Cybersecurity experts say that the threat actors behind the Black Basta and CACTUS ransomware families have started to use the same BackConnect (BC) module, which may indicate that affiliates previously associated with the Black Basta group have transitioned to CACTUS.
According to a recent Trend Micro report, the BC module, tracked as QBACKCONNECT, allows attackers to remotely control infected systems. Once deployed on a victim's machine, the module lets the threat actors execute commands, steal sensitive data such as login credentials, financial information, and personal files, and maintain persistent control over the compromised system. The BC module was linked to the notorious malware loader QakBot in late January 2025 by security teams at Walmart and Sophos, with Sophos assigning the cluster the label STAC5777.
In a recent CACTUS attack the encryption of the victim's data ultimately failed, suggesting that while these groups share many tools and techniques, they may still be refining their operations.
Recent attacks by Black Basta have increasingly employed email bombing to trick victims into installing Quick Assist, a legitimate remote support tool. In these attacks, the perpetrators pose as IT support or helpdesk personnel to manipulate the victim into granting access. Once Quick Assist is installed, the attackers use that access to sideload a malicious DLL loader named REEDBED through a legitimate Microsoft OneDrive update tool (OneDriveStandaloneUpdater.exe). Once activated, this loader decrypts and runs the BC module, giving the attackers the foothold they need for the rest of their operation.
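The chain above (a Quick Assist session followed by OneDriveStandaloneUpdater.exe loading an unsigned DLL from a user-writable directory) is something a defender can look for in endpoint telemetry. The following is an added detection example written for this article; it is not code from Trend Micro, Sophos, or any product named here. It assumes Sysmon-style events (EventID 1 for process creation, EventID 7 for image load) with `Image`, `ImageLoaded`, `Signed` and `Signature` fields, and the sample events, host names, timestamps, paths and the DLL file name `HYPOTHETICAL_loader.dll` are all constructed for the example. The rule flags any non-Microsoft-signed DLL loaded by the OneDrive updater from outside the Windows system directories, and raises severity when a remote-support tool was started on the same host shortly before.

```python
"""Added example: detect the Quick Assist -> OneDriveStandaloneUpdater.exe DLL side-loading chain
described in the article. Sample telemetry below is constructed, not real data."""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed Sysmon-like events (EventID 1 = process create, EventID 7 = image load).
# Hosts, users, times and the DLL name are invented for illustration.
SAMPLE_EVENTS = [
    {"Time": "2025-03-01T10:00:00", "Host": "WS01", "EventID": 1,
     "Image": r"C:\Program Files\WindowsApps\QuickAssist\QuickAssist.exe"},
    {"Time": "2025-03-01T10:09:30", "Host": "WS01", "EventID": 7,
     "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Time": "2025-03-01T10:09:31", "Host": "WS01", "EventID": 7,
     "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\HYPOTHETICAL_loader.dll",
     "Signed": "false", "Signature": ""},
    {"Time": "2025-03-01T14:00:00", "Host": "WS02", "EventID": 7,
     "Image": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\HYPOTHETICAL_loader.dll",
     "Signed": "false", "Signature": ""},
]

# DLLs resolved from these directories are normal OS loads and are not flagged.
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# Legitimate binaries the article names as side-loading hosts.
SIDELOAD_HOSTS = {"onedrivestandaloneupdater.exe"}
# Remote-support tools whose recent start raises the severity of a later side-load.
REMOTE_SUPPORT_TOOLS = {"quickassist.exe"}
CORRELATION_WINDOW = timedelta(minutes=30)  # assumed window, tune to your environment


def _basename(path):
    return PureWindowsPath(path).name.lower()


def _under_trusted_dir(path):
    p = path.lower()
    return any(p.startswith(d + "\\") for d in TRUSTED_DLL_DIRS)


def _microsoft_signed(event):
    return (event.get("Signed", "").lower() == "true"
            and "microsoft" in event.get("Signature", "").lower())


def is_suspicious_sideload(event):
    """True for an image-load event where a watched host binary loads a DLL that is
    neither from a Windows system directory nor Microsoft-signed."""
    if event.get("EventID") != 7:
        return False
    if _basename(event.get("Image", "")) not in SIDELOAD_HOSTS:
        return False
    dll = event.get("ImageLoaded", "")
    if _under_trusted_dir(dll):
        return False
    return not _microsoft_signed(event)


def scan(events):
    """Walk events in time order; remember the last remote-support tool start per host
    and flag suspicious side-loads, marking them 'high' when one occurred shortly after
    such a tool was started on the same host, otherwise 'medium'."""
    findings = []
    last_support_start = {}  # host -> datetime of most recent remote-support tool start
    for ev in sorted(events, key=lambda e: e["Time"]):
        when = datetime.fromisoformat(ev["Time"])
        host = ev["Host"]
        if ev.get("EventID") == 1 and _basename(ev.get("Image", "")) in REMOTE_SUPPORT_TOOLS:
            last_support_start[host] = when
            continue
        if is_suspicious_sideload(ev):
            start = last_support_start.get(host)
            correlated = start is not None and when - start <= CORRELATION_WINDOW
            findings.append({
                "host": host,
                "time": ev["Time"],
                "loader": ev["Image"],
                "dll": ev["ImageLoaded"],
                "severity": "high" if correlated else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} {f['time']} {f['loader']} loaded {f['dll']}")
```

The rule deliberately keys on the signature and load path rather than on a DLL file name, since the name of the side-loaded file is an attacker choice; the `CORRELATION_WINDOW` value is an assumption and should be tuned against how long legitimate Quick Assist sessions run in the environment.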
This shift in tactics follows the disruption of QakBot infrastructure, which had historically been used by Black Basta to gain initial access to victim networks. Trend Micro says that the CACTUS ransomware group is also leveraging the BackConnect module for remote control. However, CACTUS goes beyond mere system infiltration, engaging in post-exploitation activities such as lateral movement and data exfiltration.
A recent leak of Black Basta's internal chat logs provided insight into the group's operational processes. The logs revealed that Black Basta members shared valid credentials, some of which were obtained from information stealer logs. The leaks exposed the group's common methods for initial access, which typically involve exploiting Remote Desktop Protocol (RDP) portals and Virtual Private Network (VPN) endpoints.