Former members associated with the Black Basta ransomware operation have returned to
familiar tactics, using email spamming and Microsoft Teams phishing to gain persistent access to target networks.
According to a report by ReliaQuest, these attackers have recently started executing Python scripts by using cURL commands to download and deploy malicious payloads.
This move shows that despite the collapse of the Black Basta brand and the public exposure of its chat logs in February, former affiliates continue to adapt and reorganize.
ReliaQuest noted that between February and May 2025, half of the Teams phishing campaigns originated from onmicrosoft[.]com domains. Another 42 percent used compromised domains, making the attacks stealthier and helping them mimic legitimate traffic.
In one recent campaign, employees in the financial, insurance, and construction sectors were targeted. The attackers posed as help desk staff to trick users into handing over access.
According to the researchers, the shutdown of Black Basta’s public leak site suggests that former members have either migrated to another ransomware as a service (RaaS) operation or formed a new collective. Evidence points to many joining the CACTUS RaaS group, supported by leaked chat references to a 500,000 to 600,000 dollar payment to CACTUS. Since March 2025, however, CACTUS has not updated its leak site. This suggests either disbanding or a deliberate effort to stay under the radar. Another possibility is that the group shifted into BlackLock, which is rumored to collaborate with a cartel called DragonForce.
The attackers were observed using initial access from Teams phishing to launch remote desktop sessions with Quick Assist and AnyDesk. They then downloaded a malicious Python script from a remote server and executed it to establish command and control connections.
ReliaQuest suggests that the use of Python payloads reflects a broader trend that is likely to appear more frequently in upcoming Teams phishing operations.
This Black Basta style social engineering framework, combining email spam, Teams phishing, and remote assistant tools, has now been adopted by the BlackSuit ransomware group. This indicates that members of BlackSuit may have adopted the model or absorbed former Black Basta affiliates.
Mirroring findings from Rapid7, the initial access also serves to deploy updated versions of a Java based remote access trojan (RAT), originally used for credential harvesting in Black Basta campaigns. These new RAT variants now use cloud storage services from Google and Microsoft to relay commands. Previously relying on direct proxy connections, they now obfuscate themselves via OneDrive, Google Sheets, and Google Drive. The updated malware adds capabilities to transfer files, create a SOCKS5 proxy, steal browser stored credentials, display fake Windows login prompts, and load Java classes from provided URLs into memory.
Additionally, similar to the 3AM ransomware attacks detailed by Sophos, these intrusions involve using QDoor, a tunneling backdoor associated with BlackSuit, alongside a Rust based SSH loader and a Python RAT called Anubis.
Other developments in the ransomware landscape include:
- The Scattered Spider group targeting managed service providers (MSPs) and IT vendors to attack multiple organizations after compromising single firms. They have exploited accounts from Tata Consultancy Services.
- Scattered Spider using Evilginx phishing kits to bypass multi factor authentication and collaborating with ransomware groups such as ALPHV (BlackCat), RansomHub, and DragonForce. They exploit vulnerabilities in remote desktop software like SimpleHelp.
- The Qilin (Agenda and Phantom Mantis) group launching coordinated attacks through Fortinet FortiGate vulnerabilities including CVE 2024 21762 and CVE 2024 55591 between May and June 2025.
- The Play (Balloonfly and PlayCrypt) group compromising around 900 organizations between mid 2022 and May 2025, using SimpleHelp vulnerabilities (CVE 2024 57727) and targeting mainly United States entities.
- The VanHelsing ransomware developer leaking full source code, including TOR keys, admin interfaces, and chat logs, on the RAMP forum following internal conflict, according to PRODAFT.
- The Interlock ransomware gang deploying a previously unknown JavaScript RAT called NodeSnake in early 2025 to attack United Kingdom government and higher education institutions. Delivered via phishing, it offers persistent access, reconnaissance, and remote execution functionality.
As noted by cybersecurity firm Quorum Cyber, remote access trojans are powerful tools. They allow attackers to control infected systems, access or exfiltrate data, and maintain long term persistence by deploying further malware.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
