Concise Cyber


Anatomy of the ‘Navigating Through The Fog’ Attack: From IcedID to Black Basta Ransomware

The cyberattack, designated “Navigating Through The Fog,” was a multi-stage intrusion that culminated in the deployment of Black Basta ransomware across an enterprise network. The incident began with a phishing email and involved the use of multiple well-known tools for discovery, lateral movement, and data exfiltration before the final encryption stage was initiated by the threat actors.

Initial Access and Discovery Phase

The threat actor gained initial access through a phishing campaign: an employee opened a macro-enabled document attached to an email and allowed the macro to run, which led to the deployment of the IcedID loader. Once running, IcedID established a command-and-control (C2) channel that served as the entry point for all subsequent attacker activity. The operator then performed initial reconnaissance with native Windows utilities, running commands such as whoami, ipconfig /all, and net view to learn the user context, the network configuration, and the reachable network shares. The actors also enumerated Active Directory with AdFind to map the domain structure and identify high-value targets, including the domain controllers. Because ordinary users rarely run these commands in quick succession, process-creation telemetry with command lines (Sysmon Event ID 1, or Security Event ID 4688 with command-line auditing enabled) that shows such a burst from a single workstation is a practical early detection point for this phase.

Lateral Movement and Ransomware Deployment

Following discovery, the threat actor deployed Cobalt Strike beacons to maintain persistence and to facilitate lateral movement. Using compromised credentials, the actor moved across the network primarily over Remote Desktop Protocol (RDP) for interactive access and with PsExec to execute commands on remote systems. Once they had obtained domain administrator privileges, the attackers prepared for the final stage: they used Rclone to exfiltrate sensitive data to a cloud storage provider, then created a Group Policy Object (GPO) on a domain controller configured to distribute and execute the Black Basta ransomware binary on every connected endpoint, leading to widespread file encryption. Creation of a new GPO on a domain controller is a high-signal event that few legitimate workflows produce outside change windows; with Directory Service Changes auditing enabled, Security Event IDs 5137 (object created) and 5136 (object modified) on the groupPolicyContainer class expose it before the linked policy reaches the endpoints.
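To make the two phases above concrete from a detection standpoint, here is an added example (not code from The DFIR Report or from Concise Cyber) that stages constructed Windows events into the chain the write-up describes: discovery commands, PsExec lateral movement, Rclone exfiltration, and GPO creation on a domain controller. The event shapes mimic Sysmon Event ID 1 and Security Event ID 5137 but are constructed here; the stage names, regexes, the 72-hour window and the "discovery followed by two later stages" alerting rule are this example's own assumptions, not rules taken from the report.

```python
"""Stage constructed Windows events into the intrusion chain described above.

Added example, not from The DFIR Report or Concise Cyber.  Event dicts mimic
Sysmon Event ID 1 (process creation) and Security Event ID 5137 (directory
service object created); hostnames, users and command lines are constructed.
Stage names, patterns and the alerting rule are this example's assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (stage, regex over the lowercased command line).  Only tools the write-up
# names are matched; first matching rule wins.  Tune to your environment.
STAGE_RULES = [
    ("discovery", re.compile(r"\bwhoami(\.exe)?\b")),
    ("discovery", re.compile(r"\bipconfig(\.exe)?\s+/all\b")),
    ("discovery", re.compile(r"\bnet1?(\.exe)?\s+view\b")),   # net.exe spawns net1.exe
    ("discovery", re.compile(r"\badfind(\.exe)?\b")),
    ("lateral_movement", re.compile(r"\bpsexec(64)?(\.exe)?\b|\bpsexesvc\.exe\b")),
    ("exfiltration", re.compile(r"\brclone(\.exe)?\b")),
]


def classify_event(event):
    """Map one event to an intrusion stage, or None if it looks benign/unknown."""
    if event.get("event_id") == 5137:
        # A new groupPolicyContainer on a DC is how the actor staged the
        # ransomware binary; treat it as deployment preparation.
        if event.get("object_class", "").lower() == "grouppolicycontainer":
            return "deployment_prep"
        return None
    if event.get("event_id") == 1:  # Sysmon process creation
        cmd = event.get("command_line", "").lower()
        for stage, pattern in STAGE_RULES:
            if pattern.search(cmd):
                return stage
    return None


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def correlate(events, window=timedelta(hours=72)):
    """Order the stages seen across hosts and alert when a discovery burst is
    followed, within `window`, by at least two distinct later stages."""
    hits = sorted(
        (_parse_ts(ev["timestamp"]), ev["host"], stage)
        for ev in events if (stage := classify_event(ev))
    )
    per_host = defaultdict(set)
    for _, host, stage in hits:
        per_host[host].add(stage)
    alert = False
    for ts, _, stage in hits:
        if stage != "discovery":
            continue
        later = {s for t, _, s in hits if ts <= t <= ts + window and s != "discovery"}
        if len(later) >= 2:
            alert = True
            break
    chain = []
    for _, _, stage in hits:
        if stage not in chain:
            chain.append(stage)
    return {"chain": chain, "hosts": {h: sorted(s) for h, s in per_host.items()}, "alert": alert}


def _proc(ts, host, cmd, user="corp\\j.doe"):
    """Build a constructed Sysmon-style process-creation event."""
    return {"timestamp": ts, "event_id": 1, "host": host, "user": user, "command_line": cmd}


SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    _proc("2025-01-06 09:12:03", "WS-FIN-07", "cmd.exe /c whoami"),
    _proc("2025-01-06 09:12:09", "WS-FIN-07", "ipconfig /all"),
    _proc("2025-01-06 09:13:40", "WS-FIN-07", "net view"),
    _proc("2025-01-06 09:20:15", "WS-FIN-07", "AdFind.exe -f objectcategory=computer -csv name operatingSystem"),
    _proc("2025-01-06 10:02:00", "WS-FIN-07", "C:\\Windows\\System32\\svchost.exe -k netsvcs", user="NT AUTHORITY\\SYSTEM"),
    _proc("2025-01-07 22:41:10", "WS-FIN-07", "PsExec64.exe \\\\FS-01 -s cmd.exe"),
    _proc("2025-01-08 01:15:33", "FS-01", "rclone.exe copy D:\\Finance remote:backup -q --ignore-existing", user="corp\\svc_backup"),
    {"timestamp": "2025-01-08 03:05:12", "event_id": 5137, "host": "DC-01", "user": "corp\\da_admin",
     "object_class": "groupPolicyContainer",
     "object_dn": "CN={3F2504E0-4F89-11D3-9A0C-0305E82C3301},CN=Policies,CN=System,DC=corp,DC=local"},
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

The alert deliberately keys on the discovery burst rather than on any single tool: whoami or PsExec alone are common enough in administration to drown an analyst, but discovery followed by movement, exfiltration and GPO staging within a few days is the shape of the intrusion described here.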

Source: https://thedfirreport.com/2025/04/28/navigating-through-the-fog/