based on available victim data, Blacknevas has compromised at least 23 organizations across multiple countries, with the United States, Spain, India, Japan, and Thailand being the most frequently targeted nations, while their sector focus spans technology, manufacturing, energy, and consumer services industries, suggesting they employ opportunistic rather than sector-specific targeting methodologies. The group's attack vectors, specific tools, and whether they operate as a Ransomware-as-a-Service model or maintain independent operations have not been publicly documented by major cybersecurity firms or government agencies. Due to the group's recent emergence in August 2025, there is insufficient public reporting from established sources like CISA, FBI, or major threat intelligence providers to detail notable campaigns or significant attacks beyond the confirmed victim count. Given the recency of their first observed activity, Blacknevas appears to remain active as of late 2025, though comprehensive threat intelligence profiles from authoritative sources have yet to be published.

References

3 links

External sources curated by the MISP threat-intel community.

Timeline

4 months
2025-08-01T00:00:00+00:00 · 132025-09-01T00:00:00+00:00 · 42025-10-01T00:00:00+00:00 · 52026-01-01T00:00:00+00:00 · 1
2025-08-01T00:00:00+00:002026-01-01T00:00:00+00:00

Top countries

🇺🇸 United States
6
🇪🇸 Spain
3
🇮🇳 India
2
🇯🇵 Japan
2
🇹🇭 Thailand
2
🇬🇧 United Kingdom
2
🇧🇭 Bahrain
1
🇦🇷 Argentina
1

Top sectors

Technology
5
Manufacturing
4
Energy
2
Consumer Services
2
Business Services
2
Education
1
Construction
1
Hospitality and Tourism
1

MITRE ATT&CK

4 techniques · 3 tactics

Tactics

Initial AccessExecutionImpact

Techniques

  • T1566Phishing
  • T1190Exploit Public-Facing Application
  • T1059Command and Scripting Interpreter
  • T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

1 known
  • http://ctyfftrjgtwdjzlgqh4avbd35sqrs6tde4oyam2ufbjch6oqpqtkdtid.onion

Source

Updated 21 hours ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time blacknevas posts a victim.

Add blacknevas to your watchlist — Pro pings you within 5 minutes of any new blacknevas leak-site post, Telegram callout, or affiliate-rebrand inference.