{
	"id": "99b50076-92b2-453b-9a74-710965b084da",
	"created_at": "2026-04-06T00:21:46.951568Z",
	"updated_at": "2026-04-10T13:11:30.404667Z",
	"deleted_at": null,
	"sha1_hash": "497cf305c68c976b0f8288753816fdabde0c35ae",
	"title": "Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1967499,
	"plain_text": "Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom\r\nMalware\r\nBy Tyler McGraw\r\nPublished: 2024-12-04 · Archived: 2026-04-05 23:09:56 UTC\r\nExecutive Summary\r\nBeginning in early October, Rapid7 has observed a resurgence of activity related to the ongoing social engineering campaign\r\nbeing conducted by Black Basta ransomware operators. Rapid7 initially reported the discovery of the novel social\r\nengineering campaign back in May, 2024, followed by an update in August 2024, when the operators updated their tactics\r\nand malware payloads and began sending lures via Microsoft Teams. Now, the procedures followed by the threat actors in\r\nthe early stages of the social engineering attacks have been refined again, with new malware payloads, improved delivery,\r\nand increased defense evasion.\r\nOverview\r\nThe social engineering attacks are still initiated in a similar manner. Users within the target environment will be email\r\nbombed by the threat actor, which is often achieved by signing up the user’s email to numerous mailing lists simultaneously.\r\nAfter the email bomb, the threat actor will reach out to the impacted users. Rapid7 has observed the initial contact still\r\noccurs primarily through usage of Microsoft Teams, by which the threat actor, as an external user, will attempt to call or\r\nhttps://www.rapid7.com/blog/post/2024/12/04/black-basta-ransomware-campaign-drops-zbot-darkgate-and-custom-malware/\r\nPage 1 of 16\n\nmessage the impacted user to offer assistance. The account domains in use include both Azure/Entra tenant subdomains\r\n(e.g., username[@]tenantsubdomain[.]onmicrosoft[.]com) and custom domains (e.g., username[@]cofincafe[.]com).\r\nIn many cases, Rapid7 has observed that the threat actor will pretend to be a member of the target organization’s help desk,\r\nsupport team, or otherwise present themself as IT staff. 
Below are examples of Microsoft Teams display names observed, by\r\nRapid7, to be in use by operators. The display names may or may not be padded with whitespace characters. Rapid7 has also\r\nobserved threat actors use a first and last name, as the chat display name and/or account username, to impersonate an IT staff\r\nmember within the targeted organization.\r\nOperator Chat Display Name\r\nHelp Desk\r\nHELP DESK\r\nHelp Desk Manager\r\nTechnical Support\r\nAdministracion\r\nIf the user interacts with the lure, either by answering the call or messaging back, the threat actor will attempt to get the user\r\nto install or execute a remote management (RMM) tool, including, but not limited to, QuickAssist, AnyDesk, TeamViewer,\r\nLevel, or ScreenConnect. Rapid7 has also observed attempts to leverage the OpenSSH client, a native Windows utility, to\r\nestablish a reverse shell. In at least one instance, the threat actor shared a QR code with the targeted user. The purpose of the\r\nQR code is unconfirmed but appears to be an attempt to bypass MFA after stealing a user’s credentials. The URL embedded\r\nwithin the QR code adheres to the following format: hxxps://\u003ccompany_name\u003e[.]qr-\u003cletter\u003e\u003cnumber\u003e[.]com.\r\nIn a majority of cases, Rapid7 has observed that the operator, after gaining access to the user’s asset via RMM tool, will then\r\nattempt to download and execute additional malware payloads. In one case handled by Rapid7, the operator requested more\r\ntime — potentially to hand off the access to another member of the group.\r\nThe payload delivery methods vary per case, but have included external compromised SharePoint instances, common file\r\nsharing websites, servers rented through hosting providers, or even direct upload to the compromised asset in the case of\r\nRMM tool remote control. 
In one case, the operator used the group’s custom credential harvester to dump the user’s\r\ncredentials, the results for which were subsequently uploaded to a file sharing site — publicly exposing the stolen\r\ncredentials. SharePoint has been used to distribute copies of AnyDesk portable, likely to circumvent security measures that\r\nwould prevent the user from downloading it directly from anydesk[.]com. Such attempts have been blocked by web proxy in\r\nprevious cases.\r\nThe overall goal following initial access appears to be the same: to quickly enumerate the environment and dump the user’s\r\ncredentials. When possible, operators will also still attempt to steal any available VPN configuration files. With the user’s\r\ncredentials, organization VPN information, and potential MFA bypass, it may be possible for them to authenticate directly to\r\nthe target environment.\r\nRapid7 has observed usage of the same credential harvesting executable, previously reported as AntiSpam.exe, though it is\r\nnow delivered in the form of a DLL and most commonly executed via rundll32.exe. Whereas before it was an unobfuscated\r\n.NET executable, the program is now commonly contained within a compiled 64-bit DLL loader. Rapid7 has analyzed at\r\nleast one sample that has also been obfuscated using the group’s custom packer. The newest versions of the credential\r\nharvester now save output to the file 123.txt in the user’s %TEMP% directory, an update from the previous qwertyuio.txt\r\nfile, though versions of the DLL distributed earlier in the campaign would still output to the previous file.\r\nThe credential harvester is most commonly followed by the execution of a loader such as Zbot (a.k.a. 
Zloader) or DarkGate.\r\nThis can then serve as a gateway to the execution of subsequent payloads in memory, facilitate data theft, or otherwise\r\nperform malicious actions. Rapid7 has also observed operators distributing alternate payload archives containing Cobalt\r\nStrike beacon loaders and a pair of Java payloads containing a user credential harvester variant and a custom multi-threaded\r\nbeacon by which to remotely execute PowerShell commands. In some cases, operators have sent the user a short command,\r\nvia Teams, which will then begin an infection chain after execution by the targeted user.\r\nRapid7 continues to observe inconsistent usage of the group’s custom packer to deliver various malware payloads, including\r\ntheir custom credential harvester. A YARA rule is now publicly available that can be used to detect the packer. For example,\r\nthis packer was used to deliver several obfuscated versions of Black Basta ransomware, obtained via open source\r\nintelligence, which directly links operators to the ongoing social engineering campaign.\r\nAt the time of writing, the threat actors behind the campaign continue to update both their strategy for gaining initial access\r\nand the tools subsequently used. For example, around the time the most recent campaign activity began, Rapid7 observed\r\nthe delivery of a timestamped and versioned payload archive, 171024_V1US.zip (2024-10-17, version 1, US), which, when\r\ncompared to a more recently delivered archive, 171124_V15.zip (2024-11-17, version 15), highlights the rapid iteration\r\nbeing undertaken. 
Many of the payloads being delivered follow a similar pattern as previous activity and often consist of a\r\nlegitimate file where an export or function entry point has been overwritten to jump to malicious code, and the result is\r\nsigned with a likely stolen code signing certificate.\r\nIntrusions related to the campaign should be taken seriously — the intent goes beyond typical phishing activity. Past\r\ncampaign activity has led to the deployment of Black Basta ransomware. While Rapid7 has handled a high volume of\r\nincidents related to the current social engineering campaign across a variety of customer environments, to date, every case\r\nhas been contained before the operator was able to move laterally beyond the targeted user’s asset.\r\nTechnical Analysis\r\nInitial Access\r\nEach attack is preceded by the targeted user receiving an often overwhelming amount of emails. An operator will then\r\nattempt to contact the user via Microsoft Teams, either via messaging or calling, by which they will pretend to offer\r\nassistance. Operators will attempt to impersonate the organization’s help desk, such as using the names of existing staff\r\nmembers.\r\nDuring this social engineering stage, operators often need to troubleshoot with the user to establish remote control of the\r\nuser’s asset. Based on the environment, for example, RMM tool downloads or execution may be blocked (often some, but\r\nnot all) or QuickAssist may be disabled, causing the operator to cycle through their options at establishing a foothold. One\r\nof the most common first steps after gaining either the confidence of the user, or remote access, is to execute a custom\r\ncredential harvester.\r\nCredential Harvesting\r\nThe credential harvester used by operators, for example SafeStore.dll (SHA256:\r\n3B7E06F1CCAA207DC331AFD6F91E284FEC4B826C3C427DFFD0432FDC48D55176), is an updated version of the\r\npreviously analyzed program AntiSpam.exe. 
The DLL variant of the credential harvester is executed by a command like the\r\nfollowing example:\r\nrundll32.exe SafeStore.dll,epaas_request_clone\r\nThe module will quickly execute three enumeration commands to gather system information — systeminfo, route print,\r\nipconfig /all — and then prompt the user for their password. The user’s credentials are appended onto a new line of the text\r\nfile 123.txt with each attempt, after the enumeration command output, regardless of whether the credentials are correct. If\r\nthe user enters the wrong password, they will be prompted to try again. The output for the enumeration commands and the\r\nuser’s credentials were saved to the file qwertyuio.txt in older versions of the harvester, but are now saved to 123.txt, within\r\nthe user’s %TEMP% directory. The enumeration commands within the updated version are executed via successive calls to\r\nCreateProcessA.\r\nBased on analysis of one credential harvester sample, EventCloud.dll, the program was present in shellcode form. The\r\nshellcode is decrypted from the Cursor Group 880 resource embedded within the executable, using the XOR key 5A 3C 77\r\n6E 33 30 4D 38 4F 38 40 78 41 58 51 30 42 5F 3F 67 71 00, and then injected locally. The following strings which were\r\nextracted from the shellcode show the output file and list dynamically loaded libraries:\r\nCredential Harvester Strings - - - -\r\ncmd.exe /c %s%s %s%s%s%s 123.txt ooki\r\nUpdate filter kb_outl Need credentials to update... 
Username: Password:\r\nntdll.dll Gdi32.dll user32.dll msvcrt.dll ucrtbase.dll\r\nComctl32.dll Advapi32.dll kernel32.dll - -\r\nThe Java variant of the credential harvester, identity.jar, provides a similar prompt to the user, though when a password is\r\nentered it is appended, without the username, to a .txt file with a random 10-letter alphabetic name in the current working\r\ndirectory. The cancel button on the prompt, shown below, is not functional and the prompt is drawn on top of other\r\nwindows, meaning that it will not close until the user has entered their password correctly.\r\nMalware Payloads\r\nFollowing execution of a credential harvester, an operator will typically infect the asset with Zbot or DarkGate. One of the\r\nZbot samples delivered after initial access, SyncSuite.exe (SHA256:\r\nDB34E255AA4D9F4E54461571469B9DD53E49FEED3D238B6CFB49082DE0AFB1E4) contains similar functionality\r\nand strings to other Zbot/Zloader samples previously reported by ZScaler. However, in addition to previously observed\r\nstrings, the sample also contains encrypted strings for an embedded command help menu, error messages, and more. Rapid7\r\nobserved the embedded malware version was 2.9.4.0.\r\nUpon execution, the malware will copy itself to a random folder within the %APPDATA% directory. If the file does not\r\nhave its original filename however, the process will immediately exit. The malware also contains the functionality to\r\nestablish persistence either via a Run key at HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run or a scheduled task\r\nnamed after the executable, which executes the malware copy in %APPDATA% whenever the user logs on. 
After collecting\r\nthe hostname, username, and the installation date from the InstallDate value contained within the registry key\r\nHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion, this data is concatenated (delimited by underscore characters) and\r\nencrypted, along with other config information. It is then stored within the user’s registry inside a random key created at\r\nHKCU\\Software\\Microsoft\\. The analyzed sample will also load a fresh copy of ntdll.dll to avoid hooking, which is then\r\nused to perform calls to NTAPI functions. SyncSuite.exe ultimately injects itself into a suspended instance of msedge.exe,\r\ncreated using NtCreateUserProcess and executed via ResumeThread, a technique known as Process Hollowing.\r\nAll of the strings used by the malware are stored encrypted within the .rdata section along with the configuration. The\r\nstrings are decrypted using an obfuscated loop that is ultimately a simple XOR operation with the hard coded key 16 EB D5\r\n3E AA E6 51 09 14 D3 DF 18 AD D6 1B BD BE, which is also stored in the .rdata section. The configuration is decrypted\r\nusing an RC4 key, F3 F9 F7 FB FA F3 F7 F7 FF F5 F2 F3 FA FD FE F2 for this sample. The decrypted configuration for\r\nSyncSuite.exe can be seen below, with empty rows removed. The configuration contains a different public RSA key and\r\nbotnet ID than the one previously shared by ThreatLabz, indicating that the campaign is being run by a different affiliate. All\r\ndecrypted strings from SyncSuite.exe can be seen in the Zbot Strings section following other Indicators of Compromise.\r\nRapid7 has also observed the delivery of DarkGate malware following initial access. 
One payload archive contained both a\r\nDarkGate infection initiation script, test.vbs, and an executable copy of the DarkGate malware itself, SafeFilter.exe\r\n(SHA256: EF28A572CDA7319047FBC918D60F71C124A038CD18A02000C7AB413677C5C161 ), though this copy is\r\npacked using the group’s custom packer. The final payload containing the DarkGate malware, after several layers of\r\ndecrypting and loading, contains the version string 7.0.6. If the folder c:\\debugg exists on the system when the malware is\r\nexecuted it will display the version number via MessageBoxA. The configuration for this sample can be seen below along\r\nwith hard coded commands. Notably, the campaign ID for the sample appears to be drk2.\r\nThe configuration is decrypted with the key ckcilIcconnh within a customized XOR loop near the beginning of execution to\r\nreveal CRLF delimited options. However, due to the implementation of the decryption loop, the keyspace is effectively\r\nreduced to that of a single byte (0-255), after the first byte. 
This makes the XOR key for the majority of the config 0x60 for\r\nthis sample, allowing for the encrypted data to be trivially bruteforced.\r\nKey-Value Pair (SafeFilter.exe\r\nDarkGate Config)\r\nDescription\r\n0=179.60.149[.]194| C2 domains or IP addresses, delimited with ‘|’ characters\r\n8=No\r\nIf enabled and the file C:\\ProgramData\\hedfdfd\\Autoit3.exe does not exist, call\r\nMessageBoxTimeoutA using keys 11 and 12 and a timeout of 1770ms.\r\n11=Error Used by key 8 as a message box title.\r\n12=PyKtS5Q\r\nThe string Error, base64 encoded with the custom alphabet\r\nzLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+=.\r\nUsed by key 8 as a message box caption.\r\n13=6 Unknown\r\n14=Yes Unknown\r\n15=80 C2 communication port.\r\n1=Yes Enables infection.\r\n32=Yes\r\nIf enabled, attempt bypass of detected security products. For example, enables calls to\r\nRtlAdjustPrivilege and NtRaiseHardError to cause a crash if hdkcgae is not present in\r\nC:\\temp\\ and a Kaspersky product has been detected.\r\n3=No If disabled, do an anti-vm display check.\n4=No If enabled, compare system drive size to key 18. If below, exit.\n18=100 Minimum drive size in GB.\n6=No\nIf enabled and key 3 is disabled, check the display for known virtual machine display\nstrings using EnumDisplayDevicesA. If matched, exit. Failed to match properly when\ntested.\n7=No If enabled, compare system RAM to key 19. If below, exit.\n19=4096 Minimum RAM size in MB.\n5=No\nIf enabled, check the registry key ProcessorNameString at\nHKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0 for xeon. If found,\nexit.\n21=No Unknown\n22\nNot present in the config for this sample, but is still checked for in the code. 
If enabled,\nset the variant string to DLL, otherwise ?.\n23=Yes If enabled, set the variant string to AU3 for Autoit3 payloads.\n31=No If enabled, set the variant string to AHK for AutoHotKey payloads.\n25=drk2 Campaign ID\n26=No Unknown\n27=rsFxMyDX Decryption key, also used to bound/find payloads stored within other files.\n28=No Unknown\n29=2 Unknown\n35=No Unknown\ntabla=IsUiPQ4\u0026atzM5N=0($\"\n3]TGfyK8JYwvO61SAF{ndrDu\nol29*RkmqCpgxeX[EH,V)}7j\nbZBc.WLh\nUnknown\nDarkGate Hard-coded Commands\n/c cd /d \"C:\\Users\\User\\AppData\\Roaming\" \u0026\u0026 move  /c cd /d \"C:\\Users\\User\\AppData\\Local\" \u0026\u0026 move  /c cmdkey /delete:\n/c cmdkey /list \u003e c:\\temp\\cred.txt\r\n/c del /q /f /s C:\\Users\\User\\AppData\\Roaming\\Mozilla\\firefox*\r\n/c ping 127.0.0.1 \u0026 del /q /f /s c:\\temp \u0026 del /q /f /s C:\\ProgramData\\hedfdfd\\ \u0026 rmdir /s /q C:\\ProgramData\\hedfdfd\\\r\n/c shutdown -f -r -t 0\r\n/c shutdown -f -s -t 0\r\n/c wmic ComputerSystem get domain \u003e C:\\ProgramData\\hedfdfd\\fcadaab\r\nDuring execution, DarkGate will hash certain strings and use the result to create or check files at the directories\r\nC:\\ProgramData\\hedfdfd(mainfolder) and C:\\temp\\. The hashing algorithm uses a randomized key generated at runtime, so\r\nthe hashes across infections will be different. Commonly used strings and their resultant hash, for the analysis environment,\r\nare shown below.\r\nPath String DarkGate Custom Hash\r\nmainfolder hedfdfd\r\nlogsfolder fhhcfhh\r\nsettings dhkbbfc\r\ndomain fcadaab\r\nmutex0 hfgdced\r\nmutex1 cekchde\r\nau3 dgfeabe\r\nc.txt adfcbdd\r\ncc.txt dehgaba\r\nscript daaadeh\r\nfs.txt hdkcgae\r\nDarkGate may also change its behavior if a known security product is detected. 
This is achieved by using\r\nCreateToolhelp32Snapshot and related functions to loop through running processes which are compared to a hard-coded list.\r\nThe malware will also check for known installation directories using GetFileAttributesA. If a security product is found, a\r\nflag will be set which may alter the execution path. Only the following products had associated flags:\r\nDarkGate “Supported” Security Products - - - -\r\nWindows Defender Sophos Quick Heal MalwareBytes Panda Security\r\nNorton/Symantec ESET/Nod32 Kaspersky Avast SentinelOne\r\nBitdefender - - - -\r\nAt the end of the first execution of the DarkGate payload, it will then attempt to inject itself into a host process. First,\r\nDarkGate will select the injection target by searching a list of hard coded directories for any executable that contains the\r\nstring updatecore.exe, subdirectories included. The path C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\ is searched first,\r\nwith the fallback being C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe. If a matching Edge\r\nexecutable is not found, the path C:\\Program Files (x86)\\Google\\Update\\ is then searched. If that also fails, the malware will\r\nattempt to use C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe.\r\nAfter successfully choosing the injection target, DarkGate will then inject itself into the target process using shellcode,\r\nterminating the original instance of the final DarkGate payload after executing the shellcode. 
When creating an instance of\r\nthe target process to inject, DarkGate will also attempt to spoof the parent process ID (PPID) of the injection target by\r\nenumerating running processes for accessibility using OpenProcess and then randomly selecting one from an assembled list.\r\nThe PPID of the target is then updated using UpdateProcThreadAttribute prior to creation with CreateProcessA.\r\nExecution of the injected process is coordinated by checking for the presence of two file based mutexes within\r\nC:\\ProgramData\\hedfdfd\\ (mainfolder). Each instance of the DarkGate malware checks both of the file-based mutexes. The\r\nfile mutex usage is checked via calls to CreateFileA using an exclusive share mode flag (0) and a creation disposition of\r\nCREATE_ALWAYS, which means that if the mutex is already in usage by another DarkGate instance the call will fail. If the\r\ncall to both mutexes created by DarkGate, hfgdced and cekchde, fails, DarkGate will exit. As a result of having two\r\nmutexes, DarkGate will typically run within two injected process instances at the same time, so if one process is terminated,\r\nthe remaining instance will spawn another. If a DarkGate instance is spawned and both calls to open the file based mutexes\r\nfail, indicating two existing DarkGate instances, the new instance will terminate. This technique is rarely used by malware\r\ndevelopers and highlights the sophistication of DarkGate malware.\r\nDarkGate will unconditionally log keystrokes as well as clipboard data that is under 1024 bytes. The logged data is stored\r\nencrypted at C:\\ProgramData\\hedfdfd\\fhhcfhh (mainfolder\\logsfolder) within files named \u003cdate\u003e.log. The logged data may\r\nbe sent directly to the C2 address contained within the config. A thread is also created to persist on infected systems by\r\ncreating the Run key daaadeh (script) at HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run. 
The Run key will point\r\nto the copies of Autoit3.exe and the compiled AU3 script payload dgfeabe.a3x (au3) created at C:\\ProgramData\\hedfdfd\r\n(mainfolder), with the former executing the latter every time the user logs on. When the AU3 script is executed, DarkGate\r\nreinfects the system. The thread also continuously monitors the text within the infected user’s active window, sleeping\r\n1500ms between checks, and will delete the registry key if a blacklisted application is detected. This list includes popular\r\nanalysis tools such as Process Hacker, Process Monitor, Task Manager, and even the Windows Registry Editor.\r\nThe DarkGate sample executed by SafeFilter.exe contains 78 remote commands, some of which can be seen below with\r\ntheir intended function. Every loop, the malware will re-send the text of the active window, user idle time, and whether or\r\nnot the malware instance has admin rights, before checking for a command.\r\nCommand ID Function\r\n1000 Sleep for a randomized amount of time.\r\n1004 Use MessageBoxA to display the message test msg.\r\n1044,1045,1046\r\nClick the user’s mouse at specified screen coordinates using SetCursorPos and successive calls to\r\nmouse_event. 1044 for double left-click. 1045 for single left click. 1046 for single right click.\r\n1049 Create a remote shell via powershell.exe.\r\n1059 Terminate process by PID.\r\n1061\r\nInject DarkGate shellcode into a specified process or an Edge/Chrome process if none is selected.\r\nThe shellcode is then executed via ResumeThread.\r\n1062,1063,1064\r\nInject DarkGate shellcode into a specified process or cmd.exe if none is selected. 
The shellcode is\r\nthen executed via CreateRemoteThread.\r\n1066\r\nRemove infection files by using cmd.exe to delete the staging directories C:\\ProgramData\\hedfdfd\r\nand c:\\temp\\.\r\n1071 Steal sitemanager.xml and recentservers.xml from %APPDATA%\\FileZilla\\ if present.\r\n1079 If admin, delete stored credentials found using cmdkey.\r\n1080\r\nRename browser directories for Firefox, Chrome, and Brave if present after terminating the related\r\nbrowser executable. Attempt to steal Opera cookies if present, after terminating the process.\r\n1081 Use NTAPI calls RtlAdjustPrivilege and NtRaiseHardError to crash the system.\r\n1083 Use the shutdown command to turn the system off.\r\n1084 Use the shutdown command to restart the system.\r\n1089 If 1=Yes in config, reinfect system with AU3 payloads.\r\n1093 Create a remote shell via cmd.exe.\r\n1097\r\nInfect system with AU3 variant. Creates the files script.a3x and Autoit3.exe in c:\\temp and then\r\nexecutes script.a3x via Autoit3.exe using CreateProcessA.\r\n1104\r\nInfect system with AHK variant. Creates the files script.ahk, test.txt, and AutoHotkey.exe in c:\\temp\r\nand then executes script.ahk via AutoHotkey.exe using CreateProcessA.\r\n1108\r\nInfect system with DLL variant. Creates the files libcurl.dll, test.txt, and GUP.exe in c:\\temp and\r\nthen executes GUP.exe via CreateProcessA.\r\n1111\r\nCreate the files ransom.txt and decrypter.exe in c:\\temp. Terminate decrypter.exe if already running\r\nand then execute decrypter.exe using CreateProcessA. 
Likely ransomware deployment method.\r\nDarkGate Remote\r\nCommand Related Strings\r\n- - - -\r\nU_Binder U_BotUpdate U_Constantes U_FTPRecovery U_FileManager\r\nU_FileManagerMisc U_GetScreens U_HVNC U_HVNC_7\r\nU_HWID U_InfoRecovery U_InjectOnFly U_Keylogger U_LNKStartup\r\nU_MemExecute U_MemExecuteMisc U_RemoteScreen U_SysApi U_SysNtReadWrite\r\nU_miniclipboard u_AntiAntiStartup u_Antis u_AudioRecord u_CustomBase64\r\nu_ExtraMisc u_HollowInstall u_InjectEP u_InvokeBSOD u_RDPRecovery\r\nu_Ransomware u_ReadCookies u_ReverseShell u_RootkitMutex u_Settings\r\nu_SettingsPad u_ShellcodeEP u_UnlockCookies u_loadpe hxxps://ipinfo[.]io/ip\r\nMitigation Guidance\r\nRapid7 recommends taking the following precautions to limit exposure to these types of attacks:\r\nRestrict the ability for external users to contact users via Microsoft Teams to the greatest extent possible. This\r\ncan be done for example by blocking all external domains or creating a white/black list. Microsoft Teams will allow\r\nall external requests by default. For more information, see this reference.\r\nStandardize remote management tools within the environment. For unapproved tools, block known hashes and\r\ndomains to prevent usage. Hash blocking can be done, for example, via Windows AppLocker or an endpoint\r\nprotection solution.\r\nProvide user awareness training regarding the social engineering campaign. Familiarize users with official help\r\ndesk and support procedures to enable them to spot and report suspicious requests.\r\nStandardize VPN access. 
Traffic from known low cost VPN solutions should be blocked at a firewall level if there\r\nis no business use case.\r\nRapid7 Customers\r\nInsightIDR, Managed Detection and Response, and Managed Threat Complete customers have existing detection coverage\r\nthrough Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight agent on all applicable hosts\r\nto ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that\r\nare deployed and will alert on behavior related to this activity:\r\nDetections\r\nSuspicious Chat Request - Potential Social Engineering Attempt\r\nInitial Access - Potential Social Engineering Session Initiated Following Chat Request\r\nSuspicious Conversation - Potential Social Engineering Message Interaction\r\nAttacker Technique - Process Executed Using Nt Object Path\r\nSuspicious Process - Enumeration Burst via ShellExecute\r\nAttacker Technique - Renamed Kaspersky Dump Writer\r\nRansomware - Possible Black Basta Related Binary Execution\r\nCredential Access - Steal or Forge Kerberos tickets\r\nSuspicious Process - Diskshadow (Windows Server) Delete Shadow Copies\r\nNon-Approved Application - Remote Management and Monitoring (RMM) Tools\r\nMITRE ATT\u0026CK Techniques\r\nTactic Technique Procedure\r\nResource\r\nDevelopment\r\nT1587.001: Develop Capabilities:\r\nMalware\r\nThe threat actor is actively developing new malware to\r\ndistribute.\r\nImpact T1498: Network Denial of Service\r\nThe threat actor overwhelms email protection solutions\r\nwith spam.\r\nInitial Access\r\nT1566.004: Phishing: Spearphishing\r\nVoice\r\nThe threat actor calls impacted users and pretends to be a\r\nmember of their organization’s IT team to gain remote\r\naccess.\r\nDefense Evasion\r\nT1140: Deobfuscate/Decode 
Files\r\nor Information\r\nThe threat actor encrypts some zip archive payloads with a\r\npassword.\r\nDefense Evasion\r\nT1055.002: Process Injection:\r\nPortable Executable Injection\r\nMultiple payloads executed by the threat actor utilize local\r\nPE injection.\r\nDefense Evasion T1620: Reflective Code Loading\r\nMultiple payloads executed by the threat actor load and\r\nexecute shellcode.\r\nCredential\r\nAccess\r\nT1649: Steal or Forge\r\nAuthentication Certificates\r\nThe threat actor has distributed numerous signed malware\r\npayloads.\r\nCredential\r\nAccess\r\nT1056.001: Input Capture:\r\nKeylogging\r\nThe threat actor runs an executable that harvests the user’s\r\ncredentials.\r\nCredential\r\nAccess\r\nT1558.003: Steal or Forge Kerberos\r\nTickets: Kerberoasting\r\nThe threat actor has performed Kerberoasting after gaining\r\ninitial access.\r\nDiscovery\r\nT1033: System Owner/User\r\nDiscovery\r\nThe threat actor enumerates asset and user information\r\nwithin the environment after gaining access.\r\nCommand and\r\nControl\r\nT1572: Protocol Tunneling The threat actor has attempted to use SSH reverse tunnels.\r\nCommand and\r\nControl\r\nT1219: Remote Access Software\r\nThe threat actor has used QuickAssist, AnyDesk,\r\nScreenConnect, TeamViewer, Level, and more, to facilitate\r\nremote access.\r\nIndicators of Compromise\r\nIndicators of compromise are available here.\r\nSource: https://www.rapid7.com/blog/post/2024/12/04/black-basta-ransomware-campaign-drops-zbot-darkgate-and-custom-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.rapid7.com/blog/post/2024/12/04/black-basta-ransomware-campaign-drops-zbot-darkgate-and-custom-malware/"
	],
	"report_names": [
		"black-basta-ransomware-campaign-drops-zbot-darkgate-and-custom-malware"
	],
	"threat_actors": [
		{
			"id": "81dde5cc-c29f-430d-8c6e-e5e92d5015e7",
			"created_at": "2022-10-25T16:07:23.704358Z",
			"updated_at": "2026-04-10T02:00:04.718034Z",
			"deleted_at": null,
			"main_name": "Harvester",
			"aliases": [],
			"source_name": "ETDA:Harvester",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Graphon",
				"Metasploit",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434906,
	"ts_updated_at": 1775826690,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/497cf305c68c976b0f8288753816fdabde0c35ae.pdf",
		"text": "https://archive.orkl.eu/497cf305c68c976b0f8288753816fdabde0c35ae.txt",
		"img": "https://archive.orkl.eu/497cf305c68c976b0f8288753816fdabde0c35ae.jpg"
	}
}