CISO Brief

All news with #remote access trojan tag

309 articles · page 2 of 16

CloudZ RAT Abuses Microsoft Phone Link to Steal OTPs

🔐 A new CloudZ remote access tool (RAT) variant deploys a previously unseen plugin named Pheno that hijacks Microsoft Phone Link on Windows 10 and 11 to extract SMS messages and one‑time passwords from the application’s local SQLite database. Cisco Talos says the intrusion has been active since at least January and can intercept OTPs mirrored to the desktop without compromising the mobile device. The infection chain begins with a fake ScreenConnect update that drops a Rust loader and a .NET loader which installs CloudZ, establishes persistence via a scheduled task, and performs anti-analysis checks.

CloudZ RAT and Pheno Plugin Abuse Microsoft Phone Link

🔍 Cisco Talos disclosed an active campaign since January 2026 in which an unknown actor deployed a modular .NET RAT called CloudZ and a novel plugin, Pheno. Pheno targets the Windows Phone Link feature to detect an active PC-to-phone bridge and stage Phone Link SQLite files, enabling potential interception of mirrored SMS and OTPs without compromising the phone. CloudZ executes core functions dynamically in memory, performs anti-debug and sandbox checks, and supports plugin-based credential exfiltration.

Phishing Campaign Leverages RMM to Maintain Persistent Access

🛡️ Securonix warns of an active phishing campaign codenamed VENOMOUS#HELPER that has compromised over 80 organizations, primarily in the U.S., by abusing legitimate Remote Monitoring and Management tools. Attackers deliver a JWrapper-packaged executable via phishing links hosted on a compromised Mexican site to install SimpleHelp RMM with Safe Mode persistence and a self-healing watchdog. Operators elevate to SYSTEM using AdjustTokenPrivileges and deploy ConnectWise ScreenConnect as a fallback, creating redundant remote access for potential ransomware or extortion follow-on activity.

Silver Fox Uses ABCDoor Backdoor via Tax Phishing Campaign

🚨 A China-based cybercrime group known as Silver Fox ran tax-themed phishing campaigns that deployed a newly identified Python backdoor called ABCDoor. The attacks used PDFs linking to ZIP/RAR archives on abc.haijing88[.]com or malicious attachments and relied on a modified RustSL loader to fetch an encrypted ValleyRAT implant, whose plugin installed ABCDoor. Kaspersky and S2W observed over 1,600 phishing emails across waves targeting India, Russia, Indonesia and others. Organizations should treat unsolicited tax correspondence with suspicion, validate attachments out-of-band, and monitor for modified RustSL and HTTPS C2 activity.

China-Linked Hackers Target Asian Governments, Journalists

🔒 Trend Micro disclosed a China-aligned espionage campaign tracked as SHADOW-EARTH-053 that exploited N-day flaws in internet-facing Microsoft Exchange and IIS servers to deploy web shells (including Godzilla) and persistently stage the ShadowPad backdoor via DLL sideloading and AnyDesk. Targets spanned Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, Taiwan and one NATO member, Poland. Citizen Lab separately reported two phishing clusters, GLITTER CARP and SEQUIN CARP, impersonating journalists and tech/security alerts to harvest credentials and OAuth tokens. Researchers recommend urgent patching, virtual patching with WAF/IPS, and heightened monitoring for tunneling tools, web shells, and lateral-movement artifacts.

Deep#Door Python Backdoor Evades Detection On Windows

🐍 Securonix has identified a stealthy Python-based backdoor, Deep#Door, that uses an obfuscated batch loader to install a persistent implant on Windows systems. The self-contained dropper embeds and reconstructs its Python payload at runtime, disables security controls such as Windows Defender, and leverages multiple persistence mechanisms to maintain access. It uses public TCP tunneling for C2 and supports credential theft, keylogging, media capture and optional destructive actions, complicating detection and remediation.

Stealthy Python RAT 'DEEP#DOOR' Uses Public Tunneling

🛡️ Securonix researchers disclosed a stealthy Python-based backdoor named DEEP#DOOR that establishes persistent access and extensive surveillance on compromised Windows hosts. Delivered via an obfuscated batch dropper, the implant extracts and runs an embedded svc.py payload and uses the public Rust-based tunneling service bore.pub for command-and-control. Its capabilities include remote shells, credential and key theft, webcam and audio capture, and robust anti-analysis measures.

EtherRAT Campaign Spoofs Admin Tools via GitHub SEO

🛡️ Atos Threat Research Center disclosed in March 2026 a resilient campaign delivering a JavaScript RAT named EtherRAT via SEO-poisoned GitHub facades. The adversary places benign-looking README storefronts that link to hidden repositories hosting malicious MSI installers impersonating common administrative tools used by admins, DevOps, and security analysts. Payloads download Node.js at runtime and use an Ethereum smart contract queried through public RPC endpoints to resolve live C2 addresses, enabling rapid operator-driven server rotation and evasion of classic takedown techniques. Atos provides IoCs, technical analysis, and mitigation advice including blocking public ETH RPC access and enforcing verified tool provenance.

Threat Actor Uses Microsoft Teams to Deploy 'Snow' Malware

❄️ UNC6692 uses social engineering and Microsoft Teams to deliver a custom malware suite dubbed Snow. The attackers combine an 'email bombing' tactic with Teams messages posing as IT helpdesk staff to lure victims into installing a fake patch. The link drops AutoHotkey scripts that load SnowBelt, a malicious Chrome extension that operates in a headless Edge session, establishing persistence and relaying commands to a Python backdoor via a WebSocket tunneler.

Tropic Trooper Uses Trojanized SumatraPDF to Access Hosts

🛡️ Zscaler ThreatLabz attributes a new campaign to Tropic Trooper that uses a trojanized SumatraPDF installer to deliver the AdaptixC2 Beacon post‑exploitation agent. Victims—primarily Chinese‑speaking individuals in Taiwan, with some targets in South Korea and Japan—are lured via military‑themed ZIP archives that show a decoy PDF while fetching encrypted shellcode. The backdoored reader launches a Xiangoop‑derived loader called TOSHIS, which stages payloads and only escalates to installing Visual Studio Code and configuring VS Code tunnels for persistent remote access on high‑value hosts.

Harvester Deploys Linux GoGra Backdoor Against South Asia

🔒 Symantec and Carbon Black attribute a new Linux build of the GoGra backdoor to the threat actor known as Harvester, observing deployments likely targeting entities in South Asia. The implant abuses Microsoft Graph and Outlook mailboxes as a covert C2 channel and is delivered via ELF binaries disguised as PDF lures. Incoming tasking emails (subject prefix "Input") contain Base64-encoded shell commands that the backdoor decrypts and runs via /bin/bash, then exfiltrates results as emails labeled "Output" and removes the original messages.

ICE Confirms Use of Israeli Graphite Spyware Domestically

🕵️‍♂️ ICE has publicly acknowledged using spyware developed by the Israeli firm Graphite, confirming prior reporting and prompting renewed scrutiny over government surveillance practices. The agency says the tools are used in immigration and criminal investigations but provided limited details about scope, oversight, or legal justification. Privacy advocates and technologists warn that deployment of such remote access trojans can expose large amounts of personal data and evade standard protections.

Teams abused for helpdesk impersonation, warns Microsoft

🔒 Microsoft warns that threat actors are increasingly abusing external Microsoft Teams collaboration to impersonate IT or helpdesk staff and gain remote access. Attackers initiate cross-tenant chats to request remote assistance—commonly via Quick Assist—then perform reconnaissance and deploy small payloads into user-writable locations. They abuse trusted, signed applications for execution and use HTTPS-based C2 and tools like Rclone to exfiltrate filtered, high-value data, often blending into normal traffic. Administrators are urged to treat external Teams contacts as untrusted, restrict remote-assistance tools, and limit WinRM usage.

Obsidian Plugin Abuse Delivers PHANTOMPULSE Remote RAT

🛡️ A novel social engineering campaign abused the Obsidian note-taking app to deliver a previously undocumented Windows remote access trojan dubbed PHANTOMPULSE. Elastic Security Labs tracked the activity as REF6598, reporting attackers lured financial and cryptocurrency professionals via LinkedIn and Telegram before asking them to open a cloud-hosted Obsidian vault. By convincing victims to enable the Installed community plugins sync, actors leveraged legitimate Shell Commands and Hider plugins to execute malicious JSON-configured payloads and run signed Electron-based loaders that hand off execution. The campaign underscores the risk of trusted applications and targeted social engineering as initial access vectors.

Mirax Android RAT Turns Devices into SOCKS5 Proxies

📱 Mirax is a newly observed Android Remote Access Trojan distributed via Meta advertisements that reached over 220,000 accounts, primarily in Spanish-speaking countries. According to Cleafy, Mirax pairs conventional RAT capabilities—keystroke capture, overlays, camera and SMS access—with an embedded SOCKS5 residential proxy implemented over Yamux to route attacker traffic through victim IPs. The threat uses GitHub-hosted droppers, selectable crypters (Virbox, Golden Crypt), and multi-stage installation flows that request accessibility permissions to persist and evade analysis. Researchers note the platform is offered as a selective MaaS to vetted affiliates, increasing its operational and monetization potential.

JanelaRAT Targets Latin American Banks, 14,739 Hits

🔒 Researchers report that the JanelaRAT malware, a modified BX RAT, extensively targeted banks and financial services across Latin America, with telemetry showing 14,739 attack attempts in Brazil and 11,695 in Mexico during 2025. The trojan steals banking and cryptocurrency credentials, captures keystrokes, screenshots and system metadata, and uses custom title-bar detection to trigger actions on matched sites. Attackers shifted delivery from VBScript ZIPs to rogue MSI installers and DLL side-loading, often installing a malicious Chromium extension for persistence and data exfiltration. Vendors including Kaspersky, KPMG, and Zscaler documented multi-stage chains and robust C2 capabilities.

APT37 Uses Facebook Social Engineering to Spread RokRAT

🔒 North Korea–linked APT37 has been observed using Facebook friend requests and Messenger to build trust with targets before moving conversations to Telegram and distributing a ZIP archive containing a trojanized Wondershare PDFelement. The tampered installer executes encrypted shellcode that contacts a compromised legitimate site, japanroom[.]com, to fetch a seemingly benign JPG which stages the RokRAT payload. The malware then leverages Zoho WorkDrive for command-and-control, enabling screenshots, remote command execution via cmd.exe, host reconnaissance, and evasion of security products.

STX RAT Uses Stealth Tactics to Target Finance Sector

🔐 eSentire's Threat Response Unit identified a previously undocumented remote access trojan, STX RAT, after an attempted deployment in a financial services environment in late February 2026. The malware uses multi-stage, script-based delivery and in-memory execution to evade detection, leveraging XXTEA encryption, Zlib compression and reflective PowerShell loaders. It delays credential theft until instructed by an encrypted C2 channel and implements registry autoruns and COM hijacking for persistence. Organizations should strengthen endpoint protections and limit exposure to script-based attack vectors.

Axios npm compromise used fake Teams update to hijack

⚠️ The maintainers of Axios report a targeted social engineering attack that allowed threat actors to publish malicious npm releases (1.14.1 and 0.30.4) which added a dependency, plain-crypto-js, that deployed a remote access trojan across macOS, Windows, and Linux. The tainted packages were available for roughly three hours before removal; any systems that installed them should be treated as compromised and have credentials and keys rotated. Google links the operation to North Korea‑aligned UNC1069, while researchers say the same playbook targeted multiple high‑impact Node.js maintainers. Axios maintainers have wiped affected hosts, reset credentials, and are adding safeguards to reduce future supply chain risk.

Axios npm Supply Chain Compromise Deploys Malicious Builds

🔐 Cisco Talos is investigating a March 31, 2026 supply chain attack that briefly replaced the official Axios npm package with two malicious releases (v1.14.1 and v0.30.4). The tainted packages were available for about three hours, and Talos strongly advises rolling back to known safe versions (v1.14.0 or v0.30.3) and auditing any systems that installed them. The injected runtime dependency executes at post-install and fetches platform-specific RAT payloads for Linux, macOS, and Windows.