Black Basta: Defense Evasion Capability Embedded in Ransomware Payload
ID: f178c25c-79d1-5513-b1ff-8bd852e14b5b
STIX ID: report--f178c25c-79d1-5513-b1ff-8bd852e14b5b
Feed Name: security.com
This intelligence brief from the security.com feed describes a Black Basta (Cardinal) ransomware campaign that, unusually, embedded a vulnerable NsecSoft NSecKrnl kernel driver (CVE-2025-68947) directly inside the ransomware payload and used it to terminate security and EDR processes, a bring-your-own-vulnerable-driver (BYOVD) technique. Encrypted files are given the ".locked" extension. The report also notes a suspicious side-loaded loader observed before the ransomware, the presence of the GotoHTTP remote access tool after deployment, and provides hashes and other IOCs for the ransomware, driver, loader and webshell.
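As an added illustration of how a defender might hunt for the behaviours summarised above (this is example code written for this page, not code from the brief or from Symantec), the following Python applies three checks to constructed Sysmon-style events: a kernel driver load whose signer matches an assumed vendor string or that comes from outside the normal drivers directory, a burst of files created with the ".locked" extension by a single process, and a process image matching an assumed GotoHTTP file name. The vendor string, process and file paths, hashes and the bulk threshold are assumptions for the example, not IOCs from the report.

```python
"""Added hunt example: flag the behaviours described in the brief over Sysmon-style events.
Sample events are constructed; watchlist strings and paths are assumptions, not the brief's IOCs.
Field names follow Sysmon event data (ImageLoaded, Signature, Hashes, TargetFilename, Image).
"""
from collections import defaultdict

# Sysmon event IDs (real): 1 = process create, 6 = driver loaded, 11 = file create.
EV_PROC_CREATE, EV_DRIVER_LOAD, EV_FILE_CREATE = 1, 6, 11

# ASSUMPTION: substrings expected in the abused driver's signer field and in the RAT's image name.
DRIVER_SIGNER_WATCH = ("nsecsoft",)
RAT_IMAGE_WATCH = ("gotohttp",)
RANSOM_EXT = ".locked"             # extension stated in the brief
BULK_THRESHOLD = 20                # assumed: .locked creates by one process before we call it encryption
NORMAL_DRIVER_DIR = r"c:\windows\system32\drivers"


def hunt(events):
    """Return a list of (rule, subject, detail) findings for the given Sysmon-style events."""
    findings = []
    locked_by_proc = defaultdict(int)
    for ev in events:
        eid = ev["EventID"]
        if eid == EV_DRIVER_LOAD:
            img = ev.get("ImageLoaded", "")
            sig = ev.get("Signature", "").lower()
            if any(w in sig for w in DRIVER_SIGNER_WATCH):
                findings.append(("byovd_driver_load", img, ev.get("Hashes", "")))
            elif not img.lower().startswith(NORMAL_DRIVER_DIR):
                # A driver loaded from outside the drivers directory is how a BYOVD payload
                # typically stages its driver; worth a look even if the signer is not watchlisted.
                findings.append(("driver_from_unusual_path", img, ev.get("Hashes", "")))
        elif eid == EV_FILE_CREATE:
            if ev.get("TargetFilename", "").lower().endswith(RANSOM_EXT):
                locked_by_proc[ev.get("Image", "")] += 1
        elif eid == EV_PROC_CREATE:
            img = ev.get("Image", "")
            if any(w in img.lower() for w in RAT_IMAGE_WATCH):
                findings.append(("rat_process", img, ev.get("CommandLine", "")))
    # Emit one finding per process that produced a bulk of .locked files.
    for proc, n in locked_by_proc.items():
        if n >= BULK_THRESHOLD:
            findings.append(("bulk_locked_rename", proc, str(n)))
    return findings


def sample_events():
    """Constructed events: one benign driver load, one watchlisted driver staged in a public
    directory, a mass of .locked creates from one process, a few from another, and a RAT launch."""
    ev = [
        {"EventID": EV_DRIVER_LOAD, "ImageLoaded": r"C:\Windows\System32\drivers\disk.sys",
         "Signature": "Microsoft Windows", "Hashes": "SHA256=<benign>"},
        {"EventID": EV_DRIVER_LOAD, "ImageLoaded": r"C:\Users\Public\drv.sys",        # assumed staging path
         "Signature": "NsecSoft", "Hashes": "SHA256=<assumed-driver-hash>"},           # assumed signer string
        {"EventID": EV_PROC_CREATE, "Image": r"C:\ProgramData\GotoHTTP\gotohttp.exe",  # assumed path
         "CommandLine": "gotohttp.exe"},
    ]
    for i in range(25):   # 25 >= BULK_THRESHOLD: flagged
        ev.append({"EventID": EV_FILE_CREATE, "Image": r"C:\Users\Public\payload.exe",
                   "TargetFilename": rf"C:\Users\alice\Documents\report{i}.docx.locked"})
    for i in range(3):    # 3 < BULK_THRESHOLD: not flagged
        ev.append({"EventID": EV_FILE_CREATE, "Image": r"C:\Windows\explorer.exe",
                   "TargetFilename": rf"C:\Users\alice\Desktop\note{i}.txt.locked"})
    return ev


if __name__ == "__main__":
    for rule, subject, detail in hunt(sample_events()):
        print(f"{rule:24} {subject}  {detail}")
```

On real telemetry, replace the assumed signer and image strings with the hashes and file names from the feed, and feed `hunt()` the parsed Sysmon event data rather than the constructed list. The driver-path check intentionally fires on any driver loaded from outside the drivers directory, so expect some legitimate installers to appear there; the signer match and the bulk-rename rule are the higher-confidence signals.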
