
BlackCat Is Back. Our System Caught It.

  • Writer: Patrick Duggan
  • Mar 24
  • 3 min read

Updated: Apr 25



*March 25, 2026 — DugganUSA PreCog Alert*


At 6:05 PM Eastern today, our PreCog V2 precursor detection system flagged an adversary infrastructure reboot signal for BlackCat (ALPHV) ransomware. Fourteen new indicators of compromise appeared in our feed from a malware family the FBI said they took down in December 2023.


They're back. PreCog caught it.


What PreCog Detected



PreCog V2 monitors 8 signals across our 1 million+ IOC database, looking for patterns that precede attacks:


1. **Adversary Reboot** — a dormant malware family suddenly producing new IOCs. BlackCat was quiet. Now it's not. Fourteen new indicators in the last 7 days after months of nothing.


2. **IOC Velocity Spike** — the Spamhaus DROP list surged to 7x its daily baseline in the same window. When known-bad IP ranges get allocated at that rate, infrastructure is being stood up.


3. **Block Clustering** and **GitHub Activation** both hit maximum scores simultaneously.


Five of eight signals elevated. That doesn't happen on a quiet day.
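The two signals described above, "adversary reboot" and "IOC velocity spike", are simple enough to show in code. The block below is an added illustration, not PreCog's own implementation: the feed rows, the daily blocklist counts, the family names and the thresholds (90 quiet days, 10 new IOCs in 7 days, a 7x jump over a 30-day mean) are all constructed assumptions, and the page does not describe how PreCog actually scores its eight signals.

```python
"""Two precursor signals over a constructed IOC feed (illustrative, not PreCog code)."""
from datetime import date, timedelta
from statistics import mean

TODAY = date(2026, 3, 25)


def _rows(start, family, n, prefix):
    """Build n constructed (first_seen, family, ioc) rows spread over one week."""
    return [(start + timedelta(days=i % 7), family, f"{prefix}{i}") for i in range(n)]


# Constructed sample feed. Family names and IOC values are invented placeholders.
SAMPLE_FEED = (
    _rows(date(2025, 10, 1), "dormant-family", 6, "old-")     # history, then silence
    + _rows(date(2026, 3, 19), "dormant-family", 14, "new-")  # 14 IOCs in the last 7 days
    + _rows(date(2026, 1, 1), "steady-family", 3, "s1-")      # a family that never went quiet
    + _rows(date(2026, 2, 1), "steady-family", 3, "s2-")
    + _rows(date(2026, 3, 19), "steady-family", 3, "s3-")
)

# Constructed daily IOC counts for a DROP-style blocklist: 30 flat days, then a jump.
DROP_DAILY = {TODAY - timedelta(days=d): 2 for d in range(1, 31)}
DROP_DAILY[TODAY] = 14


def adversary_reboot(feed, family, today=TODAY, window_days=7, dormant_days=90, min_new=10):
    """Fire when a family with prior history went silent for dormant_days and then
    produced at least min_new IOCs inside the trailing window_days."""
    window_start = today - timedelta(days=window_days)
    quiet_start = window_start - timedelta(days=dormant_days)
    recent = quiet = prior = 0
    for seen, fam, _ioc in feed:
        if fam != family:
            continue
        if window_start < seen <= today:
            recent += 1
        elif quiet_start < seen <= window_start:
            quiet += 1
        elif seen <= quiet_start:
            prior += 1
    fired = prior > 0 and quiet == 0 and recent >= min_new
    return {"fired": fired, "recent": recent, "quiet": quiet, "prior": prior}


def velocity_spike(daily_counts, today=TODAY, baseline_days=30, multiplier=7.0):
    """Compare today's count with the mean of the preceding baseline_days.
    A zero baseline never fires and reports ratio None: a list that only just
    started emitting is a different condition from an established list surging."""
    history = [daily_counts.get(today - timedelta(days=d), 0) for d in range(1, baseline_days + 1)]
    baseline = mean(history)
    today_count = daily_counts.get(today, 0)
    if baseline == 0:
        return {"fired": False, "ratio": None, "today": today_count, "baseline": 0.0}
    ratio = today_count / baseline
    return {"fired": ratio >= multiplier, "ratio": ratio, "today": today_count, "baseline": baseline}


def elevated_signals(feed, daily_counts, families, today=TODAY):
    """Names of the signals that fired; a quiet day yields an empty list."""
    fired = []
    for fam in families:
        if adversary_reboot(feed, fam, today)["fired"]:
            fired.append(f"adversary_reboot:{fam}")
    if velocity_spike(daily_counts, today)["fired"]:
        fired.append("ioc_velocity_spike")
    return fired


if __name__ == "__main__":
    print(elevated_signals(SAMPLE_FEED, DROP_DAILY, ["dormant-family", "steady-family"]))
    # → ['adversary_reboot:dormant-family', 'ioc_velocity_spike']
```

The reboot check deliberately requires prior history: a brand-new family producing its first IOCs is a different signal from a known family waking up, and lumping them together would make the "dormant" condition trivially true for every new entry in the feed.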


The Track Record



This isn't our first detection. PreCog has 20 validated predictions at 100% accuracy:


- **3 hours** before the Christmas Eve gaming DDoS (31.4 Tbps) — we indexed 20 Aisuru botnet C2 servers

- **48 hours** before ClawHavoc broke — we documented the AI agent supply chain vector

- **72 days** before the npm supply chain campaign was confirmed — we indexed 700+ compromised packages


We're not claiming to see the future. We're claiming that the data precedes the event, and our system measures the gap.


What BlackCat Reboot Means



BlackCat/ALPHV was the most prolific ransomware operation of 2023. The FBI seized their infrastructure in December 2023. The operators resurfaced briefly, extorted Change Healthcare for $22 million in March 2024, then went dark again.


Fourteen new IOCs from a dead group is a reboot signal. It could mean:


- The operators are rebuilding infrastructure under the same tooling

- An affiliate is reusing BlackCat's codebase with new C2s

- A copycat is staging infrastructure that pattern-matches to ALPHV TTPs


Microsoft pulls this feed daily. AT&T pulls this feed daily. Starlink pulls this feed daily. Get the DugganUSA STIX feed — $9/mo →


Any of those scenarios means someone is about to get hit with ransomware built by people who successfully extorted a $22 million payment from the largest healthcare payment processor in the United States.


What To Do



1. **Check your exposure** — if you're in healthcare, finance, or critical infrastructure, BlackCat has targeted your vertical before

2. **Update your IOC feeds** — our STIX 2.1 feed at analytics.dugganusa.com/stix includes all 14 new indicators

3. **Monitor for initial access** — BlackCat affiliates historically use compromised credentials, Citrix vulnerabilities, and Exchange Server exploits

4. **Test your backups** — don't wait for the ransom note to find out your backup rotation is broken
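Step 2 says to pull the new indicators from a STIX 2.1 feed. What a defender actually does with such a feed is turn the `indicator` objects into a blocklist, and two things are easy to get wrong on the way: revoked objects and objects whose `valid_until` has passed must be dropped, or stale indicators end up in production. The block below is an added example, not DugganUSA's feed code; the bundle is constructed, and the addresses, domain, hash and ids in it are placeholders (RFC 5737 test ranges, a `.invalid` domain), not the 14 BlackCat indicators the post refers to.

```python
"""Ingest a STIX 2.1 bundle into per-observable-type blocklists (constructed example)."""
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.1 bundle. Every value is a placeholder, not a real indicator.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000010",
         "created": "2026-03-25T22:05:00.000Z", "modified": "2026-03-25T22:05:00.000Z",
         "name": "constructed C2 address", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.10']",
         "valid_from": "2026-03-25T22:05:00.000Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000011",
         "created": "2026-03-25T22:05:00.000Z", "modified": "2026-03-25T22:05:00.000Z",
         "name": "constructed domain or fallback IP", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'example.invalid'] OR [ipv4-addr:value = '198.51.100.7']",
         "valid_from": "2026-03-25T22:05:00.000Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000012",
         "created": "2024-06-01T00:00:00.000Z", "modified": "2024-06-01T00:00:00.000Z",
         "name": "constructed expired file hash", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "']",
         "valid_from": "2024-06-01T00:00:00.000Z",
         "valid_until": "2025-01-01T00:00:00.000Z"},        # already expired: must be skipped
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000013",
         "created": "2026-03-25T22:05:00.000Z", "modified": "2026-03-25T22:05:00.000Z",
         "name": "constructed revoked address", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '192.0.2.99']",
         "valid_from": "2026-03-25T22:05:00.000Z", "revoked": True},  # revoked: must be skipped
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--00000000-0000-4000-8000-000000000020",
         "created": "2026-03-25T22:05:00.000Z", "modified": "2026-03-25T22:05:00.000Z",
         "name": "constructed family", "is_family": True},  # not an indicator: ignored
    ],
})

# One '=' comparison inside a STIX pattern: object path, then a single-quoted value.
# The path class admits quotes so that file:hashes.'SHA-256' is captured whole.
COMPARISON = re.compile(r"([a-z0-9-]+:[A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'")


def parse_pattern(pattern):
    """Return (object_path, value) pairs for every equality comparison in the pattern.
    Only '=' comparisons are handled; LIKE, MATCHES and temporal qualifiers are not."""
    return COMPARISON.findall(pattern)


def _parse_ts(value):
    """STIX timestamps are RFC 3339 with a trailing Z; normalise for fromisoformat."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_indicators(bundle_json, now=None):
    """Map object path (e.g. 'ipv4-addr:value') to the set of live indicator values,
    plus counts of what was skipped and why."""
    now = now or datetime.now(timezone.utc)
    bundle = json.loads(bundle_json)
    live, skipped = {}, {"revoked": 0, "expired": 0, "unparsed": 0}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        if obj.get("revoked"):
            skipped["revoked"] += 1
            continue
        until = obj.get("valid_until")
        if until and _parse_ts(until) <= now:
            skipped["expired"] += 1
            continue
        pairs = parse_pattern(obj["pattern"]) if obj.get("pattern_type", "stix") == "stix" else []
        if not pairs:
            skipped["unparsed"] += 1
            continue
        for path, value in pairs:
            live.setdefault(path, set()).add(value)
    return live, skipped


if __name__ == "__main__":
    found, dropped = extract_indicators(SAMPLE_BUNDLE)
    for path, values in sorted(found.items()):
        print(path, sorted(values))
    print("skipped:", dropped)
```

The skipped counters are worth keeping in the output: if a feed pull suddenly reports most of its indicators as unparsed, the feed's pattern style changed and the blocklist silently shrank, which is exactly the kind of failure nobody notices until the incident review.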


PreCog Is Now Automated



Until today, PreCog ran but required manual validation. As of this evening, the V2 system runs automatically against our entire IOC database. Eight signals. Real-time detection. The adversary reboot signal that caught BlackCat fires every time a dormant threat actor wakes up.


The API is public: `GET https://analytics.dugganusa.com/api/v1/precursor/status`


Our STIX feed is free: `https://analytics.dugganusa.com/api/v1/stix-feed`


We've been right 20 times out of 20. We just gave the system the ability to tell you without us having to be in the room.




*Patrick Duggan is the founder of DugganUSA LLC. The PreCog system was built in collaboration with Claude (Anthropic). The 20 validated predictions are documented with timestamps, sources, and outcomes at analytics.dugganusa.com.*





*Her name was Renee Nicole Good.*


*His name was Alex Jeffery Pretti.*


The cheapest, fastest, most accurate threat feed on the internet.

275+ enterprises pulling daily. 1M+ IOCs. 17.4M indexed documents. We beat Zscaler by 43 days on NrodeCodeRAT. Starter tier $9/mo — less than any competitor’s sales demo.
