All news with #backdoor found tag

Chinese Cybercrime Group Runs Global SEO Fraud Ring

🔍 UAT-8099, a Chinese-speaking cybercrime group, has been linked to a global SEO fraud operation that targets Microsoft IIS servers to manipulate search rankings and harvest high-value data. The actor gains access via vulnerable or misconfigured file upload features, deploys web shells and privilege escalation to enable RDP, then uses Cobalt Strike and a modified BadIIS module to serve malicious content when requests mimic Googlebot. Infections have been observed across India, Thailand, Vietnam, Canada, and Brazil, affecting universities, telecoms and technology firms and focusing on mobile users.

New Chinese Group Hijacks IIS Servers for SEO Fraud

🔍 Cisco Talos warns a Chinese‑speaking threat group tracked as UAT-8099 is actively compromising misconfigured Microsoft IIS servers to run SEO fraud and harvest high-value data. The actors favor high-reputation domains in universities, technology firms, and telecom providers across India, Thailand, Vietnam, Canada and Brazil to reduce detection. They exploit unrestricted file uploads to install web shells, escalate a guest account to admin, enable RDP and deploy the BadIIS SEO malware, then persist with hidden accounts and VPN/backdoor tools. Talos has published indicators and mitigation guidance, including blocking script execution in upload folders, disabling RDP and enabling MFA.

Detour Dog Using DNS to Distribute Strela Stealer Campaigns

🛡️ Infoblox links a threat actor dubbed Detour Dog to campaigns distributing the Strela Stealer, using compromised WordPress sites to host first-stage backdoors such as StarFish. The actor leverages DNS TXT records and modified name servers to deliver Base64-encoded commands and delivery URLs, selectively triggering redirects or remote execution to minimize detection. Infoblox and Shadowserver sinkholed multiple C2 domains in July–August 2025.

Chinese Cybercriminals Hijack IIS Servers for SEO Fraud

🔍 A Chinese-speaking cybercrime group tracked as UAT-8099 is hijacking trusted Microsoft IIS servers worldwide to run SEO scams that redirect users to unauthorized adverts and illegal gambling sites. According to Cisco Talos, attackers exploit server vulnerabilities, upload web shells, and conduct reconnaissance before enabling the guest account, escalating privileges and activating RDP. For persistence they deploy SoftEther VPN, EasyTier and the FRP reverse proxy and install the BadIIS malware variants designed to evade detection.

Chinese-speaking Group UAT-8099 Targets IIS Servers

🔐 Cisco Talos recently disclosed activity by a Chinese-speaking cybercrime group tracked as UAT-8099 that compromises legitimate Internet Information Services (IIS) web servers across several countries. The actors use automation, custom malware and persistence techniques to manipulate search results for profit and to exfiltrate sensitive data such as credentials and certificates. Talos notes the group maintains long-term access and actively protects compromised hosts from rival attackers. Organizations should hunt for signs of BadIIS, unauthorized web shells and anomalous RDP/VPN activity and share IOCs promptly.

Confucius Targets Pakistan with WooperStealer and Anondoor

🔒 Fortinet researchers attribute a renewed phishing campaign to Confucius, which has repeatedly targeted Pakistani government, military, and defense industry recipients using spear‑phishing and malicious documents. Attack chains observed from December 2024 through August 2025 delivered WooperStealer via DLL side‑loading using .PPSX and .LNK lures, and later introduced a Python implant, Anondoor. The group layered obfuscation and swapped tools and infrastructure to sustain credential theft, screenshot capture, file enumeration, and persistent exfiltration while evading detection.

Confucius Shifts to Python Backdoors Targeting Windows

🛡️ FortiGuard Labs reports that the long-running cyber-espionage group Confucius has shifted tactics against Microsoft Windows users, moving from document stealers like WooperStealer to Python-based backdoors such as AnonDoor. The change, observed between December 2024 and August 2025, favors persistent access and command execution over simple data exfiltration. Researchers describe layered evasion and persistence techniques including DLL side-loading, obfuscated PowerShell, scheduled tasks and stealthy exfiltration to minimize detection. Targeting remains focused in South Asia, particularly Pakistan.

Malicious PyPI soopsocks package abused to install backdoor

⚠️ Cybersecurity researchers flagged a malicious PyPI package named soopsocks that claimed to provide a SOCKS5 proxy while delivering stealthy backdoor functionality on Windows. The package, uploaded by user 'soodalpie' on September 26, 2025, had 2,653 downloads before removal and used VBScript or an executable (_AUTORUN.VBS/_AUTORUN.EXE) to bootstrap additional payloads. Analysts at JFrog reported the executable is a compiled Go binary that runs PowerShell, adjusts firewall rules, elevates privileges, performs reconnaissance and exfiltrates data to a hard-coded Discord webhook.

Confucius Espionage: Evolution from Stealer to Backdoor

🔐 FortiGuard Labs documents the Confucius espionage group’s shift from document-stealing malware to a stealthy Python-based backdoor targeting Microsoft Windows. Recent campaigns used spear-phishing with weaponized Office PPSX files, malicious LNK loaders, and staged PowerShell installers to deploy runtimes and execute AnonDoor modules. The actor leveraged DLL side-loading, scheduled tasks, and HKCU registry Load persistence to maintain stealth and periodic execution. Fortinet urges layered defenses, updated signatures, and user training to mitigate these threats.

Researchers Find Physical Interposer Attacks on Intel, AMD

🔓 Researchers disclosed two physical interposer attacks—Battering RAM and Wiretrap—that bypass Trusted Execution Enclaves on Intel (SGX) and AMD (SEV‑SNP) platforms. Both attacks exploit deterministic memory encryption by inserting an interposer between CPU and DRAM to capture ciphertext in transit. Battering RAM can replay ciphertext and create memory aliases to expose plaintext and implant backdoors, while Wiretrap enables ciphertext-based key recovery. Practical mitigation today is limited to preventing physical access and strengthening supply‑chain and data‑center controls such as those in ISO/IEC 27001.

Chinese APT 'Phantom Taurus' Targets Gov and Telecom

🔎 Researchers at Palo Alto Networks have attributed two years of coordinated espionage to a previously unreported Chinese-aligned threat actor dubbed Phantom Taurus. The group targets government and telecommunications organizations across Africa, the Middle East, and Asia, focusing on foreign ministries, embassies, geopolitical events and military operations to maintain persistent covert access. Its toolkit includes a new IIS web-server backdoor suite called NET-STAR, DNS- and remote-access tools, in-memory implants and a wide mix of dual-use utilities. Operators have shifted from Exchange mailbox harvesting via ProxyLogon and ProxyShell exploits to targeted SQL database searches and WMI-driven data extraction.

Phantom Taurus: China-Aligned Hackers Target State, Telecom

🔍Phantom Taurus, newly designated by Unit 42, is a China-aligned cyber-espionage group that has targeted government and telecommunications organizations across Africa, the Middle East and Asia for at least two and a half years. Researchers traced the activity from earlier cluster tracking through a 2024 campaign codename, noting a 2025 elevation to a distinct group. Phantom Taurus has shifted from email-server exfiltration to directly querying SQL Server databases via a custom mssq.bat executed over WMI, and deploys a previously undocumented .NET IIS malware suite dubbed NET-STAR.

Ukraine Alerts to CABINETRAT Backdoor Delivered via XLLs

⚠ The Computer Emergency Response Team of Ukraine (CERT‑UA) warns of targeted attacks using a new backdoor dubbed CABINETRAT distributed via malicious Excel add-ins (XLL) concealed inside ZIP archives shared over Signal. The XLL implants an EXE in Startup, places BasicExcelMath.xll in the Excel XLSTART folder and drops a PNG that hides shellcode. It employs registry persistence and robust anti-VM checks, and the C-based backdoor performs reconnaissance, remote command execution, file operations and data exfiltration over TCP.

Battering RAM: DDR4 Interposer Breaks Cloud Memory

🔒 Researchers at KU Leuven and the University of Birmingham disclosed Battering RAM, a low-cost DDR4 interposer attack that can undermine hardware memory encryption used in cloud environments. The $50 interposer sits transparently in the memory path, passes boot-time trust checks, and can be toggled to redirect physical addresses to attacker-controlled locations to corrupt or replay encrypted memory. The team says the technique can bypass protections such as SGX and SEV-SNP, and that meaningful mitigation would require architectural redesign of memory encryption.

Phantom Taurus: China-linked APT Targets Diplomacy

🔍 Palo Alto Networks Unit 42 has attributed a two-and-a-half-year campaign of espionage to a previously undocumented China-aligned actor dubbed Phantom Taurus, which has targeted government and telecommunications organizations across Africa, the Middle East, and Asia. The group uses a bespoke .NET malware suite called NET-STAR to compromise Internet Information Services (IIS) web servers and maintain stealthy access. Observed techniques include exploitation of on-premises IIS and Microsoft Exchange flaws, in-memory payload execution, timestomping and AMSI/ETW bypasses, enabling persistent data collection tied to geopolitical events.

Phantom Taurus: NET-STAR .NET IIS Backdoor Revealed

🔍 Unit 42 documents a newly designated Chinese-aligned threat actor, Phantom Taurus, which uses a previously undocumented .NET malware suite called NET-STAR to target IIS web servers. The actor focuses on government and telecommunications organizations across the Middle East, Africa and Asia and has shifted from email theft to direct database exfiltration. The report outlines technical behaviors, in-memory fileless execution, and mitigation guidance for Palo Alto Networks protections.

Chinese Hackers Exploit Enterprise Network Appliances

🔒 A Chinese state-sponsored group tracked as RedNovember carried out a global espionage campaign from June 2024 to July 2025, compromising defense contractors, government agencies, and major corporations by exploiting internet-facing network appliances. The attackers rapidly weaponized disclosed flaws in devices from SonicWall, Ivanti, Cisco, F5, Sophos, and Fortinet, often within 72 hours of public exploit code. They deployed Go-based tools including Pantegana, Cobalt Strike, and SparkRAT, and relied on open-source tooling and legitimate services to obfuscate attribution and maintain persistent access.

First Malicious MCP Server Found in NPM Postmark Package

🛡️ Cybersecurity researchers at Koi Security reported the first observed malicious Model Context Protocol (MCP) server embedded in an npm package, a trojanized copy of the postmark-mcp library. The malicious change, introduced in version 1.0.16 in September 2025 by developer "phanpak", added a one-line backdoor that BCCs every outgoing email to phan@giftshop[.]club. Users who installed the package should remove it immediately, rotate any potentially exposed credentials, and review email logs for unauthorized BCC activity.

China-linked PlugX and Bookworm Target Asian Telecoms

🔍 Cisco Talos and Palo Alto Networks Unit 42 describe concurrent campaigns distributing a revised PlugX variant and the long‑running Bookworm RAT against telecommunications and manufacturing organizations across Central and South Asia and ASEAN countries. Talos found that the PlugX sample borrows RainyDay and Turian techniques — DLL side‑loading of a Mobile Popup Application, XOR‑RC4‑RtlDecompressBuffer payload processing and reuse of RC4 keys — and includes an embedded keylogger. Researchers note the PlugX configuration now mirrors RainyDay’s structure, suggesting links to Lotus Panda/Naikon or shared tooling, while Unit 42 highlights Bookworm’s modular leader/DLL architecture, UUID-encoded shellcode variants, and use of legitimate-looking C2 domains to blend with normal traffic.

New COLDRIVER ClickFix Campaign Uses BAITSWITCH, SIMPLEFIX

🔍 Zscaler details a new COLDRIVER ClickFix campaign that deploys two lightweight families: BAITSWITCH, a DLL downloader, and SIMPLEFIX, a PowerShell backdoor. Victims are lured to execute a malicious DLL via a fake CAPTCHA; BAITSWITCH fetches SIMPLEFIX while presenting a Google Drive decoy. The chain stores encrypted payloads in the Windows Registry, uses a PowerShell stager, and clears the Run dialog to erase traces. Zscaler notes the campaign targets NGOs, human-rights defenders, think tanks, and exiles connected to Russia.