March 4, 2025 | Impress IT Solutions | Cybersecurity & Threat Intelligence
Cybercriminals deploying Black Basta and CACTUS ransomware have been found using the same BackConnect (BC) module to maintain persistent access to compromised systems. This discovery suggests that former Black Basta affiliates may have shifted their operations to CACTUS, bringing advanced threats to businesses in West Houston.
The Danger of BackConnect Malware
Once deployed on a compromised system, the BC module gives attackers extensive remote-control capabilities: executing commands, stealing sensitive data, and harvesting login credentials. According to cybersecurity firm Trend Micro, the tool lets attackers exfiltrate financial data and personal files, putting businesses at serious risk.
Initially observed in January 2025 by Walmart’s Cyber Intelligence team and cybersecurity firm Sophos (which labeled the cluster STAC5777), the BC module overlaps with the notorious QakBot loader, further emphasizing its sophisticated nature.
How Ransomware Gangs Gain Access
Black Basta operators, posing as IT support or helpdesk personnel, have used email bombing to pressure employees into installing Quick Assist. Once access is gained, the attackers abuse Microsoft OneDrive’s updater (OneDriveStandaloneUpdater.exe) to sideload a malicious DLL file (“winhttp.dll”), which ultimately decrypts and runs the BC module.
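As an added illustration (not code from the original post, Trend Micro, or Sophos), the following Python script shows how a defender could spot the sideload described above in image-load telemetry: it parses constructed Sysmon-style "Image loaded" records and reports winhttp.dll being loaded by OneDriveStandaloneUpdater.exe from anywhere other than the Windows system directories, or from a system directory without a valid signature. The flattened log format, field names, and sample paths are assumptions made for this example.

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

# Directories where a legitimate winhttp.dll is expected to live.
TRUSTED_DLL_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")

# Constructed, flattened Sysmon Event ID 7 style records (assumed format, not real telemetry).
SAMPLE_EVENTS = [
    r"Image=C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe ImageLoaded=C:\Windows\System32\winhttp.dll Signed=true",
    r"Image=C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe ImageLoaded=C:\Users\alice\AppData\Local\Microsoft\OneDrive\winhttp.dll Signed=false",
    r"Image=C:\Windows\System32\svchost.exe ImageLoaded=C:\Windows\System32\winhttp.dll Signed=true",
    r"Image=C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe ImageLoaded=C:\Windows\SysWOW64\winhttp.dll Signed=false",
]

FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> dict:
    """Split a flattened 'Key=Value Key=Value ...' record into a dict."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def is_trusted_dir(dll_path: str) -> bool:
    """True if the DLL's parent directory is one of the Windows system directories."""
    parent = str(PureWindowsPath(dll_path).parent).lower()
    return any(parent == trusted.lower() for trusted in TRUSTED_DLL_DIRS)


def flag_sideload(event: dict) -> Optional[str]:
    """Return a reason string if the event matches the OneDrive updater / winhttp.dll
    sideload pattern, otherwise None."""
    process = PureWindowsPath(event.get("Image", "")).name.lower()
    dll_path = event.get("ImageLoaded", "")
    dll_name = PureWindowsPath(dll_path).name.lower()
    if process != "onedrivestandaloneupdater.exe" or dll_name != "winhttp.dll":
        return None
    if not is_trusted_dir(dll_path):
        return f"winhttp.dll loaded from untrusted directory: {PureWindowsPath(dll_path).parent}"
    if event.get("Signed", "").lower() != "true":
        # Edge case: the system copy itself has been replaced or tampered with.
        return "winhttp.dll in a system directory but not signed"
    return None


def scan(lines) -> list:
    """Run the rule over raw log lines; return (process, dll, reason) tuples for hits."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reason = flag_sideload(event)
        if reason:
            hits.append((event["Image"], event["ImageLoaded"], reason))
    return hits


if __name__ == "__main__":
    for image, dll, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT {image} -> {dll}: {reason}")
```

The same rule maps directly onto a SIEM query over real Sysmon Event ID 7 data: filter on the process name and DLL name, then exclude loads from the system directories.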
Trend Micro reports that CACTUS ransomware actors have adopted the same tactics, using BackConnect for post-exploitation activities such as lateral movement and data exfiltration. However, in at least one instance, their encryption attempts failed, possibly due to improved security defenses.
The Connection Between Black Basta and CACTUS
Recent leaks from Black Basta chat logs have revealed internal operations, including the sharing of stolen credentials sourced from information stealer logs. The primary attack vectors include:
- Compromised Remote Desktop Protocol (RDP) portals
- Exploited VPN endpoints
- Social engineering tactics such as vishing (voice phishing) and Quick Assist misuse
Cybersecurity experts suggest that some members of the Black Basta group have transitioned to CACTUS, given the striking similarities in their attack methodologies. This evolution highlights the need for West Houston businesses to stay ahead of emerging cyber threats.
How Impress IT Solutions Protects Your Business
At Impress IT Solutions in West Houston, we specialize in fortifying businesses against evolving ransomware threats. Our cybersecurity strategies include:
- 24/7 Threat Monitoring: Detect and mitigate threats before they infiltrate your network.
- Advanced Endpoint Protection: Prevent malware from executing on your systems.
- Employee Training Programs: Reduce human error by educating staff on phishing and social engineering tactics.
- Secure Backup Solutions: Ensure business continuity with encrypted, offsite backups resistant to ransomware attacks.
- Zero Trust Network Access (ZTNA): Implement strict verification controls to block unauthorized access.
Stay Protected with Impress IT Solutions
With ransomware groups like Black Basta and CACTUS evolving their attack strategies, it’s more critical than ever to secure your business. Contact Impress IT Solutions today to assess your cybersecurity posture and safeguard your operations against emerging cyber threats.
Get in touch with our West Houston team today to schedule a free cybersecurity assessment and ensure your business is protected from the latest ransomware tactics.