< ciso
brief />
Tag Banner

All news with #remote access trojan tag

337 articles

Dual‑RAT phishing targets India tax filers this season

🛡️ Researchers at Cyderes uncovered a phishing campaign impersonating the Indian Tax Department that delivers two remote access trojans via a multi-stage infection chain. Victims receive fake tax assessment emails that prompt them to download a seemingly legitimate ITR utility, which abuses signed Windows binaries to sideload malicious DLLs and perform in-memory execution and process injection. The campaign deploys a Gh0st RAT derivative and a .NET implant related to the QuasarRAT/AsyncRAT family, each communicating with separate C2 servers, providing redundant access even if one implant is blocked.
read more →

Fake Microsoft Teams support call scam targets files

📢 Palo Alto Networks’ Unit 42 warns of a new campaign targeting Microsoft Teams users that begins with a survey email and a malicious PDF. If opened, victims soon receive a voice call claiming to be Microsoft Support; the fake agent requests permission to install a remote access tool and additionally deploys Ether RAT. The Trojan gives attackers full access to the compromised machine, enabling theft of sensitive information and files. Users should be cautious of unsolicited surveys and support calls.
read more →

New Iran-linked hacking group targets Israeli IT

🛡️ Check Point Research has identified a new Iran-linked cyber threat group, dubbed Cavern Manticore, targeting Israeli government and IT organizations since early 2026. The group leverages abused RMM tools and browser-based remote desktop features for initial access and persistence, often deploying malicious updates via SysAid. Researchers observed a previously undocumented modular .NET-based C2 framework composed of a persistent Cavern agent and specialized Cavern modules, designed to evade detection and hinder forensic analysis.
read more →

Suspected China-Nexus Campaign Targets Indian Taxpayers

🛡️ Seqrite Labs uncovered a targeted multi-stage phishing operation, dubbed Operation DragonReturn, impersonating India's Income Tax Department to deliver a remote access trojan. First observed on May 18, 2026, the campaign uses carefully crafted bilingual lures, malicious PDF attachments, and a ZIP-based DLL side-loading chain to install persistence and exfiltrate sensitive financial and credential data. The activity shows links to China-hosted infrastructure and overlaps with known tax-themed threat groups.
read more →

New Java-based QuimaRAT MaaS Targets All Platforms

🛡️ Cybersecurity researchers have identified QuimaRAT, a modular Java-based remote access trojan offered as malware-as-a-service that targets Windows, Linux, and macOS. The kit includes a builder, loader, dropper, and the RAT itself, with subscription tiers from $150 to $1,200. QuimaRAT uses encrypted plugins, native libraries via JNA, and multiple persistence and delivery techniques to evade protections and maintain robust C2 connectivity.
read more →

North Korean campaign publishes malicious packages

🛡️ Researchers observed North Korea–linked actors behind the Contagious Interview campaign publish 108 unique malicious packages and extensions across npm, Packagist, Go, and Chrome under an operation dubbed PolinRider. The releases include obfuscated JavaScript loaders that append code to common project config files and leverage VS Code task auto-run behavior to execute payloads. Attackers appear to acquire or retain registry and maintainer access via repository compromises, domain takeovers, or malicious dependencies. The campaign has been active since at least 2023 and continues to deliver RATs and stealers through multi-stage blockchain-backed payload delivery.
read more →

Armored Likho targets governments and utilities

🛡️ Kaspersky attributes a newly documented threat actor, Armored Likho, to espionage and financially motivated campaigns against government agencies and the electric power sector in Russia, Brazil, and Kazakhstan. The group's toolkit includes obfuscated Python stealers (BusySnake), modular RATs, Go2Tunnel for reverse SSH, and droppers delivered via spear-phishing or weaponized LNK files exploiting CVE-2025-9491. The malware emphasizes persistence, credential theft, and dynamic module delivery tailored to victims.
read more →

Yarbo robot mower backdoor exposes devices

🛠️ Independent researcher Andreas Makris discovered a universal hardcoded root password and permanent remote-access mechanism in Yarbo robotic mowers that allowed him to control thousands of units remotely. He demonstrated the flaw by hijacking a mower in the U.S. from Germany, showing how attackers could steer the machine, access cameras, and extract owner data. Yarbo has issued updates and plans to make remote access opt-in, but owners should install patches and follow basic IoT security hygiene.
read more →

Attackers Use TON Blockchain to Target Hotels

🛡️ Trend Micro's TrendAI discovered a phishing campaign targeting Booking.com partner accommodations in Japan that uses guest complaint impersonations to trick staff into opening malicious attachments. The delivered malware, TONResolver, is hosted via a smart contract on the TON blockchain and acts as a remote access trojan, establishing persistent backdoor connectivity for follow-up intrusion. Attackers abused scheduling-tool notifications to bypass SPF/DKIM/DMARC protections and used Node.js obfuscation and LNK-based delivery to frustrate detection.
read more →

Mistic backdoor linked to KongTuke access broker

🛡️ Broadcom, Symantec, and Carbon Black report a stealthy backdoor named Mistic (aka MLTBackdoor) deployed since April 2026 across insurance, education, IT, and professional services. The implant runs in memory via DLL side-loading of trusted tooling, includes a kill switch, and was dropped alongside ModeloRAT, a Python RAT tied to the KongTuke access broker. Analysts say the activity appears opportunistic and linked to ClickFix delivery chains and ransomware-related actors.
read more →

Mistic backdoor tied to initial access broker activity

🔍 Researchers have uncovered a backdoor named Mistic used in enterprise intrusions since April, linked to an initial access broker that sells footholds to ransomware gangs. The Windows DLL-sideloading malware executes in memory, reaches out to C2 servers, and can move, delete, and transfer files while also enabling credential theft. Symantec observed Mistic alongside ModeloRAT and social engineering chains using fake CAPTCHAs and malicious paste-and-run guidance.
read more →

Stealthy Mistic backdoor tied to KongTuke broker

🛡️ Symantec and Zscaler have detected a new backdoor named Mistic (tracked as MTLBackdoor) used in financially motivated intrusions since April, linked to the initial access broker KongTuke/Woodgnat. The malware was observed in attacks against insurance, education, IT, and professional services organizations and was sometimes deployed after ModeloRAT via social-engineering on Microsoft Teams. Mistic is designed for long-term stealth, side-loading as version.dll from a legitimate executable and running payloads in memory while offering file management, remote command execution, configurable C2 check intervals, and a self-deletion kill switch.
read more →

Rokarolla Android trojan targets 217 financial apps

🛡️ A new Android banking trojan called Rokarolla targets 217 banking and cryptocurrency apps and supports 137 commands. Distributed via malicious sites posing as Chrome or TikTok installers, it requests Accessibility and other sensitive permissions to gain near-complete control of infected devices. Researchers at Zimperium report it harvests SMS, contacts, keystrokes, screenshots, and lock-screen credentials while displaying phishing overlays and disabling protections like Google Play Protect.
read more →

Rokarolla Android trojan isolates victims from banks

🔒 Researchers have detailed Rokarolla, an Android banking trojan that not only steals credentials but effectively seizes control of phones to isolate victims from banks. The malware spreads via fake sites posing as TikTok or Chrome and uses a dropper impersonating Google Play Protect to install a second-stage payload. Rokarolla abuses Android Accessibility Services, makes itself the default call and SMS handler, hides its icon, mutes alerts and captures screenshots and overlays fake login screens to harvest bank and crypto credentials.
read more →

DragonForce hid C&C traffic in Microsoft Teams

🔒 Researchers report that DragonForce operators covertly used Microsoft Teams TURN relay servers to mask command-and-control traffic while infiltrating a major US services firm during a 2025 campaign. The attackers deployed a Go-based RAT, named Backdoor.Turn, which obtained anonymous Teams visitor tokens and established QUIC sessions to attacker-controlled servers. They also exploited an undocumented Huawei driver vulnerability and modified system settings to maintain persistence, exfiltrate data and deploy DragonForce ransomware.
read more →

Windows SprySOCKS variants used in gov’t targeting

🔎 ESET researchers report Windows versions of the SprySOCKS malware, linked to the Chinese threat actor Earth Lusca, were used in 2023–2024 attacks against government organizations in Taiwan, Thailand, Pakistan, and Honduras. The Windows family includes WIN_DRV with kernel drivers for rootkit-like stealth and WIN_PLUS, a lighter backdoor. Both support TCP/UDP/WebSocket communications, SOCKS proxying, extensive C2 commands, file and process management, and data collection such as keystrokes and clipboard contents.
read more →

ScarCruft uses fake Microsoft alerts to deploy NarwhalRAT

🛡️ Genians Security Center observed North Korea–linked ScarCruft (APT37) sending spear-phishing emails impersonating Microsoft Account security alerts to trick victims into opening ZIP attachments. The archive contains a malicious LNK that triggers a multi-stage chain: batch scripts download a legitimate Python executable, a CAT file, and install NarwhalRAT. Persistence is achieved via scheduled tasks that launch an in-memory payload, enabling keystroke logging, screenshots, audio capture, file exfiltration, and remote command execution.
read more →

Fake AI Guides Used to Deliver AsyncRAT Trojan

🛡️ Fortinet researchers uncovered a campaign where threat actors disguise malware as AI study guides and developer resources to deliver a multi-stage attack culminating in the AsyncRAT trojan. The booby-trapped archives contain shortcut (LNK) files and hidden documents that trigger staged scripts, using trusted system tools and AutoHotkey repurposed as an execution engine to evade detection. Attackers deploy scheduled tasks disguised as Realtek services, process hollowing to run payloads inside legitimate .NET processes, and hide components in decoy files to keep victims unaware while PowerShell stages execute silently.
read more →

OceanLotus Targets Vietnamese Investors and Firms

🔍 ESET links the Vietnam-aligned APT group OceanLotus to two campaigns delivering the SPECTRALVIPER backdoor against a transport construction firm and stock investors via a FireAnt Metakit supply-chain compromise between mid-2024 and March 2026. The actor used DLL side-loading and update-server abuse to deploy loaders and steal host profiles, signaling a shift toward more selective domestic espionage.
read more →

SilabRAT malware targets crypto via session hijacks

🛡️ Group-IB reports a new MaaS remote access trojan called SilabRAT, advertised since late 2025 and offered on dark web forums. The malware uses a hidden VNC (HVNC) and browser-profile cloning to hijack logged-in sessions and evade passwords and MFA, while operators spread it via spam and ClickFix lures. Its capabilities include keystroke logging, clipboard clippers, COM elevation to bypass Chrome app-bound encryption, and persistent access aimed at stealing cryptocurrency.
read more →