{"id":207832,"date":"2025-03-05T05:15:18","date_gmt":"2025-03-05T11:15:18","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2025\/03\/researchers-link-cactus-ransomware-tactics-to-former-black-basta-affiliates"},"modified":"2025-03-05T05:15:18","modified_gmt":"2025-03-05T11:15:18","slug":"researchers-link-cactus-ransomware-tactics-to-former-black-basta-affiliates","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2025\/03\/researchers-link-cactus-ransomware-tactics-to-former-black-basta-affiliates","title":{"rendered":"Researchers Link CACTUS Ransomware Tactics to Former Black Basta Affiliates"},"content":{"rendered":"<p><a class=\"aligncenter blog-photo\" href=\"https:\/\/lifeboat.com\/blog.images\/researchers-link-cactus-ransomware-tactics-to-former-black-basta-affiliates2.jpg\"><\/a><\/p>\n<p>Threat actors deploying the Black Basta and CACTUS ransomware families have been found to rely on the same BackConnect (BC) module for maintaining persistent control over infected hosts, a sign that affiliates previously associated with Black Basta may have transitioned to CACTUS.<\/p>\n<p>\u201cOnce infiltrated, it grants attackers a wide range of remote control capabilities, allowing them to execute commands on the infected machine,\u201d Trend Micro <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/b\/black-basta-cactus-ransomware-backconnect.html\" rel=\"noopener\" target=\"_blank\">said<\/a> in a Monday analysis. 
\u201cThis enables them to steal sensitive data, such as login credentials, financial information, and personal files.\u201d<\/p>\n<p>It\u2019s worth noting that details of the BC module, which the cybersecurity company is tracking as QBACKCONNECT owing to overlaps with the QakBot loader, were <a href=\"https:\/\/thehackernews.com\/2025\/01\/qakbot-linked-bc-malware-adds-enhanced.html\" rel=\"noopener\" target=\"_blank\">first documented<\/a> in late January 2025 by both Walmart\u2019s Cyber Intelligence team and Sophos, the latter of which has assigned the cluster the name STAC5777.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Threat actors deploying the Black Basta and CACTUS ransomware families have been found to rely on the same BackConnect (BC) module for maintaining persistent control over infected hosts, a sign that affiliates previously associated with Black Basta may have transitioned to CACTUS. \u201cOnce infiltrated, it grants attackers a wide range of remote control capabilities, allowing 
[\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34,45],"tags":[],"class_list":["post-207832","post","type-post","status-publish","format-standard","hentry","category-cybercrime-malcode","category-finance"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/207832","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=207832"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/207832\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=207832"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=207832"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=207832"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}