SecOps & Risk mitigation
CyberProof uses OSINT and threat intelligence feeds for visibility into threats.
CyberProof’s adaptable playbooks address continuously evolving threats with updated strategies.
Professionals manage sophisticated networks, leveraging experience to counter advanced threats.
24/7 global SOC support ensures incident response with guaranteed SLA.
CyberProof develops recovery plans, restoring capabilities after a cyber incident.
Classify and manage enterprise assets, understanding risks and data sensitivity.
Non-destructive tests uncover potential exploits in assets and applications.
Mitigate security issues early with CyberProof’s training and awareness programs.
Rigorous security assessment for on-premise and cloud applications to ensure protection.
IAM manages user access and monitors for anomalies, keeping identities and accounts secure.
Cloud First approach ensures compliance and security within cloud environments.
Managed service for SIEM, EDR, MXDR, and threat intelligence solutions.
Identify, assess, and mitigate security vulnerabilities through regular scanning.
Partners
“Today I have complete visibility into the entire environment, in real time”
Jamil Farshchi | Equifax CISO
CyberProof Acquires Interpres Security
By leveraging and integrating the Interpres Security CTEM solution into its security services portfolio, CyberProof is able to continuously identify, assess, and prioritize risk while adapting defense services, such as MDR, vulnerability management, and use case management, to address ever-evolving threats. Take proactive steps to fortify your security today!
Case Studies
Retail Company Reduces Data Costs by 85% with SIEM Transformation
90% increase in visibility after deploying Microsoft XDR with CyberProof
Enterprise saves millions on data ingestion & storage following cloud migration.
SOC unification streamlines enterprise insurance company’s security & network monitoring operations.
Global medical devices company gains visibility and meets stringent compliance standards across global geos
Pharmaceutical organization significantly enhances threat detection and response times
Threat Alerts
Leaked Black Basta Ransomware Chat Logs
In February 2025, a major leak exposed over 200,000 internal messages from the Black Basta ransomware gang, revealing critical insights into their operations. The leak, shared by “ExploitWhispers,” highlights the group’s tactics, including the exploitation of high-severity vulnerabilities such as CVE-2019-19781 in Citrix NetScaler (CVSS 9.8), CVE-2021-34473 in Microsoft Exchange (CVSS 9.8), and CVE-2018-13379 in Fortinet FortiOS (CVSS 9.8). These CVEs have been actively targeted by Black Basta. Additionally, the discussions show that SMB misconfigurations, exposed RDP servers, and weak authentication mechanisms are routinely exploited, often relying on default VPN credentials or brute-forcing stolen credentials.
The leak also provides insights into the gang’s leadership and operations. Key figures, including “Tramp” (Oleg Nefedov), have been identified, and the group has focused on exploiting known vulnerabilities in critical infrastructure sectors. Black Basta’s use of malware droppers and reliance on social engineering tactics demonstrates their evolving attack methods. This information underscores the importance of patching known vulnerabilities, especially those actively exploited in the wild, to mitigate the risk of a breach.
Lumma and ACRStealer Employ Dead Drop Resolver for C2 Evasion
Security researchers have observed a new malware campaign distributing infostealers such as LummaC2 and ACRStealer under the guise of illegal programs like cracks and keygens. ACRStealer employs a Dead Drop Resolver (DDR) technique similar to Vidar and LummaC2, using a legitimate web platform as an intermediary command-and-control (C2) server. Threat actors encode the actual C2 domain in Base64 on a specific webpage, which the malware then accesses and parses to retrieve the real C2 address. This method allows the malware to communicate covertly and execute malicious activities. While Steam has previously been used as an intermediary C2, recent malware campaigns have shifted to leveraging Google Docs (Forms and Presentations) and Telegra.ph for this purpose.
ACRStealer continuously modifies the placement of C2 strings across various platforms, making detection difficult. Currently, these strings are inserted into the ‘summary’ field of certain web services, making them invisible in a standard web browser and only detectable in the page source. The malware constructs the actual C2 URL by combining the retrieved domain with a hardcoded UUID identifier, then downloads configuration data encrypted with Base64 and XOR.
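As an added illustration of how a defender can hunt for the Dead Drop Resolver placement described above, the script below parses a saved page source, pulls the values of metadata fields that never render in a browser (meta tags and "summary" elements), and flags any Base64 token that decodes to a hostname or URL. This is example code written for this page, not CyberProof's or the researchers' tooling; the sample page, the field names it inspects and the reserved placeholder name "update.example.invalid" are all constructed assumptions rather than real indicators.

```python
"""Hunt for Dead Drop Resolver (DDR) artifacts in a saved web page source.

Defender-side example (not CyberProof's code): given the source of a page that
malware was seen fetching, look for Base64 blobs hidden in non-rendered
metadata fields that decode to a hostname or URL. All sample data is
constructed; the placeholder domain uses the reserved ".invalid" TLD.
"""
import base64
import binascii
import re
from html.parser import HTMLParser
from typing import Optional

# A run of Base64 alphabet characters (>= 12 chars) with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")
# A decoded value is a hit if it is a bare hostname or an http(s) URL.
HOSTNAME = re.compile(
    r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[:/][\x21-\x7e]*)?$", re.I
)


def decode_b64(token: str) -> Optional[str]:
    """Decode a Base64 token to ASCII text, tolerating missing padding.

    Returns None when the token is not valid Base64 or is not ASCII text.
    """
    stripped = token.rstrip("=")
    padded = stripped + "=" * (-len(stripped) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


class MetadataCollector(HTMLParser):
    """Collect values a browser never shows: <meta> content attributes and the
    text of elements whose name/itemprop/id/class mentions 'summary', which is
    where the write-up says the C2 strings are currently placed."""

    def __init__(self) -> None:
        super().__init__()
        self.fields: list[tuple[str, str]] = []  # (field label, raw value)
        self._capture: Optional[str] = None       # label of element being read

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        label = a.get("name") or a.get("itemprop") or a.get("id") or a.get("class") or tag
        if tag == "meta" and a.get("content"):
            self.fields.append((f"meta:{label}", a["content"]))
        elif "summary" in label.lower():
            self._capture = f"{tag}:{label}"

    def handle_endtag(self, tag):
        # Only the closing tag of the captured element ends the capture.
        if self._capture and self._capture.startswith(tag + ":"):
            self._capture = None

    def handle_data(self, data):
        if self._capture and data.strip():
            self.fields.append((self._capture, data.strip()))


def find_dead_drop_candidates(page_source: str) -> list[dict]:
    """Return each hidden field holding a Base64 token that decodes to a host/URL."""
    collector = MetadataCollector()
    collector.feed(page_source)
    hits = []
    for field, value in collector.fields:
        for token in B64_TOKEN.findall(value):
            decoded = decode_b64(token)
            if decoded and HOSTNAME.match(decoded.strip()):
                hits.append({"field": field, "token": token, "decoded": decoded.strip()})
    return hits


# Constructed sample page (hypothetical profile page). The hidden value encodes
# the reserved name "update.example.invalid", which cannot resolve anywhere.
_C2_PLACEHOLDER = "update.example.invalid"
SAMPLE_PAGE = f"""<html><head>
<meta name="description" content="Public profile of a normal user">
<meta name="summary" content="{base64.b64encode(_C2_PLACEHOLDER.encode()).decode()}">
</head><body>
<div class="summary">Likes hiking and long Base64 strings: aGVsbG8gd29ybGQ=</div>
<p>Visible body text that a browser renders normally.</p>
</body></html>"""


if __name__ == "__main__":
    # The 'hello world' blob in the div is decoded but ignored: it is not a hostname.
    for hit in find_dead_drop_candidates(SAMPLE_PAGE):
        print(f"[DDR candidate] {hit['field']}: {hit['token']} -> {hit['decoded']}")
```

In practice the page source would come from a proxy capture or a saved copy of the Telegra.ph, Google Docs or Steam page the endpoint requested, and a hit is a pivot point: the decoded hostname becomes a block or hunt candidate, and the request to the intermediary page itself becomes a detection opportunity.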
The configuration file used to communicate with the C2 server contains sensitive data stolen from the infected system, including browser data, text files, cryptocurrency wallets, FTP credentials, chat applications, email clients, remote access tools, terminal programs, VPN configurations, password managers, databases, and browser extension plugins. Depending on its configuration, the malware compresses collected files into a ZIP archive before transmitting them to the C2 server.