
All news with #remote access trojan tag


REF1695: Fake Installers Deliver RATs and Miners Campaign

🔍 Elastic Security Labs researchers documented a financially motivated operation, REF1695, active since November 2023 that uses fake ISO installers to deliver remote access trojans and cryptocurrency miners. Recent samples drop a .NET implant called CNB Bot via a .NET Reactor-protected loader and include explicit instructions to bypass Microsoft Defender SmartScreen. The loader invokes PowerShell to add broad Defender exclusions, launches CNB Bot in the background and displays a benign error message while facilitating further payload downloads. The actor hosts staged binaries on GitHub and abuses a signed vulnerable driver (WinRing0x64.sys) to tune CPU settings and boost mining performance.

CrystalRAT malware adds RAT, stealer, and prankware features

🔒 A new malware-as-a-service called CrystalRAT (also marketed as CrystalX) has been active since January and is being promoted on Telegram and a dedicated YouTube channel, offering remote access, data theft, keylogging, clipboard hijacking and an extensive set of prankware functions. Kaspersky researchers found strong similarities to WebRAT (Salat Stealer), noting a Go-based codebase, matching panel design and a bot-driven sales system; the kit includes a builder, geoblocking, executable customization and anti-analysis protections. Payloads are zlib-compressed and ChaCha20-encrypted, connect to C2 over WebSocket, and the RAT supports CMD execution, VNC-backed remote control, audio/video capture, streaming keylogging and a clipboard clipper; the infostealer component targeting Chromium-based browsers and desktop apps is currently being upgraded. Users should avoid untrusted downloads and apply standard endpoint protections to reduce infection risk.

Axios npm Supply Chain Attack Injects Cross-Platform RAT

⚠ A compromised npm maintainer account led to malicious Axios releases (v1.14.1 and v0.30.4) that introduced a hidden dependency, plain-crypto-js@4.2.1, which deployed a cross-platform remote access trojan (RAT). The postinstall lifecycle script executed a heavily obfuscated Node.js dropper that retrieved platform-specific payloads from a C2 at sfrclak[.]com:8000. Payloads for macOS, Windows and Linux implement a unified RAT protocol with 60-second beacons and capabilities to run commands, inject binaries and remove themselves. Unit 42 recommends immediate isolation, rebuilds from known-good images, credential rotation, dependency pinning and network egress blocking to the C2.

CERT-UA Impersonation Campaign Distributes AGEWHEEZE RAT

📢 CERT-UA disclosed a phishing campaign in which attackers impersonated the agency to distribute a remote access trojan, AGEWHEEZE, via a password-protected ZIP hosted on Files.fm sent March 26–27, 2026. Emails, some originating from incidents@cert-ua.tech, targeted state bodies, medical centers, security firms, educational institutions, financial organizations and developers, urging installation of a purported "protection tool." The Go-based RAT communicates with 54.36.237.92 over WebSockets, supports extensive remote commands and persistence mechanisms, but CERT-UA reports only a handful of personal device infections and provided remediation assistance.

CrystalX RAT: Prankware MaaS with Full Spy Tools and Theft

🛡️ Kaspersky researchers discovered CrystalX, a subscription-based Remote Access Trojan promoted on Telegram and YouTube that mixes disruptive "prank" capabilities with robust theft and surveillance features. The Trojan can rotate screens, swap mouse buttons, block keyboard input, display arbitrary messages, and disable system utilities, while also stealing credentials, hijacking clipboards to redirect crypto, logging keystrokes, and accessing screen, camera and microphone. Builds are uniquely encrypted per customer and include anti-analysis checks, complicating detection, and Kaspersky products detect and neutralize the threat. Users should avoid pirated software, be cautious with messaging attachments, enable 2FA, keep systems updated, and run reputable security solutions.

WhatsApp VBS Malware Campaign Delivers MSI Backdoors

🛡️ Microsoft warns of a WhatsApp-distributed malware campaign that uses malicious Visual Basic Script (VBS) files to gain persistence and remote access on Windows systems. The VBS scripts perform delayed, multi-stage execution and deploy renamed legitimate utilities (for example, curl.exe and bitsadmin.exe) under misleading filenames to blend in. Payloads are hosted on reputable cloud providers and culminate in installing malicious Microsoft Installer (MSI) packages that act as backdoors. Microsoft recommends monitoring script and installer execution and watching for misuse of trusted system tools.

Hackers Hijack Axios npm Package to Spread RATs Globally

🔔 Threat actors compromised maintainer Jason Saayman's accounts to publish malicious versions of axios that included the plain-crypto-js dependency, distributing cross-platform remote access trojans (RATs). The attackers staged the dependency before the takeover, changed the maintainer’s email for persistence, and used stolen npm credentials to publish malicious releases. npm removed the tainted packages and revoked tokens within about three hours while researchers urge audits of lockfiles, CI/CD systems and credential rotation.

Axios npm Compromised: Malicious Releases Deployed RAT

🚨 Attackers compromised the npm account of Axios' lead maintainer and pushed trojanized releases that install a cross-platform remote access trojan on developer machines. The malicious versions axios@1.14.1 and axios@0.30.4 pulled a staged dependency plain-crypto-js@4.2.1 containing a postinstall dropper. Multiple security vendors detected the packages within minutes and npm removed them within two to three hours, but the short window was enough to affect many environments.

Axios npm Account Compromised to Deliver Cross-Platform RATs

⚠️ Hackers hijacked the npm account for Axios, a widely used JavaScript HTTP client, to publish two malicious releases on March 31, 2026. The attacker added a trojanized dependency (plain-crypto-js@^4.2.1) that runs a post-install dropper (setup.js) which fetches OS-specific RATs from a C2 server. The payloads target Windows, macOS, and Linux and include persistence and evasion techniques, while the dropper attempts to erase traces and restore a clean package.json after infection.

WhatsApp-delivered VBS Campaign Installs MSI Backdoors

🛡️ Microsoft Defender Experts (DEX) observed a late-February 2026 campaign leveraging WhatsApp messages to deliver malicious Visual Basic Script (VBS) files. Executing the VBS creates hidden folders under C:\ProgramData, drops renamed legitimate Windows utilities, and uses them to download additional payloads from cloud services such as AWS, Tencent Cloud, and Backblaze B2. Attackers escalate privileges, tamper with UAC and registry settings, and install unsigned MSI packages to establish persistent remote access. Microsoft recommends hardening script hosts, monitoring cloud traffic and registry changes, and enabling Defender protections.

Silver Fox Expands Asia Campaign Using AtlasCross RAT

🔎 Hexastrike warns of a regionally focused campaign targeting Chinese-speaking users through typosquatted sites that impersonate trusted software brands to deliver a previously undocumented remote access trojan. The malware, AtlasCross RAT, is deployed via ZIP lures that drop a trojanized Autodesk installer which loads a second-stage payload and executes in memory. Installers were signed with a stolen EV certificate tied to DUC FABULOUS CO.,LTD, and the operation is attributed to Silver Fox, affecting multiple Asian countries.

Axios Supply Chain Attack Pushes Cross-Platform RAT

⚠️ The popular HTTP client Axios was compromised after attackers published poisoned npm releases that introduced a malicious dependency, plain-crypto-js@4.2.1. The injected package executes an obfuscated postinstall dropper that fetches platform-specific RAT payloads for macOS, Windows and Linux. The actor used a compromised maintainer account to push axios@1.14.1 and axios@0.30.4, bypassing CI/CD. Users who installed those releases should assume compromise and follow remediation guidance.

RoadK1ll WebSocket Implant Enables Network Pivoting

🛡️ Blackpoint discovered a lightweight Node.js implant named RoadK1ll that uses an outbound WebSocket reverse tunnel to convert compromised hosts into relay points. It forwards TCP traffic on demand, supports multiple concurrent connections, and implements a small set of commands (CONNECT, DATA, CONNECTED, CLOSE, ERROR) to manage proxied sessions. RoadK1ll lacks traditional registry or scheduled-task persistence and runs only while its process remains active. Its stealthy outbound-only design helps attackers pivot to internal systems and bypass perimeter controls.

Russian 'CTRL' RAT Distributed via Malicious LNK Files

🛡️ Censys researchers uncovered a Russian-origin remote access toolkit called CTRL that is distributed via weaponized Windows shortcut (LNK) files disguised as private key folders. The multi-stage PowerShell dropper decodes and loads payloads in memory, modifies firewall rules, creates scheduled tasks and backdoor local users, and establishes FRP reverse tunnels for RDP access. Components include a .NET loader, a WPF credential-phishing UI that mimics the Windows PIN prompt, a persistent keylogger, and FRP/RDP wrapper binaries that enable an operator to interact with victims over tunneled RDP while minimizing visible network beaconing.

China-linked clusters target Southeast Asian government

🔒 Palo Alto Networks' Unit 42 reports three China-aligned activity clusters targeted a Southeast Asian government organization in 2025, executing a sustained, well-resourced operation aimed at persistent access. The campaigns deployed multiple loaders and backdoors, notably HIUPAN (USBFect), PUBLOAD, EggStremeFuel/EggStremeLoader, MASOL RAT, TrackBak, and FluffyGh0st, alongside components such as Claimloader and Hypnosis Loader. Unit 42 notes significant TTP overlap with known groups including Mustang Panda and clusters linked to Earth Estries, Crimson Palace, and Unfading Sea Haze.

Silver Fox Phishing Targets Japanese Firms During Tax Season

🦊 Silver Fox has resumed targeted spearphishing against Japanese companies during the annual tax and personnel change season. Attackers send tailored, believable HR and tax-themed emails and spoof trusted employees to deliver malicious attachments or links that drop ValleyRAT. Because recipients expect such communications, these lures increase the risk of compromise. Verify suspicious requests through alternate channels and report them to security teams immediately.

GlassWorm Campaign Uses Solana Dead-Drops for RAT Operations

🔍 Cybersecurity researchers report a new GlassWorm evolution that delivers a multi-stage data theft framework and a remote access trojan (RAT) which force-installs a malicious Google Chrome extension masquerading as Google Docs Offline. The campaign gains initial access via rogue packages on npm, PyPI, GitHub and Open VSX, and resolves C2 addresses using Solana memos and public Google Calendar dead drops. A .NET component performs hardware wallet phishing when Ledger or Trezor devices are connected, while a WebSocket RAT harvests browser data, executes arbitrary JavaScript, and supports HVNC and SOCKS modules. Developers are urged to verify publishers and use scanning tools such as AFINE's glassworm-hunter.

Silver Fox Campaigns Shift Toward Dual Espionage and Crime

🦊 Sekoia has identified a series of Silver Fox campaigns from 2025–2026 that blend espionage and financially motivated cybercrime. Attackers used tax- and payroll-themed phishing lures, SEO poisoning and malicious ads to deliver tools such as ValleyRAT, HoldingHands and a custom Python credential stealer disguised as a WhatsApp app. Targets included organizations across Taiwan, Japan and multiple Southeast Asian countries. Researchers say the group’s modular approach enables rapid tool changes while preserving persistence in compromised networks.

NPM 'Ghost' Campaign Uses Fake Install Logs to Hide Malware

🔍 Security researchers at ReversingLabs uncovered a malicious npm campaign, dubbed the 'Ghost campaign', that uses fabricated installation logs to conceal downloader behavior. Malicious packages impersonate legitimate installs—displaying fake dependency downloads, progress bars and random delays—and prompt users for their sudo password under false pretenses. That credential is then used to fetch and execute a final-stage remote access trojan capable of stealing crypto wallets and sensitive data; researchers advise verifying package authors, monitoring install scripts and avoiding sudo prompts during installs.

Ghost campaign uses npm packages to steal crypto wallets

🛡️ Security researchers at ReversingLabs have uncovered a set of malicious npm packages published by user mikilanjillo that phish for sudo credentials and deploy a multi-stage downloader to steal cryptocurrency wallets and other sensitive data. The packages display fake npm install logs and inject delays to mask their actions, then prompt for elevated privileges to retrieve a remote payload via Telegram. The final stage installs a remote access trojan capable of harvesting browser credentials, wallets, SSH keys, and developer tokens.