< ciso
brief />
Tag Banner

All news with #remote access trojan tag

337 articles · page 7 of 17

ClickFix Campaign Uses Compromised Sites to Deploy MIMICRAT

🔒 Elastic Security Labs disclosed a ClickFix campaign that leverages compromised legitimate websites to deliver a new remote access trojan named MIMICRAT. Attackers inject JavaScript to load an externally hosted PHP lure that shows a fake Cloudflare verification page and tricks victims into running a PowerShell command. A multi-stage PowerShell chain performs ETW and AMSI bypasses, then drops a Lua-based in-memory loader which decrypts shellcode to install the RAT. MIMICRAT communicates over HTTPS on port 443 using profiles that mimic web analytics and supports localized lures in 17 languages to widen impact.
read more →

Remcos RAT gains real-time surveillance and evasion

🔍 Researchers at Point Wild have identified a Remcos RAT variant that shifts toward real-time espionage and enhanced evasion. The strain streams webcam footage and sends captured keystrokes directly to attacker-controlled servers while delivering modular DLL plugins on demand. It decrypts its C2 configuration only in memory, resolves Windows APIs dynamically to hinder static analysis and performs cleanup routines to remove logs, cookies and persistence artifacts. Defenders should watch for suspicious outbound connections and unauthorized registry changes.
read more →

Nigerian Hacker Sentenced to Eight Years for Tax Fraud

🔒 A Nigerian national, Matthew Abiodun Akande, was sentenced to eight years in prison after hacking multiple Massachusetts tax preparation firms and filing over 1,000 fraudulent tax returns seeking more than $8.1 million in refunds. Authorities say he stole clients' Social Security numbers and prior-year tax data by deploying the Warzone RAT masked with a crypter, and used convincing CEO-impersonation phishing messages with a Dropbox link to silently install malware. Akande was arrested in October 2024 at London’s Heathrow Airport, extradited to the U.S. in March 2025, and ordered to pay nearly $1.4 million in restitution plus three years of supervised release.
read more →

PromptSpy: GenAI-driven Android malware abuses Gemini

🧠 ESET researchers have identified PromptSpy, the first known Android malware to integrate generative AI (Google's Gemini) into its execution flow. The malware sends serialized UI XML to Gemini and receives JSON-formatted tap, swipe, and long-press instructions to navigate device-specific interfaces. This enables robust persistence by programmatically locking the app in Recent Apps and deploying a VNC module for remote control and data exfiltration. Distribution appears limited and regionally focused, but the technique raises broader concerns about AI misuse.
read more →

Massiv Android Trojan Targets IPTV Users for DTO Attacks

🛡️ ThreatFabric has disclosed Massiv, a new Android trojan that impersonates IPTV apps to deliver device takeover (DTO) attacks aimed at financial theft. Distributed via SMS phishing droppers, Massiv abuses Android accessibility and MediaProjection APIs to stream screens, capture keystrokes and SMS, and deploy fake overlays that harvest banking credentials and KYC data. Operators have used stolen information to open accounts, launder money and remotely control infected devices while concealing malicious activity behind black-screen overlays.
read more →

Massiv Android banking malware disguises as IPTV app

🔒 A new Android banking trojan called Massiv is being distributed as a fake IPTV application to harvest credentials, perform keylogging, and seize remote control of infected devices. Researchers at ThreatFabric observed campaigns that targeted a Portuguese government app integrated with Chave Móvel Digital, enabling fraudsters to bypass KYC checks and open accounts in victims' names. Massiv supports live screen streaming via Android's MediaProjection API and a UI-tree mode using the Accessibility Service to extract interface elements, click controls, and bypass screen-capture protections.
read more →

CRESCENTHARVEST Campaign Targets Iran Protest Supporters

🛡️ Acronis Threat Research Unit disclosed CRESCENTHARVEST, a campaign observed after January 9 that targets Farsi-speaking supporters of Iran's protests with a remote access trojan and information stealer. Attackers lure victims with protest-themed archives and double-extension .LNK shortcuts that run PowerShell to fetch a secondary ZIP while opening benign media. The payload sideloads DLLs via a Google-signed software_reporter_tool.exe, extracts Chrome app-bound keys, harvests browser and Telegram data, logs keystrokes, and communicates with a WinHTTP C2 at servicelog-information[.]com.
read more →

OysterLoader: Updated C2 Infrastructure and Obfuscation

🛡️ OysterLoader has continued to evolve into early 2026, refining its command-and-control infrastructure and obfuscation methods. The C++ loader—also tracked as Broomstick and CleanUp—is typically delivered via fraudulent sites impersonating IT tools like PuTTY and WinSCP and often arrives as a signed MSI. Its multi-stage chain uses a TextShell packer, a bespoke LZMA decompression routine, dynamic API hashing and a revised three-step C2 protocol that encodes JSON with a non-standard Base64 alphabet and per-message random shifts to hinder analysis.
read more →

ZeroDayRAT: Commercial Mobile Spyware Targets Android, iOS

🕵️‍♂️ZeroDayRAT is a commercial mobile spyware platform advertised on Telegram that enables extensive data collection and real-time surveillance on Android and iOS devices. The developer offers a builder to generate malicious binaries and an online or self-hosted control panel that exposes device metadata, GPS location history, accounts and notification previews. Operators can capture keystrokes, SMS (including OTPs), live camera and microphone streams, and perform hands-on remote operations. Additional modules swap clipboard crypto addresses and target mobile payment apps to facilitate direct financial theft.
read more →

Hackers Abuse Monitoring and RMM Tools to Deploy Ransomware

🛡️ Huntress researchers report a threat actor abusing employee-monitoring software and an RMM platform to gain persistent access, tamper with defenses, and pursue ransomware and cryptocurrency theft. The attackers combined Net Monitor for Employees Professional and SimpleHelp, leveraging Net Monitor’s reverse connections and masquerading plus SimpleHelp’s lightweight agent and common-port operation. Incidents included an attempted Crazy ransomware deployment and targeted searches for crypto-related data; shared infrastructure and tradecraft suggest a single actor.
read more →

Phishing Campaign Uses Old Office Flaw to Deploy XWorm

🔒 Fortinet researchers disclosed a phishing campaign that chains a legacy Microsoft Office vulnerability (CVE-2018-0802) with fileless execution to deliver the commercially available XWorm RAT. The attack begins with business-themed lures and a malicious Excel add-in, then pivots into HTA and PowerShell stages to keep most activity off disk. A memory-resident .NET stage is hollowed into msbuild.exe, and XWorm communicates with AES-encrypted C2 while supporting modular plugins that enable credential theft, data exfiltration, and other operator actions.
read more →

Crazy ransomware gang exploits employee monitoring

🛡️ Researchers at Huntress found the Crazy ransomware gang abusing legitimate employee-monitoring software alongside the SimpleHelp remote support tool to maintain persistence, evade detection, and prepare ransomware deployment. Attackers installed Net Monitor for Employees Professional via msiexec.exe to view desktops, transfer files, and execute commands, then added SimpleHelp for redundant access. Huntress warns organizations to enforce MFA and monitor for unauthorized remote-management tools.
read more →

APTs APT36 and SideCopy Launch Cross-Platform RATs

🔐 Pakistan-aligned clusters APT36 and SideCopy are targeting Indian defense and government organizations to deploy cross-platform remote access trojans on Windows and Linux. Attack chains use phishing lures that deliver malicious LNK/HTA files, ELF binaries, and PowerPoint Add-In payloads to initiate multi-stage deployments. Observed malware — Geta RAT, Ares RAT, and DeskRAT — enables persistence, reconnaissance, data theft, and remote command execution while leveraging decoys and memory-resident techniques to evade detection.
read more →

Spoofed PDF Deliveries Enable New AsyncRAT Campaign

📄 Malwarebytes warned of a phishing campaign that disguises malware as ordinary PDF files to increase the likelihood that employees will open them. Attackers host a virtual hard disk on IPFS that mounts locally and contains a Windows Script File (WSF) masquerading as a PDF; opening it executes AsyncRAT and grants remote access. Organizations should configure Windows to show file extensions and treat gateway-hosted files with caution.
read more →

Deep Dive: XWorm Phishing Campaign Exploits Excel Files

🔍 FortiGuard Labs observed a phishing campaign delivering a new XWorm RAT variant via malicious Excel attachments that exploit CVE-2018-0802 to execute embedded shellcode. The chain uses an obfuscated HTA and PowerShell to load a fileless .NET module, which downloads a PE in memory and uses process hollowing into Msbuild.exe to run XWorm. The RAT establishes AES-encrypted C2, supports extensive commands and plugins, and enables data theft, remote control, DDoS, and ransomware operations. Fortinet protections including FortiMail, AV, IPS, and Web Filtering are effective against observed indicators.
read more →

Bloody Wolf Uses NetSupport RAT to Target Uzbekistan, Russia

🛡️ Kaspersky says the threat actor tracked as Stan Ghouls (also referred to as Bloody Wolf) has conducted spear‑phishing operations to deliver NetSupport RAT to systems in Uzbekistan and Russia. Malicious PDFs embed links that download a loader which displays fake errors, limits installation attempts, retrieves the RAT from multiple domains and ensures persistence through Startup items, a Registry autorun entry and a scheduled task. Kaspersky estimates roughly 50 victims in Uzbekistan and 10 in Russia, with additional infections in Kazakhstan, Turkey, Serbia and Belarus. The vendor also discovered Mirai botnet payloads staged on infrastructure associated with the actor, raising concerns about an expanded IoT targeting capability.
read more →

Phishing campaign hides AsyncRAT in fake disk-mounted PDFs

🛡️ A recent phishing campaign delivers malicious virtual hard disks that masquerade as PDF invoices and purchase orders, enabling attackers to install AsyncRAT. The files are hosted on IPFS and mount as local drives on Windows, which can bypass some built-in protections; inside each disk is a Windows Script File disguised as the expected PDF. Malwarebytes Labs, citing Securonix, identified the Dead#Vax campaign and recommends showing file extensions and exercising caution with disk images.
read more →

ClickFix 'CrashFix' Variant Deploys ModeloRAT via Python

🛡️Microsoft Defender identified a ClickFix evolution dubbed CrashFix that intentionally crashes victims' browsers and lures users into executing malicious commands. The campaign uses a trojanized Chrome extension impersonating uBlock Origin Lite, delays malicious activity, and reports installation UUIDs to a typosquatted domain to evade attribution. Operators abuse native utilities by copying and renaming finger.exe to ct.exe to retrieve obfuscated PowerShell which drops a portable WinPython package and a Python RAT (ModeloRAT) that establishes persistence and C2 beacons.
read more →

DEAD#VAX Campaign Deploys Encrypted AsyncRAT In-Memory

🔒 A newly disclosed campaign dubbed DEAD#VAX leverages IPFS-hosted VHD lures and extreme script obfuscation to mount a virtual drive disguised as a PDF and load an encrypted AsyncRAT payload entirely in memory. Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee describe a multi-stage chain using WSF, obscured batch scripts, and self-parsing PowerShell to decrypt and inject x64 shellcode into trusted, Microsoft-signed processes. The attack avoids writing a recognizable executable to disk, establishes persistence via scheduled tasks, and throttles activity to reduce detection and forensic footprint.
read more →

Stealthy Windows RAT Enables Live Operator Conversations

🔒 Security researchers at Point Wild’s Lat61 team disclosed a Windows campaign that uses a multi-stage chain to establish persistent, memory-resident access and steal sensitive data. The attack starts with a small batch script that creates a per-user Registry Run key and launches a PowerShell loader which decodes Donut-generated shellcode and injects a heavily obfuscated .NET payload into memory. The modular Pulsar RAT supports live, interactive operator control alongside a parallel stealer, with stolen data exfiltrated as ZIP archives via Discord webhooks and Telegram bots.
read more →