All news with #backdoor found tag

Russia-backed APT28 Deploys 'NotDoor' Outlook Backdoor

🛡️ Researchers at S2 Grupo’s LAB52 disclosed NotDoor, a VBA-based Outlook backdoor attributed to Russia-backed APT28 that monitors incoming mail for trigger phrases to exfiltrate data, upload files and execute arbitrary commands. The malware abuses Outlook event-driven macros, employs DLL side-loading via a signed OneDrive.exe to load a malicious SSPICLI.dll, and persists by disabling security prompts and enabling macros. Organizations are advised to disable macros by default, monitor Outlook activity and inspect email-based triggers.

Malicious npm Package Masquerades as Nodemailer Library

⚠️ A malicious npm package named nodejs-smtp impersonating the popular nodemailer library was discovered to both send mail and inject malware into Electron-based desktop cryptocurrency wallets. When imported, it unpacked and tampered with Atomic Wallet on Windows, replacing vendor files and repackaging the app to silently redirect transactions to attacker-controlled addresses. Socket's researchers prompted npm to remove the package and suspend the account.

MystRodX Backdoor Uses DNS and ICMP for Stealthy Control

🛡️ QiAnXin XLab warns of a stealthy backdoor named MystRodX (aka ChronosRAT) that leverages layered encryption and flexible network options to hinder detection. The C++ implant supports file management, port forwarding, reverse shells and socket control, and can run actively or as a passive "wake-up" backdoor triggered by crafted DNS queries or ICMP payloads. A multi-stage dropper with anti-debug and VM checks decrypts components and an AES-encrypted configuration that contains C2 endpoints, ports and the backdoor mode.

Silver Fox Abuses Microsoft-Signed Drivers to Deploy RAT

⚠️ A newly discovered campaign attributed to the Silver Fox APT abuses trusted Microsoft-signed drivers to bypass security protections and install a remote access tool. Check Point Research found attackers used the WatchDog driver (amsdk.sys) and an older Zemana-based driver to terminate antivirus and EDR processes, enabling deployment of ValleyRAT. Researchers observed loaders with anti-analysis, persistence, embedded drivers and hardcoded lists of security processes, and warn that timestamp edits can preserve valid signatures while evading hash-based detection.

Weekly Recap: WhatsApp 0-Day, Docker Bug, Breaches

🚨 This weekly recap highlights multiple cross-cutting incidents, from an actively exploited WhatsApp 0‑day to a critical Docker Desktop bug and a Salesforce data-exfiltration campaign. It shows how attackers combine stolen OAuth tokens, unpatched software, and deceptive web content to escalate access. Vendors issued patches and advisories for numerous CVEs; defenders should prioritize patching, token hygiene, and targeted monitoring. Practical steps include auditing MCP integrations, enforcing zero-trust controls, and hunting for chained compromises.

APT37 Spear-Phishing Campaign Targets South Korean Officials

🛡️ Seqrite attributes a large-scale spear-phishing operation, dubbed Operation HanKook Phantom, to APT37, a North Korea–linked group targeting South Korean government and intelligence personnel. Attackers distributed malicious LNK shortcuts disguised as a legitimate National Intelligence Research Society newsletter and a statement from Kim Yo-jong, which triggered downloads and execution of payloads including RokRAT. The campaign employed in-memory execution, fileless PowerShell, XOR decryption, LOLBins and covert exfiltration techniques to blend with normal traffic and evade detection.

Abandoned Sogou Zhuyin Update Server Used in Espionage

📡 Trend Micro reports that threat actors leveraged an abandoned Sogou Zhuyin update server to distribute multiple malware families, including C6DOOR, GTELAM, DESFY, and TOSHIS. The campaign, tracked as TAOTH and identified in June 2025, used hijacked automatic updates, spear-phishing, and fake cloud/login pages to target dissidents, journalists, researchers, and business figures across East Asia. The adversary registered the lapsed domain sogouzhuyin[.]com in October 2024 and exploited third-party cloud services like Google Drive to conceal callbacks and exfiltrate data.

TamperedChef Malware Hidden in Fake PDF Editor Installers

🛡️ Cybersecurity researchers report a malvertising campaign that lures users to counterfeit sites offering a trojanized PDF installer for AppSuite PDF Editor, which drops an information stealer named TamperedChef. The installer presents a license prompt while covertly downloading the editor, setting persistence via Windows Registry autorun entries and scheduled tasks that pass --cm arguments. Analysts at Truesec and G DATA found the backdoor harvests credentials and cookies and can download additional payloads.

VS Code Marketplace Flaw Lets Deleted Extensions Be Reused

🔍 Researchers at ReversingLabs found a loophole in the Visual Studio Code Marketplace that permits threat actors to republish removed extensions under the same visible names. The new malicious package, ahbanC.shiba, mirrors earlier flagged extensions and acts as a downloader for a PowerShell payload that encrypts files in a folder named "testShiba" and demands a Shiba Inu token ransom. Investigation revealed that extension uniqueness is enforced by the combination of publisher and name, not the visible name alone, enabling attackers to reuse names once an extension is removed. Organizations should audit extension IDs, enforce whitelists, and run automated supply-chain scanning to reduce exposure.

Fake IT Support Phishing Targets Microsoft Teams Users

🔒 Researchers at Permiso have uncovered phishing campaigns that abuse Microsoft Teams by impersonating IT support to trick employees into installing remote access tools like QuickAssist and AnyDesk. Attackers gain full control of compromised endpoints, deploy credential-stealing malware and establish persistence. Campaigns are linked to the financially motivated actor EncryptHub and use simple impersonation tactics that bypass email defences. Security teams should monitor unusual external Teams activity and verify unexpected support requests.

Salt Typhoon Exploits Router Flaws to Breach 600 Orgs

🔒Salt Typhoon, a China-linked APT, exploited vulnerabilities in Cisco, Ivanti, and Palo Alto Networks edge devices to compromise and persistently control routers worldwide. The actors modified device configurations, created GRE tunnels, and used on-box Linux containers to stage tools and exfiltrate data. Agencies from 13 countries linked the campaign to three Chinese firms and warned of espionage impacting telecoms, government, transport, lodging, and military sectors.

Nx Build Supply-Chain Attack: Trojanized Packages Detected

🔐 The Nx package ecosystem was trojanized via a malicious post-install script, telemetry.js, which exfiltrated developer secrets from macOS and *nix environments. Stolen items included npm and GitHub tokens, SSH keys, crypto wallets, API keys and .env contents, uploaded to public GitHub repositories. Immediate actions include auditing Nx package versions, removing affected node_modules, rotating all potentially exposed secrets and monitoring repositories and Actions for misuse.

Storm-0501 Deletes Azure Data and Backups After Exfiltration

🔒 Microsoft Threat Intelligence details a campaign by Storm-0501 that exfiltrated data from a large enterprise’s Azure environment, then deleted backups and encrypted remaining resources to block recovery. The actor abused Entra Connect synchronization, elevated to Global Administrator, and used Azure Owner privileges to steal storage keys and transfer blobs via AzCopy. Microsoft recommends enabling blob backups, least privilege, logging, and Azure Backup to mitigate these cloud-native ransomware tactics.

BadCam: Reflashed Webcams Enable BadUSB-Style Attacks

🔒 Researchers demonstrated BadCam, a BadUSB-style attack presented at BlackHat that reflashes a webcam's firmware so a standard camera can act as a programmable HID device. The proof-of-concept targeted Lenovo 510 FHD and Lenovo Performance FHD models using a SigmaStar SoC, exploiting lack of cryptographic firmware verification and Linux USB Gadget support to present keyboard/network interfaces. Standard scans and OS reinstalls won't remove such implants, so organizations should apply firmware patches, USB control policies, and HID monitoring to mitigate the risk.

Storm-0501 Shifts to Cloud-Based Ransomware Tactics

🔒 Microsoft Threat Intelligence reports that financially motivated actor Storm-0501 has shifted from on‑premises endpoint encryption toward cloud‑native ransomware tactics emphasizing rapid data exfiltration, destruction of backups, and extortion. The actor leverages compromised Entra Connect sync accounts, DCSync, and hybrid‑joined devices to escalate to Global Administrator and gain full Azure control. In cloud environments they abuse Azure operations (listing storage keys, AzCopy exfiltration, snapshot and resource deletions) and create malicious federated domains for persistence and impersonation. Microsoft recommends hardening sync configurations, enforcing phishing‑resistant MFA, enabling Defender for Cloud and storage protections, and applying least‑privilege access controls.

ShadowSilk Campaign Hits Central Asian Governments

🔍 Group-IB links a broad cyber-espionage campaign, active since 2023 and ongoing into mid‑2025, to the ShadowSilk cluster targeting Central Asian and Asia‑Pacific government organizations. The operation, which has compromised at least 35 government victims, primarily seeks data theft and distributes stolen material on dark web forums. ShadowSilk uses phishing with password‑protected archives, commodity web panels such as JRAT and Morf Project, and post‑compromise tools like Cobalt Strike and Metasploit. Researchers found indicators of both Russian‑ and Chinese‑language operators and advise stronger email defenses, strict application control, regular patching and proactive threat hunting.

ShadowSilk Targets 35 Government Entities in APAC Region

🔎 Group-IB attributes a new cluster dubbed ShadowSilk to recent intrusions against 35 government and related organizations across Central Asia and APAC. The operators employ spear-phishing with password-protected archives to deploy a custom loader that conceals command-and-control traffic using Telegram bots and achieves persistence via Windows Registry modifications. Observed tooling includes web shells (ANTSWORD, Behinder, Godzilla, FinalShell), tunneling utilities, Cobalt Strike, and bespoke credential-stealing components used to exfiltrate data.

Joint Advisory: Countering PRC APT Compromise of Networks

🔒 CISA, the NSA, the FBI, and international partners issued a joint advisory describing People’s Republic of China state-sponsored APT actors compromising networks worldwide to support long-term espionage. Investigations through July 2025 reveal these actors exploit vulnerabilities in large backbone provider edge and customer edge routers—often modifying firmware and configurations to evade detection and maintain persistent access. Affected sectors include telecommunications, government, transportation, lodging, and defense. The advisory urges network defenders, especially in high-risk sectors, to actively hunt for intrusions and apply the recommended mitigations.

Citrix Patches NetScaler Zero-Days as Active Exploits Continue

🔒Citrix has released patches for three critical zero-day vulnerabilities in NetScaler ADC and NetScaler Gateway (CVE-2025-7775, CVE-2025-7776, CVE-2025-8424), including pre-auth remote code execution observed in the wild. The vendor provided fixes for affected 14.1, 13.1 and 12.1-FIPS/NDcPP builds and said no workaround is available. Security researchers and CISA urged immediate patching and forensic checks for potential backdoors.

Hook Android Trojan Evolves with Ransomware Features

🛡️Researchers at Zimperium zLabs have detected a new variant of the Hook Android banking Trojan that expands beyond banking fraud to include ransomware-style overlays and advanced surveillance tools. The sample supports 107 remote commands, 38 of which are newly introduced, enabling fake NFC prompts, lock-screen bypasses, transparent gesture-capturing overlays and real-time screen streaming. Operators are distributing malicious APKs via GitHub repositories and continue to exploit Android Accessibility Services for automated fraud and persistent control. Industry observers warn the campaign is global and rapidly escalating, increasing risks to both enterprises and individual users.