Russian Ransomware Groups Deploy Email Bombing and Teams Vishing


Security experts have warned that two ransomware groups are attempting to trick corporate victims into providing remote access to their machines, for data exfiltration and possible extortion.

Sophos said it was tracking the threats as STAC5143 and STAC5777. The latter shares characteristics of Storm-1811 – a financially motivated cybercrime group known to deploy Black Basta ransomware. STAC5143 is a “previously unreported threat cluster” with possible links to prolific threat actors FIN7.

Both campaigns observed by Sophos in its incident response engagements with customers used similar tactics:

  • First, a victim is bombarded with large volumes of spam emails – potentially up to 3000 in less than an hour
  • They subsequently receive a Teams call from someone purporting to be from IT and offering assistance
  • That individual will then urge the victim to install remote access software like Quick Assist, or use Teams screen sharing, to take control of the machine and install malware

Sophos claimed that these incidents began in November 2024 and it has observed at least 15 attacks using such tactics in the past three months, with half of them coming in the past two weeks.

The end goal is data theft and extortion, it noted.


STAC5143’s tactics, techniques and procedures (TTPs) overlap to a certain extent with FIN7’s, although they also diverge in other ways, Sophos admitted.

“Sophos assesses with medium confidence that the Python malware used in this [STAC5143] attack is connected to the threat actors behind FIN7/Sangria Tempest,” it explained.

“The obfuscation method is identical to previous, and FIN7 has been known to use the RPivot tool in attacks.”

However, the attack chain was apparently different, and the targeted organizations were smaller and in different business sectors than FIN7’s usual victims.

STAC5777 differs slightly from STAC5143 in relying on more “hands-on-keyboard” activity and scripted commands. It also uses RDP and Windows Remote Management to access other computers on a targeted network, and in one case, deployed Black Basta ransomware.

Take These Steps to Prevent a Breach

To mitigate such threats, Sophos urged organizations to:

  • Ensure Microsoft 365 is configured to restrict Teams calls from outside organizations, or at least only to trusted business partners
  • Restrict use of remote access applications
  • Monitor for sources of potentially malicious inbound Teams and Outlook traffic
  • Update employee awareness programs to include email bombing and Teams vishing
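One way to act on the monitoring advice above, as an added example that is not Sophos’ code: a sliding-window check over a message-trace export that flags any mailbox receiving an abnormal burst of inbound mail, the first stage of the campaign described. The trace format, the threshold and the sample lines are constructed assumptions, not real traffic.

```python
# Added example (not Sophos' code): flag mailboxes hit by an email-bomb burst
# in a message-trace export. Format, threshold and sample lines are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed trace lines: ISO timestamp, sender, recipient (not real traffic).
SAMPLE_LOG = """\
2024-11-20T09:00:00 news@list-a.example alice@corp.example
2024-11-20T09:00:02 promo@list-b.example alice@corp.example
2024-11-20T09:00:05 digest@list-c.example alice@corp.example
2024-11-20T09:00:07 offers@list-d.example alice@corp.example
2024-11-20T09:00:09 news@list-e.example alice@corp.example
2024-11-20T09:05:00 hr@corp.example bob@corp.example
2024-11-20T11:30:00 ceo@corp.example alice@corp.example
"""

WINDOW = timedelta(hours=1)  # page: "up to 3000 in less than an hour"
THRESHOLD = 5                # assumption; tune to each mailbox's baseline

def parse_trace(text):
    """Return (timestamp, sender, recipient) tuples from the trace text."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, sender, rcpt = line.split()
            rows.append((datetime.fromisoformat(ts), sender.lower(), rcpt.lower()))
    return rows

def find_bursts(rows, window=WINDOW, threshold=THRESHOLD):
    """Sliding window per recipient; returns {recipient: (peak, burst_start)}
    for mailboxes whose inbound count within `window` reaches `threshold`."""
    by_rcpt = defaultdict(list)
    for ts, _sender, rcpt in rows:
        by_rcpt[rcpt].append(ts)
    alerts = {}
    for rcpt, times in by_rcpt.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] >= window:  # drop messages older than window
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(rcpt, (0, None))[0]:
                alerts[rcpt] = (count, times[start])
    return alerts

if __name__ == "__main__":
    for rcpt, (n, when) in find_bursts(parse_trace(SAMPLE_LOG)).items():
        print(f"ALERT {rcpt}: {n} inbound messages within {WINDOW} from {when}")
```

A burst alert on its own is noisy; the useful signal is a flagged mailbox followed shortly by an external Teams call or a Quick Assist session on that user’s machine.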

“Employees should be aware of who their actual technical support team is and be mindful of tactics intended to create a sense of urgency that these sorts of social-engineering-driven attacks depend upon,” Sophos concluded.
