Black Basta Internal Chat Leak - initial observations

On February 20, 2025, an unknown individual using the handle ExploitWhispers released a file allegedly containing a leaked internal chat from the cybercrime group Black Basta on Telegram. The file is a JSON dataset containing 196,045 messages, primarily in Russian, from a Matrix chat group from September 18, 2023, to September 28, 2024. A preliminary analysis suggests that most, if not all, of the data appears legitimate. However, as the leaker's identity and motivations remain unknown, the possibility of data manipulation cannot be ruled out.

Black Basta is a ransomware-as-a-service (RaaS) group that emerged in April 2022 and has since targeted over 500 organizations worldwide, spanning sectors such as healthcare, manufacturing, and utilities. Notable victims include Ascension, Dish Network, Maple Leaf Foods, BT Group, and Rheinmetall. No new victims have been recorded since January 2025. The group was founded by Conti Team 3, also known as Tramp's (or Trump's) team (with no relation to the politician).

Here are some of the first observations we made:

- The group periodically changes Matrix servers for OPSEC reasons. In September 2024, the leader decided to migrate to a new server.
- Black Basta operates as a highly structured and hierarchical entity with at least two offices working during Moscow business hours.
- According to unverified claims from the leaker, the real identity of the group’s leader, Trump (aka gg), could be Oleg Nefedov.
- Key members work together in the same offices, while remote work is rare and requires leader approval. In return, these members have a cook and dedicated drivers. The youngest members of the gang claimed to be 17 years old.
- Each member specializes in different tasks, such as infrastructure management, initial access, malware and C2 obfuscation, development, and negotiations.
- The group buys services from other cybercriminals, including crypting (the obfuscation of a payload), hosting, spam, and initial access to compromised networks.
- Black Basta is constantly acquiring new exploits and vulnerabilities to expand its attack capabilities and is willing to invest significant sums in these efforts.
- The group actively uses social engineering and call harassment techniques to gain access to corporate targets.
- In the spring of 2024, the leader planned to rebrand Black Basta and develop new ransomware, but the programmer hired to do this scammed him. The leader claims to have strong business connections that protect him, while members like “chuk” claim to be in contact with the Russian criminal defence attorney Arkady Bukh.
Flare
Final Call: Secure Your Spot for the Flare Academy Cyber Investigations Workshop

Time is running out to join Nick Ascoli and Baptiste Robert for an exclusive live session on advanced cyber investigative techniques. If you’re in threat intelligence, cybersecurity, or digital forensics, this is an opportunity you don’t want to miss.

Date: March 18th
Location: Live Online Session

What You’ll Learn:

- Cross-platform identity linking to uncover hidden connections
- Linguistic pattern matching to detect threat actor signatures
- Mapping malicious infrastructure and identifying relationships
- Timeline reconstruction to analyze attack sequences
- Cryptocurrency transaction analysis to trace illicit activity

This session will explore real-world case studies, common mistakes threat actors make, and how to maintain operational security while conducting investigations. Registration is still open. Secure your spot now! https://lnkd.in/ec8_MH3n #Cybersecurity #ThreatIntelligence #DigitalForensics #OSINT #Infosec
This Friday, Tammy Harper will be hosting a TI Friday at 12:30pm EST. Join us to chat about all things threat intel and to start unwinding for your weekend with a casual hangout in our Flare Academy Discord. If you're not already in our Discord Community, click the link in the comments! #cyber #infosec #threatintel
Flare reposted
How do you unmask cybercriminals without tipping them off? Flare's next free training, Deanonymizing Threat Actors, is happening March 18th at 11 AM ET, and they asked me to help spread the word. Honestly I’d be sharing this one anyway, it’s too cool. They even have Baptiste Robert from Predicta Labs joining the party!! Diving into OSINT techniques, digital footprint analysis, and the role of crypto in cybercrime… this one’s gonna be awesome. Check it out and register here: https://lnkd.in/gydw7aJH
Heading to the CCTX 7th Annual Symposium? Connect with Mark MacDonald and Moe Abufool on-site to learn how Flare provides your security team with actionable intelligence and automated remediation for threats across the clear & dark web. See you there! Sheraton Centre, Toronto | March 5, 2025
How is your organization navigating compliance measures like DORA, NIS2, and IT Security Act 2.0? We had the opportunity to speak with our customer greenhats GmbH in Germany about their approach to threat exposure management along with data protection for their customers with Flare. Learn more about how greenhats scaled their business, generated greater revenue, and elevated their security posture with automated identity intelligence monitoring. https://lnkd.in/gmcHkvyC #Cybersecurity #MSSP
According to this article on Medium.com, Flare is one of the top 15 Dark Web Monitoring Tools on the market! Special notes go out to Flare's "intuitive design and ability to surface actionable insights". Check out the full review below! https://lnkd.in/eMa38y46 #DarkWeb #OSINT #Infosec
Flare has been voted 'Best in Show' in the February edition of The ChannelPro Network Deep Dive Online Showcase! Showcased alongside numerous competitors, Flare won the audience's popular vote! Curious to see what made us stand out? Check out our product below! https://lnkd.in/d2XK-J7c #Cybersecurity #Innovation #Infosec
A Director of Technology in the Insurance Industry gives Flare a 5/5 Rating in Gartner Peer Insights Security Threat Intelligence Products and Services Market! Read the full review here: https://gtnr.io/1vBw99UQY #gartnerpeerinsights
Many believed that Telegram's popularity amongst threat actors would plummet after Telegram's CEO's arrest and later series of announcements that the platform would cooperate with law enforcement. However, nearly six months later, the messaging app remains a hub for cybercrime. Though there's been an increase in users on alternative platforms like Signal, Telegram remains the dominant force in the cybercriminal underground, with no significant decline in activity. For better or worse, its presence appears unshaken. To explore why Telegram continues to thrive, read our latest blog from Flare Research below: https://lnkd.in/g_rDuid4 #Telegram #Cybersecurity