
Mar 04, 2025 | Ravie Lakshmanan | Cybercrime / Threat Intelligence

A recent discovery has shed light on the tactics employed by threat actors using the Black Basta and CACTUS ransomware families, revealing that they rely on the same BackConnect (BC) module to maintain control over infected hosts. This finding suggests that affiliates previously associated with Black Basta may have transitioned to CACTUS.

According to Trend Micro, once the BC module is installed on a host, it gives attackers remote control of the machine and lets them execute commands on it. This in turn allows them to steal sensitive data, including login credentials, financial information, and personal files, the company noted in a Monday analysis.

The BC module, tracked by the cybersecurity company as QBACKCONNECT due to its overlap with the QakBot loader, was first documented in late January 2025 by Walmart’s Cyber Intelligence team and Sophos, with the latter designating the cluster as STAC5777.


Over the past year, Black Basta attack chains have increasingly used email bombing and then, posing as IT support or helpdesk personnel, tricked targets into installing Quick Assist.

Following the initial compromise, the threat actors use OneDriveStandaloneUpdater.exe, a legitimate executable responsible for updating Microsoft OneDrive, to sideload a malicious DLL loader (“winhttp.dll”) named REEDBED. The loader then decrypts and runs the BC module.
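A defender-side check for the sideloading step described above, added here as an example rather than taken from the Trend Micro report: it scans constructed Sysmon-style image-load records and flags winhttp.dll loaded by OneDriveStandaloneUpdater.exe from any directory other than the Windows system directories, where the legitimate copy lives. The record field names, the sample paths and the system-directory list are assumptions.

```python
import ntpath
from typing import Iterable

# Assumption: a default Windows install keeps the legitimate winhttp.dll here.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
HOST_EXE = "onedrivestandaloneupdater.exe"
SIDELOADED_DLL = "winhttp.dll"


def is_suspicious_load(image: str, image_loaded: str) -> bool:
    """True when OneDriveStandaloneUpdater.exe loads winhttp.dll from a non-system directory.

    A legitimate load resolves to the system copy; a copy sitting next to the
    updater (or anywhere else) is the sideloading pattern described in the article.
    """
    if ntpath.basename(image).lower() != HOST_EXE:
        return False
    if ntpath.basename(image_loaded).lower() != SIDELOADED_DLL:
        return False
    dll_dir = ntpath.dirname(image_loaded).lower().rstrip("\\")
    return dll_dir not in SYSTEM_DIRS


def find_sideload_events(records: Iterable[dict]) -> list[dict]:
    """Filter image-load records (field names mirror Sysmon Event ID 7: Image, ImageLoaded)."""
    return [r for r in records if is_suspicious_load(r["Image"], r["ImageLoaded"])]


# Constructed sample records; paths are made up for illustration.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "ImageLoaded": r"C:\Windows\System32\winhttp.dll"},  # benign: system copy
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\winhttp.dll"},  # sideload
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\winhttp.dll"},  # different host process
]

if __name__ == "__main__":
    for hit in find_sideload_events(SAMPLE_EVENTS):
        print("sideload candidate:", hit["Image"], "->", hit["ImageLoaded"])
```

Only the second record is reported; the third is left for a broader rule because the host process is not the OneDrive updater.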

CACTUS Ransomware

Trend Micro observed a CACTUS ransomware attack that used the same tactics to deploy BackConnect; the attackers also carried out post-exploitation actions such as lateral movement and data exfiltration, but the encryption attempt was unsuccessful.

This convergence of tactics is significant, especially in light of the recent leak of Black Basta chat logs, which exposed the e-crime gang’s inner workings and organizational structure, as well as a detailed analysis of their operations.


Members of the financially motivated crew have also been found to share valid credentials, some of which were sourced from information stealer logs. Other prominent initial access points include Remote Desktop Protocol (RDP) portals and VPN endpoints.

According to Trend Micro, threat actors use tactics such as vishing, Quick Assist, and BackConnect to deploy Black Basta ransomware, and there is evidence that some members have moved from the Black Basta ransomware group to the CACTUS ransomware group, as indicated by the similarities in their tactics, techniques, and procedures (TTPs).

That CACTUS ransomware operators are using TTPs similar to Black Basta's, including BackConnect, points to a potential shift in allegiance or a merging of operations between the two groups.
