Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to malware
MalwareRansomwareUsed by 1 actor

BackConnect

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
Lunar Spider

"...including Latrodectus, Brute Ratel C4, Cobalt Strike, BackConnect, and a custom .NET backdoor."

via ctoatncsc substackctoatncsc.substack.com
MITRE ATT&CK

Techniques & procedures

9 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1566PhishingEvidence1

The attacks start with an email bombing campaign, followed by direct contact via Teams, where the attacker impersonates an IT staff.

T1566.003Spearphishing via ServiceEvidence1

Email bombing and social engineering: An email flood was launched, followed by contact via Microsoft Teams from the address admin_734@gamicalstudio[.]onmicrosoft[.]com.

Execution

1 technique
T1059.003Windows Command ShellEvidence1

the attacker used the command type kb052117-01.bpx kb052123-02.bpx > pack.zip ... The file arch1271.cab was extracted ... via cmd.exe

Persistence

1 technique
T1112Modify RegistryEvidence1

The attacker also added the following registry entry to store their BackConnect IPs: reg add "HKCU\SOFTWARE\TitanPlus" /v 1 /t REG_SZ /d "38.180.25.3A443;45.8.157.199A443;5.181.3.164A443" /f

Stealth

1 technique
T1218System Binary Proxy ExecutionEvidence1

The OneDriveStandaloneUpdater.exe process was later launched noninteractively via cmd.exe with the following command-line instruction: "...\OneDriveStandaloneUpdater.exe" -Embedding.

Defense Impairment

1 technique
T1112Modify RegistryEvidence1

The attacker also added the following registry entry to store their BackConnect IPs: reg add "HKCU\SOFTWARE\TitanPlus" /v 1 /t REG_SZ /d "38.180.25.3A443;45.8.157.199A443;5.181.3.164A443" /f

Collection

1 technique
T1560Archive Collected DataEvidence1

the attacker concatenates the two .bpx files into “pack.zip”. In this case, the attacker used the command type kb052117-01.bpx kb052123-02.bpx > pack.zip

Command and Control

2 techniques
T1071Application Layer ProtocolEvidence1

We observed OneDrive Standalone Updater connecting to the external IP 38.180.25[.]3 , which is flagged as Dangerous and categorized as C&C server.

T1105Ingress Tool TransferEvidence1

After gaining initial access, the attacker downloaded two different malicious .bpx files from a commercial cloud storage provider.

Exfiltration

1 technique
T1041Exfiltration Over C2 ChannelEvidence1

we discuss how the Black Basta and Cactus ransomware groups utilized the BackConnect malware to maintain persistent control and exfiltrate sensitive data from compromised machines.

INDICATORS OF COMPROMISE

IOCs tracked for this family

36 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app
Network
26 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
8 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
2 tracked

Other indicator types observed in public reporting.

TypeValueLatest sighting
ip.v4●●●●●●●●●●●●View more in app6 months ago
ip.v4●●●●●●●●●●●●View more in app6 months ago
ip.v4●●●●●●●●●●●●View more in app6 months ago
ip.v4●●●●●●●●●●●●View more in app6 months ago
domain●●●●●●●●●●●●View more in app1 year ago
email●●●●●●●●●●●●View more in app1 year ago
ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
ctoatncsc substackNews
Oct 4, 2025
CTO at NCSC Summary: week ending October 5th

Backdoor component referenced as deployed in a Lunar Spider-linked intrusion to maintain access/enable remote connectivity.

Read more
medium s2wblogNews
Aug 13, 2025
Ransomware Landscape in H1 2025: Statistics and Key Issues | by S2W | S2W BLOG | Medium

Malware used for initial access and campaign linkage between BlackBasta and Cactus operations.

Read more
trend micro researchNews
Mar 3, 2025
Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal | Trend Micro (US)

BackConnect is a persistent backdoor used to maintain remote control of compromised systems, execute commands, and exfiltrate sensitive data including credentials, financial information, and personal files. In these incidents it was deployed via DLL sideloading through OneDriveStandaloneUpdater.exe and used C2 infrastructure stored in TitanPlus registry keys.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching36

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping9

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.