< ciso
brief />
Tag Banner

All news with #remote access trojan tag

337 articles · page 3 of 17

PamDOORa: PAM-Based Linux Backdoor Enables Persistent SSH

🔐 Researchers disclosed a new Linux backdoor called PamDOORa, advertised on the Russian cybercrime forum Rehub by an actor named "darkworm". The PAM-based post-exploitation toolkit provides persistent OpenSSH access via a magic password and specific TCP port and can harvest credentials for all users who authenticate through the compromised host. Flare.io says the implant also includes anti-forensic features to tamper with authentication logs and evasion techniques. The seller listed it at $1,600 in March 2026, later reducing the price to about $900.
read more →

Fake Claude-Pro Site Distributes Beagle Windows Backdoor

⚠️ A fake Claude website pushed a 505MB archive named 'Claude-Pro-windows-x64.zip' that installs a trojanized MSI and drops three Startup files: NOVupdate.exe, NOVupdate.exe.dat, and avk.dll. Sophos and Malwarebytes analysis shows the signed G Data updater is abused to sideload avk.dll and an encrypted payload, which decrypts an in-memory DonutLoader that deploys the new Beagle backdoor. Beagle runs in memory, communicates with C2 at license.claude-pro[.]com (8.217.190[.]58) over TCP/443 or UDP/8080 using a hardcoded AES key, and supports basic file and command operations.
read more →

CloudZ RAT and Pheno Plugin Abuse Microsoft Phone Link

🔐 Cisco Talos has observed the CloudZ RAT paired with a previously undocumented plugin, Pheno, harvesting SMS messages and one-time passwords by abusing Microsoft's Phone Link functionality. Pheno scans for Phone Link processes and confirms active paired sessions before extracting synced SMS content from local SQLite files, allowing attackers to capture OTPs without touching the victim's mobile device. Observed since January 2026, the campaign uses a Rust loader, a .NET payload deployed via regasm.exe, and multiple anti-analysis techniques; Talos published IoCs and ClamAV signatures to aid detection.
read more →

Quasar Linux (QLNX) Turns Linux Hosts into P2P Mesh

🐧 Quasar Linux (QLNX) is a newly disclosed modular Linux RAT that converts compromised hosts into a resilient peer-to-peer attack mesh. It bundles kernel-level rootkit techniques, PAM-based authentication backdoors, and fileless persistence to hide activity and survive remediation. Trend Micro’s analysis notes the binary even embeds C source for its PAM backdoor and LD_PRELOAD rootkit. The implant communicates over raw TCP, HTTP, and HTTPS (with TLS for TCP and HTTPS) and Trend Micro has published IOCs while applying protections for Trend Vision One customers.
read more →

CloudZ RAT Exploits Windows Phone Link to Steal OTPs

🔒 Cisco Talos researchers disclosed an intrusion leveraging the CloudZ remote access tool and an undocumented plugin named Pheno to harvest credentials and one‑time passwords. The attackers abused Microsoft's Phone Link PC-to-phone bridge to monitor SMS/OTP data without deploying malware on the mobile device. The campaign, active since at least January 2026, uses a fake ConnectWise ScreenConnect dropper, a .NET loader and modular plugins to establish persistence and encrypted C2 communications.
read more →

China-linked UAT-8302 Targets Governments in 2024–2025

🔐 Cisco Talos attributes a China-nexus APT it tracks as UAT-8302 to sustained attacks on government entities in South America since late 2024 and on agencies in southeastern Europe in 2025. The actor deploys custom backdoors, notably a .NET implant called NetDraft (aka NosyDoor), and leverages tools such as CloudSorcerer, VShell and SNOWLIGHT/SNOWRUST. Talos highlights reuse of malware linked to multiple China-aligned clusters and extensive reconnaissance, lateral movement, and proxy/VPN-based persistence.
read more →

Venomous#Helper Phishing Uses Signed RMM to Install Backdoor

🛡️ A sustained phishing campaign named Venomous#Helper is abusing signed remote monitoring and management (RMM) tools to install persistent backdoors on Windows hosts. Researchers at Securonix say attackers used SSA-branded lures that redirected via a compromised Mexican domain to a signed JWrapper binary masquerading as a government document. The payload deploys a cracked SimpleHelp build alongside a ConnectWise ScreenConnect relay, creating dual access channels and robust persistence mechanisms that evade basic gateway and EDR checks.
read more →

Supply Chain Attack via DAEMON Tools Compromises Installers

⚠️ Kaspersky researchers discovered a large-scale supply chain attack that trojanized DAEMON Tools installers; the malicious executables are signed with a valid AVB Disc Soft digital signature and have been distributed since April 8, 2026. Once installed the malware runs at startup, collects system and network information, and contacts a command-and-control server that can deliver additional payloads. In some cases attackers deployed a backdoor and a more advanced implant, QUIC RAT, capable of in-memory execution and process injection; users should audit systems and use reliable security solutions.
read more →

CloudZ RAT Abuses Microsoft Phone Link to Steal OTPs

🔐 A new CloudZ remote access tool (RAT) variant deploys a previously unseen plugin named Pheno that hijacks Microsoft Phone Link on Windows 10 and 11 to extract SMS messages and one‑time passwords from the application’s local SQLite database. Cisco Talos says the intrusion has been active since at least January and can intercept OTPs mirrored to the desktop without compromising the mobile device. The infection chain begins with a fake ScreenConnect update that drops a Rust loader and a .NET loader which installs CloudZ, establishes persistence via a scheduled task, and performs anti-analysis checks.
read more →

CloudZ RAT and Pheno Plugin Abuse Microsoft Phone Link

🔍Cisco Talos disclosed an active campaign since January 2026 in which an unknown actor deployed a modular .NET RAT called CloudZ and a novel plugin, Pheno. Pheno targets the Windows Phone Link feature to detect an active PC-to-phone bridge and stage Phone Link SQLite files, enabling potential interception of mirrored SMS and OTPs without compromising the phone. CloudZ executes core functions dynamically in memory, performs anti-debug and sandbox checks, and supports plugin-based credential exfiltration.
read more →

Phishing Campaign Leverages RMM to Maintain Persistent Access

🛡️ Securonix warns of an active phishing campaign codenamed VENOMOUS#HELPER that has compromised over 80 organizations, primarily in the U.S., by abusing legitimate Remote Monitoring and Management tools. Attackers deliver a JWrapper-packaged executable via phishing links hosted on a compromised Mexican site to install SimpleHelp RMM with Safe Mode persistence and a self-healing watchdog. Operators elevate to SYSTEM using AdjustTokenPrivileges and deploy ConnectWise ScreenConnect as a fallback, creating redundant remote access for potential ransomware or extortion follow-on activity.
read more →

Silver Fox Uses ABCDoor Backdoor via Tax Phishing Campaign

🚨 A China-based cybercrime group known as Silver Fox ran tax-themed phishing campaigns that deployed a newly identified Python backdoor called ABCDoor. The attacks used PDFs linking to ZIP/RAR archives on abc.haijing88[.]com or malicious attachments and relied on a modified RustSL loader to fetch an encrypted ValleyRAT implant, whose plugin installed ABCDoor. Kaspersky and S2W observed over 1,600 phishing emails across waves targeting India, Russia, Indonesia and others. Organizations should treat unsolicited tax correspondence with suspicion, validate attachments out-of-band, and monitor for modified RustSL and HTTPS C2 activity.
read more →

China-Linked Hackers Target Asian Governments, Journalists

🔒 Trend Micro disclosed a China-aligned espionage campaign tracked as SHADOW-EARTH-053 that exploited N-day flaws in internet-facing Microsoft Exchange and IIS servers to deploy web shells (including Godzilla) and persistently stage the ShadowPad backdoor via DLL sideloading and AnyDesk. Targets spanned Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, Taiwan and one NATO member, Poland. Citizen Lab separately reported two phishing clusters, GLITTER CARP and SEQUIN CARP, impersonating journalists and tech/security alerts to harvest credentials and OAuth tokens. Researchers recommend urgent patching, virtual patching with WAF/IPS, and heightened monitoring for tunneling tools, web shells, and lateral-movement artifacts.
read more →

Deep#Door Python Backdoor Evades Detection On Windows

🐍 Securonix has identified a stealthy Python-based backdoor, Deep#Door, that uses an obfuscated batch loader to install a persistent implant on Windows systems. The self-contained dropper embeds and reconstructs its Python payload at runtime, disables security controls such as Windows Defender, and leverages multiple persistence mechanisms to maintain access. It uses public TCP tunneling for C2 and supports credential theft, keylogging, media capture and optional destructive actions, complicating detection and remediation.
read more →

Stealthy Python RAT 'DEEP#DOOR' Uses Public Tunneling

🛡️ Securonix researchers disclosed a stealthy Python-based backdoor named DEEP#DOOR that establishes persistent access and extensive surveillance on compromised Windows hosts. Delivered via an obfuscated batch dropper, the implant extracts and runs an embedded svc.py payload and uses the public Rust-based tunneling service bore.pub for command-and-control. Its capabilities include remote shells, credential and key theft, webcam and audio capture, and robust anti-analysis measures.
read more →

EtherRAT Campaign Spoofs Admin Tools via GitHub SEO

🛡️ Atos Threat Research Center disclosed in March 2026 a resilient campaign delivering a JavaScript RAT named EtherRAT via SEO-poisoned GitHub facades. The adversary places benign-looking README storefronts that link to hidden repositories hosting malicious MSI installers impersonating common administrative tools used by admins, DevOps, and security analysts. Payloads download Node.js at runtime and use an Ethereum smart contract queried through public RPC endpoints to resolve live C2 addresses, enabling rapid operator-driven server rotation and evasion of classic takedown techniques. Atos provides IoCs, technical analysis, and mitigation advice including blocking public ETH RPC access and enforcing verified tool provenance.
read more →

Threat Actor Uses Microsoft Teams to Deploy 'Snow' Malware

❄️UNC6692 uses social engineering and Microsoft Teams to deliver a custom malware suite dubbed Snow. The attackers combine an 'email bombing' tactic with Teams messages posing as IT helpdesk staff to lure victims into installing a fake patch. The link drops AutoHotkey scripts that load SnowBelt, a malicious Chrome extension that operates in a headless Edge session, establishing persistence and relaying commands to a Python backdoor via a WebSocket tunneler.
read more →

Tropic Trooper Uses Trojanized SumatraPDF to Access Hosts

🛡️ Zscaler ThreatLabz attributes a new campaign to Tropic Trooper that uses a trojanized SumatraPDF installer to deliver the AdaptixC2 Beacon post‑exploitation agent. Victims—primarily Chinese‑speaking individuals in Taiwan, with some targets in South Korea and Japan—are lured via military‑themed ZIP archives that show a decoy PDF while fetching encrypted shellcode. The backdoored reader launches a Xiangoop‑derived loader called TOSHIS, which stages payloads and only escalates to installing Visual Studio Code and configuring VS Code tunnels for persistent remote access on high‑value hosts.
read more →

Harvester Deploys Linux GoGra Backdoor Against South Asia

🔒 Symantec and Carbon Black attribute a new Linux build of the GoGra backdoor to the threat actor known as Harvester, observing deployments likely targeting entities in South Asia. The implant abuses Microsoft Graph and Outlook mailboxes as a covert C2 channel and is delivered via ELF binaries disguised as PDF lures. Incoming tasking emails (subject prefix "Input") contain Base64-encoded shell commands that the backdoor decrypts and runs via /bin/bash, then exfiltrates results as emails labeled "Output" and removes the original messages.
read more →

ICE Confirms Use of Israeli Graphite Spyware Domestically

🕵️‍♂️ ICE has publicly acknowledged using spyware developed by the Israeli firm Graphite, confirming prior reporting and prompting renewed scrutiny over government surveillance practices. The agency says the tools are used in immigration and criminal investigations but provided limited details about scope, oversight, or legal justification. Privacy advocates and technologists warn that deployment of such remote access trojans can expose large amounts of personal data and evade standard protections.
read more →