
All news with #remote access trojan tag


AI-Generated Code and Emojis Found in PureRAT Malware

🤖 Researchers report that the PureRAT remote access trojan is being produced with the assistance of AI, with leftover AI-authored comments and even emojis appearing in the malware’s code. Analysis by Symantec and the Carbon Black Threat Hunter Team ties these artifacts to scripts distributed via phishing emails posing as job opportunities. The presence of explicit AI instructions, debug messages and Vietnamese-language strings — including references to Hanoi — suggests a likely Vietnam-based operator. Despite the sloppy leftovers, PureRAT remains a capable infostealer enabling persistent remote access and data exfiltration.

Malicious PyPI Spellchecker Packages Deliver Python RAT

⚠ Aikido researchers discovered two malicious PyPI packages, spellcheckerpy and spellcheckpy, that posed as spellcheckers but contained a Base64-encoded downloader and a Python remote access trojan (RAT). The payload was hidden inside the Basque dictionary archive resources/eu.json.gz and decoded when the package’s test_file() extraction was invoked. Early releases only decoded the payload; spellcheckpy v1.2.0 (published Jan 21, 2026) introduced an obfuscated trigger that executes the payload, and the packages were downloaded just over 1,000 times before removal.

Mustang Panda Updates CoolClient Backdoor with Infostealers

🔐 Kaspersky researchers say Chinese espionage group Mustang Panda has updated its CoolClient backdoor to steal browser login data, monitor the clipboard, and sniff HTTP proxy credentials. The upgraded variant has been observed targeting government entities in Myanmar, Mongolia, Malaysia, Russia, and Pakistan and was distributed via legitimate Sangfor software. New plugins add a remote shell, enhanced file and service management, and in-memory plugin execution; researchers also noted a previously unseen rootkit used in some intrusions.

PeckBirdy: JScript C2 Framework Used by China-Linked APTs

🛡️ Trend Micro researchers uncovered PeckBirdy, a JScript-based command-and-control framework used by China-aligned APTs since 2023 to target gambling sites, government portals, and private organizations across Asia. The flexible framework executes via living-off-the-land binaries (LOLBins) and supports browsers, MSHTA, WScript, Classic ASP, Node.js, and .NET execution paths. Operators relied on watering‑hole injections and fake Google Chrome update pages to deliver staged scripts and deploy modular backdoors such as HOLODONUT and MKDOOR. Detection is complicated by dynamically generated, runtime-injected JavaScript and scarce persistent artifacts.

Konni Targets Blockchain Engineers with AI-Powered Malware

🔒 The North Korean-linked Konni group is deploying AI-generated PowerShell malware to specifically target developers and engineers in the blockchain sector. The campaign uses Discord-hosted ZIP lures that contain a PDF, a malicious LNK shortcut, and an embedded DOCX/CAB payload which drops a backdoor, batch files, and a UAC bypass executable. The backdoor is heavily obfuscated, runs an XOR-encrypted script in-memory via an hourly scheduled task masquerading as OneDrive, and bears markers of LLM-assisted development such as structured documentation and placeholder comments like "# <- your permanent project UUID".

Multi-Stage Windows Malware Campaign Abusing Defendnot

🛡️ FortiGuard Labs details a multi-stage Windows malware campaign that begins with socially engineered archives and a deceptive LNK shortcut to launch a PowerShell loader. The chain uses an obfuscated VBScript to reconstruct final-stage logic in memory, then operationalizes Defendnot to disable Microsoft Defender from a signed process while applying persistent policy-based suppression. Attackers stage components across GitHub and Dropbox, deploy long-term surveillance and persistence, and deliver Amnesia RAT, Hakuna Matata–derived ransomware, and a WinLocker, resulting in widespread file encryption and credential theft.

LinkedIn Messages Used to Distribute RAT via DLL Sideload

📩 ReliaQuest researchers uncovered a LinkedIn-based phishing campaign that delivers weaponized WinRAR self-extracting archives to targets. The archive extracts four components: a legitimate open-source PDF reader, a malicious DLL used for DLL sideloading, a portable Python interpreter PE, and a decoy RAR. When the PDF reader is run the rogue DLL is sideloaded, drops the Python interpreter, creates a Windows Run registry key, and executes Base64-encoded open-source shellcode in memory to deploy a remote access trojan. The campaign leverages social media DMs and legitimate tools to evade detection and maintain persistent access.

LinkedIn phishing uses legitimate tools to deploy RAT

🔒 Researchers at ReliaQuest uncovered a LinkedIn-based phishing campaign that delivers a Remote Access Trojan by abusing legitimate software. Attackers send role-tailored messages containing a WinRAR self-extracting archive that unpacks a legitimate open-source PDF reader alongside a malicious DLL that uses DLL sideloading. The campaign leverages a real penetration-testing tool to establish persistence, enabling data exfiltration and lateral movement.

CrashFix Fake Extension Delivers ModelRAT via Browser Crash

🚨 Security researchers have uncovered the CrashFix campaign, which uses a deceptive Chrome extension to intentionally crash browsers and trick victims into executing attacker-supplied commands. The malicious add-on, identified as NexShield-Advanced Web Protection and branded to resemble uBlock Origin Lite, remains dormant for about an hour before exhausting resources and forcing repeated crashes. On restart, users see a fake repair prompt instructing them to paste a command into the Windows Run dialog; executing it launches a multistage infection that ultimately deploys a previously undocumented Python-based remote access trojan named ModelRAT. Huntress ties the activity to a threat cluster it calls KongTuke and warns administrators to remove look-alike extensions, avoid running unsolicited fix commands, and use published IOCs to detect related activity.

Fake NexShield Extension Crashes Browsers for ClickFix

🛑 A malvertising campaign deployed a fake ad-blocker extension named NexShield that intentionally crashes Chrome and Edge to stage ClickFix attacks. Researchers at Huntress found the extension creates infinite chrome.runtime port loops that exhaust memory, freezing or crashing browsers. After restart, a deceptive pop-up instructs users to run a clipboard-pasted command that launches an obfuscated PowerShell chain. On domain-joined systems this delivers the Python-based ModeloRAT; home users receive a test payload.

CrashFix Chrome Extension Delivers ModeloRAT Payload

⚠️ Researchers disclosed an active campaign, tracked as KongTuke and codenamed CrashFix, that used a malicious Chrome extension posing as an ad blocker to deliberately crash browsers and coerce victims into running commands. The fake add-on, “NexShield – Advanced Web Guardian,” impersonated uBlock Origin Lite, garnered 5,000+ installs, and implements delayed execution, DoS crash loops, and anti-analysis controls. The lure prompts users to paste a pre-copied command into the Windows Run dialog that abuses finger.exe to fetch a PowerShell chain, ultimately delivering the previously undocumented ModeloRAT. Huntress warns the technique weaponizes user frustration to create a persistent, self-sustaining infection loop that can hand victims off to other threat actors.

Phishing Campaign Uses Fake PayPal Alerts, Abuses RMM

📧 CyberProof documented a wave of phishing-led intrusions where attackers used fake PayPal alerts to trick victims into installing legitimate remote access software. The campaign targeted both personal and corporate accounts and represents a shift from seasonal lures to high-urgency financial themes. Attackers initially deployed LogMeIn Rescue then pivoted to AnyDesk to maintain access while avoiding EDR detection. Recommended mitigations include tighter phishing controls, restricting RMM ports and adopting a zero-trust posture.

DeadLock Ransomware Abuses Polygon Smart Contracts

🔒 Group-IB researchers report that the DeadLock ransomware is using Polygon smart contracts to store and rotate proxy server addresses, enabling more resilient command-and-control. Rather than rely on hard-coded servers, the malware performs read-only calls to blockchain contracts to fetch proxy URLs and uses fallback RPC endpoints to avoid transactions and fees. An HTML component communicates via the Session encrypted messaging platform, while operators also employ AnyDesk and PowerShell to escalate impact; victims' files are suffixed .dlock and ransom notes threaten data sale.

New Remcos Phishing Campaign Uses CVE-2017-11882 RTF

🛡️ FortiGuard Labs uncovered a phishing campaign that delivers a fileless Remcos RAT via a malicious Word document which loads a remote RTF exploiting CVE-2017-11882. The exploit executes shellcode to fetch a VBScript that launches a Base64 PowerShell loader. That PowerShell downloads an image with an embedded .NET module, which the loader runs in memory to install persistence and inject the Remcos payload into a legitimate process using process hollowing.

PLUGGYAPE Backdoor Uses Signal and WhatsApp for Access

🛡️ CERT-UA reports a campaign attributed with medium confidence to the group tracked as Void Blizzard that targeted Ukrainian defense forces between October and December 2025 with a Python backdoor dubbed PLUGGYAPE. Attackers used Signal and WhatsApp messages, impersonating charities and distributing password‑protected archives containing a PyInstaller executable. The backdoor supports remote code execution over WebSocket and, as of December 2025, MQTT, and retrieves base64‑encoded C2 addresses from paste services to maintain operational resilience. Successive builds have added obfuscation and anti‑analysis checks to avoid execution in virtual environments.

Charity-Themed Campaign Delivers PluggyApe to Ukraine

🔒 Between October and December 2025, Ukraine's Defense Forces were targeted in a charity-themed messaging campaign that delivered the backdoor PluggyApe. Attackers used Signal and WhatsApp to lure recipients to fake charity sites or to send password-protected archives containing executable .docx.pif files created with PyInstaller, and sometimes delivered payloads directly via messaging apps. PluggyApe profiles hosts, sends victim identifiers and system data to operators, achieves persistence through Windows Registry modifications, and fetches base64-encoded C2 addresses from public paste services. CERT-UA assigns medium confidence attribution to the Russian-aligned group known as Laundry Bear (aka Void Blizzard) and warns that mobile devices and compromised local accounts make such lures especially convincing.

SHADOW#REACTOR campaign uses text staging to deploy Remcos

🔎 A multi-stage Windows malware campaign, tracked as SHADOW#REACTOR, uses obfuscated VBS and heavily encoded PowerShell to stage payloads entirely in memory and avoid disk-based indicators. Attackers fetch repeated text-based fragments over HTTP, reconstruct them into a reflectively loaded .NET assembly protected with .NET Reactor, and abuse signed Microsoft binaries such as MSBuild.exe to execute the final Remcos RAT. The chain emphasizes living-off-the-land techniques, persistence and anti-analysis measures to complicate detection.

SHADOW#REACTOR Delivers Remcos RAT via Evasive Chain

🔍 Researchers described a newly observed SHADOW#REACTOR campaign that uses an evasive, multi-stage chain to deliver the commercial Remcos RAT and maintain covert persistence. An obfuscated win64.vbs launcher invokes a Base64 PowerShell stager that retrieves fragmented, text-only payloads and reconstructs loaders in memory using a .NET Reactor–protected reflective assembly. The final stage abuses MSBuild.exe to execute the Remcos backdoor, and wrapper scripts ensure re-execution, all designed to frustrate detection and analysis.

Dutch Hacker Sentenced to Seven Years for Port Hacks

🔒 The Amsterdam Court of Appeal sentenced a 44‑year‑old Dutch national to seven years in prison for breaching IT systems at the ports of Rotterdam, Barendrecht and Antwerp to facilitate drug trafficking. The court found he gained access after employees introduced USB sticks containing malware, enabling installation of a remote access tool, data exfiltration and interception. An appeal arguing unlawful interception of Sky ECC communications was rejected, as the defence failed to substantiate procedural violations. He was acquitted on one large cocaine import charge, but his convictions for hacking, facilitating the importation of 210 kg of cocaine, and attempted extortion were upheld.

Iran-linked MuddyWater Deploys Rust-Based Implant Now

🔒 CloudSEK reports that Iran-linked APT MuddyWater has deployed a Rust-based implant dubbed RustyWater in a spear-phishing campaign targeting diplomatic, maritime, financial, and telecom entities across Israel and the Middle East. The campaign relies on icon-spoofed executables delivered in ZIP archives that display decoy PDFs while executing loaders which establish persistence and fetch the Rust payload. RustyWater implements anti-analysis checks, string obfuscation, randomized callbacks and standard RAT functions including file enumeration, command execution and data exfiltration, while using C2 domains that mimic legitimate services.