< ciso
brief />
Tag Banner

All news with #remote access trojan tag

337 articles · page 5 of 17

RoadK1ll WebSocket Implant Enables Network Pivoting

🛡️ Blackpoint discovered a lightweight Node.js implant named RoadK1ll that uses an outbound WebSocket reverse tunnel to convert compromised hosts into relay points. It forwards TCP traffic on demand, supports multiple concurrent connections, and implements a small set of commands (CONNECT, DATA, CONNECTED, CLOSE, ERROR) to manage proxied sessions. RoadK1ll lacks traditional registry or scheduled-task persistence and runs only while its process remains active. Its stealthy outbound-only design helps attackers pivot to internal systems and bypass perimeter controls.
read more →

Russian 'CTRL' RAT Distributed via Malicious LNK Files

🛡️ Censys researchers uncovered a Russian-origin remote access toolkit called CTRL that is distributed via weaponized Windows shortcut (LNK) files disguised as private key folders. The multi-stage PowerShell dropper decodes and loads payloads in memory, modifies firewall rules, creates scheduled tasks and backdoor local users, and establishes FRP reverse tunnels for RDP access. Components include a .NET loader, a WPF credential-phishing UI that mimics the Windows PIN prompt, a persistent keylogger, and FRP/RDP wrapper binaries that enable an operator to interact with victims over tunneled RDP while minimizing visible network beaconing.
read more →

China-linked clusters target Southeast Asian government

🔒 Palo Alto Networks' Unit 42 reports three China-aligned activity clusters targeted a Southeast Asian government organization in 2025, executing a sustained, well-resourced operation aimed at persistent access. The campaigns deployed multiple loaders and backdoors, notably HIUPAN (USBFect), PUBLOAD, EggStremeFuel/EggStremeLoader, MASOL RAT, TrackBak, and FluffyGh0st, alongside components such as Claimloader and Hypnosis Loader. Unit 42 notes significant TTP overlap with known groups including Mustang Panda and clusters linked to Earth Estries, Crimson Palace, and Unfading Sea Haze.
read more →

Silver Fox Phishing Targets Japanese Firms During Tax Season

🦊 Silver Fox has resumed targeted spearphishing against Japanese companies during the annual tax and personnel change season. Attackers send tailored, believable HR and tax-themed emails and spoof trusted employees to deliver malicious attachments or links that drop ValleyRAT. Because recipients expect such communications, these lures increase the risk of compromise. Verify suspicious requests through alternate channels and report them to security teams immediately.
read more →

GlassWorm Campaign Uses Solana Dead-Drops for RAT Operations

🔍 Cybersecurity researchers report a new GlassWorm evolution that delivers a multi-stage data theft framework and a remote access trojan (RAT) which force-installs a malicious Google Chrome extension masquerading as Google Docs Offline. The campaign gains initial access via rogue packages on npm, PyPI, GitHub and Open VSX, and resolves C2 addresses using Solana memos and public Google Calendar dead drops. A .NET component performs hardware wallet phishing when Ledger or Trezor devices are connected, while a WebSocket RAT harvests browser data, executes arbitrary JavaScript, and supports HVNC and SOCKS modules. Developers are urged to verify publishers and use scanning tools such as AFINE's glassworm-hunter.
read more →

Silver Fox Campaigns Shift Toward Dual Espionage and Crime

🦊 Sekoia has identified a series of Silver Fox campaigns from 2025–2026 that blend espionage and financially motivated cybercrime. Attackers used tax- and payroll-themed phishing lures, SEO poisoning and malicious ads to deliver tools such as ValleyRAT, HoldingHands and a custom Python credential stealer disguised as a WhatsApp app. Targets included organizations across Taiwan, Japan and multiple Southeast Asian countries. Researchers say the group’s modular approach enables rapid tool changes while preserving persistence in compromised networks.
read more →

NPM 'Ghost' Campaign Uses Fake Install Logs to Hide Malware

🔍 Security researchers at ReversingLabs uncovered a malicious npm campaign, dubbed the 'Ghost campaign', that uses fabricated installation logs to conceal downloader behavior. Malicious packages impersonate legitimate installs—displaying fake dependency downloads, progress bars and random delays—and prompt users for their sudo password under false pretenses. That credential is then used to fetch and execute a final-stage remote access trojan capable of stealing crypto wallets and sensitive data; researchers advise verifying package authors, monitoring install scripts and avoiding sudo prompts during installs.
read more →

Ghost campaign uses npm packages to steal crypto wallets

🛡️Security researchers at ReversingLabs have uncovered a set of malicious npm packages published by user mikilanjillo that phish for sudo credentials and deploy a multi-stage downloader to steal cryptocurrency wallets and other sensitive data. The packages display fake npm install logs and inject delays to mask their actions, then prompt for elevated privileges to retrieve a remote payload via Telegram. The final stage installs a remote access trojan capable of harvesting browser credentials, wallets, SSH keys, and developer tokens.
read more →

StoatWaffle malware auto-executes via VS Code tasks

🔐 NTT Security warns of a newly disclosed malware strain called StoatWaffle that automatically executes when developers open and trust weaponized Visual Studio Code folders. The threat leverages a crafted .vscode/tasks.json with a runOn: folderOpen setting to trigger a Node.js-based loader, credential stealer and RAT without explicit user action. Operators attributed to WaterPlum are evolving the long-running Contagious Interview campaign to target developer workflows and toolchains.
read more →

North Korean Actors Use VS Code Auto-Run for StoatWaffle

🛡️ The North Korean-linked group Contagious Interview (aka WaterPlum) is abusing Visual Studio Code auto-run tasks to distribute a Node.js-based malware family called StoatWaffle. Malicious projects use tasks.json with runOn: folderOpen to automatically fetch and install Node.js, then execute a downloader that chains to next-stage modules. StoatWaffle includes a browser credential stealer and a RAT capable of file operations, command execution, and data exfiltration.
read more →

Tax season surge: Phishing and malware campaigns in 2026

📧 Microsoft Threat Intelligence and the Defender Security Research Team observed a surge of tax-themed phishing and malware campaigns in early 2026, exploiting W-2s, 1099s, IRS notices, and CPA communications to trick recipients. Attackers used Phishing-as-a-Service kits such as Energy365 and SneakyLog, QR-coded documents, and repackaged RMM tools (ScreenConnect, SimpleHelp, Datto) to steal credentials and gain remote access. Highly customized messages, multi-step flows, and legitimate hosting services helped these campaigns evade detection and target both individuals and tax professionals.
read more →

Konni Deploys EndRAT via KakaoTalk-Spear Phishing Campaign

⚠️ South Korean firm Genians links a multi-stage intrusion to the North Korean-affiliated Konni group, which used spear-phishing ZIP attachments containing malicious .LNK shortcuts to deploy an AutoIt remote-access trojan, EndRAT. The shortcut fetches a next-stage payload, establishes persistence via scheduled tasks, and displays a PDF decoy while the malware stealthily exfiltrates documents. Investigators found additional AutoIt artifacts for RftRAT and RemcosRAT, and the attacker abused the victim's KakaoTalk desktop to send infected ZIP files to selected contacts, turning compromised systems into propagation hubs.
read more →

Vishing Leads to Compromise via Microsoft Teams Support

🔒 In this Cyberattack Series report, Microsoft Incident Response (DART) details an identity-first, human-operated intrusion that began with persistent Microsoft Teams voice phishing (vishing). After two failed attempts, the attacker persuaded a third employee to grant remote access via Quick Assist, then directed the user to a spoofed web form to capture corporate credentials and download multiple payloads. An early, disguised MSI sideloaded a malicious DLL to establish outbound command-and-control. DART contained the activity, removed artifacts, and recommends tightening external collaboration and disabling unnecessary remote-access utilities.
read more →

DRILLAPP JavaScript Backdoor Targets Ukrainian Systems

🛡️ S2 Grupo's LAB52 has uncovered a February 2026 campaign delivering a JavaScript backdoor called DRILLAPP that executes through Microsoft Edge in headless mode. The attackers use LNK files or Windows Control Panel modules to spawn an HTA that fetches obfuscated scripts from Pastefy, then run the browser with debugging flags that grant file, microphone, camera, and screen access without user prompts. Variants added recursive file enumeration, batch uploads, and arbitrary downloads while employing canvas fingerprinting and time‑zone checks to profile victims.
read more →

BeatBanker Masquerades as Starlink App to Hijack Devices

🛡️Kaspersky researchers have uncovered BeatBanker, an Android malware campaign that lures victims with fake Starlink app pages and sideloaded APKs. The threat blends banking-trojan capabilities with a modified XMRig Monero miner and, in recent variants, deploys the BTMOB RAT for full device takeover. BeatBanker uses in-memory DEX loading, environment checks, a faux Play Store update prompt, and a near‑inaudible MP3-based persistence mechanism to evade detection.
read more →

npm package deploys GhostLoader RAT as OpenClaw Installer

⚠️ JFrog researchers discovered a malicious npm package published as "@openclaw-ai/openclawai" that impersonates an OpenClaw installer and executes a multi-stage infection chain delivering a remote access trojan. During installation a postinstall script places a binary on the PATH, which runs an obfuscated setup that simulates a legitimate CLI installer and prompts for administrator credentials. The second-stage payload, internally named GhostLoader, installs persistently, harvests credentials, browser data, wallets, SSH keys and Apple Keychain entries, and exposes a SOCKS5 proxy for remote operators.
read more →

APT28 Deploys Customized Covenant Variant for Espionage

🔒 Since April 2024, Russian state-sponsored APT28 has deployed a customized variant of the open-source Covenant post-exploitation framework alongside a modern implant called BeardShell. The dual-implant approach enabled long-term surveillance of Ukrainian military personnel and central executive bodies, researchers at ESET and CERT-UA report. Attacks exploited the CVE-2026-21509 Microsoft Office vulnerability using malicious DOC files. APT28 modified Covenant with deterministic implant IDs, altered execution flows to evade behavioral detection, and added new cloud-based communication channels.
read more →

Microsoft Teams Phishing Deploys A0Backdoor via Quick Assist

🔐 Researchers at BlueVoyant describe a Microsoft Teams phishing campaign that social-engineers employees into initiating Quick Assist remote sessions to install a newly observed backdoor, A0Backdoor. Attackers deliver digitally signed MSI installers and use DLL sideloading with legitimate Microsoft binaries to load a malicious hostfxr.dll that decrypts and runs shellcode. The backdoor fingerprints hosts, communicates with command-and-control over DNS MX queries with encoded subdomains, and has been observed targeting financial and healthcare organizations.
read more →

Termite Ransomware Breaches Tied to ClickFix, CastleRAT

🔒 Researchers at MalBeacon observed the threat actor Velvet Tempest using a ClickFix malvertising chain to trick victims into pasting obfuscated commands into the Windows Run dialog. Operators leveraged nested cmd.exe chains and legitimate utilities (including finger.exe and csc.exe) to stage loaders, compile .NET components, and deploy Python-based persistence under C:\ProgramData. The intrusion staged DonutLoader and retrieved the CastleRAT backdoor, though Termite ransomware was not deployed during the observed exercise.
read more →

Iran-linked MuddyWater Targets US Firms with New Backdoors

🚨 Researchers at Broadcom’s Symantec and Carbon Black have linked a recent campaign to Iran-affiliated MuddyWater that began in early February and continued after recent US–Israeli strikes on Iran. The operation deployed a previously undocumented Deno-based backdoor dubbed Dindoor and a Python backdoor called Fakeset. Attackers used reused code-signing certificates issued to Amy Cherne and Donald Gay, and attempted data exfiltration via Rclone to Wasabi cloud storage. The activity affected a US bank, a US airport, NGOs in North America and an Israeli division of a US defense supplier.
read more →