
Cybersecurity experts have found evidence that the threat actors behind the Black Basta and CACTUS ransomware families are using the same BackConnect (BC) module to maintain persistent control over infected devices. This discovery suggests that affiliates previously linked to Black Basta may have transitioned to using CACTUS.
According to Trend Micro’s analysis released on Monday, “Once an attacker gains access, the BC module offers extensive remote control capabilities, enabling the attacker to execute commands on the compromised [machine].” That level of control lets attackers access and steal sensitive information, including login credentials, financial data, and personal documents.
The BC module, which Trend Micro tracks as QBACKCONNECT because of its overlaps with the QakBot loader, was first documented in late January 2025. Walmart’s Cyber Intelligence team and Sophos both contributed to its identification, and Sophos tracks the related activity cluster as STAC5777.
Over the last year, Black Basta’s intrusions have increasingly relied on email bombing campaigns to trick targets into installing Quick Assist: the attackers flood the victim’s inbox, then contact the victim posing as IT support or helpdesk staff and talk them into granting a remote session. Once the attacker has a session on the victim’s machine, they use it to drop a malicious DLL loader, tracked as REEDBED, which is sideloaded by the legitimate Microsoft OneDrive updater binary (OneDriveStandaloneUpdater.exe). The loader then decrypts and runs the BC module.
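The chain above (Quick Assist session, then a DLL loader executed through OneDriveStandaloneUpdater.exe) leaves a simple telemetry signature: the OneDrive updater loading a DLL that is unsigned or lives outside the directories it normally loads from, shortly after Quick Assist was started. The following detection logic is an added example written for this article, not Trend Micro’s or Sophos’s code. It runs over constructed Sysmon-style events (Event ID 1 process creation and Event ID 7 image load, with the standard field names); the host, user, timestamps, the `loader.dll` file name, the set of trusted DLL directories and the one-hour correlation window are all assumptions of the example, and the DLL name is a placeholder rather than the real REEDBED file name.

```python
import json
from datetime import datetime, timedelta

# Constructed Sysmon-style events as JSON lines (invented host, paths and times).
# Event ID 1 = process create, Event ID 7 = image (DLL) load.
SAMPLE_EVENTS = r"""
{"EventID": 1, "UtcTime": "2025-03-03 09:58:10", "ProcessId": 4120, "Image": "C:\\Windows\\System32\\quickassist.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "UtcTime": "2025-03-03 10:04:30", "ProcessId": 5212, "Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 7, "UtcTime": "2025-03-03 10:04:31", "ProcessId": 5212, "Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"}
{"EventID": 7, "UtcTime": "2025-03-03 10:04:32", "ProcessId": 5212, "Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\loader.dll", "Signed": "false"}
{"EventID": 7, "UtcTime": "2025-03-03 10:10:00", "ProcessId": 6001, "Image": "C:\\Windows\\System32\\notepad.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\x.dll", "Signed": "false"}
"""

UPDATER = "onedrivestandaloneupdater.exe"
QUICK_ASSIST = "quickassist.exe"
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _ts(event):
    return datetime.strptime(event["UtcTime"], TIME_FMT)


def is_trusted_dll_path(path):
    """Assumption: a legitimate updater only loads DLLs from the Windows system
    directories or from a Microsoft OneDrive install directory."""
    p = path.lower()
    return p.startswith(("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")) \
        or "\\microsoft\\onedrive\\" in p


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_sideloads(events):
    """Image loads by OneDriveStandaloneUpdater.exe where the DLL is unsigned
    or comes from an untrusted directory. Unsigned is flagged even inside a
    trusted directory, since a loader dropped next to the updater would sit there."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7 or _basename(ev["Image"]) != UPDATER:
            continue
        dll = ev["ImageLoaded"]
        signed = str(ev.get("Signed", "false")).lower() == "true"
        if signed and is_trusted_dll_path(dll):
            continue
        hits.append({"time": ev["UtcTime"], "pid": ev["ProcessId"],
                     "dll": dll, "signed": signed})
    return hits


def quick_assist_before(events, hit, window=timedelta(hours=1)):
    """True if Quick Assist was started within `window` before the suspicious
    load, which ties the sideload to the helpdesk-impersonation lure."""
    t = datetime.strptime(hit["time"], TIME_FMT)
    for ev in events:
        if ev.get("EventID") == 1 and _basename(ev["Image"]) == QUICK_ASSIST:
            if timedelta(0) <= t - _ts(ev) <= window:
                return True
    return False


def analyze(text):
    """Return the suspicious updater DLL loads, each annotated with whether a
    Quick Assist session preceded it."""
    events = parse_events(text)
    findings = []
    for hit in find_sideloads(events):
        hit["quick_assist_seen"] = quick_assist_before(events, hit)
        findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['time']} pid={f['pid']} loaded {f['dll']} "
              f"signed={f['signed']} quick_assist_before={f['quick_assist_seen']}")
```

On the constructed input only the `loader.dll` load by the updater is reported; `kernel32.dll` passes the signed-and-trusted check and the unsigned DLL loaded by notepad.exe is ignored because the rule is deliberately scoped to the updater binary the article names. A production version would want the rule widened to any signed Microsoft binary loading an unsigned DLL from a user-writable path, and the correlation keyed on the logon session rather than on time alone.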

This shift to alternative access methods follows the law enforcement operation that dismantled QakBot’s infrastructure, which Black Basta had historically relied on for initial network access. The use of QBACKCONNECT points to a close relationship between the Black Basta and QakBot development teams.
Trend Micro also reported observing a CACTUS ransomware attack that utilized similar tactics to deploy BackConnect. However, this attack went further by executing additional post-exploitation actions, such as lateral movement and data exfiltration. Despite these actions, the encryption of the victim’s network ultimately failed.
Another connection between Black Basta and CACTUS involves a PowerShell script called TotalExec, which is used to automate the deployment of ransomware encryption.
The convergence of these tactics is particularly significant following the recent leak of Black Basta chat logs, which revealed insights into the group’s internal operations. The logs showed members of the financially motivated group trading valid credentials, some of them harvested from information-stealer logs, and that initial access frequently came through Remote Desktop Protocol (RDP) portals and VPN endpoints.
Trend Micro stated, “Threat actors are using a combination of tactics, techniques, and procedures (TTPs) — such as vishing, Quick Assist as a remote tool, and BackConnect — to deploy Black Basta ransomware.”
The company further explained, “Evidence suggests that some members have transitioned from Black Basta to the CACTUS ransomware group. This conclusion comes from analyzing the shared tactics, techniques, and procedures (TTPs) used by both groups.”