The Black Basta ransomware group has joined hands with QBot to gain initial access to corporate environments. QBot is known for stealing Windows domain and bank credentials and dropping additional payloads.

The partnership

Researchers from the NCC Group have reported about the ongoing partnership between Qbot and Black Basta operators in the recent incident response. Further, researchers have identified some new TTPs used for this attack.
  • QBot is usually used for initial access, however, Black Basta has used it to spread laterally inside a victim's network.
  • The malware remotely creates a temporary service on the host and configures it to run its DLL using regsvr32[.]exe.
  • Once set up, QBot can infect network shares and drives, brute-force AD accounts, or use the SMB to create copies of itself or spread via default admin shares using current user credentials.
Additionally, the attackers were spotted using Cobalt Strike beacons during the compromise.

Evading detection

  • The attackers disable Windows Defender to evade detection and limit the chances of stopping the encryption process.
  • They run PowerShell commands to create a GPO on a compromised Domain Controller that makes changes on the Windows Registry.


The partnership between Black Basta and QBot seems to be working well for them. However, QBot is still propagated via malicious emails, users should stay alert while opening attachments from unknown users. Further, organizations should subscribe to a threat intelligence service for better protection.
Cyware Publisher