Little-discussed in open source, China-based threat actor BlackTech (which PwC tracks as Red Djinn) has a long history: from targeting Taiwan since at least 2010, to expanding its focus to Japan, and, more recently, the United States. Also known as the Phantom of Routers for its router exploitation capabilities, BlackTech has a peculiar characteristic: surprising defenders by changing and updating its toolset all the time, while also staying true to its core skillset. Since 2019, BlackTech has been on a development streak: introducing ELF variants of its main backdoors, minting new Remote Access tools, and – why not – adopting and potentially developing exploits.

Beyond a full timeline of BlackTech’s operations and how the threat actor has evolved, this presentation will offer a comprehensive view of the threat actor’s tools, techniques and procedures (TTPs), pre-, during, and post-initial intrusion. We will describe a full intrusion chain, from an email sent to a target, to malicious documents, to backdoors and dumping LSASS. And in doing so, we will introduce new malware families that we attribute uniquely to BlackTech, including a downloader that we call Flagpro.

This will lead us straight into a web of command-and-control infrastructure, and to an open directory: one which we assess was used by BlackTech in 2021 to stage multiple backdoors, post-intrusion utilities, as well as several folders of vulnerability scanners and tailored router exploits with comments still in the code. We will analyse these exploits, and discuss at a higher level what they reveal about BlackTech’s capabilities and scope of targeting… and how we link all of the above back to Black(Tech).