Threat Actor Profile

Cactus

First spotted in March 2023, this double-extortion operation quickly made a name for itself by hitting large commercial entities. They’re known for exploiting VPN vulnerabilities, but their most unique move is encrypting their own binary to avoid detection. Ouch.


Country of Origin

The exact origin of the Cactus group is currently unknown. While definitive proof is lacking, some researchers speculate a possible connection to a Malaysian hacktivist group with the same name. However, these connections are unconfirmed, and the group's true location remains a mystery.

Members

Like its leadership, the number of members and their aliases are unknown. Cactus operates as a Ransomware-as-a-Service (RaaS) group, which means they partner with affiliates to carry out attacks. This model obscures the core group's size and makes it difficult to attribute attacks to specific individuals. The operators appear to be highly skilled, suggesting a small, experienced team at the core.

Leadership

Who's calling the shots at Cactus? We don't know for sure. The leadership structure and the identities of its key figures are kept tightly under wraps. Given the group's sophistication and rapid growth, it's likely run by experienced cybercrime veterans who know how to stay in the shadows.

Cactus TTPs

Cactus isn't just another ransomware variant; these attackers are crafty. They use a mix of clever techniques to breach networks, stay hidden, and pressure victims into paying up.

Tactics

The primary goal for Cactus is simple: financial gain. They achieve this through a double-extortion model. First, they encrypt your critical data, bringing business operations to a grinding halt. Then, they threaten to leak the sensitive information they stole before encryption, adding public humiliation and regulatory fines to your list of problems.

Techniques

Cactus gets its foot in the door by exploiting known vulnerabilities in public-facing applications, particularly VPN appliances (such as Fortinet) and other internet-exposed services such as Qlik Sense and remote access products. Once inside, they use "Living-off-the-Land" (LotL) tactics, abusing legitimate tools like PowerShell, Rclone, and remote management software (AnyDesk, Splashtop) to blend in with normal network traffic and evade detection.

Procedures

The Cactus attack chain is a well-oiled machine.

  • Initial Access: They gain entry by exploiting unpatched VPNs, conducting phishing campaigns, or buying stolen credentials from dark web forums.

  • Persistence & Discovery: They create an SSH backdoor and use scheduled tasks to maintain access. They then scan the network using tools like SoftPerfect Network Scanner to map out the environment and find more targets.

  • Credential Access: The group dumps credentials from LSASS and web browsers to escalate privileges and move laterally.

  • Defense Evasion: Here’s their signature move. Cactus encrypts its own ransomware binary to avoid being flagged by antivirus solutions. They also use scripts to uninstall common security tools.

  • Exfiltration & Impact: Before deploying the ransomware, they steal data using tools like Rclone. Finally, a PowerShell script automates the encryption process across the network, leaving behind their ransom note, "cAcTuS.readme.txt".


Notable Cyberattacks

The January 2024 attack on Schneider Electric put Cactus in the headlines. The group breached the company's Sustainability Business division, which serves major clients like Walmart, Hilton, and PepsiCo. Cactus claimed to have exfiltrated 1.5 TB of data before deploying the ransomware, demonstrating their ability to hit high-value, global targets.

Law Enforcement & Arrests

As of late 2025, there have been no publicly announced arrests or law enforcement operations specifically targeting the Cactus ransomware group. These groups are notoriously difficult to track, but global agencies are actively working to dismantle RaaS operations.

How to Defend Against Cactus

1. Patch, Patch, Patch: Cactus loves exploiting known VPN vulnerabilities. Keep your systems updated to close those easy entry points.

2. Use Strong Authentication: Implement multi-factor authentication (MFA) across all services. Stolen passwords won't get them very far if they can't bypass MFA.

3. Educate Your Team: Train employees to spot phishing emails and to use strong, unique passwords.

4. Segment Your Network: Isolate critical systems to make it harder for attackers to move laterally if they do get in.

5. Monitor Your Environment: You can't stop what you can't see. Huntress Managed EDR provides 24/7 monitoring by human threat hunters who can spot the subtle "Living-off-the-Land" techniques Cactus uses. We detect suspicious PowerShell scripts, anomalous remote access, and other behaviors that signal a compromise before the encryption even starts.
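As an added example (not part of this profile and not Huntress detection logic), the Python below turns the behaviors listed under Procedures and in step 5 into a small scoring pass over EDR-style process and file events: scheduled-task creation, Rclone copy/sync runs, encoded PowerShell, AnyDesk/Splashtop launches, and creation of the "cAcTuS.readme.txt" note. The event schema, rule names, weights, and alert threshold are assumptions, and the sample events are constructed, not real telemetry.

```python
"""Score hosts for Cactus-style living-off-the-land behaviour (added example)."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real logs): generic EDR-style process/file events.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Updater" /tr "C:\ProgramData\svc.exe" /sc onlogon'},
    {"host": "ws01", "type": "process",
     "image": r"C:\Users\alice\Downloads\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Shares\Finance remote:bucket --transfers 8"},
    {"host": "ws02", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # the base64 blob is a constructed placeholder, not a real payload
     "cmdline": "powershell.exe -nop -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"},
    {"host": "ws02", "type": "process",
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "cmdline": "AnyDesk.exe --service"},
    {"host": "srv01", "type": "file", "op": "create",
     "path": r"D:\Shares\Finance\cAcTuS.readme.txt"},
    {"host": "ws03", "type": "process",          # benign control event
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\bob\notes.txt"},
]

# -e / -enc / -encodedcommand followed by a base64-looking run of 16+ characters
ENCODED_PS = re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)


def _base(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def _is_proc(event, name):
    return event["type"] == "process" and _base(event["image"]) == name


# (rule name, weight, predicate over a single event); weights are assumptions
RULES = [
    ("schtasks_persistence", 3, lambda e: _is_proc(e, "schtasks.exe")
        and "/create" in e["cmdline"].lower()),
    ("rclone_exfil", 5, lambda e: _is_proc(e, "rclone.exe")
        and re.search(r"\b(copy|sync|move)\b", e["cmdline"], re.I) is not None),
    ("encoded_powershell", 3, lambda e: _is_proc(e, "powershell.exe")
        and ENCODED_PS.search(e["cmdline"]) is not None),
    ("remote_access_tool", 2, lambda e: e["type"] == "process"
        and any(tool in e["image"].lower() for tool in ("anydesk", "splashtop"))),
    ("ransom_note", 10, lambda e: e["type"] == "file" and e.get("op") == "create"
        and _base(e["path"]) == "cactus.readme.txt"),
]


def score_events(events):
    """Aggregate rule hits per host; hosts with no hits are omitted."""
    out = defaultdict(lambda: {"score": 0, "hits": []})
    for event in events:
        for name, weight, predicate in RULES:
            if predicate(event):
                out[event["host"]]["score"] += weight
                out[event["host"]]["hits"].append(name)
    return dict(out)


def triage(events, threshold=5):
    """Hosts at or above the threshold, highest score first (ties by host name)."""
    scored = score_events(events)
    ranked = sorted(scored.items(), key=lambda kv: (-kv[1]["score"], kv[0]))
    return [host for host, result in ranked if result["score"] >= threshold]


if __name__ == "__main__":
    for host, result in score_events(SAMPLE_EVENTS).items():
        print(f"{host}: score={result['score']} hits={result['hits']}")
    print("triage order:", triage(SAMPLE_EVENTS))
```

Each rule on its own is noisy (administrators create scheduled tasks, sync with Rclone, and install remote support tools), so the per-host score, not the single hit, is the unit a hunter would review; the ransom-note rule is weighted to alert alone because by that point encryption has already begun on that host.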
