IT Brief Canada - Technology news for CIOs & IT decision-makers

Former Black Basta affiliates target executives in Teams

Thu, 16th Apr 2026

ReliaQuest has reported a rise in cyber attacks it links to suspected former Black Basta affiliates, with activity increasingly aimed at senior executives.

According to the cyber security firm, 56% of the Microsoft Teams phishing activity it has tracked since the group's decline in early 2025 occurred in the first four months of 2026, with 32% in March alone. The campaign combines mass email bombing with help desk impersonation over Teams to gain remote access to targets.

ReliaQuest said the pattern points to a single organised effort rather than unrelated imitators, stating: "We assess with high confidence this is a unified campaign by former affiliates, not independent copycats."

Leadership focus

The analysis found that attackers have shifted their attention to higher-ranking staff. From March 1 to April 1, 77% of observed incidents targeted senior-level employees, up from 59% in the first two months of 2026.

That marks a change from earlier activity, when some lower-ranking staff with management-sounding titles were also targeted. The latest pattern suggests attackers have refined automated reconnaissance to identify people with greater access from the outset.

Manufacturing and professional, scientific, and technical services were the most affected sectors, each accounting for 26% of all Black Basta-style incidents observed in 2026. The concentration is notable because disruption in those industries can quickly translate into operational and financial pressure.

Faster intrusions

The attacks begin with a flood of emails intended to overwhelm a user's inbox and create confusion. Within minutes, that is followed by a Teams message or phone call from someone posing as internal IT support.

In some cases, attackers moved from the first chat contact to running malicious scripts in as little as 12 minutes. Chats aimed at different users were also often launched within minutes of one another, with one case showing messages initiated just 29 seconds apart.

That pace suggests some automation in the early stage of the intrusion. It also reduces the time available for security teams to identify the email bombardment, warn users, and stop an incoming remote session.

Remote access tools

The attackers relied on a rotating set of remote monitoring and management tools. ReliaQuest identified Supremo Remote Desktop as a main tool in the current campaign and also noted the use of Quick Assist, which is built into Windows 11.

Once a target joins the remote session, the attackers can take control of the machine and run scripts disguised as legitimate utilities. One example cited in the analysis was a file named MailAccountWizard.jar, presented in a way that supports the false claim that IT staff are fixing the email issue.

ReliaQuest said it had not observed ransomware being deployed in the incidents covered by the report. Even so, the steps seen in these intrusions are consistent with activity that often precedes ransomware and extortion attempts.
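For defenders, the sequence described above (inbox flood, Teams contact within minutes, remote access tool launch) can be expressed as a per-user correlation rule. The sketch below is an added example, not code from ReliaQuest or the article. The event schema, the thresholds, the `external` flag on chat events, and the executable names for Supremo and Quick Assist are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds and process names; tune to your own telemetry.
BURST_COUNT = 20                      # emails that count as a flood
BURST_WINDOW = timedelta(minutes=5)
CHAT_WINDOW = timedelta(minutes=15)   # flood -> external Teams chat
RMM_WINDOW = timedelta(minutes=30)    # chat -> remote tool launch
RMM_IMAGES = {"supremo.exe", "quickassist.exe"}

def correlate(events):
    """Return one alert per user whose timeline matches flood -> chat [-> RMM]."""
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        per_user[e["user"]].append(e)
    alerts = []
    for user, evs in per_user.items():
        mails = [e["ts"] for e in evs if e["type"] == "email"]
        # Earliest moment at which BURST_COUNT mails fit inside BURST_WINDOW.
        flood = next((mails[i + BURST_COUNT - 1]
                      for i in range(len(mails) - BURST_COUNT + 1)
                      if mails[i + BURST_COUNT - 1] - mails[i] <= BURST_WINDOW), None)
        if flood is None:
            continue
        chat = next((e["ts"] for e in evs if e["type"] == "teams_chat"
                     and e["external"] and flood <= e["ts"] <= flood + CHAT_WINDOW), None)
        if chat is None:
            continue
        rmm = next((e["image"] for e in evs if e["type"] == "process"
                    and e["image"].lower() in RMM_IMAGES
                    and chat <= e["ts"] <= chat + RMM_WINDOW), None)
        alerts.append({"user": user, "severity": "critical" if rmm else "high",
                       "flood_at": flood, "chat_at": chat, "rmm": rmm})
    return alerts

def sample_events():
    """Constructed sample telemetry, not data from the report."""
    t0 = datetime(2026, 4, 1, 9, 0, 0)
    ev = [{"ts": t0 + timedelta(seconds=5 * i), "user": u, "type": "email"}
          for u in ("cfo", "coo") for i in range(40)]
    ev += [{"ts": t0 + timedelta(hours=i), "user": "intern", "type": "email"} for i in range(8)]
    ev.append({"ts": t0 + timedelta(minutes=4), "user": "cfo", "type": "teams_chat", "external": True})
    ev.append({"ts": t0 + timedelta(minutes=4, seconds=29), "user": "coo", "type": "teams_chat", "external": True})
    ev.append({"ts": t0 + timedelta(minutes=16), "user": "cfo", "type": "process", "image": "Supremo.exe"})
    ev.append({"ts": t0 + timedelta(minutes=6), "user": "intern", "type": "teams_chat", "external": True})
    return ev

if __name__ == "__main__":
    for a in correlate(sample_events()):
        print(a)
```

Raising the alert at the chat stage, before any remote tool starts, matters because the reported gap between first chat and script execution can be as short as 12 minutes.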

Attribution questions

Black Basta emerged as a prominent Russia-linked ransomware-as-a-service group in 2022 and faded after internal chat logs were leaked in 2025. ReliaQuest said the current activity mirrors the group's historic methods, including manufacturing-sector targeting, help desk impersonation, and the use of alternating remote access tools.

Some later-stage elements, however, do not point neatly to one group. Extortion activity has at times aligned with Chaos ransomware, while some tooling and naming conventions have overlapped with FIN7, suggesting a broader ecosystem in which operators and methods are reused.

ReliaQuest outlined three plausible explanations: former Black Basta affiliates have regrouped under another name, those affiliates are working with another ransomware or extortion cluster, or a separate actor has adopted the same methods because they remain effective. Its assessment was that former affiliates are likely involved, either regrouping or collaborating with others.

Defensive measures

Companies should review procedures for help desk requests involving remote access. ReliaQuest recommended using out-of-band verification, restricting which remote access tools can run inside an organisation, and carrying out targeted simulations for senior staff.

The findings highlight a familiar issue for corporate defenders: attacks that rely on impersonation and urgency can bypass technical safeguards if internal processes are weak.