< ciso
brief />
Tag Banner

All news with #remote access trojan tag

337 articles · page 2 of 17

Silent Ransom Group Targets U.S. Law Firms Now

🛡️ Mandiant reports the Silent Ransom Group (UNC3753) is targeting U.S. law firms and professional services with invoice-themed phishing followed by voice calls impersonating IT staff. Attackers use callback phishing to trick victims into installing remote support tools like AnyDesk or Zoho Assist, granting access to networks and enabling rapid data theft and extortion. The campaign involves phishing domains, self-destructing messaging, and fast-flux infrastructure to host leak sites.
read more →

Chinese hackers deploy new Atlas RAT across Europe

🔍 Proofpoint attributes a surge of financially motivated campaigns to TA4922, a Chinese-speaking cybercrime group now targeting organizations in Germany, Italy, the UK, and South Africa. The actor uses localized phishing lures and messaging apps to deliver a growing arsenal that includes the newly observed Atlas RAT, multiple custom loaders such as RomulusLoader and SilentRunLoader, and the ValleyRAT family. Researchers warn the toolset supports reconnaissance, credential theft, keylogging, audio/video capture, and plugin payloads, and note operational expansion and possible use of LLMs in development.
read more →

DoubleClick Redirects Used to Deliver DesckVB RAT

🛡️ Huntress researchers disclosed a malspam campaign that abuses Google DoubleClick redirectors to funnel victims to personalized phishing landing pages and drop a .NET remote access trojan called DesckVB RAT. The attack starts with an HTML attachment that redirects through DoubleClick, decodes a Base64 email, and serves a ZIP containing a JavaScript loader which executes a PowerShell script to fetch a .NET loader. The loader disables security controls, establishes persistence, and injects the RAT via process hollowing into Microsoft-signed processes to evade detection.
read more →

Weedhack campaign targets Minecraft players via YouTube

🛡️ McAfee Labs reports a MaaS campaign called Weedhack that has been active since January 2026, using SEO poisoning and YouTube videos to trick Minecraft users into downloading malicious JAR files. The malware chain begins with a trojanized client and leverages the Ethereum blockchain for C2 resolution, ultimately delivering remote access and information-stealing payloads. The service is offered free and as a paid tier, enabling widespread abuse, account theft, and cyberbullying against younger victims.
read more →

BTMOB MaaS Android trojan targets Latin America

🛡️ BTMOB is an Android remote access trojan offered as malware-as-a-service with a builder that generates customized APKs tailored to phishing lures. The platform lets customers choose permissions, hide icons, disable Google Play, and configure behaviors to evade removal. ESET and other researchers link campaigns to Brazil and Latin America and note distribution via fake streaming and crypto mining sites. Subscriptions are sold through private Telegram channels.
read more →

GPU-mining campaign uses SEO and AI for delivery

🛡️ Microsoft uncovered a targeted cryptojacking campaign that lures owners of high-performance PCs to malicious download pages for utilities like CrystalDiskInfo and HWMonitor. The attackers used SEO poisoning and, in some cases, manipulated AI chatbots to surface attacker-controlled download links. Infected ZIP archives include legitimate utilities and a malicious DLL that installs the ScreenConnect remote access tool, enabling persistent access and deployment of a process-hollowing loader that ultimately launches GPU miners.
read more →

Grandoreiro and BTMOB campaigns target Latin Europe

🛡️ WatchGuard and ESET report two active campaigns spreading Windows and Android banking trojans across Latin America and Europe. The Grandoreiro campaign leverages DLL side-loading, WebRTC/STUN/ICE communications, and phishing to target Portuguese banks and international financial services. ESET details BTMOB, a rapidly evolving Android RAT sold as a service with an APK builder that enables mass phishing-based distribution and remote device control.
read more →

BTMOB Android RAT: No-Code Builder Spreads Globally

🛡️ ESET researchers identified a no-code Android remote access trojan (RAT) named BTMOB that is distributed via phishing campaigns and fake app stores. The malware includes an APK builder so buyers can produce customized payloads quickly and retool lures for different countries without coding. BTMOB abuses Android Accessibility Services to escalate permissions and enable data theft, screenshots, activity recording and full remote control. Sold as a malware-as-a-service offering with relatively low pricing, it lowers the barrier for criminals and allows rapid variant turnover.
read more →

Webworm Adds EchoCreep and GraphWorm Using Discord

🔍 ESET researchers observed that China-aligned Webworm expanded its toolkit in 2025 with two new backdoors—EchoCreep and GraphWorm—that use Discord and the Microsoft Graph API for C2 communications. The actor increasingly favors proxy-based utilities and staging techniques such as SoftEther VPN and GitHub repositories to blend malicious traffic. Targets include government and enterprise entities across Asia and Europe, while older RATs appear to be abandoned.
read more →

Tracking TamperedChef: Malicious Productivity Software

🔎 Unit 42 documents clusters of TamperedChef-style campaigns that trojanize productivity tools (e.g., PDF editors, calendars) to deliver stealers, RATs and proxies. These operations use malvertising-driven distribution, legitimate-looking sites, frequent binary rebuilds and code signing to evade detection. We tracked three clusters (CL-CRI-1089, CL-UNK-1090, CL-UNK-1110), over 4,000 samples and 100 variants. If compromised, contact the Unit 42 Incident Response team for assistance.
read more →

Webworm APT's 2025 Shift: New Burrowing Tactics and Proxies

🛡️ ESET researchers analyzed Webworm’s 2025 campaigns and found a shift from traditional RATs to stealthier proxy tools and two new backdoors, EchoCreep and GraphWorm, which abuse Discord and the Microsoft Graph API for C2. They decrypted over 400 Discord messages, uncovered GitHub staging repositories and a compromised Amazon S3 bucket, linking infrastructure to Vultr and IT7 Networks. Victims across Europe and South Africa were targeted; identified services have been taken down and impacted parties notified.
read more →

Kazuar Evolves into Modular P2P Botnet by Secret Blizzard

📡 Microsoft reports that Russian-linked actor Secret Blizzard has turned the long-running Kazuar backdoor into a modular peer-to-peer botnet built for persistence, stealth, and data theft. The malware now runs three modules—Kernel, Bridge, and Worker—with an elected Kernel leader to minimize external C2 traffic and improve stealth. Internal IPC, AES encryption, and Protobuf serialization protect communications, while 150+ configuration options and AMSI/ETW/WLDP bypasses increase evasion.
read more →

Turla Converts Kazuar Into Modular P2P Botnet for Stealth

🐍 Microsoft and CISA report that Russian state-linked Turla has evolved its Kazuar .NET backdoor into a modular, peer-to-peer botnet engineered for stealth and persistence. The architecture now separates into Kernel, Bridge, and Worker modules to minimize footprint and enable flexible tasking. Deployments use droppers such as Pelmeni and ShadowLoader to decrypt and load modules across compromised hosts. The design centralizes staging in a dedicated working directory to maintain state and streamline exfiltration.
read more →

China-linked TencShell implant derived from Rshell C2

🔍 Cato Networks' Cyber Threats Research Lab (CTRL) identified an undocumented Go-based implant called TencShell while responding to an April 2026 intrusion attempt against the Indian branch of a global manufacturer. The operation used a first-stage dropper, Donut shellcode, a disguised .woff web-font resource, memory injection and web-like C2 traffic. Cato blocked the intrusion and published technical findings in a May 13 report, linking the implant to an altered Rshell C2 lineage and Tencent-like API impersonation.
read more →

KongTuke Uses Microsoft Teams to Gain Corporate Access

🔒 Threat actor KongTuke has begun using Microsoft Teams to socially engineer employees and quickly gain persistent network access. Attackers impersonate IT staff, trick victims into running a malicious PowerShell command, and deploy ModeloRAT via a Dropbox-hosted ZIP containing a portable WinPython runtime. ReliaQuest observed the campaign active since April 2026, with attackers rotating Microsoft 365 tenants and employing Unicode tricks to appear legitimate. The malware includes resilient C2, multiple access paths, and persistence methods that can survive standard cleanup.
read more →

Chinese-Linked Group Repeatedly Hits Azerbaijani Energy

🔒 Bitdefender links a multi-wave intrusion against an Azerbaijani oil and gas company to the China-affiliated group FamousSparrow, observed between December 2025 and February 2026. The adversary repeatedly exploited a Microsoft Exchange Server ProxyNotShell chain to deploy alternating backdoors — Deed RAT and TernDoor — across three waves. Attackers used evolved DLL side-loading via the legitimate LogMeIn Hamachi binary, attempted web shell persistence and lateral movement, and re-entered the environment despite remediation efforts.
read more →

cPanel Authentication Bypass Deploys Filemanager Backdoor

🔒 Researchers report that a threat actor known as Mr_Rot13 is exploiting a critical cPanel/WHM vulnerability (CVE-2026-41940) to deploy a cross-platform backdoor named Filemanager on compromised hosts. A QiAnXin XLab analysis indicates automated attacks from more than 2,000 source IPs worldwide and an infection chain that replaces root credentials, plants SSH keys, deploys a PHP web shell, and delivers a Go-based infector. The malware harvests credentials and system data, sends results to attacker-controlled infrastructure, and enables file management and remote command execution across Windows, macOS, and Linux.
read more →

TrickMo C Moves Android C2 to TON Blockchain Network

📡 ThreatFabric has identified a new Android banking trojan variant, TrickMo C, that shifts its command-and-control channel into The Open Network (TON) blockchain by resolving operator endpoints as .adnl identities. The malicious APK embeds a native TON proxy and routes its HTTP client through a loopback port, while any remaining clearnet queries are sent via DNS-over-HTTPS. This design makes conventional domain takedowns ineffective and helps conceal malicious traffic as legitimate TON application activity.
read more →

JDownloader Site Compromise Replaced Installers with RAT

⚠ The official JDownloader website was compromised between May 6 and May 7, 2026, and attackers replaced alternative Windows and Linux installers with malicious payloads. The Windows binaries deploy a heavily obfuscated Python-based remote access trojan, while the Linux shell installer installs SUID-root components and persistence. Developers say the CMS was abused to alter download links without host-level access and have taken the site offline to investigate. Users who ran affected installers should treat systems as compromised, verify installers' digital signatures (AppWork GmbH) and consider reinstalling and rotating credentials.
read more →

Quasar Linux RAT Targets Developers' Credentials, Pipelines

🔒 Trend Micro researchers disclosed a previously undocumented Linux implant dubbed Quasar Linux RAT (QLNX) that targets developers and DevOps credentials to establish a stealthy foothold. The fileless loader masquerades as kernel threads, erases logs, and persists via seven or more mechanisms such as systemd, crontab and .bashrc injection. Its credential harvester extracts secrets from high-value files including .npmrc, .pypirc, .git-credentials, .aws/credentials, .kube/config, .docker/config.json and .env, enabling registry poisoning, cloud access or CI/CD pivoting. QLNX also installs PAM inline-hook backdoors, a userland LD_PRELOAD rootkit and an eBPF kernel component to hide artifacts while supporting 58 remote commands and data exfiltration.
read more →