A resurgence of activity related to the Black Basta ransomware campaign has been observed since early October. The threat actors have refined their tactics, introducing new malware payloads, improved delivery methods, and enhanced defense evasion techniques. The attacks begin with email bombing of target users, followed by social engineering attempts via Microsoft Teams, in which operators impersonate IT staff and trick users into installing remote management tools. Once access is gained, they deploy credential harvesters, Zbot, DarkGate, and custom malware. The campaign has previously been linked to Black Basta ransomware deployments, which underscores the severity of the threat. The attackers continue to update their strategies and tools rapidly, demonstrating sophisticated and persistent threat behavior.
Author: AlienVault
Related Tags:
blackbasta
TinyZBot – S0004
DarkGate – S1111
Black Basta – S1070
T1566.003
T1566.002
T1566.001
T1204.001
T1204.002
Associated Indicators: