// dump
paste, leak, share.
mirroring this from a closed channel since the original got deleted:
BLACKVINE TRACKING - what we know (Mar 12 2026):
- active since at least 2022, tracked by Mandiant as UNC-2143
- focused on aerospace and defense industrial base
- known TTPs: spearphishing -> macro-based loader -> custom backdoor (named 'TROUSER' by some vendors, 'GRAYDEW' by others)
- infrastructure usually fronted via compromised WordPress sites
- one operator known to use the handle 'd4rkm4tter' on cyber-adjacent forums (unconfirmed but consistent)
- another operator possibly tied to handle 'xX_ph4ntom_Xx' (old BBS/gaming alias from ~2014, very weak attribution)
current campaign appears to target a company beginning with M. (no specifics, do not @ me, i do not have specifics, i am posting what i heard at a SOC happy hour.)