< ciso
brief />
Tag Banner

All news with #remote access trojan tag

337 articles · page 8 of 17

Android RAT Abuses Hugging Face to Host Malware Campaign

🔒 A new Android remote access trojan (RAT) leverages the AI hosting platform Hugging Face to store and deliver malicious APK payloads, researchers at Bitdefender report. The campaign distributes a dropper app called TrustBastion that uses fake update dialogs to trick users into downloading an updater which redirects to repositories hosting polymorphic RAT APKs. Operators made frequent commits and shifted repositories to avoid takedowns, while the malware requests Accessibility and screen-recording permissions to capture credentials and relay data to command-and-control servers.
read more →

RedKitten: Iran-linked campaign targets activists and NGOs

🔍 HarfangLab detected a Farsi-speaking, Iran-aligned campaign codenamed RedKitten in January 2026 that targets NGOs and individuals documenting recent human rights abuses. The operation begins with a Farsi-named 7‑Zip archive containing macro-laced Excel files; embedded VBA macros, which analysts say show signs of LLM generation, drop a C# implant via AppDomainManager injection. The backdoor, SloppyMIO, uses GitHub and Google Drive for steganographic configuration retrieval and leverages Telegram for command-and-control, supporting multiple modules to run commands, collect and exfiltrate files, deploy payloads and establish persistence.
read more →

Hugging Face Hosting Abused to Distribute Android RAT

🛡️ Bitdefender Labs reports a large-scale Android malware campaign that leveraged Hugging Face's public hosting to deliver a remote access trojan (RAT). The operation begins with a scareware dropper disguised as a security app, TrustBastion, which tricks users via fake infection alerts into downloading a second-stage APK from a Hugging Face dataset. Attackers automated payload generation with thousands of unique APKs and frequent commits to evade signature-based detection. The installed RAT requests high-risk permissions — Accessibility Services, screen recording, casting, and overlay rights — enabling credential harvesting, screen capture, persistent control, and exfiltration; Bitdefender notified Hugging Face and the malicious datasets were removed, though variants resurfaced elsewhere.
read more →

Hugging Face abused to host thousands of Android malware

🚨Researchers at Bitdefender found an Android campaign using the Hugging Face platform to host and serve thousands of malicious APK variants. A scareware dropper called TrustBastion lures victims with fake Google Play update prompts, redirects to a Hugging Face dataset, and downloads the payload via the platform's CDN. The RAT aggressively abuses Android Accessibility Services to present overlays, capture screens, impersonate login UIs for services such as Alipay and WeChat, block uninstall, and exfiltrate credentials; Hugging Face removed the malicious datasets after notification.
read more →

UAT-8099 Targets IIS in Asia with Region-Specific BadIIS

🔍 Cisco Talos has identified a UAT-8099 campaign active from August 2025 through early 2026 that targets vulnerable IIS servers across Asia, concentrating on victims in Thailand and Vietnam. The actor uses web shells, PowerShell, and the GotoHTTP remote-control tool to maintain access and deploy region-customized BadIIS variants that hardcode country codes and inject SEO-fraud content. New persistence mechanisms, hidden accounts, and log-wiping utilities support long-term stealth and evasion.
read more →

TA584 Adopts Tsundere Bot to Enable Ransomware Access

🔐 Proofpoint researchers report that prolific initial access broker TA584 has begun using Tsundere Bot alongside the XWorm RAT to gain footholds that could lead to ransomware. The group ramped up activity in late 2025, expanding beyond North America and the UK to target Germany, other European countries and Australia. Their emails leverage aged compromised accounts delivered via SendGrid and Amazon SES, unique geofenced URLs, redirect chains and obfuscated PowerShell that loads payloads in memory to evade static detection.
read more →

Fake Moltbot VS Code Extension Deploys Remote Access

⚠️ A malicious Visual Studio Code extension impersonating Moltbot, published as 'ClawdBot Agent - AI Coding Assistant' (clawdbot.clawdbot-agent), was distributed on the official Marketplace and has since been removed by Microsoft. The add-on auto-executes on IDE launch, fetches a remote config.json and installs a binary that deploys an ConnectWise ScreenConnect client connecting to attacker infrastructure. It includes DLL sideload and batch-script fallbacks and hard-coded payload URLs. Researchers warn exposed Moltbot instances and insecure defaults increase the risk of credential theft and remote compromise.
read more →

EncystPHP Web Shell Exploits FreePBX Endpoint Manager

🛡️ FortiGuard Labs discovered EncystPHP, a sophisticated PHP web shell exploiting FreePBX via CVE-2025-64328. The campaign, linked to activity attributed to INJ3CTOR3, deploys droppers that create root accounts, inject SSH keys, alter cron jobs for persistence, and remove competing shells. Infected hosts enable remote command execution and abuse of PBX telephony resources. Fortinet offers detections and IPS coverage to mitigate the threat.
read more →

AI-Generated Code and Emojis Found in PureRAT Malware

🤖 Researchers report that the PureRAT remote access trojan is being produced with the assistance of AI, with leftover AI-authored comments and even emojis appearing in the malware’s code. Analysis by Symantec and the Carbon Black Threat Hunter Team ties these artifacts to scripts distributed via phishing emails posing as job opportunities. The presence of explicit AI instructions, debug messages and Vietnamese-language strings — including references to Hanoi — suggests a likely Vietnam-based operator. Despite the sloppy leftovers, PureRAT remains a capable infostealer enabling persistent remote access and data exfiltration.
read more →

Malicious PyPI Spellchecker Packages Deliver Python RAT

⚠ Aikido researchers discovered two malicious PyPI packages, spellcheckerpy and spellcheckpy, that posed as spellcheckers but contained a Base64-encoded downloader and a Python remote access trojan (RAT). The payload was hidden inside the Basque dictionary archive resources/eu.json.gz and decoded when the package’s test_file() extraction was invoked. Early releases only decoded the payload; spellcheckpy v1.2.0 (published Jan 21, 2026) introduced an obfuscated trigger that executes the payload, and the packages were downloaded just over 1,000 times before removal.
read more →

Mustang Panda Updates CoolClient Backdoor with Infostealers

🔐 Kaspersky researchers say Chinese espionage group Mustang Panda has updated its CoolClient backdoor to steal browser login data, monitor the clipboard, and sniff HTTP proxy credentials. The upgraded variant has been observed targeting government entities in Myanmar, Mongolia, Malaysia, Russia, and Pakistan and was distributed via legitimate Sangfor software. New plugins add a remote shell, enhanced file and service management, and in-memory plugin execution; researchers also noted a previously unseen rootkit used in some intrusions.
read more →

PeckBirdy: JScript C2 Framework Used by China-Linked APTs

🛡️ Trend Micro researchers uncovered PeckBirdy, a JScript-based command-and-control framework used by China-aligned APTs since 2023 to target gambling sites, government portals, and private organizations across Asia. The flexible framework executes via living-off-the-land binaries (LOLBins) and supports browsers, MSHTA, WScript, Classic ASP, Node.js, and .NET execution paths. Operators relied on watering‑hole injections and fake Google Chrome update pages to deliver staged scripts and deploy modular backdoors such as HOLODONUT and MKDOOR. Detection is complicated by dynamically generated, runtime-injected JavaScript and scarce persistent artifacts.
read more →

Konni Targets Blockchain Engineers with AI-Powered Malware

🔒 The North Korean-linked Konni group is deploying AI-generated PowerShell malware to specifically target developers and engineers in the blockchain sector. The campaign uses Discord-hosted ZIP lures that contain a PDF, a malicious LNK shortcut, and an embedded DOCX/CAB payload which drops a backdoor, batch files, and a UAC bypass executable. The backdoor is heavily obfuscated, runs an XOR-encrypted script in-memory via an hourly scheduled task masquerading as OneDrive, and bears markers of LLM-assisted development such as structured documentation and placeholder comments like "# <- your permanent project UUID".
read more →

Multi-Stage Windows Malware Campaign Abusing Defendnot

🛡️ FortiGuard Labs details a multi-stage Windows malware campaign that begins with socially engineered archives and a deceptive LNK shortcut to launch a PowerShell loader. The chain uses an obfuscated VBScript to reconstruct final-stage logic in memory, then operationalizes Defendnot to disable Microsoft Defender from a signed process while applying persistent policy-based suppression. Attackers stage components across GitHub and Dropbox, deploy long-term surveillance and persistence, and deliver Amnesia RAT, Hakuna Matata–derived ransomware, and a WinLocker, resulting in widespread file encryption and credential theft.
read more →

LinkedIn Messages Used to Distribute RAT via DLL Sideload

📩 ReliaQuest researchers uncovered a LinkedIn-based phishing campaign that delivers weaponized WinRAR self-extracting archives to targets. The archive extracts four components: a legitimate open-source PDF reader, a malicious DLL used for DLL sideloading, a portable Python interpreter PE, and a decoy RAR. When the PDF reader is run the rogue DLL is sideloaded, drops the Python interpreter, creates a Windows Run registry key, and executes Base64-encoded open-source shellcode in memory to deploy a remote access trojan. The campaign leverages social media DMs and legitimate tools to evade detection and maintain persistent access.
read more →

LinkedIn phishing uses legitimate tools to deploy RAT

🔒 Researchers at ReliaQuest uncovered a LinkedIn-based phishing campaign that delivers a Remote Access Trojan by abusing legitimate software. Attackers send role-tailored messages containing a WinRAR self-extracting archive that unpacks a legitimate open-source PDF reader alongside a malicious DLL that uses DLL sideloading. The campaign leverages a real penetration-testing tool to establish persistence, enabling data exfiltration and lateral movement.
read more →

CrashFix Fake Extension Delivers ModelRAT via Browser Crash

🚨 Security researchers have uncovered the CrashFix campaign, which uses a deceptive Chrome extension to intentionally crash browsers and trick victims into executing attacker-supplied commands. The malicious add-on, identified as NexShield-Advanced Web Protection and branded to resemble uBlock Origin Lite, remains dormant for about an hour before exhausting resources and forcing repeated crashes. On restart, users see a fake repair prompt instructing them to paste a command into the Windows Run dialog; executing it launches a multistage infection that ultimately deploys a previously undocumented Python-based remote access trojan named ModelRAT. Huntress ties the activity to a threat cluster it calls KongTuke and warns administrators to remove look-alike extensions, avoid running unsolicited fix commands, and use published IOCs to detect related activity.
read more →

Fake NexShield Extension Crashes Browsers for ClickFix

🛑 A malvertising campaign deployed a fake ad-blocker extension named NexShield that intentionally crashes Chrome and Edge to stage ClickFix attacks. Researchers at Huntress found the extension creates infinite chrome.runtime port loops that exhaust memory, freezing or crashing browsers. After restart, a deceptive pop-up instructs users to run a clipboard-pasted command that launches an obfuscated PowerShell chain. On domain-joined systems this delivers the Python-based ModeloRAT; home users receive a test payload.
read more →

CrashFix Chrome Extension Delivers ModeloRAT Payload

⚠️ Researchers disclosed an active campaign, tracked as KongTuke and codenamed CrashFix, that used a malicious Chrome extension posing as an ad blocker to deliberately crash browsers and coerce victims into running commands. The fake add-on, “NexShield – Advanced Web Guardian,” impersonated uBlock Origin Lite, garnered 5,000+ installs, and implements delayed execution, DoS crash loops, and anti-analysis controls. The lure prompts users to paste a pre-copied command into the Windows Run dialog that abuses finger.exe to fetch a PowerShell chain, ultimately delivering the previously undocumented ModeloRAT. Huntress warns the technique weaponizes user frustration to create a persistent, self-sustaining infection loop that can hand victims off to other threat actors.
read more →

Phishing Campaign Uses Fake PayPal Alerts, Abuses RMM

📧 CyberProof documented a wave of phishing-led intrusions where attackers used fake PayPal alerts to trick victims into installing legitimate remote access software. The campaign targeted both personal and corporate accounts and represents a shift from seasonal lures to high-urgency financial themes. Attackers initially deployed LogMeIn Rescue then pivoted to AnyDesk to maintain access while avoiding EDR detection. Recommended mitigations include tighter phishing controls, restricting RMM ports and adopting a zero-trust posture.
read more →