Gone But Not Forgotten: Black Basta's Enduring Legacy
ID: ecf9d2d3-d253-5539-adef-c25f88bd32be
STIX ID: report--ecf9d2d3-d253-5539-adef-c25f88bd32be
Feed Name: ReliaQuest Blog
This report analyzes leaked internal chats from the Black Basta RaaS group, describing its organizational structure, core TTPs (mass email and Microsoft Teams phishing, fake VPN pages, brute-force access, and use of loaders like IcedID, QakBot and Pikabot), and how former members are likely reusing those methods in successor groups (e.g., Cactus, Blacklock). It highlights an evolution toward Python-based payload delivery and AiTM/Gmail session cookie theft, provides IOCs (notably onmicrosoft.com phishing sender patterns and C2 IP 161.35.60.146), and offers defensive guidance emphasizing user education, monitoring for unauthorized Python/script activity, and detection/playbook recommendations.
