< ciso
brief />
Tag Banner

All news with #remote access trojan tag

337 articles · page 9 of 17

DeadLock Ransomware Abuses Polygon Smart Contracts

🔒 Group-IB researchers report that the DeadLock ransomware is using Polygon smart contracts to store and rotate proxy server addresses, enabling more resilient command-and-control. Rather than rely on hard-coded servers, the malware performs read-only calls to blockchain contracts to fetch proxy URLs and uses fallback RPC endpoints to avoid transactions and fees. An HTML component communicates via the Session encrypted messaging platform, while operators also employ AnyDesk and PowerShell to escalate impact; victims' files are suffixed .dlock and ransom notes threaten data sale.
read more →

New Remcos Phishing Campaign Uses CVE-2017-11882 RTF

🛡️ FortiGuard Labs uncovered a phishing campaign that delivers a fileless Remcos RAT via a malicious Word document which loads a remote RTF exploiting CVE-2017-11882. The exploit executes shellcode to fetch a VBScript that launches a Base64 PowerShell loader. That PowerShell downloads an image with an embedded .NET module, which the loader runs in memory to install persistence and inject the Remcos payload into a legitimate process using process hollowing.
read more →

PLUGGYAPE Backdoor Uses Signal and WhatsApp for Access

🛡️CERT-UA reports a campaign attributed with medium confidence to the group tracked as Void Blizzard that targeted Ukrainian defense forces between October and December 2025 with a Python backdoor dubbed PLUGGYAPE. Attackers used Signal and WhatsApp messages, impersonating charities and distributing password‑protected archives containing a PyInstaller executable. The backdoor supports remote code execution over WebSocket and, as of December 2025, MQTT, and retrieves base64‑encoded C2 addresses from paste services to maintain operational resilience. Successive builds have added obfuscation and anti‑analysis checks to avoid execution in virtual environments.
read more →

Charity-Themed Campaign Delivers PluggyApe to Ukraine

🔒 Between October and December 2025, Ukraine's Defense Forces were targeted in a charity-themed messaging campaign that delivered the backdoor PluggyApe. Attackers used Signal and WhatsApp to lure recipients to fake charity sites or to send password-protected archives containing executable .docx.pif files created with PyInstaller, and sometimes delivered payloads directly via messaging apps. PluggyApe profiles hosts, sends victim identifiers and system data to operators, achieves persistence through Windows Registry modifications, and fetches base64-encoded C2 addresses from public paste services. CERT-UA assigns medium confidence attribution to the Russian-aligned group known as Laundry Bear (aka Void Blizzard) and warns that mobile devices and compromised local accounts make such lures especially convincing.
read more →

SHADOW#REACTOR campaign uses text staging to deploy Remcos

🔎 A multi-stage Windows malware campaign, tracked as SHADOW#REACTOR, uses obfuscated VBS and heavily encoded PowerShell to stage payloads entirely in memory and avoid disk-based indicators. Attackers fetch repeated text-based fragments over HTTP, reconstruct them into a reflectively loaded .NET assembly protected with .NET Reactor, and abuse signed Microsoft binaries such as MSBuild.exe to execute the final Remcos RAT. The chain emphasizes living-off-the-land techniques, persistence and anti-analysis measures to complicate detection.
read more →

SHADOW#REACTOR Delivers Remcos RAT via Evasive Chain

🔍Researchers described a newly observed SHADOW#REACTOR campaign that uses an evasive, multi-stage chain to deliver the commercial Remcos RAT and maintain covert persistence. An obfuscated win64.vbs launcher invokes a Base64 PowerShell stager that retrieves fragmented, text-only payloads and reconstructs loaders in memory using a .NET Reactor–protected reflective assembly. The final stage abuses MSBuild.exe to execute the Remcos backdoor, and wrapper scripts ensure re-execution, all designed to frustrate detection and analysis.
read more →

Dutch Hacker Sentenced to Seven Years for Port Hacks

🔒 The Amsterdam Court of Appeal sentenced a 44‑year‑old Dutch national to seven years in prison for breaching IT systems at the ports of Rotterdam, Barendrecht and Antwerp to facilitate drug trafficking. The court found he gained access after employees introduced USB sticks containing malware, enabling installation of a remote access tool, data exfiltration and interception. An appeal arguing unlawful interception of Sky ECC communications was rejected, as the defence failed to substantiate procedural violations. He was acquitted on one large cocaine import charge but upheld on hacking, facilitating the importation of 210 kg of cocaine, and attempted extortion.
read more →

Iran-linked MuddyWater Deploys Rust-Based Implant Now

🔒 CloudSEK reports that Iran-linked APT MuddyWater has deployed a Rust-based implant dubbed RustyWater in a spear-phishing campaign targeting diplomatic, maritime, financial, and telecom entities across Israel and the Middle East. The campaign relies on icon-spoofed executables delivered in ZIP archives that display decoy PDFs while executing loaders which establish persistence and fetch the Rust payload. RustyWater implements anti-analysis checks, string obfuscation, randomized callbacks and standard RAT functions including file enumeration, command execution and data exfiltration, while using C2 domains that mimic legitimate services.
read more →

MuddyWater Deploys RustyWater RAT in Spear‑Phishing Campaign

🛡️ CloudSEK researchers report that the Iran-linked actor MuddyWater has distributed a new Rust-based remote access tool codenamed RustyWater via spear-phishing emails containing malicious Microsoft Word documents. The lure employs icon spoofing and a VBA macro that drops a Rust implant capable of asynchronous C2, anti-analysis, registry persistence, and modular expansion. Tracked also as Archer RAT or RUSTRIC, the implant contacts a hardcoded C2 (nomercys.it[.]com) to perform file operations and execute commands. Seqrite Labs linked RUSTRIC to recent activity against IT firms, MSPs and software companies in Israel.
read more →

NodeCordRAT Found in Bitcoin-Themed Malicious npm Packages

🔍 Zscaler ThreatLabz researchers uncovered three malicious npm packages that delivered a previously undocumented remote access trojan dubbed NodeCordRAT. Uploaded under the username "wenmoonx" and disguised as bitcoin libraries, the packages used a postinstall script to install the final payload. NodeCordRAT uses npm for distribution and Discord as its C2, supporting remote shell execution, screenshots, and file exfiltration including browser credentials and wallet seed phrases.
read more →

Holiday Season Malware Targets Hotels via Booking Lures

⚠️ Securonix researchers have identified a multi-stage malware campaign, tracked as PHALT#BLYX, that targets hospitality organizations during the holiday season. The attack begins with phishing emails impersonating Booking.com, using urgent, high‑value reservation charges to lure victims to a convincing clone site. Victims are coerced through fake CAPTCHA and simulated BSOD prompts to paste a PowerShell command that downloads a project file executed by MSBuild.exe, culminating in a heavily obfuscated DCRat remote access Trojan. Securonix advises staff training, strict handling of browser‑prompted commands and enhanced monitoring of trusted binaries and process behaviour.
read more →

Unpatched EX200 Flaw Lets Authenticated Users Trigger Telnet

⚠ An unpatched firmware error in the TOTOLINK EX200 wireless range extender can cause the device to start an unauthenticated root-level telnet service when specific malformed firmware files are processed. CERT/CC (CVE-2025-65606) says exploitation requires an attacker to be authenticated to the web management interface to reach the firmware-upload handler, which can then enter an abnormal error state. The vendor has not issued a patch and the product is no longer actively maintained; users are advised to restrict administrative access and consider upgrading to a supported model.
read more →

Phishing Campaign Uses Fake Booking Emails to Deploy DCRat

📧 Securonix researchers uncovered PHALT#BLYX, a phishing campaign that uses ClickFix-style lures and counterfeit Booking.com reservation messages to trick hospitality staff into executing commands that pull and run remote code. The landing pages present a fake CAPTCHA then a staged blue screen of death that instructs victims to paste a command into the Windows Run dialog, triggering a PowerShell dropper. That dropper downloads an MSBuild project (v.proj) and invokes MSBuild.exe to configure Defender exclusions, persist in Startup, and retrieve the DCRat remote-access trojan.
read more →

ClickFix Campaign Uses Fake BSOD to Trick Hospitality Staff

🛑 This campaign impersonates Booking.com to redirect hospitality staff to a cloned site that triggers a full-screen fake Windows BSOD. The page instructs victims to paste and run a command that launches PowerShell, compiles a malicious .NET project via MSBuild.exe, and executes a loader. The payload disables Defender exclusions, triggers UAC prompts for elevation, and deploys DCRAT (staxs.exe) which provides remote access and can drop additional tools such as cryptocurrency miners.
read more →

Russia-Aligned Hackers Abuse Viber to Deploy Malware

📲 Russian-aligned threat actor UAC-0184 used the Viber messaging app to deliver malicious ZIP archives to Ukrainian military and government recipients, according to 360 Threat Intelligence Center. The archives contained LNK decoys that silently executed Hijack Loader, which retrieves a second ZIP (smoothieks.zip) via PowerShell and reconstructs the loader in memory. The loader uses DLL side-loading, module stomping, CRC32 checks for installed security products, and scheduled tasks for persistence before injecting Remcos RAT into chime.exe to enable remote control and data theft.
read more →

Transparent Tribe Deploys New RAT Targeting Indian Sectors

🛡️ Transparent Tribe (APT36) has launched a spear-phishing campaign delivering a memory‑resident RAT that grants persistent remote control of compromised hosts. The attack chain leverages weaponized .LNK shortcuts that execute obfuscated HTA scripts via mshta.exe, decrypt payloads into memory, and present decoy PDFs to evade detection. The malware adapts persistence to detected antiviruses and drops a DLL, iinneldc.dll, which supports remote command execution, file exfiltration, screenshot capture, clipboard manipulation, and process control.
read more →

Silver Fox Uses Tax Phishing to Deliver ValleyRAT in India

📧 Silver Fox is targeting Indian users with income tax-themed phishing emails that deliver the modular remote-access trojan ValleyRAT. The campaign uses decoy PDFs that redirect victims to a domain hosting a ZIP archive containing an NSIS installer which sideloads a rogue libexpat.dll alongside a legitimate thunder.exe. The loader disables Windows Update, performs anti-analysis checks, and injects the RAT into explorer.exe to establish persistent, low-noise access.
read more →

Typosquatted MAS domain spread Cosmali PowerShell malware

⚠️A typosquatted domain impersonating the MAS Windows activation tool — get.activate.win instead of the legitimate get.activated.win — was used to serve malicious PowerShell scripts that deploy the Cosmali Loader. Victims reported intrusive pop-up warnings claiming a Cosmali infection after mistyping the domain while running activation commands. Researcher RussianPanda linked the loader to cryptomining utilities and the XWorm RAT. MAS maintainers urged users to verify commands, avoid retyping URLs, and test remote code in sandboxes before execution.
read more →

Webrat Lures Researchers with Fake GitHub Exploit PoCs

🐀 Attackers are hosting counterfeit proof-of-concept exploit repositories on GitHub to deliver the Webrat backdoor to unsuspecting users. Kaspersky analysts observed polished, likely machine-generated README files that mask a password-protected ZIP; the archive password is hidden in filenames and often missed. Inside are decoy DLLs, batch loaders and executables (e.g., rasmanesc.exe) that disable Windows Defender, escalate privileges, and fetch the real payload from hardcoded C2 servers. The campaign, active since at least September 2025, appears tuned to catch novice researchers and students who analyze PoCs outside isolated environments.
read more →

WebRAT Distributed via Fake PoC Exploits on GitHub

🛡️ Kaspersky researchers found WebRAT backdoor being distributed through GitHub repositories that posed as proof‑of‑concept exploits for recently disclosed vulnerabilities. The malicious packages were delivered as password‑protected ZIPs containing a corrupted decoy DLL, a batch script, and a main dropper named rasmanesc.exe that elevates privileges, disables Defender, and downloads WebRAT. All identified repositories have been removed, but developers are urged to verify PoC sources and test untrusted code in isolated environments.
read more →