reliaquest.com
Revival of Black Basta Tactics: Targeting Executives with Automated Phishing
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A resurgence of cyber attacks has been linked to former affiliates of the defunct Black Basta ransomware group, focusing on senior executives across various sectors. Recent reports indicate that from March 1 to April 1, 2026, 77% of targeted incidents involved high-level employees, a significant increase from 59% earlier in the year. The attackers employ a two-stage social engineering method, beginning with mass email bombing to overwhelm inboxes, followed by impersonation of IT staff via Microsoft Teams to gain remote access. This campaign has affected over 100 employees in sectors such as manufacturing and professional services, which align with Black Basta's historical targets. Attackers utilize tools like Supremo Remote Desktop and Windows Quick Assist to establish control over compromised systems. The speed of these attacks has also increased, with malicious scripts being executed in as little as 12 minutes after initial contact. The findings suggest a coordinated effort by former affiliates, rather than isolated incidents, indicating a potential evolution of tactics from a previously dismantled group.
Key Points: • 77% of recent attacks targeted senior executives, up from 59% earlier in 2026. • Attackers use email bombing followed by Teams impersonation to gain remote access. • The campaign has affected over 100 employees, primarily in manufacturing and professional services.