Threat Actor Profile

Cactus

First spotted in March 2023, this double-extortion operation quickly made a name for itself by hitting large commercial entities. They’re known for exploiting VPN vulnerabilities, but their most unique move is encrypting their own binary to avoid detection. Ouch.

Threat Actor Profile

Cactus

Fancy Bear TTPs

Aenean interdum tempor lectus, nec rutrum nisl interdum ut. Aliquam mattis felis vulputate dui ultrices, ac finibus ligula interdum. Proin metus enim, sagittis fringilla viverra quis, pulvinar sit amet quam. Donec eget ullamcorper nibh. Praesent a nisl eu nunc interdum efficitur.

Country of Origin

The exact origin of the Cactus group is currently unknown. While definitive proof is lacking, some researchers speculate a possible connection to a Malaysian hacktivist group with the same name. However, these connections are unconfirmed, and the group's true location remains a mystery.

Members

Like its leadership, the number of members and their aliases are unknown. Cactus operates as a Ransomware-as-a-Service (RaaS) group, which means they partner with affiliates to carry out attacks. This model obscures the core group's size and makes it difficult to attribute attacks to specific individuals. The operators appear to be highly skilled, suggesting a small, experienced team at the core.

Leadership

Who's calling the shots at Cactus? We don't know for sure. The leadership structure and the identities of its key figures are kept tightly under wraps. Given the group's sophistication and rapid growth, it's likely run by experienced cybercrime veterans who know how to stay in the shadows.

Tactics

The primary goal for Cactus is simple: financial gain. They achieve this through a double-extortion model. First, they encrypt your critical data, bringing business operations to a grinding halt. Then, they threaten to leak the sensitive information they stole before encryption, adding public humiliation and regulatory fines to your list of problems.

Techniques

Cactus gets its foot in the door by exploiting known vulnerabilities in public-facing applications, particularly VPN appliances (like Fortinet and Qlik Sense) and other remote access services. Once inside, they use "Living-off-the-Land" (LotL) tactics, abusing legitimate tools like PowerShell, Rclone, and remote management software (AnyDesk, Splashtop) to blend in with normal network traffic and evade detection.

Procedures

The Cactus attack chain is a well-oiled machine.

  • Initial Access: They gain entry by exploiting unpatched VPNs, conducting phishing campaigns, or buying stolen credentials from dark web forums.

  • Persistence & Discovery: They create an SSH backdoor and use scheduled tasks to maintain access. They then scan the network using tools like SoftPerfect Network Scanner to map out the environment and find more targets.

  • Credential Access: The group dumps credentials from LSASS and web browsers to escalate privileges and move laterally.

  • Defense Evasion: Here’s their signature move. Cactus encrypts its own ransomware binary to avoid being flagged by antivirus solutions. They also use scripts to uninstall common security tools.

  • Exfiltration & Impact: Before deploying the ransomware, they steal data using tools like Rclone. Finally, a PowerShell script automates the encryption process across the network, leaving behind their ransom note, "cAcTuS.readme.txt."

Want to shut down threats before they start?

Indicators of Compromise (IOCs)

Organizations should monitor for:

  • Known Fancy Bear malware signatures (e.g., XAgent, ADVSTORESHELL).
  • Suspicious domains mimicking government or defense entities.
  • Zero-day exploits in applications like Microsoft Windows and Adobe Flash.
  • Abnormal network traffic patterns indicating command-and-control communications.

Key Victims

Fancy Bear targets include:

  • Governments (United States, Germany, France, Ukraine, and others).
  • Military Organizations (focus on NATO-aligned entities).
  • Media Outlets and Journalists (especially those covering Kremlin-related topics).
  • Critical Infrastructure (energy, aerospace, and defense).
  • International Sporting Organizations (e.g., WADA).
  • Political Groups (e.g., the Democratic National Committee).

Notable Cyber Attacks

Aenean interdum tempor lectus, nec rutrum nisl interdum ut. Aliquam mattis felis vulputate dui ultrices, ac finibus ligula interdum. Proin metus enim, sagittis fringilla viverra quis, pulvinar sit amet quam. Donec eget ullamcorper nibh. Praesent a nisl eu nunc interdum efficitur.

Notable Cyberattacks

The January 2024 attack on Schneider Electric put Cactus in the headlines. The group breached the company's Sustainability Business division, which serves major clients like Walmart, Hilton, and PepsiCo. Cactus claimed to have exfiltrated 1.5 TB of data before deploying the ransomware, demonstrating their ability to hit high-value, global targets.

Glitch effectGlitch effect

How to Defend Against Cactus

1

Patch, Patch, Patch: Cactus loves exploiting known VPN vulnerabilities. Keep your systems updated to close those easy entry points.

2

Use Strong Authentication: Implement multi-factor authentication (MFA) across all services. Stolen passwords won't get them very far if they can't bypass MFA.

3

Educate Your Team: Train employees on the importance of spotting phishing emails and understanding the importance of strong, unique passwords.

4

Segment Your Network: Isolate critical systems to make it harder for attackers to move laterally if they do get in.

5

Monitor Your Environment: You can't stop what you can't see. Huntress Managed EDR provides 24/7 monitoring by human threat hunters who can spot the subtle "Living-off-the-Land" techniques Cactus uses. We detect suspicious PowerShell scripts, anomalous remote access, and other behaviors that signal a compromise before the encryption even starts.

Law Enforcement & Arrests

As of late 2025, there have been no publicly announced arrests or law enforcement operations specifically targeting the Cactus ransomware group. These groups are notoriously difficult to track, but global agencies are actively working to dismantle RaaS operations.

References

Related Threat Actor Profiles

Notable developments include the U.S. indictment of GRU-affiliated officers in 2018. Despite these measures, Fancy Bear remains operational, emphasizing the challenges of deterring state-sponsored cyber actors.

Detect, Respond, Protect

See how the global Huntress SOC can augment your team
with 24/7 coverage and unmatched human expertise.
Start your free trial today.

Try Huntress for Free