A new social engineering campaign, likely orchestrated by former affiliates of the defunct Black Basta ransomware group, has targeted over 100 employees across numerous organizations, aiming for network intrusion, potential data theft, and extortion. This renewed activity, identified by cybersecurity firm ReliaQuest, uses mass email and impersonation tactics to gain access.
The campaign, which saw a notable increase in activity last month and dates back to at least May 2025, primarily focuses on senior leadership to secure highly privileged access. Approximately three-quarters of the targeted individuals hold executive, director, or managerial positions, according to researchers involved in the report.
Former Black Basta Affiliates Hint at Resurgence
The emergence of this threat actor group is closely linked to the scattering of Black Basta affiliates following the leak of the ransomware group’s internal chat logs in February 2025. This data provided cybersecurity researchers and law enforcement with critical insights into the group’s operational methods and structure. Meanwhile, German authorities publicly identified Oleg Evgenievich Nefedov, a Russian national, as the alleged leader of Black Basta in January. Nefedov, now on Europol and Interpol’s most-wanted lists, is accused of leading the ransomware operation since 2022, extorting over 100 companies in Germany and an additional 600 globally.
ReliaQuest’s analysis indicates that the current campaign shares significant similarities with past Black Basta operations. These consistent tactics, techniques, and procedures, including the use of specific remote access tools and a focus on historically favored industries, suggest experienced operators are leveraging a known and effective playbook.
Indicators of Sophistication and Speed
Researchers highlighted a high degree of speed and coordination in the attacks, which points to seasoned actors. “We’re careful not to treat any one artifact as definitive proof, but taken together, the similarities are strong enough that we assess it is highly likely former affiliates or closely aligned operators are involved,” ReliaQuest researchers stated.
Black Basta’s data leak site shut down after the chat log leak, and it is typical for cybercriminals to disperse and form new alliances after such a disruption. Cybersecurity professionals had previously warned of continued targeting by former Black Basta members. ReliaQuest’s report includes indicators of compromise, which the firm released after observing a sharp increase in activity in March. The firm noted a particular emphasis on targeting senior employees in this recent wave of attacks.
The operators of the current campaign are reportedly moving very quickly. Parts of their operational workflow appear to be highly streamlined or automated, which lets them scale rapidly and makes it difficult for defenders to intervene before initial network access is established. This speed and efficiency are key characteristics of sophisticated threat actors.
According to ReliaQuest, the top five sectors targeted in these Black Basta-style attacks are manufacturing, professional services, finance and insurance, construction, and technology. Attack methodologies include bombarding targeted employees with a multitude of emails within a short timeframe, followed by direct messages on Microsoft Teams or phone calls impersonating IT support personnel. In some observed instances, attackers achieved remote access mere minutes after the initial email barrage.
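As an added illustration (not part of the ReliaQuest report or the original article), the following Python sketch shows how a defender could correlate the sequence described above per user: an inbound email burst, then an unsolicited "IT support" contact, then a remote-access session. The event kinds, thresholds and sample data are constructed assumptions, not a real product's log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event kinds ("email_inbound", "external_contact", "remote_access_start") and
# all thresholds are assumptions for this sketch, not a real product's schema.
def correlate(events, burst_min=20, burst_window=timedelta(minutes=10),
              follow_window=timedelta(minutes=30)):
    """Map each flagged user to the furthest stage: burst, contact, remote_access."""
    per_user = defaultdict(list)
    for ts, user, kind in events:
        per_user[user].append((datetime.fromisoformat(ts), kind))
    findings = {}
    for user, evs in per_user.items():
        mails = sorted(ts for ts, k in evs if k == "email_inbound")
        # Burst: the i-th mail and the one burst_min-1 before it fit in the window.
        burst_at = next((mails[i] for i in range(burst_min - 1, len(mails))
                         if mails[i] - mails[i - burst_min + 1] <= burst_window), None)
        if burst_at is None:
            continue
        stage = "burst"
        # Unsolicited "IT support" contact (Teams DM or call) shortly after the burst.
        contacts = sorted(ts for ts, k in evs if k == "external_contact"
                          and burst_at <= ts <= burst_at + follow_window)
        if contacts:
            stage = "contact"
            # Remote-access session started soon after that contact.
            if any(k == "remote_access_start"
                   and contacts[0] <= ts <= contacts[0] + follow_window
                   for ts, k in evs):
                stage = "remote_access"
        findings[user] = stage
    return findings

def _burst(user, start, n, gap_s):
    t0 = datetime.fromisoformat(start)
    return [((t0 + timedelta(seconds=i * gap_s)).isoformat(), user, "email_inbound")
            for i in range(n)]

# Constructed sample data (not from the ReliaQuest report).
SAMPLE = (
    _burst("cfo", "2025-01-01T09:00:00", 40, 5)           # 40 mails in ~3 minutes
    + [("2025-01-01T09:05:00", "cfo", "external_contact"),
       ("2025-01-01T09:09:00", "cfo", "remote_access_start")]
    + _burst("analyst", "2025-01-01T09:00:00", 40, 600)   # spread over hours
    + [("2025-01-01T10:00:00", "analyst", "remote_access_start")]
    + _burst("director", "2025-01-01T11:00:00", 25, 10)   # burst, no follow-up
)
if __name__ == "__main__":
    print(correlate(SAMPLE))
```

Because remote access can follow the burst within minutes, the "burst" stage on its own is the point at which an alert is still early enough to act on.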
While the attackers’ primary objective is likely extortion, ReliaQuest cautioned against assuming every incident culminates in ransomware encryption. “Based on what we’ve observed, the intrusion chain is built to gain access quickly, understand the environment, and create options for follow-on monetization,” the researchers explained. “That could lead to data theft, extortion without encryption, or ransomware deployment, depending on the victim and the opportunity.”
ReliaQuest has not disclosed the exact number of organizations that have fallen victim to this specific campaign. The firm’s findings provide crucial intelligence for organizations to fortify their defenses against these evolving threats. Future monitoring will likely focus on the continued activity of these actors and their potential adaptation to security measures.

