Ex-Black Basta Operatives Adapt Tactics with Python Scripts While Migrating to New Ransomware Collectives
Following the significant disruption of the Black Basta ransomware operation after internal communications were publicly exposed in February, former members have continued employing their established attack methodologies while introducing new technical capabilities.

Research from ReliaQuest reveals that these threat actors are now incorporating Python script execution into their traditional email bombing and Microsoft Teams phishing campaigns.
Evolved Attack Techniques
The cybercriminals have enhanced their toolkit with Python scripts that issue cURL requests to fetch and run malicious payloads. The change shows that the operators kept refining their tradecraft even after the original Black Basta organization collapsed.
Between February and May 2025, security researchers documented that approximately 50% of Teams phishing campaigns originated from onmicrosoft[.]com domains (the default domain every new Microsoft 365 tenant receives), while 42% were sent from compromised legitimate domains. Messages from breached domains are harder to spot because they arrive from established tenants and blend in with genuine business traffic rather than carrying a freshly created tenant's default domain.
Recent targeting has focused on organizations in the financial services, insurance, and construction industries, with attackers impersonating IT support personnel to deceive employees through Teams communications.
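As an added example, not part of the ReliaQuest research or this article, the following Python scores inbound external Teams chats for the traits described above: a sender on a default *.onmicrosoft.com tenant domain, a display name or tenant name posing as IT support, and a lure that steers the victim toward a remote-assistance session. The event fields, keyword lists, threshold and sample messages are all constructed for illustration; the real fields come from whatever Teams audit or message export an organization has.

```python
import re
from dataclasses import dataclass

# Domains the defending organization owns (assumption: replace with yours).
INTERNAL_DOMAINS = {"example.com"}

# Display names / tenant labels used to pose as IT staff (assumed patterns).
IT_IMPERSONATION = re.compile(
    r"\b(help\s*desk|it\s*support|service\s*desk|it\s*department|tech(nical)?\s*support)\b",
    re.I,
)
# Wording that pushes the target into Quick Assist / AnyDesk (assumed patterns).
REMOTE_LURE = re.compile(
    r"quick\s*assist|anydesk|remote\s*(support|session)|enter (this|the) code", re.I
)


@dataclass
class TeamsEvent:
    sender: str        # UPN of the sender
    display_name: str  # name shown in the Teams client
    recipient: str
    text: str


def sender_domain(upn):
    return upn.rsplit("@", 1)[-1].lower()


def is_default_tenant_domain(domain):
    # Every Entra ID tenant is created with <name>.onmicrosoft.com. A throwaway
    # attacker tenant that never verified a vanity domain messages from that name.
    return domain.endswith(".onmicrosoft.com")


def score(event):
    """Return (points, reasons) for one chat message; internal senders score 0."""
    domain = sender_domain(event.sender)
    if domain in INTERNAL_DOMAINS:
        return 0, []
    pts, reasons = 1, ["external sender"]
    if is_default_tenant_domain(domain):
        pts += 2
        reasons.append("default *.onmicrosoft.com tenant domain")
    tenant_label = domain.split(".")[0]
    if IT_IMPERSONATION.search(event.display_name) or IT_IMPERSONATION.search(tenant_label):
        pts += 2
        reasons.append("display name or tenant label poses as IT support")
    if REMOTE_LURE.search(event.text):
        pts += 2
        reasons.append("lure steers victim into a remote-assistance session")
    return pts, reasons


def triage(events, threshold=4):
    """Return [(sender, points, reasons)] for every event at or above threshold."""
    hits = []
    for ev in events:
        pts, reasons = score(ev)
        if pts >= threshold:
            hits.append((ev.sender, pts, reasons))
    return hits


# Constructed sample messages (not real telemetry).
SAMPLE_EVENTS = [
    TeamsEvent("helpdesk@contoso-itsupport.onmicrosoft.com", "IT Help Desk", "dana@example.com",
               "We see your mailbox being flooded with spam. Open Quick Assist and enter this code so we can fix it."),
    TeamsEvent("accounts@northwind-traders.com", "Service Desk", "dana@example.com",
               "Your ticket is open. Please launch AnyDesk and accept my connection request."),
    TeamsEvent("alice@partner.org", "Alice Smith", "dana@example.com",
               "Can you look over the contract draft when you get a minute?"),
    TeamsEvent("bob@example.com", "Bob Jones", "dana@example.com",
               "Reminder: Quick Assist is only to be used with the internal help desk."),
]

if __name__ == "__main__":
    for sender, pts, reasons in triage(SAMPLE_EVENTS):
        print(f"{pts}  {sender}  ({'; '.join(reasons)})")
```

The second sample, a compromised legitimate domain, still crosses the threshold on persona and lure alone, which is the point of scoring several weak signals rather than keying on the onmicrosoft.com suffix that only half the observed campaigns use.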
Organizational Migration Patterns
The cessation of Black Basta's data leak site operations, coupled with the continued use of their signature tactics, suggests that former affiliates have either joined alternative Ransomware-as-a-Service (RaaS) platforms or established new criminal enterprises. Intelligence analysis points to the CACTUS RaaS group as the most likely destination for former Black Basta members, supported by leaked communications referencing substantial payments between the organizations.
However, CACTUS has not published any victim organizations on its leak site since March 2025, which may indicate operational changes or a deliberate effort to keep a lower profile. Alternative migration paths may include the BlackLock group, which has reportedly established collaborative relationships with the DragonForce ransomware cartel.
Technical Infrastructure Evolution
The threat actors have expanded their post-exploitation capabilities by using the access gained through Teams phishing to talk the victim into a remote session over Quick Assist or AnyDesk. Once that session is established, the operators download Python scripts from remote servers and run them on the host to set up command-and-control communications.
The social engineering approach pioneered by Black Basta—combining email flooding, Teams phishing, and Quick Assist abuse—has been adopted by other criminal groups, including BlackSuit ransomware operators. This suggests either tactical sharing among groups or the absorption of Black Basta personnel by competing organizations.
Malware Development Advances
Research from Rapid7 indicates that the Java-based remote access trojan (RAT) previously associated with Black Basta campaigns has undergone significant updates. The enhanced malware now abuses cloud file-hosting services from Google and Microsoft so that its command traffic is relayed through legitimate cloud provider infrastructure, where it is far less likely to be blocked or noticed.
The malware has evolved from direct proxy connections to utilizing OneDrive and Google Sheets, with the most recent variants leveraging Google Drive for command-and-control operations. Additional capabilities include file transfer functionality, SOCKS5 proxy tunneling, browser credential theft, fake Windows login prompts, and in-memory Java class execution.
Broader Ransomware Landscape Developments
Several significant trends have emerged across the ransomware ecosystem:
Scattered Spider has intensified its focus on managed service providers (MSPs) and IT vendors, employing a "one-to-many" compromise strategy in which one supplier foothold yields access to many downstream customers. The group has exploited compromised accounts from Tata Consultancy Services (TCS) for initial access and created fraudulent login pages using the Evilginx phishing framework to circumvent multi-factor authentication. Strategic partnerships with major ransomware operations including ALPHV/BlackCat, RansomHub, and DragonForce have enabled sophisticated attacks exploiting vulnerabilities in the SimpleHelp remote support software.
Qilin ransomware (operating under aliases Agenda and Phantom Mantis) has conducted coordinated intrusion campaigns targeting multiple organizations between May and June 2025, primarily leveraging Fortinet FortiGate vulnerabilities including CVE-2024-21762 and CVE-2024-55591 for initial network access.
Play ransomware (also known as Balloonfly and PlayCrypt) has reportedly compromised approximately 900 entities since its emergence in mid-2022, with recent campaigns exploiting SimpleHelp vulnerabilities (CVE-2024-57727) to target U.S.-based organizations.
VanHelsing ransomware experienced internal disruption when its administrator leaked complete source code on the RAMP forum due to conflicts between developers and leadership. The disclosure included TOR keys, ransomware source code, administrative panels, communication systems, and complete database information.
Interlock ransomware has deployed a previously unknown JavaScript remote access trojan called NodeSnake in attacks against UK local government and higher education institutions during January and March 2025. The malware, distributed through phishing campaigns, provides persistent access, system reconnaissance, and remote command execution capabilities.
Strategic Implications
These developments highlight the resilience and adaptability of ransomware operations despite law enforcement actions and operational disruptions. The migration of skilled operators between groups ensures the continuation of sophisticated attack capabilities, while the integration of new technologies like Python scripting and cloud-based command-and-control infrastructure demonstrates ongoing innovation in the threat landscape.
The widespread adoption of proven tactics across multiple groups indicates the effectiveness of the Black Basta methodology and suggests that organizations should prepare for continued evolution of these attack patterns across different ransomware families.