The Black Basta ransomware group is using Qakbot malware — also known as QBot or Pinkslipbot — to perpetrate an aggressive and widespread campaign using an .IMG file as the initial compromise vector.

More than 10 different customers have been targeted by the campaign in the last two weeks, mostly focused on companies based in the US.

According to a threat advisory posted by the Cybereason Global SOC (GSOC) on Nov. 23, the infections begin with either a spam or phishing email, which contain malicious URL links, with Black Basta deploying Qakbot as the primary method to maintain a presence on victims’ networks.