Mar 04, 2025Ravie LakshmananCybercrime / Threat Intelligence

Threat actors deploying the Black Basta and CACTUS ransomware families have been found to rely on the same BackConnect (BC) module for maintaining persistent control over infected hosts, a sign that affiliates previously associated with Black Basta may have transitioned to CACTUS.

“Once infiltrated, it grants attackers a wide range of remote control capabilities, allowing them to execute commands on the infected machine,” Trend Micro said in a Monday analysis. “This enables them to steal sensitive data, such as login credentials, financial information, and personal files.”

It’s worth noting that details of the BC module, which the cybersecurity company is tracking as QBACKCONNECT owing to overlaps with the QakBot loader, was first documented in late January 2025 by both Walmart’s Cyber Intelligence team and Sophos, the latter of which has designated the cluster the name STAC5777.

Over the past year, Black Basta attack chains have increasingly leveraged email bombing tactics to trick prospective targets into installing Quick Assist after being contacted by the threat actor under the guise of IT support or helpdesk personnel.

The access then serves as a conduit to sideload a malicious DLL loader (“winhttp.dll”) named REEDBED using OneDriveStandaloneUpdater.exe, a legitimate executable responsible for updating Microsoft OneDrive. The loader ultimately decrypts and runs the BC module.

Trend Micro said it observed a CACTUS ransomware attack that employed the same modus operandi to deploy BackConnect, but also go beyond it to carry out various post-exploitation actions like lateral movement and data exfiltration. However, efforts to encrypt the victim’s network ended in failure.

The convergence of tactics assumes special significance in light of the recent Black Basta chat log leaks that laid bare the e-crime gang’s inner workings and organizational structure.

Specifically, it has emerged that members of the financially motivated crew shared valid credentials, some of which have been sourced from information stealer logs. Some of the other prominent initial access points are Remote Desktop Protocol (RDP) portals and VPN endpoints.

“Threat actors are using these tactics, techniques, and procedures (TTP) — vishing, Quick Assist as a remote tool, and BackConnect — to deploy Black Basta ransomware,” Trend Micro said.

“Specifically, there is evidence suggesting that members have transitioned from the Black Basta ransomware group to the CACTUS ransomware group. This conclusion is drawn from the analysis of similar tactics, techniques, and procedures (TTPs) being utilized by the CACTUS group.”