Menu
Browse

Cyber Threat Actor: Bassterlord

Actor Type Location Known Incidents
 Icon
Criminal
Russia
2 incidents
Profile

Bassterlordis the alias used by a threat actor known to operate from Russia, as indicated by the location information associated with the actor’s forum presence. The actor first came to public attention in March 2020 when they advertised administrative access to an Indian State Tax Office network on a Russian‑language hacking forum, claiming control of four devices and possession of roughly 800 GB of data that included government documents, network shares and personal details such as PAN cards, phone numbers and email addresses linked to Gujarat residents. The offering was made via the forum, Telegram and email, and the actor provided screenshots as proof of access, which showed Remote Desktop Protocol connections, an admin‑named desktop folder and shared drives, suggesting that the actor had achieved administrative privileges and moved laterally within the compromised environment. The actor’s history on the forum includes prior sales of legitimate RDP access to corporate systems, with no recorded complaints from other users, establishing a reputation as a trusted member who routinely monetises network access.

The actor’s typical targeting appears to focus on government and corporate sectors, with the Indian tax office incident representing a government‑sector victim in India and the earlier corporate RDP sales indicating a broader interest in private‑sector networks. The strategic objective evident from the activity is financial gain, as the actor explicitly offered the compromised access for sale rather than deploying the data for espionage or disruption; the volume of data cited (approximately 800 GB) was noted as unlikely to have been exfiltrated for direct use, reinforcing the interpretation that the primary motive was the sale of access credentials. In terms of tactics, techniques and procedures, the actor relied on compromising Remote Desktop Protocol—either through exploiting known RDP flaws, using default credentials or conducting brute‑force attacks—to gain an initial foothold. Once inside, the actor demonstrated lateral movement by accessing network shared drives and multiple devices, as evidenced by the screenshots showing shared folders and an admin‑named directory. No specific malware families or custom tooling are referenced in the available material; the actor’s tooling style appears to consist of leveraging native remote‑access utilities and legitimate administrative functions to maintain presence and facilitate movement.

Attribution to a specific state sponsor or criminal consortium is not publicly established; the only confirmed affiliation is the actor’s base of operations in Russia, as noted in the location field. The most significant publicly reported operation is the March 2020 Indian tax office incident, which exemplifies the actor’s method of advertising and selling RDP access after verifying control through screenshots and lateral movement. Prior to this, the actor had a track record of selling corporate RDP access on the same forum without incident, indicating a recurring pattern of monetising remote‑access capabilities. After the forum post was exposed, the actor ceased advertising the tax office access, though the earlier corporate‑access sales continued until the public disclosure prompted a halt to that specific offering. The available information therefore describes a financially motivated actor who exploits RDP weaknesses to gain and sell administrative access, primarily targeting governmental and corporate networks in India while operating from a Russian base.

Incidents
Attributed incidents available to members
2 incidents
Sources
Sources available to members
1 source