In a recent development, threat actors deploying the Black Basta and CACTUS ransomware families have been found to share the same BackConnect (BC) module to maintain persistent control over compromised hosts. This indicates a potential shift of affiliates from Black Basta to CACTUS ransomware operations.
According to an analysis by Trend Micro, the BC module allows attackers to execute various remote control commands on the infected machines, enabling them to extract sensitive data such as login credentials, financial records, and personal files. The cybersecurity company has been monitoring the BC module as QBACKCONNECT due to its similarities with the QakBot loader. This module was initially documented in late January 2025 by Walmart’s Cyber Intelligence team and Sophos, with the latter naming the cluster STAC5777.
Over the past year, Black Basta ransomware attacks have increasingly used email bombing, after which threat actors posing as IT support personnel contact the targets and persuade them to install Quick Assist. This initial access is then used to load a malicious DLL loader called REEDBED via OneDriveStandaloneUpdater.exe, a legitimate executable responsible for updating Microsoft OneDrive, ultimately leading to the decryption and execution of the BC module.
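A defender-side check for the sideloading step described above, as an added example that is not part of the original article or of Trend Micro's analysis: it scans constructed Sysmon Event ID 7 (image load) records in a simplified key=value form and flags cases where OneDriveStandaloneUpdater.exe runs from outside its usual install directory or loads a DLL that is not Microsoft-signed. The log format, the sample paths and DLL names, and the assumed normal install location (`...\AppData\Local\Microsoft\OneDrive`) are assumptions for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed, simplified Sysmon Event ID 7 (Image loaded) records in key=value form.
# Values are made up for this example; they are not telemetry from the incidents above.
SAMPLE_LOGS = [
    'Image="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe" '
    'ImageLoaded="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\UpdateRingSettings.dll" '
    'Signed="true" Signature="Microsoft Corporation"',
    'Image="C:\\Users\\alice\\AppData\\Local\\Temp\\OneDriveStandaloneUpdater.exe" '
    'ImageLoaded="C:\\Users\\alice\\AppData\\Local\\Temp\\sideloaded-placeholder.dll" '
    'Signed="false" Signature=""',
    'Image="C:\\Windows\\System32\\svchost.exe" '
    'ImageLoaded="C:\\Windows\\System32\\ntdll.dll" Signed="true" Signature="Microsoft Windows"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')
TARGET_EXE = "onedrivestandaloneupdater.exe"
# Assumption: the updater normally lives under the per-user OneDrive install directory.
EXPECTED_DIR_SUFFIX = "\\appdata\\local\\microsoft\\onedrive"


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key="value" record into a dict (case of keys preserved)."""
    return {k: v for k, v in KV_RE.findall(line)}


def sideload_reasons(ev: Dict[str, str]) -> List[str]:
    """Return why an image-load event looks like a sideload via the OneDrive updater; empty if benign."""
    image = ev.get("Image", "").lower()
    exe_dir, _, exe_name = image.rpartition("\\")
    if exe_name != TARGET_EXE:
        return []  # only the updater process is of interest here
    dll_dir = ev.get("ImageLoaded", "").lower().rpartition("\\")[0]
    reasons = []
    in_expected_dir = exe_dir.endswith(EXPECTED_DIR_SUFFIX)
    if not in_expected_dir:
        reasons.append("updater executed outside its usual OneDrive install directory")
    if ev.get("Signed", "").lower() != "true" or "microsoft" not in ev.get("Signature", "").lower():
        reasons.append("loaded DLL is not Microsoft-signed")
    if dll_dir == exe_dir and not in_expected_dir:
        reasons.append("DLL loaded from the same non-standard directory as the copied updater")
    return reasons


def find_sideload_candidates(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (loaded DLL path, reasons) for every record that looks like a sideload."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = sideload_reasons(ev)
        if reasons:
            hits.append((ev.get("ImageLoaded", ""), reasons))
    return hits
```

Real Sysmon events carry the same fields as XML or JSON rather than this key=value form, so only `parse_event` needs adapting to run the check over production logs.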
In a recent incident observed by Trend Micro, a CACTUS ransomware attack employed similar tactics to deploy the BackConnect module, along with additional post-exploitation activities like lateral movement and data exfiltration. However, the encryption of the victim’s network was unsuccessful in this case.
The convergence of tactics between Black Basta and CACTUS ransomware operations becomes significant in light of the leaked Black Basta chat logs, which provided insights into the inner workings and organizational structure of the e-crime gang. It has been revealed that members of the group share valid credentials sourced from information stealer logs, with Remote Desktop Protocol (RDP) portals and VPN endpoints being some of the prominent initial access points.
Trend Micro points out that threat actors are employing tactics such as vishing, Quick Assist, and BackConnect to deploy Black Basta ransomware and suggests a transition of members from the Black Basta group to the CACTUS ransomware group. This conclusion is drawn from the analysis of similar tactics, techniques, and procedures (TTPs) used by both groups.
The use of common modules and tactics by different ransomware groups underscores the evolving nature of cyber threats and the need for organizations to remain vigilant against such malicious activities. The cybersecurity landscape continues to pose challenges, requiring continuous monitoring and proactive measures to protect sensitive data and infrastructure from cyber attacks.