6 malware familiesExploits CVEs in the wild

Black Basta

Also known asblack_basta

Black Basta is a financially motivated ransomware operation active since at least 2022. The group is referenced as part of the ransomware ecosystem and has been linked in reporting to initial access obtained by brokers such as Woodgnat/KongTuke, which has been publicly associated with attacks involving Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta. Reporting cited here states that in November 2022 Black Basta used the QakBot loader for initial access by hijacking legitimate email threads and sending phishing emails. Black Basta has also been observed exploiting or discussing vulnerabilities and remote access tooling: leaked Black Basta chat logs included active discussion of CVE-2024-3400 in Palo Alto PAN-OS, and the group has been seen exploiting Microsoft Quick Assist for initial access and persistence. CISA #StopRansomware advisories cited in the content state that Black Basta uses PsExec as a primary ransomware propagation tool. Additional reporting in the provided content describes Black Basta operational TTPs in detail, including use of EDR impairment tooling such as AvNeutralizer/AuKill, which telemetry indicated was used exclusively by the group for six months before later spreading to other ransomware actors. SentinelLABS assessed it is highly likely the Black Basta ransomware operation has ties to FIN7. Leaked Black Basta Matrix chat logs from 2025, covering September 2023 to September 2024, portray the group as a mature criminal enterprise with structured operations, two offices in Moscow, collaboration with other ransomware and malware actors, and use of ChatGPT for phishing pretexts, malware rewriting, debugging, and victim intelligence collection. Analysis of those leaks cited in the content reported potential connections to Russian authorities and identified alleged continuity with Conti-era personnel and tradecraft, including references linking leader GG/AA to Conti’s Tramp. The same reporting states Black Basta collaborated with or maintained relationships involving former Conti/Trickbot, BlackSuit/Royal, Rhysida, and Cactus-linked actors, and used or rented malware families and loaders including Pikabot, DarkGate, IcedID, and LummaC2 while developing a custom post-exploitation framework called Breaker. The content also notes Black Basta’s use of Linux/ESXi-focused ransomware is discussed alongside other major ransomware groups, although one cited report found no obvious similarity between Black Basta’s ESXi lockers and Babuk-derived families. Known alias mentioned in the content: Storm-1811.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

61 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

14 of 15 tactics79 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0043

Reconnaissance

1 technique

T1598

Phishing for Information

T1598.004

Spearphishing Voice

TA0001

Initial Access

2 techniques

T1078

Valid Accounts

T1566×5

Phishing

T1566.001

Spearphishing Attachment

T1566.003×3

Spearphishing via Service

T1566.004

Spearphishing Voice

TA0002

Execution

7 techniques

T1047×2

Windows Management Instrumentation

T1053

Scheduled Task/Job

T1053.005

Scheduled Task

T1059×2

Command and Scripting Interpreter

T1059.001×3

PowerShell

T1059.003×2

Windows Command Shell

T1059.006

Python

T1203

Exploitation for Client Execution

T1204

User Execution

T1569

System Services

T1569.002

Service Execution

T1574

Hijack Execution Flow

T1574.001

DLL

TA0003

Persistence

5 techniques

T1053

Scheduled Task/Job

T1053.005

Scheduled Task

T1078

Valid Accounts

T1112

Modify Registry

T1136×2

Create Account

T1136.001

Local Account

T1543

Create or Modify System Process

T1543.003

Windows Service

TA0004

Privilege Escalation

6 techniques

T1053

Scheduled Task/Job

T1053.005

Scheduled Task

T1055×3

Process Injection

T1055.012

Process Hollowing

T1068×2

Exploitation for Privilege Escalation

T1078

Valid Accounts

T1484

Domain or Tenant Policy Modification

T1484.001

Group Policy Modification

T1543

Create or Modify System Process

T1543.003

Windows Service

TA0005

Stealth

7 techniques

T1014

Rootkit

T1036

Masquerading

T1055×3

Process Injection

T1055.012

Process Hollowing

T1070

Indicator Removal

T1070.004

File Deletion

T1078

Valid Accounts

T1218×2

System Binary Proxy Execution

T1218.010

Regsvr32

T1218.011

Rundll32

T1574

Hijack Execution Flow

T1574.001

DLL

TA0112

Defense Impairment

2 techniques

T1112

Modify Registry

T1484

Domain or Tenant Policy Modification

T1484.001

Group Policy Modification

TA0006

Credential Access

1 technique

T1649

Steal or Forge Authentication Certificates

TA0007

Discovery

7 techniques

T1016

System Network Configuration Discovery

T1033

System Owner/User Discovery

T1046

Network Service Discovery

T1082

System Information Discovery

T1083

File and Directory Discovery

T1482

Domain Trust Discovery

T1518

Software Discovery

TA0008

Lateral Movement

2 techniques

T1021×4

Remote Services

T1021.001×2

Remote Desktop Protocol

T1021.002×3

SMB/Windows Admin Shares

T1570

Lateral Tool Transfer

TA0009

Collection

1 technique

T1560

Archive Collected Data

TA0011

Command and Control

4 techniques

T1071×4

Application Layer Protocol

T1071.004

DNS

T1090

Proxy

T1105×5

Ingress Tool Transfer

T1219×3

Remote Access Tools

TA0010

Exfiltration

4 techniques

T1041

Exfiltration Over C2 Channel

T1048

Exfiltration Over Alternative Protocol

T1537

Transfer Data to Cloud Account

T1567

Exfiltration Over Web Service

TA0040

Impact

4 techniques

T1485

Data Destruction

T1486×2

Data Encrypted for Impact

T1490×3

Inhibit System Recovery

T1529

System Shutdown/Reboot

ARSENAL

Associated malware families

6 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

Black BastaThis blog post documents some of the TTPs employed by a threat actor group who were observed deploying Black Basta ransomware during a recent incident response engagement, as well as a breakdown of the executable file which performs the encryption.6May 27, 2026

AvNeutralizerThe tool, known as AvNeutralizer, is used by criminal hackers to bypass threat detection systems on victims' devices.2Jun 14, 2026

AnyDeskAnyDesk is a popular remote desktop application that allows users to connect to computers and devices remotely... threat actors have been known to utilise AnyDesk's capabilities to control computers, therefore gaining unauthorised access to victims' systems.1Jun 9, 2026

HavocNearly half a dozen organizations have been targeted with the Havoc command-and-control framework for subsequent data theft or ransomware compromise in a new IT support scam campaign.1Mar 5, 2026

HeartCryptIn many cases, packer-as-a-service offerings such as HeartCrypt are used to obfuscate the tools.1Jun 14, 2026

1 additional family tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

6 CVEs this actor has used in observed campaigns. 6 of them exploited in the wild.

CVE-2025-68947Improper authorization in NSecsoft NSecKrnl driver allows arbitrary process terminationIn the wildEvidence4

↑のプロセスを脆弱なNsecSoft NSecKrnlドライバで止める CVE-2025-68947に関連するNsecSoft NSecKrnlドライバでサービス作成を試みて、そのサービスで脆弱性悪用によりカーネルレベルからプロセスキルや検知機能阻害を行う感じ。

CVE-2020-1472Zerologon in Microsoft Netlogon Remote ProtocolIn the wildEvidence1

Beyond the reconnaissance stage, Black Basta attempts local and domain level privilege escalation through a variety of exploits. We have seen the use of ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42287, CVE-2021-42278) and PrintNightmare (CVE-2021-34527).

CVE-2021-34527PrintNightmareIn the wildEvidence1

In one intrusion, we observed the Black Basta operator exploiting the PrintNightmare vulnerability and dropping spider.dll as the payload.

CVE-2021-42278NoPac sAMAccountName Spoofing in Active Directory Domain ServicesIn the wildEvidence1

CVE-2021-42287NoPac Domain Controller Impersonation in Active Directory Domain ServicesIn the wildEvidence1

1 more CVE tied to this actor tracked in Mallory.

IOCS

Observables

50 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

50 IOCsView more in app

ip.v4

34 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+26

hash.sha1

8 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••

Domains

4 total

••••••.com•••••••.ru••••••••.com•••••••••.net

hash.sha256

2 total

•••••••••••••••••

Email addresses

1 total

••••@•••••.•••

uri

1 total

••••••••

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app

hackreadNews

Jun 26, 2026

Woodgnat Hackers Use Mistic RAT to Broker Access for Ransomware Gangs

Referenced as a downstream ransomware operation that may purchase access from Woodgnat.

security affairsNews

Jun 25, 2026

Inside Mistic, the New Stealth Backdoor in Ransomware Intrusions

Named as a ransomware crew that purchases or uses access brokered by KongTuke/Woodgnat.

Jun 25, 2026

Self-destructing Mistic backdoor linked to access broker selling corporate footholds to ransomware gangs

Named as a ransomware crew previously linked to attacks involving KongTuke-provided access.

cyber security newsNews

Jun 24, 2026

Mistic Backdoor Blends With Microsoft Endpoint Security Tooling to Evade Detection

Referenced as one of the ransomware groups whose attacks have involved ModeloRAT.

+173 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping61

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal6

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs6

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables50

Domains, IPs, and hashes tied to this actor, refreshed continuously.