{
	"id": "10a20f92-2546-4dbd-a0b2-4c2f304ffa3b",
	"created_at": "2026-04-06T00:14:46.121395Z",
	"updated_at": "2026-04-10T03:21:31.360147Z",
	"deleted_at": null,
	"sha1_hash": "faf6dcf1cd6cd82f5d9cde2214eb5a55981f74f7",
	"title": "Inside BRUTED: Black Basta (RaaS) Members Used Automated Brute Forcing Framework to Target Edge Network Devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2683714,
	"plain_text": "Inside BRUTED: Black Basta (RaaS) Members Used Automated\r\nBrute Forcing Framework to Target Edge Network Devices\r\nArchived: 2026-04-05 17:26:56 UTC\r\nExecutive Summary\r\nOn February 11, 2025, a Russian speaking actor using the Telegram handle @ExploitWhispers [1], leaked internal\r\nchat logs of Black Basta Ransomware-as-a-Service (RaaS) members [2]. These communications, spanning from\r\nSeptember 2023 to September 2024, provide an insider look on the group's operational tactics.\r\nFigure 1 - Black Basta key members inside EclecticIQ TIP graph view.\r\nEclecticIQ analysts examined these logs and identified a previously unknown brute forcing framework that Black\r\nBasta RaaS members have used since 2023. According to source code analysis, main capability of this framework\r\n´s main capability is to perform automated internet scanning and credential stuffing against edge network devices,\r\nincluding widely used firewalls and VPN solutions in corporate networks. Analysts named this offensive\r\nframework BRUTED based on its log naming conventions.\r\nEclecticIQ analysts assess that Black Basta targets edge network devices [3] for credential-stuffing attacks,\r\nexploiting weak or reused credentials to gain an initial foothold for lateral movement, and ransomware\r\ndeployment. BRUTED framework enables Black Basta affiliates to automate and scale these attacks, expanding\r\ntheir victim pool for and accelerating monetization to drive ransomware operations.\r\nhttps://blog.eclecticiq.com/inside-bruted-black-basta-raas-members-used-automated-brute-forcing-framework-to-target-edge-network-devices\r\nPage 1 of 19\n\nBlack Basta’s Ransomware Strategy: Targeting High-Impact Industries\r\nBlack Basta, a ransomware-as-a-service (RaaS) group, emerged in April 2022 and quickly established itself as a\r\nfinancially motivated cybercrime operation. 
The group uses double extortion tactics, encrypting victims' data\r\nwhile threatening to publish sensitive information if they refuse to pay the ransom. EclecticIQ analysts assess that\r\nBlack Basta highly likely prioritizes the Business Services sector due to its critical role in supporting multiple\r\nindustries, amplifying operational disruptions. The group likely targets Industrial Machinery and Manufacturing\r\nsectors to exploit supply chain dependencies, increasing the pressure on victims to pay ransoms. This trend\r\nsuggests a strategic focus on high-value targets where downtime has a significant financial and operational\r\nimpact.\r\nFigure 2 illustrates the number of incidents targeting different industry sectors. It highlights Business\r\nServices (33 incidents) as the most targeted sector, followed by Industrial Machinery (14) and Manufacturing (6).\r\nFigure 2 - Victimology Analysis per Industry in EclecticIQ TIP.\r\nInternal Black Basta Communication Leak and ExploitWhispers’ Motivations\r\nLeaked internal chat logs from the Black Basta ransomware gang exposed critical operational details, internal\r\npower struggles, and key member roles. EclecticIQ analysts assess with medium confidence that this leak has\r\nlikely disrupted Black Basta’s infrastructure and operations, prompting some members to defect to rival\r\nransomware groups.\r\nEclecticIQ analysts assess with moderate confidence that Black Basta’s long-term viability remains uncertain. The\r\nexposure of their infrastructure and operational details will likely hinder their short-term recovery. 
However,\r\nformer members will likely reintegrate into other ransomware-as-a-service (RaaS) ecosystems, ensuring their\r\ncontinued presence within the cybercriminal landscape.\r\nOn February 11, 2025, a Telegram user known as @ExploitWhispers published the gang’s internal\r\ncommunications, stating the leak was a direct response to Black Basta’s alleged breaches of multiple Russian\r\nfinancial institutions. Alongside the chat records, @ExploitWhispers disclosed key members of Black Basta,\r\ndetailing their roles and connections to the reported bank intrusions.\r\nFigure 3 - Telegram channel created by ExploitWhispers.\r\nThe leaked conversations, originally exchanged over the Matrix protocol, provide valuable insight into Black\r\nBasta’s internal structure, attack methodologies, and financial disputes. In one exchange, a member identified as\r\n\"bio\" discusses their brief detention and subsequent release by Russian authorities with @GG, whom\r\n@ExploitWhispers identified as the group’s leader. EclecticIQ analysts assess with moderate confidence that the\r\nexposure of internal discussions increases the likelihood of future law enforcement intervention.\r\nThis leak mirrors past ransomware group exposures, such as the Conti chat leaks, and provides security\r\nprofessionals and law enforcement with valuable intelligence on Black Basta’s tactics, techniques, and procedures\r\n(TTPs).\r\nBlack Basta’s Brute-Force Infrastructure: Key Servers and Leadership Insights\r\nfrom Leaked Chats\r\nEclecticIQ analysts uncovered a previously unknown brute-forcing infrastructure utilized by Black Basta\r\nmembers. 
In the messages, a threat actor using the alias @lapa mentioned that the IPs 45.140.17[.]40,\r\n45.140.17[.]24 and 45.140.17[.]23 were the \"main servers for brute-force\", indicating their role in credential-based\r\nattacks.\r\nFigure 4 - Conversation between @lapa and @GG about BRUTED Infrastructure.\r\nThe logs reveal that these servers experienced downtime due to unpaid fees, but were later renewed by the user\r\n@GG for an additional three months to sustain operations. According to @ExploitWhispers, @GG is Black\r\nBasta’s leader, previously known as tramp, a moniker also used by a former affiliate of the Conti Ransomware-as-a-Service (RaaS) group.\r\nAll three servers were registered under Proton66 (AS 198953) and are located in Russia, likely for operational\r\nsecurity (OPSEC) purposes. This strategic choice was very likely intended to evade Western law enforcement\r\nscrutiny while conducting malicious cyber activities within Russian territory.\r\nFigure 5 - BRUTED Infrastructure registered under the same ASN.\r\nExposing 'BRUTED' Framework: Mass Internet Scanning and Brute-Forcing\r\nAttacks Against Edge Network Devices\r\nEclecticIQ analysts accessed these publicly exposed servers and retrieved the source code of the brute-forcing\r\nframework. 
Analysts named it ‘BRUTED’ based on the naming convention found in result logs following\r\nsuccessful brute-force operations.\r\nFigure 6 - Source code of the BRUTED framework showing the version and main C2 servers used for communication.\r\nThe BRUTED framework targets various remote-access and VPN solutions. It supports multiple vendors and\r\ntechnologies, including SonicWall NetExtender, Palo Alto GlobalProtect, Cisco AnyConnect, Fortinet SSL VPN,\r\nCitrix NetScaler (Citrix Gateway), Microsoft RDWeb, and WatchGuard SSL VPN, to gain initial access to victim\r\nnetworks.\r\nFigure 7 - Palo Alto GlobalProtect appliances targeted by BRUTED.\r\nWritten in PHP, BRUTED enumerates a ti parameter (0 through 6). The script applies specialized brute-force logic\r\nfor each platform, using tailored user-agent strings, endpoint paths, and success checks. This broad coverage of\r\nVPN and remote-desktop products reflects a highly adaptable approach, enabling attackers to systematically probe\r\nfor weak or reused credentials across multiple enterprise environments.\r\nThe table below explains how each solution is targeted. Among them, Microsoft RDWeb [4] is a web-based\r\ninterface that allows users to access Remote Desktop Services (RDS) applications and virtual desktops over the\r\ninternet via a browser. 
While it serves as a gateway for remote access, it does not function as a network edge\r\ndevice:\r\nFigure 8 - List of all targeted edge network devices and the remote access software RDWeb.\r\nAccording to source code analysis, BRUTED automates the following:\r\nProxy Rotation: Uses a large list of SOCKS5 proxies (all from the domain fuck-you-usa[.]com) to hide the\r\nattacker's server IP while performing a high volume of brute-forcing requests.\r\nFigure 9 - List of proxy servers inside the BRUTED source code.\r\nScanning the internet: Automates subdomain enumeration and IP resolution for a given domain,\r\neffectively “scanning the internet” for potentially valid hostnames and IP addresses. It queries subdomains\r\nby prepending a series of known or likely prefixes (e.g., vpn, remote, mail, etc.) to a base domain, then\r\nresolves each resulting name to IP addresses. 
Finally, it reports any discovered hosts back to a remote\r\ncommand-and-control (C2) endpoint.\r\nFigure 10 - Internet scanning function inside BRUTED searching for specific domain prefixes.\r\nCredential Generation \u0026 Retrieval: Gathers password candidates from a remote server, combines them\r\nwith locally generated guesses, and performs bulk authentication attempts.\r\nDistributed/Parallel Execution: Spawns multiple processes (via shell_exec) to scale brute-force attempts\r\ndepending on the number of CPU cores.\r\nReporting \u0026 Logging: Sends progress and potentially successful credentials back to a command-and-control (C2) server (e.g., via /get-items.php, /done-check.php).\r\nFigure 11 - Report and logging system in BRUTED.\r\nTarget-Specific Tactics: BRUTED adapts its attack strategy based on the target system (Citrix, Cisco,\r\nSonicWall, Fortinet, RDWeb, GlobalProtect, or WatchGuard). 
It crafts appropriate HTTP(S) requests, user-agent strings, and POST data to mimic real VPN or RDP clients.\r\nDomain \u0026 Certificate-Based Password Generation: Extracts common names (CN) and Subject\r\nAlternative Names (SAN) from a target’s SSL certificate (via getCertDomainsList()) to generate additional\r\npassword guesses.\r\nFigure 12 - Password pair generation using the victim's SSL certificate.\r\nExample result from a brute-forcing attack:\r\nFigure 13 - Example of the result output from a brute-force attack.\r\nAnalysts observed multiple forgotten source code comments that referenced another server (2.57.149[.]237),\r\nwhich Black Basta members very likely used in a previous version of the BRUTED tooling.\r\nFigure 14 - Comment inside the BRUTED source code containing a forgotten IP address.\r\nThe same infrastructure appeared in a conversation between RaaS affiliate @lapa and Black Basta’s alleged leader\r\n@GG. In their exchange, they confirmed that the servers 2.57.149[.]237 and 2.57.149[.]231 were used for brute-forcing.\r\nFigure 15 - Chat messages between @GG and @Lapa about BRUTED Infrastructure.\r\nInternal communications reveal that Black Basta has heavily invested in the BRUTED framework, enabling rapid\r\ninternet scans for edge network appliances and large-scale credential stuffing to target weak passwords. Successful\r\ncompromises grant high-privileged access and extensive visibility into victim networks, potentially amplifying the\r\nimpact of ransomware attacks. By systematically testing, developing, and maintaining the BRUTED framework\r\nacross multiple infrastructures, the group speeds up mass target discovery and infiltration. 
Black Basta affiliates\r\nleverage their elevated privileges and network-wide view of compromised edge network devices to maximize\r\ndisruption, ultimately strengthening Black Basta’s bargaining position and heightening the threat they pose to\r\norganizations.\r\nHigh Tempo Exploitation Against Edge Network Devices for Initial Compromise\r\nEdge network devices act as entry points to an organization’s internal network, making them a key component of\r\nnetwork security. These devices include routers, virtual private networks (VPNs), wide-area networks (WANs),\r\nfirewalls, and integrated access devices (IADs), all of which are typically exposed to the internet. This exposure\r\nmakes them prime targets for threat actors, including groups like Black Basta.\r\nLeaked chat messages from Black Basta RaaS members reveal that the group exploits known vulnerabilities in\r\nVPN and firewall appliances for initial access. Figure 16 lists the vulnerabilities leveraged by Black Basta\r\nransomware operators:\r\nFigure 16 - Vulnerabilities exploited by Black Basta members to target edge network devices, inside the EclecticIQ\r\ngraph view.\r\nMonitoring edge devices presents a significant challenge, as they often lack support for Endpoint Detection and\r\nResponse (EDR) solutions or other security mechanisms that can detect modifications, collect forensic images, or\r\nprovide real-time telemetry. Unlike traditional endpoints or servers, edge devices mostly have limited logging\r\ncapabilities, making it difficult to track intrusions or attribute attacks. 
These limitations not only reduce the\r\nlikelihood of early detection but also complicate forensic investigations and incident response efforts, ultimately\r\nincreasing an organization's risk of exposure to adversaries.\r\nFrom Edge Network Devices to Network-Wide Ransomware Execution\r\nEclecticIQ analysts assess with high confidence that Black Basta almost certainly prioritizes exploiting edge\r\nnetwork devices, such as VPNs and firewalls, to gain initial access while bypassing traditional security controls.\r\nThese devices mostly lack endpoint detection and response (EDR) capabilities, making them a highly attractive\r\nentry point. Once inside, Black Basta targets ESXi hypervisors, which host critical virtualized environments.\r\nGaining full administrative control over ESXi very likely allows threat actors to encrypt the file system, disrupt\r\nvirtual machines (VMs), and cripple business operations, increasing pressure for ransom payment. Compromising\r\nESXi also enables data exfiltration, lateral movement, and deeper network infiltration, maximizing operational\r\nimpact. By combining edge device exploitation with ESXi ransomware deployment, Black Basta ensures\r\npersistent access, widespread disruption, and stronger ransom negotiation leverage.\r\nBlack Basta follows a structured attack chain, beginning with the compromise of edge network devices through\r\nbrute-force attacks, stolen credentials, and known vulnerabilities. 
The group then deploys post-exploitation\r\nframeworks like Cobalt Strike or Brute Ratel to establish stealthy command-and-control (C2) channels and enable\r\nlateral movement.\r\nFigure 17 - Exploitation attack flow against edge network devices.\r\nAfter gaining a foothold, attackers enumerate Active Directory, dump credentials, and execute remote commands\r\nusing tools like PsExec, WMI, and RDP hijacking. They maintain persistence and leverage SOCKS5 proxies for\r\nOPSEC. Ransomware deployment is automated through custom scripts and VBS-based droppers, often abusing\r\nrundll32.exe and malicious DLLs to evade detection.\r\nFinally, ransomware payloads encrypt network shares, virtualized environments (e.g., VMware ESXi), and cloud\r\nstorage, rendering critical systems inoperable. This multi-layered attack strategy blends offensive security tools\r\nwith advanced evasion techniques, ensuring persistence, widespread impact, and increased pressure for ransom\r\npayment.\r\nPrevention Methodologies\r\nSince Black Basta primarily targets firewalls, VPNs, and other edge network appliances, securing these devices is\r\ncritical:\r\nEnsure Up-to-Date Firmware \u0026 Patch Management\r\nApply security patches for firewalls, VPNs, and remote access solutions immediately to mitigate known\r\nvulnerabilities.\r\nRegularly monitor CISA’s Known Exploited Vulnerabilities (KEV) catalog and vendor advisories for\r\nemerging threats.\r\nStrengthen Password/Login Policies\r\nEnforce strong, unique passwords for all edge devices and VPN accounts.\r\nImplement password complexity requirements to prevent brute-force and credential-stuffing attacks.\r\nMandate regular password rotation, especially for privileged accounts.\r\nImplement geo-blocking to prevent access from unauthorized regions.\r\nDisable Unnecessary Services 
\u0026 Features\r\nTurn off unnecessary remote management services such as Telnet, FTP, or outdated SNMP versions.\r\nDisable default accounts that are not needed.\r\nUse role-based access control (RBAC) to limit administrative privileges.\r\nThe BRUTED framework extracts SSL certificate details (such as Common Name (CN) and Subject Alternative\r\nNames (SAN)) from edge network devices to generate password pairs for brute-force attacks or to identify the exact\r\nvictim company on the internet. This method allows attackers to craft targeted credential-stuffing attempts using\r\norganization-specific naming conventions. To mitigate this threat, organizations should implement the following\r\npreventive measures:\r\nAvoid using company names, domains, or predictable words in SSL certificate fields.\r\nUse generic, non-descriptive values for Common Name (CN) and Subject Alternative Names (SAN)\r\ninstead of exposing internal service names.\r\nExample: Instead of vpn.companyname.com, use randomized subdomains like access-secure-324.com.\r\nMITRE ATT\u0026CK TTPs\r\nT1110.004 - Brute Force: Credential Stuffing\r\nT1110.002 - Brute Force: Password Cracking\r\nT1190 - Exploit Public-Facing Application\r\nT1133 - External Remote Services\r\nT1021.001 - Remote Services: Remote Desktop Protocol (RDP)\r\nT1021.004 - Remote Services: SSH\r\nT1566.001 - Phishing: Spearphishing Attachment\r\nT1204.002 - User Execution: Malicious File\r\nT1078 - Valid Accounts\r\nT1078.002 - Valid Accounts: Domain Accounts\r\nT1078.003 - Valid Accounts: Local Accounts\r\nT1068 - Exploitation for Privilege Escalation\r\nT1486 - Data Encrypted for Impact\r\nT1489 - Service Stop\r\nT1003 - OS 
Credential Dumping\r\nT1003.001 - OS Credential Dumping: LSASS Memory\r\nT1003.002 - OS Credential Dumping: Security Account Manager (SAM)\r\nT1003.003 - OS Credential Dumping: NTDS\r\nT1036 - Masquerading\r\nT1036.005 - Masquerading: Match Legitimate Name or Location\r\nT1572 - Protocol Tunneling\r\nT1071.001 - Application Layer Protocol: Web Protocols\r\nT1071.004 - Application Layer Protocol: DNS\r\nT1090.002 - Proxy: External Proxy\r\nT1090.003 - Proxy: Multi-hop Proxy\r\nT1568.002 - Dynamic Resolution: Domain Generation Algorithms\r\nT1573.002 - Encrypted Channel: Asymmetric Cryptography\r\nT1095 - Non-Application Layer Protocol\r\nT1105 - Ingress Tool Transfer\r\nT1071.003 - Application Layer Protocol: Mail Protocols\r\nT1059 - Command and Scripting Interpreter\r\nT1059.001 - Command and Scripting Interpreter: PowerShell\r\nT1059.003 - Command and Scripting Interpreter: Windows Command Shell\r\nT1059.004 - Command and Scripting Interpreter: Unix Shell\r\nT1070.004 - Indicator Removal: File Deletion\r\nT1033 - System Owner/User Discovery\r\nT1087 - Account Discovery\r\nT1087.001 - Account Discovery: Local Account\r\nT1087.002 - Account Discovery: Domain Account\r\nT1018 - Remote System Discovery\r\nT1083 - File and Directory Discovery\r\nT1135 - Network Share Discovery\r\nT1518.001 - Software Discovery: Security Software Discovery\r\nT1217 - Browser Information Discovery\r\nT1201 - Password Policy Discovery\r\nT1046 - Network Service Scanning\r\nT1049 - System Network Connections Discovery\r\nT1016 - System Network Configuration Discovery\r\nT1482 - Domain Trust Discovery\r\nT1590.002 - Gather Victim Network Information: DNS\r\nT1595.002 - Active 
Scanning: Vulnerability Scanning\r\nT1595.003 - Active Scanning: Wordlist Scanning\r\nT1210 - Exploitation of Remote Services\r\nT1078.004 - Valid Accounts: Cloud Accounts\r\nT1567.002 - Exfiltration Over Web\r\nT1048 - Exfiltration Over Alternative Protocol\r\nT1048.003 - Exfiltration Over Protocol: SCP/FTP\r\nT1562.001 - Impair Defenses: Disable or Modify Tools\r\nT1562.009 - Impair Defenses: Safe Mode Boot\r\nT1562.006 - Impair Defenses: Indicator Blocking\r\nT1490 - Inhibit System Recovery\r\nT1219 - Remote Access Software\r\nT1543.003 - Create or Modify System Process: Windows Service\r\nT1543.002 - Create or Modify System Process: Systemd Service\r\nT1547.001 - Boot or Logon Autostart Execution: Registry Run Keys\r\nT1547.009 - Boot or Logon Autostart Execution: Shortcut Modification\r\nReference:\r\n[1] “Telegram: Contact @ExploitWhispers.” Accessed: Feb. 27, 2025. [Online]. Available: https://t.me/ExploitWhispers\r\n[2] T. H. News, “Leaked Black Basta Ransomware Chat Logs Reveal Inner Workings and Internal Conflicts,” The Hacker News. Accessed: Feb. 27, 2025. [Online]. Available: https://thehackernews.com/2025/02/leaked-black-basta-chat-logs-reveal.html\r\n[3] “Security considerations for edge devices | Cyber.gov.au.” Accessed: Feb. 27, 2025. [Online]. Available: https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/network-hardening/securing-edge-devices/security-considerations-edge-devices\r\n[4] “What is Microsoft Remote Desktop Web Access (Microsoft RD Web Access)? | Definition from TechTarget,” SearchWindows Server. Accessed: Feb. 27, 2025. [Online]. Available: https://www.techtarget.com/searchwindowsserver/definition/Microsoft-Remote-Desktop-Web-Access-Microsoft-RD-Web-Access\r\nSource: https://blog.eclecticiq.com/inside-bruted-black-basta-raas-members-used-automated-brute-forcing-framework-to-target-edge-network-devices",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.eclecticiq.com/inside-bruted-black-basta-raas-members-used-automated-brute-forcing-framework-to-target-edge-network-devices"
	],
	"report_names": [
		"inside-bruted-black-basta-raas-members-used-automated-brute-forcing-framework-to-target-edge-network-devices"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434486,
	"ts_updated_at": 1775791291,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/faf6dcf1cd6cd82f5d9cde2214eb5a55981f74f7.pdf",
		"text": "https://archive.orkl.eu/faf6dcf1cd6cd82f5d9cde2214eb5a55981f74f7.txt",
		"img": "https://archive.orkl.eu/faf6dcf1cd6cd82f5d9cde2214eb5a55981f74f7.jpg"
	}
}