www.darkreading.com 2/9/2026, 8:50:40 PM

Black Basta Bundles BYOVD With Ransomware Payload

CyberSIXT Evidence Panel
CISA KEV: Not in KEV
Patch: Patch Status Unknown

Black Basta has reemerged with a new BYOVD approach, embedding a vulnerable driver directly into its ransomware payload. Researchers from the Symantec and Carbon Black Threat Hunter Team identified the bundled driver as NSecSoft NSecKrnl, which last month was associated with a medium-severity vulnerability tracked as CVE-2025-68947.

The team noted that BYOVD techniques remain a popular defence-evasion method, enabling the ransomware to target security products and potentially disable them to ease encryption of files. In this case, the attack appeared to encrypt some files, although the researchers said the NSecKrnl driver likely failed to kill their product, which continued to function after the intrusion.

The incident marks a first for Black Basta in weaponising and embedding a driver with its payload, underscoring the growing appeal of bundled capabilities for affiliates and the broader BYOVD trend. According to Dark Reading, the report highlights ongoing challenges and calls for broader protections beyond reactive blocklists and driver-signature controls. February 9, 2026.

Article by CyberSIXT