Security Alerts

Microsoft Warns of Malvertising Scheme Spreading CACTUS Ransomware

Microsoft has warned of a recent surge in CACTUS ransomware attacks that use malvertising, with DanaBot as the initial access vector. DanaBot, also known as Storm-1044, is a multifunctional tool capable of stealing data and serving as an entry point for subsequent payloads. The ransomware operator, identified as Storm-0216 (Twisted Spider, UNC2198), orchestrates the attacks following DanaBot infections. UNC2198, previously linked to IcedID infections leading to Maze and Egregor ransomware, appears to have shifted to DanaBot after a coordinated law enforcement operation disrupted QakBot's infrastructure. The current campaign, detected in November, appears to use a private version of DanaBot. The threat actor gains access to credentials, moves laterally through RDP sign-in attempts, and eventually hands over control to Storm-0216.

Link

https://thehackernews.com/2023/12/microsoft-warns-of-malvertising-scheme.html?m=1