Has Black Basta returned? Former affiliates assemble for new campaign targeting business execs

A new cyber intrusion campaign is reviving the playbook of the now-defunct Black Basta, raising concerns that former affiliates may be regrouping or reusing a proven model at scale.
In research published by ReliaQuest, researchers John Dilgen and Alexa Feminella claim to have unearthed a new campaign that they say is successfully evolving the Russian-linked ransomware-as-a-service (RaaS) group’s social engineering playbook.
This time they claim the criminals have transformed these earlier methods into “a faster, more targeted, and increasingly automated intrusion method” which is aimed at compromising those who work in senior leadership positions.
Back to Black
Black Basta operated from early 2022 until February 2025, when internal chat logs were leaked, effectively disrupting the criminal gang.
One of the most vile ransomware groups, it was known for aggressive extortion and was thought to have compromised over 500 organizations, including breaches of huge healthcare organizations, and to have caused over $100 million in damages.
The gang’s activities prompted alerts from the FBI, CISA, and other agencies.
The group’s decline left a vacuum, but its tactics did not disappear with it. As the report notes, “this activity demonstrates that a threat group’s most effective tactics can long outlive the group itself.”
ReliaQuest’s findings suggest those tactics have since been refined. The new campaign hinges on a two-stage social engineering attack: Mass email bombing “to overwhelm a target’s inbox” followed by Microsoft Teams-based help desk impersonation to gain remote access.
The speed at which these attacks are now taking place has also increased. In some cases, the researchers said that the attackers “moved from initial chat engagement to executing malicious scripts in as little as 12 minutes.”
The new spate of attacks also demonstrates more precise targeting. Between March 1st and April 1st, 77% of observed incidents targeted senior-level employees, which researchers say is a sharp rise from earlier in the year and marks a deliberate refinement.
“The removal of [lower-privileged] roles from targeting scripts [such as project managers] suggests threat actors are actively iterating on their open-web reconnaissance automation,” the researchers noted.
The sectors most affected – manufacturing and professional, scientific, and technical services – mirror Black Basta’s historical focus. Each accounted for 26% of incidents, reinforcing attribution theories that “it’s highly likely a unified campaign from former affiliates who are carrying this tradecraft forward.”
Familiar tradecraft of Black Basta
Technically, ReliaQuest says that the campaign blends old methods with new tricks.
Attackers rely on “Russia-based source IP addresses,” disposable Microsoft tenants, and impersonations of internal IT staff.
Once trust is established, they deploy remote monitoring and management (RMM) tools – most notably a legitimate tool called Supremo which is often used for IT support and remote working.
According to the report, this remote desktop tool has become “a primary tool...allowing attackers to quickly turn social engineering into hands-on access.”
Scripts disguised as legitimate utilities – such as MailAccountWizard.jar, which is used for setting up and configuring email addresses – are then executed, reinforcing the illusion of IT support.
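The chain the article describes (an inbox flood, then an external Teams “help desk” chat from a throwaway tenant, then an RMM tool such as Supremo or a lure like MailAccountWizard.jar launched within minutes) can be correlated in telemetry. The Python below is an added illustration, not ReliaQuest’s or Cybernews’s code; the thresholds, the event schema and the sample records are my own assumptions.

```python
from datetime import datetime, timedelta

# Assumed thresholds (mine, not from the ReliaQuest report); tune per environment.
BOMB_THRESHOLD = 20                      # inbound mails per user within BOMB_WINDOW
BOMB_WINDOW = timedelta(minutes=10)
CHAT_AFTER_BOMB = timedelta(hours=2)     # external Teams chat must follow the bomb
EXEC_AFTER_CHAT = timedelta(minutes=30)  # RMM/lure execution must follow the chat
TRUSTED_TENANTS = {"corp.example"}       # own tenant(s); any other sender is "external"
SUSPECT_BINARIES = {"supremo.exe", "mailaccountwizard.jar"}  # both named in the article

def find_email_bombs(events):
    """Yield (user, first, last) where a user got >= BOMB_THRESHOLD mails inside BOMB_WINDOW."""
    by_user = {}
    for when, kind, user, _ in events:
        if kind == "mail":
            by_user.setdefault(user, []).append(when)
    for user, times in by_user.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):           # sliding window over sorted timestamps
            while times[hi] - times[lo] > BOMB_WINDOW:
                lo += 1
            if hi - lo + 1 >= BOMB_THRESHOLD:
                yield user, times[lo], times[hi]
                break

def correlate(events):
    """Alert when: email bomb -> Teams chat from untrusted tenant -> suspect binary run."""
    alerts = []
    for user, _, bomb_end in find_email_bombs(events):
        chats = [when for when, k, u, sender in events
                 if k == "teams_external" and u == user
                 and sender.split("@")[-1] not in TRUSTED_TENANTS
                 and bomb_end <= when <= bomb_end + CHAT_AFTER_BOMB]
        for chat in chats:
            runs = [(when, image) for when, k, u, image in events
                    if k == "process" and u == user and image.lower() in SUSPECT_BINARIES
                    and chat <= when <= chat + EXEC_AFTER_CHAT]
            if runs:
                alerts.append({"user": user, "chat": chat.isoformat(), "exec": runs[0][1],
                               "minutes_to_exec": int((runs[0][0] - chat).total_seconds() // 60)})
    return alerts

# Constructed sample telemetry as (time, kind, user, detail) tuples; not real data.
T0 = datetime(2025, 3, 10, 9, 0)
SAMPLE = [(T0 + timedelta(seconds=20 * i), "mail", "cfo@corp.example", "bulk signup") for i in range(25)]
SAMPLE += [(T0 + timedelta(minutes=20), "teams_external", "cfo@corp.example",
            "helpdesk@it-support-example.onmicrosoft.com"),   # disposable tenant, constructed
           (T0 + timedelta(minutes=32), "process", "cfo@corp.example", "Supremo.exe")]
```

Running `correlate(SAMPLE)` yields one alert for the CFO with a 12-minute gap between the chat and the Supremo launch; the same three-signal join works against real mail, Teams audit and EDR process logs once they are normalized to that tuple shape.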
While ransomware deployment has not yet been observed, researchers warn the activity is “consistent with pre-ransomware staging.”
So, has Black Basta returned? ReliaQuest stops short of a definitive claim, instead outlining three scenarios: regrouping affiliates, collaboration with other groups, or outright imitation.
Their conclusion is that it's “highly likely” former Black Basta affiliates are involved, although ultimately they add that the name may matter less than the method. As the report concludes, “a proven, effective intrusion method is now more active and refined than ever” – and it is increasingly aimed at the people in organizations with the most privileged access.