Former members of the notorious Black Basta ransomware operation have adopted new techniques while maintaining a foothold in the cybercriminal landscape. A recent report from ReliaQuest revealed that these attackers have introduced Python script execution alongside established methods like email bombing and Microsoft Teams phishing to gain persistent access to target networks.
The latest report indicates that attackers are using curl requests to fetch and deploy malicious payloads, a sign that their tactics are still evolving despite the significant setbacks suffered by the Black Basta brand. The public leak of internal chat logs earlier this year has led to a decline in the group’s activities, as noted in reports by CybelAngel.
Data from ReliaQuest shows that a substantial portion of Teams phishing attacks observed from February to May 2025 originated from onmicrosoft.com domains, with breached domains accounting for 42% of those attacks. Such tactics allow threat actors to blend in with legitimate traffic, making it more challenging for organizations to identify and thwart these malicious attempts.
Interestingly, despite the apparent decline of Black Basta operations, former affiliates are believed to have either migrated to another ransomware-as-a-service (RaaS) group such as CACTUS or formed a new entity entirely. This shifting landscape points to a troubling trend in which threat actors leverage sophisticated techniques to maximize their illicit activities, raising alarms among cybersecurity experts.