{
	"id": "decedef2-1f88-4eee-b43f-6135791f3482",
	"created_at": "2026-04-06T01:31:37.678198Z",
	"updated_at": "2026-04-10T03:35:52.94905Z",
	"deleted_at": null,
	"sha1_hash": "b1498ecf6cfe40abb5b05563d755086b9704c3b6",
	"title": "Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 32063,
	"plain_text": "Black Basta Ransomware | Attacks Deploy Custom EDR Evasion\r\nTools Tied to FIN7 Threat Actor\r\nBy Author:\r\nArchived: 2026-04-06 00:54:26 UTC\r\nColor\r\nSize\r\nof 36\r\n1BLACK BASTA RANSOMWARE | ATTACKS DEPLOY CUSTOM EDR EVASION TOOLS TIED TO FIN7\r\nTHREAT ACTOR\r\nBLACK BASTA RANSOMWARE |\r\nATTACKS DEPLOY CUSTOM\r\nEDR EVASION TOOLS TIED\r\nTO FIN7 THREAT ACTOR\r\nAuthors: Antonio Cocomazzi, Antonio Pirozzi\r\nNovember 2022\r\nSentinelLABS\r\n2BLACK BASTA RANSOMWARE | ATTACKS DEPLOY CUSTOM EDR EVASION TOOLS TIED TO FIN7\r\nTHREAT ACTOR\r\nTABLE OF\r\nCONTENTS\r\n3 EXECUTIVE SUMMARY\r\n4 OVERVIEW\r\n5 BLACK BASTA INITIAL\r\nACCESS ACTIVITY\r\n6 ENTER THE BLACK\r\nBASTA OPERATOR\r\n8 BLACK BASTA PRIVILEGE\r\nESCALATION TECHNIQUES\r\n9 REMOTE ADMIN TOOLS\r\n12 BLACK BASTA\r\nLATERAL MOVEMENT\r\n13 IMPAIR DEFENSES\r\n14 CUSTOM DEFENSE\r\nIMPAIRMENT TOOL\r\n18 UNCOVERING FURTHER TIES\r\nhttps://assets.sentinelone.com/sentinellabs22/sentinellabs-blackbasta\r\nPage 1 of 2\n\nBETWEEN BLACK BASTA AND FIN7\r\n23 ATTRIBUTION OF THE\r\nTHREAT ACTOR: FIN7\r\n24 CONCLUSION\r\n25 INDICATORS OF COMPROMISE\r\n36 ABOUT SENTINELLABS\r\nSource: https://assets.sentinelone.com/sentinellabs22/sentinellabs-blackbasta\r\nhttps://assets.sentinelone.com/sentinellabs22/sentinellabs-blackbasta\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://assets.sentinelone.com/sentinellabs22/sentinellabs-blackbasta"
	],
	"report_names": [
		"sentinellabs-blackbasta"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439097,
	"ts_updated_at": 1775792152,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b1498ecf6cfe40abb5b05563d755086b9704c3b6.pdf",
		"text": "https://archive.orkl.eu/b1498ecf6cfe40abb5b05563d755086b9704c3b6.txt",
		"img": "https://archive.orkl.eu/b1498ecf6cfe40abb5b05563d755086b9704c3b6.jpg"
	}
}