The Cactus ransomware strain has been targeting corporate networks by exploiting critical vulnerabilities in the Qlik data analytics platform. The ransomware operators have also been utilizing the DanaBot malware, which is distributed through malvertising, to aid in their attacks. Cactus ransomware, which emerged in March, has recently ramped up its operations and has been involved in a surge of ransomware activities. The ransomware operators take advantage of security flaws in Qlik to initiate new processes and gain remote access. They employ legitimate tools like AnyDesk and Rclone to establish persistence and exfiltrate data. Additionally, the DanaBot malware collects user credentials and other information, sending them to a command and control server. The malware then performs lateral movement and hands off to another malware called Storm-0216, which has been linked to the Maze Cartel, a group known for deploying Maze and Egregor ransomware. The Cactus ransomware attacks have reached record-breaking levels of ransomware activity [ee3ec197].