Black Basta and CACTUS Ransomware Groups Show Overlapping Tactics


Researchers have recently uncovered significant overlaps in the tactics and techniques used by the threat actors responsible for the deployment of the Black Basta and CACTUS ransomware families. This discovery has led to speculation that some affiliates have transitioned from working with Black Basta to collaborating with CACTUS, indicating a possible shift or merger within these cybercriminal communities. A central component of these attacks is the BackConnect (BC) module, also known as QBACKCONNECT, which provides attackers with remote control over infected machines. This versatile tool has facilitated a range of malicious activities, including executing commands, stealing sensitive data, and maintaining persistent access to compromised systems.

Use of the BackConnect (BC) Module

The BC module has been linked to the notorious QakBot loader and was first documented in early 2025 by Walmart’s Cyber Intelligence team and Sophos, with the latter naming the cluster STAC5777. This highly sophisticated piece of malware enables threat actors to seamlessly infiltrate and control targeted networks, effectively allowing them to execute a variety of post-exploitation tasks. The capabilities of the BC module were prominently featured in a recent attack by the Black Basta group, which used email bombing tactics to trick targets into installing Quick Assist software by impersonating IT support personnel. This initial access method allowed for the sideloading of a malicious DLL loader known as REEDBED via OneDriveStandaloneUpdater.exe to run the BC module. This innovative approach emerged after law enforcement successfully dismantled the infrastructure associated with QakBot.
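The sideloading step above has a recognisable shape for defenders: a signed Microsoft host binary is copied somewhere writable and loads a DLL from that same folder. The following heuristic over image-load events is an added example written for this article, not code from Trend Micro, Sophos or Walmart; the log schema, directory list, user paths and the placeholder DLL name are all constructed for illustration.

```python
from typing import Dict, List

# Signed host binary named in the article; everything else here is constructed.
WATCHED_HOSTS = {"onedrivestandaloneupdater.exe"}

# Directories where the OneDrive updater normally lives (assumption for the example).
EXPECTED_HOST_DIRS = (
    r"c:\program files\microsoft onedrive",
    r"\appdata\local\microsoft\onedrive",
)

# Constructed Sysmon-style image-load records (Event ID 7 flavour, key=value fields).
SAMPLE_EVENTS = [
    r"Image=C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true|Signature=Microsoft Windows",
    r"Image=C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe|ImageLoaded=C:\Users\alice\AppData\Local\Microsoft\OneDrive\Telemetry.dll|Signed=true|Signature=Microsoft Corporation",
    r"Image=C:\Users\alice\Downloads\OneDriveStandaloneUpdater.exe|ImageLoaded=C:\Users\alice\Downloads\placeholder_loader.dll|Signed=false|Signature=",
    r"Image=C:\Users\Public\updater\OneDriveStandaloneUpdater.exe|ImageLoaded=C:\Windows\System32\user32.dll|Signed=true|Signature=Microsoft Windows",
    r"Image=C:\Windows\System32\notepad.exe|ImageLoaded=C:\Windows\System32\user32.dll|Signed=true|Signature=Microsoft Windows",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'Key=Value|Key=Value' record into a dict (constructed schema)."""
    return dict(kv.split("=", 1) for kv in line.split("|"))


def is_suspicious_load(ev: Dict[str, str]) -> bool:
    """Flag a watched signed host loading an unsigned DLL, or a relocated host
    loading a DLL from its own (attacker-controlled) directory."""
    host = ev["Image"].lower()
    dll = ev["ImageLoaded"].lower()
    if host.rsplit("\\", 1)[-1] not in WATCHED_HOSTS:
        return False
    host_dir = host.rsplit("\\", 1)[0]
    dll_dir = dll.rsplit("\\", 1)[0]
    in_expected_dir = any(d in host_dir for d in EXPECTED_HOST_DIRS)
    unsigned = ev.get("Signed", "false").lower() != "true"
    # A relocated host loading system DLLs from System32 is not flagged by the
    # second clause; only the same-folder load (the sideload shape) is.
    return unsigned or (not in_expected_dir and dll_dir == host_dir)


def find_sideload_candidates(lines: List[str]) -> List[str]:
    """Return the loaded-DLL path of every event the heuristic flags."""
    return [parse_event(l)["ImageLoaded"] for l in lines if is_suspicious_load(parse_event(l))]
```

Against the constructed sample only the Downloads-folder load is reported; the legitimate updater and a relocated host pulling DLLs from System32 pass through.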

Trend Micro’s analysis revealed a strikingly similar pattern in a CACTUS ransomware attack, which also employed the BC module for post-exploitation activities. The attackers in this case used the BC module to achieve lateral movement within the network and exfiltrate sensitive data, although the encryption attempt ultimately failed. These shared methodologies between Black Basta and CACTUS suggest a high level of coordination or shared resources, contributing to the growing evidence of collaboration between these ransomware groups. Furthermore, the deployment of the BC module in both attacks underscores its critical role in the operational toolkit of these cybercriminals.

Shared Tools and Techniques

Another notable similarity between Black Basta and CACTUS ransomware groups is their use of a PowerShell script called TotalExec, which automates the deployment of the encryptor. This script has been identified in attacks attributed to both groups, further supporting the theory that members have moved from one faction to the other or that there is a shared pool of resources and expertise. The recent leaks of Black Basta chat logs have provided additional insights into the operational tactics of the group, revealing that they often share valid credentials sourced from information stealer logs to facilitate their activities.

Initial access points for these groups frequently include Remote Desktop Protocol (RDP) portals and VPN endpoints, which are highly coveted targets for cybercriminals seeking to infiltrate corporate networks. By exploiting vulnerabilities in these access points, both Black Basta and CACTUS have been able to compromise systems, gain a foothold within the network, and execute their ransomware payloads. The use of shared tools and techniques highlights the evolving nature of ransomware operations and the increasing sophistication of these threat actors.

Conclusion and Future Considerations

The overlaps in tactics and techniques between the threat actors behind Black Basta and CACTUS, from the shared BackConnect (BC) module (also referred to as QBACKCONNECT) to the TotalExec script and common initial access paths, have led researchers to speculate that some affiliates have moved from Black Basta to CACTUS, suggesting a possible transition or merger within these cybercriminal groups. The revelation of these overlaps indicates that cybercriminals are sharing strategies and tools, which presents an evolving threat landscape. Consequently, organizations must strengthen their cybersecurity defenses to counteract these sophisticated and persistent attacks. Ongoing vigilance and updated security measures are crucial to safeguarding sensitive information from these advanced threats.
