< ciso
brief />
Tag Banner

All news with #remote access trojan tag

337 articles · page 17 of 17

Lazarus Group Expands Cross-Platform RATs Against DeFi

🔍 Researchers link a social engineering campaign to the North Korea–linked Lazarus Group that distributed three cross-platform RATs — PondRAT, ThemeForestRAT, and RemotePE — against a decentralized finance (DeFi) organization. Fox-IT observed the actors impersonating an employee on Telegram and using fake Calendly/Picktime pages to arrange meetings and gain a foothold via a loader named PerfhLoader. The intrusion delivered multiple tools (screenshotter, keylogger, credential stealers, Mimikatz, proxy programs) and saw an operational progression from the primitive PondRAT to the in-memory ThemeForestRAT, culminating in the more advanced RemotePE for high-value access.
read more →

MystRodX Backdoor Uses DNS and ICMP for Stealthy Control

🛡️ QiAnXin XLab warns of a stealthy backdoor named MystRodX (aka ChronosRAT) that leverages layered encryption and flexible network options to hinder detection. The C++ implant supports file management, port forwarding, reverse shells and socket control, and can run actively or as a passive "wake-up" backdoor triggered by crafted DNS queries or ICMP payloads. A multi-stage dropper with anti-debug and VM checks decrypts components and an AES-encrypted configuration that contains C2 endpoints, ports and the backdoor mode.
read more →

Silver Fox Abuses Microsoft-Signed Drivers to Deploy RAT

⚠️ A newly discovered campaign attributed to the Silver Fox APT abuses trusted Microsoft-signed drivers to bypass security protections and install a remote access tool. Check Point Research found attackers used the WatchDog driver (amsdk.sys) and an older Zemana-based driver to terminate antivirus and EDR processes, enabling deployment of ValleyRAT. Researchers observed loaders with anti-analysis, persistence, embedded drivers and hardcoded lists of security processes, and warn that timestamp edits can preserve valid signatures while evading hash-based detection.
read more →

ScarCruft Deploys RokRAT in 'HanKook Phantom' Campaign

🚨Seqrite Labs has uncovered a spear-phishing campaign named Operation HanKook Phantom attributed to North Korea–linked ScarCruft (APT37). The attacks use ZIP attachments containing malicious Windows LNK shortcuts that masquerade as PDFs and drop a RokRAT backdoor while displaying decoy documents. RokRAT can collect system information, execute commands, enumerate files, capture screenshots, and download further payloads, exfiltrating data via cloud services such as Dropbox, Google Cloud, pCloud, and Yandex Cloud. A second observed variant leverages fileless PowerShell and obfuscated batch scripts to deploy additional droppers and conceal network traffic as browser file uploads.
read more →

Fake IT Support Phishing Targets Microsoft Teams Users

🔒 Researchers at Permiso have uncovered phishing campaigns that abuse Microsoft Teams by impersonating IT support to trick employees into installing remote access tools like QuickAssist and AnyDesk. Attackers gain full control of compromised endpoints, deploy credential-stealing malware and establish persistence. Campaigns are linked to the financially motivated actor EncryptHub and use simple impersonation tactics that bypass email defences. Security teams should monitor unusual external Teams activity and verify unexpected support requests.
read more →

Cephalus Ransomware: Emergence and Threat Profile

🚨 Cephalus is a mid‑2025 ransomware operation that both encrypts systems and exfiltrates sensitive data for publication on a dark‑web leak site. The group commonly gains initial access via Remote Desktop Protocol (RDP) accounts lacking multi‑factor authentication and uses a DLL sideloading chain that abuses SentinelOne's SentinelBrowserNativeHost.exe to load a malicious DLL and execute the payload. Infected files are renamed with the .sss extension, Volume Shadow Copies are deleted, and Windows Defender is disabled. Organisations should prioritise MFA, timely patching, secure offline backups, network segmentation and staff training to reduce risk.
read more →

Blind Eagle: Five Clusters Target Colombian Government

⚠️ Recorded Future's Insikt Group attributes five distinct activity clusters to the actor Blind Eagle (tracked as TAG-144) active between May 2024 and July 2025. The campaigns largely targeted Colombian government agencies across local, municipal, and federal levels using spear-phishing, cracked and open-source RATs (including AsyncRAT, Remcos, DCRat, and Lime RAT) and legitimate internet services for staging. Operators abused dynamic DNS, VPS and VPN services and leveraged geofencing and compromised accounts to redirect or evade detection.
read more →

Hook Android Trojan Evolves with Ransomware Features

🛡️Researchers at Zimperium zLabs have detected a new variant of the Hook Android banking Trojan that expands beyond banking fraud to include ransomware-style overlays and advanced surveillance tools. The sample supports 107 remote commands, 38 of which are newly introduced, enabling fake NFC prompts, lock-screen bypasses, transparent gesture-capturing overlays and real-time screen streaming. Operators are distributing malicious APKs via GitHub repositories and continue to exploit Android Accessibility Services for automated fraud and persistent control. Industry observers warn the campaign is global and rapidly escalating, increasing risks to both enterprises and individual users.
read more →

Phishing Campaign Uses UpCrypter to Deploy Multiple RATs

🔒 FortiGuard Labs has detailed a global phishing campaign that uses personalized HTML attachments and spoofed websites to deliver a custom loader, UpCrypter, which installs multiple remote access tools. The operation uses tailored lures—voicemail notices and purchase orders—embedding recipient emails and company logos to appear legitimate. The delivered ZIPs contain obfuscated JavaScript that runs PowerShell, fetches further payloads (sometimes hidden via steganography) and ultimately loads RATs such as PureHVNC, DCRat and Babylon, while UpCrypter checks for sandboxes, enforces persistence and can force reboots to hinder analysis.
read more →

UNC6384 Uses Captive Portal Hijacks to Deploy PlugX

🔐 Google’s Threat Intelligence Group (GTIG) detected a March 2025 campaign attributed to UNC6384 that uses captive-portal hijacks to deliver a digitally signed downloader called STATICPLUGIN. The downloader (observed as AdobePlugins.exe) retrieves an MSI and, via DLL sideloading through Canon’s IJ Printer Assistant Tool, stages a PlugX variant tracked as SOGU.SEC entirely in memory. Operators used valid TLS and GlobalSign-signed certificates issued to Chengdu Nuoxin Times Technology Co., Ltd, aiding evasion while targeting diplomats and other entities.
read more →

Phishing Campaign Uses UpCrypter to Deploy RATs Globally

📧 Fortinet FortiGuard Labs has observed a phishing campaign using fake voicemail and purchase-order lures to direct victims to convincing landing pages that prompt downloads of JavaScript droppers. The droppers retrieve the UpCrypter loader, which conducts anti-analysis and sandbox checks before fetching final payloads, including various RATs such as PureHVNC, DCRat and Babylon. Attacks since August 2025 have targeted manufacturing, technology, healthcare, construction and retail/hospitality across multiple countries; defenders are urged to block malicious URLs, strengthen email authentication, and monitor anomalous M365 activity.
read more →

Global Phishing Campaign Distributes UpCrypter Loader

📧 FortiGuard Labs identified a global phishing campaign that uses crafted HTML email attachments and personalized phishing pages to deliver obfuscated JavaScript droppers which stage the UpCrypter loader on Microsoft Windows systems. The attack uses target-specific URL reconstruction, convincing domain and logo spoofing, and prompts victims to run a bundled JavaScript dropper. The dropper decodes and executes a Base64 PowerShell payload that performs anti-analysis checks, loads an MSIL loader directly into memory, and ultimately deploys multiple RATs (PureHVNC, DCRat, Babylon RAT). Organizations should apply layered email filtering, endpoint least-privilege, and script/memory-aware detection to block these artifacts.
read more →

Transparent Tribe Targets Indian Govt with Shortcut Malware

🔒 Transparent Tribe (APT36) has been observed delivering weaponized desktop shortcut files to compromise both Windows and BOSS Linux systems at Indian government organizations. Reports from CYFIRMA, CloudSEK, Hunt.io, and Nextron Systems describe Go-based droppers, hex-encoded ELF payloads, and cron-based persistence. The campaign uses spear-phishing lures and typo-squatted domains with decoy PDFs to harvest credentials and target Kavach two-factor authentication, while deploying backdoors such as Poseidon and MeshAgent to maintain long-term access.
read more →

Linux Backdoor Delivered via Malicious RAR Filenames

🛡️ Trellix researchers describe a Linux-focused infection chain that uses a malicious RAR filename to trigger command execution. The filename embeds a Base64-encoded Bash payload that leverages shell command injection when untrusted filenames are parsed, allowing an ELF downloader to fetch and run an architecture-specific binary. The chain ultimately delivers the VShell backdoor, which runs in memory to evade disk-based detection.
read more →

QuirkyLoader Deploys Agent Tesla, AsyncRAT and Keyloggers

🛡️ Researchers disclosed a new .NET-based DLL loader named QuirkyLoader that's been used since November 2024 to deliver information stealers, keyloggers and RATs via email spam. IBM X-Force says attackers send malicious archives from both legitimate providers and self-hosted servers; each archive contains a DLL, an encrypted payload and a real executable used for DLL side-loading. The loader uses process hollowing to inject decrypted payloads into AddInProcess32.exe, InstallUtil.exe or aspnet_wp.exe. Operators compile the .NET DLL with ahead-of-time (AOT) compilation so the resulting binary resembles native C/C++ code and is harder to attribute.
read more →

Full PowerShell RAT Campaign Targets Israeli Organizations

🔒 The FortiMail Workspace Security team uncovered a targeted intrusion campaign that abused compromised internal email to deliver a multi-stage, fully PowerShell-based Remote Access Trojan targeting Israeli organizations. Phishing links redirected users to a spoofed Microsoft Teams page that instructed victims to press Windows+R, paste an obfuscated Base64 loader, and execute a PowerShell IEX fetch from a hard-coded C2 (hxxps[:]//pharmacynod[.]com), which in turn staged scripts and a compressed, in-memory RAT. The operation uses layered obfuscation, native Windows APIs, and living-off-the-land techniques to enable remote access, surveillance, persistence, lateral movement, and data exfiltration; Fortinet protections detect and block this activity.
read more →

Unmasking AsyncRAT: Mapping Forks and Variants in the Wild

🛡️ ESET Research reviews the sprawling ecosystem of AsyncRAT, an open-source C# remote access trojan first published in 2019, and the many forks that have proliferated since. The post maps major families—most notably DcRat and VenomRAT—and outlines rapid identification techniques based on client configuration, embedded certificates, and behavior. It highlights uncommon plugins (USB spreaders, screamers, clipboard clippers, distributed brute modules) and stresses evolving obfuscation and evasion tactics.
read more →