{
  "name": "Black Basta: Defense Evasion Capability Embedded in Ransomware Payload",
  "slug": "black-basta-defense-evasion-capability-embedded-in-ransomware-payload",
  "description": "A recent Black Basta ransomware campaign embedded a bring-your-own-vulnerable-driver (BYOVD) defense evasion component in the ransomware payload itself rather than deploying it as a separate tool, a departure from typical practice. The ransomware exploited a vulnerable NsecSoft NSecKrnl driver to terminate security processes. This approach, previously seen in Ryuk and Obscura attacks, may indicate a trend towards bundling additional capabilities in ransomware payloads. The attack also involved a long dwell time and post-deployment activity using GotoHTTP. The Cardinal group, responsible for Black Basta, had been quiet following a chat log leak in 2025 but appears to be resuming activities. This development raises questions about future ransomware tactics and about the advantages attackers may gain from embedding defense evasion capabilities within payloads.",
  "published": "2026-02-05T19:21:26+00:00",
  "created_at": "2026-02-05T19:21:26+00:00",
  "modified_at": "2026-02-05T19:40:42+00:00",
  "created_at_opencti": "2026-02-05T19:21:26+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-02-05",
    "CVE-2025-68947",
    "black basta",
    "byovd",
    "cardinal",
    "defense evasion",
    "gotohttp",
    "nseckrnl",
    "ransomware",
    "vulnerable driver"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "5213706ae67a7bf9fa2c0ea5800a4c358b0eaf3fe8481be13422d57a0f192379"
      },
      {
        "id": "",
        "name": "230b84398e873938bbcc7e4a1a358bde4345385d58eb45c1726cee22028026e9"
      },
      {
        "id": "",
        "name": "206f27ae820783b7755bca89f83a0fe096dbb510018dd65b63fc80bd20c03261"
      },
      {
        "id": "",
        "name": "bf6686858109d695ccdabce78c873d07fa740f025c45241b0122cecbdd76b54e"
      },
      {
        "id": "",
        "name": "e09686fde44ae5a804d9546105ebf5d2832917df25d6888aefa36a1769fe4eb4"
      },
      {
        "id": "",
        "name": "6bd8a0291b268d32422139387864f15924e1db05dbef8cc75a6677f8263fa11d"
      }
    ],
    "malware": [
      {
        "id": "3b09b708-d42b-4fc4-a892-b5b7e8cb0656",
        "name": "GotoHTTP",
        "slug": "gotohttp"
      },
      {
        "id": "legacy:malware:4b474c7d91ebdc7d",
        "name": "Black Basta - S1070",
        "slug": "black-basta-s1070"
      }
    ],
    "intrusion_sets": [
      {
        "id": "413e5508-2976-49b9-8de3-2d661f0977a0",
        "name": "Cardinal",
        "slug": "cardinal"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2025-68947"
      }
    ]
  },
  "external_refs": [
    "https://www.security.com/threat-intelligence/black-basta-ransomware-byovd",
    "https://otx.alienvault.com/pulse/6984fbc6de215c312d2f6c53"
  ]
}