Black Basta and CACTUS Ransomware Groups Show Overlapping Tactics


Researchers have recently uncovered significant overlaps in the tactics and techniques used by the threat actors responsible for the deployment of the Black Basta and CACTUS ransomware families. This discovery has led to speculation that some affiliates have transitioned from working with Black Basta to collaborating with CACTUS, indicating a possible shift or merger within these cybercriminal communities. A central component of these attacks is the BackConnect (BC) module, also known as QBACKCONNECT, which provides attackers with remote control over infected machines. This versatile tool has facilitated a range of malicious activities, including executing commands, stealing sensitive data, and maintaining persistent access to compromised systems.

Use of the BackConnect (BC) Module

The BC module has been linked to the QakBot loader and was first documented in early 2025 by Walmart’s Cyber Intelligence team and Sophos, with the latter naming the cluster STAC5777. The module gives threat actors remote control over targeted hosts and lets them carry out a range of post-exploitation tasks. It was prominently used in a recent Black Basta attack, in which the group used email bombing and then impersonated IT support personnel to persuade targets to install Quick Assist. That initial access was followed by sideloading a malicious DLL loader known as REEDBED via OneDriveStandaloneUpdater.exe to run the BC module. This approach emerged after law enforcement dismantled the infrastructure associated with QakBot.

Trend Micro’s analysis revealed a strikingly similar pattern in a CACTUS ransomware attack, which also employed the BC module for post-exploitation activities. The attackers in this case used the BC module to achieve lateral movement within the network and exfiltrate sensitive data, although the encryption attempt ultimately failed. These shared methodologies between Black Basta and CACTUS suggest a high level of coordination or shared resources, contributing to the growing evidence of collaboration between these ransomware groups. Furthermore, the deployment of the BC module in both attacks underscores its critical role in the operational toolkit of these cybercriminals.

Shared Tools and Techniques

Another notable similarity between Black Basta and CACTUS ransomware groups is their use of a PowerShell script called TotalExec, which automates the deployment of the encryptor. This script has been identified in attacks attributed to both groups, further supporting the theory that members have moved from one faction to the other or that there is a shared pool of resources and expertise. The recent leaks of Black Basta chat logs have provided additional insights into the operational tactics of the group, revealing that they often share valid credentials sourced from information stealer logs to facilitate their activities.

Initial access points for these groups frequently include Remote Desktop Protocol (RDP) portals and VPN endpoints, which are highly coveted targets for cybercriminals seeking to infiltrate corporate networks. By exploiting vulnerabilities in these access points, both Black Basta and CACTUS have been able to compromise systems, gain a foothold within the network, and execute their ransomware payloads. The use of shared tools and techniques highlights the evolving nature of ransomware operations and the increasing sophistication of these threat actors.

Conclusion and Future Considerations

The overlaps researchers have identified between the Black Basta and CACTUS operations, above all the shared use of the BackConnect (BC) module, also referred to as QBACKCONNECT, and of the TotalExec deployment script, point to affiliates moving between the two groups or to a shared pool of tooling and expertise. The BC module gives attackers remote control over infected systems, letting them execute commands, steal sensitive data and maintain persistent access to compromised machines. That cybercriminals are sharing strategies and tools in this way means defenses built around a single group's known tradecraft will not hold; organizations should strengthen their controls around the initial access paths these groups favor and keep their detection and security measures current to safeguard sensitive information from these attacks.
