Microsoft Teams tactics, malware connect Black Basta, Cactus ransomware

New research has uncovered further links between the Black Basta and Cactus ransomware gangs, with members of both groups utilizing the same social engineering attacks and the BackConnect proxy malware for post-exploitation access to corporate networks.

In January, Zscaler discovered a Zloader malware sample that contained what appeared to be a new DNS tunneling feature. Further research by Walmart indicated that Zloader was dropping a new proxy malware called BackConnect that contained code references to the Qbot (QakBot) malware.

BackConnect is malware that acts as a proxy tool for remote access to compromised servers. BackConnect allows cybercriminals to tunnel traffic, obfuscate their activities, and escalate attacks within a victim’s environment without being detected.

Zloader, Qbot, and BackConnect are all believed to be linked to the Black Basta ransomware operation, with members utilizing the malware to breach and spread through corporate networks.

These ties are further strengthened by a recent Black Basta data leak that exposed the operation's internal conversations, including those between the ransomware gang's manager and someone believed to be the developer of Qbot.

The links

Black Basta is a ransomware gang that launched in April 2022. It is believed to include members of the Conti ransomware gang, which shut down in May 2022 after suffering a massive data leak of source code and internal conversations.

The ransomware gang has historically used Qbot to gain initial access to corporate networks. However, after a 2023 law enforcement operation disrupted Qbot's infrastructure, Black Basta has looked for alternative malware to breach networks.

The group’s pivot to BackConnect suggests they are still working with the developers connected to the Qbot operation.

In a new report by Trend Micro, researchers have found that the Cactus ransomware group is also utilizing BackConnect in attacks, indicating a potential overlap in members between both groups.

In the Black Basta and Cactus attacks seen by Trend Micro, the threat actors utilized the same social engineering attack of bombarding a target with an overwhelming number of emails, a tactic generally associated with Black Basta.

The threat actors would then contact the target through Microsoft Teams, posing as an IT help desk employee, ultimately tricking the victim into providing remote access via Windows Quick Assist.

While the attack flows for the Black Basta and Cactus attacks are not identical, they are very similar, with Trend Micro finding the Cactus threat actor utilizing command and control servers usually associated with Black Basta.
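The first stage of the flow described above, flooding one mailbox with a large number of emails shortly before the fake IT help desk call, is something a mail team can look for in its own logs. The following is an added example written for this page, not code from Trend Micro, BleepingComputer or either ransomware group: it scans mail log lines for a recipient who receives an unusually large number of messages from many distinct senders within a short window. The log line format, the thresholds and the sample data are all constructed assumptions and should be adapted to the mail system actually in use.

```python
"""Flag recipients hit by an email-bombing burst in a mail log.

Added example for this page; not code from the page, Trend Micro or BleepingComputer.
Log format, thresholds and sample data are constructed for illustration only.
"""
from collections import deque
from datetime import datetime, timedelta, timezone


def parse_line(line):
    """Parse the assumed (constructed) format: '<ISO-8601 time> <sender> -> <recipient>'."""
    ts, sender, arrow, recipient = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected log line: {line!r}")
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), sender, recipient


def find_email_bombs(lines, window=timedelta(minutes=10), min_messages=25, min_senders=10):
    """Return {recipient: (count, distinct_senders, window_start, window_end)}.

    A recipient is flagged when, inside any sliding window of `window` length,
    they receive at least `min_messages` messages from at least `min_senders`
    distinct senders. Many distinct senders is what separates a subscription
    bombing run from one chatty sender or a legitimate mailing list burst.
    Thresholds are assumptions; tune them to the tenant's normal mail flow.
    """
    events = sorted(parse_line(l) for l in lines if l.strip())
    per_recipient = {}
    for ts, sender, rcpt in events:
        per_recipient.setdefault(rcpt, []).append((ts, sender))

    hits = {}
    for rcpt, msgs in per_recipient.items():
        win = deque()  # messages inside the current sliding window, oldest first
        for ts, sender in msgs:
            win.append((ts, sender))
            while win and ts - win[0][0] > window:
                win.popleft()
            senders = {s for _, s in win}
            if len(win) >= min_messages and len(senders) >= min_senders:
                prev = hits.get(rcpt)
                if prev is None or len(win) > prev[0]:
                    hits[rcpt] = (len(win), len(senders), win[0][0], ts)
    return hits


def build_sample_log():
    """Constructed sample data: alice receives 40 newsletter-style mails in six
    minutes from 32 distinct senders (the bombing pattern); bob receives three
    ordinary internal mails spread over forty minutes."""
    base = datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(40):
        ts = base + timedelta(seconds=9 * i)  # 40 messages over 351 seconds
        sender = f"newsletter{i % 32}@shop-{i % 32}.example"
        lines.append(f"{ts.isoformat().replace('+00:00', 'Z')} {sender} -> alice@corp.example")
    for i in range(3):
        ts = base + timedelta(minutes=20 * i)
        lines.append(f"{ts.isoformat().replace('+00:00', 'Z')} colleague{i}@corp.example -> bob@corp.example")
    return lines


if __name__ == "__main__":
    for rcpt, (count, senders, start, end) in find_email_bombs(build_sample_log()).items():
        print(f"{rcpt}: {count} messages from {senders} senders between {start} and {end}")
```

On a real deployment the flagged recipient is the person the follow-up Teams call is likely to target, so the alert is most useful when it is routed to the help desk itself, which can then warn the user that any "IT support" contact asking for a Quick Assist session is not genuine.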

[Figure: Cactus attack flow. Source: Trend Micro]

Cactus ransomware emerged in early 2023 and has since targeted a range of organizations using tactics similar to Black Basta’s.

BleepingComputer’s previous reporting on Cactus also showed links between the two ransomware gangs, with Cactus utilizing a PowerShell script called TotalExec that was often seen in Black Basta ransomware attacks.

Furthermore, the Black Basta ransomware gang adopted an encryption routine that was initially unique to Cactus ransomware attacks, further strengthening the ties between both groups.

The shared use of tactics, BackConnect, and other operational similarities raises questions about whether Cactus ransomware is a rebrand of Black Basta or simply an overlap between members of the two groups.

However, BleepingComputer has learned that Black Basta has been slowly fading away since December 2024, with their leak site offline through most of 2025.

It is believed that many of the Black Basta members had already begun to move to other ransomware gangs, like Cactus, with the recent data leak being the final nail in the coffin.
