All news with #persistence tag

🦠 Picus Security's Red Report 2026 analyzed over 1.1 million malicious files and 15.5 million actions, finding attackers favor stealthy persistence and evasion to silently exfiltrate data for extortion. Process injection accounted for 30% of techniques, while adversaries routed C2 through high-reputation services like OpenAI and AWS and used stolen browser passwords to masquerade as users. The report warns that virtualization/sandbox evasion and increased technique counts make detection more challenging.

🔍 The Picus Red Report 2026 analyzed more than 1.1 million malicious files and 15.5 million adversarial actions across 2025 and finds attackers shifting from disruptive ransomware to long-lived, stealthy residency. Rather than encrypting systems, adversaries focus on credential theft, process injection, sandbox evasion and quiet data exfiltration. The report urges defenders to prioritize behavior-based detection, credential hygiene and continuous adversarial validation to restore visibility.

🔍 HarfangLab detected a Farsi-speaking, Iran-aligned campaign codenamed RedKitten in January 2026 that targets NGOs and individuals documenting recent human rights abuses. The operation begins with a Farsi-named 7‑Zip archive containing macro-laced Excel files; embedded VBA macros, which analysts say show signs of LLM generation, drop a C# implant via AppDomainManager injection. The backdoor, SloppyMIO, uses GitHub and Google Drive for steganographic configuration retrieval and leverages Telegram for command-and-control, supporting multiple modules to run commands, collect and exfiltrate files, deploy payloads and establish persistence.

⚠️ The Google Threat Intelligence Group (GTIG) has observed widespread exploitation of WinRAR via the critical path traversal vulnerability CVE-2025-8088, which attackers use to drop payloads into the Windows Startup folder by abusing Alternate Data Streams (ADS). Adversaries—from government-backed Russian and Chinese groups to financially motivated operators—craft RAR archives that conceal decoy documents and hidden ADS entries to achieve persistence. Defenders should prioritize installing the WinRAR patch, enable Safe Browsing protections, and hunt for ADS extraction activity and newly created Startup-folder LNK/HTA/BAT artifacts.

🔒 Cybersecurity researchers describe a two-wave phishing campaign that uses fake Greenvelope invitations to harvest Microsoft Outlook, Yahoo! and AOL credentials, then leverages those stolen logins to register and deploy legitimate LogMeIn RMM tools. Attackers deliver a signed executable, GreenVelopeCard.exe, containing a JSON configuration that silently installs LogMeIn Resolve and connects to an attacker-controlled URL. The RMM is configured for persistent, elevated access and hidden scheduled tasks to ensure survival and ongoing remote control.

⚠️ Threat actors tied to DPRK-backed Contagious Interview are weaponizing Visual Studio Code project configurations to execute malicious payloads when developers open and trust cloned repositories. Jamf Threat Labs observed attackers embedding commands in tasks.json that spawn shell processes to fetch and run obfuscated JavaScript via Node.js, establishing a persistent backdoor that can survive closing the IDE. Users should vet unfamiliar repos, inspect task and package files, and avoid running npm install without review.

🚨 ReliaQuest warns that Storm-0249 appears to be evolving from an initial access broker into an active operator, adopting domain spoofing, DLL side-loading and fileless PowerShell execution to facilitate ransomware intrusions. The actor used a Microsoft-mimicking URL and the Windows Run dialog to fetch and execute a PowerShell script that installed a trojanized SentinelOne DLL via a malicious MSI. This technique leverages living-off-the-land utilities and signed processes to maintain persistence and evade detection.

🔍 CrowdStrike identified a China-nexus adversary, WARP PANDA, conducting covert intrusions against VMware vCenter and cloud infrastructure throughout 2025, deploying novel Golang implants and the backdoor BRICKSTORM. Operations emphasized stealth—log clearing, timestomping, unregistered VMs, and tunnelling via vCenter/ESXi/guest VMs—enabling long-term persistence and data staging from live VM snapshots. WARP PANDA also exfiltrated Microsoft 365 and SharePoint content, registered MFA devices, and abused cloud services for C2, prompting recommendations for tighter ESXi/vCenter controls and robust EDR on guests.

🛡️ A recently patched WSUS deserialization flaw, CVE-2025-59287, has been weaponized to install the ShadowPad backdoor on Windows servers. AhnLab's ASEC reports attackers used PowerCat to spawn a CMD shell and then leveraged certutil and curl to retrieve payloads from 149.28.78.189:42306. ShadowPad was deployed via DLL side-loading of ETDApix.dll by ETDCtrlHelper.exe and runs as an in-memory loader with plugin support, anti-detection, and persistence.

🛡️ Kaspersky researcher Lisandro Ubiedo details an expanding Windows-focused botnet named Tsundere that retrieves and executes arbitrary JavaScript from remote command-and-control servers. The threat, active since mid‑2025, has been distributed via fake MSI installers and PowerShell scripts that deploy Node.js, install dependencies (ws, ethers, and pm2) and establish persistence. Operators fetch WebSocket C2 addresses from an Ethereum smart contract to rotate infrastructure, while a control panel enables artifact building, bot management, proxying, and an on-platform marketplace.

🛡️ Bitdefender researchers describe how the Russia-aligned APT group Curly COMrades enabled Windows Hyper-V to deploy a minimal Alpine Linux VM on compromised Windows 10 hosts, creating a hidden execution environment. The compact VM (≈120MB disk, 256MB RAM) hosted two libcurl-based implants, CurlyShell (reverse shell) and CurlCat (HTTP-to-SSH proxy), enabling C2 and tunneling that evaded many host EDRs. Attackers used DISM and PowerShell to enable and run the VM under the deceptive name "WSL," and also employed PowerShell and Group Policy for credential operations and Kerberos ticket injection. Bitdefender warns that VM isolation can bypass EDR and recommends layered defenses including host network inspection and proactive hardening.

🔒 Attackers are deploying a persistent backdoor using OpenSSH and a customized Tor hidden service to target defense-related organizations in Russia and Belarus. The Operation SkyCloak campaign uses weaponized ZIP attachments and LNK-triggered PowerShell stagers that perform sandbox evasion and write an .onion hostname into the user's roaming profile. Persistence is established via scheduled tasks that run a renamed sshd.exe and a bespoke Tor binary using obfs4, enabling SSH, SFTP, RDP and SMB access over Tor.

⚠️ Researchers at Varonis have identified a turnkey remote access trojan called Atroposia, marketed on underground forums with subscription tiers starting at $200 per month. The kit combines advanced features — hidden remote desktop takeover, encrypted C2 channels, UAC bypass for persistence, an integrated vulnerability scanner, clipboard capture, DNS hijacking and bulk exfiltration — into a low‑skill, plug‑and‑play package. Enterprises should prioritize behavioral monitoring, rapid containment, multi‑factor authentication, restricted admin access and rigorous patching to detect and mitigate attacks enabled by such commoditized toolsets.

🛡️ Researchers disclosed a campaign, Operation Zero Disco, that exploited a recently patched SNMP stack overflow (CVE-2025-20352) in Cisco IOS and IOS XE devices to deploy Linux rootkits on older, unprotected switches. The attackers achieved remote code execution and persistence by installing hooks into IOSd memory and setting universal passwords that include the string "disco." Targets included legacy 3750G and 9300/9400 series devices lacking EDR protections.

🔒 Researchers at ReliaQuest found China-linked APT Flax Typhoon modified an ArcGIS Server Object Extension (SOE) into a persistent web shell that executed base64-encoded commands via standard ArcGIS operations. The actor used a hardcoded key, staged tools in a hidden C:\Windows\System32\Bridge directory, and renamed a SoftEther VPN binary to bridge.exe to maintain covert connectivity. The malicious SOE was replicated into backups and golden images, allowing access to survive system recovery while attackers performed discovery, credential harvesting, lateral movement, and covert VPN-based persistence.

🛡️ReliaQuest attributes a campaign to China-linked group Flax Typhoon that compromised a public-facing ArcGIS server by converting a Java Server Object Extension (SOE) into a gated web shell, maintaining access for over a year. The attackers embedded a hard-coded key and hid the backdoor in system backups to survive full system recovery. They uploaded a renamed SoftEther executable (bridge.exe), created a "SysBridge" service to persist, and used an outbound HTTPS VPN bridge to extend the victim network for covert lateral movement. Investigators observed credential theft, admin account resets, and extensive living-off-the-land activity to evade detection.

⚠️ Researchers at Eclypsium warn that roughly 200,000 Framework Linux systems shipped with legitimately signed UEFI shells containing a dangerous mm (memory modify) command. The command can read and write physical memory and be used to overwrite the gSecurity2 pointer that enforces UEFI signature checks, effectively disabling verification. That failure allows persistent bootkits to load at boot time and survive OS reinstalls. Framework is issuing firmware and DB/DBX updates; users should apply patches or follow temporary mitigations until fixes are available.

🔒 Eclypsium discovered that Framework shipped signed UEFI shells containing a dangerous mm (memory modify) command that can directly read and write system RAM and be leveraged to disable Secure Boot. By overwriting the gSecurity2 security handler pointer to NULL or redirecting it to a stub that always returns success, the mm command stops signature verification and can permit bootkits to load. Framework estimates roughly 200,000 affected units; users should apply available firmware and DBX updates, restrict physical access, or temporarily remove Framework's DB key in BIOS until patches are applied.

🔒 Researchers say a Chinese state-linked actor, likely Flax Typhoon, exploited a component of the ArcGIS geo-mapping platform to maintain undetected access for over a year. Using valid admin credentials, the attackers uploaded a malicious Java SOE that acted as a web shell, accepting base64-encoded commands via a REST parameter protected by a hardcoded secret. They then installed SoftEther VPN as a Windows service to create an outbound HTTPS tunnel to 172.86.113[.]142 on port 443, enabling persistent lateral movement and credential harvesting even if the SOE were removed.

🔐 ReliaQuest linked the campaign to the Flax Typhoon APT, which converted a legitimate public-facing ArcGIS Java server object extension (SOE) into a stealthy web shell. The group activated the SOE through a standard ArcGIS REST extension, embedding a base64-encoded payload and a hardcoded key to trigger command execution while hiding activity behind normal portal operations. Attackers uploaded a renamed SoftEther VPN binary to preserve access and targeted IT workstations, and the SOE was later found in backups, enabling persistence after remediation. ReliaQuest warns organisations to go beyond IOC detection, proactively hunt for anomalous behaviour in trusted tools, and treat every public-facing application as a high-risk asset.