All news with #remote access trojan tag

⚠️ Researchers at Varonis have identified a turnkey remote access trojan called Atroposia, marketed on underground forums with subscription tiers starting at $200 per month. The kit combines advanced features — hidden remote desktop takeover, encrypted C2 channels, UAC bypass for persistence, an integrated vulnerability scanner, clipboard capture, DNS hijacking and bulk exfiltration — into a low‑skill, plug‑and‑play package. Enterprises should prioritize behavioral monitoring, rapid containment, multi‑factor authentication, restricted admin access and rigorous patching to detect and mitigate attacks enabled by such commoditized toolsets.

🛡️ Atroposia is a new malware-as-a-service platform offering a modular remote access trojan for a $200 monthly subscription, combining persistent access, stealthy remote desktop, data theft, and a built-in local vulnerability scanner. Researchers at Varonis say the RAT can bypass UAC, perform host-level DNS hijacks, capture credentials and clipboard data, and compress and exfiltrate targeted files with minimal traces. Its vulnerability-audit plugin identifies missing patches and outdated software so attackers can prioritize exploits, making it particularly dangerous in corporate environments. Users should download only from official sources, avoid pirated software and torrents, and refrain from executing unfamiliar commands found online.

🔍 Our GReAT team reconstructed ForumTroll’s infection chain and identified the malware family dubbed LeetAgent, delivered via spear‑phishing and an exploit of CVE-2025-2783 in Google Chrome when recipients were lured with invitations to the Primakov Readings. Further analysis linked the same delivery tools to the commercial spyware Dante (formerly developed by Hacking Team, now Memento Labs), which uses modular plugins, per‑victim encryption keys and a timed self‑destruct mechanism. Initial detections were made by Kaspersky XDR; full technical details and IOCs have been compiled for APT subscribers.

🔐 Sekoia observed Transparent Tribe (APT36) conducting spear-phishing campaigns in Aug–Sep 2025 that deliver a Golang remote access trojan dubbed DeskRAT. The attacks use ZIP attachments containing malicious .desktop files that display a decoy PDF while executing the payload, specifically targeting BOSS Linux systems. DeskRAT establishes WebSocket C2, supports multiple persistence mechanisms, and includes modules for harvesting and exfiltrating WhatsApp and Chrome data. Researchers also reported the use of "stealth servers" and a shift from cloud-hosted distribution to dedicated staging infrastructure.

🔒SentinelOne reported a one-day spear-phishing campaign on October 8 that targeted aid organisations and Ukrainian regional administrations. The operation, named PhantomCaptcha, delivered a WebSocket RAT hosted on Russian-owned infrastructure and used weaponized PDFs and a fake Cloudflare CAPTCHA to trick victims into executing PowerShell. The multi-stage chain enabled data exfiltration, persistent remote access and potential deployment of additional malware.

🔍 Sekoia.io researchers uncovered a cyber-espionage campaign, beginning June 2025, that targets Indian government Linux systems using a new Golang RAT named DeskRAT. The operation primarily abused the Indian government‑endorsed BOSS Linux distribution via phishing ZIPs that executed Bash downloaders and displayed decoy PDFs. Attackers used dedicated staging servers and a new operator dashboard to manage victims and exfiltrate files.

🛩️ ESET researchers observed a renewed Operation DreamJob campaign that targeted European defense and UAV-related companies and has been linked to the North Korea-aligned Lazarus group. Attackers used social-engineering lures and trojanized open-source projects on GitHub to deliver loaders and the ScoringMathTea RAT. Techniques included DLL side-loading, reflective in-memory loading and encrypted C2 channels. The apparent objective was theft of proprietary UAV designs and manufacturing know-how.

⚠ State-sponsored Iranian group MuddyWater deployed version 4 of the Phoenix backdoor against more than 100 government and diplomatic entities across the Middle East and North Africa. The campaign began on August 19 with phishing sent from a NordVPN-compromised account and used malicious Word macros to drop a FakeUpdate loader that writes C:\ProgramData\sysprocupdate.exe. Researchers observed Phoenix v4 using AES-encrypted embedded payloads, COM-based persistence, WinHTTP C2 communications and an accompanying Chrome infostealer, while server-side C2 was taken offline on August 24, suggesting a shift in operational tooling.

🔒 Group-IB links a broad espionage campaign to Iran-aligned MuddyWater that leveraged a compromised email account accessed via NordVPN to send convincing phishing messages. The actor distributed weaponized Microsoft Word documents that coax recipients to enable macros, which execute VBA droppers that write and decode a FakeUpdate loader. FakeUpdate installs an AES-encrypted payload that launches the Phoenix v4 backdoor. Targets exceeded 100 organisations across the MENA region, predominantly diplomatic and government entities.

🕵️ SentinelOne describes a coordinated spear-phishing campaign named PhantomCaptcha that used booby-trapped PDFs and a fake Zoom site to deliver a WebSocket-based remote access trojan (RAT). The October 8, 2025 operation targeted members of humanitarian and government organizations connected to Ukraine, including Red Cross, UNICEF Ukraine, and several regional administrations. Victims were lured to a ClickFix-style fake Cloudflare CAPTCHA that prompted a malicious PowerShell command, which fetched an obfuscated downloader and a second-stage payload. The final WebSocket RAT connects to wss://bsnowcommunications[.]com:80 and enables remote command execution, data exfiltration, and further malware deployment.

🛡️Researchers uncovered the 'PhantomCaptcha' phishing campaign that impersonated the Ukrainian President's Office to target humanitarian and government organisations supporting Ukraine relief efforts. Beginning 8 October 2025, malicious PDFs directed recipients to a fake Zoom site and a Cloudflare-like verification page that tricked users into executing PowerShell via a 'Paste and Run' technique. The multi-stage malware included a large obfuscated downloader, a reconnaissance module and a WebSocket-based RAT. SentinelLABS and the Digital Security Lab of Ukraine advise monitoring PowerShell, enforcing execution policies and tracking suspicious WebSocket connections.

🔒 Researchers have uncovered a global phishing campaign that used compromised mailboxes to deliver malicious Microsoft Word attachments, attributed with high confidence to the Iran-linked actor MuddyWater by Group-IB. The operation abused a NordVPN-accessed mailbox to send trusted-looking messages that prompted users to enable macros, which then installed the Phoenix v4 backdoor. Investigators also found RMM tools (PDQ, Action1, ScreenConnect) and a Chromium_Stealer credential stealer, while infrastructure traced to the domain screenai[.]online and an IP tied to NameCheap-hosted services.

🛡️ A one-day spearphishing campaign named PhantomCaptcha targeted Ukrainian regional government officials and multiple war-relief organizations on October 8, using malicious PDFs that linked to a fake Zoom domain and impersonated the President’s Office. According to SentinelLABS, the operation used a fake Cloudflare CAPTCHA to trick victims into copying and pasting a token into the Windows Command Prompt, which executed a PowerShell downloader and deployed a WebSocket RAT. The lightweight RAT provided remote command execution and data exfiltration capabilities, and researchers found follow-on activity delivering spyware-laced Android APKs to users in Lviv.

🔒 A European telecommunications organization was targeted in the first week of July 2025, according to Darktrace, with a threat actor linked to the China-associated group Salt Typhoon gaining initial access via a vulnerable Citrix NetScaler Gateway. The intruders pivoted to Citrix VDA hosts in an MCS subnet and used SoftEther VPN to mask their origin. They deployed Snappybee (aka Deed RAT) via DLL side-loading alongside legitimate antivirus executables; the backdoor called home to aar.gandhibludtric[.]com. Darktrace says the activity was detected and remediated before significant escalation.

🔒 Seqrite Labs uncovered a new .NET implant named CAPI Backdoor linked to a phishing campaign targeting Russian automobile and e-commerce organizations. The attack leverages a ZIP archive containing a decoy Russian tax notice and a Windows LNK that loads a malicious adobe.dll via the legitimate rundll32.exe. The backdoor gathers system and browser data, takes screenshots, and communicates with a remote C2 for commands and exfiltration. Persistence is achieved through scheduled tasks and a Startup LNK.

🔎 Silver Fox operators have expanded the Winos 4.0 (ValleyRAT) campaign from China and Taiwan to target Japan and Malaysia, and are also deploying a secondary RAT tracked as HoldingHands. The actors use phishing emails with booby‑trapped PDFs, SEO‑poisoned pages and targeted .LNK résumé lures to deliver multiple payloads, including Winos modules and HoldingHands. Observed techniques include DLL sideloading, Task Scheduler recovery abuse, anti‑VM checks and AV termination to maintain persistence and evade detection.

🔒 An AWS-hosted compromise revealed a new GNU/Linux rootkit dubbed LinkPro, discovered by Synacktiv. Attackers leveraged an exposed Jenkins server vulnerable to CVE-2024-23897 and deployed a malicious Docker image (kvlnt/vv) to Kubernetes clusters, delivering a VPN/proxy (vnt), a Rust downloader (vGet) and vShell backdoors. LinkPro relies on two eBPF modules—Hide and Knock—to conceal processes and activate via a magic TCP packet, with a user-space fallback via /etc/ld.so.preload when kernel support is missing.

⚠ The phishing campaign impersonates LastPass and Bitwarden, sending convincing emails claiming breaches and urging users to install a 'more secure' desktop app. The distributed binary installs the legitimate Syncro MSP agent, which then deploys ScreenConnect remote-access software to give attackers persistent control. Cloudflare is blocking the malicious landing pages, and vendors confirm no breaches occurred.

🔍 Proofpoint researchers uncovered TA585, a cybercriminal group that operates its own phishing, delivery and malware infrastructure rather than outsourcing. The actor distributes MonsterV2, a subscription-based RAT/stealer/loader that avoids CIS systems and offers modules like HVNC. Early 2025 campaigns used ClickFix social engineering and compromised sites with fake CAPTCHAs to filter victims and deliver payloads, and organisations should train users to spot ClickFix and restrict PowerShell for non-admins.

🔎 Proofpoint researchers detailed a previously undocumented actor, TA585, observed delivering the off‑the‑shelf malware MonsterV2 through tailored phishing chains. The actor appears to manage its entire operation — infrastructure, delivery, and payload installation — employing web injections, CAPTCHA overlays and ClickFix social engineering to trigger PowerShell or Run commands. MonsterV2 functions as a RAT, stealer and loader with HVNC, keylogging, clipboard clippers and a C++ crypter (SonicCrypt) to evade detection. Proofpoint also links parts of the infrastructure to other stealer campaigns and highlights commercialized pricing and geographic filtering in its monetization.