Russian Ransomware Groups Deploy Email Bombing and Teams Vishing

Summary:
Researchers at Sophos have raised concerns about two ransomware groups employing social engineering tactics to gain remote access to corporate machines for data theft and extortion. Sophos is tracking these threats as STAC5143 and STAC5777. STAC5777 shares similarities with the financially motivated group Storm-1811, known for deploying Black Basta ransomware, while STAC5143 appears to be a newly identified cluster with potential links to the prolific FIN7 threat actors.

Both campaigns rely on a combination of spam and impersonation to deceive victims. The attack typically begins with a flood of spam emails, sometimes numbering up to 3,000 in an hour. This is followed by a fake Microsoft Teams call from someone posing as IT support, urging the victim to install remote access software such as Quick Assist or use Teams screen sharing. These tactics enable the attackers to take control of the victim’s machine and install malware. Since November 2024, Sophos has recorded at least 15 incidents using these methods, with half occurring in the past two weeks.

Security Officer Comments:
STAC5143 has shown overlapping tactics with FIN7, including the use of Python-based malware and obfuscation techniques, as well as the RPivot tool. However, it diverges in its target profile, focusing on smaller organizations in different industries. STAC5777 employs more "hands-on-keyboard" activities, scripted commands, and tools like RDP and Windows Remote Management to infiltrate networks. In one observed case, it deployed Black Basta ransomware, highlighting its capability for aggressive and targeted extortion.

Suggested Corrections:

To mitigate such threats, Sophos urged organizations to:
  • Ensure Microsoft 365 is configured to restrict Teams calls from outside organizations, or at least to allow them only from trusted business partners
  • Restrict use of remote access applications
  • Monitor for sources of potentially malicious inbound Teams and Outlook traffic
  • Update employee awareness programs to include email bombing and Teams vishing
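The first of these corrections, Teams external access, can be enforced from the MicrosoftTeams PowerShell module. The following is an added example, not configuration from the Sophos report or the article; it assumes a Teams administrator session and uses "partner.example" as a placeholder for a real partner domain.

```powershell
# Added example (not from the Sophos/Infosecurity article): tighten Microsoft Teams
# external access so that calls and chats from outside tenants are limited to an
# explicit partner allow-list, removing the open path the Teams vishing lure relies on.
# "partner.example" is a placeholder; replace it with your real partner domain(s).

Connect-MicrosoftTeams

# 1. Inspect the current state. In a default tenant AllowFederatedUsers is $true
#    and AllowedDomains is empty, so any external Microsoft 365 tenant can place
#    a Teams call to your users.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer,
                  AllowTeamsConsumerInbound, AllowPublicUsers

# 2a. Strictest option: block all external (federated) Teams traffic outright.
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# 2b. Allow-list option: keep federation on, but only for named partner domains.
#     Add further New-CsEdgeDomainPattern entries to the array for each partner.
$partnerDomains = @(
    New-CsEdgeDomainPattern -Domain "partner.example"   # placeholder domain
)
$allowList = New-CsEdgeAllowList -AllowedDomain $partnerDomains
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

# 3. Close the consumer (personal Teams / Skype) paths as well; a caller does not
#    need a corporate tenant to reach your users over these.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false `
                                    -AllowPublicUsers $false

# 4. Re-read to confirm; the new settings can take some time to propagate.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer,
                  AllowTeamsConsumerInbound, AllowPublicUsers
```

The same tenant-level cmdlet output is a useful baseline to record before the change, so later drift toward open federation is easy to spot.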

Link(s):
https://www.infosecurity-magazine.com/news/ransomware-email-bombing-teams/

https://news.sophos.com/en-us/2025/...-using-email-bombing-microsoft-teams-vishing/