
All news with #remote access trojan tag

309 articles · page 6 of 16

ZeroDayRAT: Commercial Mobile Spyware Targets Android, iOS

🕵️‍♂️ ZeroDayRAT is a commercial mobile spyware platform advertised on Telegram that enables extensive data collection and real-time surveillance on Android and iOS devices. The developer offers a builder to generate malicious binaries and an online or self-hosted control panel that exposes device metadata, GPS location history, accounts and notification previews. Operators can capture keystrokes, SMS (including OTPs), live camera and microphone streams, and perform hands-on remote operations. Additional modules swap clipboard crypto addresses and target mobile payment apps to facilitate direct financial theft.

Hackers Abuse Monitoring and RMM Tools to Deploy Ransomware

🛡️ Huntress researchers report a threat actor abusing employee-monitoring software and an RMM platform to gain persistent access, tamper with defenses, and pursue ransomware and cryptocurrency theft. The attackers combined Net Monitor for Employees Professional and SimpleHelp, leveraging Net Monitor’s reverse connections and masquerading plus SimpleHelp’s lightweight agent and common-port operation. Incidents included an attempted Crazy ransomware deployment and targeted searches for crypto-related data; shared infrastructure and tradecraft suggest a single actor.

Phishing Campaign Uses Old Office Flaw to Deploy XWorm

🔒 Fortinet researchers disclosed a phishing campaign that chains a legacy Microsoft Office vulnerability (CVE-2018-0802) with fileless execution to deliver the commercially available XWorm RAT. The attack begins with business-themed lures and a malicious Excel add-in, then pivots into HTA and PowerShell stages to keep most activity off disk. A memory-resident .NET stage is hollowed into msbuild.exe, and XWorm communicates with AES-encrypted C2 while supporting modular plugins that enable credential theft, data exfiltration, and other operator actions.

Crazy ransomware gang exploits employee monitoring

🛡️ Researchers at Huntress found the Crazy ransomware gang abusing legitimate employee-monitoring software alongside the SimpleHelp remote support tool to maintain persistence, evade detection, and prepare ransomware deployment. Attackers installed Net Monitor for Employees Professional via msiexec.exe to view desktops, transfer files, and execute commands, then added SimpleHelp for redundant access. Huntress warns organizations to enforce MFA and monitor for unauthorized remote-management tools.

APTs APT36 and SideCopy Launch Cross-Platform RATs

🔐 Pakistan-aligned clusters APT36 and SideCopy are targeting Indian defense and government organizations to deploy cross-platform remote access trojans on Windows and Linux. Attack chains use phishing lures that deliver malicious LNK/HTA files, ELF binaries, and PowerPoint Add-In payloads to initiate multi-stage deployments. Observed malware — Geta RAT, Ares RAT, and DeskRAT — enables persistence, reconnaissance, data theft, and remote command execution while leveraging decoys and memory-resident techniques to evade detection.

Spoofed PDF Deliveries Enable New AsyncRAT Campaign

📄 Malwarebytes warned of a phishing campaign that disguises malware as ordinary PDF files to increase the likelihood that employees will open them. Attackers host a virtual hard disk on IPFS that mounts locally and contains a Windows Script File (WSF) masquerading as a PDF; opening it executes AsyncRAT and grants remote access. Organizations should configure Windows to show file extensions and treat gateway-hosted files with caution.

Deep Dive: XWorm Phishing Campaign Exploits Excel Files

🔍 FortiGuard Labs observed a phishing campaign delivering a new XWorm RAT variant via malicious Excel attachments that exploit CVE-2018-0802 to execute embedded shellcode. The chain uses an obfuscated HTA and PowerShell to load a fileless .NET module, which downloads a PE in memory and uses process hollowing into Msbuild.exe to run XWorm. The RAT establishes AES-encrypted C2, supports extensive commands and plugins, and enables data theft, remote control, DDoS, and ransomware operations. Fortinet protections including FortiMail, AV, IPS, and Web Filtering are effective against observed indicators.

Bloody Wolf Uses NetSupport RAT to Target Uzbekistan, Russia

🛡️ Kaspersky says the threat actor tracked as Stan Ghouls (also referred to as Bloody Wolf) has conducted spear‑phishing operations to deliver NetSupport RAT to systems in Uzbekistan and Russia. Malicious PDFs embed links that download a loader which displays fake errors, limits installation attempts, retrieves the RAT from multiple domains and ensures persistence through Startup items, a Registry autorun entry and a scheduled task. Kaspersky estimates roughly 50 victims in Uzbekistan and 10 in Russia, with additional infections in Kazakhstan, Turkey, Serbia and Belarus. The vendor also discovered Mirai botnet payloads staged on infrastructure associated with the actor, raising concerns about an expanded IoT targeting capability.

Phishing campaign hides AsyncRAT in fake disk-mounted PDFs

🛡️ A recent phishing campaign delivers malicious virtual hard disks that masquerade as PDF invoices and purchase orders, enabling attackers to install AsyncRAT. The files are hosted on IPFS and mount as local drives on Windows, which can bypass some built-in protections; inside each disk is a Windows Script File disguised as the expected PDF. Malwarebytes Labs, citing Securonix, identified the Dead#Vax campaign and recommends showing file extensions and exercising caution with disk images.

ClickFix 'CrashFix' Variant Deploys ModeloRAT via Python

🛡️ Microsoft Defender identified a ClickFix evolution dubbed CrashFix that intentionally crashes victims' browsers and lures users into executing malicious commands. The campaign uses a trojanized Chrome extension impersonating uBlock Origin Lite, delays malicious activity, and reports installation UUIDs to a typosquatted domain to evade attribution. Operators abuse native utilities by copying and renaming finger.exe to ct.exe to retrieve obfuscated PowerShell which drops a portable WinPython package and a Python RAT (ModeloRAT) that establishes persistence and C2 beacons.

DEAD#VAX Campaign Deploys Encrypted AsyncRAT In-Memory

🔒 A newly disclosed campaign dubbed DEAD#VAX leverages IPFS-hosted VHD lures and extreme script obfuscation to mount a virtual drive disguised as a PDF and load an encrypted AsyncRAT payload entirely in memory. Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee describe a multi-stage chain using WSF, obscured batch scripts, and self-parsing PowerShell to decrypt and inject x64 shellcode into trusted, Microsoft-signed processes. The attack avoids writing a recognizable executable to disk, establishes persistence via scheduled tasks, and throttles activity to reduce detection and forensic footprint.

Stealthy Windows RAT Enables Live Operator Conversations

🔒 Security researchers at Point Wild’s Lat61 team disclosed a Windows campaign that uses a multi-stage chain to establish persistent, memory-resident access and steal sensitive data. The attack starts with a small batch script that creates a per-user Registry Run key and launches a PowerShell loader which decodes Donut-generated shellcode and injects a heavily obfuscated .NET payload into memory. The modular Pulsar RAT supports live, interactive operator control alongside a parallel stealer, with stolen data exfiltrated as ZIP archives via Discord webhooks and Telegram bots.

Android RAT Abuses Hugging Face to Host Malware Campaign

🔒 A new Android remote access trojan (RAT) leverages the AI hosting platform Hugging Face to store and deliver malicious APK payloads, researchers at Bitdefender report. The campaign distributes a dropper app called TrustBastion that uses fake update dialogs to trick users into downloading an updater which redirects to repositories hosting polymorphic RAT APKs. Operators made frequent commits and shifted repositories to avoid takedowns, while the malware requests Accessibility and screen-recording permissions to capture credentials and relay data to command-and-control servers.

RedKitten: Iran-linked campaign targets activists and NGOs

🔍 HarfangLab detected a Farsi-speaking, Iran-aligned campaign codenamed RedKitten in January 2026 that targets NGOs and individuals documenting recent human rights abuses. The operation begins with a Farsi-named 7‑Zip archive containing macro-laced Excel files; embedded VBA macros, which analysts say show signs of LLM generation, drop a C# implant via AppDomainManager injection. The backdoor, SloppyMIO, uses GitHub and Google Drive for steganographic configuration retrieval and leverages Telegram for command-and-control, supporting multiple modules to run commands, collect and exfiltrate files, deploy payloads and establish persistence.

Hugging Face Hosting Abused to Distribute Android RAT

🛡️ Bitdefender Labs reports a large-scale Android malware campaign that leveraged Hugging Face's public hosting to deliver a remote access trojan (RAT). The operation begins with a scareware dropper disguised as a security app, TrustBastion, which tricks users via fake infection alerts into downloading a second-stage APK from a Hugging Face dataset. Attackers automated payload generation with thousands of unique APKs and frequent commits to evade signature-based detection. The installed RAT requests high-risk permissions — Accessibility Services, screen recording, casting, and overlay rights — enabling credential harvesting, screen capture, persistent control, and exfiltration; Bitdefender notified Hugging Face and the malicious datasets were removed, though variants resurfaced elsewhere.

Hugging Face abused to host thousands of Android malware

🚨 Researchers at Bitdefender found an Android campaign using the Hugging Face platform to host and serve thousands of malicious APK variants. A scareware dropper called TrustBastion lures victims with fake Google Play update prompts, redirects to a Hugging Face dataset, and downloads the payload via the platform's CDN. The RAT aggressively abuses Android Accessibility Services to present overlays, capture screens, impersonate login UIs for services such as Alipay and WeChat, block uninstall, and exfiltrate credentials; Hugging Face removed the malicious datasets after notification.

UAT-8099 Targets IIS in Asia with Region-Specific BadIIS

🔍 Cisco Talos has identified a UAT-8099 campaign active from August 2025 through early 2026 that targets vulnerable IIS servers across Asia, concentrating on victims in Thailand and Vietnam. The actor uses web shells, PowerShell, and the GotoHTTP remote-control tool to maintain access and deploy region-customized BadIIS variants that hardcode country codes and inject SEO-fraud content. New persistence mechanisms, hidden accounts, and log-wiping utilities support long-term stealth and evasion.

TA584 Adopts Tsundere Bot to Enable Ransomware Access

🔐 Proofpoint researchers report that prolific initial access broker TA584 has begun using Tsundere Bot alongside the XWorm RAT to gain footholds that could lead to ransomware. The group ramped up activity in late 2025, expanding beyond North America and the UK to target Germany, other European countries and Australia. Their emails leverage aged compromised accounts delivered via SendGrid and Amazon SES, unique geofenced URLs, redirect chains and obfuscated PowerShell that loads payloads in memory to evade static detection.

Fake Moltbot VS Code Extension Deploys Remote Access

⚠️ A malicious Visual Studio Code extension impersonating Moltbot, published as 'ClawdBot Agent - AI Coding Assistant' (clawdbot.clawdbot-agent), was distributed on the official Marketplace and has since been removed by Microsoft. The add-on auto-executes on IDE launch, fetches a remote config.json and installs a binary that deploys a ConnectWise ScreenConnect client connecting to attacker infrastructure. It includes DLL sideload and batch-script fallbacks and hard-coded payload URLs. Researchers warn that exposed Moltbot instances and insecure defaults increase the risk of credential theft and remote compromise.

EncystPHP Web Shell Exploits FreePBX Endpoint Manager

🛡️ FortiGuard Labs discovered EncystPHP, a sophisticated PHP web shell exploiting FreePBX via CVE-2025-64328. The campaign, linked to activity attributed to INJ3CTOR3, deploys droppers that create root accounts, inject SSH keys, alter cron jobs for persistence, and remove competing shells. Infected hosts enable remote command execution and abuse of PBX telephony resources. Fortinet offers detections and IPS coverage to mitigate the threat.