Threat Context Monthly: Executive Intelligence Briefing for February 2025 – Black Basta, & M_A_G_A

This article highlights the recent activities of the Black Basta ransomware group, focusing on their internal operations and significant data leaks. It also discusses another threat actor, M_A_G_A, who is engaged in distributing malware. The insights provided shed light on the evolving tactics and techniques employed by these cybercriminals.

Affected: Black Basta, M_A_G_A, organizations in defense, manufacturing, finance, healthcare, global corporations

Key points:

  • Black Basta is a Russian-speaking ransomware group operating since April 2022.
  • Utilizes a double-extortion technique and follows a Ransomware-as-a-Service model.
  • Over 450 victims have been reported since the group’s inception.
  • Major data leak of Black Basta’s internal chat logs occurred on February 11, 2025.
  • Internal chats reveal their interest in VPN exploits and targeted attacks on Russian banks.
  • M_A_G_A is active in underground forums offering malware services, including FleshStealer and FleshCrypt.
  • Vulnerability exploitation, particularly in VeraCore and other high-severity flaws, is ongoing.
  • Significant decrease in ransomware payments reported in 2024 due to law enforcement pressure.
  • Emerging phishing techniques, such as device code phishing, are being employed by threat actors.

MITRE Techniques:

  • T1486: Data Encrypted for Impact – Black Basta encrypts data and demands ransom.
  • T1491: Resource Hijacking – Black Basta targets organizational resources for their ransomware operations.
  • T1071: Application Layer Protocol – Black Basta uses messaging apps like Matrix for communication.
  • T1203: Exploitation for Client Execution – Interest in VPN exploits indicates the use of this technique.
  • T0183: Malware-as-a-Service – M_A_G_A’s operation model reflects this technique’s use.

Indicators of Compromise:

  • [Domain] blackbasta[.]com
  • [Malware] FleshStealer
  • [Malware] FleshCrypt
  • [Vulnerability] CVE-2025-25181
  • [Vulnerability] CVE-2024-57968
Full Story: https://outpost24.com/blog/threat-context-monthly-february-2025-black-basta-maga/