Black Basta-linked attacks target executives via Teams phishing


Suspected former Black Basta ransomware affiliates are ramping up targeting of senior-level executives with social-engineering attacks designed to deploy remote monitoring and management (RMM) software, ReliaQuest reported Tuesday.

Black Basta, a previously notorious Russia-linked ransomware-as-a-service (RaaS), became defunct last year following leaked chats exposing its infrastructure and techniques. However, attacks leveraging the group’s distinct tactics, techniques and procedures (TTPs) have continued into 2026, with ReliaQuest noting an accelerating volume and increased targeting of company leadership.

For example, Microsoft Teams-based phishing — a staple of Black Basta’s playbook — is becoming more prevalent, with 56% of all Teams phishing over the last year occurring within the last quarter, and nearly a third happening in March 2026 alone.

Additionally, ReliaQuest said attackers are saving themselves the effort of further lateral movement and privilege escalation by going after senior executives who already have the greatest access to company systems. In January and February 2026, 59% of these Black Basta-like attacks targeted senior-level staff; this figure has since risen to 77% in March 2026.

The most targeted sectors are manufacturing and professional, scientific, and technical services (PSTS), together making up more than a quarter of victims, consistent with Black Basta’s past victimology. Finance and insurance, construction and technology sectors are also heavily targeted.

Attacks, as seen with previous Black Basta infections, begin with “email bombing” followed by a Teams message from a supposed IT support staff member offering to resolve the disruptive email spam. Researchers believe attackers are increasingly automating this process, with Teams messages to different staff members being sent less than 30 seconds apart in the same campaign.

The attacker then convinces the targeted employee to install RMM software, namely Supremo Remote Desktop, which has been seen in a handful of past Black Basta attacks. Attackers have also been observed asking victims to give them control via Windows Quick Assist, which comes preinstalled on Windows 11 machines.

After gaining access through an RMM session, the attackers execute malicious scripts with file names designed to resemble email tools, such as “MailAccountWizard.jar.” ReliaQuest did not observe ransomware deployment in these incidents but says the activity is consistent with pre-ransomware staging seen in past attacks.

The researchers believe these attacks are carried out by former affiliates of the Black Basta ransomware gang, possibly in collaboration with another ransomware or threat group. While a copycat is possible, the strong similarities in social-engineering tactics, RMM use and targeting of manufacturing and PSTS sectors suggest attackers with a strong familiarity with Black Basta’s playbook, the researchers concluded.

As attacks on senior executives increase, ReliaQuest recommends organizations conduct targeted training for these employees, including simulations that mimic Teams phishing attacks seen in the wild. Employees should be trained to verify the identity of help desk staff through multiple channels, such as a phone number rather than just a Teams message or email, and companies should consider restricting the execution of RMM tools to allow-listed tools and authorized IT staff only.
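The sequence described in this article (external Teams messages sent to different staff less than 30 seconds apart, followed by an RMM tool launched by someone outside authorized IT staff) can be checked over chat and process logs. The Python below is an added example, not code from ReliaQuest or the original article; the event fields, sample data, process image names, the three-recipient threshold and the one-hour follow-on window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events; field names are hypothetical, not a real Teams or EDR schema.
TEAMS_MESSAGES = [
    {"time": "2026-03-10T14:02:05", "sender": "helpdesk@it-support.example", "external": True, "recipient": "ceo"},
    {"time": "2026-03-10T14:02:21", "sender": "helpdesk@it-support.example", "external": True, "recipient": "cfo"},
    {"time": "2026-03-10T14:02:40", "sender": "helpdesk@it-support.example", "external": True, "recipient": "coo"},
    {"time": "2026-03-10T15:30:00", "sender": "partner@vendor.example", "external": True, "recipient": "cfo"},
]
PROCESS_EVENTS = [
    {"time": "2026-03-10T14:09:12", "user": "cfo", "image": "Supremo.exe"},
    {"time": "2026-03-10T14:20:00", "user": "it-admin", "image": "QuickAssist.exe"},
    {"time": "2026-03-10T14:10:00", "user": "coo", "image": "OUTLOOK.EXE"},
]
RMM_IMAGES = {"supremo.exe", "quickassist.exe"}  # assumed image names for the tools named above
AUTHORIZED_RMM_USERS = {"it-admin"}              # assumed allow-list of IT staff

def find_teams_bursts(messages, max_gap=timedelta(seconds=30), min_recipients=3):
    """Return {sender: {recipient: first_contact}} for external senders whose messages,
    each under max_gap after the previous one, reach min_recipients distinct users."""
    by_sender = {}
    for m in messages:
        if m["external"]:
            by_sender.setdefault(m["sender"], []).append((datetime.fromisoformat(m["time"]), m["recipient"]))
    bursts = {}
    for sender, msgs in by_sender.items():
        run = []
        for ts, rcpt in sorted(msgs) + [(datetime.max, None)]:  # sentinel flushes the last run
            if run and ts - run[-1][0] >= max_gap:
                if len({r for _, r in run}) >= min_recipients:
                    for t, r in run:
                        bursts.setdefault(sender, {}).setdefault(r, t)
                run = []
            run.append((ts, rcpt))
    return bursts

def flag_rmm_launches(processes, bursts, window=timedelta(hours=1)):
    """Flag RMM launches by non-allow-listed users within `window` after a burst message reached them."""
    contacted = {}
    for targets in bursts.values():
        for rcpt, ts in targets.items():
            contacted[rcpt] = min(ts, contacted.get(rcpt, ts))
    alerts = []
    for p in processes:
        first = contacted.get(p["user"])
        if first is None or p["user"] in AUTHORIZED_RMM_USERS or p["image"].lower() not in RMM_IMAGES:
            continue
        if timedelta(0) <= datetime.fromisoformat(p["time"]) - first <= window:
            alerts.append((p["user"], p["image"]))
    return alerts
```

On the constructed data, the burst check flags the fake help desk sender and the correlation returns the single RMM launch by a contacted executive; the allow-listed IT launch and the isolated vendor message are not flagged.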
