< ciso brief />

All news with #remote access trojan tag

309 articles · page 8 of 16

MuddyWater Deploys RustyWater RAT in Spear‑Phishing Campaign

🛡️ CloudSEK researchers report that the Iran-linked actor MuddyWater has distributed a new Rust-based remote access tool codenamed RustyWater via spear-phishing emails containing malicious Microsoft Word documents. The lure employs icon spoofing and a VBA macro that drops a Rust implant capable of asynchronous C2, anti-analysis, registry persistence, and modular expansion. Also tracked as Archer RAT or RUSTRIC, the implant contacts a hardcoded C2 (nomercys.it[.]com) to perform file operations and execute commands. Seqrite Labs linked RUSTRIC to recent activity against IT firms, MSPs and software companies in Israel.

NodeCordRAT Found in Bitcoin-Themed Malicious npm Packages

🔍 Zscaler ThreatLabz researchers uncovered three malicious npm packages that delivered a previously undocumented remote access trojan dubbed NodeCordRAT. Uploaded under the username "wenmoonx" and disguised as bitcoin libraries, the packages used a postinstall script to install the final payload. NodeCordRAT uses npm for distribution and Discord as its C2, supporting remote shell execution, screenshots, and file exfiltration including browser credentials and wallet seed phrases.

Holiday Season Malware Targets Hotels via Booking Lures

⚠️ Securonix researchers have identified a multi-stage malware campaign, tracked as PHALT#BLYX, that targets hospitality organizations during the holiday season. The attack begins with phishing emails impersonating Booking.com, using urgent, high‑value reservation charges to lure victims to a convincing clone site. Victims are coerced through fake CAPTCHA and simulated BSOD prompts to paste a PowerShell command that downloads a project file executed by MSBuild.exe, culminating in a heavily obfuscated DCRat remote access Trojan. Securonix advises staff training, strict handling of browser‑prompted commands and enhanced monitoring of trusted binaries and process behaviour.

Unpatched EX200 Flaw Lets Authenticated Users Trigger Telnet

⚠ An unpatched firmware error in the TOTOLINK EX200 wireless range extender can cause the device to start an unauthenticated root-level telnet service when specific malformed firmware files are processed. CERT/CC (CVE-2025-65606) says exploitation requires an attacker to be authenticated to the web management interface to reach the firmware-upload handler, which can then enter an abnormal error state. The vendor has not issued a patch and the product is no longer actively maintained; users are advised to restrict administrative access and consider upgrading to a supported model.

Phishing Campaign Uses Fake Booking Emails to Deploy DCRat

📧 Securonix researchers uncovered PHALT#BLYX, a phishing campaign that uses ClickFix-style lures and counterfeit Booking.com reservation messages to trick hospitality staff into executing commands that pull and run remote code. The landing pages present a fake CAPTCHA then a staged blue screen of death that instructs victims to paste a command into the Windows Run dialog, triggering a PowerShell dropper. That dropper downloads an MSBuild project (v.proj) and invokes MSBuild.exe to configure Defender exclusions, persist in Startup, and retrieve the DCRat remote-access trojan.

ClickFix Campaign Uses Fake BSOD to Trick Hospitality Staff

🛑 This campaign impersonates Booking.com to redirect hospitality staff to a cloned site that triggers a full-screen fake Windows BSOD. The page instructs victims to paste and run a command that launches PowerShell, compiles a malicious .NET project via MSBuild.exe, and executes a loader. The payload disables Defender exclusions, triggers UAC prompts for elevation, and deploys DCRAT (staxs.exe) which provides remote access and can drop additional tools such as cryptocurrency miners.

Russia-Aligned Hackers Abuse Viber to Deploy Malware

📲 Russian-aligned threat actor UAC-0184 used the Viber messaging app to deliver malicious ZIP archives to Ukrainian military and government recipients, according to 360 Threat Intelligence Center. The archives contained LNK decoys that silently executed Hijack Loader, which retrieves a second ZIP (smoothieks.zip) via PowerShell and reconstructs the loader in memory. The loader uses DLL side-loading, module stomping, CRC32 checks for installed security products, and scheduled tasks for persistence before injecting Remcos RAT into chime.exe to enable remote control and data theft.

Transparent Tribe Deploys New RAT Targeting Indian Sectors

🛡️ Transparent Tribe (APT36) has launched a spear-phishing campaign delivering a memory‑resident RAT that grants persistent remote control of compromised hosts. The attack chain leverages weaponized .LNK shortcuts that execute obfuscated HTA scripts via mshta.exe, decrypt payloads into memory, and present decoy PDFs to evade detection. The malware adapts persistence to detected antiviruses and drops a DLL, iinneldc.dll, which supports remote command execution, file exfiltration, screenshot capture, clipboard manipulation, and process control.

Silver Fox Uses Tax Phishing to Deliver ValleyRAT in India

📧 Silver Fox is targeting Indian users with income tax-themed phishing emails that deliver the modular remote-access trojan ValleyRAT. The campaign uses decoy PDFs that redirect victims to a domain hosting a ZIP archive containing an NSIS installer which sideloads a rogue libexpat.dll alongside a legitimate thunder.exe. The loader disables Windows Update, performs anti-analysis checks, and injects the RAT into explorer.exe to establish persistent, low-noise access.

Typosquatted MAS Domain Spreads Cosmali PowerShell Malware

⚠️ A typosquatted domain impersonating the MAS Windows activation tool — get.activate.win instead of the legitimate get.activated.win — was used to serve malicious PowerShell scripts that deploy the Cosmali Loader. Victims reported intrusive pop-up warnings claiming a Cosmali infection after mistyping the domain while running activation commands. Researcher RussianPanda linked the loader to cryptomining utilities and the XWorm RAT. MAS maintainers urged users to verify commands, avoid retyping URLs, and test remote code in sandboxes before execution.

Webrat Lures Researchers with Fake GitHub Exploit PoCs

🐀 Attackers are hosting counterfeit proof-of-concept exploit repositories on GitHub to deliver the Webrat backdoor to unsuspecting users. Kaspersky analysts observed polished, likely machine-generated README files that mask a password-protected ZIP; the archive password is hidden in filenames and often missed. Inside are decoy DLLs, batch loaders and executables (e.g., rasmanesc.exe) that disable Windows Defender, escalate privileges, and fetch the real payload from hardcoded C2 servers. The campaign, active since at least September 2025, appears tuned to catch novice researchers and students who analyze PoCs outside isolated environments.

WebRAT Distributed via Fake PoC Exploits on GitHub

🛡️ Kaspersky researchers found WebRAT backdoor being distributed through GitHub repositories that posed as proof‑of‑concept exploits for recently disclosed vulnerabilities. The malicious packages were delivered as password‑protected ZIPs containing a corrupted decoy DLL, a batch script, and a main dropper named rasmanesc.exe that elevates privileges, disables Defender, and downloads WebRAT. All identified repositories have been removed, but developers are urged to verify PoC sources and test untrusted code in isolated environments.

Nezha Monitoring Tool Repurposed as Post-Exploitation RAT

🔍 A legitimate open-source server monitoring platform, Nezha, is being abused by threat actors as a post-exploitation remote access tool. Ontinue's Cyber Defense Center found attackers silently installing the agent to gain SYSTEM/root privileges and execute remote commands, file transfers and interactive shells. Because the software is legitimate and shows zero detections on VirusTotal, signature-based defenses often fail to flag this misuse. The campaign highlights the challenge of distinguishing benign tools from adversary activity.

France Arrests Crew Member Over Malware on Italian Ferry

🚨 French authorities arrested a Latvian crew member after the discovery of a remote access tool aboard the Italian passenger ferry Fantastic, owned by Grandi Navi Veloci. A Bulgarian crew member was released without charge. The malware was detected and neutralized by GNV while the ship was docked in Sète, and France's DGSI seized items for forensic analysis. Investigators are treating the case as suspected foreign interference and continue to cooperate with Italian authorities.

Kimsuky Distributes DocSwap Android RAT via QR Phish

📱 ENKI links the North Korean actor Kimsuky to a campaign delivering a new Android remote-access trojan dubbed DocSwap via QR codes on phishing sites impersonating CJ Logistics. Victims are lured by smishing or phishing to scan a QR that prompts installation of a malicious "SecDelivery.apk," which decrypts and loads an embedded payload and requests broad permissions. The app mimics OTP authentication to reassure users while launching a background service that connects to attacker infrastructure and exposes capabilities including keystroke logging, audio and camera capture, and data exfiltration.

Chinese-nexus APT UAT-9686 Targets Cisco AsyncOS Appliances

🔒 Cisco Talos identified a targeted campaign, tracked as UAT-9686, that compromises appliances running Cisco AsyncOS, including Secure Email Gateway and Secure Email and Web Manager. The actor, assessed as a Chinese-nexus APT, deployed a Python backdoor called AquaShell that decodes specially crafted HTTP POSTs and executes system shell commands after being placed in a web server file. Operators also used a Go-based reverse SSH tool (AquaTunnel), Chisel for tunneling, and a log wiper named AquaPurge. Cisco has published advisories and recommends following remediation guidance and opening cases with TAC if IOCs are observed.

ForumTroll Phishing Targets Russian Scholars via eLibrary

📚 Kaspersky reported a targeted phishing campaign linked to Operation ForumTroll, observed in October 2025, that impersonated the Russian eLibrary service. Attackers used a long-registered bogus domain to send personalized emails with one-time links to ZIP archives named for each victim, which contained a .LNK that runs a PowerShell downloader. The chain fetches a staged payload that loads a final DLL, persists via COM hijacking, deploys the Tuoni C2 framework for remote access, and shows a decoy PDF to victims.

Cellik Android MaaS Builds Malicious Play Store Apps

⚠️ Cellik is a new Android malware-as-a-service advertised on underground forums that enables operators to create trojanized copies of legitimate Google Play apps. Attackers can select Play Store apps and build malicious APKs that retain the original UI, potentially helping infections remain unnoticed and, the seller claims, bypass Play Protect. The service, discovered by iVerify, is offered for $150 per month or $900 for lifetime access and includes capabilities such as screen streaming, notification interception, file exfiltration, a hidden browser mode, and an encrypted command-and-control channel.

Instructor Jailed for Teaching Criminals to Use Spymax

🛡️ A 49-year-old Malaysian national, Cheoh Hai Beng, has been sentenced in Singapore to five-and-a-half years' imprisonment and fined S$3,608 after admitting he produced detailed video tutorials showing criminals how to deploy the Spymax Android RAT. Between February and May 2023 he is reported to have recorded about 20 step‑by‑step videos demonstrating installation, remote control, credential theft, camera hijack, contact harvesting and GPS tracking. Authorities say these tutorials were circulated on criminal networks and used to facilitate financial fraud against victims who were tricked into installing the malware.

Fake GitHub Repos Deliver PyStoreRAT via HTA/JS Loaders

🛡️ Researchers warn that a wave of malicious GitHub repositories is distributing a newly observed JavaScript-based RAT called PyStoreRAT, delivered via minimal Python/JS loader stubs that fetch and execute remote HTA files through mshta.exe. The deceptive projects — marketed as OSINT utilities, DeFi bots, GPT wrappers, and developer tools — often exhibit non-functional or placeholder interfaces designed to build trust. Once executed, the multi-stage implant can run EXE, DLL, PowerShell, MSI, Python, and HTA modules and deploys a follow-on information stealer, Rhadamanthys. The initial stage also checks for security products such as CrowdStrike and Cybereason to reduce visibility and establishes persistence via a scheduled task masquerading as an NVIDIA update.