A detailed forensic investigation by BI.ZONE Threat Intelligence has unmasked a series of advanced cyber operations conducted by the threat actor known as Forbidden Hyena. Active through late 2025 and early 2026, the cluster has introduced a previously undocumented Remote Access Trojan (RAT) dubbed BlackReaperRAT, alongside an updated variant of the Blackout Locker ransomware, now rebranded as Milkyway.
The most striking finding in the BI.ZONE report is the clear evidence of AI involvement in the group’s coding process. By leveraging generative AI, the attackers are able to churn out new, obfuscated variants of their tools with minimal manual effort.
“The BI.ZONE Threat Intelligence team continues to observe threat actors’ interest in AI tools. In particular, some of the discovered samples contain signs of AI-generated code”.
This technological leap allows Forbidden Hyena to maintain a high operational tempo while making their malicious scripts harder for traditional signature-based security products to flag.
The primary weapon in this new campaign is BlackReaperRAT, typically distributed via malicious RAR archives. The infection chain is a carefully orchestrated sequence of scripts designed to evade detection:
- Initial Execution: A batch script (1.bat) triggers a heavily obfuscated VBScript loader (1.vbs).
- The Decoy: To keep the victim unsuspecting, the loader “downloads and runs a decoy document” while simultaneously staging the next phase of the attack in the background.
- Final Payload: The loader eventually deploys the core BlackReaperRAT binary, giving the attackers persistent remote access to the compromised system.
Forbidden Hyena’s success relies not just on custom malware, but on the clever manipulation of legitimate system utilities. By “living off the land,” the group can perform sensitive actions—such as stealing credentials or moving laterally through a network—without triggering red flags.
“Attackers abuse legitimate tools and built-in operating system utilities to accomplish tasks at different stages of the cyberattack lifecycle. In some cases, this allows them to evade detection”.
For instance, researchers found specialized scripts like ntds.ps1 designed to harvest Active Directory databases by abusing the Volume Shadow Copy Service (VSS). Another script was seen automating the setup of AnyDesk, a legitimate remote desktop tool, to provide the attackers with a “backdoor” for persistent access.
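As an added illustration (this is not code from the BI.ZONE report or from the article), the script below runs three defensive heuristics over a handful of constructed, Sysmon-style process-creation events modelled on the behaviours described above: a batch file launching a VBScript loader from a temp/extraction folder (the 1.bat → 1.vbs chain), shadow-copy tooling used to reach the Active Directory database (ntds.dit), and an unattended AnyDesk installation. The event data, file paths, command lines, AnyDesk switch names and the indicator keywords are assumptions chosen for the example, not indicators published in the report.

```python
"""Toy detector for the Forbidden Hyena behaviours described in the article.

Added example, not from the BI.ZONE report. All events below are constructed;
paths, switches and keyword indicators are assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class ProcessEvent:
    """One process-creation event (the fields a Sysmon event ID 1 would carry)."""
    pid: int
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
VSS_TOOLS = {"vssadmin.exe", "ntdsutil.exe"}


def detect(events: List[ProcessEvent]) -> List[Finding]:
    """Apply the three heuristics to every event and return matches in event order."""
    findings: List[Finding] = []
    for ev in events:
        image = _basename(ev.image)
        parent = _basename(ev.parent_image)
        cmd = ev.command_line.lower()
        in_temp = "\\temp\\" in cmd  # matches a literal \temp\ path segment

        # Heuristic 1 (loader chain): cmd.exe spawning a script host to run a .vbs
        # from a temp/extraction folder, as in the 1.bat -> 1.vbs sequence.
        if image in SCRIPT_HOSTS and parent == "cmd.exe" and ".vbs" in cmd and in_temp:
            findings.append(Finding("loader_chain", ev.pid, ev.command_line))

        # Heuristic 2 (VSS abuse against the AD database): any command naming
        # ntds.dit, or a shadow-copy tool invoked to create/export a copy.
        # Assumed indicators, not taken from the report.
        if "ntds.dit" in cmd or (image in VSS_TOOLS and ("shadow" in cmd or "ifm" in cmd)):
            findings.append(Finding("vss_ntds", ev.pid, ev.command_line))

        # Heuristic 3 (unattended remote-access install): AnyDesk started from a
        # temp folder or with install/silent switches (assumed switch names).
        if image == "anydesk.exe" and (in_temp or "--install" in cmd or "--silent" in cmd):
            findings.append(Finding("anydesk_install", ev.pid, ev.command_line))
    return findings


# Constructed sample telemetry: four suspicious events and two benign ones.
SAMPLE_EVENTS = [
    ProcessEvent(100, r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c "C:\Users\victim\AppData\Local\Temp\extracted\1.bat"'),
    ProcessEvent(101, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe //nologo "C:\Users\victim\AppData\Local\Temp\extracted\1.vbs"'),
    ProcessEvent(102, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\vssadmin.exe", r"vssadmin create shadow /for=C:"),
    ProcessEvent(103, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Temp\n.dit"),
    ProcessEvent(104, r"C:\Windows\System32\cmd.exe", r"C:\Users\victim\AppData\Local\Temp\AnyDesk.exe",
                 r'AnyDesk.exe --install "C:\ProgramData\AnyDesk" --silent'),
    ProcessEvent(105, r"C:\Windows\explorer.exe", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'"WINWORD.EXE" "C:\Users\victim\Documents\report.docx"'),
    ProcessEvent(106, r"C:\Windows\explorer.exe", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
                 r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"'),
]


def summarize(events: List[ProcessEvent]) -> List[tuple]:
    """(rule, pid) pairs for every finding, convenient for tests and dashboards."""
    return [(f.rule, f.pid) for f in detect(events)]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"[{finding.rule}] pid={finding.pid}: {finding.detail}")
```

Run against the constructed sample, the detector reports the loader chain (pid 101), both halves of the shadow-copy activity (pids 102 and 103) and the unattended AnyDesk install (pid 104), while the Word document and the AnyDesk process launched from its normal install location (pids 105 and 106) pass untouched. In production the same three checks would be expressed as SIEM or EDR rules over real process-creation telemetry, with the keyword lists tuned to the environment.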
While the group shows a clear focus on intelligence gathering, they remain versatile in their objectives. The rebranding of the Blackout Locker ransomware to Milkyway suggests that Forbidden Hyena is equally comfortable engaging in financially motivated or disruptive operations.
“Hacktivists still employ wipers and ransomware. These can be used both to disrupt IT infrastructure and extract financial gain”.