{
	"id": "637cbfe0-21c6-4a7e-8f5c-21ab899247a7",
	"created_at": "2026-04-06T00:21:46.856421Z",
	"updated_at": "2026-04-10T03:21:11.728908Z",
	"deleted_at": null,
	"sha1_hash": "81e2bacff84095002321e159120e309d989d3fc8",
	"title": "Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1233813,
	"plain_text": "Black Basta and Cactus Ransomware Groups Add BackConnect\r\nMalware to Their Arsenal\r\nBy Catherine Loveria, Stephen Carbery, Jovit Samaniego, Adam O'Connor, Ian Kenefick, Gabriel Cardoso, Lucas Silva, Jack\r\nWalsh ( words)\r\nPublished: 2025-03-03 · Archived: 2026-04-05 22:43:59 UTC\r\nRansomware\r\nIn this blog entry, we discuss how the Black Basta and Cactus ransomware groups utilized the BackConnect malware to\r\nmaintain persistent control and exfiltrate sensitive data from compromised machines.\r\nBy: Catherine Loveria, Stephen Carbery, Jovit Samaniego, Adam O'Connor, Ian Kenefick, Gabriel Cardoso, Lucas Silva,\r\nJack Walsh Mar 03, 2025 Read time: 10 min (2650 words)\r\nSave to Folio\r\nSummary\r\nAttackers utilized social engineering to lure the victims into giving them initial access. Attackers abused Microsoft\r\nTeams for impersonation and privilege escalation. Attackers abused Quick Assist and similar remote access software\r\nto manipulate users into granting unauthorized access.\r\nOneDriveStandaloneUpdater.exe, which is responsible for updating OneDrive, was abused to side-load malicious\r\nDLLs, which provided the attackers access to internal networks.The attacker utilized the BACKCONNECT malware\r\nto control the compromised machine persistently. \r\nAs reported by researchersopen on a new tab, this new BackConnect malware (which Trend Micro detects as\r\nQBACKCONNECT) has artefacts which suggest links to QakBot, a loader malware which was the subject of a\r\ntakedown effort dubbed ‘Operation Duckhunt’ in 2023. 
QakBot infections were the predominant initial access method utilised by Black Basta threat actors before the takedown forced the threat actors to find alternative methods. WinSCP was utilized soon after.\r\nAttackers hosted and distributed malicious files using a commercial cloud storage service, taking advantage of its ease of use, widespread adoption, and misconfigured or publicly accessible storage buckets.\r\nTrend Micro Threat Intelligence data indicates that since October 2024, most incidents occurred in North America (21 breaches), followed by Europe (18). The US was the hardest hit, with 17 affected organizations, while Canada and the UK each experienced five breaches.\r\nThe Trend Micro™ Managed XDR and Incident Response (IR) teams recently analyzed incidents where threat actors deploying Black Basta and Cactus ransomware used the same BackConnect malware to strengthen their foothold on compromised machines.\r\nThe BackConnect malware is a tool that cybercriminals use to establish and maintain persistent control over compromised systems. Once it has infiltrated a system, it grants attackers a wide range of remote control capabilities, allowing them to execute commands on the infected machine. This enables them to steal sensitive data, such as login credentials, financial information, and personal files.\r\nhttps://www.trendmicro.com/en_us/research/25/b/black-basta-cactus-ransomware-backconnect.html\r\nPage 1 of 16\r\nIn 2023, the group behind Black Basta reportedly extorted US$107 million in Bitcoins from their victims. Based on data from Trend Micro Threat Intelligence on the attacks carried out by the Black Basta ransomware group since October 2024, the majority of incidents occurred in North America, accounting for 21 breaches, followed by Europe with 18.
The US was the hardest hit, with 17 affected organizations, while Canada and the UK each had five breaches. In terms of Black Basta’s impact across industries, manufacturing had the highest number of attacks with 11 victims, followed by real estate and construction with nine victims, then financial services with six victims.\r\nThe attack chains’ methods might not be technically groundbreaking, but how they layer social engineering with the abuse of legitimate tools and cloud-based infrastructure enables them to blend malicious activity into normal enterprise workflows.\r\nBlack Basta ransomware attack chain\r\nInitial access\r\nOur Managed XDR team analyzed a case involving a technique similar to the one used by the DarkGate malware, where the user experienced email flooding before being contacted by an external actor posing as IT support or helpdesk. In this sample case, the external email address is admin_52351@brautomacao565[.]onmicrosoft[.]com.\r\nDuring the call, the user was persuaded by the attacker to grant him access through the built-in Quick Assist tool. It allows users to share their Windows device remotely, enabling screen viewing, annotations, and full control for troubleshooting. Microsoft has previously published their own analysis of how threat actors exploit this by impersonating IT support to gain unauthorized access. This tactic, observed since late last year, has been attributed to Black Basta ransomware.\r\nExecution\r\nAfter gaining initial access, the attacker downloaded two different malicious .bpx files from a commercial cloud storage provider.
Reports have observed how threat actors frequently abuse commercial cloud storage services for malware distribution due to their ease of use, widespread adoption, and the risk of misconfigured or publicly accessible buckets.\r\nThe following are the downloaded files from the first case:\r\nC:\\Users\\\u003cuser\u003e\\Downloads\\kb052117-01.bpx\r\nC:\\Users\\\u003cuser\u003e\\Downloads\\kb052123-02.bpx\r\nBased on our threat intelligence, the attacker concatenates the two .bpx files into “pack.zip”. In this case, the attacker used the command type kb052117-01.bpx kb052123-02.bpx \u003e pack.zip, which concatenates the two .bpx files into pack.zip; the archive's contents were then unpacked using tar. The name of the .bpx files varies from case to case.\r\nThe following files were created after the extraction of pack.zip:\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\arch1284.cab\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\arch1271.cab\r\nThe file arch1271.cab was expanded to place its contents into the OneDrive folder:\r\nCommand: expand \"C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\arch1271.cab\" -F:* \"C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Microsoft\\OneDrive\"\r\nThe following files were created/dropped after the extraction:\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Microsoft\\OneDrive\\winhttp.dll\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Microsoft\\OneDrive\\libssl-3-x64.dll\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Microsoft\\OneDrive\\vcruntime140.dll\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Microsoft\\OneDrive\\libcrypto-3-x64.dll\r\nThe OneDriveStandaloneUpdater.exe process was later launched non-interactively via cmd.exe with the following command line:\r\nCLI command: \"C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe\" -Embedding\r\nResearch says that winhttp.dll is a malicious loader that is sideloaded by the OneDrive executable. This loader decrypts the backdoor from a .dat file named settingsbackup.dat, which is also contained in pack.zip.\r\nContents of pack.zip:\r\nlibcrypto-3-x64.dll (e45b73a5f9cdf335a17aa97a25644489794af8e1)\r\nlibssl-3-x64.dll (9c8dea7602a99aa15f89a46c2b5d070e3ead97f9)\r\nSettingsbackup.dat (11ec09ceabc9d6bb19e2b852b4240dc7e0d8422e)\r\nVcruntime140.dll (00149b7a66723e3f0310f139489fe172f818ca8e)\r\nWinhttp.dll (232fdfde3c0e180ad91ebeb863bfd8d58915dd39)\r\nAfter the update process, several key configuration files were modified by the OneDrive Standalone Updater:\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\.ses\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\PreSignInSettingsConfig.json\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\Update.xml\r\nCommand and control (C\u0026C) and post-installation activities\r\nWe observed OneDrive Standalone Updater connecting to the external IP 38.180.25[.]3, which is flagged as Dangerous
and categorized as a C\u0026C server.\r\nThe attacker also added the following registry entry to store their BackConnect IPs:\r\nreg add \"HKCU\\SOFTWARE\\TitanPlus\" /v 1 /t REG_SZ /d \"38.180.25.3A443;45.8.157.199A443;5.181.3.164A443\" /f\r\nBased on Trend Micro Threat Intelligence, the IPs used in the above registry key are associated with Black Basta, with the IPs classified as C\u0026C servers.\r\nCactus ransomware attack chain\r\nThe Trend Micro IR team encountered an evolution of the attack chain we detailed earlier. While the initial tactics closely mirrored the campaign, we observed several additional techniques that provide further insight into the adversary’s evolving methods.\r\nAttack chain and initial intrusion\r\nThe campaign used familiar methods:\r\nEmail bombing and social engineering: An email flood was launched, followed by contact via Microsoft Teams from the address admin_734@gamicalstudio[.]onmicrosoft[.]com.
Using the previously observed social engineering techniques, the victim was persuaded to grant remote access via Quick Assist.\r\nMalicious file downloads and archive manipulation: Two .bpx files were downloaded, then concatenated into a single archive (pack.zip), which, upon extraction, produced files similar to those seen in the earlier attack:\r\nC:\\Users\\\u003cuser\u003e\\Downloads\\kb153056-01.bpx\r\nC:\\Users\\\u003cuser\u003e\\Downloads\\kb153064-02.bpx\r\nThe same files were created upon extracting the ‘.cab’ archives:\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Microsoft\\OneDrive\\wscapi.dll\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Microsoft\\OneDrive\\libssl-3-x64.dll\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Microsoft\\OneDrive\\vcruntime140.dll\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Microsoft\\OneDrive\\libcrypto-3-x64.dll\r\n“HKCU\\SOFTWARE\\TitanPlus” was also added as a registry key to store BackConnect C2 IP addresses:\r\nadd \"HKLM\\SOFTWARE\\TitanPlus\" /v 1 /t REG_SZ /d \"45B8B157B199A443;5B181B3B164A443;38B180B25B3A443\"\r\nThis value decodes to: 45.8.157[.]199;443;5.181.3[.]164;443;38.180.25[.]3;443\r\nThe same C\u0026C infrastructure observed in the Black Basta case was utilized with BackConnect:\r\n45[.]8[.]157[.]199\r\n5[.]181[.]3[.]164\r\n38[.]180[.]25[.]3\r\n185[.]190[.]251[.]16\r\n207[.]90[.]238[.]52\r\n89[.]185[.]80[.]86\r\nLateral movement and ransom\r\nBuilding on the initial foothold, the adversary used advanced lateral movement techniques to expand their presence:\r\nServer Message Block (SMB) and Windows Remote Management (WinRM): The attacker utilized SMB via shared folders and used WinRM to remotely execute commands and scripts, allowing them to traverse the network.\r\nESXi host compromise: Notably, we identified the compromise of ESXi hosts. A binary, socks.out — believed to be the SystemBC proxy malware — was deployed. By enabling an SSH session as the root user, they:\r\nDisabled the ExecInstalledOnly setting (which normally restricts execution to binaries installed via official VIBs).\r\nTurned off the firewall, thereby permitting unauthorized binaries to run.\r\nThis sequence of actions culminated in the execution of the socks.out binary without interference from system protections.\r\nAnalysis further revealed that the attackers leveraged WinSCP, an open-source file transfer client, as part of their operational process.\r\nLeveraging WinSCP: WinSCP was employed to facilitate file transfers within the compromised environment. Firewall logs confirmed notable network activity involving WinSCP connecting to a newly registered, suspicious domain: pumpkinrab[.]com (208[.]115[.]200[.]146). The adversary deployed WinSCP across multiple compromised hosts, suggesting that the tool was distributed to streamline their operations.\r\nOur incident response efforts successfully thwarted the attempt to encrypt the victim’s network. However, the sequence of events clearly indicates that encryption was their intended next step. A ransom note was sent via email, with the attackers identifying themselves as the “Cactus Group.”\r\nThe Black Basta chat log leaks\r\nOn February 11, 2025, a significant leak exposed the internal communications and organizational structure of the Black Basta group. According to the published information, the data was released due to an internal misunderstanding. The group has reportedly targeted Russian banks.
The leaked archive contains messages exchanged in Black Basta's internal chat rooms between September 18, 2023, and September 28, 2024.\r\nAnalysis of the messages uncovers a broad spectrum of information, such as phishing templates and their target emails, cryptocurrency addresses, victims' credentials, and information about gang members. The information was first published by PRODAFT.\r\nWhile reviewing the leak data we have observed messages indicating that Black Basta operators recognize Trend Micro as a significant obstacle and discuss ways to bypass it. Here are their key views:\r\n1. Trend Micro is a Major Security Challenge\r\nOne actor explicitly states that Trend Micro is widely used and must be bypassed:\r\n\"TrendMicro много где стоит, надо обходить\" (\"Trend Micro is used in many places, we need to bypass it\").\r\nAnother user confirms that Trend Micro XDR is particularly difficult to evade:\r\n\"мелкий не может обходить Trend Micro XDR\" (\"Melky can't bypass Trend Micro XDR\").\r\n2. Testing and Workarounds\r\nSome group members discuss testing Trend Micro detection capabilities using brute-force techniques:\r\n\"с трендом все ок на бруте должно быть\" (\"With Trend, everything should be fine on brute\").\r\nThere is also mention of Trend Micro being a persistent issue in their operations, frustrating them when trying to bypass its protections.\r\nAdditionally, some of the key members of Black Basta have left the group to join the Cactus ransomware operation, as observed in the TTP overlaps between the two groups. Based on that context, Trend assesses that Cactus will remain highly active, and the experienced members of Basta will carry on their attacks under the Cactus operation. The future of Black Basta is unknown at this moment.
It might implode because of the leaks, as was the case with Conti.\r\nSecuring the enterprise beyond traditional defenses\r\nSince early October 2024, activity related to the Black Basta ransomware social engineering campaign has surged. First reported in May, the campaign has evolved with updated tactics, improved malware payloads, and the use of Microsoft Teams for lures.\r\nThe attacks start with an email bombing campaign, followed by direct contact via Teams, where the attacker impersonates IT staff. Victims are tricked into installing remote management tools or executing a remote shell, sometimes bypassing multifactor authentication (MFA) via QR codes. Once granted access, additional malware such as DarkGate and custom payloads are deployed to enumerate the environment, extract credentials, and steal VPN configuration files.\r\nOur intelligence indicates that threat actors are using these tactics, techniques, and procedures (TTPs), namely vishing, Quick Assist as a remote tool, and BACKCONNECT, to deploy Black Basta ransomware.\r\nSince January 2025, our Threat Intelligence teams have observed a likely shift in affiliations among certain threat actors associated with Black Basta. Specifically, there is evidence suggesting that members have transitioned from the Black Basta ransomware group to the Cactus ransomware group. This conclusion is drawn from the analysis of similar tactics, techniques, and procedures (TTPs) being utilized by the Cactus group.\r\nTo mitigate the risk of ransomware and similar attacks, organizations should consider the following key measures:\r\nRestrict remote assistance tools. Disable unauthorized usage of remote access tools. Implement strict policies for remote assistance usage, requiring approval or verification.
Layering access control, monitoring, and authentication measures helps reduce the risks associated with remote assistance tools.\r\nTrain employees on social engineering. Regularly educate users about phishing scams and fake remote assistance attempts, reinforcing verification of all unsolicited requests. Companies should actively test, measure, and improve user response rates through behavior-driven training programs to enhance employee resilience against evolving social engineering tactics.\r\nApply Microsoft’s security best practices for Microsoft Teams to safeguard Teams users. Companies should also treat Teams as a critical enterprise communication tool that requires the same level of security monitoring as email. Apply security to third-party integrations and external communications to prevent impersonation attacks.\r\nProactive security with Trend Vision One\r\nTrend Vision One™ is an enterprise cybersecurity platform that simplifies security and helps enterprises detect and stop threats faster by consolidating multiple security capabilities, enabling greater command of the enterprise’s attack surface, and providing complete visibility into its cyber risk posture. The cloud-based platform leverages AI and threat intelligence from 250 million sensors and 16 threat research centers around the globe to provide comprehensive risk insights, earlier threat detection, and automated risk and threat response options in a single solution.\r\nTrend Vision One Threat Intelligence\r\nTo stay ahead of evolving threats, Trend Vision One customers can access a range of Intelligence Reports and Threat Insights within Vision One.
Threat Insights helps customers stay ahead of cyber threats before they happen and allows them to prepare for emerging threats by offering comprehensive information on threat actors, their malicious activities, and their techniques. By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and effectively respond to threats.\r\nTrend Vision One Intelligence Reports App [IOC Sweeping]\r\nBlack Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal\r\nTrend Vision One Threat Insights App\r\nEmerging Threats: Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal\r\nHunting queries\r\nTrend Vision One Search App\r\nTrend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post using data within their environment.
Note that this can also be triggered by normal activity.\r\nDetection of DLL side-loading involves identifying modified DLLs that replace legitimate ones to execute unauthorized code.\r\neventSubId: 603 AND (request:filters*.s3.us-east-2.amazonaws.com OR request:sfu*.s3.us-east-2.amazonaws.com) AND objectFilePath:kb*.bpx\r\nservice: MicrosoftTeams AND principalName: *.onmicrosoft.com AND actionName:(ChatCreated OR MessageSent)\r\ntags:\r\nXSAE.F8809 (QuickAssist Remote Session Established)\r\nXSAE.F11212 (TitanPlus Installation)\r\nXSAE.F11530 (Anomalous Connection from OneDrive Binary)\r\nXSAE.F11531 (Cabinet File Expanded via Lolbin)\r\nXSAE.F11532 (Cabinet File Expansion via Lolbin)\r\nXSAE.F11534 (TitanPlus Installation - Process Create)\r\nMore hunting queries are available for Vision One customers with Threat Insights Entitlement enabled.\r\nIndicators of compromise (IoCs)\r\nSHA256 Filename Detection\r\nb79c8b7fabb650bcae274b71ee741f4d2d14a626345283a268c902f43edb64fd winhttp.dll Backdoor.Win64.REEDBED.A\r\n60bca9f0134b9499751f6a5b754a9a9eff0b44d545387fffc151b5070bd3a26a wscapi.dll\r\n623a43b826f95dc109f7b46303c6566298522b824e86a928834f12ac7887e952 run2.bat\r\nURL/IP Rating - Category\r\n38.180.25[.]3 C\u0026C Server\r\n45.8.157[.]199 C\u0026C Server\r\n5[.]181[.]3[.]164 C\u0026C Server\r\n185[.]190[.]251[.]16 C\u0026C Server\r\n207[.]90[.]238[.]52 C\u0026C Server\r\n89[.]185[.]80[.]86 C\u0026C Server\r\npumpkinrab[.]com Malware Accomplice\r\nhxxps://sfu11[.]s3[.]us-east-2[.]amazonaws[.]com/js/kb052117-01[.]bpx\r\nhxxps://sfu11[.]s3[.]us-east-2[.]amazonaws[.]com/js/kb052123-02[.]bpx\r\nhxxps[://]filters14[.]s3[.]us-east-2[.]amazonaws[.]com/\r\nThreat hunting\r\nHere are other BACKCONNECT-related IPs based on Trend Micro Threat Intelligence:\r\n5.181.159[.]48\r\n45.128.149[.]32\r\n207.90.238[.]46\r\n45.8.157[.]158\r\n195.123.233[.]19\r\n178.236.247[.]173\r\n195.123.241[.]24\r\n20.187.1[.]254\r\n5.78.41[.]255\r\n38.180.192[.]243\r\n207.90.238[.]52\r\n89.185.80[.]251\r\n91.90.195[.]91\r\n45.8.157[.]162\r\n20.82.136[.]218\r\n45.8.157[.]146\r\n5.181.3[.]164\r\n195.123.233[.]148\r\n45.8.157[.]199\r\n89.185.80[.]86\r\n195.211.96[.]135\r\n38.180.25[.]3\r\n38.180.135[.]232\r\n185.190.251[.]16\r\nSource: https://www.trendmicro.com/en_us/research/25/b/black-basta-cactus-ransomware-backconnect.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/25/b/black-basta-cactus-ransomware-backconnect.html"
	],
	"report_names": [
		"black-basta-cactus-ransomware-backconnect.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434906,
	"ts_updated_at": 1775791271,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/81e2bacff84095002321e159120e309d989d3fc8.pdf",
		"text": "https://archive.orkl.eu/81e2bacff84095002321e159120e309d989d3fc8.txt",
		"img": "https://archive.orkl.eu/81e2bacff84095002321e159120e309d989d3fc8.jpg"
	}
}