Threat Context monthly: Executive intelligence briefing for February 2025 – Black Basta & M_A_G_A
Welcome to the Threat Context Monthly blog series where we provide a comprehensive roundup of the most relevant cybersecurity news and threat information from KrakenLabs, Outpost24’s cyber threat intelligence team. The key focuses this month are on the threat groups Black Basta and M_A_G_A, plus plenty more observed highlights from the team. Here’s what you need to know from February.
Spotlight threat: Black Basta chats data leak – Ransomware group internal operations
The “Black Basta Group” is a Russian-speaking ransomware group active since April 2022, known for deploying ransomware of the same name. They follow the double-extortion technique and operate under the Ransomware-as-a-Service (RaaS) business model.
According to Outpost24 KrakenLabs data, Black Basta has been one of the most prolific ransomware groups since its inception, with more than 450 victims published on its data leak site (DLS). Furthermore, the gang was responsible for major attacks against global companies in sectors such as defense, manufacturing, finance and healthcare, collecting more than US$100 million in ransom payments between 2022 and 2023 alone.
On February 11, 2025, a major leak exposed Black Basta’s internal chat logs from the Matrix messaging platform. The chats were leaked by a user named “ExploitWhispers”, who claimed they leaked the data because the group was targeting Russian banks. The leak contained 196,045 messages from September 18th, 2023, to September 28th, 2024.
Leak analysis
Analysts from PRODAFT, Outpost24 KrakenLabs, and other cybersecurity researchers analyzed the leak and reported interesting insights into the gang’s membership and internal relationships, its relations with other cybercriminal groups, and its evolving TTPs.
From the internal chats it was observed that Black Basta has a strong interest in VPN exploits for initial access, and was willing to pay up to US$200,000 for Ivanti zero-days.
The adversary also constantly improves its techniques and learns from other groups, for instance by bringing in social engineering experts to increase the success rate of its attacks. The gang was observed maintaining a spreadsheet of specific individuals of interest within targeted organizations. Furthermore, targets were carefully selected, with special emphasis on finance, industrial manufacturing and energy companies.
Who is Black Basta?
According to Black Basta’s internal chats, the group has multiple members, with a core team of around 5 to 10 individuals who hold key roles within the organization – about 50 user aliases appear in the full logs, but many are inactive or low-level. Furthermore, the leaks reveal complex internal relationships and frequent arguments among team members, especially since late 2024.
The gang’s leader is apparently the user “Tramp”, also tracked as “TA577”. He is considered the mastermind and top leader of Black Basta and likely a founding member of the gang after the 2022 “Conti ransomware group” fallout. This individual showed an authoritarian attitude towards his colleagues and sometimes prioritized personal interests over the threat group’s goals.
The user “Bio” served as second-in-command and chief administrator, frequently engaging in both strategic discussions and operational details in the chat. This user provided expertise in cryptocurrency handling and laundering, avoiding blockchain tracing and using mixers/exchangers. The malicious actor was a long-time associate of the leader and apparently worked alongside him within the defunct Conti ransomware group. However, Bio was sidelined in mid-2024 after an encounter with law enforcement. The actor’s essential role within the ransomware gang is underscored by the fact that Black Basta’s decline began after Bio’s incident with law enforcement.
The user “Lapa” is also a core administrator, responsible for coordinating attacks and testing the tools used by the gang. The user is considered one of Black Basta’s main admins, albeit underappreciated and underpaid compared to peers like Bio. Furthermore, Lapa frequently suffered insults from the gang leader Tramp, highlighting the internal tensions among the group’s leadership.
Other relevant members of the gang are the user “Cortes”, who is associated with the “Qakbot group”, and a user named “Nur”, who apparently works as a social engineer.
The internal chat leak also showed the attempt of the threat actor “Dispossessor” to join the group and Black Basta’s lack of trust in “Lockbit”. Furthermore, due to internal problems some members of Black Basta abandoned the group and joined other relevant ransomware gangs such as Cactus.

Spotlight threat: M_A_G_A: Underground forums user advertising FleshStealer
“M_A_G_A” is a threat actor active in underground forums and on Telegram since January 2024, where they operate a Malware-as-a-Service (MaaS) scheme. Specifically, the adversary offers for sale an information stealer named FleshStealer and a crypter named FleshCrypt.
FleshStealer was first announced on XSS on September 4, 2024. It is a C#-based credential stealer operated through a web-based panel. Prices range from 450 rubles for a one-month subscription to 4,500 rubles for an unlimited subscription.
Interestingly, M_A_G_A has been seen asking other forum users for help with flaws in their crypter, which suggests they may lack expertise in malware development. Outpost24 KrakenLabs analysts have also observed other M_A_G_A posts looking for software developers on XSS, so it is likely that the threat actor collaborated with more experienced threat actors to develop their tools.

KrakenLabs observed highlights
Vulnerability
VeraCore 0-day exploitation: The “XE Group”, a Vietnamese cybercrime gang active since 2010, has been exploiting a zero-day vulnerability in VeraCore (CVE-2025-25181) alongside a high-severity file upload flaw (CVE-2024-57968) to deploy persistent ASPXSpy web shells and maintain unauthorized remote access to compromised systems.
Malware
OCR-powered stealer: The SparkCat trojan, the first OCR-powered stealer to infiltrate both the Apple App Store and Google Play, has been found in at least 21 apps, including food delivery services and AI-powered messengers, with over 242,000 downloads. Using Google ML Kit, SparkCat scans users’ photo galleries for cryptocurrency wallet seed phrases.
Supply chain
Silk Typhoon supply-chain attack: BeyondTrust disclosed that a compromised API key, obtained via a zero-day flaw in a third-party application, led to unauthorized access affecting 17 Remote Support SaaS customers, including the US Treasury Department. The attackers, linked to China’s Silk Typhoon group, exploited this key to reset local application passwords.
Emerging threat
Device code phishing – new technique: Microsoft researchers reported a phishing campaign, ongoing since August 2024, that targets a wide range of industries across multiple regions. The attacks use a technique called “device code phishing” that tricks users into signing in to productivity apps, or into authorizing the specific client ID of the Microsoft Authentication Broker. The threat actor, tracked by Microsoft as “Storm-2372”, captures the tokens issued at sign-in and can use them later to access the compromised accounts.
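Since the technique leaves a trace as a device-code sign-in, a defender can triage sign-in logs for that protocol. The script below is an added example (not from the original post or from Microsoft) that runs over a constructed sample of sign-in records; the field names (`authenticationProtocol`, `userPrincipalName`, `ipAddress`, `status.errorCode`) follow the shape of Microsoft Entra ID sign-in exports as an assumption, and the "unusual IP" baseline is a simple heuristic, not an official detection.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of Microsoft Entra ID sign-in records (JSON lines).
# Field names are an assumption based on the Graph signIn resource; adapt to your export.
# A nonzero status.errorCode marks a failed sign-in (no token issued).
SAMPLE_SIGNINS = """\
{"createdDateTime":"2025-02-10T08:01:00Z","userPrincipalName":"alice@example.test","appDisplayName":"Microsoft Teams","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","status":{"errorCode":0}}
{"createdDateTime":"2025-02-10T09:12:00Z","userPrincipalName":"alice@example.test","appDisplayName":"Microsoft Authentication Broker","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","status":{"errorCode":0}}
{"createdDateTime":"2025-02-10T09:40:00Z","userPrincipalName":"bob@example.test","appDisplayName":"Outlook","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.22","status":{"errorCode":0}}
{"createdDateTime":"2025-02-10T10:05:00Z","userPrincipalName":"bob@example.test","appDisplayName":"Microsoft Authentication Broker","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.22","status":{"errorCode":0}}
{"createdDateTime":"2025-02-10T10:06:00Z","userPrincipalName":"carol@example.test","appDisplayName":"Microsoft Authentication Broker","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","status":{"errorCode":50126}}
"""


def find_device_code_signins(jsonl: str) -> list[dict]:
    """Flag successful device-code sign-ins; raise severity when the source IP is not
    one the user has used with any other authentication protocol (heuristic)."""
    records = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    baseline = defaultdict(set)  # user -> IPs seen on non-device-code sign-ins
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            baseline[rec["userPrincipalName"]].add(rec["ipAddress"])
    alerts = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempt, no token was issued
        user = rec["userPrincipalName"]
        unusual_ip = rec["ipAddress"] not in baseline[user]
        alerts.append({
            "user": user, "time": rec["createdDateTime"], "app": rec["appDisplayName"],
            "ip": rec["ipAddress"], "severity": "high" if unusual_ip else "medium",
        })
    return alerts


if __name__ == "__main__":
    # A "high" hit is a candidate for revoking the user's sessions and refresh tokens.
    for alert in find_device_code_signins(SAMPLE_SIGNINS):
        print(alert)
```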
Malicious machine learning models: Cybersecurity researchers have identified two malicious machine learning models on Hugging Face that exploit the pickle serialization format to evade detection. These models, which use a “broken” pickle file technique, contain a reverse shell payload that connects to a predetermined IP address.
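The "broken" pickle trick works because Python's unpickler executes opcodes in order, so a payload placed before a malformed tail runs while a scanner that aborts on the parse error sees nothing. The opcode-level scanner below is an added example (not code from the original post or from the researchers) showing how to keep the imports seen before the error; the denylist and the three pickle fixtures are constructed for the example, and none of them are ever unpickled.

```python
import io
import pickle
import pickletools

# Constructed denylist for this example: callables a serialized model has no reason to import.
SUSPICIOUS_GLOBALS = {
    ("os", "system"), ("posix", "system"), ("nt", "system"),
    ("subprocess", "Popen"), ("subprocess", "run"), ("subprocess", "call"),
    ("builtins", "eval"), ("builtins", "exec"), ("builtins", "__import__"),
    ("socket", "socket"), ("pty", "spawn"),
}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "UNICODE",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}


def scan_pickle(data: bytes) -> dict:
    """Walk the opcode stream with pickletools (never pickle.loads) and report imports.
    Everything seen before a parse error is kept, because pickle.loads would have
    executed those opcodes before hitting the malformed tail."""
    imports, strings, calls, error = [], [], 0, None
    try:
        for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
            if op.name in STRING_OPS:
                strings.append(arg)                      # remember pushed strings
            elif op.name in ("GLOBAL", "INST"):
                module, name = arg.split(" ", 1)         # pickletools yields "module name"
                imports.append((module, name))
            elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
                imports.append((strings[-2], strings[-1]))  # operands: last two strings pushed
            elif op.name in ("REDUCE", "NEWOBJ", "OBJ", "BUILD"):
                calls += 1                               # opcodes that invoke an imported callable
            if op.name == "STOP":
                break
    except ValueError as exc:                            # truncated stream or unknown opcode
        error = str(exc)
    flagged = [imp for imp in imports if imp in SUSPICIOUS_GLOBALS]
    verdict = "malicious" if flagged else ("suspicious" if error else "clean")
    return {"imports": imports, "flagged": flagged, "calls": calls,
            "malformed": error is not None, "verdict": verdict}


# Constructed fixtures: a benign weights dict, a pickle that imports os.system, and the
# same import followed by junk bytes so the stream breaks after the dangerous part.
CLEAN_PICKLE = pickle.dumps({"weights": [0.1, 0.2]}, protocol=4)
SUSPICIOUS_PICKLE = b"\x80\x02cos\nsystem\n."
BROKEN_PICKLE = b"\x80\x02cos\nsystem\n" + b"\xff" * 4

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PICKLE), ("suspicious", SUSPICIOUS_PICKLE), ("broken", BROKEN_PICKLE)):
        print(label, scan_pickle(blob))
```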
Ransomware
Decrease in ransomware payments: Chainalysis reported a significant decrease of around 35% in the total volume of ransomware payments during 2024 compared with the previous year, 2023. Increasing law enforcement pressure against ransomware gangs, including major international disruption operations against leading threat groups and arrests of operators, together with fewer companies paying extortion demands, are some of the reasons behind the decline in ransomware payments.
What’s new in Threat Context this month?
Threat actors: M_A_G_A, Suicid, Siphoning Hemlock, barnaul, Magouilleur, LabInstalls, Kzoldyck, Injectioninferno, SilkSpecter, CoderSharp, BlackAPT and more!
Tools: FleshStealer, MintsLoader, Rugmi, Hannibal Stealer, Kematian Stealer, CloudChat and more!
How could your organization use threat intelligence?
Outpost24’s External Attack Surface Management (EASM) platform gives users access to threat intelligence powered by our human-led team, KrakenLabs.