Black Basta Group

Threat Actor

First discovered in April 2022, hitting almost 50 organization in the months after.

Victims include manufacturing, utilities, transport, and government agencies in countries around the world including the United States, UK, India, Canada, Australia, New Zealand, and UAE.

Recently, VMWare ESXi variants of Black Basta have been discovered that target virtual machines running on Linux servers, alongside the versions which infect Windows systems.

In addition, many of the attacks have made use of Qakbot (also known as QBot) to help it spread laterally through an organisation, perform reconnaissance, steal data, and execute payloads. Furthermore, a group policy object is created on compromised domain controllers to disable Windows Defender and anti-virus solutions. [source:]