All news with #backdoor found tag

Chinese State-Linked RedNovember Targets Global Org

🛰️ Recorded Future has attributed a widespread cyber-espionage cluster to a Chinese state-sponsored actor it has named RedNovember, which overlaps with Microsoft's Storm-2077. From June 2024 to July 2025 the group targeted internet-facing perimeter appliances and used a mix of open-source and commercial tooling — notably Pantegana, Spark RAT and Cobalt Strike — to gain persistent access across government and private-sector networks worldwide. Attacks exploited known CVEs in VPNs, firewalls and other security appliances and leveraged a Go-based loader derived from LESLIELOADER, while administration infrastructure relied on VPN services such as ExpressVPN and Warp.

Malicious npm Package Uses QR Code to Steal Cookies

🔍 A malicious npm package named Fezbox was discovered using QR-code steganography to conceal and deliver a credential-stealing payload. The package fetched a QR image from a remote URL, waited roughly 120 seconds, decoded embedded code and executed it to extract usernames and passwords from browser cookies. Socket's AI-based scanner flagged the behavior; the package, which had at least 327 downloads, was removed after a takedown request to the npm security team.

UNC5221 Deploys BRICKSTORM Backdoor Against US Targets

🛡️ Mandiant and Google’s Threat Intelligence Group report that the China‑nexus cluster UNC5221 has delivered the Go‑based backdoor BRICKSTORM to U.S. legal, SaaS, BPO, and technology organizations, frequently exploiting Ivanti Connect Secure zero‑days. BRICKSTORM uses a WebSocket C2, offers file and command execution, and provides a SOCKS proxy to reach targeted applications. The campaign prioritizes long, stealthy persistence on appliances that lack traditional EDR coverage, enabling lateral movement and access to downstream customer environments.

BRICKSTORM espionage campaign targeting appliances in US

🔒BRICKSTORM is a highly evasive backdoor campaign tracked by GTIG and Mandiant that targets network appliances and virtualization infrastructure to maintain long-term access to US organizations. The actor, tracked as UNC5221, deploys a Go-based malware with SOCKS proxy functionality and uses techniques — including zero‑day exploitation of edge appliances, credential capture via a BRICKSTEAL servlet filter, and VM cloning — to remain undetected for an average of 393 days. GTIG and Mandiant published YARA rules, a scanner, and a focused hunting checklist to help defenders locate infections and harden management interfaces and vSphere deployments.

YiBackdoor Linked to IcedID and Latrodectus Code Overlaps

🔒 Zscaler ThreatLabz disclosed a new malware family named YiBackdoor that shares notable source-code overlaps with IcedID and Latrodectus. First observed in June 2025 with limited deployments, YiBackdoor can execute arbitrary commands, collect system information, capture screenshots, and load encrypted plugins to expand capabilities. It uses anti-analysis checks, injects into svchost.exe, persists via a Run registry entry that invokes regsvr32.exe with a randomized name, and fetches commands from an embedded encrypted configuration over HTTP. Zscaler warns it could be leveraged to gain initial access for follow-on exploitation, including ransomware.

CISA: Federal Agency Breached via GeoServer RCE Incident

🔒 CISA reported that an unnamed federal civilian agency was breached after actors exploited CVE-2024-36401, an RCE in a public-facing GeoServer, on July 11, 2024. The vendor had patched the flaw on June 30 and CISA added it to the KEV catalogue on July 15; a second GeoServer was compromised on July 24. Attackers deployed open-source tools and web shells such as China Chopper, used living-off-the-land and brute-force techniques, and established persistence. CISA highlighted failures in timely patching, incident-response testing, and continuous EDR monitoring.

QR Codes Used to Hide JavaScript Backdoor in npm Package

🔒 A malicious npm package called fezbox was discovered using layered obfuscation and QR-code steganography to conceal credential-stealing logic. Disguised as a benign JavaScript/TypeScript utility, importing the library triggered retrieval and execution of code hidden inside a remote QR image; the payload reads document.cookie and attempts to extract username and password pairs for exfiltration. Socket researchers highlighted a development-environment guard and a 120-second delay as anti-analysis measures; the package has been removed from GitHub and marked malicious.

RainyDay, Turian and PlugX Variant Abuse DLL Hijacking

🛡️ Cisco Talos describes an ongoing campaign in which Naikon-linked actors abused DLL search order hijacking to load multiple backdoors, including RainyDay, a customized PlugX variant and Turian. The report highlights shared loaders that use XOR and RC4 decryption with identical keys and an XOR-RC4-RtlDecompressBuffer unpacking chain. Talos notes the PlugX variant adopts a RainyDay-style configuration and includes embedded keylogging and persistence, with activity observed since 2022 targeting telecom and manufacturing organizations in Central and South Asia. Talos published IOCs and recommended mitigations for detection and prevention.

Nimbus Manticore Intensifies Cyber-Espionage in Europe

🔍 Check Point Research reports that Iranian-linked actor Nimbus Manticore has escalated cyber-espionage operations across Western Europe, with heightened targeting of organizations in Denmark, Sweden and Portugal. Attackers impersonate recruiters and use convincing fake career portals to deliver personalized credentials and malicious archives. The campaign leverages evolved backdoors—first seen as Minibike, now observed as MiniJunk and MiniBrowse—and employs multi-stage DLL sideloading into legitimate Windows binaries, including Microsoft Defender components, alongside valid code-signing certificates and compiler-level obfuscation to evade detection. Infrastructure hosted via Azure App Service and shielded by Cloudflare provides redundancy and rapid command-and-control recovery.

SonicWall SMA100 Firmware Removes OVERSTEP Rootkit

🛡️ SonicWall has released firmware 10.2.2.2-92sv for the SMA 100 series that adds additional file checking and the ability to remove known user‑mode rootkit malware. The update targets the OVERSTEP rootkit observed by Google's GTIG and is recommended for SMA 210, 410, and 500v customers. SonicWall urges immediate upgrade and adherence to earlier mitigations, including credential resets and forensic review.

BadIIS SEO-Poisoning Campaign Targets Vietnam Servers

🔍 Palo Alto Networks Unit 42 is tracking an SEO poisoning campaign dubbed Operation Rewrite that employs a native IIS implant called BadIIS. The module inspects User-Agent strings, identifies search engine crawlers, and fetches poisoned content from a remote C2 to inject keywords and links so compromised sites artificially rank for targeted queries. Unit 42 observed multiple tooling variants — lightweight ASP.NET handlers, a managed .NET IIS module, and an all‑in‑one PHP script — and reports a focus on East and Southeast Asia, particularly Vietnam.

Fake macOS apps on GitHub spread Atomic (AMOS) malware

⚠️ LastPass warns of a macOS campaign that uses fraudulent GitHub repositories to impersonate popular apps and trick users into running Terminal commands. The fake installers deliver the Atomic (AMOS) info‑stealer via a ClickFix workflow: a curl command decodes a base64 URL and downloads an install.sh payload to /tmp. Attackers rely on SEO and many disposable accounts to evade takedowns and boost search rankings. Users should only install macOS software from official vendor sites and avoid pasting unknown commands into Terminal.

Nimbus Manticore Expands into Europe Targeting Defense

🛡️ Check Point Research reports that Iranian-linked threat actor Nimbus Manticore is expanding operations into Europe, focusing on the defense, telecom and aerospace sectors. The group uses fake job portals and targeted spear‑phishing to deliver malicious files disguised as hiring materials while impersonating prominent aerospace firms. Evolving toolsets such as MiniJunk and MiniBrowse enable stealthy data theft and persistent access, consistent with intelligence-collection objectives linked to IRGC priorities.

Verified Steam Game Drains Streamer's Crypto Donations

🔴 A gamer seeking funds for stage 4 sarcoma lost roughly $32,000 after downloading a verified Steam title, Block Blasters, which had a cryptodrainer component added on August 30. The free-to-play game, published by Genesis Interactive and available on Steam from July 30 to September 21, had positive reviews before turning malicious during a live fundraiser by streamer RastalandTV. Investigators identified batch droppers, a Python backdoor and a StealC payload; victims are advised to reset Steam passwords and move digital assets to new wallets.

DPRK Hackers Use ClickFix to Deliver BeaverTail Malware

🛡️ GitLab Threat Intelligence observed DPRK-linked operators using ClickFix-style hiring lures to deliver the JavaScript stealer BeaverTail and its Python backdoor InvisibleFerret. The late-May 2025 wave targeted marketing and cryptocurrency trader roles via a fake Vercel-hosted hiring site that tricks victims into running OS-specific commands. Attackers deployed compiled BeaverTail binaries (pkg/PyInstaller) and used a password-protected archive to stage Python dependencies, suggesting tactical refinement and expanded targeting.

Iran-linked UNC1549 Compromises 34 Devices in Telecoms

🔒 PRODAFT links a recruitment-themed espionage campaign to an Iran-affiliated cluster tracked as Subtle Snail and attributed to UNC1549 (aka TA455), reporting infiltration of 34 devices across 11 telecommunications organizations in Canada, France, the UAE, the UK and the US. Operators posed as HR recruiters on LinkedIn and delivered a ZIP-based dropper that uses DLL side-loading to install the modular backdoor MINIBIKE, which harvests credentials, browser data, screenshots, keystrokes and system details. MINIBIKE communicates with C2 infrastructure proxied through Azure services, employs anti-analysis measures and achieves persistence via registry modifications to enable long-term access and data exfiltration.

SystemBC Powers REM Proxy, Compromising ~1,500 VPS

🛡️ Lumen Technologies' Black Lotus Labs reports that SystemBC, a C-based SOCKS5 proxy malware, powers roughly 80% of the REM Proxy network and averages about 1,500 compromised hosts per day. The botnet operates through more than 80 C2 servers and mainly targets VPS instances from major commercial providers, often via dropped shell scripts that install the proxy implant. REM Proxy also advertises pools of compromised Mikrotik routers and open proxies and has been used by actors tied to TransferLoader and the Morpheus ransomware group.

Gamaredon and Turla Collaborate in Attacks on Ukraine

🕵️ ESET researchers report that Russian state-linked groups Gamaredon and Turla collaborated in 2025 campaigns targeting high-value Ukrainian defense systems. In February, investigators observed Turla issuing commands via Gamaredon implants and Gamaredon's PteroGraphin downloader being used to restart Turla's Kazuar backdoor. Kazuar harvested machine metadata while Gamaredon later deployed Kazuar v2 installers in April and June. ESET assesses with high confidence that the interactions reflect a deliberate operational convergence.

Gamaredon and Turla Collaboration Targets Ukraine in 2025

🚨 ESET Research reports the first observed collaboration between Gamaredon and Turla in Ukraine, with telemetry from February to June 2025 showing Gamaredon tools used to deliver and restart Turla’s Kazuar implants. ESET assesses with high confidence that Gamaredon provided initial access and delivery channels while Turla selectively deployed advanced Kazuar implants on higher‑value hosts. The analysis details multiple infection chains involving PteroGraphin, PteroOdd and PteroPaste, and includes technical indicators and remediation guidance.

Gamaredon and Turla Collaborate to Deploy Kazuar Backdoor

🔒ESET researchers observed tools from Russian-linked groups Gamaredon and Turla cooperating to deploy the .NET-based Kazuar backdoor on multiple Ukrainian endpoints in early 2025. Gamaredon delivered PowerShell downloaders — PteroGraphin, PteroOdd and PteroPaste — which retrieved Kazuar payloads via Telegraph, Cloudflare Workers domains and direct IP hosting. Analysts assess with high confidence that Gamaredon provided initial access while Turla leveraged the access for espionage, primarily targeting Ukrainian defense-sector assets.