Revival of Black Basta Tactics: Targeting Executives with Automated Phishing

Severity: High (Score: 69.5)

Sources: Cyberscoop, Cybernews, Scworld, reliaquest.com

Summary

A resurgence of cyber attacks has been linked to former affiliates of the defunct Black Basta ransomware group, focusing on senior executives across various sectors. Recent reports indicate that from March 1 to April 1, 2026, 77% of targeted incidents involved high-level employees, a significant increase from 59% earlier in the year. The attackers employ a two-stage social engineering method, beginning with mass email bombing to overwhelm inboxes, followed by impersonation of IT staff via Microsoft Teams to gain remote access. This campaign has affected over 100 employees in sectors such as manufacturing and professional services, which align with Black Basta's historical targets. Attackers utilize tools like Supremo Remote Desktop and Windows Quick Assist to establish control over compromised systems. The speed of these attacks has also increased, with malicious scripts being executed in as little as 12 minutes after initial contact. The findings suggest a coordinated effort by former affiliates, rather than isolated incidents, indicating a potential evolution of tactics from a previously dismantled group.

Key Points

  • 77% of recent attacks targeted senior executives, up from 59% earlier in 2026.
  • Attackers use email bombing followed by Teams impersonation to gain remote access.
  • The campaign has affected over 100 employees, primarily in manufacturing and professional services.
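
The chain described above (inbox flood, then a Teams contact posing as IT, then a remote-access tool launch) can be correlated per user for detection. The sketch below is an added example, not taken from the cited reports; the event schema, the process names, the thresholds, the sample data, and the assumption that the impersonating chat arrives from outside the tenant are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed process names for the two remote-access tools named in the summary.
REMOTE_TOOLS = {"quickassist.exe", "supremo.exe"}

def find_chains(events, burst_min=50, burst_window=timedelta(minutes=10),
                chain_window=timedelta(minutes=60)):
    """Return (user, burst_time, chat_time, tool, tool_time) per user who saw a
    mail burst, then an external Teams chat, then a remote-access tool launch."""
    per_user = defaultdict(lambda: defaultdict(list))
    for ts, user, kind, detail in sorted(events):
        per_user[user][kind].append((ts, detail))
    hits = []
    for user, kinds in per_user.items():
        mails = [ts for ts, _ in kinds["email_in"]]
        burst_at, lo = None, 0
        for hi, ts in enumerate(mails):  # sliding window over inbound mail
            while ts - mails[lo] > burst_window:
                lo += 1
            if hi - lo + 1 >= burst_min:
                burst_at = ts
                break
        if burst_at is None:
            continue
        # Assumption: the fake IT contact is logged as a chat from another tenant.
        chat = next((ts for ts, _ in kinds["teams_external_chat"]
                     if burst_at <= ts <= burst_at + chain_window), None)
        if chat is None:
            continue
        tool = next(((ts, d) for ts, d in kinds["process_start"]
                     if d.lower() in REMOTE_TOOLS
                     and chat <= ts <= chat + chain_window), None)
        if tool:
            hits.append((user, burst_at, chat, tool[1], tool[0]))
    return hits

# Constructed sample events: (timestamp, user, kind, detail). Hypothetical schema.
T0 = datetime(2026, 3, 10, 9, 0)
def burst(user):
    return [(T0 + timedelta(seconds=5 * i), user, "email_in", "signup confirmation")
            for i in range(80)]
SAMPLE = burst("cfo@example.test") + burst("hr@example.test") + [
    (T0 + timedelta(minutes=8), "cfo@example.test", "teams_external_chat", "IT Help Desk"),
    (T0 + timedelta(minutes=15), "cfo@example.test", "process_start", "QuickAssist.exe"),
    # Quick Assist with no preceding burst or chat: not flagged.
    (T0 + timedelta(minutes=20), "eng@example.test", "process_start", "QuickAssist.exe"),
]

if __name__ == "__main__":
    for user, burst_at, chat, tool, started in find_chains(SAMPLE):
        print(f"{user}: burst {burst_at:%H:%M}, chat {chat:%H:%M}, {tool} {(started - chat).seconds // 60} min later")
```

Only the user with all three stages in order is returned; a mail burst alone or a Quick Assist launch alone does not match, which keeps routine help-desk sessions out of the results.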

Key Entities

  • Data Breach (attack_type)
  • Phishing (attack_type)
  • Ransomware (attack_type)
  • Germany (country)
  • Russia (country)
  • dpf.edu (domain)
  • Construction (industry)
  • Finance And Insurance (industry)
  • Manufacturing (industry)
  • Professional, Scientific, And Technical Services (industry)
  • Professional Services (industry)
  • T1021 - Remote Services (mitre_attack)
  • T1036 - Masquerading (mitre_attack)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • T1566.003 - Spearphishing Via Service (mitre_attack)
  • T1566 - Phishing (mitre_attack)
  • Microsoft Teams (tool)
  • MailAccountWizard.jar (tool)
  • Quick Assist (tool)
  • Supremo (tool)
  • Supremo Remote Desktop (tool)
  • Windows 11 (platform)
  • Black Basta (ransomware_group)