Cybersecurity researchers have identified that the Black Basta and Cactus ransomware groups are now using the BackConnect malware, also tracked as QBACKCONNECT because of its overlaps with the QakBot loader, to maintain persistent control over compromised systems. BackConnect gives the operators remote command execution on the victim host and a channel for stealing sensitive data such as login credentials and financial information.

BackConnect was first documented in late January 2025. The attack chains in which it appears start with social engineering: the target's mailbox is flooded with email, after which the attacker contacts the victim through Microsoft Teams while impersonating IT staff and talks them into opening a Quick Assist remote-assistance session. With that foothold, the attackers abuse the legitimate, signed OneDriveStandaloneUpdater.exe to sideload a malicious DLL, and the resulting implant establishes command-and-control (C&C) connections; several IP addresses have been identified as part of that infrastructure. The QakBot takedown in August 2023 deprived Black Basta of its main loader and pushed the group toward alternatives, which is the context for its increased use of BackConnect.

Since October 2024, most incidents involving Black Basta have occurred in North America (21 breaches), followed by Europe (18). The US has been the hardest hit with 17 affected organizations, while Canada and the UK each recorded five. By industry, manufacturing has seen the most attacks with 10 victims, followed by financial and investment consulting and real estate with six victims each.

In a related development, a zero-day vulnerability in Paragon Partition Manager's BioNTdrv.sys driver (CVE-2025-0289) has been exploited in ransomware attacks. This is a bring-your-own-vulnerable-driver (BYOVD) case: an attacker who already has local access loads the signed but vulnerable driver and uses the flaw to escalate to kernel privileges and execute malicious code on Windows systems. Additionally, Broadcom has reported three critical vulnerabilities in VMware ESXi, Workstation and Fusion (CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226) that are being actively exploited.
These vulnerabilities let an attacker who already holds administrative privileges inside a guest VM escape to the hypervisor host: a heap overflow in the VMCI component yields code execution on the host, a second flaw provides an arbitrary write, and a third discloses host memory. A VM escape on ESXi exposes every other workload on that host, which is why the risk to affected systems is significant.

Further analysis of the Black Basta and Cactus intrusions showed that, after the initial foothold, the attackers move laterally over Server Message Block (SMB) and Windows Remote Management (WinRM) to expand their presence within the compromised network. They have also compromised ESXi hosts, deploying the SystemBC proxy malware there as a binary named socks.out, and they use WinSCP for file transfers. The Cactus group has been identified in these operations, and the recent leak of Black Basta's internal communications suggests that some members have transitioned to Cactus. Those chats also show the attackers treating Trend Micro's protections as a significant obstacle and discussing ways to bypass them.
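Detection logic for the DLL-sideloading step described above, as an added example that is not code from the page or from the researchers' report: it runs three rules over Sysmon-style image-load records (Event ID 7). The sample events, the expected OneDrive install directories, the list of commonly abused system DLL names and the choice of winhttp.dll as the sideloaded file are all constructed assumptions for illustration.

```python
"""Flag DLL sideloading by a trusted binary (here OneDriveStandaloneUpdater.exe).

Added example, not code from the page or from Trend Micro. Records mimic a
subset of Sysmon Event ID 7 (ImageLoaded) fields; sample events are constructed.
"""
import ntpath
from dataclasses import dataclass

# Trusted, signed binaries abused as sideload hosts (the page names this one).
SIDELOAD_HOSTS = {"onedrivestandaloneupdater.exe"}
# Directory suffixes the updater legitimately runs from (assumption).
EXPECTED_HOST_DIR_SUFFIXES = (
    r"\appdata\local\microsoft\onedrive",
    r"\program files\microsoft onedrive",
    r"\program files (x86)\microsoft onedrive",
)
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# DLL names Windows ships in System32; a same-named copy loaded from anywhere
# else by a trusted binary is the sideloading pattern (list is illustrative).
KNOWN_SYSTEM_DLLS = {"winhttp.dll", "version.dll", "dbghelp.dll", "cryptbase.dll"}


@dataclass(frozen=True)
class ImageLoad:
    image: str         # Sysmon 'Image': process that loaded the DLL
    image_loaded: str  # Sysmon 'ImageLoaded': full path of the DLL
    signed: bool       # Sysmon 'Signed' for the loaded DLL


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    image_loaded: str


def _norm(path: str) -> str:
    """Lower-case and use backslashes so comparisons are case-insensitive."""
    return path.replace("/", "\\").lower()


def analyze(event: ImageLoad) -> list:
    """Return findings for one image-load event; an empty list means benign."""
    host = _norm(event.image)
    dll = _norm(event.image_loaded)
    if ntpath.basename(host) not in SIDELOAD_HOSTS:
        return []
    host_dir = ntpath.dirname(host)
    dll_dir = ntpath.dirname(dll)
    dll_name = ntpath.basename(dll)
    findings = []
    # 1. The trusted binary was copied somewhere it is never installed.
    if not host_dir.endswith(EXPECTED_HOST_DIR_SUFFIXES):
        findings.append(Finding("host-relocated", event.image, event.image_loaded))
    # 2. A well-known system DLL resolved from outside System32/SysWOW64.
    if dll_name in KNOWN_SYSTEM_DLLS and dll_dir not in SYSTEM_DIRS:
        findings.append(Finding("system-dll-outside-system-dir", event.image, event.image_loaded))
    # 3. An unsigned DLL loaded from the host's own directory (search-order abuse).
    if not event.signed and dll_dir == host_dir:
        findings.append(Finding("unsigned-dll-from-image-dir", event.image, event.image_loaded))
    return findings


def scan(events) -> list:
    """Run analyze() over a batch of events and collect all findings."""
    findings = []
    for event in events:
        findings.extend(analyze(event))
    return findings


# Constructed sample: one legitimate load, one sideload, one unrelated process.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
              r"C:\Windows\System32\winhttp.dll", signed=True),
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\OneDriveStandaloneUpdater.exe",
              r"C:\Users\alice\AppData\Local\Temp\winhttp.dll", signed=False),
    ImageLoad(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r"C:\Program Files\Google\Chrome\Application\chrome_elf.dll", signed=True),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.image} loaded {f.image_loaded}")
```

The three rules are deliberately independent: a relocated host binary, a system DLL name resolving outside the system directories, and an unsigned DLL beside the executable each fire on their own, so a variant that keeps the updater in its normal directory but drops the DLL next to it still trips rule 3.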
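The SMB/WinRM lateral movement described above, as an added example of how it shows up in network flow records; this is not code from the page or from any vendor. It assumes flow records in a constructed "epoch_seconds,src_ip,dst_ip,dst_port" format, a five-minute sliding window and a threshold of five distinct targets, all of which are assumptions chosen for illustration.

```python
"""Flag one source reaching many hosts over SMB/WinRM in a short window.

Added example, not code from the page. Flow lines below are constructed.
"""
from collections import defaultdict

ADMIN_PORTS = {445: "SMB", 5985: "WinRM-HTTP", 5986: "WinRM-HTTPS"}
WINDOW_SECONDS = 300          # assumption: 5-minute sliding window
DISTINCT_HOST_THRESHOLD = 5   # assumption: distinct targets that trigger an alert

# Constructed flow log: a lateral-moving workstation (10.0.1.20), a file
# server talking repeatedly to one host (10.0.1.5), and a slow, spread-out
# backup job (10.0.1.30) that touches six hosts 30 minutes apart.
SAMPLE_LOG = """\
# epoch_seconds,src_ip,dst_ip,dst_port
1741000000,10.0.1.20,10.0.2.11,445
1741000005,10.0.1.5,10.0.2.11,445
1741000015,10.0.1.20,10.0.2.12,445
1741000031,10.0.1.20,10.0.2.13,5985
1741000040,10.0.1.20,10.0.2.50,443
1741000047,10.0.1.20,10.0.2.14,445
1741000062,10.0.1.20,10.0.2.15,5985
1741000090,10.0.1.20,10.0.2.16,445
1741000100,10.0.1.5,10.0.2.11,445
1741001800,10.0.1.30,10.0.2.11,445
1741003600,10.0.1.30,10.0.2.12,445
1741005400,10.0.1.30,10.0.2.13,445
1741007200,10.0.1.30,10.0.2.14,445
1741009000,10.0.1.30,10.0.2.15,445
1741010800,10.0.1.30,10.0.2.16,445
"""


def parse(lines):
    """Parse flow lines into (ts, src, dst, port) tuples, sorted by time."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split(",")
        flows.append((int(ts), src, dst, int(port)))
    return sorted(flows)


def find_fanout(flows, window=WINDOW_SECONDS, threshold=DISTINCT_HOST_THRESHOLD):
    """Return {src: alert} for sources that hit >= threshold distinct hosts
    on admin ports within any sliding window of `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in ADMIN_PORTS:            # ignore non-admin traffic (e.g. 443)
            by_src[src].append((ts, dst, port))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for i, (ts, _, _) in enumerate(events):
            # Slide the window's left edge forward past expired events.
            while events[start][0] < ts - window:
                start += 1
            in_window = events[start:i + 1]
            targets = {d for _, d, _ in in_window}
            if len(targets) >= threshold and src not in alerts:
                alerts[src] = {
                    "first_seen": events[start][0],
                    "last_seen": ts,
                    "targets": sorted(targets),
                    "services": sorted({ADMIN_PORTS[p] for _, _, p in in_window}),
                }
    return alerts


if __name__ == "__main__":
    for src, alert in find_fanout(parse(SAMPLE_LOG.splitlines())).items():
        print(f"{src}: {len(alert['targets'])} hosts over {alert['services']} "
              f"between {alert['first_seen']} and {alert['last_seen']}")
```

The sliding window is what separates the attacker from the backup job: both touch six hosts on port 445, but only the workstation does so inside five minutes. In production the threshold and window should be tuned per role (domain controllers and vulnerability scanners legitimately fan out), and WinRM should rarely originate from ordinary workstations at all.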
Related headlines:
3 VMware Zero-Day Bugs Allow Sandbox Escape (Dark Reading): https://t.co/P2DFTh8Gwj
GreyNoise Intelligence Releases New Research on Cybersecurity Vulns (Dark Reading): https://t.co/Y18btcE0Y0
Enhancing security with Microsoft's expanded cloud logs (IT Security Guru): https://t.co/RnQ1QNPpxP