All news with #remote access trojan tag

Police Disrupt Rhadamanthys, VenomRAT and Elysium Botnets

🔒 Law enforcement from nine countries disrupted infrastructure used by the Rhadamanthys infostealer, VenomRAT remote access trojan and the Elysium botnet during a phase of Operation Endgame. Coordinated by Europol and Eurojust with private partners, officers seized 20 domains, took down 1,025 servers and executed searches at 11 locations between 10 and 14 November 2025. A key suspect linked to VenomRAT was arrested in Greece, and authorities warn that the dismantled infrastructure contained hundreds of thousands of infected machines and several million stolen credentials, plus access to over 100,000 crypto wallets.

PhantomCaptcha campaign targets Ukraine relief organisations

🛡️Researchers uncovered the 'PhantomCaptcha' phishing campaign that impersonated the Ukrainian President's Office to target humanitarian and government organisations supporting Ukraine relief efforts. Beginning 8 October 2025, malicious PDFs directed recipients to a fake Zoom site and a Cloudflare-like verification page that tricked users into executing PowerShell via a 'Paste and Run' technique. The multi-stage malware included a large obfuscated downloader, a reconnaissance module and a WebSocket-based RAT. SentinelLABS and the Digital Security Lab of Ukraine advise monitoring PowerShell, enforcing execution policies and tracking suspicious WebSocket connections.

Silver Fox Expands Winos 4.0 Attacks to Japan, Malaysia

🔎 Silver Fox operators have expanded the Winos 4.0 (ValleyRAT) campaign from China and Taiwan to target Japan and Malaysia, and are also deploying a secondary RAT tracked as HoldingHands. The actors use phishing emails with booby‑trapped PDFs, SEO‑poisoned pages and targeted .LNK résumé lures to deliver multiple payloads, including Winos modules and HoldingHands. Observed techniques include DLL sideloading, Task Scheduler recovery abuse, anti‑VM checks and AV termination to maintain persistence and evade detection.

Researchers Expose TA585 Delivering MonsterV2 RAT via Phishing

🔎 Proofpoint researchers detailed a previously undocumented actor, TA585, observed delivering the off‑the‑shelf malware MonsterV2 through tailored phishing chains. The actor appears to manage its entire operation — infrastructure, delivery, and payload installation — employing web injections, CAPTCHA overlays and ClickFix social engineering to trigger PowerShell or Run commands. MonsterV2 functions as a RAT, stealer and loader with HVNC, keylogging, clipboard clippers and a C++ crypter (SonicCrypt) to evade detection. Proofpoint also links parts of the infrastructure to other stealer campaigns and highlights commercialized pricing and geographic filtering in its monetization.

XWorm 6.0 Returns with 35+ Plugins and Enhanced Theft

🛡️ Trellix researchers detail the return of XWorm 6.0, a modular Windows malware now supporting more than 35 in‑memory DLL plugins and expanded data-theft and persistence capabilities. The actor associated with earlier releases, known as XCoder, is of uncertain status, but v6.0—advertised on forums in June 2025—appears to address a prior RCE flaw while enabling credential theft, keylogging, screen capture, and optional ransomware. Campaigns use phishing, malicious JavaScript, LNK-based PowerShell chains, and process injection to evade detection and execute plugins directly in memory.

Android malware uses VNC to give attackers hands-on access

🔒 Klopatra is a newly observed Android banking and remote access trojan distributed via a sideloaded dropper app called Modpro IP TV + VPN that has infected over 3,000 devices across Europe. The malware abuses Android Accessibility to capture inputs, exfiltrate clipboard content, simulate taps and gestures, and monitor screens. A concealed black‑screen VNC mode lets operators interact with devices and perform manual bank transactions while the device appears idle. Cleafy notes extensive anti-analysis protections, use of commercial packers, and active development since March 2025.

Klopatra Android Banking Trojan Hits 3,000+ Devices

🔒 Cleafy has uncovered Klopatra, a previously undocumented Android banking trojan that has infected over 3,000 devices—predominantly in Spain and Italy. The malware leverages Hidden VNC for remote device control and dynamic overlays to harvest credentials, while integrating the commercial Virbox protection suite and native libraries to evade detection and analysis. Operators distribute Klopatra via social-engineered IPTV droppers, abuse Android accessibility permissions to persist and perform actions, and use a black-screen VNC mode and stolen PINs or patterns to unlock devices and execute rapid fraudulent transfers.

China-linked PlugX and Bookworm Target Asian Telecoms

🔍 Cisco Talos and Palo Alto Networks Unit 42 describe concurrent campaigns distributing a revised PlugX variant and the long‑running Bookworm RAT against telecommunications and manufacturing organizations across Central and South Asia and ASEAN countries. Talos found that the PlugX sample borrows RainyDay and Turian techniques — DLL side‑loading of a Mobile Popup Application, XOR‑RC4‑RtlDecompressBuffer payload processing and reuse of RC4 keys — and includes an embedded keylogger. Researchers note the PlugX configuration now mirrors RainyDay’s structure, suggesting links to Lotus Panda/Naikon or shared tooling, while Unit 42 highlights Bookworm’s modular leader/DLL architecture, UUID-encoded shellcode variants, and use of legitimate-looking C2 domains to blend with normal traffic.

HiddenGh0st, Winos and kkRAT Abuse SEO and GitHub Pages

🚨 Fortinet and Zscaler researchers describe an SEO poisoning campaign that targets Chinese-speaking users by surfacing spoofed download pages and GitHub Pages that host trojanized installers. Attackers manipulated search rankings and registered lookalike domains to trick victims into downloading installers bundling legitimate applications with hidden malware such as HiddenGh0st and Winos. Delivery chains use scripts (for example, nice.js), multi-stage JSON redirects, malicious DLLs and DLL sideloading to evade detection and establish persistence.

AsyncRAT Delivery via ConnectWise ScreenConnect Abuse

⚠️ Cybersecurity researchers disclosed a campaign that abuses ConnectWise ScreenConnect remote sessions to deliver a fileless loader which ultimately executes the AsyncRAT remote-access trojan. Attackers use hands-on-keyboard activity to run a layered VBScript and PowerShell chain that loads obfuscated .NET assemblies and spawns AsyncClient.exe. Persistence is maintained via a scheduled task disguised as "Skype Updater," and stolen credentials, keystrokes, and wallet artifacts are exfiltrated to a DuckDNS command-and-control host.

CHILLYHELL macOS Backdoor and ZynorRAT Cross-Platform RAT

🔍 Researchers have identified two malware strains: a modular macOS backdoor named CHILLYHELL and a Go-based cross-platform RAT called ZynorRAT. Jamf Threat Labs links CHILLYHELL to UNC4487, noting extensive host profiling, multiple persistence techniques, timestomping, and multi-protocol C2 over HTTP and DNS. The notarized CHILLYHELL sample (uploaded to VirusTotal on May 2, 2025) underscores that signed binaries can be malicious. Sysdig analysis shows ZynorRAT is managed via a Telegram bot and supports file exfiltration, screenshots, system enumeration, and persistence on Linux and Windows.

New Malware Campaigns: MostereRAT and ClickFix Risks

🔒 Researchers disclosed linked phishing campaigns delivering a banking malware-turned-RAT called MostereRAT and a ClickFix-style chain distributing MetaStealer. Attackers use an obscure Easy Programming Language (EPL), mutual TLS for C2, and techniques to disable Windows security and run as TrustedInstaller to evade detection. One campaign drops remote-access tools like AnyDesk and VNC variants; another uses fake Cloudflare Turnstile pages, LNK tricks, and a prompt overdose method to manipulate AI summarizers.

Blind Eagle: Five Clusters Target Colombian Government

⚠️ Recorded Future's Insikt Group attributes five distinct activity clusters to the actor Blind Eagle (tracked as TAG-144) active between May 2024 and July 2025. The campaigns largely targeted Colombian government agencies across local, municipal, and federal levels using spear-phishing, cracked and open-source RATs (including AsyncRAT, Remcos, DCRat, and Lime RAT) and legitimate internet services for staging. Operators abused dynamic DNS, VPS and VPN services and leveraged geofencing and compromised accounts to redirect or evade detection.

Transparent Tribe Targets Indian Govt with Shortcut Malware

🔒 Transparent Tribe (APT36) has been observed delivering weaponized desktop shortcut files to compromise both Windows and BOSS Linux systems at Indian government organizations. Reports from CYFIRMA, CloudSEK, Hunt.io, and Nextron Systems describe Go-based droppers, hex-encoded ELF payloads, and cron-based persistence. The campaign uses spear-phishing lures and typo-squatted domains with decoy PDFs to harvest credentials and target Kavach two-factor authentication, while deploying backdoors such as Poseidon and MeshAgent to maintain long-term access.

QuirkyLoader Deploys Agent Tesla, AsyncRAT and Keyloggers

🛡️ Researchers disclosed a new .NET-based DLL loader named QuirkyLoader that's been used since November 2024 to deliver information stealers, keyloggers and RATs via email spam. IBM X-Force says attackers send malicious archives from both legitimate providers and self-hosted servers; each archive contains a DLL, an encrypted payload and a real executable used for DLL side-loading. The loader uses process hollowing to inject decrypted payloads into AddInProcess32.exe, InstallUtil.exe or aspnet_wp.exe. Operators compile the .NET DLL with ahead-of-time (AOT) compilation so the resulting binary resembles native C/C++ code and is harder to attribute.

Rogue CAPTCHAs: Phony Verification Pages Spread Malware

🔒 Phony CAPTCHA pages are being used to trick users into running commands that invoke legitimate Windows tools like PowerShell or mshta.exe, which then download and install malware. Threat actors—including those using the social engineering method ClickFix—deploy infostealers, remote access trojans, ransomware and cryptominers through deceptive verification prompts that appear legitimate. Users should avoid executing pasted commands, keep systems and security software updated, and consider ad blockers to reduce exposure.