Threat actors deploying the Black Basta and CACTUS ransomware families have been found to rely on the same BackConnect (BC) module for maintaining persistent control over infected hosts, a sign that affiliates previously associated with Black Basta may have transitioned to CACTUS.
“Once infiltrated, it grants attackers a wide range of remote control capabilities, allowing them to execute commands on the infected machine,” Trend Micro said in a Monday analysis. “This enables them to steal sensitive data, such as login credentials, financial information, and personal files.”
It’s worth noting that details of the BC module, which the cybersecurity company is tracking as QBACKCONNECT owing to overlaps with the QakBot loader, were first documented in late January 2025 by both Walmart’s Cyber Intelligence team and Sophos, the latter of which has designated the cluster STAC5777.
Over the past year, Black Basta attack chains have increasingly leveraged email bombing tactics to trick prospective targets into installing Quick Assist after being contacted by the threat actor under the guise of IT support or helpdesk personnel.
The access then serves as a conduit to sideload a malicious DLL loader (“winhttp.dll”) named REEDBED using OneDriveStandaloneUpdater.exe, a legitimate executable responsible for updating Microsoft OneDrive. The loader ultimately decrypts and runs the BC module.
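As an added example (not from Trend Micro's analysis or the original article), the sketch below flags the sideloading pattern described above: OneDriveStandaloneUpdater.exe loading a winhttp.dll from anywhere other than the Windows system directories. The event fields are modelled on Sysmon image-load events (Event ID 7), and the sample events and paths are constructed for illustration.

```python
import ntpath

# Directories where the genuine winhttp.dll ships on Windows.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
HOST_PROCESS = "onedrivestandaloneupdater.exe"  # legitimate binary named in the article
WATCHED_DLL = "winhttp.dll"                     # DLL name used by the loader


def is_suspicious_load(event):
    """True when the OneDrive updater loads winhttp.dll from outside the system dirs."""
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    if ntpath.basename(image) != HOST_PROCESS:
        return False
    if ntpath.basename(loaded) != WATCHED_DLL:
        return False
    # Normalise first so "..\" segments cannot disguise the real directory.
    return ntpath.dirname(ntpath.normpath(loaded)) not in SYSTEM_DIRS


def find_sideloads(events):
    """Return the subset of image-load events that match the sideloading pattern."""
    return [e for e in events if is_suspicious_load(e)]


# Constructed sample events (hypothetical user and paths).
UPDATER = r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"
SAMPLE_EVENTS = [
    # Normal: updater loads the system copy.
    {"Image": UPDATER, "ImageLoaded": r"C:\Windows\System32\winhttp.dll"},
    # Suspicious: updater loads a copy sitting outside the system directories.
    {"Image": UPDATER,
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\winhttp.dll"},
    # Out of scope for this rule: a different process.
    {"Image": r"C:\Program Files\Example\app.exe",
     "ImageLoaded": r"C:\Program Files\Example\winhttp.dll"},
    # Normal, but with odd casing and a redundant path segment.
    {"Image": UPDATER, "ImageLoaded": r"C:\WINDOWS\System32\..\System32\WinHTTP.dll"},
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "loaded", hit["ImageLoaded"])
```

In production the same condition would also check the signature fields of the image-load event, since a path check alone says nothing about who signed the loaded file.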

Trend Micro said it observed a CACTUS ransomware attack that employed the same modus operandi to deploy BackConnect, but also went beyond it to carry out various post-exploitation actions like lateral movement and data exfiltration. However, efforts to encrypt the victim’s network ended in failure.
The convergence of tactics assumes special significance in light of the recent Black Basta chat log leaks that laid bare the e-crime gang’s inner workings and organizational structure.
Specifically, it has emerged that members of the financially motivated crew shared valid credentials, some of which have been sourced from information stealer logs. Some of the other prominent initial access points are Remote Desktop Protocol (RDP) portals and VPN endpoints.
“Threat actors are using these tactics, techniques, and procedures (TTP) — vishing, Quick Assist as a remote tool, and BackConnect — to deploy Black Basta ransomware,” Trend Micro said.
“Specifically, there is evidence suggesting that members have transitioned from the Black Basta ransomware group to the CACTUS ransomware group. This conclusion is drawn from the analysis of similar tactics, techniques, and procedures (TTPs) being utilized by the CACTUS group.”