All news with #remote access trojan tag

Trojanized Gaming Tools Spread Java RAT, Evade Detection

🎮 Microsoft Threat Intelligence warns that threat actors are distributing trojanized gaming utilities via browsers and chat platforms to deliver a Java-based remote access trojan (RAT). A malicious downloader stages a portable Java runtime and executes a jd-gui.jar, leveraging PowerShell and LOLBins like cmstp.exe for stealth and self-deletion while configuring Microsoft Defender exclusions. Persistence is achieved with a scheduled task and a startup script named world.vbs, and the final payload phones home to 79.110.49[.]15 for command-and-control.

UAT-10027 Campaign Delivers Dohdoor Backdoor via DoH

🔒 Cisco Talos attributes a previously undocumented activity cluster, tracked as UAT-10027, to an ongoing campaign targeting U.S. education and healthcare since December 2025. The actor deploys a novel backdoor called Dohdoor that uses DNS-over-HTTPS (DoH) for stealthy C2 and reflectively loads additional payloads into memory. Initial access is suspected to begin with social-engineering and a PowerShell script that retrieves a staged batch and malicious DLLs (observed as propsys.dll and batmeter.dll), which are launched via DLL side‑loading of legitimate executables. Talos observed the adversary fronting C2 behind Cloudflare to make traffic appear as legitimate HTTPS and unhooking user-mode API hooks in NTDLL.dll to evade EDR; follow-on payloads have been assessed as Cobalt Strike beacons.

Google Disrupts Prolific China-Linked UNC2814 Campaign

🔒 Google Threat Intelligence Group (GTIG) and partners disrupted UNC2814, a prolific cyber-espionage campaign with suspected links to China that operated since 2017 and targeted governments and telecommunications across multiple continents. Researchers identified a novel backdoor, GridTide, which abused Google Sheets as a covert command-and-control channel to execute shell commands and transfer files. Google terminated attacker-controlled Cloud Projects, disabled accounts, revoked Sheets API access used for C2, and has notified victims while offering remediation support.

CISA Updates RESURGE Malware Analysis, Highlights Stealth

🔒 CISA released an updated Malware Analysis Report detailing new findings on RESURGE, a sophisticated implant that exploits vulnerabilities to establish covert SSH-based command-and-control access. The update shows advanced network-level evasion, forged TLS certificates, and authentication techniques that allow RESURGE to remain dormant on Ivanti Connect Secure devices until an operator connects, evading routine scans. CISA publishes IOCs and detection signatures, and points defenders to the mitigation guidance for CVE-2025-0282.

China-linked Hackers Used Google Sheets for Espionage

🛡️ Google disrupted a China-linked espionage group that repurposed Google Sheets as a covert command-and-control channel to manage a custom backdoor tracked as UNC2814 and named GRIDTIDE. The backdoor abused legitimate Sheets API calls to send commands, retrieve stolen data, poll spreadsheets frequently, and wipe rows to erase traces. Mandiant flagged unusual activity on a CentOS server, leading to discovery of intrusions at 53 organizations across 42 countries focused on telecoms and government systems. Google terminated attacker Cloud projects, revoked API access, sinkholed domains, and published IOCs.

Talos: Dohdoor DoH Backdoor Targets US Education, Healthcare

🛡️ Cisco Talos reports an active campaign, observed since December 2025, in which actor UAT-10027 deployed a previously undocumented backdoor called Dohdoor that uses DNS-over-HTTPS (DoH) for covert C2. The multi-stage chain leverages phishing-delivered PowerShell to fetch a batch dropper that sideloads a disguised DLL into legitimate Windows binaries and tunnels C2 through Cloudflare’s edge. Dohdoor decrypts and reflectively executes payloads in memory, unhooks ntdll to evade EDR, and was observed targeting U.S. education and healthcare organizations.

Steaelite RAT Unifies Data Theft and Ransomware Tools

⚠️ Steaelite is a browser-based remote access trojan marketed on underground forums that consolidates remote access, credential harvesting, data exfiltration, and a planned ransomware module into a single management pane. Researchers at BlackFog say the toolkit includes live screen streaming, webcam and microphone access, password recovery, Defender-disable capabilities, and persistence options, and it’s been available since last November. The seller offers access as malware-as-a-service (about $200/month), and defenders are urged to prioritize stopping data exfiltration over relying solely on perimeter defenses.

Variations of ClickFix technique and evolving delivery

🔒 The Kaspersky Team outlines evolving variations of the ClickFix social‑engineering technique, where attackers trick users into executing malicious commands on their own machines. Recent campaigns abuse legitimate utilities such as mshta.exe, nslookup and the legacy Finger protocol, and have used platforms like TikTok, Pastebin and fake extension pages to prompt victims to run code. Observed payloads include infostealers and remote access trojans such as ModeloRAT. Organizations are advised to prioritize user awareness and robust endpoint and XDR controls to mitigate these risks.

UAC-0050 Targets European Financial Institution with RMS

🔒 A Russia-aligned cybercrime cluster tracked as UAC-0050 (also known as DaVinci Group and labeled Mercenary Akula by BlueVoyant) carried out a spear-phishing operation this month against a European financial institution involved in regional development and reconstruction. The campaign spoofed a Ukrainian judicial domain and lured a senior legal and policy advisor to download an archive hosted on PixelDrain, which unpacked into a password-protected chain culminating in an executable disguised as a PDF. Execution led to installation of an MSI that deployed RMS remote desktop software, providing persistent remote control and file-transfer capabilities, consistent with the group’s prior use of remote-access tools to evade detection and maintain stealthy access.

UnsolicitedBooker Targets Central Asian Telecoms via Malware

🔒 Positive Technologies reports that the UnsolicitedBooker cluster has shifted from Saudi targets to telecommunications firms in Kyrgyzstan and Tajikistan, deploying two backdoors named LuciDoor and MarsSnake. The intrusions relied on phishing with malicious Microsoft Office documents that prompt users to enable macros, dropping C++ loaders (LuciLoad and MarsSnakeLoader) to deploy the payloads. In some cases attackers used LNK-based chains, hacked routers for C2, and infrastructure mimicking Russian systems while leveraging rare tools of Chinese origin.

TrustConnect: Fake RMM Service Used by Cybercriminals

⚠️ Proofpoint uncovered TrustConnect, a malware-as-a-service that masquerades as a legitimate remote monitoring and management (RMM) product and is advertised at about $300 per month. The operation uses a polished public website and a backend portal that functions as a web-based command-and-control dashboard for paying customers. Attackers primarily rely on social engineering — phishing lures and signed installers impersonating Zoom, Teams, Adobe Reader and others — to trick victims into running the RAT, which auto-registers infected hosts in the portal. Researchers disrupted parts of the infrastructure but observed resilient activity and a related variant called DocConnect.

Massive Winos (ValleyRat) Phishing Campaigns Target Taiwan

⚠️ FortiGuard Labs observed targeted phishing campaigns in Taiwan delivering Winos 4.0 (ValleyRat) and modular plugins via weaponized attachments and cloud-hosted links. Lures impersonate tax audits, e-invoice portals, and installer packages to trick recipients. Attackers employ rotating domains, malicious LNK files, DLL sideloading, and BYOVD using the vulnerable driver wsftprm.sys to gain kernel privileges and evade defenses. Fortinet detections include W64/Agent.ATW!tr and multiple email and gateway protections.

ClickFix Campaign Uses Compromised Sites to Deploy MIMICRAT

🔒 Elastic Security Labs disclosed a ClickFix campaign that leverages compromised legitimate websites to deliver a new remote access trojan named MIMICRAT. Attackers inject JavaScript to load an externally hosted PHP lure that shows a fake Cloudflare verification page and tricks victims into running a PowerShell command. A multi-stage PowerShell chain performs ETW and AMSI bypasses, then drops a Lua-based in-memory loader which decrypts shellcode to install the RAT. MIMICRAT communicates over HTTPS on port 443 using profiles that mimic web analytics and supports localized lures in 17 languages to widen impact.

Remcos RAT gains real-time surveillance and evasion

🔍 Researchers at Point Wild have identified a Remcos RAT variant that shifts toward real-time espionage and enhanced evasion. The strain streams webcam footage and sends captured keystrokes directly to attacker-controlled servers while delivering modular DLL plugins on demand. It decrypts its C2 configuration only in memory, resolves Windows APIs dynamically to hinder static analysis and performs cleanup routines to remove logs, cookies and persistence artifacts. Defenders should watch for suspicious outbound connections and unauthorized registry changes.

Nigerian Hacker Sentenced to Eight Years for Tax Fraud

🔒 A Nigerian national, Matthew Abiodun Akande, was sentenced to eight years in prison after hacking multiple Massachusetts tax preparation firms and filing over 1,000 fraudulent tax returns seeking more than $8.1 million in refunds. Authorities say he stole clients' Social Security numbers and prior-year tax data by deploying the Warzone RAT masked with a crypter, and used convincing CEO-impersonation phishing messages with a Dropbox link to silently install malware. Akande was arrested in October 2024 at London’s Heathrow Airport, extradited to the U.S. in March 2025, and ordered to pay nearly $1.4 million in restitution plus three years of supervised release.

PromptSpy: GenAI-driven Android malware abuses Gemini

🧠 ESET researchers have identified PromptSpy, the first known Android malware to integrate generative AI (Google's Gemini) into its execution flow. The malware sends serialized UI XML to Gemini and receives JSON-formatted tap, swipe, and long-press instructions to navigate device-specific interfaces. This enables robust persistence by programmatically locking the app in Recent Apps and deploying a VNC module for remote control and data exfiltration. Distribution appears limited and regionally focused, but the technique raises broader concerns about AI misuse.

Massiv Android Trojan Targets IPTV Users for DTO Attacks

🛡️ ThreatFabric has disclosed Massiv, a new Android trojan that impersonates IPTV apps to deliver device takeover (DTO) attacks aimed at financial theft. Distributed via SMS phishing droppers, Massiv abuses Android accessibility and MediaProjection APIs to stream screens, capture keystrokes and SMS, and deploy fake overlays that harvest banking credentials and KYC data. Operators have used stolen information to open accounts, launder money and remotely control infected devices while concealing malicious activity behind black-screen overlays.

Massiv Android banking malware disguises as IPTV app

🔒 A new Android banking trojan called Massiv is being distributed as a fake IPTV application to harvest credentials, perform keylogging, and seize remote control of infected devices. Researchers at ThreatFabric observed campaigns that targeted a Portuguese government app integrated with Chave Móvel Digital, enabling fraudsters to bypass KYC checks and open accounts in victims' names. Massiv supports live screen streaming via Android's MediaProjection API and a UI-tree mode using the Accessibility Service to extract interface elements, click controls, and bypass screen-capture protections.

CRESCENTHARVEST Campaign Targets Iran Protest Supporters

🛡️ Acronis Threat Research Unit disclosed CRESCENTHARVEST, a campaign observed after January 9 that targets Farsi-speaking supporters of Iran's protests with a remote access trojan and information stealer. Attackers lure victims with protest-themed archives and double-extension .LNK shortcuts that run PowerShell to fetch a secondary ZIP while opening benign media. The payload sideloads DLLs via a Google-signed software_reporter_tool.exe, extracts Chrome app-bound keys, harvests browser and Telegram data, logs keystrokes, and communicates with a WinHTTP C2 at servicelog-information[.]com.

OysterLoader: Updated C2 Infrastructure and Obfuscation

🛡️ OysterLoader has continued to evolve into early 2026, refining its command-and-control infrastructure and obfuscation methods. The C++ loader—also tracked as Broomstick and CleanUp—is typically delivered via fraudulent sites impersonating IT tools like PuTTY and WinSCP and often arrives as a signed MSI. Its multi-stage chain uses a TextShell packer, a bespoke LZMA decompression routine, dynamic API hashing and a revised three-step C2 protocol that encodes JSON with a non-standard Base64 alphabet and per-message random shifts to hinder analysis.