{
	"id": "29aa0f9f-a907-486f-a7cb-23349ff07859",
	"created_at": "2026-04-06T00:06:53.407372Z",
	"updated_at": "2026-04-10T03:35:13.812469Z",
	"deleted_at": null,
	"sha1_hash": "e8b2fbb2989d6ee6f9d81d658d78416bb35ad45b",
	"title": "Storm-1811 exploits RMM tools to drop Black Basta ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44925,
	"plain_text": "Storm-1811 exploits RMM tools to drop Black Basta ransomware\r\nBy susannah.matt@redcanary.com\r\nArchived: 2026-04-05 13:53:41 UTC\r\nRed Canary has detected likely Storm-1811 activity in multiple customers in the past few weeks. Storm-1811 is\r\nMicrosoft’s name for a financially motivated threat actor that uses social engineering to impersonate help desk\r\nemployees or other IT admins to gain initial access to environments via remote monitoring and management\r\n(RMM) tools—in this case Microsoft Quick Assist—on victim endpoints. Without prompt response, this activity\r\ncan lead to Black Basta ransomware in your environment.\r\n \r\nStorm-1811’s attack path\r\nConsistent with the Storm-1811 activity we reported in our June 2024 Intelligence Insights, the recently observed\r\nactivity began with email bombing to flood a victim’s inbox with spam, followed by the adversary, posing as an IT\r\nadmin offering to help with the email problem, contacting the user via phone or a link to join a Microsoft Teams\r\ncall. Once in contact, the adversary guided the user into running Microsoft Quick Assist or downloading and\r\nrunning AnyDesk or TeamViewer to provide remote access. 
The attack continued with reconnaissance, lateral\r\nmovement, and the establishment of an SSH tunnel backdoor.\r\nhttps://redcanary.com/blog/threat-intelligence/storm-1811-black-basta/\r\nPage 1 of 2\n\nTake action\r\nWe recommend taking the following precautions to prevent this activity from reaching your environment.\r\nEnhance endpoint visibility\r\nDeploy detection and response sensors across systems\r\nUnmonitored endpoints = attacker playground; visibility limits adversary freedom\r\nMonitor RMM tools\r\nMaintain an approved tools list and monitor or deny unauthorized RMM tools\r\nLegitimate tools can be exploited—know what’s in your environment\r\nSecure Microsoft Teams usage\r\nDisable external access by default\r\nAllowlist trusted partner domains\r\nLimit file-sharing capabilities to reduce risks from unauthorized tools\r\nYou can find more information on Black Basta ransomware in CISA’s recent #StopRansomware advisory.\r\nSource: https://redcanary.com/blog/threat-intelligence/storm-1811-black-basta/\r\nhttps://redcanary.com/blog/threat-intelligence/storm-1811-black-basta/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://redcanary.com/blog/threat-intelligence/storm-1811-black-basta/"
	],
	"report_names": [
		"storm-1811-black-basta"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "908cf62e-45cd-492b-bf12-d0902e12fece",
			"created_at": "2024-08-20T02:00:04.543947Z",
			"updated_at": "2026-04-10T02:00:03.68848Z",
			"deleted_at": null,
			"main_name": "UNC4393",
			"aliases": [
				"Storm-1811",
				"CURLY SPIDER",
				"STAC5777"
			],
			"source_name": "MISPGALAXY:UNC4393",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6bc98fce-5e1c-46d8-9d1a-64b5cb5febc3",
			"created_at": "2025-04-23T02:00:55.20526Z",
			"updated_at": "2026-04-10T02:00:05.307504Z",
			"deleted_at": null,
			"main_name": "Storm-1811",
			"aliases": [
				"Storm-1811"
			],
			"source_name": "MITRE:Storm-1811",
			"tools": [
				"Black Basta",
				"Cobalt Strike",
				"Quick Assist",
				"BITSAdmin",
				"PsExec",
				"Impacket",
				"QakBot"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434013,
	"ts_updated_at": 1775792113,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e8b2fbb2989d6ee6f9d81d658d78416bb35ad45b.pdf",
		"text": "https://archive.orkl.eu/e8b2fbb2989d6ee6f9d81d658d78416bb35ad45b.txt",
		"img": "https://archive.orkl.eu/e8b2fbb2989d6ee6f9d81d658d78416bb35ad45b.jpg"
	}
}
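The "Monitor RMM tools" recommendation in the archived text is the one a responder most wants to see as detection logic, and the SSH tunnel backdoor step is the follow-on it is meant to catch early. The Python below is an added example appended after the record above; it is not Red Canary's code and not part of the archived report. It runs three rules over a constructed, pipe-separated process-start log (timestamp|host|user|parent image|image path|command line): it flags launches of the remote-access tools the report names (Quick Assist, AnyDesk, TeamViewer) whose executable is not on an approved list, flags any of those binaries running from a user-writable directory, and flags ssh invocations that request a reverse (-R) or dynamic (-D) forward, walking ssh's short options the way getopt does so bundled flags such as -NR and the -o RemoteForward spelling are caught. The approved list, the executable file names, the log format and the sample events are all assumptions made for the example.

```python
"""Flag unapproved remote-access tools and SSH reverse-tunnel backdoors in
endpoint process-start telemetry. Added example, not Red Canary's code.
Event format (constructed): timestamp|host|user|parent image|image path|command line
"""
import re
from collections import namedtuple

# Image names of the remote-access tools the report names. The file names
# are assumptions about vendor packaging; verify against your deployments.
RMM_TOOLS = {"quickassist.exe", "anydesk.exe", "teamviewer.exe"}

# Approved-tools list for this hypothetical environment; any RMM launch not on it is reported.
APPROVED_RMM = {"teamviewer.exe"}

# An RMM binary running from a directory the user can write to was fetched
# ad hoc (for instance during the fake help-desk call) rather than deployed by IT.
USER_WRITABLE = re.compile(r"\\(?:downloads|temp)\\", re.IGNORECASE)

# OpenSSH short options that take a value (see ssh(1)); needed to walk
# bundled flags such as -NR the way getopt does.
SSH_OPTS_WITH_ARG = set("bcDEeFIiJLlmOopQRSWw")
TUNNEL_OPTS = {"R", "D"}                                # -R remote forward, -D SOCKS proxy
TUNNEL_KEYWORDS = {"remoteforward", "dynamicforward"}   # the -o spellings of the same

ProcessEvent = namedtuple("ProcessEvent", "ts host user parent image cmdline")
Finding = namedtuple("Finding", "ts host user rule detail")

def parse_event(line: str) -> ProcessEvent:
    """Split a telemetry line into six fields; the command line may itself
    contain '|', so split at most five times."""
    parts = line.rstrip("\r\n").split("|", 5)
    if len(parts) != 6:
        raise ValueError(f"malformed event: {line!r}")
    return ProcessEvent(*parts)

def image_name(path: str) -> str:
    """Lower-cased file name, whichever path separator the source used."""
    return re.split(r"[\\/]", path)[-1].lower()

def ssh_opens_tunnel(cmdline: str) -> bool:
    """True if an ssh command line requests -R/-D (or -o RemoteForward /
    DynamicForward). Scanning stops at the destination argument, so options
    that belong to the remote command are ignored."""
    toks = cmdline.split()[1:]
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok == "--" or not tok.startswith("-"):
            break
        for j, opt in enumerate(tok[1:], start=1):
            if opt in TUNNEL_OPTS:
                return True
            if opt in SSH_OPTS_WITH_ARG:
                attached = tok[j + 1:]
                value = attached or (toks[i + 1] if i + 1 < len(toks) else "")
                if opt == "o" and value.split("=", 1)[0].lower() in TUNNEL_KEYWORDS:
                    return True
                if not attached:
                    i += 1          # the option's value consumed the next token
                break
        i += 1
    return False

def evaluate(ev: ProcessEvent) -> list:
    """Apply the RMM and tunnel rules to a single event."""
    out = []
    name = image_name(ev.image)
    if name in RMM_TOOLS:
        if name not in APPROVED_RMM:
            out.append(Finding(ev.ts, ev.host, ev.user, "unapproved_rmm",
                               f"{name} started by {ev.parent}; not on approved list"))
        if USER_WRITABLE.search(ev.image):
            out.append(Finding(ev.ts, ev.host, ev.user, "rmm_from_user_dir",
                               f"{name} running from user-writable path {ev.image}"))
    if name in {"ssh.exe", "ssh"} and ssh_opens_tunnel(ev.cmdline):
        out.append(Finding(ev.ts, ev.host, ev.user, "ssh_reverse_tunnel",
                           f"tunnel opened: {ev.cmdline}"))
    return out

def scan(lines) -> list:
    """Run every rule over an iterable of telemetry lines, skipping blanks."""
    return [f for line in lines if line.strip() for f in evaluate(parse_event(line))]

# Constructed sample telemetry: the user on WS-014 runs Quick Assist and a
# downloaded AnyDesk during the call, then an outbound SSH reverse tunnel
# exposes RDP; WS-022 shows approved, benign activity that must stay quiet.
SAMPLE_EVENTS = r"""
2026-04-01T13:02:11Z|WS-014|CORP\jdoe|explorer.exe|C:\Program Files\WindowsApps\QuickAssist.exe|QuickAssist.exe
2026-04-01T13:04:40Z|WS-014|CORP\jdoe|msedge.exe|C:\Users\jdoe\Downloads\AnyDesk.exe|AnyDesk.exe
2026-04-01T13:30:05Z|WS-022|CORP\itops|explorer.exe|C:\Program Files\TeamViewer\TeamViewer.exe|TeamViewer.exe
2026-04-01T14:12:58Z|WS-014|CORP\jdoe|cmd.exe|C:\Windows\System32\OpenSSH\ssh.exe|ssh.exe -N -R 10022:127.0.0.1:3389 tunnel@203.0.113.7
2026-04-01T14:13:20Z|WS-022|CORP\itops|powershell.exe|C:\Windows\System32\OpenSSH\ssh.exe|ssh.exe admin@fileserver01
""".strip().splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.ts} {f.host} {f.user} [{f.rule}] {f.detail}")
```

Feed it the process-start events your EDR exports after mapping the fields; the rules are deliberately simple so that the approved list, not path matching, decides what is reported, which is the point of keeping such a list. A TeamViewer launch from Program Files stays silent while the same binary from Downloads is still reported, and an ordinary interactive ssh session does not trip the tunnel rule.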