UNC4393 (Threat Actor)

SYMBOL	COMMON_NAME	aka. SYNONYMS

UNC4393 (Back to overview)

aka: CURLY SPIDER, Cardinal, STAC5777, Storm-1811

UNC4393 is a financially motivated threat actor primarily using BASTA ransomware. They have been active since early 2022 and have targeted over 40 organizations across various industries. UNC4393 has shown a willingness to cooperate with other threat clusters for initial access and has evolved from using existing tools to developing custom malware. They focus on efficient data exfiltration and multi-faceted extortion, often utilizing tools like COGSCAN and RCLONE for reconnaissance and data theft.

Associated Families

win.blackbasta

References

2025-03-03 ⋅ Trend Micro ⋅ Adam O'Connor, Catherine Loveria, Gabriel Cardoso, Ian Kenefick, Jack Walsh, Jovit Samaniego, Lucas Silva, Stephen Carbery
Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal
Black Basta Black Basta Cactus ReedBed

2025-02-28 ⋅ CrowdStrike ⋅ CrowdStrike
2025 Global Threat Report
GOLD REBELLION UNC4393

2025-02-22 ⋅ CrowdStrike ⋅ CrowdStrike
Wandering Spider
Black Basta Black Basta GOLD REBELLION

2025-02-22 ⋅ CrowdStrike ⋅ CrowdStrike
Curly Spider
UNC4393

2025-01-30 ⋅ eSentire ⋅ eSentire
Ongoing Email Bombing Campaigns leading to Remote Access and Post-Exploitation
UNC4393

2025-01-25 ⋅ Sophos ⋅ Anthony Bradshaw, Colin Cowie, Daniel Souter, Hunter Neal, Mark Parsons, Sean Baird, Sean Gallagher
Sophos MDR tracks two ransomware campaigns using “email bombing,” Microsoft Teams “vishing”
ReedBed STAC5143 UNC4393

2025-01-21 ⋅ Twitter (@MsftSecIntel) ⋅ Microsoft Threat Intelligence
Twitter Thread describing spotting of ReedBed in a Storm-1811 campaign
ReedBed UNC4393

2025-01-20 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Jonathan Mccay, Joshua Platt
Qbot is Back.Connect
ReedBed UNC4393

2025-01-17 ⋅ Twitter (@Unit42_Intel) ⋅ Unit 42
Tweet about affiliates of DarkScorpius using Social Engineering via MS Teams
UNC4393

2024-12-04 ⋅ Rapid7 ⋅ Tyler McGraw
Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware
Black Basta Cobalt Strike DarkGate SystemBC Zloader

2024-12-02 ⋅ Red Canary ⋅ Red Canary Intelligence
Storm-1811 exploits RMM tools to drop Black Basta ransomware
UNC4393

2024-10-25 ⋅ Reliaquest ⋅ RELIAQUEST THREAT RESEARCH TEAM
ReliaQuest Uncovers New Black Basta Social Engineering Technique
Black Basta

2024-10-15 ⋅ Microsoft ⋅ Akash Chaudhuri, Gourav Khandelwal, Krithika Ramakrishnan, Matthew Mesa, Sagar Patil, Uri Oren
Phish, Click, Breach: Hunting for a Sophisticated Cyber Attack
UNC4393

2024-08-12 ⋅ Rapid7 ⋅ Tyler McGraw
Ongoing Social Engineering Campaign Refreshes Payloads
Black Basta Cobalt Strike GhostSocks Lumma Stealer SystemBC

2024-07-29 ⋅ Mandiant ⋅ Ashley Pearson, Jake Nicastro, Joseph Pisano, Josh Murchie, Joshua Shilko, Raymond Leong
UNC4393 Goes Gently into the SILENTNIGHT
Black Basta QakBot sRDI SystemBC Zloader UNC3973 UNC4393

2024-07-29 ⋅ Microsoft ⋅ Charles-Edouard Bettan, Danielle Kuznets Nohi, Edan Zwick, Meitar Pinto, Vaibhav Deshmukh
Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption
Black Basta Black Basta Storm-0506

2024-06-20 ⋅ Red Canary ⋅ The Red Canary Team
Gourav Khandelwal, Akash Chaudhuri, Matthew Mesa, Sagar Patil, Uri Oren, Krithika Ramakrishnan
UNC4393

2024-06-12 ⋅ Symantec ⋅ Symantec Threat Hunter Team
Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day
Black Basta

2024-06-12 ⋅ Symantec ⋅ Symantec Threat Hunter Team
Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day
Black Basta UNC4393

2024-05-15 ⋅ Stairwell ⋅ Threat Research at Stairwell
Stairwell threat report: Black Basta overview and detection rules
Black Basta Black Basta

2024-05-15 ⋅ Microsoft ⋅ Microsoft Threat Intelligence
Threat actors misusing Quick Assist in social engineering attacks leading to ransomware
Black Basta Cobalt Strike QakBot SystemBC

2024-05-15 ⋅ Microsoft ⋅ Microsoft Threat Intelligence
Threat actors misusing Quick Assist in social engineering attacks leading to ransomware
Black Basta Cobalt Strike QakBot UNC4393

2024-05-10 ⋅ CISA ⋅ CISA
AA24-131A: #StopRansomware: Black Basta
Black Basta Black Basta

2024-05-10 ⋅ Rapid7 Labs ⋅ Evan McCann, Thomas Elkins, Tyler McGraw
Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators
Black Basta Black Basta Cobalt Strike NetSupportManager RAT

2024-04-22 ⋅ Mandiant ⋅ Mandiant
M-Trends 2024 Special Report
UNC4393

2024-02-28 ⋅ Security Intelligence ⋅ Golo Mühr, Ole Villadsen
X-Force data reveals top spam trends, campaigns and senior superlatives in 2023
404 Keylogger Agent Tesla Black Basta DarkGate Formbook IcedID Loki Password Stealer (PWS) Pikabot QakBot Remcos

2023-12-14 ⋅ Mandiant ⋅ Adrian McCabe, Geoff Ackerman, Rufus Brown, Ryan Tomcik
Opening a Can of Whoop Ads: Detecting and Disrupting a Malvertising Campaign Distributing Backdoors
DanaBot DarkGate UNC4393

2023-11-16 ⋅ YouTube (Swiss Cyber Storm) ⋅ Angelo Violetti
Resilience Rising: Countering the Threat Actors Behind Black Basta Ransomware
Black Basta

2023-06-27 ⋅ SecurityIntelligence ⋅ Charlotte Hammond, Ole Villadsen
The Trickbot/Conti Crypters: Where Are They Now?
Black Basta Conti Mount Locker PhotoLoader Royal Ransom SystemBC TrickBot

2023-04-20 ⋅ Mandiant ⋅ Mandiant
M-Trends 2023 Mandiant Special Report
UNC3973 UNC4393

2023-04-19 ⋅ Bleeping Computer ⋅ Bill Toulas
March 2023 broke ransomware attack records with 459 incidents
Clop WhiteRabbit BianLian Black Basta BlackCat LockBit MedusaLocker PLAY Royal Ransom

2023-04-18 ⋅ Mandiant ⋅ Mandiant
M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate

2023-03-30 ⋅ United States District Court (Eastern District of New York) ⋅ Fortra, HEALTH-ISAC, Microsoft
Cracked Cobalt Strike (1:23-cv-02447)
Black Basta BlackCat LockBit RagnarLocker LockBit Black Basta BlackCat Cobalt Strike Cuba Emotet LockBit Mount Locker PLAY QakBot RagnarLocker Royal Ransom Zloader

2023-03-20 ⋅ PWC ⋅ PWC
Cyber Threats 2022: A Year in Retrospect
Black Basta Black Basta Earth Lusca GOLD REBELLION

2023-03-15 ⋅ Reliaquest ⋅ RELIAQUEST THREAT RESEARCH TEAM
QBot: Laying the Foundations for Black Basta Ransomware Activity
Black Basta QakBot

2023-01-25 ⋅ Quadrant Information Security ⋅ Quadrant Information Security
Technical Analysis: Black Basta Malware Overview
Black Basta Black Basta

2023-01-23 ⋅ Kroll ⋅ Elio Biasiotto, Stephen Green
Black Basta – Technical Analysis
Black Basta Cobalt Strike MimiKatz QakBot SystemBC

2022-12-01 ⋅ Zscaler ⋅ Zscaler
Back in Black... Basta - Technical Analysis of BlackBasta Ransomware 2.0
Black Basta

2022-11-23 ⋅ Cybereason ⋅ Cybereason Global SOC Team
THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies
Black Basta QakBot

2022-11-03 ⋅ SentinelOne ⋅ SentinelLabs
Black Basta Ransomware | Attacks deploy Custom EDR Evasion Tools tied to FIN7 Threat Actor
Black Basta QakBot SocksBot

2022-11-03 ⋅ Sentinel LABS ⋅ Antonio Cocomazzi
Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor
Black Basta

2022-10-12 ⋅ Trend Micro ⋅ Ian Kenefick, Lucas Silva, Nicole Hernandez
Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike
Black Basta Brute Ratel C4 Cobalt Strike QakBot

2022-09-08 ⋅ Sentinel LABS ⋅ Aleksandar Milenkoski, Jim Walter
Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection
AgendaCrypt Black Basta BlackCat PLAY

2022-09-01 ⋅ Trend Micro ⋅ Trend Micro
Ransomware Spotlight Black Basta
Black Basta Cobalt Strike MimiKatz QakBot

2022-08-25 ⋅ Palo Alto Networks Unit 42 ⋅ Amer Elsad
Threat Assessment: Black Basta Ransomware
Black Basta QakBot

2022-08-25 ⋅ Palo Alto Networks Unit 42 ⋅ Amer Elsad
Threat Assessment: Black Basta Ransomware
Black Basta

2022-08-22 ⋅ Microsoft ⋅ Microsoft
Extortion Economics - Ransomware’s new business model
BlackCat Conti Hive REvil AgendaCrypt Black Basta BlackCat Brute Ratel C4 Cobalt Strike Conti Hive Mount Locker Nokoyawa Ransomware REvil Ryuk

2022-08-15 ⋅ SecurityScorecard ⋅ Vlad Pasca
A Deep Dive Into Black Basta Ransomware
Black Basta

2022-07-20 ⋅ Kaspersky ⋅ Dmitry Galov, Jornt van der Wiel, Marc Rivero López, Sergey Lozhkin
Luna and Black Basta — new ransomware for Windows, Linux and ESXi
Black Basta Conti

2022-06-30 ⋅ Trend Micro ⋅ Emmanuel Panopio, James Panlilio, John Kenneth Reyes, Kenneth Adrian Apostol, Melvin Singwa, Mirah Manlapig, Paolo Ronniel Labrador
Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit
Black Basta Cobalt Strike QakBot

2022-06-28 ⋅ GBHackers on Security ⋅ Gurubaran S
Black Basta Ransomware Emerging From Underground to Attack Corporate Networks
Black Basta

2022-06-06 ⋅ NCC Group ⋅ Peter Gurney, Ross Inman
Shining the Light on Black Basta
Black Basta

2022-06-01 ⋅ Avertium ⋅ Avertium
An In-Depth Look At Black Basta Ransomware
Black Basta

2022-05-26 ⋅ IBM ⋅ Dave McMillen, Kevin Henson
Black Basta Besting Your Network?
Black Basta

2022-05-20 ⋅ AdvIntel ⋅ Marley Smith, Vitali Kremez, Yelisey Boguslavskiy
DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
AvosLocker Black Basta BlackByte BlackCat Conti HelloKitty Hive

2022-05-09 ⋅ Trend Micro ⋅ Ieriz Nicolle Gonzalez, Ivan Nicole Chavez, Katherine Casona, Nathaniel Morales
Examining the Black Basta Ransomware’s Infection Routine
Black Basta

2022-04-29 ⋅ The Record ⋅ Jonathan Greig
German wind farm operator confirms cybersecurity incident
Black Basta BlackCat

2022-04-27 ⋅ BleepingComputer ⋅ BleepingComputer
New Black Basta ransomware springs into action with a dozen breaches
Black Basta

2022-04-26 ⋅ Bleeping Computer ⋅ Lawrence Abrams
American Dental Association hit by new Black Basta ransomware
Black Basta

Credits: MISP Project