< ciso
brief />
Tag Banner

All news with #persistence tag

50 articles

DragonForce hid C&C traffic in Microsoft Teams

🔒 Researchers report that DragonForce operators covertly used Microsoft Teams TURN relay servers to mask command-and-control traffic while infiltrating a major US services firm during a 2025 campaign. The attackers deployed a Go-based RAT, named Backdoor.Turn, which obtained anonymous Teams visitor tokens and established QUIC sessions to attacker-controlled servers. They also exploited an undocumented Huawei driver vulnerability and modified system settings to maintain persistence, exfiltrate data and deploy DragonForce ransomware.
read more →

Chinese APT UNC5221 uses new backdoors to persist

🛡️ Volexity researchers attribute prolonged intrusions to the Chinese espionage group UNC5221 (aka VerdantBamboo), which used the Brickstorm backdoor plus previously undocumented malware Plenet and AgentPSD to maintain access. The actor compromised an MSP and victim systems, remaining undetected for at least 18 months and returning after remediation. Plenet is a cross-platform .NET backdoor; AgentPSD is a Python reverse shell used as fallback persistence.
read more →

ThreatsDay bulletin: escalating cyber intrusion trends

🛡️ Cisco patched a high-severity SSRF in Unified Communications Manager, while Russia reported large-scale mobile spyware targeting officials and ongoing investigations. Threat actors continue to distribute VIP Keylogger via layered social engineering and JavaScript loaders, and DriveSurge operates a widespread malware delivery network using ClickFix and FakeUpdates. U.S. sanctions hit major Iranian crypto exchanges; RMM and trusted tools are increasingly abused for persistence and privilege escalation.
read more →

ClickFix Abuses PySoxy for Dual-Channel Persistence

🛡️ReliaQuest researchers observed ClickFix intrusions that now leverage the open-source proxy PySoxy to establish a secondary encrypted C2 path alongside an initial PowerShell controller. The April campaign used scheduled tasks for persistence and deployed Python tooling to C:\ProgramData to execute compiled .pyc modules, turning endpoints into proxy relays. This dual-channel design preserves access if the PowerShell channel is disrupted, forcing broader containment and new hunting approaches.
read more →

ClickFix and PySoxy Combined to Maintain Persistence

🔐 ReliaQuest researchers describe a campaign where social-engineering ClickFix techniques were paired with the decade-old Python SOCKS5 proxy PySoxy to maintain persistent access on compromised hosts. Attackers staged the proxy after reconnaissance and used a scheduled task for re-execution, so blocking the initial ClickFix vector did not fully remove access. Analysts advise treating these incidents as active compromises and hunting for Python proxy artifacts, scheduled tasks, and staged components rather than assuming a blocked C2 equals containment.
read more →

PamDOORa: PAM-Based Linux Backdoor Enables Persistent SSH

🔐 Researchers disclosed a new Linux backdoor called PamDOORa, advertised on the Russian cybercrime forum Rehub by an actor named "darkworm". The PAM-based post-exploitation toolkit provides persistent OpenSSH access via a magic password and specific TCP port and can harvest credentials for all users who authenticate through the compromised host. Flare.io says the implant also includes anti-forensic features to tamper with authentication logs and evasion techniques. The seller listed it at $1,600 in March 2026, later reducing the price to about $900.
read more →

Venomous#Helper Phishing Uses Signed RMM to Install Backdoor

🛡️ A sustained phishing campaign named Venomous#Helper is abusing signed remote monitoring and management (RMM) tools to install persistent backdoors on Windows hosts. Researchers at Securonix say attackers used SSA-branded lures that redirected via a compromised Mexican domain to a signed JWrapper binary masquerading as a government document. The payload deploys a cracked SimpleHelp build alongside a ConnectWise ScreenConnect relay, creating dual access channels and robust persistence mechanisms that evade basic gateway and EDR checks.
read more →

Deep#Door Python Backdoor Evades Detection On Windows

🐍 Securonix has identified a stealthy Python-based backdoor, Deep#Door, that uses an obfuscated batch loader to install a persistent implant on Windows systems. The self-contained dropper embeds and reconstructs its Python payload at runtime, disables security controls such as Windows Defender, and leverages multiple persistence mechanisms to maintain access. It uses public TCP tunneling for C2 and supports credential theft, keylogging, media capture and optional destructive actions, complicating detection and remediation.
read more →

Stealthy Python RAT 'DEEP#DOOR' Uses Public Tunneling

🛡️ Securonix researchers disclosed a stealthy Python-based backdoor named DEEP#DOOR that establishes persistent access and extensive surveillance on compromised Windows hosts. Delivered via an obfuscated batch dropper, the implant extracts and runs an embedded svc.py payload and uses the public Rust-based tunneling service bore.pub for command-and-control. Its capabilities include remote shells, credential and key theft, webcam and audio capture, and robust anti-analysis measures.
read more →

Persistent 'Firestarter' Backdoor Hits Cisco Firewalls

🛡️ Security teams are being urged to inspect Cisco ASA and Firepower devices following discovery of a resilient backdoor called Firestarter that can persist after patching and survive normal reboots. CISA and the UK’s NCSC recommend generating a core dump and running their published YARA rules (or scanning a disk image) to detect the implant. If an infection is confirmed, the advisory states the device must be physically disconnected from all power sources, including redundant and backup supplies, for at least one minute or be fully reimaged — a standard reboot or power cycle is not sufficient.
read more →

Firestarter Backdoor Survives Cisco Firewall Patches

🔥 A custom backdoor named Firestarter has been observed persisting on Cisco Firepower and Secure Firewall devices running ASA or FTD software, surviving reboots, firmware updates, and security patches. U.S. CISA and the U.K. NCSC link the activity to a threat actor tracked as UAT-4356, which exploited CVE-2025-20333 and CVE-2025-20362. Cisco recommends reimaging and upgrading affected devices; administrators can check compromise with show kernel process | include lina_cs, and CISA published YARA rules and mitigation guidance.
read more →

FIRESTARTER Backdoor Persists on Cisco ASA/Firepower

🔒 CISA and the U.K. NCSC disclosed that a federal civilian agency's Cisco Firepower device running ASA firmware was compromised in September 2025 by a persistent backdoor dubbed FIRESTARTER. The ELF bootkit alters the startup mount list and attempts to hook LINA to execute arbitrary shellcode and sustain post-patching persistence. Cisco recommends reimaging; a cold power cycle is a temporary mitigation.
read more →

Microsoft Warns: WhatsApp-Delivered VBS Campaign Surfaces

⚠ Microsoft has alerted to a late-February 2026 campaign that uses WhatsApp messages to deliver malicious Visual Basic Script (VBS) files which trigger a multi-stage infection chain. According to Microsoft Defender, the scripts create hidden folders under C:\ProgramData, drop renamed Windows utilities (for example, curl.exe as netapi.dll and bitsadmin.exe as sc.exe), and retrieve secondary payloads from trusted cloud providers. Attackers then attempt UAC tampering, modify registry entries, and install unsigned MSI packages to secure persistence and remote access, with some installers deploying legitimate remote‑access tools.
read more →

WhatsApp VBS Malware Campaign Delivers MSI Backdoors

🛡️ Microsoft warns of a WhatsApp-distributed malware campaign that uses malicious Visual Basic Script (VBS) files to gain persistence and remote access on Windows systems. The VBS scripts perform delayed, multi-stage execution and deploy renamed legitimate utilities (for example, curl.exe and bitsadmin.exe) under misleading filenames to blend in. Payloads are hosted on reputable cloud providers and culminate in installing malicious Microsoft Installer (MSI) packages that act as backdoors. Microsoft recommends monitoring script and installer execution and watching for misuse of trusted system tools.
read more →

Kubernetes Controllers as Stealthy Persistent Backdoors

🔒 Kubernetes clusters can be undermined by the very automation that makes them resilient. By registering or compromising a controller—most commonly via a MutatingWebhookConfiguration—an attacker can intercept pod-creation requests and inject a covert sidecar, turning the cluster’s control loop into a self-healing backdoor. These injections are often invisible to casual inspection, survive pod restarts and upgrades, and can be disguised under benign names. Teams should audit webhooks, monitor RoleBindings and OwnerReferences, and restrict webhook registration to reduce this risk.
read more →

China-Linked Red Menshen Uses Stealthy BPFDoor Implants

🔒 A long-running espionage campaign attributed to China-linked threat cluster Red Menshen has embedded stealthy kernel-level implants into telecom networks to maintain persistent, low-noise access. Rapid7 highlights BPFDoor, a Linux backdoor that leverages Berkeley Packet Filter functionality to trigger shells only when a specifically crafted "magic" packet is seen, avoiding open listeners and conventional C2 channels. The actor also deploys CrossC2, Sliver, TinyShell, credential harvesting tools and a controller that can operate inside victim environments to enable lateral movement and covert monitoring.
read more →

Silver Dragon: China-Nexus Espionage Targeting Governments

🐉 Silver Dragon is a China-nexus cyber espionage group focusing on government ministries and public sector organizations across Southeast Asia, with additional victims identified in Europe. The group gains access through exploitation of public-facing servers and targeted phishing campaigns. It maintains long-term persistence by hijacking legitimate Windows services and deploying a custom backdoor, GearDoor, which uses Google Drive for covert C2, blending malicious activity with trusted services to evade detection.
read more →

Ransomware Shift: Stealthy, Long-Term Access Tactics

🔒 Picus Security's annual red-teaming report finds ransomware operators shifting from noisy encryption to stealthy, long-term access, favoring persistence, defense evasion and data exfiltration. The firm reports a 38% drop in encryption as attackers prioritize double-extortion and silent leaks, often routing C2 traffic through trusted services like OpenAI and AWS. Experts urge stronger identity controls, monitoring of third-party integrations, and detections tuned to persistence and exfiltration.
read more →

Android malware uses Gemini AI to persist on devices

🔐 ESET researchers have identified an Android implant, dubbed PromptSpy, that leverages generative AI to maintain persistence on victims' devices and represents an evolution of earlier VNCSpy samples. The implant sends serialized UI snapshots to Google's Gemini, receives step-by-step Accessibility Service actions to keep the malicious app pinned in Recent Apps, and executes those actions while a VNC module provides remote viewing and control. The initial dropper impersonated JPMorgan Argentina and distributed via mgardownload[.]com; communications use AES-encrypted VNC to a hardcoded C2 at 54.67.2[.]84. PromptSpy also overlays invisible UI elements to block uninstallation; the only reliable removal is rebooting into Safe Mode.
read more →

UNC6201 Targets Dell RecoverPoint Zero-Day, Deploys GRIMBOLT

🔐 Mandiant and the Google Threat Intelligence Group (GTIG) identified exploitation of a critical vulnerability in Dell RecoverPoint for Virtual Machines, CVE-2026-22769, used by UNC6201 since mid‑2024. The actor uploaded malicious WAR files to the embedded Tomcat Manager—leveraging hard‑coded admin credentials—to deploy a SLAYSTYLE web shell and gain root. In compromised appliances, UNC6201 established persistence by modifying convert_hosts.sh and later replaced BRICKSTORM implants with a native AOT‑compiled C# backdoor named GRIMBOLT. Investigators also observed novel VMware pivoting techniques, including temporary "Ghost NICs" and iptables‑based Single Packet Authorization. Dell published mitigations and GTIG/Mandiant released IOCs, YARA rules, and hunting guidance to aid detection and response.
read more →