An emergent ransomware gang that has been exploiting two vulnerabilities in Fortinet firewall appliances may have links to current or former members of the notorious LockBit operation, according to intelligence published this week by Forescout Research’s Vedere Labs unit.
Forescout is attributing SuperBlack to a threat actor tracked as Mora_001, which exhibits a distinct operational signature blending opportunistic attacks with ties to the LockBit ecosystem, according to researcher Sai Molige.
“Mora_001’s relationship to the broader Lockbit’s ransomware operations underscore the increased complexity of the modern ransomware landscape – where specialised teams collaborate to leverage complementary capabilities,” wrote Molige and the research team.
Mora_001/SuperBlack’s modus operandi to date has been to focus attention on CVE-2025-24472 and CVE-2024-55591 – a pair of authentication bypass flaws discovered in Fortinet’s FortiOS and FortiProxy – for initial access.
These vulnerabilities enable an unauthenticated actor to gain heightened admin rights on devices running FortiOS with exposed management interfaces. A proof-of-concept exploit released on 27 January 2025 was exploited within 96 hours, said Forescout.
Once in their target network, the gang moved laterally and prioritised targets such as authentication, database and file servers, domain controllers, and other elements of their victims’ network infrastructure. They then exfiltrated data and initiated encryption after doing so in a fairly standard ransomware attack.
Pattern recognition
In linking Mora_001/SuperBlack to LockBit – famously disrupted in a UK-led multinational operation just over 12 months ago – Forescout’s analysts said they observed a number of post-exploitation behaviours consistent with LockBit’s playbook.
These included identical usernames on victim networks, overlapping IP addresses used for access and command and control (C2), similar configuration backup behaviours, and rapid ransomware deployment, often after just 48 hours under “favourable” conditions.
Mora_001/SuperBlack also leveraged the leaked LockBit builder, removing LockBit branding from its ransom notes and deploying its own exfiltration tool.
The most concrete evidence was to be found in the gang’s ransom note, which includes a TOX ID used by LockBit for negotiations. Forescout said this suggested Mora_001 is either an operational affiliate of LockBit, or an associate group that shares communications channels with the gang.
“The post-exploitation patterns observed enabled us to define a unique operational signature that sets Mora_001 apart from other ransomware operators, including LockBit affiliates,” wrote the team. “This consistent operational framework suggests a distinct threat actor with a structured playbook, rather than multiple operators following a generalised LockBit methodology.”
In analysing the timeline of Mora_001/SuperBlack intrusions, as well as overlapping indicators and operational patterns, Forescout said it could now “confidently” attribute future intrusions to the gang, independently of what its exact relationship to LockBit may be.
Following the National Crime Agency (NCA)-led Operation Cronos, which disrupted LockBit in February 2024, the ransomware landscape saw a significant fragmentation, and an increase in the number of operational gangs, suggesting that a number of members of the LockBit collective scattered under pressure and set up or joined new operations.
Although these suggestions are merely theories, the discovery of Mora_001/SuperBlack lends a certain weight to them, and as the year progresses, the legacy of LockBit looks set to remain for some time to come.
More information on Mora_001/SuperBlack, including tactics, techniques and procedures (TTPs), detection opportunities, and indicators of compromise (IoCs), can be obtained from Forescout.
