Former Black Basta Affiliates Target Executives With Teams Phishing and Email Bombing
Suspected former Black Basta affiliates have launched a fast-scaling social-engineering campaign against dozens of organizations, targeting more than 100 employees to gain network access for data theft, ransomware deployment, and extortion. According to ReliaQuest, the operators use mass email bombing to overwhelm victims and then follow up through Microsoft Teams messages or phone calls while impersonating IT help desk staff. The activity has been linked to former Black Basta members or closely aligned actors because the tooling, targeting, and execution closely mirror the group’s historical playbook, even after Black Basta fragmented following the leak of its internal chats.
The campaign has increasingly focused on senior leaders and other highly privileged personnel, with executive targeting rising from 59% of observed targets in January and February to 77% in March. Attackers have persuaded victims to install remote monitoring and management (RMM) tools such as Supremo Remote Desktop or to launch Windows Quick Assist, in some cases obtaining remote access within minutes of the email bombing and then running malicious scripts. Manufacturing and professional services have been hit hardest, with finance, insurance, construction, and technology also affected. The speed and degree of automation underscore how the operators are scaling intrusions while narrowing the window for early detection.
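The intrusion chain described above (mailbox flooded, then an "IT help desk" contact over Teams, then Quick Assist or an RMM client launched within minutes) is unusual enough to correlate on. The following is an added example written for this page, not code from ReliaQuest or from the report it summarises: it reads constructed telemetry lines, detects a mailbox that receives an abnormal burst of inbound mail, and alerts only when an external Teams message or a remote-access binary launch for that same user follows within the bomb's follow-up window. The pipe-delimited log format, the process names (`quickassist.exe`, `supremo.exe`) and the thresholds are assumptions chosen for illustration, not indicators from the page.

```python
"""Correlate an email bomb with follow-on Teams contact and remote-access tooling.

Added example for this page; it is not code from ReliaQuest or from the report.
The log format, process names and thresholds below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed indicators: the Windows Quick Assist binary and the Supremo RMM client.
REMOTE_ACCESS_IMAGES = {"quickassist.exe", "supremo.exe"}
BOMB_THRESHOLD = 50                       # inbound messages to one mailbox ...
BOMB_WINDOW = timedelta(minutes=10)       # ... within this window counts as a bomb
FOLLOW_UP_WINDOW = timedelta(minutes=90)  # how long after the bomb we watch for contact


def parse_events(lines):
    """Parse constructed 'ISO-timestamp|user|kind|detail' lines, returned oldest first."""
    events = []
    for line in lines:
        ts, user, kind, detail = line.strip().split("|", 3)
        events.append((datetime.fromisoformat(ts), user, kind, detail))
    return sorted(events)


def find_email_bombs(events):
    """Return {user: window_start} for each mailbox whose inbound burst meets the threshold."""
    recent = defaultdict(list)
    bombs = {}
    for ts, user, kind, _ in events:
        if kind != "mail_in" or user in bombs:
            continue
        window = recent[user]
        window.append(ts)
        while ts - window[0] > BOMB_WINDOW:  # slide the window forward
            window.pop(0)
        if len(window) >= BOMB_THRESHOLD:
            bombs[user] = window[0]
    return bombs


def correlate(events):
    """Alert on external Teams messages or remote-access launches that follow a bomb."""
    bombs = find_email_bombs(events)
    alerts = []
    for ts, user, kind, detail in events:
        start = bombs.get(user)
        if start is None or not start <= ts <= start + FOLLOW_UP_WINDOW:
            continue  # no bomb for this user, or activity outside the follow-up window
        if kind == "teams_msg" and detail.startswith("external:"):
            alerts.append((user, "external Teams contact after email bomb", detail))
        elif kind == "proc" and detail.rsplit("\\", 1)[-1].lower() in REMOTE_ACCESS_IMAGES:
            alerts.append((user, "remote-access tool launched after email bomb", detail))
    return alerts


# Constructed sample telemetry: alice is bombed with 60 messages in one minute and then
# contacted; bob receives normal mail and later uses Supremo for legitimate support.
SAMPLE_LOG = (
    [f"2026-03-05T09:00:{i:02d}|alice|mail_in|list-{i}@example.invalid" for i in range(60)]
    + [f"2026-03-05T09:0{i}:00|bob|mail_in|colleague-{i}@example.invalid" for i in range(5)]
    + [
        "2026-03-05T09:07:10|alice|teams_msg|external:it-support@example.invalid",
        "2026-03-05T09:12:40|alice|proc|C:\\Windows\\System32\\quickassist.exe",
        "2026-03-05T09:13:05|alice|proc|C:\\Windows\\System32\\notepad.exe",
        "2026-03-05T09:15:00|bob|proc|C:\\Program Files\\Supremo\\Supremo.exe",
        "2026-03-05T13:00:00|alice|proc|C:\\Windows\\System32\\quickassist.exe",
    ]
)

if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run against the sample, only alice's two follow-on events are raised: bob's Supremo launch is ignored because his mailbox was never bombed, and alice's second Quick Assist launch hours later falls outside the follow-up window. In a real deployment the three event kinds would come from mail-flow logs, Teams audit records (external tenant messages) and endpoint process-creation telemetry joined on the user identity.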
Timeline
Apr 14, 2026
ReliaQuest links ongoing campaign to former Black Basta affiliates
ReliaQuest publicly reported that more than 100 employees across dozens of organizations had been targeted in the campaign and assessed the activity as highly likely tied to former Black Basta affiliates or operators closely aligned with the group's playbook. The report highlighted matching tooling, targeting, execution style, and remote-access methods.
Mar 1, 2026
Black Basta-linked campaign surges and intensifies executive focus
The campaign accelerated in March 2026, with executive targeting rising to 77% of observed victims and attackers often obtaining remote access within minutes of initial email bombing. Operators used tools such as Microsoft Teams, Windows Quick Assist, and Supremo Remote Desktop to scale intrusions more quickly and with greater automation.
Jan 1, 2026
Executive targeting dominates Black Basta-linked campaigns in early 2026
ReliaQuest observed that senior leaders and other highly privileged personnel became a primary focus of the campaign, with executives accounting for 59% of targets in January and February 2026. The attacks heavily affected manufacturing and professional services, with finance, insurance, construction, and technology also targeted.
May 1, 2025
Former Black Basta affiliates begin social-engineering intrusion campaign
A small group of suspected former Black Basta affiliates began a campaign, active since at least May 2025, that used email bombing followed by Microsoft Teams messages or phone calls impersonating IT help desks to gain network access. The activity was aimed at enabling data theft, ransomware deployment, and extortion.
Feb 1, 2025
Black Basta chat leak contributes to group fragmentation
Black Basta fragmented after its internal chat logs leaked, exposing the group's infrastructure, techniques, and operations. Subsequent activity using its tradecraft was assessed as likely tied to former affiliates or closely aligned operators.
Related Stories

BlackFile Extortion Gang Hits Retail and Hospitality With Vishing-Led Data Theft
**BlackFile**, a financially motivated extortion group likely tied to **The Com** and overlapping with activity tracked by CrowdStrike as **Cordial Spider**, has targeted retail and hospitality organizations with voice-phishing campaigns that impersonate corporate IT help desks. Researchers at Palo Alto Networks Unit 42 and RH-ISAC said the group has been active since at least February 2026, using spoofed phone numbers and fake corporate single sign-on pages to trick employees into surrendering credentials and one-time passcodes. After gaining access, the attackers register their own devices to bypass MFA, escalate privileges into administrative and executive accounts, and steal data from platforms including **Salesforce** and **SharePoint** through legitimate API and download functions. The stolen information is moved to attacker-controlled infrastructure, posted on a dark web leak site, and used to support **seven-figure ransom demands** sent from compromised employee accounts or Gmail; in some cases, the group has also used **swatting** against employees and executives to intensify pressure on victims.
5 days ago
Microsoft Teams Social Engineering Abuses Quick Assist to Deploy A0Backdoor
A social-engineering campaign targeting employees at **financial and healthcare** organizations is abusing **Microsoft Teams** chats/calls to trick users into granting remote access via *Windows Quick Assist*, enabling deployment of a newly identified malware family dubbed **A0Backdoor**. The activity begins with **email bombing** (flooding inboxes with spam) followed by an attacker impersonating internal IT over Teams, offering help and then persuading the victim to start a Quick Assist session; the tradecraft overlaps with tactics previously attributed to **Blitz Brigantine / Storm-1811**, which Microsoft has linked to **Black Basta**-associated operations. Post-access, the actor deploys **digitally signed MSI installers** masquerading as Teams-related components and *CrossDeviceService* (associated with Windows *Phone Link*), sometimes delivered via **tokenized links** from Microsoft personal cloud storage to appear trustworthy and hinder collection. BlueVoyant reported the installers drop files into user `AppData` paths that mimic legitimate Microsoft locations and use **DLL sideloading** (e.g., a malicious `hostfxr.dll`) to execute an in-memory loader that decrypts shellcode, performs sandbox checks, and ultimately extracts and runs **A0Backdoor** (using **AES**-encrypted payloads and a **SHA-256**-derived key), with anti-analysis behavior including excessive thread creation intended to disrupt debugging.
3 days ago
Multiple Social-Engineering Campaigns Abuse Trusted Platforms (Microsoft Teams, Vendor-Signed Email, Bing Ads/Azure)
Security researchers reported several **social-engineering campaigns** that abuse trusted platforms to increase credibility and bypass controls. One campaign targeted wedding planners and related vendors by hijacking trust in *Microsoft Teams*: attackers used compromised legitimate email threads and impersonated legal professionals (e.g., `czimmerman@craigzlaw[.]com`) to lure victims into clicking a fake Teams meeting link that ultimately redirected to `ussh[.]life/connect/teamsfinal/9/windows`, a site masquerading as a Teams download page. Victims were prompted to download Windows executables consistent with **information-stealer** behavior (credential/browser/session-token theft and C2 exfiltration), enabling follow-on account takeover and additional phishing. Separately, a report highlighted **DKIM replay**-style phishing in which criminals abuse legitimate notification/invoice workflows from **PayPal, Apple, and DocuSign** to generate cryptographically signed emails that pass DKIM/DMARC checks; attackers place scam content (often a fake support phone number and urgency) into user-controlled fields, send the message to themselves to obtain a “clean” vendor-signed email, then forward it to targets. Another campaign used **Bing search ads** to funnel users through a newly registered domain (`highswit[.]space`) to scam pages hosted on **Microsoft Azure Blob Storage** (consistent path pattern including `werrx01USAHTML/index.html` and a phone-number parameter), presenting fake Microsoft security warnings and directing victims to call numbers such as `1-866-520-2041` and `1-833-445-4045`; Netskope observed impact across dozens of US organizations.
1 month ago
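The DKIM-replay trick in the story above works because a valid signature only proves a vendor signed the bytes, not that the vendor sent them to you: the attacker's own address is the one in the signed To: header, and the message is forwarded unchanged. An added example, written for this page and not code from the vendors or researchers it cites, shows the policy check that a cryptographically valid signature cannot do on its own: whether the envelope recipient appears in any recipient header the signature covers. It assumes the signature itself has already been verified by the MTA; the sample message, its `bh=`/`b=` values and all addresses are constructed placeholders.

```python
"""Policy check for DKIM-replay phishing: is the actual recipient named in any
recipient header that the signature covers?

Added example for this page, not code from the vendors or researchers it cites.
Assumes the DKIM signature has already been verified cryptographically (for
example by the MTA); the sample message and its signature values are placeholders.
"""
import re
from email import message_from_string
from email.utils import getaddresses


def signed_headers(dkim_signature):
    """Return the lower-cased header names listed in the h= tag of a DKIM-Signature."""
    match = re.search(r"(?:^|;)\s*h=([^;]+)", dkim_signature)
    if not match:
        return set()
    return {name.strip().lower() for name in match.group(1).split(":")}


def replay_verdict(raw_message, envelope_rcpt):
    """Return (suspicious, reason) for a message being delivered to envelope_rcpt.

    A replayed vendor mail is byte-identical to the copy the attacker received, so
    its signed To: still names the attacker's mailbox rather than the person it lands on.
    """
    msg = message_from_string(raw_message)
    signature = msg.get("DKIM-Signature")
    if signature is None:
        return False, "no DKIM-Signature header; nothing to replay-check"
    covered = signed_headers(signature)
    if "to" not in covered:
        return True, "signature does not cover To:, so it cannot bind the message to a recipient"
    signed_rcpts = set()
    for header in ("to", "cc"):
        if header in covered:
            signed_rcpts |= {addr.lower() for _, addr in getaddresses(msg.get_all(header, []))}
    if envelope_rcpt.lower() in signed_rcpts:
        return False, "envelope recipient is named in a signed recipient header"
    return True, f"delivered to {envelope_rcpt} but signed recipients are {sorted(signed_rcpts)}"


# Constructed sample: a vendor-style invoice notification whose free-text note carries
# the scam phone number. bh= and b= are placeholders, not real signature values.
SAMPLE_MESSAGE = "\r\n".join([
    "DKIM-Signature: v=1; a=rsa-sha256; d=vendor.invalid; s=sel1; c=relaxed/relaxed;",
    " h=from:to:subject:date; bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIGNATURE=",
    "From: Vendor Billing <billing@vendor.invalid>",
    "To: attacker-controlled@example.invalid",
    "Subject: Invoice from Vendor",
    "Date: Thu, 05 Mar 2026 09:00:00 +0000",
    "",
    "Note from seller: unrecognised charge? Call 555-0100 immediately.",
])

if __name__ == "__main__":
    print(replay_verdict(SAMPLE_MESSAGE, "attacker-controlled@example.invalid"))
    print(replay_verdict(SAMPLE_MESSAGE, "cfo@victim.invalid"))
```

Delivered to the address in the signed To: header the verdict is clean; delivered to anyone else, the same bytes with the same valid signature are flagged. Legitimate forwarding (a user forwarding a receipt, a mailing list) also trips this check, so treat it as a scoring signal to combine with content cues such as a phone number in a user-controlled field rather than as a hard reject.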