
All news with #remote access trojan tag

309 articles · page 4 of 16

StoatWaffle malware auto-executes via VS Code tasks

🔐 NTT Security warns of a newly disclosed malware strain called StoatWaffle that automatically executes when developers open and trust weaponized Visual Studio Code folders. The threat leverages a crafted .vscode/tasks.json with a runOn: folderOpen setting to trigger a Node.js-based loader, credential stealer and RAT without explicit user action. Operators attributed to WaterPlum are evolving the long-running Contagious Interview campaign to target developer workflows and toolchains.

North Korean Actors Use VS Code Auto-Run for StoatWaffle

🛡️ The North Korean-linked group Contagious Interview (aka WaterPlum) is abusing Visual Studio Code auto-run tasks to distribute a Node.js-based malware family called StoatWaffle. Malicious projects use tasks.json with runOn: folderOpen to automatically fetch and install Node.js, then execute a downloader that chains to next-stage modules. StoatWaffle includes a browser credential stealer and a RAT capable of file operations, command execution, and data exfiltration.

Tax season surge: Phishing and malware campaigns in 2026

📧 Microsoft Threat Intelligence and the Defender Security Research Team observed a surge of tax-themed phishing and malware campaigns in early 2026, exploiting W-2s, 1099s, IRS notices, and CPA communications to trick recipients. Attackers used Phishing-as-a-Service kits such as Energy365 and SneakyLog, QR-coded documents, and repackaged RMM tools (ScreenConnect, SimpleHelp, Datto) to steal credentials and gain remote access. Highly customized messages, multi-step flows, and legitimate hosting services helped these campaigns evade detection and target both individuals and tax professionals.

Konni Deploys EndRAT via KakaoTalk Spear-Phishing Campaign

⚠️ South Korean firm Genians links a multi-stage intrusion to the North Korean-affiliated Konni group, which used spear-phishing ZIP attachments containing malicious .LNK shortcuts to deploy an AutoIt remote-access trojan, EndRAT. The shortcut fetches a next-stage payload, establishes persistence via scheduled tasks, and displays a PDF decoy while the malware stealthily exfiltrates documents. Investigators found additional AutoIt artifacts for RftRAT and RemcosRAT, and the attacker abused the victim's KakaoTalk desktop to send infected ZIP files to selected contacts, turning compromised systems into propagation hubs.

Vishing Leads to Compromise via Microsoft Teams Support

🔒 In this Cyberattack Series report, Microsoft Incident Response (DART) details an identity-first, human-operated intrusion that began with persistent Microsoft Teams voice phishing (vishing). After two failed attempts, the attacker persuaded a third employee to grant remote access via Quick Assist, then directed the user to a spoofed web form to capture corporate credentials and download multiple payloads. An early, disguised MSI sideloaded a malicious DLL to establish outbound command-and-control. DART contained the activity, removed artifacts, and recommends tightening external collaboration and disabling unnecessary remote-access utilities.

DRILLAPP JavaScript Backdoor Targets Ukrainian Systems

🛡️ S2 Grupo's LAB52 has uncovered a February 2026 campaign delivering a JavaScript backdoor called DRILLAPP that executes through Microsoft Edge in headless mode. The attackers use LNK files or Windows Control Panel modules to spawn an HTA that fetches obfuscated scripts from Pastefy, then run the browser with debugging flags that grant file, microphone, camera, and screen access without user prompts. Variants added recursive file enumeration, batch uploads, and arbitrary downloads while employing canvas fingerprinting and time-zone checks to profile victims.

BeatBanker Masquerades as Starlink App to Hijack Devices

🛡️ Kaspersky researchers have uncovered BeatBanker, an Android malware campaign that lures victims with fake Starlink app pages and sideloaded APKs. The threat blends banking-trojan capabilities with a modified XMRig Monero miner and, in recent variants, deploys the BTMOB RAT for full device takeover. BeatBanker uses in-memory DEX loading, environment checks, a faux Play Store update prompt, and a near-inaudible MP3-based persistence mechanism to evade detection.

npm package deploys GhostLoader RAT as OpenClaw Installer

⚠️ JFrog researchers discovered a malicious npm package published as "@openclaw-ai/openclawai" that impersonates an OpenClaw installer and executes a multi-stage infection chain delivering a remote access trojan. During installation a postinstall script places a binary on the PATH, which runs an obfuscated setup that simulates a legitimate CLI installer and prompts for administrator credentials. The second-stage payload, internally named GhostLoader, installs persistently, harvests credentials, browser data, wallets, SSH keys and Apple Keychain entries, and exposes a SOCKS5 proxy for remote operators.

APT28 Deploys Customized Covenant Variant for Espionage

🔒 Since April 2024, Russian state-sponsored APT28 has deployed a customized variant of the open-source Covenant post-exploitation framework alongside a modern implant called BeardShell. The dual-implant approach enabled long-term surveillance of Ukrainian military personnel and central executive bodies, researchers at ESET and CERT-UA report. Attacks exploited the CVE-2026-21509 Microsoft Office vulnerability using malicious DOC files. APT28 modified Covenant with deterministic implant IDs, altered execution flows to evade behavioral detection, and added new cloud-based communication channels.

Microsoft Teams Phishing Deploys A0Backdoor via Quick Assist

🔐 Researchers at BlueVoyant describe a Microsoft Teams phishing campaign that social-engineers employees into initiating Quick Assist remote sessions to install a newly observed backdoor, A0Backdoor. Attackers deliver digitally signed MSI installers and use DLL sideloading with legitimate Microsoft binaries to load a malicious hostfxr.dll that decrypts and runs shellcode. The backdoor fingerprints hosts, communicates with command-and-control over DNS MX queries with encoded subdomains, and has been observed targeting financial and healthcare organizations.

Termite Ransomware Breaches Tied to ClickFix, CastleRAT

🔒 Researchers at MalBeacon observed the threat actor Velvet Tempest using a ClickFix malvertising chain to trick victims into pasting obfuscated commands into the Windows Run dialog. Operators leveraged nested cmd.exe chains and legitimate utilities (including finger.exe and csc.exe) to stage loaders, compile .NET components, and deploy Python-based persistence under C:\ProgramData. The intrusion staged DonutLoader and retrieved the CastleRAT backdoor, though Termite ransomware was not deployed during the observed exercise.

Iran-linked MuddyWater Targets US Firms with New Backdoors

🚨 Researchers at Broadcom’s Symantec and Carbon Black have linked a recent campaign to Iran-affiliated MuddyWater that began in early February and continued after recent US–Israeli strikes on Iran. The operation deployed a previously undocumented Deno-based backdoor dubbed Dindoor and a Python backdoor called Fakeset. Attackers used reused code-signing certificates issued to Amy Cherne and Donald Gay, and attempted data exfiltration via Rclone to Wasabi cloud storage. The activity affected a US bank, a US airport, NGOs in North America and an Israeli division of a US defense supplier.

Multi-stage VOID#GEIST malware delivers multiple RATs

🔍 Securonix Threat Research has disclosed a multi-stage campaign named VOID#GEIST that leverages obfuscated batch scripts to stage a portable Python runtime and deploy encrypted RAT payloads including XWorm, AsyncRAT, and Xeno RAT. The chain retrieves ZIP archives from a TryCloudflare domain, extracts a Python loader (runn.py) and encrypted shellcode blobs, then decrypts and injects them directly into separate explorer.exe processes using Early Bird APC injection. The initial stage displays a decoy PDF while a hidden PowerShell relaunches the batch, and persistence is established at the user level via an auxiliary script placed in the Startup folder to minimize forensic artifacts.

Iran-linked MuddyWater intrusions hit U.S., Israeli targets

🔒 Broadcom's Symantec and Carbon Black Threat Hunter Team found an Iran-linked group, MuddyWater, embedded in networks of U.S. banks, airports, a Canadian non-profit, and an Israeli software supplier. Researchers uncovered a novel Deno-based backdoor named Dindoor and a Python backdoor, Fakeset, whose signing certificate ties it to prior MuddyWater tools. An attempted Rclone exfiltration to a Wasabi bucket was observed. Vendors recommend bolstering monitoring, enforcing phishing-resistant MFA, segmenting networks, and reducing internet exposure of critical systems.

Fake Laravel Packages on Packagist Deploy Cross-Platform RAT

🔴 Security researchers identified malicious Packagist PHP packages posing as Laravel utilities that install a cross-platform remote access trojan (RAT) affecting Windows, macOS, and Linux. The actor published nhattuanbl/lara-helper, nhattuanbl/simple-queue, and nhattuanbl/lara-swagger, with lara-swagger pulling the helper as a Composer dependency to trigger installation. The embedded payload phones home to a reported C2 at helper.leuleu[.]net:2096, supports extensive remote commands, and activates at application boot or via autoloading, exposing application credentials and environment secrets.

APT41-Linked Silver Dragon Targets Europe and Asia

🔒 Check Point disclosed an advanced persistent threat dubbed Silver Dragon, active since mid-2024 and assessed to operate under the APT41 umbrella. The group gains access via vulnerable public servers and phishing, deploying loaders such as MonikerLoader and the C++ BamboLoader to stage Cobalt Strike beacons. Post-exploitation tools include screen capture, SSH utilities, and a Google Drive backdoor used for file-based C2.

Signed Malware Mimics Workplace Apps to Deploy RMM Backdoors

🔒 In February 2026 Microsoft Defender Experts uncovered phishing campaigns that delivered digitally signed malware impersonating common workplace applications. The threat actor used an EV certificate issued to TrustConnect Software PTY LTD to sign trojanized installers (examples include msteams.exe, adobereader.exe, and invite.exe) that deployed RMM tools such as ScreenConnect, Tactical RMM, and MeshAgent. Executables reinforced legitimacy by copying to Program Files, registering services, creating Run keys, and executing encoded PowerShell to stage additional payloads and connect to attacker-controlled domains, enabling persistent remote access and lateral movement.

Fake IT Support Spam Delivers Havoc C2 via DLL Sideloader

🔒 Huntress researchers uncovered a campaign where attackers posed as IT support, using email spam and follow-up phone calls to coerce victims into granting remote access and visiting a counterfeit Microsoft page hosted on AWS. The fake site harvested credentials and prompted a download that executed a legitimate binary which sideloaded a malicious DLL to launch the Havoc Demon. The intrusions showed rapid lateral movement, scheduled-task persistence, and use of legitimate RMM tools as backup persistence.

Iran-linked Actor Targets Iraqi Government Officials

🔎 Zscaler ThreatLabz detected a January 2026 campaign by an Iran-nexus actor tracked as Dust Specter that impersonated Iraq’s Ministry of Foreign Affairs and used compromised government infrastructure to host and distribute payloads. The operation deployed previously undocumented tooling — SplitDrop, TwinTask, TwinTalk — and a consolidated .NET RAT called GhostForm. Researchers observed emoji and Unicode artifacts in decompiled code that strongly suggest generative AI assisted in development.

North Korean StegaBin: 26 Malicious npm Packages Exposed

🔍 Researchers disclosed a new StegaBin iteration of the Contagious Interview campaign in which North Korean actors uploaded 26 malicious packages to the npm registry. The packages masqueraded as developer tools and used text steganography in Pastebin essays to encode Vercel-based C2 addresses, ultimately delivering a credential stealer and a cross-platform RAT. Install-time scripts fetch multi-stage components that enable persistence, credential harvesting, and exfiltration.