Threat actors who deploy the Black Basta and Cactus ransomware families have been found to rely on the same BackConnect (BC) module to maintain persistent control over infected hosts, a sign that affiliates previously associated with Black Basta may have moved on to Cactus.
Trend Micro said in an analysis published Monday, "Once infiltrated, it grants the attackers a wide range of remote control capabilities, allowing them to execute commands on the infected machine. This enables them to steal sensitive data, such as login credentials, financial information, and personal files."
It is worth noting that details of the BC module, which Trend Micro tracks as QBACKCONNECT owing to overlaps with the QakBot loader, were first documented by both Walmart's Cyber Intelligence team and Sophos at the end of January 2025, after which the activity cluster was given the name STAC5777.
Over the past year, Black Basta attack chains have increasingly relied on email bombing to trick prospective targets into installing Quick Assist after the threat actor contacts them under the guise of IT support or helpdesk personnel.
This access then serves as a conduit to sideload a malicious DLL loader ("winhttp.dll") through OneDriveStandaloneUpdater.exe, a legitimate executable responsible for updating Microsoft OneDrive. The loader ultimately decrypts and runs the BC module.
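One defender-side check implied by the sideloading chain above, added here as an example and not code from Trend Micro's report: it scans image-load records and flags any case where OneDriveStandaloneUpdater.exe loads a winhttp.dll from outside the Windows system directories. The pipe-separated record format and the sample paths are assumptions constructed for the demonstration.

```python
"""Flag winhttp.dll side-loaded by OneDriveStandaloneUpdater.exe in image-load logs.

Added example (not Trend Micro's code). Each record is a constructed,
Sysmon-like "image loaded" event: the process image path and the path of
the DLL it loaded, separated by '|'. The format is an assumption.
"""
import ntpath

# Directories from which a legitimate winhttp.dll is expected to load.
TRUSTED_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Pairing reported in the article: the hijacked host process and the DLL name.
HOST_EXE = "onedrivestandaloneupdater.exe"
SIDELOADED_DLL = "winhttp.dll"


def is_suspicious_sideload(process_image: str, loaded_image: str) -> bool:
    """True when OneDriveStandaloneUpdater.exe loads a winhttp.dll that does
    not come from a trusted Windows system directory (classic sideloading)."""
    if ntpath.basename(process_image).lower() != HOST_EXE:
        return False
    if ntpath.basename(loaded_image).lower() != SIDELOADED_DLL:
        return False
    dll_dir = ntpath.dirname(loaded_image).lower().rstrip("\\")
    return dll_dir not in TRUSTED_DLL_DIRS


def scan_image_loads(lines):
    """Parse 'process_image|loaded_image' records; return the suspicious pairs."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or "|" not in line:
            continue  # skip comments, blanks and malformed records
        process_image, loaded_image = line.split("|", 1)
        if is_suspicious_sideload(process_image, loaded_image):
            hits.append((process_image, loaded_image))
    return hits


# Constructed sample records: a benign system load, a side-load from the
# executable's own directory (the pattern the article describes), and noise.
SAMPLE_LOG = [
    "# process_image|loaded_image",
    r"C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe|C:\Windows\System32\winhttp.dll",
    r"C:\Users\Public\OneDriveStandaloneUpdater.exe|C:\Users\Public\winhttp.dll",
    r"C:\Windows\explorer.exe|C:\Windows\System32\winhttp.dll",
]

if __name__ == "__main__":
    for proc, dll in scan_image_loads(SAMPLE_LOG):
        print(f"SUSPICIOUS side-load: {proc} loaded {dll}")
```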
Trend Micro said it observed a Cactus ransomware attack in which the same modus operandi was used to deploy BackConnect, but the actors went further, carrying out various post-exploitation activities such as lateral movement and data exfiltration. However, attempts to encrypt the victim's network ended in failure.
The convergence in tactics takes on special significance in light of the recent Black Basta chat log leaks, which laid bare the inner workings and organizational structure of the e-crime gang.
In particular, it has emerged that members of the financially motivated crew shared valid credentials, some of which were obtained from login logs. Other prominent initial access points are Remote Desktop Protocol (RDP) portals and VPN endpoints.
"The threat actor is using these tactics, techniques, and procedures (TTPs) – vishing, Quick Assist as a remote tool, and BackConnect – to deploy Black Basta ransomware," Trend Micro said.
"Notably, there is evidence that members have transitioned from the Black Basta ransomware group to the Cactus ransomware group. This conclusion is drawn from analysis of the similar tactics, techniques, and procedures (TTPs) being used by the Cactus group."