All news with #backdoor found tag

Resurgence of Mirai-Based IoT Malware: Gayfemboy Campaign

🛡️ FortiGuard Labs reports the resurgence of a Mirai-derived IoT malware family, publicly known as “Gayfemboy,” which reappeared in July 2025 targeting vulnerabilities in DrayTek, TP-Link, Raisecom, and Cisco devices. The campaign delivers UPX-packed payloads via predictable downloader scripts named for product families and uses a modified UPX header and architecture-specific filenames to evade detection. At runtime the malware enumerates processes, kills competitors, implements DDoS and backdoor modules, and resolves C2 domains through public DNS resolvers to bypass local filtering. FortiGuard provides AV detections, IPS signatures, and web-filtering blocks; organizations should patch and apply network defenses immediately.

Chinese Groups Escalate Cloud and Telecom Espionage

🛡️ CrowdStrike warns that China-linked groups Murky Panda, Genesis Panda, and Glacial Panda have intensified cloud and telecommunications espionage, abusing trusted cloud relationships and internet-facing appliances to gain access. The actors exploit N-day and zero-day flaws, deploy web shells, and steal cloud credentials to establish persistence with tools such as CloudedHope. Targets include government, technology, financial, and telecom sectors, with operations tailored to covert intelligence collection and long-term access.

ClickFix Campaign Delivers CORNFLAKE.V3 Backdoor via Web

🛡️ Mandiant observed a campaign using the ClickFix social‑engineering lure to trick victims into copying and running PowerShell commands via the Windows Run dialog, yielding initial access tracked as UNC5518. That access is monetized and used by other groups to deploy a versatile backdoor, CORNFLAKE.V3, in PHP and JavaScript forms. CORNFLAKE.V3 supports HTTP-based payload execution, Cloudflare-tunneled proxying and registry persistence; researchers recommend disabling Run where possible, tightening PowerShell policies and increasing logging and user training to mitigate the risk.

MURKY PANDA: Trusted-Relationship Cloud Threats and TTPs

🔒 Since late 2024 CrowdStrike's Counter Adversary Operations has tracked MURKY PANDA, a China‑nexus actor targeting government, technology, academic, legal and professional services in North America. The group exploits internet‑facing appliances, rapidly weaponizes n‑day and zero‑day flaws, and deploys web shells (including Neo‑reGeorg) and the Golang RAT CloudedHope. CrowdStrike recommends auditing Entra ID service principals and activity, enabling Microsoft Graph logging, hunting for anomalous service principal sign‑ins, prioritizing patching of cloud and edge devices, and leveraging Falcon detection and SIEM capabilities.

Static Tundra: Russian State Actor Targets Cisco Devices

🔒 Cisco Talos identifies the threat cluster Static Tundra as a long-running, Russian state-sponsored actor that compromises unpatched and end-of-life Cisco networking devices to support espionage operations. The group aggressively exploits CVE-2018-0171 and leverages weak SNMP community strings to enable local TFTP retrieval of startup and running configurations, often exposing credentials and monitoring data. Talos also observed persistent firmware implants, notably SYNful Knock, and recommends immediate patching or disabling Smart Install, strengthening authentication, and implementing configuration auditing and network monitoring to detect exfiltration and implanted code.

Dissecting PipeMagic: Architecture of a Modular Backdoor

🔍 Microsoft Threat Intelligence details PipeMagic, a modular backdoor used by Storm-2460 that masquerades as an open-source ChatGPT Desktop Application. The malware is deployed via an in-memory MSBuild dropper and leverages named pipes and doubly linked lists to stage, self-update, and execute encrypted payload modules delivered from a TCP C2. Analysts observed exploitation of CVE-2025-29824 for privilege escalation followed by ransomware deployment, with victims across IT, finance, and real estate in multiple regions. The report includes selected IoCs, Defender detections, and mitigation guidance to help defenders detect and respond.

UAT-7237 Targets Taiwanese Web Hosting Infrastructure

🔍 Cisco Talos describes UAT-7237, a Chinese‑speaking APT active since 2022 that compromised a Taiwanese web hosting provider to establish long‑term persistence. The actor relies largely on open‑source tooling, customized utilities and a tailored shellcode loader tracked as SoundBill, which can decode and execute Cobalt Strike beacons. UAT-7237 favors SoftEther VPN and RDP for access rather than mass web‑shell deployment. Talos provides IOCs and mitigation guidance for detection and blocking.

Malvertising Campaign Delivers PS1Bot Multi-Stage Malware

🔍 Cisco Talos reports an active malvertising campaign delivering a multi-stage PowerShell/C# malware framework dubbed PS1Bot. The modular framework executes modules in-memory to minimize artifacts and supports information theft, keylogging, screenshot capture and cryptocurrency wallet exfiltration. Delivery begins with SEO-poisoning archives containing a downloader that writes a polling PowerShell script to C:\ProgramData and executes received code with Invoke-Expression.

Full PowerShell RAT Campaign Targets Israeli Organizations

🔒 The FortiMail Workspace Security team uncovered a targeted intrusion campaign that abused compromised internal email to deliver a multi-stage, fully PowerShell-based Remote Access Trojan targeting Israeli organizations. Phishing links redirected users to a spoofed Microsoft Teams page that instructed victims to press Windows+R, paste an obfuscated Base64 loader, and execute a PowerShell IEX fetch from a hard-coded C2 (hxxps[:]//pharmacynod[.]com), which in turn staged scripts and a compressed, in-memory RAT. The operation uses layered obfuscation, native Windows APIs, and living-off-the-land techniques to enable remote access, surveillance, persistence, lateral movement, and data exfiltration; Fortinet protections detect and block this activity.

ReVault: Deep Analysis of Dell ControlVault3 Firmware

🔒 This deep-dive by Philippe Laulheret (Talos) dissects Dell's ControlVault3 ecosystem, exposing firmware decryption, memory-corruption flaws, and exploit chains that cross the device/host boundary. The researchers recovered hardcoded keys, reverse-engineered the SCD/SMAU update mechanism, and achieved arbitrary code execution in firmware, enabling persistence and a demonstrated Windows Hello bypass. Practical attacks include forging SCD blobs, backdooring firmware to escalate to SYSTEM, and physically extracting the USH board over USB for rapid compromise.

Project AK47 Linked to SharePoint ToolShell Exploits

🔍Unit 42 links a modular malware suite dubbed Project AK47 to SharePoint exploitation activity observed alongside Microsoft’s ToolShell reporting. The toolset includes a dual-protocol backdoor (AK47C2 with dnsclient and httpclient), a ransomware family (AK47 / X2ANYLOCK), and DLL side‑loading loaders. Analysts found high-confidence overlaps with Microsoft’s Storm-2603 indicators, evidence of LockBit 3.0 artifacts in an evidence archive, and a matching Tox ID on a Warlock leak site. Recommended actions include applying patches for the referenced SharePoint CVEs and enabling updated protections from endpoint, URL, and DNS defenses.

ToolShell SharePoint Zero-Days Exploited in the Wild

🔒 Microsoft and ESET reported active exploitation of a SharePoint Server vulnerability cluster called ToolShell, comprising CVE-2025-53770 (remote code execution) and CVE-2025-53771 (server spoofing). Attacks began on July 17, 2025, and target on-prem SharePoint Subscription Edition, SharePoint 2019 and SharePoint 2016; SharePoint Online is not affected. Operators deployed webshells — notably spinstall0.aspx (detected as MSIL/Webshell.JS) and several ghostfile*.aspx samples — to bypass MFA/SSO, exfiltrate data and move laterally across integrated Microsoft services. Microsoft and ESET confirmed patches were released on July 22, and ESET published IoCs and telemetry to assist defenders.

Unmasking AsyncRAT: Mapping Forks and Variants in the Wild

🛡️ ESET Research reviews the sprawling ecosystem of AsyncRAT, an open-source C# remote access trojan first published in 2019, and the many forks that have proliferated since. The post maps major families—most notably DcRat and VenomRAT—and outlines rapid identification techniques based on client configuration, embedded certificates, and behavior. It highlights uncommon plugins (USB spreaders, screamers, clipboard clippers, distributed brute modules) and stresses evolving obfuscation and evasion tactics.

ESET APT Activity Report - Q4 2024 to Q1 2025 Overview

🔍 The latest ESET APT Activity report and podcast episode summarize intrusion activity observed across Q4 2024–Q1 2025, highlighting persistent and evolving adversary techniques. ESET researchers spotlight China-aligned actors such as UnsolicitedBooker, which repeatedly targeted the same organization with the MarsSnake backdoor, and tool-sharing trends centered on groups like Worok. The report also covers Russia-aligned operations — Sednit’s expanded Operation RoundPress against webmail platforms, ongoing Gamaredon obfuscation in Ukraine, and Sandworm’s use of the ZEROLOT wiper — plus activity from other regional actors that complicate attribution and detection.

Fake Reservation Links Target Travel and Hospitality Industry

✈️ A longtime threat group tracked as TA558 has resumed phishing campaigns that spoof hotel or reservation notices to lure travelers into downloading malware. Campaigns increasingly deliver ISO and RAR container files via URLs that, when decompressed, execute batch scripts and PowerShell helpers to fetch RATs such as AsyncRAT. TA558 has shifted from macro-laden Office documents to containerized attachments after Microsoft limited macros. Travel organizations and customers should be wary of unexpected reservation emails and avoid opening unknown archives.