
All news with #remote access trojan tag

309 articles

Webworm Adds EchoCreep and GraphWorm Using Discord

🔍 ESET researchers observed that China-aligned Webworm expanded its toolkit in 2025 with two new backdoors—EchoCreep and GraphWorm—that use Discord and the Microsoft Graph API for C2 communications. The actor increasingly favors proxy-based utilities and staging techniques such as SoftEther VPN and GitHub repositories to blend malicious traffic. Targets include government and enterprise entities across Asia and Europe, while older RATs appear to be abandoned.

Tracking TamperedChef: Malicious Productivity Software

🔎 Unit 42 documents clusters of TamperedChef-style campaigns that trojanize productivity tools (e.g., PDF editors, calendars) to deliver stealers, RATs and proxies. These operations use malvertising-driven distribution, legitimate-looking sites, frequent binary rebuilds and code signing to evade detection. We tracked three clusters (CL-CRI-1089, CL-UNK-1090, CL-UNK-1110), over 4,000 samples and 100 variants. If compromised, contact the Unit 42 Incident Response team for assistance.

Webworm APT's 2025 Shift: New Burrowing Tactics and Proxies

🛡️ ESET researchers analyzed Webworm’s 2025 campaigns and found a shift from traditional RATs to stealthier proxy tools and two new backdoors, EchoCreep and GraphWorm, which abuse Discord and the Microsoft Graph API for C2. They decrypted over 400 Discord messages, uncovered GitHub staging repositories and a compromised Amazon S3 bucket, linking infrastructure to Vultr and IT7 Networks. Victims across Europe and South Africa were targeted; identified services have been taken down and impacted parties notified.

Kazuar Evolves into Modular P2P Botnet by Secret Blizzard

📡 Microsoft reports that Russian-linked actor Secret Blizzard has turned the long-running Kazuar backdoor into a modular peer-to-peer botnet built for persistence, stealth, and data theft. The malware now runs three modules—Kernel, Bridge, and Worker—with an elected Kernel leader to minimize external C2 traffic and improve stealth. Internal IPC, AES encryption, and Protobuf serialization protect communications, while 150+ configuration options and AMSI/ETW/WLDP bypasses increase evasion.

Turla Converts Kazuar Into Modular P2P Botnet for Stealth

🐍 Microsoft and CISA report that Russian state-linked Turla has evolved its Kazuar .NET backdoor into a modular, peer-to-peer botnet engineered for stealth and persistence. The architecture now separates into Kernel, Bridge, and Worker modules to minimize footprint and enable flexible tasking. Deployments use droppers such as Pelmeni and ShadowLoader to decrypt and load modules across compromised hosts. The design centralizes staging in a dedicated working directory to maintain state and streamline exfiltration.

China-linked TencShell implant derived from Rshell C2

🔍 Cato Networks' Cyber Threats Research Lab (CTRL) identified an undocumented Go-based implant called TencShell while responding to an April 2026 intrusion attempt against the Indian branch of a global manufacturer. The operation used a first-stage dropper, Donut shellcode, a disguised .woff web-font resource, memory injection and web-like C2 traffic. Cato blocked the intrusion and published technical findings in a May 13 report, linking the implant to an altered Rshell C2 lineage and Tencent-like API impersonation.

KongTuke Uses Microsoft Teams to Gain Corporate Access

🔒 Threat actor KongTuke has begun using Microsoft Teams to socially engineer employees and quickly gain persistent network access. Attackers impersonate IT staff, trick victims into running a malicious PowerShell command, and deploy ModeloRAT via a Dropbox-hosted ZIP containing a portable WinPython runtime. ReliaQuest observed the campaign active since April 2026, with attackers rotating Microsoft 365 tenants and employing Unicode tricks to appear legitimate. The malware includes resilient C2, multiple access paths, and persistence methods that can survive standard cleanup.

Chinese-Linked Group Repeatedly Hits Azerbaijani Energy

🔒 Bitdefender links a multi-wave intrusion against an Azerbaijani oil and gas company to the China-affiliated group FamousSparrow, observed between December 2025 and February 2026. The adversary repeatedly exploited a Microsoft Exchange Server ProxyNotShell chain to deploy alternating backdoors — Deed RAT and TernDoor — across three waves. Attackers used evolved DLL side-loading via the legitimate LogMeIn Hamachi binary, attempted web shell persistence and lateral movement, and re-entered the environment despite remediation efforts.

cPanel Authentication Bypass Deploys Filemanager Backdoor

🔒 Researchers report that a threat actor known as Mr_Rot13 is exploiting a critical cPanel/WHM vulnerability (CVE-2026-41940) to deploy a cross-platform backdoor named Filemanager on compromised hosts. A QiAnXin XLab analysis indicates automated attacks from more than 2,000 source IPs worldwide and an infection chain that replaces root credentials, plants SSH keys, deploys a PHP web shell, and delivers a Go-based infector. The malware harvests credentials and system data, sends results to attacker-controlled infrastructure, and enables file management and remote command execution across Windows, macOS, and Linux.

TrickMo C Moves Android C2 to TON Blockchain Network

📡 ThreatFabric has identified a new Android banking trojan variant, TrickMo C, that shifts its command-and-control channel into The Open Network (TON) blockchain by resolving operator endpoints as .adnl identities. The malicious APK embeds a native TON proxy and routes its HTTP client through a loopback port, while any remaining clearnet queries are sent via DNS-over-HTTPS. This design makes conventional domain takedowns ineffective and helps conceal malicious traffic as legitimate TON application activity.

JDownloader Site Compromise Replaced Installers with RAT

⚠ The official JDownloader website was compromised between May 6 and May 7, 2026, and attackers replaced alternative Windows and Linux installers with malicious payloads. The Windows binaries deploy a heavily obfuscated Python-based remote access trojan, while the Linux shell installer installs SUID-root components and persistence. Developers say the CMS was abused to alter download links without host-level access and have taken the site offline to investigate. Users who ran affected installers should treat systems as compromised, verify installers' digital signatures (AppWork GmbH) and consider reinstalling and rotating credentials.

Quasar Linux RAT Targets Developers' Credentials, Pipelines

🔒 Trend Micro researchers disclosed a previously undocumented Linux implant dubbed Quasar Linux RAT (QLNX) that targets developers and DevOps credentials to establish a stealthy foothold. The fileless loader masquerades as kernel threads, erases logs, and persists via seven or more mechanisms such as systemd, crontab and .bashrc injection. Its credential harvester extracts secrets from high-value files including .npmrc, .pypirc, .git-credentials, .aws/credentials, .kube/config, .docker/config.json and .env, enabling registry poisoning, cloud access or CI/CD pivoting. QLNX also installs PAM inline-hook backdoors, a userland LD_PRELOAD rootkit and an eBPF kernel component to hide artifacts while supporting 58 remote commands and data exfiltration.

PamDOORa: PAM-Based Linux Backdoor Enables Persistent SSH

🔐 Researchers disclosed a new Linux backdoor called PamDOORa, advertised on the Russian cybercrime forum Rehub by an actor named "darkworm". The PAM-based post-exploitation toolkit provides persistent OpenSSH access via a magic password and specific TCP port and can harvest credentials for all users who authenticate through the compromised host. Flare.io says the implant also includes anti-forensic features to tamper with authentication logs and evasion techniques. The seller listed it at $1,600 in March 2026, later reducing the price to about $900.

Fake Claude-Pro Site Distributes Beagle Windows Backdoor

⚠️ A fake Claude website pushed a 505MB archive named 'Claude-Pro-windows-x64.zip' that installs a trojanized MSI and drops three Startup files: NOVupdate.exe, NOVupdate.exe.dat, and avk.dll. Sophos and Malwarebytes analysis shows the signed G Data updater is abused to sideload avk.dll and an encrypted payload, which decrypts an in-memory DonutLoader that deploys the new Beagle backdoor. Beagle runs in memory, communicates with C2 at license.claude-pro[.]com (8.217.190[.]58) over TCP/443 or UDP/8080 using a hardcoded AES key, and supports basic file and command operations.

CloudZ RAT and Pheno Plugin Abuse Microsoft Phone Link

🔐 Cisco Talos has observed the CloudZ RAT paired with a previously undocumented plugin, Pheno, harvesting SMS messages and one-time passwords by abusing Microsoft's Phone Link functionality. Pheno scans for Phone Link processes and confirms active paired sessions before extracting synced SMS content from local SQLite files, allowing attackers to capture OTPs without touching the victim's mobile device. Observed since January 2026, the campaign uses a Rust loader, a .NET payload deployed via regasm.exe, and multiple anti-analysis techniques; Talos published IoCs and ClamAV signatures to aid detection.

Quasar Linux (QLNX) Turns Linux Hosts into P2P Mesh

🐧 Quasar Linux (QLNX) is a newly disclosed modular Linux RAT that converts compromised hosts into a resilient peer-to-peer attack mesh. It bundles kernel-level rootkit techniques, PAM-based authentication backdoors, and fileless persistence to hide activity and survive remediation. Trend Micro’s analysis notes the binary even embeds C source for its PAM backdoor and LD_PRELOAD rootkit. The implant communicates over raw TCP, HTTP, and HTTPS, with TLS available on the TCP and HTTPS channels; Trend Micro has published IOCs and applied protections for Trend Vision One customers.

CloudZ RAT Exploits Windows Phone Link to Steal OTPs

🔒 Cisco Talos researchers disclosed an intrusion leveraging the CloudZ remote access tool and an undocumented plugin named Pheno to harvest credentials and one‑time passwords. The attackers abused Microsoft's Phone Link PC-to-phone bridge to monitor SMS/OTP data without deploying malware on the mobile device. The campaign, active since at least January 2026, uses a fake ConnectWise ScreenConnect dropper, a .NET loader and modular plugins to establish persistence and encrypted C2 communications.

China-linked UAT-8302 Targets Governments in 2024–2025

🔐 Cisco Talos attributes a China-nexus APT it tracks as UAT-8302 to sustained attacks on government entities in South America since late 2024 and on agencies in southeastern Europe in 2025. The actor deploys custom backdoors, notably a .NET implant called NetDraft (aka NosyDoor), and leverages tools such as CloudSorcerer, VShell and SNOWLIGHT/SNOWRUST. Talos highlights reuse of malware linked to multiple China-aligned clusters and extensive reconnaissance, lateral movement, and proxy/VPN-based persistence.

Venomous#Helper Phishing Uses Signed RMM to Install Backdoor

🛡️ A sustained phishing campaign named Venomous#Helper is abusing signed remote monitoring and management (RMM) tools to install persistent backdoors on Windows hosts. Researchers at Securonix say attackers used SSA-branded lures that redirected via a compromised Mexican domain to a signed JWrapper binary masquerading as a government document. The payload deploys a cracked SimpleHelp build alongside a ConnectWise ScreenConnect relay, creating dual access channels and robust persistence mechanisms that evade basic gateway and EDR checks.

Supply Chain Attack via DAEMON Tools Compromises Installers

⚠️ Kaspersky researchers discovered a large-scale supply chain attack that trojanized DAEMON Tools installers; the malicious executables are signed with a valid AVB Disc Soft digital signature and have been distributed since April 8, 2026. Once installed the malware runs at startup, collects system and network information, and contacts a command-and-control server that can deliver additional payloads. In some cases attackers deployed a backdoor and a more advanced implant, QUIC RAT, capable of in-memory execution and process injection; users should audit systems and use reliable security solutions.