
Former Black Basta Affiliates Linked to CACTUS Ransomware Tactics: What Businesses Need to Know

Author: Impress Computers

Uploaded: 2025-03-19

Views: 23

Description: March 4, 2025 | Impress IT Solutions | Cybersecurity & Threat Intelligence

Cybercriminals deploying Black Basta and CACTUS ransomware have been found using the same BackConnect (BC) module to maintain persistent access to compromised systems. This discovery suggests that former Black Basta affiliates may have shifted their operations to CACTUS, bringing advanced threats to businesses in West Houston.

The Danger of BackConnect Malware

Once deployed, the BC module gives attackers extensive remote control capabilities, enabling them to execute commands, steal sensitive data, and compromise login credentials. According to cybersecurity firm Trend Micro, this tool allows hackers to exfiltrate financial data and personal files, putting businesses at serious risk.

Initially observed in January 2025 by Walmart’s Cyber Intelligence team and cybersecurity firm Sophos (which labeled the cluster STAC5777), the BC module overlaps with the notorious QakBot loader, further emphasizing its sophisticated nature.

How Ransomware Gangs Gain Access

Black Basta has been using email bombing tactics to trick employees into installing Quick Assist, posing as IT support or helpdesk personnel. Once access is gained, cybercriminals exploit Microsoft OneDrive’s updater (OneDriveStandaloneUpdater.exe) to sideload a malicious DLL file ("winhttp.dll"), which ultimately decrypts and runs the BC module.

Trend Micro reports that CACTUS ransomware actors have adopted the same tactics, using BackConnect for post-exploitation activities such as lateral movement and data exfiltration. However, in at least one instance, their encryption attempts failed, possibly due to improved security defenses.
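
One way to detect the sideloading step described above, as an added example that is not from the original post or from Trend Micro: it scans image-load events for OneDriveStandaloneUpdater.exe loading winhttp.dll from anywhere other than the Windows system directories. The event shape follows Sysmon Event ID 7 (ImageLoad); the host names, user paths and log lines are constructed, and the function names are hypothetical.

```python
import json
from pathlib import PureWindowsPath

# Directories where the genuine winhttp.dll ships with Windows.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
HOST_PROCESS = "onedrivestandaloneupdater.exe"  # binary named on the page
WATCHED_DLL = "winhttp.dll"                     # DLL named on the page

# Constructed sample: JSON lines shaped like Sysmon Event ID 7 (ImageLoad).
# Hosts, users and paths are made up for this example.
SAMPLE_EVENTS = r'''
{"EventID": 7, "Computer": "WS-014", "Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe", "ImageLoaded": "C:\\Windows\\System32\\winhttp.dll"}
{"EventID": 7, "Computer": "WS-022", "Image": "C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe", "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\winhttp.dll"}
{"EventID": 7, "Computer": "WS-022", "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\winhttp.dll"}
{"EventID": 1, "Computer": "WS-022", "Image": "C:\\Windows\\System32\\cmd.exe"}
this line is truncated log noise and must be skipped
{"EventID": 7, "Computer": "WS-031", "Image": "C:\\Users\\carol\\AppData\\Local\\Microsoft\\OneDrive\\ONEDRIVESTANDALONEUPDATER.EXE", "ImageLoaded": "C:\\Users\\carol\\AppData\\Local\\Microsoft\\OneDrive\\WinHTTP.dll"}
'''


def is_suspicious_load(event):
    """True when the OneDrive updater loads winhttp.dll from a non-system path."""
    if not isinstance(event, dict) or event.get("EventID") != 7:
        return False
    image = PureWindowsPath(str(event.get("Image", "")))
    loaded = PureWindowsPath(str(event.get("ImageLoaded", "")))
    if image.name.lower() != HOST_PROCESS or loaded.name.lower() != WATCHED_DLL:
        return False
    # Windows paths are case-insensitive, so compare lower-cased directories.
    return str(loaded.parent).lower() not in SYSTEM_DIRS


def find_sideloads(log_text):
    """Return (host, dll_path) for every suspicious image load in the log."""
    hits = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed line
        if is_suspicious_load(event):
            hits.append((event.get("Computer", "?"), event["ImageLoaded"]))
    return hits


if __name__ == "__main__":
    for host, path in find_sideloads(SAMPLE_EVENTS):
        print(f"ALERT {host}: OneDriveStandaloneUpdater.exe loaded {path}")
```

A hit is a triage lead: confirm it against the DLL's signature and hash before treating the host as compromised.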

The Connection Between Black Basta and CACTUS

Recent leaks from Black Basta chat logs have revealed internal operations, including the sharing of stolen credentials sourced from information stealer logs. The primary attack vectors include:

Compromised Remote Desktop Protocol (RDP) portals
Exploited VPN endpoints
Social engineering tactics such as vishing (voice phishing) and Quick Assist misuse

Cybersecurity experts suggest that some members of the Black Basta group have transitioned to CACTUS, given the striking similarities in their attack methodologies. This evolution highlights the need for West Houston businesses to stay ahead of emerging cyber threats.

How Impress IT Solutions Protects Your Business

At Impress IT Solutions in West Houston, we specialize in fortifying businesses against evolving ransomware threats. Our cybersecurity strategies include:

24/7 Threat Monitoring: Detect and mitigate threats before they infiltrate your network.
Advanced Endpoint Protection: Prevent malware from executing on your systems.
Employee Training Programs: Reduce human error by educating staff on phishing and social engineering tactics.
Secure Backup Solutions: Ensure business continuity with encrypted, offsite backups resistant to ransomware attacks.
Zero Trust Network Access (ZTNA): Implement strict verification controls to block unauthorized access.

Stay Protected with Impress IT Solutions

With ransomware groups like Black Basta and CACTUS evolving their attack strategies, it’s more critical than ever to secure your business. Contact Impress IT Solutions today to assess your cybersecurity posture and safeguard your operations against emerging cyber threats.

Get in touch with our West Houston team today to schedule a free cybersecurity assessment and ensure your business is protected from the latest ransomware tactics.

https://www.impresscomputers.com/2025...


Impress Computers
21733 Provincial Blvd
Ste 110
Katy TX 77450
281-647-9977

FREE EXECUTIVE REPORT

Cyber Incident Prevention Best Practices For
Your Small Business
Networking
Network Support
Managed Services
