New Black Basta Social Engineering Scheme
ID: a2b0d387-d552-5316-aeba-e80dbb6d9acb
STIX ID: report--a2b0d387-d552-5316-aeba-e80dbb6d9acb
Feed Name: ReliaQuest Blog
ReliaQuest observed an active Black Basta campaign (May 2024) that floods targeted users with newsletter and mailing-list signups, then phones them (vishing) while posing as IT support to convince them to grant remote access via Quick Assist or AnyDesk. The attackers deliver an archive (s.zip) containing evolving batch scripts and DLLs that establish persistence via registry Run keys, contact C2 IPs, harvest credentials, and stage additional tools. Multiple newly registered domains (e.g., upd9a.com, upd10a.com) and IOCs were identified, and defenders are advised to block new domains, restrict RMM software, and increase user awareness.
