Microsoft Warns of Malvertising Scheme Spreading CACTUS Ransomware

December 04, 2023NewsroomRansomware / Cyber ​​​​Attack

CACTUS Ransomware

Microsoft has warned of a new wave of CACTUS ransomware attacks that take advantage of malvertising baits to deploy DanaBot as an initial access vector.

DanaBot infections led to “hands-on-keyboard activity by the operator of the ransomware Storm-0216 (Twisted Spider, UNC2198), which led to the deployment of the CACTUS ransomware,” the Microsoft Threat Intelligence team SAYS in a series of posts on X (formerly Twitter).

DanaBot, tracked by the tech giant as Storm-1044, is a multi-functional tool in the line of Emotet, TrickBot, QakBot, and IcedID that can act as a thief and an entry point for the next stage payloads.

UNC2198, for its part, has previously been observed infecting IcedID endpoints to spread ransomware families such as Maze and Egregor, as detailed by Mandiant owned by Google in February 2021.


Per Microsoft, the threat actor also took advantage of the initial access provided by QakBot infections. The transformation of DanaBot was likely the result of a coordinated law enforcement operation in August 2023 that destroyed QakBot’s infrastructure.

“The current Danabot campaign, first observed in November, appears to be using a private version of information-stealing malware instead of the malware-as-a-service offering,” Redmond added.

The credentials obtained by the malware are transmitted to a server controlled by the actor, which is followed by lateral movement through RDP sign-in attempts and finally access is granted to Storm-0216.

The disclosure comes days after Arctic Wolf revealed another set of CACTUS ransomware attacks that actively exploit critical vulnerabilities in a data analytics platform called Qlik Sense to gain access to corporate network.

It also follows the discovery of a new macOS ransomware strain called tortoise written in the Go programming language and signed with an adhoc signature, thus preventing it from being executed at launch due to Gatekeeper protections.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment