< ciso
brief />
Tag Banner

All news with #remote access trojan tag

337 articles · page 10 of 17

Nezha Monitoring Tool Repurposed as Post-Exploitation RAT

🔍 A legitimate open-source server monitoring platform, Nezha, is being abused by threat actors as a post-exploitation remote access tool. Ontinue's Cyber Defense Center found attackers silently installing the agent to gain SYSTEM/root privileges and execute remote commands, file transfers and interactive shells. Because the software is legitimate and shows zero detections on VirusTotal, signature-based defenses often fail to flag this misuse. The campaign highlights the challenge of distinguishing benign tools from adversary activity.
read more →

France Arrests Crew Member Over Malware on Italian Ferry

🚨 French authorities arrested a Latvian crew member after discovery of a remote access tool aboard the Italian passenger ferry Fantastic, owned by Grandi Navi Veloci. A Bulgarian crewmember was released without charge. The malware was detected and neutralized by GNV while the ship was docked in Sète, and France's DGSI seized items for forensic analysis. Investigators are treating the case as suspected foreign interference and continue cooperation with Italian authorities.
read more →

Kimsuky Distributes DocSwap Android RAT via QR Phish

📱 ENKI links the North Korean actor Kimsuky to a campaign delivering a new Android remote-access trojan dubbed DocSwap via QR codes on phishing sites impersonating CJ Logistics. Victims are lured by smishing or phishing to scan a QR that prompts installation of a malicious "SecDelivery.apk," which decrypts and loads an embedded payload and requests broad permissions. The app mimics OTP authentication to reassure users while launching a background service that connects to attacker infrastructure and exposes capabilities including keystroke logging, audio and camera capture, and data exfiltration.
read more →

Chinese-nexus APT UAT-9686 Targets Cisco AsyncOS Appliances

🔒 Cisco Talos identified a targeted campaign, tracked as UAT-9686, that compromises appliances running Cisco AsyncOS, including Secure Email Gateway and Secure Email and Web Manager. The actor, assessed as a Chinese-nexus APT, deployed a Python backdoor called AquaShell that decodes specially crafted HTTP POSTs and executes system shell commands after being placed in a web server file. Operators also used a Go-based reverse SSH tool (AquaTunnel), Chisel for tunneling, and a log wiper named AquaPurge. Cisco has published advisories and recommends following remediation guidance and opening cases with TAC if IOCs are observed.
read more →

ForumTroll Phishing Targets Russian Scholars via eLibrary

📚 Kaspersky reported a targeted phishing campaign linked to Operation ForumTroll observed in October 2025 that impersonated the Russian eLibrary service. Attackers used a long-aged bogus domain to send personalized emails with one-time links to ZIP archives named for each victim, which contained a .LNK that runs a PowerShell downloader. The chain fetches a staged payload that loads a final DLL, persists via COM hijacking, deploys the Tuoni C2 framework for remote access, and shows a decoy PDF to victims.
read more →

Cellik Android MaaS Builds Malicious Play Store Apps

⚠️ Cellik is a new Android malware-as-a-service advertised on underground forums that enables operators to create trojanized copies of legitimate Google Play apps. Attackers can select Play Store apps and build malicious APKs that retain the original UI, potentially helping infections remain unnoticed and, the seller claims, bypass Play Protect. The service, discovered by iVerify, is offered for $150 per month or $900 for lifetime access and includes capabilities such as screen streaming, notification interception, file exfiltration, a hidden browser mode, and an encrypted command-and-control channel.
read more →

Instructor jailed for teaching criminals to use Spymax

🛡️ A 49-year-old Malaysian national, Cheoh Hai Beng, has been sentenced in Singapore to five-and-a-half years' imprisonment and fined S$3,608 after admitting he produced detailed video tutorials showing criminals how to deploy the Spymax Android RAT. Between February and May 2023 he is reported to have recorded about 20 step‑by‑step videos demonstrating installation, remote control, credential theft, camera hijack, contact harvesting and GPS tracking. Authorities say these tutorials were circulated on criminal networks and used to facilitate financial fraud against victims who were tricked into installing the malware.
read more →

Fake GitHub Repos Deliver PyStoreRAT via HTA/JS Loaders

🛡️ Researchers warn that a wave of malicious GitHub repositories are distributing a newly observed JavaScript-based RAT called PyStoreRAT, delivered via minimal Python/JS loader stubs that fetch and execute remote HTA files through mshta.exe. The deceptive projects — marketed as OSINT utilities, DeFi bots, GPT wrappers, and developer tools — often exhibit non-functional or placeholder interfaces designed to build trust. Once executed, the multi-stage implant can run EXE, DLL, PowerShell, MSI, Python, and HTA modules and deploys a follow-on information stealer, Rhadamanthys. The initial stage also checks for security products such as CrowdStrike and Cybereason to reduce visibility and establishes persistence via a scheduled task masquerading as an NVIDIA update.
read more →

Fake 'One Battle After Another' Torrent Hides Malware

🛡️ Bitdefender researchers uncovered a malicious torrent impersonating the new Paul Thomas Anderson film that hides PowerShell loaders inside subtitle files, ultimately delivering the Agent Tesla RAT. A deceptive shortcut (CD.lnk) triggers a PowerShell script embedded between specific subtitle lines to extract AES-encrypted blocks and reconstruct multiple dropper scripts. The complex chain extracts files from included images and the movie file, creates a hidden scheduled task, disables or checks Windows Defender, and loads the final payload in memory, showing a high degree of stealth and persistence.
read more →

NANOREMOTE Windows Backdoor Abuses Google Drive API for C2

🔍 Elastic Security Labs has detailed a Windows backdoor named NANOREMOTE that leverages the Google Drive API to stage payloads and exfiltrate data, making detection more difficult. The C++ implant implements a robust task manager for queued uploads and downloads with pause, resume and cancel capabilities and exposes 22 command handlers for reconnaissance, execution and file transfer. Researchers also observed a WMLOADER dropper and an uploaded artifact linking NANOREMOTE to the FINALDRAFT family, indicating likely code reuse.
read more →

North Korea-linked Actors Use React2Shell to Deploy EtherRAT

🛡️ Threat actors tied to North Korea have been observed exploiting the critical React Server Components vulnerability (React2Shell, CVE-2025-55182) to deliver a new remote access trojan named EtherRAT. The implant downloads a Node.js runtime, decrypts and spawns a JavaScript payload, and resolves command-and-control via Ethereum smart contracts using a multi-endpoint consensus method. EtherRAT persists on Linux with five distinct mechanisms and supports self-updating obfuscated payloads, enabling long-term stealthy access and making remediation difficult.
read more →

React2Shell Exploits Deploy EtherRAT, Linked to DPRK

🔐 Security researchers at Sysdig report new campaigns exploiting React2Shell (CVE-2025-55182), resulting in a novel implant that delivers EtherRAT and demonstrates advanced persistence and evasion. The exploit targets React v19 and many related frameworks, using a base64 shell command to fetch a downloader that installs Node.js, decrypts an obfuscated JavaScript dropper, and executes a blockchain-based C2-capable payload. Sysdig observed tooling overlaps with North Korea-associated campaigns, though firm attribution remains unconfirmed.
read more →

North Korean Hackers Exploit React2Shell to Deploy EtherRAT

🔒 Researchers at Sysdig uncovered a new malware implant, EtherRAT, delivered via exploitation of the React2Shell deserialization flaw in Next.js just days after the vulnerability disclosure. The implant bundles a full Node.js runtime, uses an encrypted loader, and employs Ethereum smart contracts for resilient C2 while supporting five Linux persistence mechanisms. Operators can self-update the payload and execute arbitrary JavaScript, complicating detection and response.
read more →

JS#SMUGGLER Uses Compromised Sites to Deploy NetSupport RAT

🔍 Securonix has detailed a campaign named JS#SMUGGLER that leverages compromised websites and an obfuscated JavaScript loader to deliver the NetSupport RAT. Attackers chain a hidden iframe and a remote HTA executed via mshta.exe to run encrypted PowerShell stagers and fetch the RAT. The loader applies device-aware branching and a visit-tracking mechanism to trigger payloads only on first visits, reducing detection risk. Temporary stagers are removed and payloads execute in-memory to minimize forensic artifacts.
read more →

Android FvncBot, SeedSnatcher, and ClayRat Upgrades Evolved

📱 Cybersecurity researchers disclosed two new Android malware families (FvncBot, SeedSnatcher) and an upgraded ClayRat with expanded data-theft features. Reported by Intel 471, CYFIRMA, and Zimperium, the samples abuse Android accessibility services and MediaProjection to harvest keystrokes, stream screens, install overlays, and exfiltrate credentials. FvncBot targets Polish banking users and implements HVNC, web-injects, and keylogging; SeedSnatcher focuses on stealing cryptocurrency seed phrases and 2FA via SMS interception. These threats enable persistent device takeover and credential theft.
read more →

MuddyWater Deploys UDPGangster Backdoor in Attacks

🔒 The Iranian-linked group MuddyWater has been observed deploying a new UDP-based backdoor called UDPGangster, using UDP channels for command-and-control, data exfiltration, and remote command execution. Fortinet FortiGuard Labs says the campaign targeted users in Turkey, Israel, and Azerbaijan via spear-phishing messages that deliver macro-enabled Word documents (e.g., "seminer.doc" inside "seminer.zip") and display a Hebrew-language decoy image. The embedded VBA macro decodes Base64 content into C:\Users\Public\ui.txt and launches it via CreateProcessA; the payload establishes registry persistence and runs multiple anti-analysis checks before communicating over UDP to 157.20.182[.]75:1269 to exfiltrate data, run commands with "cmd.exe", transfer files, and deploy additional payloads.
read more →

False-Flag Teams Lure Delivers ValleyRAT via SEO Poisoning

🚨 ReliaQuest attributes a false-flag SEO poisoning campaign to the actor known as Silver Fox, which has been active since November 2025 and aims to masquerade as a Russian group to mislead investigators. The campaign pushes a malicious Teams installer packaged as "MSTчamsSetup.zip" from an Alibaba Cloud URL, drops a trojanized Setup.exe, establishes exclusions in Microsoft Defender, and writes a staged installer "Verifier.exe" to the AppData profile. The loader scans for security processes, injects a malicious DLL into rundll32.exe, and reaches out to a remote server to retrieve the final ValleyRAT payload.
read more →

GoldFactory Targets SE Asia with Modified Banking Apps

🛡️ Group-IB says the financially motivated actor GoldFactory has launched a new campaign across Indonesia, Thailand, and Vietnam, distributing modified Android banking apps that serve as droppers for remote‑access trojans. The campaign, active since October 2024 and linked to activity as far back as June 2023, relies on phone-based social engineering and messaging apps like Zalo to direct victims to fake Play Store landing pages. Injected modules preserve normal banking functionality while hooking app logic to bypass security checks, abuse accessibility services, and exfiltrate credentials and account balances.
read more →

Malicious Rust Crate Delivers Cross-Platform Backdoor

⚠️ Researchers identified a malicious Rust crate, evm-units, on crates.io that targeted developer machines running Windows, macOS, and Linux by posing as an Ethereum Virtual Machine helper. Uploaded in mid‑April 2025 and downloaded thousands of times, the package fetched OS-specific payloads from download.videotalks[.]xyz, wrote them to temporary directories, and executed them silently. A related package, uniswap-utils, included evm-units as a dependency, widening exposure; both packages have been removed and indicators released to help defenders.
read more →

Researchers Expose Lazarus APT Remote-Worker Scheme Live

🔍 A joint investigation by Mauro Eldritch (BCA LTD), NorthScan, and ANY.RUN captured operators from North Korea's Lazarus Group Famous Chollima working through a network of remote IT contractors. Analysts used long-running sandbox VMs that mimicked real developer laptops to observe live activity without alerting the intruders, recording credential collection, AI-assisted interview tooling, OTP handling, and persistent access via Google Remote Desktop. The study found identity and workstation takeover — not traditional malware — as the primary intrusion method, underscoring significant risks in remote hiring and contractor vetting.
read more →