All news with #backdoor found tag

Iran-Linked MuddyWater Targets 100+ Organisations Globally

🔒 Group-IB links a broad espionage campaign to Iran-aligned MuddyWater that leveraged a compromised email account accessed via NordVPN to send convincing phishing messages. The actor distributed weaponized Microsoft Word documents that coax recipients to enable macros, which execute VBA droppers that write and decode a FakeUpdate loader. FakeUpdate installs an AES-encrypted payload that launches the Phoenix v4 backdoor. Targets exceeded 100 organisations across the MENA region, predominantly diplomatic and government entities.

PhantomCaptcha Phishing Targets Ukraine Aid Groups

🕵️ SentinelOne describes a coordinated spear-phishing campaign named PhantomCaptcha that used booby-trapped PDFs and a fake Zoom site to deliver a WebSocket-based remote access trojan (RAT). The October 8, 2025 operation targeted members of humanitarian and government organizations connected to Ukraine, including Red Cross, UNICEF Ukraine, and several regional administrations. Victims were lured to a ClickFix-style fake Cloudflare CAPTCHA that prompted a malicious PowerShell command, which fetched an obfuscated downloader and a second-stage payload. The final WebSocket RAT connects to wss://bsnowcommunications[.]com:80 and enables remote command execution, data exfiltration, and further malware deployment.

MuddyWater Exploits Compromised Mailboxes in Global Phishing

🔒 Researchers have uncovered a global phishing campaign that used compromised mailboxes to deliver malicious Microsoft Word attachments, attributed with high confidence to the Iran-linked actor MuddyWater by Group-IB. The operation abused a NordVPN-accessed mailbox to send trusted-looking messages that prompted users to enable macros, which then installed the Phoenix v4 backdoor. Investigators also found RMM tools (PDQ, Action1, ScreenConnect) and a Chromium_Stealer credential stealer, while infrastructure traced to the domain screenai[.]online and an IP tied to NameCheap-hosted services.

Russian ColdRiver Hackers Use Fake CAPTCHA to Deploy Malware

⚠️ Google Cloud’s Threat Intelligence Group attributes a new campaign to Russian state-linked ColdRiver actors who are using fake “I am not a robot” CAPTCHA pages to deliver espionage malware, including NOROBOT, YESROBOT, and MAYBEROBOT. The attackers use a ClickFix social-engineering chain and multi-stage, encrypted payloads with split cryptographic keys to evade detection and rebuild tooling rapidly after exposure. Organizations are urged to emphasize behavioral monitoring, EDR/NDR telemetry, and simulated interactive-phishing tests to detect these user-assisted intrusions.

ToolShell SharePoint Exploit Hits Organizations Worldwide

⚠️ Symantec reports that hackers linked to China exploited the ToolShell vulnerability (CVE-2025-53770) in on-premise Microsoft SharePoint servers to target government agencies, universities, telecommunications providers, and financial firms across four continents. The zero-day, disclosed on July 20, was used to plant webshells and enable remote code execution. Attackers deployed DLL side-loading to load a Go backdoor named Zingdoor, later chained to ShadowPad, KrustyLoader, and the Sliver framework, and performed credential dumping and PetitPotam abuse to escalate to domain compromise.

PassiveNeuron APT Uses Neursite and NeuralExecutor

🧠 Kaspersky researchers have identified a sophisticated cyber-espionage campaign dubbed PassiveNeuron that has targeted government, financial, and industrial organizations across Asia, Africa, and Latin America since late 2024. The operation uses bespoke implants—Neursite (a C++ modular backdoor) and NeuralExecutor (a .NET loader)—alongside Cobalt Strike, leveraging compromised internal servers as intermediate C2s and a plugin architecture to maintain persistence and adapt tooling. Victims include internet-exposed servers; attackers have used SQL-based remote command execution, attempted ASPX web shells, deployed DLL loaders into the System32 directory, and in 2025 adopted a GitHub-based dead-drop resolver to retrieve C2 addresses.

Self-Propagating GlassWorm Targets VS Code Marketplaces

🪲 Researchers at Koi Security have uncovered GlassWorm, a sophisticated self-propagating malware campaign affecting extensions in the OpenVSX and Microsoft VS Code marketplaces. The worm hides executable payloads using Unicode variation selectors, harvests NPM, GitHub and Git credentials, drains 49 cryptocurrency wallets, and deploys SOCKS proxies and hidden VNC servers on developer machines. CISOs are urged to treat this as an immediate incident: inventory VS Code usage, monitor for anomalous outbound connections and long-lived SOCKS/VNC processes, rotate exposed credentials, and block untrusted extension registries.

Russian Star Blizzard shifts to 'Robot' malware families

🔐 The Russian state-backed Star Blizzard group (aka ColdRiver/UNC4057) has shifted to modular, evolving malware families — NOROBOT, YESROBOT, and MAYBEROBOT — delivered through deceptive ClickFix pages that coerce victims into executing a fake "I am not a robot" CAPTCHA. NOROBOT is a malicious DLL executed via rundll32 that establishes persistence through registry changes and scheduled tasks, stages components (including a Windows Python 3.8 install), and, after iteration, primarily delivers a PowerShell backdoor. Google Threat Intelligence Group and Zscaler observed the transition from May through September and reported that ColdRiver abandoned the previously exposed LostKeys tooling shortly after disclosure. GTIG has published IoCs and YARA rules to help defenders detect these campaigns.

Coldriver Deploys New 'NoRobot' Malware Suite, 2025

🛡️ Google Threat Intelligence Group (GTIG) has observed the Russian-linked Coldriver group deploying a new, staged malware ecosystem tracked as NoRobot, YesRobot and MaybeRobot. GTIG's October 20, 2025 report shows the campaign replaces the previously disclosed LostKeys strain and begins with a 'ClickFix-style' ColdCopy phishing lure that tricks victims into running a malicious DLL via rundll32.exe. NoRobot functions as a downloader using split-key cryptography and staged payloads; operators briefly used a Python-based backdoor (YesRobot) before switching to a more flexible PowerShell backdoor (MaybeRobot) to reduce detection.

Google: Three New COLDRIVER Malware Families Identified

🔍 Google Threat Intelligence Group (GTIG) reports three new malware families — NOROBOT, YESROBOT, and MAYBEROBOT — linked to the Russia-attributed COLDRIVER group following public disclosure of LOSTKEYS. The attacks use ClickFix-style HTML lures and fake CAPTCHA prompts to trick users into running malicious PowerShell via the Windows Run dialog. NOROBOT functions as a loader invoked by rundll32.exe, while YESROBOT acted as a brief HTTPS-based Python backdoor and MAYBEROBOT is a more extensible PowerShell implant targeting high-value victims.

Snappybee, Citrix Flaw Used to Breach European Telecom

🔒 A European telecommunications organization was targeted in the first week of July 2025, according to Darktrace, with a threat actor linked to the China-associated group Salt Typhoon gaining initial access via a vulnerable Citrix NetScaler Gateway. The intruders pivoted to Citrix VDA hosts in an MCS subnet and used SoftEther VPN to mask their origin. They deployed Snappybee (aka Deed RAT) via DLL side-loading alongside legitimate antivirus executables; the backdoor called home to aar.gandhibludtric[.]com. Darktrace says the activity was detected and remediated before significant escalation.

New Russian COLDRIVER Malware: NOROBOT and ROBOTs Variants

🤖 Google Threat Intelligence Group (GTIG) attributes a rapid malware retooling to the Russia-aligned COLDRIVER group after the May 2025 LOSTKEYS disclosure. The campaign uses a COLDCOPY “ClickFix” lure that coerces users to run a malicious DLL via rundll32; the DLL family is tracked as NOROBOT. Early NOROBOT variants fetched a noisy Python backdoor named YESROBOT, which was quickly replaced by a lighter, extensible PowerShell backdoor called MAYBEROBOT. GTIG published IOCs, YARA rules, and protective measures including Safe Browsing coverage and targeted alerts.

Salt Typhoon Exploits Citrix NetScaler in Global Attacks

🔒In a global intrusion tracked by Darktrace, the China-linked group Salt Typhoon exploited a Citrix NetScaler Gateway vulnerability to gain access and maintain persistence. Attackers employed DLL sideloading to deploy the SNAPPYBEE (Deed RAT) backdoor alongside legitimate antivirus executables, then moved laterally to Citrix Virtual Delivery Agent hosts while obscuring origin via SoftEther VPN infrastructure. C2 channels used HTTP (with Internet Explorer user-agent headers and URIs like "/17ABE7F017ABE7F0") and unidentified TCP protocols; the domain aar.gandhibludtric[.]com has prior links to the group. Darktrace emphasised the need for anomaly-based behavioural detection to surface such stealthy activity early.

Microsoft Revokes 200+ Fraudulent Code-Signing Certificates

🔒 Microsoft Threat Intelligence has revoked more than 200 code-signing certificates that were fraudulently used to sign counterfeit Microsoft Teams installers delivering a persistent backdoor and ransomware. The campaign, tracked as Vanilla Tempest (also known as Vice Spider/Vice Society), employed SEO poisoning and malvertising to lure users to spoofed download sites hosting fake MSTeamsSetup.exe files that deployed the Oyster backdoor and ultimately Rhysida ransomware. Microsoft says the actor abused Trusted Signing and services such as SSL.com, DigiCert and GlobalSign to sign malicious binaries. A fully enabled Microsoft Defender Antivirus detects and blocks these threats, and Microsoft provides guidance through Microsoft Defender for Endpoint for mitigation and investigation.

UK Weighed Destroying Data Hub After Decade-Long Intrusion

🔐 British officials briefly considered physically destroying a government data hub after uncovering a decade-long intrusion attributed to China-aligned actors. The breach reportedly exposed official-sensitive and secret material on government servers, though no top secret data was taken. Rather than demolish the facility, the government implemented alternative protections and commissioned a classified review. Cybersecurity experts say the episode underscores the critical need to secure supply chains and hunt long-term APT presence.

North Korean Actors Abuse Blockchains for Malware Delivery

🛡️ Google Threat Intelligence Group (GTIG) reports that North Korean-linked UNC5342 is using a method called EtherHiding to deliver malware and facilitate cryptocurrency theft by embedding encrypted payloads in smart contracts on Ethereum and BNB Smart Chain. The technique turns immutable contracts into resilient, hard-to-takedown command-and-control infrastructure. Initial lures include fake recruiter messages, poisoned npm packages and malicious GitHub repositories; a JavaScript downloader named JADESNOW fetches and decrypts subsequent backdoors such as INVISIBLEFERRET.

North Korean Hackers Use EtherHiding to Steal Crypto

⚠️ Google Threat Intelligence Group has linked a North Korean threat actor to EtherHiding, a technique that embeds malicious JavaScript inside smart contracts so the blockchain functions as a resilient command-and-control server. Tracked as UNC5342, the actor used EtherHiding within an elaborate social-engineering campaign to deliver JADESNOW and a JavaScript variant of INVISIBLEFERRET, leading to multiple cryptocurrency heists. The campaign targets developers via fake recruiters and deceptive coding tests on Telegram and Discord.

Zero Disco: Fileless Rootkits Target Legacy Cisco Switches

⚠️Threat actors exploited a Cisco SNMP vulnerability (CVE-2025-20352) to achieve remote code execution on legacy IOS XE switches and install custom, largely fileless Linux rootkits that hook into the IOSd memory space, set universal passwords (including one containing 'Disco'), and hide processes and network activity. The rootkits spawn a UDP-based controller to toggle or zero logs, bypass access controls, and reset running-config timestamps to mask changes. Trend Micro also observed spoofed IP/MAC addresses and attempts to combine a retooled Telnet memory-access exploit to deepen persistence.

Microsoft Revokes 200+ Fraudulent Code-Signing Certificates

🔒 Microsoft disclosed it revoked more than 200 certificates after a threat actor tracked as Vanilla Tempest used them to fraudulently sign malicious binaries, including fake Microsoft Teams installers that delivered the Oyster backdoor and led to Rhysida ransomware deployments. The activity was detected in late September 2025 and disrupted earlier this month, and Microsoft has updated security solutions to flag the associated signatures. The actor abused SEO poisoning and bogus download domains impersonating Teams to distribute trojanized installers. Users are advised to download software only from verified sources and to avoid suspicious links or ads.

Hackers Deploy Rootkit via Cisco SNMP Zero-Day on Switches

⚠️Threat actors exploited a recently patched SNMP remote code execution flaw (CVE-2025-20352) in older Cisco IOS and IOS XE devices to deploy a persistent Linux rootkit. Trend Micro reports the campaign targeted unprotected 9400, 9300 and legacy 3750G switches and has been tracked as Operation Zero Disco, named for the universal password that contains 'disco'. The implant can disable logging, bypass AAA and VTY ACLs, hide running-configuration items and enable lateral movement; researchers recommend low-level firmware and ROM-region checks when compromise is suspected.