
The credential harvesting window used by the Java RAT | Image: Rapid7
Rapid7’s latest threat intelligence report shines a spotlight on the evolving tactics of threat actors formerly affiliated with the Black Basta ransomware group. While social engineering incidents linked directly to Black Basta have declined since December 2024, the void appears to be filled by BlackSuit affiliates, who have adopted — and in some cases expanded — their predecessor’s playbook.
“Evidence now suggests that BlackSuit affiliates have either adopted Black Basta’s strategy or absorbed members of the group,” Rapid7 noted in its executive summary.
The attack chain begins with an email bombing campaign, where a user is signed up to thousands of public mailing lists in minutes, rendering their inbox nearly unusable. This sets the stage for the next phase: direct contact from the attacker.
“The operator will flood targeted users with a high volume of emails… effectively creating a denial of service attack,” explains Rapid7.
Attackers then reach out — typically via Microsoft Teams or phone calls with spoofed numbers — pretending to be IT support. The objective is to convince the user to launch Windows Quick Assist or a fake version of it, enabling remote access and credential theft.

Once in conversation, the threat actor coaxes the user into visiting malicious domains mimicking legitimate Quick Assist portals, or launching fake authentication windows using malware utilities like the Java RAT.
“BlackSuit affiliates… may also direct the user to a malicious domain that hosts a fake Quick Assist login page,” the report reveals.
Rapid7 confirmed that in some cases, users were pressured into providing MFA codes over the phone, and once inside the system, operators grabbed VPN configurations to further penetrate corporate networks.
The Java Remote Access Trojan (RAT) deployed in these campaigns has undergone considerable evolution over the past year. Initially distributed as identity.jar, the malware now uses Google Drive and Sheets for command-and-control (C2), employs string and control-flow obfuscation, and stores its configuration in AES-256-encrypted files.
“The Java malware now abuses cloud-based file hosting services provided by both Google and Microsoft… to proxy commands through the respective cloud service provider’s servers,” notes Rapid7.
Its built-in commands include launching fake login prompts, establishing SOCKS5 tunnels, and stealing browser-stored credentials. One standout command, loginform, presents a fake Windows Security window that traps users in a loop until they enter their password.
In more advanced incidents, BlackSuit actors distribute QEMU virtual machines configured with tools like ScreenConnect and QDoor (a Rust-based C2 proxy), bundled in a .qcow2 image.
“The image contains a Windows 7 Ultimate virtual machine configured to automatically logon and execute… a ScreenConnect installer,” Rapid7 explains.

More recent payloads are smaller and run TinyCore Linux, with embedded malware executing only after verifying network connectivity to attacker-controlled servers. Some binaries use port 53 (normally for DNS) to tunnel encrypted C2 traffic, a stealth tactic that evades many standard network defenses.
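One detection angle on the port-53 tunnelling described above, as an added example that is not from the Rapid7 report: a small Python checker that runs over constructed flow-log lines and flags port-53 sessions that go to an unapproved resolver, stay open longer than a DNS exchange would, or move far more bytes than DNS does. The resolver addresses, thresholds and log format are assumptions.

```python
# Constructed flow log lines: ts src dst proto dport bytes duration_s
SAMPLE_FLOWS = [
    "2025-06-01T10:00:01Z 10.0.5.21 10.0.0.53 UDP 53 180 0.02",
    "2025-06-01T10:00:03Z 10.0.5.21 10.0.1.53 UDP 53 210 0.03",
    "2025-06-01T10:00:05Z 10.0.5.21 203.0.113.77 TCP 53 1843200 3600.0",
    "2025-06-01T10:00:06Z 10.0.5.21 198.51.100.9 TCP 443 52000 12.0",
]

# Assumptions (constructed): these are the organisation's only sanctioned resolvers,
# and a real DNS exchange is short and small. Tunnelled C2 over port 53 is neither.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
MAX_DNS_DURATION_S = 30
MAX_DNS_BYTES = 4096

def parse_flow(line: str) -> dict:
    """Split one whitespace-separated flow record into typed fields."""
    ts, src, dst, proto, dport, nbytes, dur = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto.upper(),
            "dport": int(dport), "bytes": int(nbytes), "duration": float(dur)}

def classify(flow: dict) -> list[str]:
    """Return the reasons a port-53 flow does not look like DNS (empty list if it does)."""
    if flow["dport"] != 53:
        return []
    reasons = []
    if flow["dst"] not in APPROVED_RESOLVERS:
        reasons.append("unapproved-resolver")   # resolver policy bypassed
    if flow["duration"] > MAX_DNS_DURATION_S:
        reasons.append("long-lived")            # DNS does not hold a session open
    if flow["bytes"] > MAX_DNS_BYTES:
        reasons.append("high-volume")           # far more than a few queries/answers
    return reasons

def find_suspicious(lines: list[str]) -> list[tuple[str, str, list[str]]]:
    """Return (src, dst, reasons) for every flow that trips at least one heuristic."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        reasons = classify(flow)
        if reasons:
            hits.append((flow["src"], flow["dst"], reasons))
    return hits

if __name__ == "__main__":
    for src, dst, reasons in find_suspicious(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:53 flagged: {', '.join(reasons)}")
```

In a real deployment the same checks would run over exported NetFlow or firewall session logs, with the resolver set taken from the organisation's DNS policy.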
One particularly concerning discovery was the use of live test environments by attackers to validate malware behavior before broad deployment. Rapid7 found debug outputs, console logs, and Google Drive revision histories indicating hands-on testing of credential harvesting, Java execution, and obfuscated shellcode injection.
“Command log snippets… give a unique in-console view of what the threat actor saw while they were hands-on-keyboard and executing commands.”
In one example, a Rust executable named testapp.exe merely spawned a confirmation message box. In others, it served as a loader for custom SSH tunneling payloads, aiding post-exploitation persistence.
To defend against this threat, Rapid7 advises:
- Block external domains in Microsoft Teams unless whitelisted.
- Standardize and restrict remote tools like Quick Assist, AnyDesk, or ScreenConnect.
- Mandate MFA, especially for VPN access.
- Conduct user awareness training on help desk impersonation scams.
- Monitor and block outbound traffic to known cloud abuse patterns.