All news tagged #backdoor

Wed, October 1, 2025

Ukraine Alerts to CABINETRAT Backdoor Delivered via XLLs

⚠ The Computer Emergency Response Team of Ukraine (CERT‑UA) warns of targeted attacks using a new backdoor dubbed CABINETRAT, distributed as malicious Excel add-ins (XLL) concealed inside ZIP archives shared over Signal. The XLL drops an EXE into the Startup folder, copies BasicExcelMath.xll into the Excel XLSTART folder (Excel loads everything in that folder at launch) and writes a PNG that hides shellcode. It uses registry persistence and thorough anti-VM checks, and the C-based backdoor performs reconnaissance, remote command execution, file operations and data exfiltration over TCP.

read more →
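The CABINETRAT item above names two drop locations (an EXE in Startup, an XLL in XLSTART) and a PNG that carries shellcode. The script below is an added triage example, not CERT-UA's code: it flags files in those two locations from a file listing, and it walks a PNG's chunk structure to report anything a viewer would never render (data after IEND, non-standard chunk types, bad CRCs). The advisory does not say where in the PNG the shellcode lives, so the PNG check is a generic "more than pixels" test, not a CABINETRAT signature; the sample paths (other than BasicExcelMath.xll) and the sample PNG are constructed.

```python
"""Triage helpers for the CABINETRAT indicators summarised above.

Added example, not CERT-UA's code.
  1. suspicious_paths(): flag .xll files in a per-user Excel XLSTART folder and
     executables in the Start Menu Startup folder, the two drop locations the
     advisory names (Excel auto-loads everything in XLSTART).
  2. png_anomalies(): parse a PNG's chunk list and report bytes no viewer would
     render. Where CABINETRAT's PNG hides its shellcode is not stated in the
     advisory, so this is a generic check (assumption), not a signature.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CRITICAL = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}
ANCILLARY = {b"tEXt", b"zTXt", b"iTXt", b"tIME", b"pHYs", b"gAMA", b"sRGB",
             b"iCCP", b"bKGD", b"cHRM", b"sBIT", b"tRNS", b"hIST", b"sPLT"}
STARTUP_EXTS = (".exe", ".lnk", ".bat", ".cmd", ".vbs", ".js", ".ps1")


def suspicious_paths(paths):
    """Return (path, reason) tuples for files sitting in the two drop locations."""
    hits = []
    for p in paths:
        low = p.lower().replace("/", "\\")
        if "\\microsoft\\excel\\xlstart\\" in low and low.endswith(".xll"):
            hits.append((p, "XLL add-in in XLSTART: loaded on every Excel start"))
        elif "\\start menu\\programs\\startup\\" in low and low.endswith(STARTUP_EXTS):
            hits.append((p, "executable in Startup folder: runs at logon"))
    return hits


def png_anomalies(data):
    """Walk the chunk list of `data`; return a list of findings (empty = clean)."""
    findings = []
    if not data.startswith(PNG_SIG):
        return ["not a PNG (bad signature)"]
    off = len(PNG_SIG)
    while off + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[off:off + 8])
        body = data[off + 8:off + 8 + length]
        crc_off = off + 8 + length
        if crc_off + 4 > len(data):
            findings.append(f"truncated chunk {ctype!r} at offset {off}")
            return findings
        (crc,) = struct.unpack(">I", data[crc_off:crc_off + 4])
        if zlib.crc32(ctype + body) != crc:  # CRC covers type + data, not length
            findings.append(f"bad CRC on chunk {ctype!r} at offset {off}")
        if ctype not in CRITICAL and ctype not in ANCILLARY:
            findings.append(f"non-standard chunk {ctype!r} carrying {length} bytes")
        off = crc_off + 4
        if ctype == b"IEND":
            trailing = len(data) - off
            if trailing:
                findings.append(f"{trailing} bytes after IEND (never rendered)")
            return findings
    findings.append("no IEND chunk")
    return findings


def _chunk(ctype, body):
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body)))


def minimal_png(extra_chunks=(), trailer=b""):
    """Constructed 1x1 greyscale PNG used as sample input. `extra_chunks` are
    placed before IEND and `trailer` after it: the two usual stash locations."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grey
    idat = zlib.compress(b"\x00\x00")                   # filter byte + one pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
    for ctype, body in extra_chunks:
        png += _chunk(ctype, body)
    return png + _chunk(b"IEND", b"") + trailer


if __name__ == "__main__":
    sample = [  # constructed paths; only BasicExcelMath.xll is named in the advisory
        r"C:\Users\alice\AppData\Roaming\Microsoft\Excel\XLSTART\BasicExcelMath.xll",
        r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
        r"C:\Users\alice\Documents\budget.xlsx",
    ]
    for path, why in suspicious_paths(sample):
        print(f"[path] {why}: {path}")
    stashed = minimal_png(trailer=b"\xcc" * 128)  # int3 bytes standing in for a payload
    for finding in png_anomalies(stashed):
        print(f"[png] {finding}")
```

Run it against real files by feeding `os.walk` output to `suspicious_paths` and each PNG's bytes to `png_anomalies`; a clean image yields an empty list, and legitimate tools (e.g. editors that add private chunks) will produce non-standard chunk findings that need a human look rather than automatic quarantine.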

Tue, September 30, 2025

Battering RAM: DDR4 Interposer Breaks Cloud Memory

🔒 Researchers at KU Leuven and the University of Birmingham disclosed Battering RAM, a low-cost DDR4 interposer attack that can undermine hardware memory encryption used in cloud environments. The $50 interposer sits transparently in the memory path, passes boot-time trust checks, and can be toggled to redirect physical addresses to attacker-controlled locations to corrupt or replay encrypted memory. The team says the technique can bypass protections such as SGX and SEV-SNP, and that meaningful mitigation would require architectural redesign of memory encryption.

read more →

Tue, September 30, 2025

Phantom Taurus: China-linked APT Targets Diplomacy

🔍 Palo Alto Networks Unit 42 has attributed a two-and-a-half-year campaign of espionage to a previously undocumented China-aligned actor dubbed Phantom Taurus, which has targeted government and telecommunications organizations across Africa, the Middle East, and Asia. The group uses a bespoke .NET malware suite called NET-STAR to compromise Internet Information Services (IIS) web servers and maintain stealthy access. Observed techniques include exploitation of on-premises IIS and Microsoft Exchange flaws, in-memory payload execution, timestomping and AMSI/ETW bypasses, enabling persistent data collection tied to geopolitical events.

read more →

Tue, September 30, 2025

Phantom Taurus: NET-STAR .NET IIS Backdoor Revealed

🔍 Unit 42 documents a newly designated Chinese-aligned threat actor, Phantom Taurus, which uses a previously undocumented .NET malware suite called NET-STAR to target IIS web servers. The actor focuses on government and telecommunications organizations across the Middle East, Africa and Asia and has shifted from email theft to direct database exfiltration. The report outlines technical behaviors, in-memory fileless execution, and mitigation guidance for Palo Alto Networks protections.

read more →

Mon, September 29, 2025

Chinese Hackers Exploit Enterprise Network Appliances

🔒 A Chinese state-sponsored group tracked as RedNovember ran a global espionage campaign from June 2024 to July 2025, compromising defense contractors, government agencies, and major corporations by exploiting internet-facing network appliances. The attackers rapidly weaponized disclosed flaws in devices from SonicWall, Ivanti, Cisco, F5, Sophos, and Fortinet, often within 72 hours of public exploit code. They deployed the Go-based Pantegana backdoor and SparkRAT alongside Cobalt Strike, and relied on open-source tooling and legitimate services to muddy attribution and maintain persistent access.

read more →

Mon, September 29, 2025

First Malicious MCP Server Found in NPM Postmark Package

🛡️ Cybersecurity researchers at Koi Security reported the first observed malicious Model Context Protocol (MCP) server embedded in an npm package, a trojanized copy of the postmark-mcp library. The malicious change, introduced in version 1.0.16 in September 2025 by developer "phanpak", added a one-line backdoor that BCCs every outgoing email to phan@giftshop[.]club. Users who installed the package should remove it immediately, rotate any potentially exposed credentials, and review email logs for unauthorized BCC activity.

read more →

Sat, September 27, 2025

China-linked PlugX and Bookworm Target Asian Telecoms

🔍 Cisco Talos and Palo Alto Networks Unit 42 describe concurrent campaigns distributing a revised PlugX variant and the long‑running Bookworm RAT against telecommunications and manufacturing organizations across Central and South Asia and ASEAN countries. Talos found that the PlugX sample borrows RainyDay and Turian techniques — DLL side‑loading of a Mobile Popup Application, XOR‑RC4‑RtlDecompressBuffer payload processing and reuse of RC4 keys — and includes an embedded keylogger. Researchers note the PlugX configuration now mirrors RainyDay’s structure, suggesting links to Lotus Panda/Naikon or shared tooling, while Unit 42 highlights Bookworm’s modular leader/DLL architecture, UUID-encoded shellcode variants, and use of legitimate-looking C2 domains to blend with normal traffic.

read more →

Fri, September 26, 2025

New COLDRIVER ClickFix Campaign Uses BAITSWITCH, SIMPLEFIX

🔍 Zscaler details a new COLDRIVER ClickFix campaign that deploys two lightweight families: BAITSWITCH, a DLL downloader, and SIMPLEFIX, a PowerShell backdoor. Victims are lured by a fake CAPTCHA into executing a malicious DLL; BAITSWITCH fetches SIMPLEFIX while presenting a Google Drive decoy. The chain stores encrypted payloads in the Windows Registry, uses a PowerShell stager, and clears the Run dialog history to erase traces. Zscaler notes the campaign targets NGOs, human-rights defenders, think tanks, and exiles connected to Russia.

read more →

Fri, September 26, 2025

ArcaneDoor Targets Cisco ASA Firewalls in New Campaign

🔒 Cisco has linked a renewed campaign exploiting Cisco ASA 5500-X devices to the espionage-focused ArcaneDoor threat actor. The operation leveraged zero-day flaws, notably CVE-2025-20333 and CVE-2025-20362, to implant malware, modify ROMMON for persistence and evade detection by disabling logging and intercepting CLI commands. Observed compromises affected older ASA models lacking Secure Boot/Trust Anchor protections; Cisco and national authorities urge immediate remediation. Temporary mitigations include disabling SSL/TLS VPN web services and IKEv2 client services while applying vendor fixes and conducting forensics.

read more →

Fri, September 26, 2025

Roblox executors: cheat tools that bring security risks

⚠️ Downloading third-party Roblox "executors" — tools that inject and run unauthorized scripts in games — can lead to account bans and serious security incidents. Malicious actors distribute fake or trojanised versions of popular tools such as Synapse X and Solara, sometimes bundling ransomware or backdoors. These installers may ask users to disable antivirus protections, which is a clear warning sign. Parents should steer children toward official features and avoid unverified downloads to keep accounts and devices safe.

read more →

Thu, September 25, 2025

Malicious npm 'postmark-mcp' Release Exfiltrated Emails

📧 A malicious npm package posing as the official postmark-mcp project quietly added a single line of code to BCC all outgoing emails to an external address. Koi Security found the backdoor in version 1.0.16 after prior releases through 1.0.15 were verified clean. The tainted release was available for about a week and logged roughly 1,500 downloads. Users are advised to remove the package, rotate potentially exposed credentials, and run MCP servers in isolated containers before upgrading.

read more →
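The two postmark-mcp items above (Sept 25 and Sept 29) give a practitioner three concrete things to act on: the bad version is exactly 1.0.16 (releases through 1.0.15 were verified clean), the backdoor works by adding a BCC, and the exfil address is published. The script below is an added example, not Koi Security's or Postmark's code. It locates the bad release anywhere in a package-lock.json, including nested copies, for both the flat `packages` map of lockfileVersion 2/3 and the legacy `dependencies` tree, and it scans outbound-mail records for BCC recipients outside the organisation's own domains. The lockfile and the record layout (`message_id`/`to`/`bcc`) are constructed; a real export from a provider's activity log will need a small field mapping.

```python
"""Checks for the trojanized postmark-mcp release described above.

Added example, not Koi Security's or Postmark's code.
  1. find_bad_lock_entries(): find postmark-mcp 1.0.16 anywhere in a
     package-lock.json (lockfileVersion 1, 2 and 3 layouts).
  2. unauthorized_bcc(): flag BCC recipients outside the organisation's domains
     and mark the exfil address the report published. Record layout is an
     assumption made for the example.
"""
import json

BAD_PACKAGE = "postmark-mcp"
BAD_VERSIONS = {"1.0.16"}          # only 1.0.16 was tainted per the report
# The write-up de-fangs the address; normalise so either form matches.
EXFIL_ADDRESS = "phan@giftshop[.]club".replace("[.]", ".")


def find_bad_lock_entries(lock_text):
    """Return sorted node_modules paths where a known-bad version is installed."""
    lock = json.loads(lock_text)
    hits = set()

    # lockfileVersion 2/3: keys are install paths; "" is the root project itself.
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue
        name = path.rsplit("node_modules/", 1)[-1]   # keeps @scope/name intact
        if name == BAD_PACKAGE and meta.get("version") in BAD_VERSIONS:
            hits.add(path)

    # lockfileVersion 1 (v2 files keep it for compatibility): nested tree.
    def walk(deps, prefix):
        for name, meta in deps.items():
            here = f"{prefix}node_modules/{name}"
            if name == BAD_PACKAGE and meta.get("version") in BAD_VERSIONS:
                hits.add(here)
            walk(meta.get("dependencies", {}), here + "/")

    walk(lock.get("dependencies", {}), "")
    return sorted(hits)


def unauthorized_bcc(records, org_domains):
    """Return (message_id, address, tag) for every BCC not in org_domains."""
    org = {d.lower() for d in org_domains}
    findings = []
    for rec in records:
        for addr in rec.get("bcc", []):
            addr_l = addr.lower().replace("[.]", ".")
            domain = addr_l.rsplit("@", 1)[-1]
            if domain in org:
                continue
            tag = "KNOWN EXFIL ADDRESS" if addr_l == EXFIL_ADDRESS else "external BCC"
            findings.append((rec["message_id"], addr_l, tag))
    return findings


# Constructed sample inputs: a v3 lockfile with a tainted top-level copy and a
# clean nested copy, and three outbound-mail records.
SAMPLE_LOCK = json.dumps({
    "name": "mail-agent", "lockfileVersion": 3,
    "packages": {
        "": {"name": "mail-agent", "version": "0.1.0"},
        "node_modules/postmark-mcp": {"version": "1.0.16"},
        "node_modules/wrapper": {"version": "2.0.0"},
        "node_modules/wrapper/node_modules/postmark-mcp": {"version": "1.0.15"},
    },
})

SAMPLE_RECORDS = [
    {"message_id": "m1", "to": ["cfo@example.com"], "bcc": []},
    {"message_id": "m2", "to": ["vendor@partner.example"],
     "bcc": ["phan@giftshop.club"]},
    {"message_id": "m3", "to": ["hr@example.com"],
     "bcc": ["archive@example.com", "someone@outside.test"]},
]

if __name__ == "__main__":
    for path in find_bad_lock_entries(SAMPLE_LOCK):
        print(f"[lockfile] {path}: known-bad release; remove it and rotate credentials")
    for mid, addr, tag in unauthorized_bcc(SAMPLE_RECORDS, ["example.com"]):
        print(f"[mail] {mid}: BCC {addr} ({tag})")
```

The lockfile walk matters because `npm ls postmark-mcp` only shows what the current tree resolves to, while a lockfile in a CI cache or a sibling repository may still pin 1.0.16. The BCC check deliberately flags any external BCC rather than only the published address, since a re-upload of the backdoor would point somewhere else.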

Thu, September 25, 2025

Talos: New PlugX Variant Targets Telecom and Manufacturing

🔍 Cisco Talos revealed a new PlugX malware variant active since 2022 that targets telecommunications and manufacturing organizations across Central and South Asia. The campaign leverages abuse of legitimate software, DLL-hijacking techniques and stealthy persistence to evade detection, and it shares technical fingerprints with the RainyDay and Turian backdoors. Talos describes the activity as sophisticated and ongoing. Organizations should update endpoint, email and network protections, review DLL-hijack mitigations and proactively hunt for related indicators.

read more →

Thu, September 25, 2025

XCSSET Evolves: New Clipboard, Firefox, Persistence Modules

🔍 Microsoft Threat Intelligence describes a new XCSSET variant that infects Xcode projects and adds clipboard hijacking, Firefox data theft, and extra persistence via LaunchDaemon entries. The actor uses run-only compiled AppleScripts, AES-based encryption, and layered obfuscation to hinder analysis. A bnk submodule watches the clipboard and can swap in attacker-controlled wallet addresses, while a new Mach-O binary targets Firefox data. Organizations are advised to keep macOS and Xcode current, inspect Xcode project sources before building, and deploy Microsoft Defender for Endpoint.

read more →

Thu, September 25, 2025

Phishing-to-PureRAT: Vietnamese Actor Upgrades Stealer

🛡️ Huntress researchers uncovered a multi-stage phishing operation that began with a Python-based infostealer and culminated in the deployment of PureRAT. The campaign used a ZIP lure containing a signed PDF reader and a malicious version.dll to achieve DLL sideloading, then progressed through ten staged loaders that shifted from obfuscated Python to compiled .NET binaries. Attackers used process hollowing against RegAsm.exe, patched Windows defenses (AMSI and ETW), and ultimately unpacked PureRAT, which communicates over encrypted C2 channels and can load additional modules. Metadata linking the activity to the handle @LoneNone and to the PXA Stealer family, plus a C2 server traced to Vietnam, supports attribution to Vietnamese threat actors.

read more →

Thu, September 25, 2025

North Korean hackers deploy new AkdoorTea backdoor

🛡️ ESET attributes a widespread recruitment-based intrusion campaign to the North Korea-linked cluster tracked as DeceptiveDevelopment, revealing a previously undocumented Windows backdoor called AkdoorTea. Active since late 2022, the operation targets software developers on Windows, Linux, and macOS, particularly in cryptocurrency and Web3, using fake recruiter outreach, video assessments and coding tasks to deliver multi-platform malware such as BeaverTail, TsunamiKit and Tropidoor. The group favors scale and social engineering while reusing dark-web projects and rented malware rather than developing wholly novel toolsets.

read more →

Thu, September 25, 2025

PXA Stealer Upgrades to Multi-Layer Chain Deploying PureRAT

🔒 A Vietnamese threat group has evolved its custom PXA Stealer campaign into a multi-layered delivery chain that ultimately deploys PureRAT, a feature-rich remote access trojan. Huntress analysts describe a ten-stage sequence that begins with a copyright-infringement phishing lure and proceeds through obfuscated Python loaders, layered encoding and encryption (Base85, AES, RC4, XOR), and .NET reflective loading. The chain includes AMSI and ETW patching, TLS certificate pinning, registry persistence, and process hollowing to evade detection. Huntress linked the activity to the Telegram handle @LoneNone and Vietnamese C2 infrastructure and remediated an intrusion before full module deployment.

read more →

Thu, September 25, 2025

Chinese Group Uses BRICKSTORM Backdoor Against US Firms

⚠️ Google Threat Intelligence Group says a Chinese-aligned cluster has used the BRICKSTORM backdoor in intrusion campaigns since at least March 2025 against US legal and technology firms, SaaS providers and outsourcing companies. Attackers focused on harvesting emails and files from key individuals and establishing long-term footholds. The group, tracked as UNC5221, exploited zero-days, deployed BRICKSTORM on VMware appliances, and used credential theft and persistence mechanisms to evade detection. Google and partners have published detection guidance and a Mandiant scanner script to help identify infections.

read more →

Thu, September 25, 2025

Chinese Backdoor Grants Year-Long Access to US Firms

🔐 Chinese state-linked actors deployed a custom Linux/BSD backdoor called BRICKSTORM on network edge appliances to maintain persistent access into U.S. legal, technology, SaaS and outsourcing firms. The implants averaged 393 days of undetected dwell time and were used to pivot to VMware vCenter/ESXi hosts, Windows systems, and Microsoft 365 mailboxes. Mandiant and Google Threat Intelligence Group attribute the activity to UNC5221 and have released a scanner and hunting guidance to locate affected appliances.

read more →

Wed, September 24, 2025

Ransomware-Enabled Heist and npm Worm Supply-Chain Threats

🔒 Ransomware can do more than encrypt files — it can disable alarms and create physical security vulnerabilities. In a recent episode of the Smashing Security podcast, hosts discuss how a ransomware-related outage at the Natural History Museum in Paris preceded a late-night theft of €600,000 in gold. The show also covers a new npm supply-chain worm dubbed Shai Hulud that has infected over 180 packages and quietly exfiltrated secrets, plus odd stories about ads appearing on consumer appliances.

read more →

Wed, September 24, 2025

New Supermicro BMC Flaws Enable Persistent Backdoors

🔐 Researchers from Binarly disclosed multiple firmware vulnerabilities in Supermicro Baseboard Management Controllers (BMCs) that allow attackers to load unofficial images and install persistent backdoors. A bypass for a previously patched issue (CVE-2024-10237) and a new flaw (CVE-2025-6198) let adversaries insert unsigned content into a firmware image while its digests and signatures still validate. A related confirmed issue is tracked as CVE-2025-7937. Supermicro has released firmware updates; administrators must identify affected models and apply the fixes promptly.

read more →