{
	"id": "294ce864-b049-498f-b5b6-fc0b51087d2f",
	"created_at": "2026-04-06T00:13:18.723939Z",
	"updated_at": "2026-04-10T03:30:57.713464Z",
	"deleted_at": null,
	"sha1_hash": "202fca2e47663b97aab4968478b48a779a100a67",
	"title": "An in-depth look at Black Basta's TTPs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 530732,
	"plain_text": "An in-depth look at Black Basta's TTPs\r\nBy Intel 471\r\nPublished: 2026-04-01 · Archived: 2026-04-05 17:35:34 UTC\r\nThe Black Basta group ranks as one of the top 10 most prolific and destructive ransomware-as-a-service (RaaS)\r\ngangs of all time. In December 2023, a cryptocurrency analysis firm and an insurance company estimated the\r\ngroup had collected at least US $107 million in ransoms. This staggering sum was due to Black Basta leveraging\r\nmyriad attack vectors to compromise networks. This insight comes from a recent leak of 197,000 Matrix chat\r\nmessages covering about a year of the group’s private communications from 2023 to 2024. The chat leaks\r\nindicate Black Basta attempted to target or attacked at least 583 entities at different times. About 60% of the\r\ntargeted entities were based in the U.S. The five most-impacted industries in descending order were law services\r\nand consulting; industrial products and services; information technology (IT) or technology consulting;\r\nengineering and construction; and retail, wholesale and distribution.\r\nThe group conducted sophisticated reconnaissance, used private botnets to distribute bespoke malware, leveraged\r\nstolen credentials, conducted brute-force attacks, administered phishing campaigns, exploited software\r\nvulnerabilities and directly social-engineered victims over the phone. Although Black Basta developed many of\r\nits tools in house, it also bought several services and tools from other cybercriminal vendors. This combined approach\r\nmeant the group gained a steady stream of potential victims to turn over to its malicious penetration testers. Those\r\nattackers then sought to move laterally, steal data and deploy file-encrypting ransomware if the conditions\r\nallowed.
Based on a selection of the leaked chats, Black Basta’s most fruitful years were in 2022 and 2023, and\r\nthere are indications that by 2024 an increasing number of compromised organizations were in positions to decline\r\nto pay ransoms. As of February 2025, the gang appears to have ceased activity, with only eight compromised\r\norganizations listed on its data leak blog in January 2025.\r\nIntel 471 analysts have derived deep insight from the leaked chat messages into how Black Basta targeted its\r\nvictims. This insight can be used by organizations to strengthen their cyber resilience and put in place better\r\ndefensive controls. Despite Black Basta’s inactivity, these threat actors are likely to regroup or continue their\r\nactivities by either rebranding or joining other ransomware actors. This means the group’s tactics, techniques and\r\nprocedures (TTPs) discussed below are still relevant for defenders, as some are used by other ransomware actors.\r\nReconnaissance\r\nThe Black Basta group used a wide range of free and paid open source and business intelligence services and\r\ntools to gather information on potential targets. These include:\r\n— Gathering information from RocketReach and ZoomInfo about potential targets' employees, revenues, etc.\r\n— Leveraging the Censys, FOFA and Shodan search engines to find exposed and/or potentially vulnerable\r\ninternet-facing hosts or systems.\r\nhttps://intel471.com/blog/an-in-depth-look-at-black-bastas-ttps\r\nPage 1 of 6\n\n— Operating a paid account or accounts at the Intelligence X aka IntelX search engine and data archive platform\r\nto collect leaked user credentials and use them for brute-forcing attacks as shown in the message below:\r\n— Using a private dataset or datasets to enrich information about companies' employees for phishing attacks.\r\nThe group methodically collected information about its potential targets. 
Information about specific employees\r\nwas often recorded in Google Sheets for distribution to a social-engineering team, who would then call victims to\r\ntry and gain initial access (more information on that technique will follow). Some of the spreadsheets were still\r\nlive when the chat logs were released. Intel 471 analysts counted more than 5,000 employees from many\r\norganizations who worked in departments such as accounting, marketing, sales, customer service, financial and\r\nhuman resources (HR).\r\nAn example of how Black Basta listed potential phishing targets in Google Sheets.\r\nInitial access\r\nThe group used a variety of methods to gain initial access to victims’ networks and deploy malware, which\r\nincluded:\r\n— Employing brute-forcing techniques to collect valid access credentials for remote desktop protocol (RDP) and\r\nvirtual network computing (VNC) accounts of potential victims. The actors harvested login and password\r\ncombinations from public information-stealing (infostealer) malware logs, IntelX and other sources.\r\n— Using several infostealer malware strains to harvest compromised access credentials. The chat logs contained\r\ndiscussions regarding the Lumma aka LummaC2, MetaStealer, Stealc and Vidar products.\r\n— Partnering with initial access brokers (IABs) on underground forums to purchase compromised access\r\ncredentials. IABs specialize in selling access to systems, which can involve the sale of credentials or knowledge of\r\nvulnerabilities. Group members who went by the personas usernameugway, usernameboy\r\nand usernamehunter, among others, were responsible for such operations.\r\n— Using phishing attacks in conjunction with social engineering for initial compromise. The group operated an\r\nin-house team of callers that impersonated technical support and conducted telephone-oriented attack delivery\r\n(TOAD) campaigns.
Attackers abused legitimate remote monitoring and management (RMM) tools, such as\r\nAnyDesk, Quick Assist and TeamViewer, to establish a foothold in organizations.\r\nIn one scenario, an employee would be targeted in a spam attack that would fill the person’s inbox. Then, someone\r\nfrom Black Basta would call the person and — reading from a predrafted script — impersonate an IT support\r\nmember from the victim’s organization. The attacker would offer to install antispam software on the user’s\r\nmachine, but in order to do that, the victim needed to install remote access software. \r\nThe group captured web camera images of some of its voice phishing (vishing) targets, some of which were\r\nincluded in the chats.\r\nAfter the victim installed the software, Black Basta would contact one of its malicious penetration testers, who\r\nwould then try to install additional malware to enable persistent access. The pentester would provide a code the\r\nvictim was supposed to enter on the computer, allowing the pentester to establish another foothold. The leaked\r\nchat messages did not reveal what malware was used to obtain persistent access. However, one member claimed to\r\nrun a batch (.bat) file that prompted the employee to enter credentials for the corporate virtual private network\r\n(VPN) portal. These credentials would then allow Black Basta actors to access the domain network, advancing\r\nthe data exfiltration and ransomware attack by one more step.\r\n— Using phishing pages mimicking the Citrix, Cisco, Fortinet, GlobalProtect and SonicWall VPN services as well\r\nas Microsoft Remote Desktop Web (RDWeb) accounts. These phishing attacks sought to exploit the dependence\r\non network edge devices and remote access tools. The success of a phishing attack depends on how well the lure\r\nis created. 
A Black Basta threat actor going by the name tinker had a special talent for writing phishing emails\r\nand social engineering content, such as scripts for cold calls made to potential victims, as well as ransom\r\ndemands.\r\nThe leaked chats contain many conversations between tinker and usernamegg (aka GG and tramp), the leader of\r\nthe Black Basta gang, whose real-world identity is likely Oleg Nefedov (see our blog here). In one\r\nexample, tramp tasked tinker with creating a phishing email for a campaign that targeted users of FortiClient\r\nVPN software. The phishing email contained a fake security notice with a malicious link to a fake corporate login\r\nportal. In another example in May 2024, tramp called on tinker to draft a phishing scenario to target corporate\r\nemployees that involved the use of the Microsoft Teams cloud-based phone system. This scenario typically\r\ninvolved convincing a hapless employee to install a remote access tool or other malware, which would then be\r\nused to further an attack. The actor tinker drafted the phishing scenario in just an hour.\r\nAnother Black Basta threat actor, lapa, was also charged with phishing-related operations. We discovered the\r\ngang possibly contracted several phishing-as-a-service (PhaaS) operators, including the Ninja Admin phishing kit,\r\na PhaaS program run by the persona kalashnikov aka expert_kalash, and QuantumBuilder, a tool used to\r\nbuild malicious .LNK files, also known as Windows shortcut files.\r\n— Conducting malicious advertising (malvertising) campaigns via the Facebook and Google Ads services. The\r\ngroup member lapa was tasked with such operations in 2023. Malvertising is the practice of purchasing web\r\nadvertisements intended to trick people into visiting malicious sites or links or downloading applications. The\r\ngroup appeared to acquire Google Ads accounts from another cybercriminal actor.
\r\nMalware, tools used\r\nThe group commonly used third-party products as well as internally developed malware strains. Our research\r\nrevealed the gang used the Anubis aka Bokbot, IcedID; Pikabot aka iPika; and Qakbot aka Qbot backdoors and\r\nmalware loaders, which were not advertised on hacker forums.\r\nPikabot’s development is proof of the proverb that necessity is the mother of invention. The\r\ngroup’s leader, tramp, was involved in administering and using the Qakbot loader malware during the actor’s\r\ntime with the Conti ransomware group, another one of the most destructive and profitable ransomware groups of\r\nall time. Qakbot was initial-access malware used to load other malware onto a machine, including the Conti,\r\nProLock, Egregor, REvil and MegaCortex ransomware. Qakbot spread in malicious spam or\r\n“malspam” campaigns masquerading as invoices or interesting Excel files in hopes that victims would click\r\nthrough and launch a chain of events that would eventually surreptitiously install the malware. In 2022, Qakbot\r\nwas absolutely prolific, posing daily challenges for large organizations that would receive floods of malspam.\r\nQakbot continued to be used by Black Basta. But Qakbot hit a roadblock in August 2023 when it was severely\r\ndisrupted in an international law enforcement action. By that time, Pikabot had already been in development for\r\nabout a year. The actor tramp had been collaborating with an associate, the actor usernamew aka w, to develop\r\nthe Pikabot malware for Black Basta’s exclusive use. The malware originally was codenamed iPika and\r\nfrequently was referenced in the leaked conversations as “пика,” which means “pike” or “knife” and is colloquial\r\nslang for the playing card suit of spades in the Russian language.\r\nDespite a steady stream of improvements by usernamew, Pikabot never came close to the distribution scale of\r\nQakbot.
In February 2024, usernamew — who changed handles to n3auxaxl — expressed frustration that\r\nresearchers reverse-engineered the malware quickly and referenced a report from cybersecurity vendor Zscaler on\r\nthe new Pikabot version. The actor allegedly intended to implement additional obfuscation to hinder analysis. By\r\nMay 2024, n3auxaxl planned to rewrite the source code and significantly upgrade the malware with a new name.\r\nThe group actively sought and tested other types of loader malware offered on underground forums. Two Black\r\nBasta members claimed to use AtomLoader. The group also used the Amadey malware loader, which the\r\nactor InCrease has promoted on the Exploit cybercrime forum since October 2018. The group’s arsenal also\r\nappears to have included private loader malware developed by the actor lo0o0o0ong and a private JavaScript\r\nloader from the actor Baragozer. The actor tramp also appears to have purchased the X.loader malware loader\r\nfrom the actor Ghost_Pulse; the EugenLoader aka FakeBat, PaykLoader, X.Loader loader from the\r\nactor Payk_34 aka eugenfest; and the Matanbuchus loader from the actor BelialDemon.\r\nAdditionally, Black Basta member usernameugway claimed to purchase private loader malware from the\r\nactor Bordislav, who advertised the DarkGate malware loader in February 2024 and possibly was the\r\nactor RastaFarEye’s alternative online persona or partner. The leaked chat logs confirm the Black Basta group\r\nalso cooperated with RastaFarEye and purchased various malicious products from the actor.\r\nGroup members purchased antivirus (AV) software licenses to test malicious setups.
They also purchased\r\nCrowdStrike, Sentinel and Sophos software to store on local servers to simulate real attacks.\r\nData exfiltration tactics\r\nThe group revealed numerous data exfiltration tactics used in 2023 and 2024, which varied depending on the\r\navailable resources, targeted entities, amount of data and numerous other factors. The group allegedly used the\r\nRclone and WinSCP services to set up file transfer protocol (FTP) servers and transferred data via the FileZilla\r\nservice and the cURL command-line tool.\r\nAnother identified tactic was mapped drive exfiltration using RDP drive redirection or shadowing. The group\r\nconfigured local drives on its system to be accessible from a remote machine via RDP settings. This allows\r\ndirectly dragging and dropping files from the compromised machine to the attacker’s local disk. The group\r\nmembers adm and usernamegg also used the pCloud secure file storage for stolen data.\r\nConclusion\r\nThe sheer diversity of tooling and techniques Black Basta used makes it a formidable adversary. It’s impossible to\r\nhave perfect defenses in place to block all of the attack vectors the gang used, whether it be malware, social-engineering attempts, malspam, compromised credentials or vulnerability exploitation. The group’s leveraging of\r\nother offerings in underground cybercriminal forums and marketplaces proved to be a force multiplier, allowing it\r\nto use other capable tools to continue compromising victims. \r\nThreat intelligence can help organizations stay ahead of attackers such as Black Basta. Understanding the latest\r\nmalware, how it is distributed and how it functions can ensure better detection. Monitoring underground markets\r\nfor offerings of compromised credentials can allow administrators to reset them before adversaries use them.\r\nUnderstanding which vulnerabilities may be of high interest to ransomware actors can ensure those flaws are\r\neither mitigated or patched properly. 
\r\nThreat hunting — the practice of looking through logging systems for clues of a compromise — can potentially\r\nstop an attack from proceeding further. Intel 471’s HUNTER platform contains pre-written queries that can be\r\nused to hunt for threats in endpoint detection and response (EDR), security incident and event management\r\n(SIEM) and logging systems. HUNTER contains a collection of hunt packages based on Black Basta TTPs.\r\nRegister for a HUNTER Community Account, which contains sample free hunt packages and insight into\r\nHUNTER’s comprehensive library of advanced threat hunting packages, detailed analyst notes and proactive\r\nrecommendations. These resources are designed to strengthen your threat hunting capabilities and keep your\r\norganization secure.\r\nFor more information about how threat intelligence and threat hunting can thwart data breaches and ransomware\r\nattacks, please contact Intel 471.\r\nSource: https://intel471.com/blog/an-in-depth-look-at-black-bastas-ttps",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://intel471.com/blog/an-in-depth-look-at-black-bastas-ttps"
	],
	"report_names": [
		"an-in-depth-look-at-black-bastas-ttps"
	],
	"threat_actors": [
		{
			"id": "d9b39228-0d9d-4c1e-8e39-2de986120060",
			"created_at": "2023-01-06T13:46:39.293127Z",
			"updated_at": "2026-04-10T02:00:03.277123Z",
			"deleted_at": null,
			"main_name": "BelialDemon",
			"aliases": [
				"Matanbuchus"
			],
			"source_name": "MISPGALAXY:BelialDemon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434398,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/202fca2e47663b97aab4968478b48a779a100a67.pdf",
		"text": "https://archive.orkl.eu/202fca2e47663b97aab4968478b48a779a100a67.txt",
		"img": "https://archive.orkl.eu/202fca2e47663b97aab4968478b48a779a100a67.jpg"
	}
}