All news with #backdoor found tag

Cisco SNMP Rootkit Campaign Targets Network Devices

🔒 Trend Micro detailed a campaign exploiting CVE-2025-20352 that installed Linux rootkits on exposed Cisco switches and routers, enabling persistent unauthorized access. The attackers combined an SNMP remote code execution with a modified Telnet flaw (based on CVE-2017-3881) to read and write device memory and deploy fileless backdoors. Affected models include Cisco 9400, 9300 and legacy 3750G series. Device owners should apply Cisco patches, disable or harden SNMP and restrict management access.

North Korean Group Adopts EtherHiding for Malware Campaign

🔐 Google Threat Intelligence has linked a campaign to UNC5342, a cluster tied to North Korea, that now uses EtherHiding to distribute malware via smart contracts on public blockchains such as BNB Smart Chain and Ethereum. The attackers lure developers through LinkedIn recruitment ruses, move conversations to Telegram or Discord, and deliver npm-package downloaders that chain into BeaverTail, JADESNOW, and the Python backdoor InvisibleFerret. By embedding payloads in on-chain contracts, the group turns blockchains into tamper-resistant dead-drops that are hard to takedown and easy to update, enabling sustained cryptocurrency theft and long-term espionage.

Attackers Use Cisco SNMP Flaw to Deploy Linux Rootkits

🛡️ Researchers disclosed a campaign, Operation Zero Disco, that exploited a recently patched SNMP stack overflow (CVE-2025-20352) in Cisco IOS and IOS XE devices to deploy Linux rootkits on older, unprotected switches. The attackers achieved remote code execution and persistence by installing hooks into IOSd memory and setting universal passwords that include the string "disco." Targets included legacy 3750G and 9300/9400 series devices lacking EDR protections.

Jewelbug Expands Operations into Russia, Symantec Finds

🔎 Symantec attributes a five‑month intrusion (Jan–May 2025) against a Russian IT service provider to a China‑linked group tracked as Jewelbug, connecting it with clusters CL‑STA‑0049/REF7707 and Earth Alux. Attackers accessed code repositories and build systems and exfiltrated data to Yandex Cloud, creating supply‑chain concerns. The campaign used a renamed cdb.exe to run shellcode, bypass allowlisting, dump credentials, establish persistence, and clear event logs. Symantec also ties Jewelbug to recent intrusions in South America, South Asia, and Taiwan that leverage cloud services, DLL side‑loading, ShadowPad, BYOVD techniques, and novel OneDrive/Graph API C2.

Over 100 VS Code Extensions Leaked Access Tokens Exposed

🔒 Wiz researchers found that publishers of over 100 Visual Studio Code extensions leaked personal access tokens and other secrets that could allow attackers to push malicious extension updates across large install bases. The team validated more than 550 secrets across 500+ extensions spanning 67 types, including AI provider keys, cloud credentials, database and payment secrets. Over 100 extensions exposed Marketplace PATs (≈85,000 installs) and ~30 exposed Open VSX tokens (≈100,000 installs); many flagged packages were themes and hard-coded secrets in .vsix files were often discoverable. Microsoft revoked leaked tokens after disclosure and is adding secret-scanning; users and organizations were advised to limit extensions, vet packages, maintain inventories, and consider centralized allowlists.

Flax Typhoon Abused ArcGIS SOE to Maintain Long-Term Access

🔒 Researchers at ReliaQuest found China-linked APT Flax Typhoon modified an ArcGIS Server Object Extension (SOE) into a persistent web shell that executed base64-encoded commands via standard ArcGIS operations. The actor used a hardcoded key, staged tools in a hidden C:\Windows\System32\Bridge directory, and renamed a SoftEther VPN binary to bridge.exe to maintain covert connectivity. The malicious SOE was replicated into backups and golden images, allowing access to survive system recovery while attackers performed discovery, credential harvesting, lateral movement, and covert VPN-based persistence.

TigerJack's Malicious VSCode Extensions Steal and Mine

⚠️ Koi Security disclosed a coordinated campaign by a group dubbed TigerJack that published malicious extensions to the Visual Studio Code Marketplace and the OpenVSX registry to exfiltrate source code, deploy cryptominers, and maintain remote access. Two popular packages — C++ Payground and HTTP Format — accumulated over 17,000 downloads before removal from Microsoft's store, yet variants remain active on OpenVSX. Researchers warn that the most advanced builds fetch and execute remote JavaScript, allowing attackers to push new payloads without republishing and evading static scanners.

Chinese Hackers Turn ArcGIS Server into Year-Long Backdoor

🛡️ReliaQuest attributes a campaign to China-linked group Flax Typhoon that compromised a public-facing ArcGIS server by converting a Java Server Object Extension (SOE) into a gated web shell, maintaining access for over a year. The attackers embedded a hard-coded key and hid the backdoor in system backups to survive full system recovery. They uploaded a renamed SoftEther executable (bridge.exe), created a "SysBridge" service to persist, and used an outbound HTTPS VPN bridge to extend the victim network for covert lateral movement. Investigators observed credential theft, admin account resets, and extensive living-off-the-land activity to evade detection.

Signed UEFI Shell Enables Secure Boot Bypass on Framework

⚠️ Researchers at Eclypsium warn that roughly 200,000 Framework Linux systems shipped with legitimately signed UEFI shells containing a dangerous mm (memory modify) command. The command can read and write physical memory and be used to overwrite the gSecurity2 pointer that enforces UEFI signature checks, effectively disabling verification. That failure allows persistent bootkits to load at boot time and survive OS reinstalls. Framework is issuing firmware and DB/DBX updates; users should apply patches or follow temporary mitigations until fixes are available.

Secure Boot bypass risk in Framework Linux laptops

🔒 Eclypsium discovered that Framework shipped signed UEFI shells containing a dangerous mm (memory modify) command that can directly read and write system RAM and be leveraged to disable Secure Boot. By overwriting the gSecurity2 security handler pointer to NULL or redirecting it to a stub that always returns success, the mm command stops signature verification and can permit bootkits to load. Framework estimates roughly 200,000 affected units; users should apply available firmware and DBX updates, restrict physical access, or temporarily remove Framework's DB key in BIOS until patches are applied.

Chinese APT Abuses ArcGIS SOE for Year-Long Persistence

🔒 Researchers say a Chinese state-linked actor, likely Flax Typhoon, exploited a component of the ArcGIS geo-mapping platform to maintain undetected access for over a year. Using valid admin credentials, the attackers uploaded a malicious Java SOE that acted as a web shell, accepting base64-encoded commands via a REST parameter protected by a hardcoded secret. They then installed SoftEther VPN as a Windows service to create an outbound HTTPS tunnel to 172.86.113[.]142 on port 443, enabling persistent lateral movement and credential harvesting even if the SOE were removed.

Chinese APT Abuses ArcGIS Component to Maintain Backdoor

🔐 ReliaQuest linked the campaign to the Flax Typhoon APT, which converted a legitimate public-facing ArcGIS Java server object extension (SOE) into a stealthy web shell. The group activated the SOE through a standard ArcGIS REST extension, embedding a base64-encoded payload and a hardcoded key to trigger command execution while hiding activity behind normal portal operations. Attackers uploaded a renamed SoftEther VPN binary to preserve access and targeted IT workstations, and the SOE was later found in backups, enabling persistence after remediation. ReliaQuest warns organisations to go beyond IOC detection, proactively hunt for anomalous behaviour in trusted tools, and treat every public-facing application as a high-risk asset.

Stealit Infostealer Campaign Deploys via Fake VPN Apps

🛡️ FortiGuard Labs has identified a campaign distributing the Stealit infostealer via disguised game and VPN installers shared on file‑hosting sites and platforms like Discord. Attackers use Node.js Single Executable Apps (SEA) and PyInstaller bundles, heavy obfuscation and multiple anti‑analysis techniques to avoid detection. Once executed, Stealit harvests data from browsers, game clients, messaging apps and cryptocurrency wallets, and its operators rotate C2 domains while marketing the toolkit commercially.

Rust-Based ChaosBot Backdoor Uses Discord for C2 Operations

🔒 eSentire disclosed a Rust-based backdoor named ChaosBot that leverages Discord channels for command-and-control, allowing operators to perform reconnaissance and execute arbitrary commands on compromised systems. The intrusion, first observed in late September 2025 at a financial services customer, began after attackers used compromised Cisco VPN credentials and an over-privileged Active Directory service account via WMI. Distribution included phishing LNK files that launch PowerShell and display a decoy PDF, while the payload sideloads a malicious DLL through Microsoft Edge to deploy an FRP reverse proxy. ChaosBot supports commands to run shells, capture screenshots, and transfer files, and newer variants employ ETW patching and VM detection to evade analysis.

From HealthKick to GOVERSHELL: UTA0388's Malware Evolution

🔎 Volexity attributes a series of tailored spear‑phishing campaigns to a China‑aligned actor tracked as UTA0388, which delivers a Go-based implant named GOVERSHELL. The waves used multilingual, persona-driven lures and legitimate cloud hosting (Netlify, Sync, OneDrive) to stage ZIP/RAR archives that deploy DLL side‑loading and a persistent backdoor. As many as five GOVERSHELL variants emerged between April and September 2025, succeeding an earlier C++ family called HealthKick. Volexity also observed the actor abusing LLMs such as ChatGPT to craft phishing content and automate workflows.

From Infostealer to PureRAT: Dissecting an Escalating Attack

🔍 Huntress Labs analyzed a multi-stage intrusion that began with a phishing ZIP and DLL sideloading and escalated to deployment of the commercial PureRAT backdoor. The operator combined bespoke Python loaders and a Python-based infostealer with compiled .NET loaders, process hollowing, AMSI/ETW tampering, and reflective DLL injection to evade detection. Final-stage configuration revealed a Vietnam-hosted C2 (157.66.26.209) and Telegram infrastructure linked to PXA Stealer, underscoring a shift from custom theft to a professional RAT.

AI-Powered Cyberattacks Escalate Against Ukraine in 2025

🔍 Ukraine's SSSCIP reported a sharp rise in AI-enabled cyber operations in H1 2025, documenting 3,018 incidents versus 2,575 in H2 2024. Analysts found evidence that attackers used AI not only to craft phishing lures but also to generate malware samples, including a PowerShell stealer identified as WRECKSTEEL. Multiple UAC clusters—such as UAC-0219, UAC-0218, and UAC-0226—deployed stealers and backdoors via booby-trapped archives, SVG attachments, and ClickFix-style tactics. The report also details zero-click exploitation of Roundcube and Zimbra flaws and widespread abuse of legitimate cloud and collaboration services for hosting and data exfiltration.

Nezha Agent Linked to New Web Application Compromises

🔍 Huntress analysts uncovered a sophisticated campaign beginning in August 2025 that used log poisoning to plant a PHP web shell and then manage compromised servers via AntSword. The operators downloaded a file named 'live.exe' — identified as the open-source Nezha agent — which connected to a command server at c.mid[.]al and enabled remote tasking. Nezha was used to execute PowerShell commands to disable Windows Defender and to deploy 'x.exe', a Ghost RAT variant that persisted as 'SQLlite'. More than 100 systems, primarily in Taiwan, Japan, South Korea and Hong Kong, were observed communicating with the attackers' dashboard.

Threat actors repurpose open-source monitor as beacon

⚠️ Attackers linked to China turned a benign open-source network monitoring agent into a remote access beacon using log poisoning and a tiny web shell. Huntress says they installed the legitimate Nezha RMM via a poisoned phpMyAdmin log and then deployed Ghost RAT for deeper persistence. The intrusion affected more than 100 hosts across Taiwan, Japan, South Korea, and Hong Kong and was contained in August 2025.

XWorm Backdoor Returns with Ransomware and 35+ Plugins

🛡️ New variants of the XWorm backdoor (6.0, 6.4, 6.5) are being distributed via phishing campaigns after the original author, XCoder, abandoned the project. Multiple operators have adopted these builds, which now support more than 35 plugins enabling data theft, remote control, and a ransomware module that encrypts user files and drops HTML ransom notes. Trellix observed diverse droppers and recommends layered defenses including EDR, email/web protections, and network monitoring.