All news with #backdoor found tag

Russian-Origin Threat Actors Target Ukrainian Organizations

🔴 Symantec and Carbon Black reported a Russian-origin campaign that targeted a large business services firm and a local government entity in Ukraine, relying on web shells and living-off-the-land techniques to reduce detection. Early activity began on June 27, 2025 with deployment of the LocalOlive web shell, PowerShell exclusions, scheduled memory dumps and credential-theft attempts. Operators used dual-use tools (OpenSSH, RDP changes, winbox64.exe), PowerShell backdoors and native Windows utilities to maintain persistence while minimizing custom malware use. Researchers noted strong Windows tradecraft but could not conclusively attribute the intrusions to a named Russian group.

BlueNoroff Returns with GhostCall and GhostHire Campaigns

🚨 BlueNoroff, a North Korea–linked subgroup of the Lazarus Group, has reemerged with two focused campaigns—GhostCall and GhostHire—targeting executives, Web3 developers and blockchain professionals. Operators use social engineering on Telegram and LinkedIn to stage fake investor meetings and recruiter coding tests, then deliver multi-stage, cross-platform malware. Samples were found written in Go, Rust, Nim and AppleScript and deploy implants such as DownTroy, CosmicDoor and Rootroy to harvest crypto keys, credentials and project assets.

Atroposia RAT Emerges on Dark Web with Modular Toolset

🔍 Security researchers at Varonis identified a modular remote access trojan named Atroposia, first seen on October 15 and promoted on underground forums. The toolkit includes encrypted C2 channels, hidden remote desktop takeover (HRDP Connect), credential and cryptocurrency wallet theft, DNS hijacking, vulnerability scanning and robust persistence. It is offered via subscription tiers and can be combined with services like SpamGPT and MatrixPDF to automate phishing and delivery. Recommended defenses include phishing reduction, timely patching, MFA enforcement and monitoring for post-compromise activity.

Atroposia RAT Kit Lowers Barrier for Cybercriminals

⚠️ Researchers at Varonis have identified a turnkey remote access trojan called Atroposia, marketed on underground forums with subscription tiers starting at $200 per month. The kit combines advanced features — hidden remote desktop takeover, encrypted C2 channels, UAC bypass for persistence, an integrated vulnerability scanner, clipboard capture, DNS hijacking and bulk exfiltration — into a low‑skill, plug‑and‑play package. Enterprises should prioritize behavioral monitoring, rapid containment, multi‑factor authentication, restricted admin access and rigorous patching to detect and mitigate attacks enabled by such commoditized toolsets.

Researchers Expose GhostCall and GhostHire Campaigns

🔍 Kaspersky details two tied campaigns, GhostCall and GhostHire, that target Web3 and blockchain professionals worldwide and emphasize macOS-focused infection chains and social-engineering lures. The attacks deploy a range of payloads — DownTroy, CosmicDoor, RooTroy and others — to harvest secrets, escalate access, and persist. Guidance stresses user vigilance, strict dependency vetting, and centralized secrets management. Kaspersky links the activity to the BlueNoroff/Lazarus cluster and notes the actor has increasingly used generative AI to craft imagery and accelerate malware development.

Atroposia RAT Adds Local Vulnerability Scanner, UAC Bypass

🛡️ Atroposia is a new malware-as-a-service platform offering a modular remote access trojan for a $200 monthly subscription, combining persistent access, stealthy remote desktop, data theft, and a built-in local vulnerability scanner. Researchers at Varonis say the RAT can bypass UAC, perform host-level DNS hijacks, capture credentials and clipboard data, and compress and exfiltrate targeted files with minimal traces. Its vulnerability-audit plugin identifies missing patches and outdated software so attackers can prioritize exploits, making it particularly dangerous in corporate environments. Users should download only from official sources, avoid pirated software and torrents, and refrain from executing unfamiliar commands found online.

Chrome zero-day exploited to deliver LeetAgent spyware

⚠️ Kaspersky reports a patched Google Chrome zero-day (CVE-2025-2783) was exploited to deploy a newly documented spyware called LeetAgent linked to Italian firm Memento Labs. The operation used personalized, short‑lived phishing links to a Primakov Readings lure that triggered a sandbox escape in Chromium browsers and dropped a loader to launch the implant. Targets included media, universities, research centers, government and financial organizations in Russia and Belarus.

Weekly Cyber Recap: WSUS Exploited and LockBit 5.0 Surge

⚠️ Microsoft released an out-of-band patch for a critical WSUS remote code execution (CVE-2025-59287) after researchers observed active exploitation that drops a .NET executable and Base64 PowerShell payloads. LockBit has resurfaced with a new multi-platform 5.0 variant claiming victims, while a modified Telegram Android app distributing the Baohuo backdoor has infected tens of thousands of devices. Reporting also shows the F5 breach began in late 2023 and has since widened, underscoring the need for urgent patching and threat hunting.

Agenda (Qilin) weaponizes Linux binaries against Windows

🛡️ Trend Micro reports that the Agenda (Qilin) ransomware group is running a Linux-based encryptor on Windows hosts to evade Windows-only detections. The actors abused legitimate RMM and file-transfer tools — including ScreenConnect, Splashtop, Veeam, and ATERA — to maintain persistence, move laterally, and execute payloads. They combined social engineering, credential theft, SOCKS proxy injection, and BYOVD driver tampering to disable EDR and compromise backups, impacting more than 700 victims since January 2025.

Qilin Ransomware Employs Linux Payloads and BYOVD Tactics

🔒 Qilin (aka Agenda, Gold Feather, Water Galura) has sharply increased operations in 2025, claiming dozens of victims monthly and peaking at 100 leak-site postings in June. Cisco Talos and Trend Micro analyses show affiliates gain initial access via leaked admin credentials, VPN interfaces and RDP, then harvest credentials with tools like Mimikatz and SharpDecryptPwd. Attackers combine legitimate remote-management software (for example AnyDesk, ScreenConnect, Splashtop) with a BYOVD vulnerable driver to disable defenses, exfiltrate data, and deploy a Linux ransomware binary on Windows systems before encrypting files and removing backups.

APT36 Targets Indian Government with Golang DeskRAT

🔐 Sekoia observed Transparent Tribe (APT36) conducting spear-phishing campaigns in Aug–Sep 2025 that deliver a Golang remote access trojan dubbed DeskRAT. The attacks use ZIP attachments containing malicious .desktop files that display a decoy PDF while executing the payload, specifically targeting BOSS Linux systems. DeskRAT establishes WebSocket C2, supports multiple persistence mechanisms, and includes modules for harvesting and exfiltrating WhatsApp and Chrome data. Researchers also reported the use of "stealth servers" and a shift from cloud-hosted distribution to dedicated staging infrastructure.

PhantomCaptcha spear-phishing targets NGOs and regions

🔒SentinelOne reported a one-day spear-phishing campaign on October 8 that targeted aid organisations and Ukrainian regional administrations. The operation, named PhantomCaptcha, delivered a WebSocket RAT hosted on Russian-owned infrastructure and used weaponized PDFs and a fake Cloudflare CAPTCHA to trick victims into executing PowerShell. The multi-stage chain enabled data exfiltration, persistent remote access and potential deployment of additional malware.

Lazarus Targets European Drone Makers in Espionage

📡 ESET researchers have uncovered a new Lazarus Group espionage campaign targeting European defense contractors, with a focus on companies involved in unmanned aerial vehicle (UAV) development since March 2025. The attackers used spear-phishing with fake job offers and trojanized open-source tools such as WinMerge and Notepad++ to deliver loaders and the custom RAT ScoringMathTea. The intrusion chain relied on DLL side-loading, reflective loading, and process injection to maintain persistence and exfiltrate design and supply-chain data. ESET has published IoCs and MITRE ATT&CK mappings to help defenders respond.

GlassWorm self-spreading worm targets VS Code extensions

🪲 Researchers have uncovered GlassWorm, a self-propagating worm that spreads through Visual Studio Code extensions on the Open VSX Registry and the Microsoft Extension Marketplace. First seen on October 17, 2025, the campaign uses the Solana blockchain for resilient command-and-control with Google Calendar as a fallback and hides malicious code using invisible Unicode variation selectors. Infected extensions harvest developer credentials, drain cryptocurrency wallets, install SOCKS proxies and hidden VNC servers, and deliver a JavaScript payload named Zombi to escalate and propagate.

Pakistan-linked APT36 deploys DeskRAT against BOSS Linux

🔍 Sekoia.io researchers uncovered a cyber-espionage campaign, beginning June 2025, that targets Indian government Linux systems using a new Golang RAT named DeskRAT. The operation primarily abused the Indian government‑endorsed BOSS Linux distribution via phishing ZIPs that executed Bash downloaders and displayed decoy PDFs. Attackers used dedicated staging servers and a new operator dashboard to manage victims and exfiltrate files.

Lazarus Group's Operation DreamJob Hits EU Drone Firms

🛡️ ESET attributes a March 2025 wave of cyber-espionage against three European defense firms to the North Korea-aligned Lazarus Group, describing it as a renewed phase of Operation DreamJob. Targets tied to UAV development were lured with convincing fake job offers that delivered trojanized PDF readers and chained loaders. The primary payload, ScoringMathTea, is a remote access Trojan that provides attackers full control, and researchers found malicious components disguised as legitimate open-source tools.

Microsoft Blocks Ransomware Campaign Targeting Teams Users

🛡️ Microsoft said it disrupted a ransomware campaign that used fake Teams installers to deliver a backdoor and prepare for encryption operations. Attackers lured victims with impersonated MSTeamsSetup.exe files hosted on malicious domains, which installed a loader and a fraudulently signed Oyster backdoor. The group identified as Vanilla Tempest intended to follow with Rhysida ransomware. Microsoft revoked over 200 fraudulent code-signing certificates and says a fully enabled Defender Antivirus will block the threat.

Lazarus Operation DreamJob Targets European Defense

🔍 North Korean-linked Lazarus actors ran an Operation DreamJob campaign in late March that targeted three European defense companies involved in UAV technology. Using fake recruitment lures, victims were tricked into installing trojanized open-source applications and plugins which loaded malicious payloads via DLL sideloading. Final-stage malware included the ScoringMathTea RAT, while an alternate chain used the BinMergeLoader (MISTPEN) to abuse Microsoft Graph API tokens. ESET published extensive IoCs to aid detection.

Lazarus Targets UAV Sector with Operation DreamJob

🛩️ ESET researchers observed a renewed Operation DreamJob campaign that targeted European defense and UAV-related companies and has been linked to the North Korea-aligned Lazarus group. Attackers used social-engineering lures and trojanized open-source projects on GitHub to deliver loaders and the ScoringMathTea RAT. Techniques included DLL side-loading, reflective in-memory loading and encrypted C2 channels. The apparent objective was theft of proprietary UAV designs and manufacturing know-how.

Iranian MuddyWater Targets 100+ Governments with Phoenix

⚠ State-sponsored Iranian group MuddyWater deployed version 4 of the Phoenix backdoor against more than 100 government and diplomatic entities across the Middle East and North Africa. The campaign began on August 19 with phishing sent from a NordVPN-compromised account and used malicious Word macros to drop a FakeUpdate loader that writes C:\ProgramData\sysprocupdate.exe. Researchers observed Phoenix v4 using AES-encrypted embedded payloads, COM-based persistence, WinHTTP C2 communications and an accompanying Chrome infostealer, while server-side C2 was taken offline on August 24, suggesting a shift in operational tooling.