Home > Security > Security News

Black Basta & Cactus Ransomware Leverage MS Teams, Quick Assist, BackConnect in New Campaign

Published on March 4, 2025
Written by:
Lore Apostol
Lore Apostol
Cybersecurity & Streaming Writer
BianLian ransomware

The Black Basta and Cactus ransomware groups have integrated BackConnect malware into their arsenal. Attackers leveraged social engineering via tools like Microsoft Teams, impersonating IT support to convince victims to grant access using remote tools such as Quick Assist.

The OneDriveStandaloneUpdater.exe file was exploited to side-load malicious DLLs, granting unauthorized access to internal networks. The report says commercial cloud storage services were utilized to host and distribute malicious files, taking advantage of misconfigured or publicly accessible storage buckets.

The new strain of BackConnect malware (detected as QBACKCONNECT by Trend Micro) exhibits links to the previously dismantled QakBot, a notorious loader malware, suggesting a pivot in attack methodologies following QakBot's takedown in 2023.

An instance in the Attack Chain Showing the Deployment of the Black Basta Ransomware.
An instance in the Attack Chain Showing the Deployment of the Black Basta Ransomware | Source: Trend Micro

The attackers' methodology emphasizes layering traditional attack vectors with modern tactics. BackConnect malware enables cybercriminals to maintain persistent remote control over infected devices. 

Screenshot of the One Root Cause Analysis (RSA) Showing the Download of the Two .bpx Files.
Screenshot of the One Root Cause Analysis (RSA) Showing the Download of the Two .bpx Files | Source: Trend Micro

Its capabilities include executing commands, exfiltrating sensitive data (e.g., login credentials and financial information), and ensuring unauthorized access long after initial infiltration. 

This makes it a powerful tool for threat actors seeking to blend malicious activities into normal business operations undetected.

According to Trend Micro Threat Intelligence, 39 incidents involving these groups were recorded since October 2024, with North America accounting for 21 breaches. Manufacturing was the most targeted sector, with 10 recorded attacks, followed by financial consulting and real estate (six victims each).

In January, a Sophos security report revealed that two ransomware threat actors, STAC5143 and STAC5777, leveraged MS 365 services and exploited default MS Teams configurations to breach organizations' systems. Once inside, they downloaded a ProtonVPN executable or legitimate MS executables and sideloaded a malicious DLL.

Add a Comment
Related
Novel ToyMaker Initial Access Broker Collaborates with Cactus Ransomware Group 
Threat actor targeting energy and aerospace sectors
Lazarus Group ‘Operation SyncHole’ Targeted at Least Six South Korean Entities 
Blue Shield of California Site Misconfiguration Exposed Sensitive Health Data to Google for Years 
European Parliament Member Hannah Neumann Targeted in Iranian APT42-Linked Hacking Campaign
Google Cookie Prompts
Google Eliminates Cookie Prompts in Chrome, Enhances Incognito Mode with IP Protection
Critical Command Injection Vulnerability in Speedify VPN Could Give Full Control Over Unpatched macOS Systems
Most Popular
Wednesday Season 2
6 Unique Things in the Wednesday Season 2 Teaser: From Enid's Foreshadowed Death to Hyde's Return
Novel ToyMaker Initial Access Broker Collaborates with Cactus Ransomware Group 
Threat actor targeting energy and aerospace sectors
Lazarus Group ‘Operation SyncHole’ Targeted at Least Six South Korean Entities 
Blue Shield of California Site Misconfiguration Exposed Sensitive Health Data to Google for Years 
Predator Badlands
Everything we know About Predator: Badlands – new Monsters & Alien Connections
Robert Irwin
All we know About Dancing With The Stars 2025 (Season 34)
6 Unique Things in the Wednesday Season 2 Teaser: From Enid's Foreshadowed Death to Hyde's Return
Novel ToyMaker Initial Access Broker Collaborates with Cactus Ransomware Group 
Lazarus Group ‘Operation SyncHole’ Targeted at Least Six South Korean Entities 
Blue Shield of California Site Misconfiguration Exposed Sensitive Health Data to Google for Years 
Everything we know About Predator: Badlands – new Monsters & Alien Connections
All we know About Dancing With The Stars 2025 (Season 34)

Most Popular
Wednesday Season 2
6 Unique Things in the Wednesday Season 2 Teaser: From Enid's Foreshadowed Death to Hyde's Return
Novel ToyMaker Initial Access Broker Collaborates with Cactus Ransomware Group 
Threat actor targeting energy and aerospace sectors
Lazarus Group ‘Operation SyncHole’ Targeted at Least Six South Korean Entities 
Blue Shield of California Site Misconfiguration Exposed Sensitive Health Data to Google for Years 
Predator Badlands
Everything we know About Predator: Badlands – new Monsters & Alien Connections
Robert Irwin
All we know About Dancing With The Stars 2025 (Season 34)
6 Unique Things in the Wednesday Season 2 Teaser: From Enid's Foreshadowed Death to Hyde's Return
Novel ToyMaker Initial Access Broker Collaborates with Cactus Ransomware Group 
Lazarus Group ‘Operation SyncHole’ Targeted at Least Six South Korean Entities 
Blue Shield of California Site Misconfiguration Exposed Sensitive Health Data to Google for Years 
Everything we know About Predator: Badlands – new Monsters & Alien Connections
All we know About Dancing With The Stars 2025 (Season 34)

TechNadu keeps you informed with the latest in cybersecurity, VPNs, streaming, and technology. From expert guides to in-depth reviews, we provide the knowledge you need to stay secure and connected in the digital world.

© 2025 TechNadu. All Rights Reserved. TechNadu is a part of Leaprove Media LLP.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: