< ciso
brief />
Tag Banner

All news with #remote access trojan tag

337 articles · page 12 of 17

North Korean Hackers Use JSON Services for Malware

⚠️ NVISO researchers report that North Korean threat actors behind the Contagious Interview campaign are using public JSON storage services to stage and deliver malware. The attackers lure prospective victims—often developers—via LinkedIn with fake assessments or collaboration requests and host trojanized demo projects on code repositories. These projects point to obfuscated payloads on JSON Keeper, JSONsilo, and npoint.io that deploy a JavaScript loader BeaverTail which in turn drops a Python backdoor InvisibleFerret.
read more →

SpearSpecter: APT42 Targets Defense and Government

🛡️ The Israel National Digital Agency (INDA) has attributed a new espionage campaign codenamed SpearSpecter to Iranian state‑aligned APT42, active since September 2025 against senior defense and government officials and their family members. Operators employ tailored social engineering—invites to conferences and impersonated WhatsApp contacts—to deliver a WebDAV‑served .LNK via the search‑ms: handler that retrieves a batch script and stages the TAMECAT PowerShell backdoor. TAMECAT uses HTTPS, Discord, and Telegram for command-and-control, supports modular data‑theft capabilities (browser and Outlook exfiltration, screenshots), and relies on Cloudflare Workers, LOLBins, in‑memory execution, and obfuscation to maintain persistent, stealthy access.
read more →

Operation Endgame 3.0 Disrupts Three Major Malware Networks

🔒 Operation Endgame 3.0 targeted and dismantled infrastructure supporting three prominent malware families — Rhadamanthys, VenomRAT and the Elysium botnet — in coordinated actions carried out between 10 and 13 November. Authorities disrupted or seized more than 1,025 servers and 20 domains, searched 11 locations across multiple countries and arrested a suspected VenomRAT operator in Greece. The initiative was led by Europol with Eurojust, national law enforcement partners and over 30 private cybersecurity organizations.
read more →

Operation Endgame Takedown Disrupts Major Malware Campaign

🛡️ Investigators disrupted the infrastructure for the Rhadamanthys credential stealer and targeted the VenomRAT remote‑access trojan as part of Operation Endgame. Authorities secured data linked to more than 650,000 victims and published it on information platforms so people can verify exposure. A suspect was arrested in Greece, 11 premises were searched and over $200 million in cryptocurrency assets were frozen.
read more →

Police Disrupt Rhadamanthys, VenomRAT and Elysium Botnets

🔒 Law enforcement from nine countries disrupted infrastructure used by the Rhadamanthys infostealer, VenomRAT remote access trojan and the Elysium botnet during a phase of Operation Endgame. Coordinated by Europol and Eurojust with private partners, officers seized 20 domains, took down 1,025 servers and executed searches at 11 locations between 10 and 14 November 2025. A key suspect linked to VenomRAT was arrested in Greece, and authorities warn that the dismantled infrastructure contained hundreds of thousands of infected machines and several million stolen credentials, plus access to over 100,000 crypto wallets.
read more →

Fantasy Hub: Android RAT sold on Telegram as MaaS service

🔒 Cybersecurity researchers disclosed a new Android remote access trojan, Fantasy Hub, marketed on Russian-speaking Telegram channels under a Malware-as-a-Service model. The MaaS offers turnkey builders, bot-driven subscriptions, custom trojanized APKs and a C2 panel to manage compromised devices and exfiltrate SMS, contacts, media and call logs. Sellers provide fake Google Play landing pages and instruction to abuse the default SMS handler and deploy overlays to intercept banking 2FA and harvest credentials.
read more →

APT37 Abuses Google Find Hub to Remotely Wipe Android

🔍 North Korean-linked operators abuse Google Find Hub to locate targets' Android devices and issue remote factory resets after compromising Google accounts. The attacks focus on South Koreans and begin with social engineering over KakaoTalk, using signed MSI lures that deploy AutoIT loaders and RATs such as Remcos, Quasar, and RftRAT. Wiping devices severs mobile KakaoTalk alerts so attackers can hijack PC sessions to spread malware. Recommended defenses include enabling multi-factor authentication, keeping recovery access ready, and verifying unexpected files or messages before opening.
read more →

Konni Exploits Google's Find Hub to Remotely Wipe Devices

⚠️ The North Korea-linked Konni threat actor has been observed combining spear-phishing and signed installers to compromise Windows and Android systems and exfiltrate credentials. Genians Security Center reports attackers used stolen Google account credentials to access Google Find Hub and remotely reset devices, causing unauthorized data deletion. The campaign, detected in early September 2025, uses malicious MSI packages and RATs including EndRAT and Remcos to maintain long-term access and propagate via compromised KakaoTalk sessions.
read more →

China-aligned UTA0388 leverages AI in GOVERSHELL attacks

📧 Volexity has linked a series of spear-phishing campaigns from June to August 2025 to a China-aligned actor tracked as UTA0388. The group used tailored, rapport-building messages impersonating senior researchers and delivered archive files that contained a benign-looking executable alongside a hidden malicious DLL loaded via search order hijacking. The distributed malware family, labeled GOVERSHELL, evolved through five variants capable of remote command execution, data collection and persistence, shifting communications from simple shells to encrypted WebSocket and HTTPS channels. Linguistic oddities, mixed-language messages and bizarre file inclusions led researchers to conclude LLMs likely assisted in crafting emails and possibly code.
read more →

ClickFix Phishing Campaign Targets Hotels, Delivers PureRAT

🔒 Sekoia warns of a large-scale phishing campaign targeting hotel staff that uses ClickFix-style pages to harvest credentials and deliver PureRAT. Attackers impersonate Booking.com in spear-phishing emails, redirect victims through a scripted chain to a fake reCAPTCHA page, and coerce them into running a PowerShell command that downloads a ZIP containing a DLL-side‑loaded backdoor. The modular RAT supports remote access, keylogging, webcam capture and data exfiltration and persists via a Run registry key.
read more →

Phishing Campaign Targets Booking.com Partners and Guests

🔒 A large-scale phishing operation targeted Booking.com partner accounts and hotel staff, using impersonated emails and compromised hotel accounts to lure victims into running malicious commands. Attackers relied on redirection chains and the ClickFix social engineering tactic to execute PowerShell that delivered PureRAT. The remote access trojan enabled credential theft, screenshots and exfiltration, with stolen access sold or used to perpetrate payment fraud against guests.
read more →

UNK_SmudgedSerpent Targets Academics and Policy Experts

🛡️ Proofpoint has identified a previously unknown cluster it calls UNK_SmudgedSerpent that targeted academics and foreign policy experts between June and August 2025. Attackers initiated benign, topical conversations and used think‑tank impersonation alongside an OnlyOffice‑styled link that led to health-themed domains harvesting credentials and delivering a ZIP with an MSI. The installer deployed remote monitoring and management tooling — notably PDQConnect and later ISL Online — and although email activity paused in early August, related infrastructure later surfaced hosting TA455-linked malware, leaving attribution unresolved.
read more →

OpenAI Assistants API Abused by 'SesameOp' Backdoor

🔐 Microsoft Incident Response (DART) uncovered a covert backdoor named 'SesameOp' in July 2025 that leverages the OpenAI Assistants API as a command-and-control channel. The malware uses an obfuscated DLL loader, Netapi64.dll, and a .NET component, OpenAIAgent.Netapi64, to fetch compressed, encrypted commands and return results via the API. Microsoft recommends firewall audits, EDR in block mode, tamper protection and cloud-delivered Defender protections to mitigate the threat.
read more →

SesameOp Backdoor Abuses OpenAI Assistants API for C2

🛡️ Researchers at Microsoft disclosed a previously undocumented backdoor, dubbed SesameOp, that abuses the OpenAI Assistants API to relay commands and exfiltrate results. The attack chain uses .NET AppDomainManager injection to load obfuscated libraries (loader "Netapi64.dll") into developer tools and relies on a hard-coded API key to pull payloads from assistant descriptions. Because traffic goes to api.openai.com, the campaign evaded traditional C2 detection. Microsoft Defender detections and account key revocation were used to disrupt the operation.
read more →

Operation SkyCloak: Tor-Enabled Backdoor Targets Defense

🔒 Attackers are deploying a persistent backdoor using OpenSSH and a customized Tor hidden service to target defense-related organizations in Russia and Belarus. The Operation SkyCloak campaign uses weaponized ZIP attachments and LNK-triggered PowerShell stagers that perform sandbox evasion and write an .onion hostname into the user's roaming profile. Persistence is established via scheduled tasks that run a renamed sshd.exe and a bespoke Tor binary using obfs4, enabling SSH, SFTP, RDP and SMB access over Tor.
read more →

Microsoft Detects SesameOp Backdoor Using OpenAI API

🔒 Microsoft’s Detection and Response Team (DART) detailed a novel .NET backdoor called SesameOp that leverages the OpenAI Assistants API as a covert command-and-control channel. Discovered in July 2025 during a prolonged intrusion, the implant uses a loader (Netapi64.dll) and an OpenAIAgent.Netapi64 component to fetch encrypted commands and return execution results via the API. The DLL is heavily obfuscated with Eazfuscator.NET and is injected at runtime using .NET AppDomainManager injection for stealth and persistence.
read more →

Fake Solidity VSCode Extension on Open VSX Backdoors

🛡️ A remote-access trojan named SleepyDuck, disguised as a Solidity extension on Open VSX, uses an Ethereum smart contract to deliver command-and-control instructions. The malicious package, downloaded over 53,000 times, activates on editor startup, when a Solidity file is opened, or when the compile command is run. On activation it collects system identifiers, creates a lock file for persistence, and polls an on-chain contract to update or replace its C2 endpoint. Open VSX has flagged the package and implemented security controls; developers should rely only on reputable publishers and official repositories.
read more →

SesameOp Backdoor Uses OpenAI Assistants API Stealthily

🔐 Microsoft security researchers identified a new backdoor, SesameOp, which abuses the OpenAI Assistants API as a covert command-and-control channel. Discovered during a July 2025 investigation, the backdoor retrieves compressed, encrypted commands via the API, decrypts and executes them, and returns encrypted exfiltration through the same channel. Microsoft and OpenAI disabled the abused account and key; recommended mitigations include auditing firewall logs, enabling tamper protection, and configuring endpoint detection in block mode.
read more →

Malicious VSX Extension 'SleepyDuck' Uses Ethereum

🦆 Researchers at Secure Annex warned of a malicious Open VSX extension, juan-bianco.solidity-vlang, that delivers a remote access trojan dubbed SleepyDuck. Originally published as a benign library on October 31, 2025, it was updated to a malicious release after reaching about 14,000 downloads. The extension triggers on opening a code editor window or selecting a .sol file, harvesting host details and polling an Ethereum-based contract to obtain and update its command server. It also contains fallback logic using multiple Ethereum RPC providers to recover C2 information if the domain is taken down; users should only install extensions from trusted publishers and follow vendor guidance.
read more →

SesameOp backdoor abuses OpenAI Assistants API for C2

🛡️ Microsoft DART researchers uncovered SesameOp, a novel .NET backdoor that leverages the OpenAI Assistants API as a covert command-and-control (C2) channel instead of traditional infrastructure. The implant includes a heavily obfuscated loader (Netapi64.dll) and a backdoor (OpenAIAgent.Netapi64) that persist via .NET AppDomainManager injection, using layered RSA/AES encryption and GZIP compression to fetch, execute, and exfiltrate commands. Microsoft and OpenAI investigated jointly and disabled the suspected API key; detections and mitigation guidance are provided for defenders.
read more →