BlackLock Ransomware Exposed After Researchers Exploit Leak Site Vulnerability

In what’s an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process.

Resecurity said it identified a security vulnerability in the data leak site (DLS) operated by the e-crime group that made it possible to extract configuration files, credentials, as well as the history of commands executed on the server.

The flaw concerns a “certain misconfiguration in the Data Leak Site (DLS) of BlackLock Ransomware, leading to clearnet IP addresses disclosure related to their network infrastructure behind TOR hidden services (hosting them) and additional service information,” the company said.

It described the acquired history of commands as one of the biggest operational security (OPSEC) failures of BlackLock ransomware.

BlackLock is a rebranded version of another ransomware group known as Eldorado. It has since become one of the most active extortion syndicates in 2025, heavily targeting technology, manufacturing, construction, finance, and retail sectors. As of last month, it has listed 46 victims on its site.

The impacted organizations are located in Argentina, Aruba, Brazil, Canada, Congo, Croatia, Peru, France, Italy, the Netherlands, Spain, the United Arab Emirates, the United Kingdom, and the United States.

The group, which announced the launch of an underground affiliate network in mid-January 2025, has also been observed actively recruiting traffers to facilitate early stages of the attacks by directing victims to malicious pages that deploy malware capable of establishing initial access to compromised systems.

The vulnerability identified by Resecurity is a local file inclusion (LFI) bug: a path traversal attack tricks the web server into leaking sensitive information, including the history of commands executed by the operators on the leak site.
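The bug class described above, shown from the defender's side as an added example (not code from Resecurity's report or from the leak site): a file resolver that joins a request parameter to the web root without a containment check, next to one that canonicalizes the path and refuses anything outside the root. The function names, directory layout, and file contents are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def resolve_naive(web_root: Path, requested: str) -> Path:
    """Vulnerable pattern: join the request parameter to the root, no containment check."""
    return Path(os.path.normpath(web_root / requested))


def resolve_safe(web_root: Path, requested: str) -> Optional[Path]:
    """Return the canonical file path only if it stays inside web_root."""
    root = web_root.resolve()
    candidate = (root / requested).resolve()  # collapses ../ and follows symlinks
    if not candidate.is_relative_to(root):    # Python 3.9+
        return None
    return candidate if candidate.is_file() else None


def demo() -> dict:
    """Compare both resolvers on a constructed tree: home/www is the web root."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp).resolve() / "home"
        web_root = home / "www"
        web_root.mkdir(parents=True)
        (web_root / "index.html").write_text("<h1>public</h1>")
        history = home / ".bash_history"   # constructed file outside the web root
        history.write_text("constructed sample history\n")
        requests = {
            "normal": "index.html",
            "dotdot": "../.bash_history",
            "absolute": str(history),      # an absolute path replaces the root on join
        }
        results = {}
        for label, req in requests.items():
            naive = resolve_naive(web_root, req)
            escaped = naive.is_file() and not naive.is_relative_to(web_root)
            results[label] = (escaped, resolve_safe(web_root, req) is not None)
        return results


if __name__ == "__main__":
    for label, (naive_escapes, safe_serves) in demo().items():
        print(f"{label:9} naive escapes root: {naive_escapes!s:5} safe serves: {safe_serves}")
```

The containment check runs on the resolved path, so it also covers symlinks inside the web root that point elsewhere.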
