STAC5143 is a threat activity cluster tracked by Sophos, notable for abusing legitimate Microsoft Office 365 services to run ransomware and data-extortion campaigns. Sophos notes overlaps with FIN7 tooling, but where FIN7 typically targets larger organizations through phishing and malicious Google Ads, STAC5143 goes after smaller victims across diverse business sectors. An intrusion opens with email bombing: the targeted user is flooded with inbound messages, then contacted over Microsoft Teams by an account posing as tech support, which talks the user into a remote screen-control session. Using Microsoft Quick Assist or Teams' own screen sharing, the operators deploy malware, including Java Archive (JAR) files and Python-based backdoors, pulled from SharePoint file stores outside the victim tenant. The cluster stays inside legitimate Office 365 services throughout the chain, and a Java-based proxy executes PowerShell commands and downloads further payloads. Although it relies on publicly available tools such as RPivot, its obfuscation, its use of side-loaded DLLs for command and control, and the deployment of Black Basta ransomware in one instance indicate a sophisticated, evolving actor adapting known techniques to its own objectives.
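The opening sequence above (an email-bombing burst followed, within hours, by a one-on-one Teams message from a user in another tenant) is the part of the chain a tenant can detect from Microsoft 365 telemetry alone. The following is an added detection example written for this page; it is not Sophos' or Microsoft's code. It runs over constructed records whose shapes only loosely follow a message-trace export and the Unified Audit Log Teams `MessageSent` record; the field names (`recipient`, `received`, `Operation`, `CreationTime`, `UserId`, `CommunicationType`, `ParticipantInfo.HasForeignTenantUsers`, `Participants`), the thresholds, and the sample addresses are all assumptions to adjust to your own export.

```python
"""Correlate an email-bombing burst with a follow-on Microsoft Teams contact
from an external tenant: the opening sequence in the STAC5143 description.

Hypothetical detection logic written for this page, not vendor code.
Input records are constructed to loosely resemble two Microsoft 365 sources
(all field names are assumptions):
  - message-trace rows for inbound mail: {"recipient", "received"}
  - Unified Audit Log Teams records: {"Operation", "CreationTime", "UserId",
    "CommunicationType", "ParticipantInfo": {"HasForeignTenantUsers"},
    "Participants"}  (Participants is an assumed convenience field)
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

EMAIL_BURST_THRESHOLD = 50                 # inbound messages per window (assumed tuning)
EMAIL_BURST_WINDOW = timedelta(minutes=60)
TEAMS_FOLLOWUP_WINDOW = timedelta(hours=4)  # how long after the burst a Teams contact counts


def _ts(value):
    """Parse an ISO-8601 timestamp as an aware UTC datetime."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def email_bursts(mail_rows, threshold=EMAIL_BURST_THRESHOLD, window=EMAIL_BURST_WINDOW):
    """Return {recipient: time the threshold was reached} for every recipient who
    received at least `threshold` inbound messages inside one sliding `window`."""
    by_user = defaultdict(list)
    for row in mail_rows:
        by_user[row["recipient"].lower()].append(_ts(row["received"]))
    bursts = {}
    for user, times in by_user.items():
        times.sort()
        left = 0
        for right, t in enumerate(times):
            while t - times[left] > window:        # slide the window's left edge forward
                left += 1
            if right - left + 1 >= threshold:      # enough messages inside the window
                bursts[user] = t
                break
    return bursts


def external_teams_contacts(audit_records):
    """Yield (target, sender, time) for one-on-one Teams messages sent by a user
    from another tenant, the 'tech support' vishing step."""
    for rec in audit_records:
        if rec.get("Operation") != "MessageSent":
            continue
        if rec.get("CommunicationType") != "OneOnOne":
            continue
        if not rec.get("ParticipantInfo", {}).get("HasForeignTenantUsers"):
            continue
        sender = rec["UserId"].lower()
        when = _ts(rec["CreationTime"])
        for participant in rec.get("Participants", []):
            participant = participant.lower()
            if participant != sender:
                yield participant, sender, when


def correlate(mail_rows, audit_records, followup=TEAMS_FOLLOWUP_WINDOW):
    """Alert when a user was email-bombed and then contacted over Teams from an
    external tenant within `followup` of the burst."""
    bursts = email_bursts(mail_rows)
    alerts = []
    for target, sender, when in external_teams_contacts(audit_records):
        burst_at = bursts.get(target)
        if burst_at is not None and timedelta(0) <= when - burst_at <= followup:
            alerts.append({
                "user": target,
                "burst_at": burst_at.isoformat(),
                "teams_sender": sender,
                "contact_at": when.isoformat(),
                "minutes_after_burst": int((when - burst_at).total_seconds() // 60),
            })
    return alerts


def sample_mail_rows():
    """Constructed message-trace rows: alice is bombed (60 mails in 30 min), bob gets 5."""
    base = datetime(2025, 1, 20, 9, 0, tzinfo=timezone.utc)
    rows = [{"recipient": "alice@example.com",
             "received": (base + timedelta(seconds=30 * i)).isoformat()} for i in range(60)]
    rows += [{"recipient": "bob@example.com",
              "received": (base + timedelta(minutes=10 * i)).isoformat()} for i in range(5)]
    return rows


def sample_audit_records():
    """Constructed Teams audit records: a fake help desk from another tenant
    messages alice after the burst; carol (internal) and a vendor (to bob) are benign."""
    return [
        {"Operation": "MessageSent", "CreationTime": "2025-01-20T10:15:00",
         "UserId": "help.desk@it-support-contoso.example", "CommunicationType": "OneOnOne",
         "ParticipantInfo": {"HasForeignTenantUsers": True},
         "Participants": ["help.desk@it-support-contoso.example", "alice@example.com"]},
        {"Operation": "MessageSent", "CreationTime": "2025-01-20T10:20:00",
         "UserId": "carol@example.com", "CommunicationType": "OneOnOne",
         "ParticipantInfo": {"HasForeignTenantUsers": False},
         "Participants": ["carol@example.com", "alice@example.com"]},
        {"Operation": "MessageSent", "CreationTime": "2025-01-20T11:00:00",
         "UserId": "partner@vendor.example", "CommunicationType": "OneOnOne",
         "ParticipantInfo": {"HasForeignTenantUsers": True},
         "Participants": ["partner@vendor.example", "bob@example.com"]},
    ]


if __name__ == "__main__":
    for alert in correlate(sample_mail_rows(), sample_audit_records()):
        print(alert)
```

The burst detector keys on volume to a single mailbox rather than on sender reputation, because the bombing described above is mostly legitimate newsletter and sign-up traffic that no individual message filter would flag; the Teams side keys on the tenant boundary, which is the one property a tech-support impersonator cannot hide. On the constructed data only alice produces an alert: the external contact to bob has no preceding burst, and carol's message to alice is internal.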
References (date ⋅ source ⋅ title ⋅ tags)

2025-03-03 ⋅ Trend Micro ⋅ Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal ⋅ Tags: Black Basta, Cactus, ReedBed
2025-02-22 ⋅ CrowdStrike ⋅ Wandering Spider ⋅ Tags: Black Basta, GOLD REBELLION
2025-01-25 ⋅ Sophos ⋅ Sophos MDR tracks two ransomware campaigns using “email bombing,” Microsoft Teams “vishing” ⋅ Tags: ReedBed, STAC5143, UNC4393
2024-12-04 ⋅ Rapid7 ⋅ Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware ⋅ Tags: Black Basta, Cobalt Strike, DarkGate, SystemBC, Zloader
2024-10-25 ⋅ ReliaQuest ⋅ ReliaQuest Uncovers New Black Basta Social Engineering Technique ⋅ Tags: Black Basta
2024-08-12 ⋅ Rapid7 ⋅ Ongoing Social Engineering Campaign Refreshes Payloads ⋅ Tags: Black Basta, Cobalt Strike, GhostSocks, Lumma Stealer, SystemBC
2024-07-29 ⋅ Mandiant ⋅ UNC4393 Goes Gently into the SILENTNIGHT ⋅ Tags: Black Basta, QakBot, sRDI, SystemBC, Zloader, UNC3973, UNC4393
2024-07-29 ⋅ Microsoft ⋅ Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption ⋅ Tags: Black Basta, Storm-0506
2024-06-12 ⋅ Symantec ⋅ Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day ⋅ Tags: Black Basta, UNC4393
2024-05-15 ⋅ Stairwell ⋅ Stairwell threat report: Black Basta overview and detection rules ⋅ Tags: Black Basta
2024-05-15 ⋅ Microsoft ⋅ Threat actors misusing Quick Assist in social engineering attacks leading to ransomware ⋅ Tags: Black Basta, Cobalt Strike, QakBot, SystemBC, UNC4393
2024-05-10 ⋅ Rapid7 Labs ⋅ Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators ⋅ Tags: Black Basta, Cobalt Strike, NetSupportManager RAT
2024-05-10 ⋅ CISA ⋅ AA24-131A: #StopRansomware: Black Basta ⋅ Tags: Black Basta
2024-02-28 ⋅ Security Intelligence ⋅ X-Force data reveals top spam trends, campaigns and senior superlatives in 2023 ⋅ Tags: 404 Keylogger, Agent Tesla, Black Basta, DarkGate, Formbook, IcedID, Loki Password Stealer (PWS), Pikabot, QakBot, Remcos
2023-11-16 ⋅ YouTube (Swiss Cyber Storm) ⋅ Resilience Rising: Countering the Threat Actors Behind Black Basta Ransomware ⋅ Tags: Black Basta
2023-06-27 ⋅ Security Intelligence ⋅ The Trickbot/Conti Crypters: Where Are They Now? ⋅ Tags: Black Basta, Conti, Mount Locker, PhotoLoader, Royal Ransom, SystemBC, TrickBot
2023-04-19 ⋅ BleepingComputer ⋅ March 2023 broke ransomware attack records with 459 incidents ⋅ Tags: Clop, WhiteRabbit, BianLian, Black Basta, BlackCat, LockBit, MedusaLocker, PLAY, Royal Ransom
2023-04-18 ⋅ Mandiant ⋅ M-Trends 2023 ⋅ Tags: QUIETEXIT, AppleJeus, Black Basta, BlackCat, CaddyWiper, Cobalt Strike, Dharma, HermeticWiper, Hive, INDUSTROYER2, Ladon, LockBit, Meterpreter, PartyTicket, PlugX, QakBot, REvil, Royal Ransom, SystemBC, WhisperGate
2023-03-30 ⋅ United States District Court (Eastern District of New York) ⋅ Cracked Cobalt Strike (1:23-cv-02447) ⋅ Tags: Black Basta, BlackCat, Cobalt Strike, Cuba, Emotet, LockBit, Mount Locker, PLAY, QakBot, RagnarLocker, Royal Ransom, Zloader
2023-03-20 ⋅ PwC ⋅ Cyber Threats 2022: A Year in Retrospect ⋅ Tags: Black Basta, Earth Lusca, GOLD REBELLION
2023-03-15 ⋅ ReliaQuest ⋅ QBot: Laying the Foundations for Black Basta Ransomware Activity ⋅ Tags: Black Basta, QakBot
2023-01-25 ⋅ Quadrant Information Security ⋅ Technical Analysis: Black Basta Malware Overview ⋅ Tags: Black Basta
2023-01-23 ⋅ Kroll ⋅ Black Basta – Technical Analysis ⋅ Tags: Black Basta, Cobalt Strike, MimiKatz, QakBot, SystemBC
2022-12-01 ⋅ Zscaler ⋅ Back in Black... Basta - Technical Analysis of BlackBasta Ransomware 2.0 ⋅ Tags: Black Basta
2022-11-23 ⋅ Cybereason ⋅ THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies ⋅ Tags: Black Basta, QakBot
2022-11-03 ⋅ SentinelOne (Sentinel LABS) ⋅ Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor ⋅ Tags: Black Basta, QakBot, SocksBot
2022-10-12 ⋅ Trend Micro ⋅ Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike ⋅ Tags: Black Basta, Brute Ratel C4, Cobalt Strike, QakBot
2022-09-08 ⋅ Sentinel LABS ⋅ Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection ⋅ Tags: AgendaCrypt, Black Basta, BlackCat, PLAY
2022-09-01 ⋅ Trend Micro ⋅ Ransomware Spotlight: Black Basta ⋅ Tags: Black Basta, Cobalt Strike, MimiKatz, QakBot
2022-08-25 ⋅ Palo Alto Networks Unit 42 ⋅ Threat Assessment: Black Basta Ransomware ⋅ Tags: Black Basta, QakBot
2022-08-22 ⋅ Microsoft ⋅ Extortion Economics - Ransomware’s new business model ⋅ Tags: AgendaCrypt, Black Basta, BlackCat, Brute Ratel C4, Cobalt Strike, Conti, Hive, Mount Locker, Nokoyawa Ransomware, REvil, Ryuk
2022-08-15 ⋅ SecurityScorecard ⋅ A Deep Dive Into Black Basta Ransomware ⋅ Tags: Black Basta
2022-07-20 ⋅ Kaspersky ⋅ Luna and Black Basta — new ransomware for Windows, Linux and ESXi ⋅ Tags: Black Basta, Conti
2022-06-30 ⋅ Trend Micro ⋅ Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit ⋅ Tags: Black Basta, Cobalt Strike, QakBot
2022-06-28 ⋅ GBHackers on Security ⋅ Black Basta Ransomware Emerging From Underground to Attack Corporate Networks ⋅ Tags: Black Basta
2022-06-06 ⋅ NCC Group ⋅ Shining the Light on Black Basta ⋅ Tags: Black Basta
2022-06-01 ⋅ Avertium ⋅ An In-Depth Look At Black Basta Ransomware ⋅ Tags: Black Basta
2022-05-26 ⋅ IBM ⋅ Black Basta Besting Your Network? ⋅ Tags: Black Basta
2022-05-20 ⋅ AdvIntel ⋅ DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape ⋅ Tags: AvosLocker, Black Basta, BlackByte, BlackCat, Conti, HelloKitty, Hive
2022-05-09 ⋅ Trend Micro ⋅ Examining the Black Basta Ransomware’s Infection Routine ⋅ Tags: Black Basta
2022-04-29 ⋅ The Record ⋅ German wind farm operator confirms cybersecurity incident ⋅ Tags: Black Basta, BlackCat
2022-04-27 ⋅ BleepingComputer ⋅ New Black Basta ransomware springs into action with a dozen breaches ⋅ Tags: Black Basta
2022-04-26 ⋅ BleepingComputer ⋅ American Dental Association hit by new Black Basta ransomware ⋅ Tags: Black Basta