{
	"id": "494a965b-d07a-4645-a1cb-bcae3b66befc",
	"created_at": "2026-04-06T01:31:01.939012Z",
	"updated_at": "2026-04-10T03:21:40.729599Z",
	"deleted_at": null,
	"sha1_hash": "d0b56b2be8cb2e38205e7dcac81d110f18b3a136",
	"title": "Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1165061,
	"plain_text": "Black Basta Ransomware Operators Expand Their Attack Arsenal With\r\nQakBot Trojan and PrintNightmare Exploit\r\nBy Kenneth Adrian Apostol, Paolo Ronniel Labrador, Mirah Manlapig, James Panlilio, Emmanuel Panopio, John Kenneth Reyes,\r\nMelvin Singwa\r\nPublished: 2022-06-30 · Archived: 2026-04-06 00:33:44 UTC\r\nRansomware\r\nWe look into a recent attack orchestrated by the Black Basta ransomware group that used the banking trojan QakBot as a\r\nmeans of entry and movement and took advantage of the PrintNightmare vulnerability to perform privileged file operations.\r\nRead time: 4 min (955 words)\r\nSince it became operational in April, Black Basta has garnered notoriety for its recent attacks on 50\r\norganizations around the world and its use of double extortion, a modern ransomware\r\ntactic in which attackers encrypt confidential data and threaten to leak it if their demands are not met. The emerging\r\nransomware group has continued to improve its attacks: We recently caught it using the banking trojan\r\nQakBot as a means of entry and movement, and taking advantage of the PrintNightmare vulnerability\r\n(CVE-2021-34527) to perform privileged file operations.\r\nIn the case of a Trend Micro customer, its system was infected with Black Basta ransomware that was deployed by QakBot\r\n(Figure 1). This behavior is typical of the QakBot malware family, which has served as a key enabler of ransomware\r\nfamilies like MegaCortex, PwndLocker, Egregor, ProLock, and REvil (aka Sodinokibi). QakBot, which\r\nwas discovered in 2007, is known for its infiltration capabilities and has been used as a “malware-installation-as-a-service”\r\nfor various campaigns. 
Over the years, this banking trojan has become increasingly sophisticated, as evidenced by its\r\nexploitation of a newly disclosed Microsoft zero-day vulnerability known as Follina (CVE-2022-30190).\r\nFigure 1. A timeline of the files detected on the infected machine\r\nQakBot’s infection chain\r\nQakBot is distributed using spear-phishing emails (Figure 2) that contain Excel files with Excel 4.0 macros. The emails\r\nentice the recipient to enable macros, which download and execute the QakBot DLL files (Figures 3 and 4). The\r\ndownloaded QakBot DLL is dropped onto a specific file path and file name, and is executed via regsvr32.exe (Figure 5).\r\nThe QakBot DLL performs process injection using explorer.exe (Figure 6), after which the injected Explorer process creates\r\na scheduled task to maintain the malware’s initial foothold in the infected system (Figure 7).\r\nFigure 2. The infection chain from the point of entry to the Black Basta ransomware payload\r\nFigure 3. Instructions in the Excel file used by QakBot to lure a potential victim into enabling Excel 4.0\r\nmacros\r\nFigure 4. The malicious URL used to download the QakBot malware\r\nFigure 5. The downloaded QakBot malware dropped onto a specific file path and file name\r\nFigure 6. The explorer.exe process used in process injection\r\nFigure 7. The scheduled task created by QakBot\r\nOnce QakBot is installed in a system, it proceeds to download and drop the other components in the infection chain,\r\nbeginning with the Cobeacon backdoor. We have observed the execution of Cobeacon using a fileless PowerShell script with\r\nmultiple layers of obfuscation (Figures 8 to 11). 
The Base64-encoded shellcode of the installed Cobeacon establishes and\r\nnames a pipe for communication (Figure 12) that is possibly used for exfiltration purposes once information has been\r\ncollected from a targeted system. The Black Basta ransomware group posts this information on its leak sites if the victim\r\ndoes not pay the ransom.\r\nFigure 8. Cobeacon’s first layer of obfuscation, a Base64-encoded PowerShell command\r\nFigure 9. Cobeacon’s second layer of obfuscation, the loading and reading of an archive file in memory\r\nFigure 10. Cobeacon’s third layer of obfuscation, the decoded script for running the Base64-encoded\r\nshellcode\r\nFigure 11. Disassembly of the decoded shellcode\r\nFigure 12. Shellcode containing the named pipe for communication\r\nPrintNightmare and Coroxy\r\nUpon further analysis of the system that was affected by Black Basta, we found evidence that points to the ransomware\r\ngroup’s exploitation of the PrintNightmare vulnerability. Exploiting this vulnerability, Black Basta abused\r\nthe Windows Print Spooler service (spoolsv.exe) to drop its payload, spider.dll, and perform privileged file operations. It\r\nalso exploited the vulnerability to execute another file in the affected system, but samples of this file were no longer\r\navailable in the system.\r\nAdditionally, our investigation found that the ransomware actors used the Coroxy backdoor. They used Coroxy in\r\nconjunction with the networking utility Netcat to move laterally across the network. 
Once the\r\nattackers gained a wide foothold in the network, they executed the Black Basta ransomware, whose infection process we\r\nexplained in more detail in a previous blog post.\r\nThwarting phishing attempts\r\nSpear phishing is a common precursor to ransomware infection. Organizations can protect their data from threats that spread\r\nthrough emails by adhering to best practices such as:\r\nEnsuring that macros are disabled in Microsoft Office applications.\r\nVerifying an email’s sender and content before opening or downloading any attachments.\r\nHovering the pointer over embedded links to show the links’ full addresses.\r\nBeing wary of telltale signs of malicious intent, including unfamiliar email addresses, mismatched email and sender\r\nnames, and spoofed company emails.\r\nBusinesses and their employees can safeguard sensitive company data from email-borne ransomware threats like Black\r\nBasta by turning to endpoint solutions such as Trend Micro’s Smart Protection Suites and Worry-Free Business\r\nSecurity solutions, which are equipped with behavior-monitoring capabilities that are able to detect\r\nmalicious files, scripts, and messages, and block all related malicious URLs. Trend Micro™ Deep Discovery™ also\r\nhas a layer for email inspection that protects businesses by detecting any malicious attachments and URLs.\r\nMultilayered detection and response solutions like the Trend Micro Vision One™ platform provide companies\r\nwith greater visibility across multiple layers — like email, endpoints, servers, cloud workloads, and networks — to look out\r\nfor suspicious behavior in their systems and block malicious components early, mitigating the risk of ransomware infection. 
\r\nIndicators of compromise\r\nHashes\r\nSHA-256 Trend Micro detection\r\n01fafd51bb42f032b08b1c30130b963843fea0493500e871d6a6a87e555c7bac Ransom.Win32.BLACKBASTA.YXCEP\r\n72a48f8592d89eb53a18821a54fd791298fcc0b3fc6bf9397fd71498527e7c0e Trojan.X97M.QAKBOT.YXCFH\r\n580ce8b7f5a373d5d7fbfbfef5204d18b8f9407b0c2cbf3bcae808f4d642076a Backdoor.Win32.COROXY.YACEKT\r\n130af6a91aa9ecbf70456a0bee87f947bf4ddc2d2775459e3feac563007e1aed Trojan.Win64.QUAKNIGHTMARE.YACEJT\r\nc7eb0facf612dbf76f5e3fe665fe0c4bfed48d94edc872952a065139720e3166 TrojanSpy.Win32.QAKBOT.YXCEEZ\r\nffa7f0e7a2bb0edf4b7785b99aa39c96d1fe891eb6f89a65d76a57ff04ef17ab TrojanSpy.Win32.QAKBOT.YACEJT\r\n2083e4c80ade0ac39365365d55b243dbac2a1b5c3a700aad383c110db073f2d9 TrojanSpy.Win32.QAKBOT.YACEJT\r\n1e7174f3d815c12562c5c1978af6abbf2d81df16a8724d2a1cf596065f3f15a2 TrojanSpy.Win32.QAKBOT.YACEJT\r\n2d906ed670b24ebc3f6c54e7be5a32096058388886737b1541d793ff5d134ccb TrojanSpy.Win32.QAKBOT.YACEJT\r\n72fde47d3895b134784b19d664897b36ea6b9b8e19a602a0aaff5183c4ec7d24 TrojanSpy.Win32.QAKBOT.YACEJT\r\n2e890fd02c3e0d85d69c698853494c1bab381c38d5272baa2a3c2bc0387684c1 TrojanSpy.Win32.QAKBOT.YACEJT\r\nc9df12fbfcae3ac0894c1234e376945bc8268acdc20de72c8dd16bf1fab6bb70 Ransom.Win32.BLACKBASTA.YACEJ\r\n8882186bace198be59147bcabae6643d2a7a490ad08298a4428a8e64e24907ad Trojan.Win32.BLACKBASTA.YXCEJ\r\n0e2b951ae07183c44416ff6fa8d7b8924348701efa75dd3cb14c708537471d27 Trojan.Win32.BLACKBASTA.YXCEJ\r\n0d3af630c03350935a902d0cce4dc64c5cfff8012b2ffc2f4ce5040fdec524ed Trojan.Win32.BLACKBASTA.YXCEJ\r\ndf35b45ed34eaca32cda6089acbfe638d2d1a3593d74019b6717afed90dbd5f8 Trojan.Win32.BLACKBASTA.YXCEJ\r\n3fe73707c2042fefe56d0f277a3c91b5c943393cf42c2a4c683867d6866116fc Trojan.Win32.BLACKBASTA.YXCEJ\r\n433e572e880c40c7b73f9b4befbe81a5dca1185ba2b2c58b59a5a10a501d4236 Ransom.Win32.BLACKBASTA.A.note\r\nc4683097a2615252eeddab06c54872efb14c2ee2da8997b1c73844e582081a79 PUA.Win32.Netcat.B\r\nURLs\r\n24[.]178[.]196[.]44:2222\r\n37[.]186[.]54[.]185:995\r\n39[.]44[.]144[.]182:995\r\n45[.]63[.]1[.]88:443\r\n46[.]176[.]222[.]241:995\r\n47[.]23[.]89[.]126:995\r\n72[.]12[.]115[.]15:22\r\n72[.]76[.]94[.]52:443\r\n72[.]252[.]157[.]37:995\r\n72[.]252[.]157[.]212:990\r\n73[.]67[.]152[.]122:2222\r\n75[.]99[.]168[.]46:61201\r\n103[.]246[.]242[.]230:443\r\n113[.]89[.]5[.]177:995\r\n148[.]0[.]57[.]82:443\r\n167[.]86[.]165[.]191:443\r\n173[.]174[.]216[.]185:443\r\n180[.]129[.]20[.]53:995\r\n190[.]252[.]242[.]214:443\r\n217[.]128[.]122[.]16:2222\r\nelblogdeloscachanillas[.]com[.]mx/S3sY8RQ10/Ophn[.]png\r\nlalualex[.]com/ApUUBp1ccd/Ophn[.]png\r\nlizety[.]com/mJYvpo2xhx/Ophn[.]png\r\nSource: https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html"
	],
	"report_names": [
		"black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775439061,
	"ts_updated_at": 1775791300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d0b56b2be8cb2e38205e7dcac81d110f18b3a136.pdf",
		"text": "https://archive.orkl.eu/d0b56b2be8cb2e38205e7dcac81d110f18b3a136.txt",
		"img": "https://archive.orkl.eu/d0b56b2be8cb2e38205e7dcac81d110f18b3a136.jpg"
	}
}