Are Former Black Basta Affiliates Automating Executive Targeting?
Editor's note: This report was authored by John Dilgen and Alexa Feminella.

- Former Black Basta affiliates are highly likely evolving the group's social engineering playbook, using automated email bombing and Teams-based social engineering to gain remote access to senior-level employees within minutes.
- 77% of such incidents in March 2026 targeted leadership, up from 59% in the first two months of the year. Manufacturing and PSTS account for 26% of incidents each, consistent with Black Basta's historical targeting preferences.
- Since the group's decline, 56% of all Teams-based phishing activity has occurred in 2026 alone. We assess with high confidence that this is a unified campaign by former affiliates, not independent copycats.
- Defenders must implement out-of-band verification for any help desk request involving remote access, enforce strict control of remote access tooling, and run targeted simulations for senior personnel.

A new campaign is successfully evolving Black Basta's signature social engineering playbook into a faster, more targeted, and increasingly automated intrusion method aimed at senior leadership.

Black Basta was a prolific Russia-linked ransomware-as-a-service (RaaS) group active from early 2022 until its internal chat logs were leaked in February 2025. This campaign, likely conducted by former affiliates, uses an automated two-pronged social engineering attack: mass email bombing to overwhelm a target's inbox, followed by Microsoft Teams-based help desk impersonation to gain remote access. In some cases, attackers moved from initial chat engagement to executing malicious scripts in as little as 12 minutes.

56% of the Teams phishing activity we've observed
since Black Basta's decline in early 2025 occurred in the first four months of 2026 alone, with 32% happening in March. This raises the question: why is the playbook of a now-defunct group surging months after its collapse? Throughout this report, we detail the indications that led us to conclude it is highly likely a unified campaign from former affiliates who are carrying this tradecraft forward and evolving it by targeting senior leadership. From March 1 to April 1, 2026, 77% of observed incidents targeted senior-level employees, up from 59% in the first two months of 2026.

This activity demonstrates that a threat group's most effective tactics can long outlive the group itself. Defenders should treat this as a signal to reassess help desk verification procedures, tighten controls around remote access tooling, and ensure detection logic accounts for the evolving pretexts and tool rotation detailed in this report.

In this report, we:

- Detail how attackers combine email bombing and Teams-based impersonation to target senior personnel.
- Examine how Black Basta's tradecraft continues to shape current threat activity despite the group's public decline.
- Assess targeting patterns, attribution signals, and defensive steps to disrupt similar intrusions.

32% of the Teams phishing activity we've observed since May 2025 occurred in March 2026 alone. Across these intrusions, we identified three defining characteristics: a focus on senior leadership, automated attack timelines, and a rotating set of remote access tools. The following sections examine each in detail.

Figure 1: Monthly distribution of Teams phishing activity since May 2025, culminating in a surge in March 2026.

This campaign's most significant evolution is its focus on targeting senior leadership, a tactic designed to secure high-privilege access from the very start and eliminate the need for noisy, time-consuming post-compromise escalation. In March 2026, 77% of attacks targeted executives, managers, and directors, up from 59% during January and February 2026.

That increase likely reflects a direct refinement of the attackers' automated targeting. During the earlier period, most of the non-senior users targeted held titles such as "project manager," a role that superficially resembles management but carries far fewer privileges. The removal of such roles from targeting scripts appears to account for the jump, suggesting threat actors are likely iterating on their open-web reconnaissance automation to improve the quality of their target pool.

The strategic advantage is clear. An attacker who lands with high-level access from day one (a trend observed in 47% of all attacks ReliaQuest tracked in 2025) can move immediately to data theft or ransomware deployment, bypassing lateral movement and privilege escalation techniques, which are both time-consuming and create additional detection opportunities for defenders.

Figure 2: User targeting from recent Black Basta-style attacks.

This risk is most acute in sectors where operational disruption carries immediate and severe consequences. Manufacturing and Professional, Scientific, and Technical Services (PSTS) each accounted for 26% of all Black Basta-style incidents observed in 2026. While all sectors were represented, this concentration indicates that the top two sectors were likely direct targets (see Figure 3). Both sectors tend to employ large, operationally pressured workforces that may be more susceptible to social engineering tactics such as vishing, and when the compromised user is a senior leader, the threat of ransomware halting production creates intense pressure to meet extortion demands quickly. This pattern closely mirrors Black Basta's known targeting preferences: the group named more manufacturing organizations on its data-leak site than any other sector during its active period, further supporting the likelihood that former affiliates are behind this campaign. Organizations in both manufacturing and PSTS should expect this targeting to continue and intensify in the near
term.

Figure 3: Top five sectors targeted in recent Black Basta-style attacks.

Attackers are using automation to compress a multi-step social engineering attack into minutes, reducing the time defenders have to intervene before a live remote management session is established on a senior leader's machine.

The initial access phase appears to follow a two-pronged approach that weaponizes a user's own inbox to create urgency and make follow-on outreach appear credible. It begins with a high-volume email bomb (hundreds of emails sent in minutes) designed to overwhelm users and create confusion. Within minutes, the threat actor, posing as IT support, contacts the targeted user via a direct Microsoft Teams message or phone call to begin the next phase of the attack.

This follow-on activity also involves automation or, at minimum, a highly repeatable process. Chats directed at multiple users are often created within minutes of one another; in one instance, chats were initiated just 29 seconds apart. That pace is difficult to sustain consistently through purely manual targeting and suggests that the attackers are streamlining the early stages of engagement to reach users before defensive action can be taken.

Consistent with past Black Basta-style tradecraft, the campaign's infrastructure shows a repeatable setup. The threat actors pose as internal support functions (e.g., help desk) and rely on consistent infrastructure elements across intrusions:

- Russia-based source IP addresses to initiate contact (see the report's IOC table for the specific threat actor-linked IP addresses).
- Disposable onmicrosoft.com tenant accounts, easily created and rotated to avoid blocklisting.
- Impersonation identities and chat names styled as internal IT or help desk personas to increase user trust.

No single element here is unique, and the use of disposable Microsoft tenant accounts is now common across multiple threat groups. What distinguishes this campaign is the consistency with which these elements are combined and the speed with which the early engagement phase has been operationalized. Historically, social engineering attacks of this complexity often involved meaningful delay between steps, giving defenders time to detect and intervene. Now the time between the first sign of an email bomb and an active remote session may be measured in minutes, and this automated playbook is being aimed squarely at an organization's most privileged users. For defenders, email bomb activity should trigger immediate user notification and heightened scrutiny of any IT support outreach that follows.

Supremo Remote Desktop has become a primary remote monitoring and management (RMM) tool in this campaign, allowing attackers to quickly turn social engineering into hands-on access to a victim's host. This lightweight remote tool is legitimate but has malicious use cases, which makes it ideal for attackers seeking to blend in with legitimate business activity. Security researchers have noted that Supremo was previously used by Black Basta affiliates in limited volume [1], which also supports the likelihood that the group's affiliates are behind this campaign. The tool's limited use also means that many defenders likely do not have security controls in place to prevent its execution and are less aware of its potential for malicious activity.

Once on the phone with the target user, threat actors convince them to join an RMM session, providing the attackers with control of the user's host. Through the RMM session, the attackers execute malicious scripts, often named to resemble common email tools, such as MailAccountWizard.jar. By naming their scripts to mimic legitimate email utilities, the attackers reinforce their social engineering premise that they are the help desk and are there to resolve the email bombing issue. While ReliaQuest has not observed ransomware deployment in the incidents described here, the techniques used are consistent with pre-ransomware staging, which suggests encryption will likely follow if attacks are successful (see Figure 4).

Figure 4: Pre-ransomware staging of Black Basta-style attacks.
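The chain described above (an email bomb, an external Teams chat from an IT-styled persona, an RMM tool launched from the user's Downloads folder, then a script named like a mail utility) is a sequence of individually weak signals that only becomes high-confidence when correlated per user inside a short window. The following is an added example written for this page, not ReliaQuest or GreyMatter detection content: it runs three simple detectors over constructed mail, Teams, and endpoint telemetry and correlates them. The thresholds, tool binary names, persona keywords, tenant names, and timings are all assumptions.

```python
"""Correlate the weak signals of a Black Basta-style Teams phishing chain into one alert.
Events are constructed sample data; thresholds, tool and persona names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

RMM_TOOLS = {"supremo.exe", "quickassist.exe"}            # assumed binary names
IT_PERSONAS = ("help desk", "helpdesk", "it support", "it assistance", "network support")
OWN_TENANT = "contoso.onmicrosoft.com"                    # constructed: the org's own tenant
BOMB_THRESHOLD, BOMB_WINDOW = 100, timedelta(minutes=10)  # assumed email-bomb rate
CHAIN_WINDOW = timedelta(minutes=30)                      # bomb -> chat -> RMM must fit inside
CHAIN = ("email_bomb", "teams_it_impersonation", "rmm_from_downloads")  # signals: (ts, user, kind, detail)

def detect_email_bombs(mail_events):
    """mail_events: (ts, recipient). Flag the first sliding BOMB_WINDOW holding >= BOMB_THRESHOLD."""
    by_user = defaultdict(list)
    for ts, rcpt in mail_events:
        by_user[rcpt].append(ts)
    out = []
    for user, stamps in by_user.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > BOMB_WINDOW:
                start += 1
            if end - start + 1 >= BOMB_THRESHOLD:
                out.append((stamps[start], user, "email_bomb", f"{end - start + 1} msgs"))
                break
    return out

def detect_teams_impersonation(chat_events):
    """Chats from a foreign *.onmicrosoft.com tenant whose display name poses as IT."""
    out = []
    for e in chat_events:
        domain = e["sender"].split("@")[-1].lower()
        poses_as_it = any(p in e["display_name"].lower() for p in IT_PERSONAS)
        if domain.endswith(".onmicrosoft.com") and domain != OWN_TENANT and poses_as_it:
            out.append((e["ts"], e["recipient"], "teams_it_impersonation", e["sender"]))
    return out

def detect_endpoint_signals(process_events):
    """An RMM binary started from Downloads, or a jar named like a mail utility."""
    out = []
    for e in process_events:
        image = e["image"].replace("/", "\\").lower()
        exe, cmd = image.rsplit("\\", 1)[-1], e.get("cmdline", "").lower()
        if exe in RMM_TOOLS and "\\downloads\\" in image:
            out.append((e["ts"], e["user"], "rmm_from_downloads", e["image"]))
        if exe in ("java.exe", "javaw.exe") and "-jar" in cmd and "mailaccountwizard" in cmd:
            out.append((e["ts"], e["user"], "mail_tool_script", e["cmdline"]))
    return out

def correlate(signals):
    """One alert per user whose signals contain CHAIN in order inside CHAIN_WINDOW; nothing alerts alone."""
    by_user = defaultdict(list)
    for sig in signals:
        by_user[sig[1]].append(sig)
    alerts = []
    for user, sigs in by_user.items():
        sigs.sort()
        matched = []
        for sig in sigs:
            if len(matched) < len(CHAIN) and sig[2] == CHAIN[len(matched)]:
                matched.append(sig)
        if len(matched) < len(CHAIN) or matched[-1][0] - matched[0][0] > CHAIN_WINDOW:
            continue
        follow_ups = [s for s in sigs if s[2] == "mail_tool_script" and s[0] >= matched[-1][0]]
        alerts.append({"user": user,
                       "minutes_to_remote_access": (matched[-1][0] - matched[0][0]) / timedelta(minutes=1),
                       "timeline": [(s[0].strftime("%H:%M"), s[2], s[3]) for s in matched + follow_ups]})
    return alerts

# Constructed telemetry: the CFO is bombed at 09:00, chatted at 09:06, joins Supremo at 09:10,
# and a mail-tool-named jar runs at 09:18. An IT admin's Supremo from Program Files and an
# internal help desk chat must stay benign; a user with a lone signal must not alert.
T0 = datetime(2026, 3, 10, 9, 0)
SAMPLE_MAIL = ([(T0 + timedelta(seconds=i), "cfo@contoso.com") for i in range(240)]
               + [(T0 + timedelta(minutes=5 * i), "engineer@contoso.com") for i in range(6)])
SAMPLE_CHATS = [
    {"ts": T0 + timedelta(minutes=6), "sender": "helpdesk@example-tenant.onmicrosoft.com",
     "display_name": "IT Support", "recipient": "cfo@contoso.com"},
    {"ts": T0 + timedelta(minutes=7), "sender": "alice@contoso.onmicrosoft.com",
     "display_name": "Help Desk", "recipient": "engineer@contoso.com"},
]
SAMPLE_PROCS = [
    {"ts": T0 + timedelta(minutes=10), "user": "cfo@contoso.com",
     "image": r"C:\Users\cfo\Downloads\Supremo.exe", "cmdline": "Supremo.exe"},
    {"ts": T0 + timedelta(minutes=11), "user": "itadmin@contoso.com",
     "image": r"C:\Program Files\Supremo\Supremo.exe", "cmdline": "Supremo.exe"},
    {"ts": T0 + timedelta(minutes=18), "user": "cfo@contoso.com",
     "image": r"C:\Program Files\Java\bin\java.exe",
     "cmdline": r"java.exe -jar C:\Users\cfo\Downloads\MailAccountWizard.jar"},
]

def run_sample():
    """Run all three detectors over the constructed telemetry and correlate the result."""
    return correlate(detect_email_bombs(SAMPLE_MAIL) + detect_teams_impersonation(SAMPLE_CHATS)
                     + detect_endpoint_signals(SAMPLE_PROCS))
```

Calling run_sample() returns a single alert for the CFO with a 10-minute bomb-to-RMM timeline; the IT admin's Supremo launch and the internal help desk chat produce no signals, and the endpoint signals alone never alert.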
Supremo was not the only RMM tool recently observed; threat actors also used Quick Assist, which is natively installed on Windows 11 devices. To abuse this tool, target users are simply given a hotkey (Windows key + Ctrl + Q) and then a code to enter. These are very easy instructions for non-technical users to follow, and Quick Assist requires no new software download. These two advantages make it more likely that the target user joins the remote session and less likely that defenders notice an unauthorized RMM session, ultimately increasing the threat actor's chance of successfully deploying ransomware.

The use of RMM tools such as Quick Assist and Supremo is nothing new. In fact, Black Basta previously used Quick Assist extensively from 2024 to 2025. That these tools are being leveraged again in 2026 highlights how difficult it is for organizations to close key foundational control gaps, such as help desk procedural flaws, and why attackers continue to exploit them. While many organizations may have restricted certain RMM tools through global policies or application controls, operational challenges, such as new hosts joining the network through mergers and legitimate business requirements, can leave persistent gaps. To reduce this exposure, defenders should regularly audit which RMM tools are permitted across their environments and enforce strict application controls.

The attribution question matters because this activity reflects the re-emergence of a highly effective intrusion model that has previously led to disruptive ransomware and extortion events. Even if the actors are not operating under the Black Basta name, defenders are once again facing the same combination of email bombing, impersonated IT outreach, and remote access abuse, now aimed at high-value users.

This campaign closely matches historical Black Basta activity in its manufacturing sector targeting, its use of specific but alternating RMM tools, and its reliance on a well-established social engineering workflow. At the same time, some downstream elements do not point cleanly to Black Basta alone. Extortion activity has aligned at times with Chaos ransomware, while some tooling and naming conventions align with FIN7. These overlaps suggest not a neat attribution but a fluid ecosystem in which operators and playbooks are reused across groups.

We see three plausible explanations:

- Former Black Basta affiliates are regrouping under a new name.
- Former affiliates are collaborating with another ransomware or extortion cluster.
- Another actor is adopting Black Basta-style tactics because they work.

Our assessment is that it is highly likely former Black Basta affiliates are involved, either regrouping or collaborating with others. Pure imitation is possible but less likely given how closely the campaign aligns with legacy Black Basta tradecraft.

Ultimately, the "who" is less important than the "what." A proven, effective intrusion method is now more active and refined than ever, and organizations must be prepared to defend against the tactic, not just a name.

This Black Basta-style campaign is built for speed, moving from an email bomb to a remote access session in minutes by exploiting human trust rather than technical flaws. ReliaQuest GreyMatter is designed to detect and respond to this behavioral chain by correlating weak signals across different technologies into a single high-confidence alert.

GreyMatter Agentic AI focuses on the sequence of events rather than isolated alerts. An email bomb, a suspicious Teams chat from an external account, and the launch of an RMM tool are all low-fidelity events on their own. Correlated by GreyMatter, they describe the pattern of this campaign, allowing for detection before a malicious script is ever run.

ReliaQuest detection rules are continuously updated to surface the specific TTPs used in this campaign. By looking for behavioral indicators, like a massive influx of mail to one user, a Teams chat impersonating IT, or an RMM tool running from a user's Downloads folder, we can identify the attack chain as it unfolds.

GreyMatter Automated Response Playbooks turn that detection into immediate action. Once the campaign is identified, prebuilt playbooks can isolate the affected host, revoke the remote access session, and block the RMM tool's network communication, all within minutes and across your existing security stack. In a campaign designed to move from inbox to remote shell in under 10 minutes, automated containment removes the window attackers depend on.

This campaign moves at the speed of social engineering, meaning defenses must focus on disrupting the attack chain before remote access is achieved. These recommendations target the procedural and configuration gaps exploited by these actors.

Implement a multi-channel verification process for help desk support: Do not rely on email or Teams chat alone to verify identity. Mandate a strict protocol in which any request for remote access requires out-of-band verification, such as a callback to the user's registered phone number or an approval flow through a separate, trusted application. This prevents an impersonator from controlling the entire communication channel.

Harden controls around RMM tooling: Use application allowlisting to ensure only company-approved RMM tools can be executed, and restrict their use to authorized IT personnel only. For native tools like Quick Assist, use AppLocker or similar controls to prevent execution by general users, especially senior leaders, who are less likely to need it. Block known malicious uses of RMM tools such as Supremo at the endpoint and network perimeter.

Conduct targeted simulation-based training for senior personnel: General security awareness training is not enough. Run specific simulations for executives and managers that mimic this exact TTP: an email bomb followed by an urgent Teams message from "IT support." The goal is to condition them to recognize that legitimate support will never create pressure or circumvent established verification protocols.

This campaign's
success reinforces what has been true for some time: procedural gaps remain one of the most consistently exploitable weaknesses in enterprise environments. An attack chain that abuses employee trust in the help desk cannot be stopped by technology alone; it requires a strict, non-negotiable verification process for any request involving remote access. Given the low barrier to entry and high success rate, ReliaQuest assesses that within 12 months, a majority of social engineering-led initial access campaigns targeting enterprises will likely incorporate some variant of this help desk impersonation model.

As defenders adapt, attackers will too. As detections improve for common patterns like generic IT impersonation, repeated Teams outreach, or known RMM tools, expect pretexts to vary and tooling to rotate. The next likely RMM tool rotation may favor platforms that are preinstalled in enterprise environments, such as Remote Desktop or cloud-native tools, or tools with a legitimate vendor presence that complicates allowlisting. Defenders should expect these intrusions to become more common, more tailored, and less reliant on static indicators over time.

Targeting is also likely to become more selective. Rather than broadly impersonating IT support to any senior employee, attackers are likely to narrow their focus to roles that provide the fastest path to monetization or operational disruption, such as CFOs and finance leaders, R&D leadership, plant or operations management, and other personnel with access to intellectual property, payment workflows, or production systems. In manufacturing especially, compromise of a single well-placed user could expose proprietary designs, supplier relationships, financial controls, or operational decision-making. As awareness improves across general leadership populations, threat actors will likely prioritize the users whose access creates the highest downstream leverage.

[1] hxxps://github.com/BushidoUK/Ransomware-Tool-Matrix/blob/main/Tools/RMMTools.md