{
	"id": "981142d7-2f61-410c-aec2-bf471a083dfb",
	"created_at": "2026-04-07T14:43:18.81877Z",
	"updated_at": "2026-04-10T03:33:41.843278Z",
	"deleted_at": null,
	"sha1_hash": "d6244b7db79a62faaa9cb22459750ecefd10a8ab",
	"title": "CySecurity News - Latest Information Security and Hacking Incidents: Twisted Spider's Dangerous CACTUS Ransomware Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 137747,
	"plain_text": "CySecurity News - Latest Information Security and Hacking Incidents: Twisted Spider's Dangerous CACTUS Ransomware Attack\r\nBy CySecurity News, twitter.com/ehackernews\r\nArchived: 2026-04-07 14:22:32 UTC\r\nIn a sophisticated cyber campaign, the group Twisted Spider, also recognized as Storm-0216, has joined forces with the cybercriminal faction Storm-1044. Employing a strategic method, they target specific endpoints through the deployment of an initial access trojan known as DanaBot.\r\nSubsequently, Twisted Spider leverages this initial access to execute the deployment of the CACTUS ransomware.\r\nRecent insights from Microsoft Threat Intelligence on X shed light on Storm-0216's tactics. Operating under aliases such as Twisted Spider or UNC2198, this ransomware entity employs an advanced banking Trojan, DanaBot. This intricate pairing of cyber threats showcases the evolving and complex nature of Twisted Spider's malicious endeavors.\r\nAdditionally, the security researchers highlighted the adaptive tactics of Storm-0216, which was previously recognized for utilizing QakBot's infrastructure for infections. However, following the dismantling of this operation by law enforcement last summer, the group was compelled to pivot to a different platform.\r\nhttps://www.cysecurity.news/2023/12/twisted-spiders-dangerous-cactus.html\r\nPage 1 of 2\r\nThe latest DanaBot campaign, initially identified in November, indicates a notable shift. Unlike the previous malware-as-a-service model, the group appears to be using a private version of the info-stealing malware. Microsoft explained that DanaBot, known for providing hands-on keyboard activity to its partners, has undergone a transformation in its deployment strategy.\r\nThis shift underscores the group's remarkable adaptability and capacity to evolve tactics, particularly in response to interventions by law enforcement. The ability to navigate and adjust strategies highlights the dynamic nature of cyber threats and the constant cat-and-mouse game between cybercriminals and those working to counteract their activities.\r\nLet's Understand the Method of the Attack\r\nUpon obtaining the essential login credentials, the Storm-1044 group initiates lateral movement across the network and various endpoints through Remote Desktop Protocol (RDP) sign-in attempts. Once the initial access has been secured, the baton is passed to Twisted Spider. Subsequently, Twisted Spider proceeds to compromise the endpoints by introducing the CACTUS ransomware.\r\nWhat is CACTUS Ransomware?\r\nCACTUS is emerging as a preferred option among numerous ransomware operators. Recently, Arctic Wolf researchers cautioned that hackers exploited three vulnerabilities in the Qlik Sense data analytics solution to deploy this specific variant, facilitating the theft of sensitive company data.\r\nWhy is it More Threatening?\r\nIn May, researchers at Kroll made a noteworthy discovery regarding the ransomware's evasion tactics. Laurie Iacono, Associate Managing Director for Cyber Risk at Kroll, revealed that CACTUS employs a unique method to bypass cybersecurity measures—it essentially encrypts itself. This self-encryption mechanism enhances its ability to evade detection, posing challenges for antivirus and network monitoring tools, as highlighted by Iacono in discussions with Bleeping Computer.\r\nSource: https://www.cysecurity.news/2023/12/twisted-spiders-dangerous-cactus.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.cysecurity.news/2023/12/twisted-spiders-dangerous-cactus.html"
	],
	"report_names": [
		"twisted-spiders-dangerous-cactus.html"
	],
	"threat_actors": [
		{
			"id": "e9f85280-337c-4321-b872-0919f8ef64a6",
			"created_at": "2022-10-25T16:07:24.261761Z",
			"updated_at": "2026-04-10T02:00:04.914455Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"Gold Village",
				"Maze Team",
				"TA2101",
				"Twisted Spider"
			],
			"source_name": "ETDA:TA2101",
			"tools": [
				"7-Zip",
				"Agentemis",
				"BokBot",
				"Buran",
				"ChaCha",
				"Cobalt Strike",
				"CobaltStrike",
				"Egregor",
				"IceID",
				"IcedID",
				"Mimikatz",
				"PsExec",
				"SharpHound",
				"VegaLocker",
				"WinSCP",
				"cobeacon",
				"nmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ebdb98e5-e5d9-4f9a-b768-474c92ccbd66",
			"created_at": "2024-02-02T02:00:04.061565Z",
			"updated_at": "2026-04-10T02:00:03.546201Z",
			"deleted_at": null,
			"main_name": "Storm-1044",
			"aliases": [
				"DEV-1044"
			],
			"source_name": "MISPGALAXY:Storm-1044",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3c864b3-fac9-4d56-8500-7c06c829fbf8",
			"created_at": "2023-01-06T13:46:39.071873Z",
			"updated_at": "2026-04-10T02:00:03.203749Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"GOLD VILLAGE",
				"Storm-0216",
				"DEV-0216",
				"UNC2198",
				"TUNNEL SPIDER",
				"Maze Team",
				"TWISTED SPIDER"
			],
			"source_name": "MISPGALAXY:TA2101",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775572998,
	"ts_updated_at": 1775792021,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d6244b7db79a62faaa9cb22459750ecefd10a8ab.pdf",
		"text": "https://archive.orkl.eu/d6244b7db79a62faaa9cb22459750ecefd10a8ab.txt",
		"img": "https://archive.orkl.eu/d6244b7db79a62faaa9cb22459750ecefd10a8ab.jpg"
	}
}