Back

Former Black Basta Affiliates Launch Targeted Social Engineering Campaign

Severity: High (Score: 69.5)

Sources: Cybernews, reliaquest.com, Cyberscoop

Summary

A group of former affiliates of the Black Basta ransomware gang has initiated a social engineering campaign targeting senior leadership across various organizations. The attackers have used mass email bombing and Microsoft Teams impersonation to gain remote access to over 100 employees, primarily executives and managers. In March 2026, 77% of the targeted incidents were aimed at high-level personnel, a significant increase from 59% in the previous months. This campaign, which leverages tactics from Black Basta’s playbook, has been linked to a surge in Teams-based phishing activity, with 56% of such incidents occurring in 2026 alone. The sectors most affected include manufacturing and professional services, consistent with Black Basta's historical targets. The campaign has been ongoing since at least May 2025, indicating a sustained effort by these affiliates to exploit known vulnerabilities. Researchers emphasize the need for enhanced verification procedures and stricter controls on remote access tools to combat this evolving threat. Key Points: • Former Black Basta affiliates are targeting senior leadership with automated social engineering tactics. • 77% of incidents in March 2026 focused on executives, a rise from 59% earlier this year. • The campaign utilizes mass email bombing and Teams impersonation, indicating a high level of organization.

Key Entities

  • Data Breach (attack_type)
  • Phishing (attack_type)
  • Ransomware (attack_type)
  • Germany (country)
  • Russia (country)
  • dpf.edu (domain)
  • Construction (industry)
  • Manufacturing (industry)
  • Professional, Scientific, And Technical Services (industry)
  • Professional Services (industry)
  • Technology (industry)
  • T1021 - Remote Services (mitre_attack)
  • T1036 - Masquerading (mitre_attack)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • T1566 - Phishing (mitre_attack)
  • Microsoft Teams (tool)
  • MailAccountWizard.jar (tool)
  • Quick Assist (tool)
  • Supremo (tool)
  • Supremo Remote Desktop (tool)
  • Windows 11 (platform)
  • Black Basta (ransomware_group)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed