Researchers Link Former Black Basta Affiliates to CACTUS Ransomware Tactics

April 4, 2025 | Ravie Lakshmanan | Cybercrime / Threat Intelligence

According to new research, threat actors using the Black Basta and CACTUS ransomware families rely on the same BackConnect (BC) module to maintain persistent control over infected hosts, a sign that affiliates previously associated with Black Basta may have switched to CACTUS.

In a Monday report, Trend Micro stated that once installed, the module gives adversaries a wide range of remote control capabilities, enabling them to execute commands on the infected machine. They can also harvest sensitive information, including login credentials, financial data, and personal data, according to the report.

The security company is tracking the BC module as QBACKCONNECT because of overlaps with the QakBot loader. It's worth noting that both Walmart's Cyber Intelligence team and Sophos, the latter of which gave the cluster the name STAC5777, first documented the cluster in late January 2025.

Over the past year, Black Basta attack chains have used email bombing tactics to trick prospective targets into installing Quick Assist after being contacted by the threat actor under the pretext of IT support or helpdesk personnel.

The access is then used to sideload a malicious DLL loader ("winhttp.dll"), named REEDBED, via OneDriveStandaloneUpdater.exe, a legitimate executable that updates Microsoft OneDrive. The loader ultimately runs the BC module.
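The sideloading step above hinges on OneDriveStandaloneUpdater.exe resolving winhttp.dll from its own directory instead of System32. The following detection logic, an added example that is not part of Trend Micro's report, scans constructed Sysmon-style ImageLoad (Event ID 7) records and flags that exact pairing when the DLL is loaded from outside the Windows system directories; the log field names and sample paths are assumptions for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style ImageLoad (Event ID 7) records for illustration; not real telemetry.
SAMPLE_EVENTS = [
    # Legitimate updater loading the real winhttp.dll from System32
    "EventID=7 Image=C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe "
    "ImageLoaded=C:\\Windows\\System32\\winhttp.dll Signed=true",
    # Copied updater picking up a winhttp.dll dropped beside it (sideload pattern from the article)
    "EventID=7 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\OneDriveStandaloneUpdater.exe "
    "ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\winhttp.dll Signed=false",
    # Unrelated process loading winhttp.dll normally; should not fire
    "EventID=7 Image=C:\\Windows\\explorer.exe ImageLoaded=C:\\Windows\\System32\\winhttp.dll Signed=true",
    # Process-creation event; wrong event type, ignored
    "EventID=1 Image=C:\\Users\\alice\\Downloads\\OneDriveStandaloneUpdater.exe CommandLine=OneDriveStandaloneUpdater.exe",
    # Same sideload pattern from a Downloads folder
    "EventID=7 Image=C:\\Users\\alice\\Downloads\\OneDriveStandaloneUpdater.exe "
    "ImageLoaded=C:\\Users\\alice\\Downloads\\winhttp.dll Signed=false",
]

HOST_EXE = "onedrivestandaloneupdater.exe"   # legitimate host binary named in the article
SIDELOAD_DLL = "winhttp.dll"                 # DLL name the loader masquerades as
TRUSTED_DLL_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}

def parse_event(line):
    """Split a 'key=value key=value' record into a dict; values may contain spaces."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line))

def is_sideload(event):
    """True when OneDriveStandaloneUpdater.exe loads winhttp.dll from a non-system directory."""
    if event.get("EventID") != "7":
        return False
    image = PureWindowsPath(event.get("Image", ""))
    loaded = PureWindowsPath(event.get("ImageLoaded", ""))
    if image.name.lower() != HOST_EXE or loaded.name.lower() != SIDELOAD_DLL:
        return False
    # The real winhttp.dll lives in System32/SysWOW64; anything else is search-order abuse
    return str(loaded.parent).lower() not in TRUSTED_DLL_DIRS

def find_sideload_events(lines):
    """Return (host image, loaded DLL) pairs for every record matching the sideload pattern."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_sideload(ev):
            hits.append((ev["Image"], ev["ImageLoaded"]))
    return hits

if __name__ == "__main__":
    for image, dll in find_sideload_events(SAMPLE_EVENTS):
        print(f"ALERT possible REEDBED sideload: {image} loaded {dll}")
```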

Trend Micro reported that it had observed a CACTUS ransomware attack that used the same ruse to deploy BackConnect but also went further, carrying out several post-exploitation actions such as lateral movement and data exfiltration. However, attempts to encrypt the victim's network failed.

In light of the recent leak of Black Basta chat logs, which exposed the organization and internal workings of the e-crime gang, the overlap in tactics takes on new significance.

In particular, it has become clear that members of the financially motivated crew possessed valid credentials, some of which came from information stealer logs. Remote Desktop Protocol (RDP) portals and VPN endpoints are two other notable initial access vectors.

"Threat actors are using these tactics, techniques, and procedures (TTPs) to deploy Black Basta ransomware," according to Trend Micro, "including using Quick Assist as a remote tool and BackConnect."

"Notably, there is evidence that members of the Black Basta ransomware group have transitioned to the CACTUS ransomware group. This conclusion is derived from the analysis of similar tactics, techniques, and procedures (TTPs) being used by the CACTUS group."
