Black Kingdom, a malware also known as DEMON or DemonWare is the most recent malware caught within networks that is leveraging the Microsoft Exchange vulnerabilities as an initial entry point in order to push ransomware.

Known not only for their attacks, Black Kingdom hackers enjoy using a specific signature, typically  black_kingdom, DEMON, or .death.

The Microsoft Exchange vulnerabilities are still being heavily exploited, therefore increasing the ransomware cases related to these vulnerabilities.


Black Kingdom ransomware threat actors have previously relied on exploiting Pulse Secure VPN vulnerabilities, but now they seem to be analyzing all available information in order to improve their access strategy.

The uniqueness of Black Kingdom ransomware is found in the way they package and execute their ransomware, therefore instead of using typical memory injection techniques, they are using python scripting in order to package an executable like py2exe for Python 3.


Py2exe can be used to build console executables and windows executables, and after the initial build, the ransomware group will push python to a machine followed by pushing the ransomware executable so it can operate effectively.

It looks like Black Kingdom is trying to run ransomware after the initial exploit of the available Microsoft exchange vulnerabilities.

Heimdal Official Logo
Your perimeter network is vulnerable to sophisticated attacks.

Heimdal® Threat Prevention - Network

Is the next-generation network protection and response solution that will keep your systems safe.
  • No need to deploy it on your endpoints;
  • Protects any entry point into the organization, including BYODs;
  • Stops even hidden threats using AI and your network traffic log;
  • Complete DNS, HTTP and HTTPs protection, HIPS and HIDS;
Try it for FREE today 30-day Free Trial. Offer valid only for companies.

Having the patches available, it is important to not only patch your system but also deploy monitoring tools in order to be able to stop threats like these from running into your environment.

Heimdal™ Releases Vulnerability Data on the Microsoft Exchange Patch

Python Programming Language Rushes to Address RCE Vulnerability

Leave a Reply

Your email address will not be published. Required fields are marked *