< ciso
brief />
Tag Banner

All news with #remote access trojan tag

337 articles · page 4 of 17

Teams abused for helpdesk impersonation, warns Microsoft

🔒 Microsoft warns that threat actors are increasingly abusing external Microsoft Teams collaboration to impersonate IT or helpdesk staff and gain remote access. Attackers initiate cross-tenant chats to request remote assistance—commonly via Quick Assist—then perform reconnaissance and deploy small payloads into user-writable locations. They abuse trusted, signed applications for execution and use HTTPS-based C2 and tools like Rclone to exfiltrate filtered, high-value data, often blending into normal traffic. Administrators are urged to treat external Teams contacts as untrusted, restrict remote-assistance tools, and limit WinRM usage.
read more →

Obsidian Plugin Abuse Delivers PHANTOMPULSE Remote RAT

🛡️ A novel social engineering campaign abused the Obsidian note-taking app to deliver a previously undocumented Windows remote access trojan dubbed PHANTOMPULSE. Elastic Security Labs tracked the activity as REF6598, reporting attackers lured financial and cryptocurrency professionals via LinkedIn and Telegram before asking them to open a cloud-hosted Obsidian vault. By convincing victims to enable the Installed community plugins sync, actors leveraged legitimate Shell Commands and Hider plugins to execute malicious JSON-configured payloads and run signed Electron-based loaders that hand off execution. The campaign underscores the risk of trusted applications and targeted social engineering as initial access vectors.
read more →

Mirax Android RAT Turns Devices into SOCKS5 Proxies

📱 Mirax is a newly observed Android Remote Access Trojan distributed via Meta advertisements that reached over 220,000 accounts, primarily in Spanish-speaking countries. According to Cleafy, Mirax pairs conventional RAT capabilities—keystroke capture, overlays, camera and SMS access—with an embedded SOCKS5 residential proxy implemented over Yamux to route attacker traffic through victim IPs. The threat uses GitHub-hosted droppers, selectable crypters (Virbox, Golden Crypt), and multi-stage installation flows that request accessibility permissions to persist and evade analysis. Researchers note the platform is offered as a selective MaaS to vetted affiliates, increasing its operational and monetization potential.
read more →

JanelaRAT Targets Latin American Banks, 14,739 Hits

🔒 Researchers report that the JanelaRAT malware, a modified BX RAT, extensively targeted banks and financial services across Latin America, with telemetry showing 14,739 attack attempts in Brazil and 11,695 in Mexico during 2025. The trojan steals banking and cryptocurrency credentials, captures keystrokes, screenshots and system metadata, and uses custom title-bar detection to trigger actions on matched sites. Attackers shifted delivery from VBScript ZIPs to rogue MSI installers and DLL side-loading, often installing a malicious Chromium extension for persistence and data exfiltration. Vendors including Kaspersky, KPMG, and Zscaler documented multi-stage chains and robust C2 capabilities.
read more →

APT37 Uses Facebook Social Engineering to Spread RokRAT

🔒 North Korea–linked APT37 has been observed using Facebook friend requests and Messenger to build trust with targets before moving conversations to Telegram and distributing a ZIP archive containing a trojanized Wondershare PDFelement. The tampered installer executes encrypted shellcode that contacts a compromised legitimate site, japanroom[.]com, to fetch a seemingly benign JPG which stages the RokRAT payload. The malware then leverages Zoho WorkDrive for command-and-control, enabling screenshots, remote command execution via cmd.exe, host reconnaissance, and evasion of security products.
read more →

STX RAT Uses Stealth Tactics to Target Finance Sector

🔐 eSentire's Threat Response Unit identified a previously undocumented remote access trojan, STX RAT, after an attempted deployment in a financial services environment in late February 2026. The malware uses multi-stage, script-based delivery and in-memory execution to evade detection, leveraging XXTEA encryption, Zlib compression and reflective PowerShell loaders. It delays credential theft until instructed by an encrypted C2 channel and implements registry autoruns and COM hijacking for persistence. Organizations should strengthen endpoint protections and limit exposure to script-based attack vectors.
read more →

Axios npm compromise used fake Teams update to hijack

⚠️ The maintainers of Axios report a targeted social engineering attack that allowed threat actors to publish malicious npm releases (1.14.1 and 0.30.4) which added a dependency, plain-crypto-js, that deployed a remote access trojan across macOS, Windows, and Linux. The tainted packages were available for roughly three hours before removal; any systems that installed them should be treated as compromised and have credentials and keys rotated. Google links the operation to North Korea‑aligned UNC1069, while researchers say the same playbook targeted multiple high‑impact Node.js maintainers. Axios maintainers have wiped affected hosts, reset credentials, and are adding safeguards to reduce future supply chain risk.
read more →

Axios npm Supply Chain Compromise Deploys Malicious Builds

🔐 Cisco Talos is investigating a March 31, 2026 supply chain attack that briefly replaced the official Axios npm package with two malicious releases (v1.14.1 and v0.30.4). The tainted packages were available for about three hours, and Talos strongly advises rolling back to known safe versions (v1.14.0 or v0.30.3) and auditing any systems that installed them. The injected runtime dependency executes at post-install and fetches platform-specific RAT payloads for Linux, MacOS, and Windows.
read more →

REF1695: Fake Installers Deliver RATs and Miners Campaign

🔍Elastic Security Labs researchers documented a financially motivated operation, REF1695, active since November 2023 that uses fake ISO installers to deliver remote access trojans and cryptocurrency miners. Recent samples drop a .NET implant called CNB Bot via a .NET Reactor-protected loader and include explicit instructions to bypass Microsoft Defender SmartScreen. The loader invokes PowerShell to add broad Defender exclusions, launches CNB Bot in the background and displays a benign error message while facilitating further payload downloads. The actor hosts staged binaries on GitHub and abuses a signed vulnerable driver (WinRing0x64.sys) to tune CPU settings and boost mining performance.
read more →

CrystalRAT malware adds RAT, stealer, and prankware features

🔒 A new malware-as-a-service called CrystalRAT (also marketed as CrystalX) has been active since January and is being promoted on Telegram and a dedicated YouTube channel, offering remote access, data theft, keylogging, clipboard hijacking and an extensive set of prankware functions. Kaspersky researchers found strong similarities to WebRAT (Salat Stealer), noting a Go-based codebase, matching panel design and a bot-driven sales system; the kit includes a builder, geoblocking, executable customization and anti-analysis protections. Payloads are zlib-compressed and ChaCha20-encrypted, connect to C2 over WebSocket, and the RAT supports CMD execution, VNC-backed remote control, audio/video capture, streaming keylogging and a clipboard clipper; the infostealer component targeting Chromium-based browsers and desktop apps is currently being upgraded. Users should avoid untrusted downloads and apply standard endpoint protections to reduce infection risk.
read more →

Axios npm Supply Chain Attack Injects Cross-Platform RAT

⚠ A compromised npm maintainer account led to malicious Axios releases (v1.14.1 and v0.30.4) that introduced a hidden dependency, plain-crypto-js@4.2.1, which deployed a cross-platform remote access trojan (RAT). The postinstall lifecycle script executed a heavily obfuscated Node.js dropper that retrieved platform-specific payloads from a C2 at sfrclak[.]com:8000. Payloads for macOS, Windows and Linux implement a unified RAT protocol with 60-second beacons and capabilities to run commands, inject binaries and remove themselves. Unit 42 recommends immediate isolation, rebuilds from known-good images, credential rotation, dependency pinning and network egress blocking to the C2.
read more →

CERT-UA Impersonation Campaign Distributes AGEWHEEZE RAT

📢 CERT-UA disclosed a phishing campaign in which attackers impersonated the agency to distribute a remote access trojan, AGEWHEEZE, via a password-protected ZIP hosted on Files.fm sent March 26–27, 2026. Emails, some originating from incidents@cert-ua.tech, targeted state bodies, medical centers, security firms, educational institutions, financial organizations and developers, urging installation of a purported "protection tool." The Go-based RAT communicates with 54.36.237.92 over WebSockets, supports extensive remote commands and persistence mechanisms, but CERT-UA reports only a handful of personal device infections and provided remediation assistance.
read more →

CrystalX RAT: Prankware MaaS with Full Spy Tools and Theft

🛡️ Kaspersky researchers discovered CrystalX, a subscription-based Remote Access Trojan promoted on Telegram and YouTube that mixes disruptive "prank" capabilities with robust theft and surveillance features. The Trojan can rotate screens, swap mouse buttons, block keyboard input, display arbitrary messages, and disable system utilities, while also stealing credentials, hijacking clipboards to redirect crypto, logging keystrokes, and accessing screen, camera and microphone. Builds are uniquely encrypted per customer and include anti-analysis checks, complicating detection, and Kaspersky products detect and neutralize the threat. Users should avoid pirated software, be cautious with messaging attachments, enable 2FA, keep systems updated, and run reputable security solutions.
read more →

WhatsApp VBS Malware Campaign Delivers MSI Backdoors

🛡️ Microsoft warns of a WhatsApp-distributed malware campaign that uses malicious Visual Basic Script (VBS) files to gain persistence and remote access on Windows systems. The VBS scripts perform delayed, multi-stage execution and deploy renamed legitimate utilities (for example, curl.exe and bitsadmin.exe) under misleading filenames to blend in. Payloads are hosted on reputable cloud providers and culminate in installing malicious Microsoft Installer (MSI) packages that act as backdoors. Microsoft recommends monitoring script and installer execution and watching for misuse of trusted system tools.
read more →

Hackers Hijack Axios npm Package to Spread RATs Globally

🔔 Threat actors compromised maintainer Jason Saayman's accounts to publish malicious versions of axios that included the plain-crypto-js dependency, distributing cross-platform remote access trojans (RATs). The attackers staged the dependency before the takeover, changed the maintainer’s email for persistence, and used stolen npm credentials to publish malicious releases. npm removed the tainted packages and revoked tokens within about three hours while researchers urge audits of lockfiles, CI/CD systems and credential rotation.
read more →

Axios npm Compromised: Malicious Releases Deployed RAT

🚨 Attackers compromised the npm account of Axios' lead maintainer and pushed trojanized releases that install a cross-platform remote access trojan on developer machines. The malicious versions axios@1.14.1 and axios@0.30.4 pulled a staged dependency plain-crypto-js@4.2.1 containing a postinstall dropper. Multiple security vendors detected the packages within minutes and npm removed them within two to three hours, but the short window was enough to affect many environments.
read more →

Axios npm Account Compromised to Deliver Cross-Platform RATs

⚠️ Hackers hijacked the npm account for Axios, a widely used JavaScript HTTP client, to publish two malicious releases on March 31, 2026. The attacker added a trojanized dependency (plain-crypto-js@^4.2.1) that runs a post-install dropper (setup.js) which fetches OS-specific RATs from a C2 server. The payloads target Windows, macOS, and Linux and include persistence and evasion techniques, while the dropper attempts to erase traces and restore a clean package.json after infection.
read more →

WhatsApp-delivered VBS Campaign Installs MSI Backdoors

🛡️ Microsoft Defender Experts (DEX) observed a late-February 2026 campaign leveraging WhatsApp messages to deliver malicious Visual Basic Script (VBS) files. Executing the VBS creates hidden folders under C:\ProgramData, drops renamed legitimate Windows utilities, and uses them to download additional payloads from cloud services such as AWS, Tencent Cloud, and Backblaze B2. Attackers escalate privileges, tamper with UAC and registry settings, and install unsigned MSI packages to establish persistent remote access. Microsoft recommends hardening script hosts, monitoring cloud traffic and registry changes, and enabling Defender protections.
read more →

Silver Fox Expands Asia Campaign Using AtlasCross RAT

🔎 Hexastrike warns of a regionally focused campaign targeting Chinese-speaking users through typosquatted sites that impersonate trusted software brands to deliver a previously undocumented remote access trojan. The malware, AtlasCross RAT, is deployed via ZIP lures that drop a trojanized Autodesk installer which loads a second-stage payload and executes in memory. Installers were signed with a stolen EV certificate tied to DUC FABULOUS CO.,LTD, and the operation is attributed to Silver Fox, affecting multiple Asian countries.
read more →

Axios Supply Chain Attack Pushes Cross-Platform RAT

⚠️ The popular HTTP client Axios was compromised after attackers published poisoned npm releases that introduced a malicious dependency, plain-crypto-js@4.2.1. The injected package executes an obfuscated postinstall dropper that fetches platform-specific RAT payloads for macOS, Windows and Linux. The actor used a compromised maintainer account to push axios@1.14.1 and axios@0.30.4, bypassing CI/CD. Users who installed those releases should assume compromise and follow remediation guidance.
read more →