Former Black Basta Members Use Microsoft Teams and Python Scripts in 2025 Attacks

Former members tied to the Black Basta ransomware operation have been observed sticking to their tried-and-tested approach of email bombing and Microsoft Teams phishing to establish persistent access to target networks.

“Recently, attackers have introduced Python script execution alongside these techniques, using cURL requests to fetch and deploy malicious payloads,” ReliaQuest said in a report shared with The Hacker News.

The development is a sign that the threat actors are continuing to pivot and regroup, despite the Black Basta brand suffering a huge blow and a decline after the public leak of its internal chat logs earlier this February.

The cybersecurity company said half of the Teams phishing attacks that were observed between February and May 2025 originated from onmicrosoft[.]com domains, and that breached domains accounted for 42% of the attacks during the same period. The latter is a lot more stealthy and allows threat actors to impersonate legitimate traffic in their attacks.

As recently as last month, ReliaQuest’s customers in the finance and insurance sector and the construction sector have been targeted using Teams phishing by masquerading as help desk personnel to trick unsuspecting users.

“The shutdown of Black Basta’s data-leak site, despite the continued use of its tactics, indicates that former affiliates have likely either migrated to another RaaS group or formed a new one,” the company added. “The most probable scenario is that former members have joined the CACTUS RaaS group, which is evidenced by Black Basta leader Trump referencing a $500–600K payment to CACTUS in the leaked chats.”

That said, it’s worth noting that CACTUS hasn’t named any organizations on its data leak site since March 2025, indicating that the group has either disbanded or is deliberately trying to avoid drawing attention to itself. Another possibility is that the affiliates have moved to BlackLock, which, in turn, is believed to have started collaborating with a ransomware cartel named DragonForce.

The threat actors have also been spotted leveraging the access obtained via the Teams phishing technique to initial remote desktop sessions via Quick Assist and AnyDesk, and then downloading a malicious Python script from a remote address and executing it to establish command-and-control (C2) communications.

“The use of Python scripts in this attack highlights an evolving tactic that’s likely to become more prevalent in future Teams phishing campaigns in the immediate future,” ReliaQuest said.

The Black Basta-style social engineering strategy of using a combination of email spamming, Teams phishing, and Quick Assist has since also found takers among the BlackSuit ransomware group, raising the possibility that BlackSuit affiliates have either embraced the approach or absorbed members of the group.

According to Rapid7, the initial access serves as a pathway to download and execute updated variants of a Java-based RAT that was previously deployed to act as a credential harvester in Black Basta attacks.

“The Java malware now abuses cloud-based file hosting services provided by both Google and Microsoft to proxy commands through the respective cloud service provider’s (CSP) servers,” the company said. “Over time, the malware developer has shifted away from direct proxy connections (i.e., the config option is left blank or not present), towards OneDrive and Google Sheets, and most recently, towards simply using Google Drive.”

The new iteration of the malware packs in more features to transfer files between the infected host and a remote server, initiate a SOCKS5 proxy tunnel, steal credentials stored in web browsers, present a fake Windows login window, and download a Java class from a supplied URL and run it in memory.

Like the 3AM ransomware attacks detailed by Sophos a couple of weeks ago, the intrusions are also characterized by the use of a tunneling backdoor called QDoor, a malware previously attributed to BlackSuit, and a Rust payload that’s likely a custom loader for the SSH utility, and a Python RAT referred to as Anubis.

The findings come amid a number of developments in the ransomware landscape –

• The financially motivated group known as Scattered Spider has targeted managed service providers (MSPs) and IT vendors as part of a “one-to-many” approach to infiltrate multiple organizations through a single compromise, in some cases exploiting compromised accounts from the global IT contractor Tata Consultancy Services (TCS) to gain initial access.
• Scattered Spider has created bogus login pages using the Evilginx phishing kit to bypass multi-factor authentication (MFA) and forged strategic alliances with major ransomware operators like ALPHV (aka BlackCat), RansomHub, and, most recently, DragonForce, to conduct sophisticated attacks targeting MSPs by exploiting vulnerabilities in SimpleHelp remote desktop software.
• Qilin (aka Agenda and Phantom Mantis) ransomware operators have launched a coordinated intrusion campaign targeting several organizations between May and June 2025 by weaponizing Fortinet FortiGate vulnerabilities (e.g., CVE-2024-21762 and CVE-2024-55591) for initial access.
• The Play (aka Balloonfly and PlayCrypt) ransomware group is estimated to have compromised 900 entities as of May 2025 since its emergence in mid-2022. Some of the attacks have leveraged SimpleHelp flaws (CVE-2024-57727) to target many U.S.-based entities following public disclosure of the vulnerability.
• The administrator of the VanHelsing ransomware group has leaked the entire source code on the RAMP forum, citing internal conflicts between developers and leadership. The leaked details include the TOR keys, ransomware source code, admin web panel, chat system, file server, and the blog with its full database, per PRODAFT.
• The Interlock ransomware group has deployed a previously undocumented JavaScript remote access trojan called NodeSnake as part of attacks targeting local government and higher education organizations in the United Kingdom in January and March 2025. The malware, distributed via phishing emails, offers persistent access, system reconnaissance, and remote command execution capabilities.

“RATs enable attackers to gain remote control over infected systems, allowing them to access files, monitor activities, and manipulate system settings,” Quorum Cyber said. “Threat actors can use a RAT to maintain persistence within an organization as well as to introduce additional tooling or malware to the environment. They can also access, manipulate, destroy, or exfiltrate data.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.

Some parts of this article are sourced from:
thehackernews.com