New Threat Actor: BlackShrantac

A new data extortion group, BlackShrantac, has emerged on the threat landscape, claiming two major corporate breaches in September 2025. This group distinguishes itself by focusing exclusively on high-volume data theft for extortion, bypassing traditional file encryption tactics. 

Intelligence indicates BlackShrantac’s TTPs include phishing with malicious attachments (MITRE T1566.001) and supply chain compromise (T1195.002) for initial access. For execution, the group uses command-line interpreters such as PowerShell, Windows Command Shell, and Bash (T1059.001, T1059.003, T1059.004).

To maintain their foothold, the group establishes persistence through methods such as creating scheduled tasks (T1053.005) or modifying registry run keys and startup folders (T1547.001).
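The persistence techniques listed above leave log evidence even when no malicious binary is recovered: a scheduled-task creation (Windows Security event 4698), a write to a Run/RunOnce key (Sysmon event 13) or a file dropped in a Startup folder (Sysmon event 11). The following is an added example, not code from the original brief, that applies simple rules to a constructed stream of such events; the event field names (`command`, `target_object`, `target_filename`) are simplified assumptions rather than the exact Windows or Sysmon XML field names.

```python
"""Added example (not from the original brief): rule-based detection of the
persistence methods the brief lists, run over constructed Windows event records.
Field names are simplified assumptions, not the exact EVTX/Sysmon schema."""
import re

# Registry autorun locations (Run / RunOnce) under HKLM or any user hive.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)
# Per-user and all-users Startup folder.
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Paths a normal user can write to; legitimate scheduled tasks rarely launch from here.
USER_WRITABLE_RE = re.compile(r"(\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\)", re.I)
# The interpreters named in the brief (T1059.001/.003/.004) plus common script hosts.
INTERPRETER_RE = re.compile(r"\b(powershell|pwsh|cmd|wscript|cscript|mshta|bash)(\.exe)?\b", re.I)
# PowerShell encoded-command switches.
ENCODED_RE = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)

# Constructed sample events (hostnames, users and paths are invented).
SAMPLE_EVENTS = [
    {"event_id": 4698, "host": "ws01", "user": "CORP\\alice",           # task created
     "task_name": "\\Microsoft\\Windows\\Update\\SvcHost",
     "command": "powershell.exe -nop -w hidden -enc BASE64PLACEHOLDER"},
    {"event_id": 4698, "host": "ws02", "user": "CORP\\svc_backup",      # benign task
     "task_name": "\\Backup\\Nightly",
     "command": "C:\\Program Files\\Backup\\backup.exe --full"},
    {"event_id": 13, "host": "ws01", "user": "CORP\\alice",             # Run key set
     "target_object": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "details": "cmd.exe /c C:\\Users\\alice\\AppData\\Roaming\\up.bat"},
    {"event_id": 13, "host": "ws03", "user": "NT AUTHORITY\\SYSTEM",    # unrelated key
     "target_object": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{GUID}",
     "details": "1"},
    {"event_id": 11, "host": "ws02", "user": "CORP\\bob",               # Startup drop
     "target_filename": "C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\sync.vbs"},
]


def classify(event: dict):
    """Return a rule name when the event matches a persistence pattern, else None."""
    eid = event.get("event_id")
    if eid == 4698:
        cmd = event.get("command", "")
        # Interpreter launched with an encoded command or from a user-writable path.
        if INTERPRETER_RE.search(cmd) and (ENCODED_RE.search(cmd) or USER_WRITABLE_RE.search(cmd)):
            return "suspicious_scheduled_task"
    elif eid == 13 and RUN_KEY_RE.search(event.get("target_object", "")):
        return "run_key_persistence"
    elif eid == 11 and STARTUP_DIR_RE.search(event.get("target_filename", "")):
        return "startup_folder_persistence"
    return None


def detect_persistence(events):
    """Run every event through classify() and collect the hits as alert dicts."""
    alerts = []
    for ev in events:
        rule = classify(ev)
        if rule:
            detail = ev.get("command") or ev.get("details") or ev.get("target_filename")
            alerts.append({"rule": rule, "host": ev["host"], "user": ev["user"], "detail": detail})
    return alerts


if __name__ == "__main__":
    for a in detect_persistence(SAMPLE_EVENTS):
        print(f"[{a['rule']}] {a['host']} {a['user']}: {a['detail']}")
```

The scheduled-task rule deliberately requires two signals (an interpreter plus an encoded command or a user-writable launch path) so that ordinary administrative tasks do not alert; the Run-key and Startup-folder rules fire on any write, because those locations change rarely enough on managed endpoints that each write is worth a look.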

The group’s signature tactic is the collection and staging of massive datasets, followed by large-scale exfiltration. The primary indicator of a BlackShrantac compromise is therefore not a malicious binary, but the detection of anomalous, high-volume outbound data transfers.

Their operational capability was demonstrated against Klingenberg Industries in India, with 2TB of data stolen, and Altas Food and Drinks in Turkey, where they exfiltrated 600GB. These attacks show a focus on data-rich targets regardless of industry or location. 

Given the lack of specific IOCs like file hashes or C2 domains, defense must pivot to behavioral analytics and network detection and response (NDR) to identify data staging and exfiltration patterns. Implementing a zero-trust architecture is crucial to contain lateral movement and limit the scope of a potential breach.
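Because the brief's primary indicator is volume rather than a hash or domain, the practical detection is a per-host egress baseline: compare each host's external outbound bytes for a day against its own history and alert when today exceeds both an absolute floor and a multiple of the baseline. The block below is an added example, not code from the original brief or from any NDR product, run over constructed NetFlow-style records; the RFC 1918 ranges are assumed to be the internal address space, and the 50 GiB floor and 10x ratio are illustrative thresholds to tune per environment.

```python
"""Added example (not from the original brief): per-host egress baselining over
constructed flow records to surface the high-volume outbound transfers the brief
names as the primary BlackShrantac indicator. Thresholds are illustrative."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

GIB = 1024 ** 3
# Assumption: RFC 1918 space is internal; everything else counts as egress.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_external(ip: str) -> bool:
    """True when the destination lies outside the assumed internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def build_sample_flows():
    """Constructed flow records: (day, src_host, dst_ip, bytes_out)."""
    flows = []
    for d in range(1, 9):
        day = f"2025-09-0{d}"
        # ws01 / ws02: routine SaaS traffic, a few hundred MiB a day
        flows.append((day, "ws01", "203.0.113.10", 400 * 2**20))
        flows.append((day, "ws02", "203.0.113.10", 380 * 2**20))
        # ws03: large nightly backups, but to an internal server (not egress)
        flows.append((day, "ws03", "10.20.30.40", 900 * GIB))
    # day 8: ws01 pushes about 1.5 TiB to one external address in many flows
    for _ in range(300):
        flows.append(("2025-09-08", "ws01", "198.51.100.77", 5 * GIB))
    return flows


def daily_external_bytes(flows):
    """host -> day -> total bytes sent to external destinations."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, dst, nbytes in flows:
        if is_external(dst):
            totals[host][day] += nbytes
    return totals


def top_destination(flows, host, day):
    """External destination that received the most bytes from host on day."""
    per_dst = defaultdict(int)
    for d, h, dst, nbytes in flows:
        if h == host and d == day and is_external(dst):
            per_dst[dst] += nbytes
    return max(per_dst, key=per_dst.get) if per_dst else None


def flag_exfiltration(flows, day, ratio=10.0, floor_bytes=50 * GIB):
    """Alert on hosts whose egress on `day` is at least `floor_bytes` and at
    least `ratio` times the median of their egress on earlier days. A host with
    no history alerts on the floor alone."""
    totals = daily_external_bytes(flows)
    alerts = []
    for host, by_day in totals.items():
        today = by_day.get(day, 0)
        history = [v for d, v in by_day.items() if d < day]   # ISO dates sort as strings
        baseline = median(history) if history else 0
        if today >= floor_bytes and today >= ratio * baseline:
            alerts.append({"host": host, "day": day, "bytes_out": today,
                           "baseline": baseline,
                           "top_dst": top_destination(flows, host, day)})
    return alerts


if __name__ == "__main__":
    for a in flag_exfiltration(build_sample_flows(), "2025-09-08"):
        print(f"{a['host']} {a['day']}: {a['bytes_out'] / GIB:.0f} GiB out "
              f"(baseline {a['baseline'] / GIB:.2f} GiB), top dst {a['top_dst']}")
```

The internal-backup host is never flagged because its traffic stays inside the assumed internal ranges, which is the distinction an NDR baseline needs to make; in production the same logic would run on a sliding window of flow or proxy records and feed the zero-trust segmentation the brief recommends, so that a flagged host can be isolated before the transfer completes.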