Analyzing GLOBAL GROUP (BlackLock) Artifacts
ID: f2a2f2ad-d935-5c7a-8cca-856922d0a0a5
STIX ID: report--f2a2f2ad-d935-5c7a-8cca-856922d0a0a5
Feed Name: Detect FYI
This report analyzes two artifacts (a SHA256-identified LNK dropper and a Fragtor-style loader) and the domains associated with them, all attributed to the GLOBAL GROUP (BlackLock/Eldorado) ransomware-as-a-service operation. It documents the group's ESXi-focused playbook, including Active Directory compromise, creation of an "ESX Admins" group using CVE-2024-37085 techniques, Go-based ESXi encryptors that terminate VMs and encrypt datastores, and the use of ChaCha20 with RSA-OAEP. It also provides IOCs, MITRE ATT&CK mappings, and prioritized detection and mitigation guidance for protecting hypervisors.
