Tag: backdoor
-
macOS Backdoor Uses Prompt Injection to Evade AI Triage
SentinelLabs found a North Korea-linked macOS backdoor using prompt injection on AI triage tools. First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/macos-gaslight-rust-backdoor/
-
ModeloRAT and Mistic Backdoor Activity Linked to Ransomware Initial Access Broker
The Python-based remote access trojan ModeloRAT and a newly observed stealth backdoor, dubbed Backdoor.Mistic, have been linked to activity consistent with an initial access broker (IAB) operation that facilitates ransomware deployments. Mistic, first seen in April 2026 and publicized by Zscaler as MLTBackdoor, appears optimized for long-term, low-visibility access and was discovered deployed in at least one…
-
Stealthy Mistic backdoor linked to ransomware access broker KongTuke
A new backdoor dubbed Mistic has been observed in financially motivated attacks targeting organizations in the insurance, education, IT, and professional services sectors. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/stealthy-mistic-backdoor-linked-to-ransomware-access-broker-kongtuke/
-
Payouts King Initial Access Broker Deploys Edgecution Malware Through Malicious Edge Extension
A concerted campaign by an initial access broker with ties to the Payouts King ransomware ecosystem leverages a novel browser-based delivery technique to establish persistent host-level control. The actor deploys a malicious Microsoft Edge extension dubbed "Edgecution" which abuses the Chrome native messaging protocol to reach a Python backdoor running on the endpoint, effectively…
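Native messaging is the documented bridge between an extension and a host process: the browser looks up a JSON manifest (by name, in fixed directories on Linux/macOS or via a registry subkey on Windows), starts the `path` it names with no arguments, and speaks to it over stdin/stdout. Auditing those registrations is therefore the quickest host-side check for an Edgecution-style pairing. The script below is an added example, not code from the report or from the actor's tooling: the manifest fields and lookup locations are Chromium's documented layout, while the interpreter and staging-directory heuristics and the sample manifest are assumptions.

```python
"""Audit Chromium/Edge native messaging host registrations for hosts that hand
an extension a stdio pipe to a script interpreter or to a binary staged in a
user-writable directory. Added example, not code from the Edgecution report:
the manifest fields and lookup locations are the documented Chromium layout,
the suspicion heuristics and the sample manifest are assumptions."""
import json
import os
import re
import sys
from pathlib import Path

# Executables a vendor-installed host rarely names directly (assumption).
INTERPRETER_RE = re.compile(
    r"(^|[\\/])(pythonw?[\d.]*|powershell|pwsh|cmd|wscript|cscript|mshta|node)(\.exe)?$",
    re.I)
# Staging locations unusual for a packaged host (assumption).
STAGING_DIR_RE = re.compile(
    r"(appdata[\\/]local[\\/]temp|[\\/]tmp[\\/]|[\\/]downloads[\\/]|[\\/]public[\\/])",
    re.I)
WRAPPER_RE = re.compile(r"\.(bat|cmd|ps1|vbs|js|py|sh)$", re.I)

# Manifest directories Chrome and Edge consult on Linux/macOS.
MANIFEST_DIRS = [
    "~/.config/google-chrome/NativeMessagingHosts",
    "~/.config/microsoft-edge/NativeMessagingHosts",
    "/etc/opt/chrome/native-messaging-hosts",
    "/etc/opt/edge/native-messaging-hosts",
    "~/Library/Application Support/Google/Chrome/NativeMessagingHosts",
    "~/Library/Application Support/Microsoft Edge/NativeMessagingHosts",
    "/Library/Google/Chrome/NativeMessagingHosts",
    "/Library/Microsoft/Edge/NativeMessagingHosts",
]
# On Windows each host is a subkey under these paths in HKCU and HKLM, and the
# subkey's default value is the full path of the manifest file.
REGISTRY_KEYS = [r"Software\Google\Chrome\NativeMessagingHosts",
                 r"Software\Microsoft\Edge\NativeMessagingHosts"]


def analyse_manifest(text, source="<memory>"):
    """Parse one manifest JSON document and return a dict with its findings."""
    m = json.loads(text)
    path = m.get("path", "")
    origins = m.get("allowed_origins", [])
    findings = []
    if m.get("type") != "stdio":
        findings.append("type is not stdio")
    if INTERPRETER_RE.search(path):
        findings.append("path is a script interpreter")
    if STAGING_DIR_RE.search(path):
        findings.append("path is in a temp/download/staging directory")
    if WRAPPER_RE.search(path):
        findings.append("path is a wrapper script; inspect what it launches")
    if not origins:
        findings.append("no allowed_origins")
    return {"source": source, "name": m.get("name"), "path": path,
            "origins": origins, "findings": findings}


def scan_directories(dirs=MANIFEST_DIRS):
    """Analyse every manifest in the Linux/macOS lookup directories."""
    results = []
    for d in dirs:
        p = Path(os.path.expanduser(d))
        if p.is_dir():
            for f in p.glob("*.json"):
                try:
                    results.append(analyse_manifest(f.read_text(), str(f)))
                except (OSError, ValueError) as e:
                    results.append({"source": str(f), "findings": [f"unreadable: {e}"]})
    return results


def scan_windows_registry():
    """Follow each registered host's default value to its manifest (Windows only)."""
    import winreg
    results = []
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        for key in REGISTRY_KEYS:
            try:
                with winreg.OpenKey(hive, key) as k:
                    for i in range(winreg.QueryInfoKey(k)[0]):
                        with winreg.OpenKey(k, winreg.EnumKey(k, i)) as sub:
                            manifest = winreg.QueryValueEx(sub, "")[0]
                        p = Path(manifest)
                        if p.is_file():
                            results.append(analyse_manifest(p.read_text(), str(p)))
            except OSError:
                continue
    return results


# Constructed sample (not a real Edgecution artifact) so the script demonstrates
# itself offline: an interpreter in %TEMP% registered as a messaging host.
SAMPLE_SUSPICIOUS = json.dumps({
    "name": "com.example.updater", "description": "constructed example",
    "path": r"C:\Users\alice\AppData\Local\Temp\svc\pythonw.exe", "type": "stdio",
    "allowed_origins": ["chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/"]})

if __name__ == "__main__":
    found = scan_windows_registry() if sys.platform == "win32" else scan_directories()
    for r in found + [analyse_manifest(SAMPLE_SUSPICIOUS, "constructed sample")]:
        if r["findings"]:
            print(r["source"], r.get("name"), r.get("path"), "->", "; ".join(r["findings"]))
```

Because a manifest `path` cannot carry arguments, a Python payload is normally reached through a wrapper (`.bat`, `.cmd`, a launcher binary) rather than by naming `python.exe` directly, so treat the "wrapper script" finding as a prompt to read the wrapper, and pair the manifest review with the extension's own `nativeMessaging` permission and the origins it is allowed from.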
-
ShapedPlugin Supply Chain Attack Backdoors Pro Plugin Updates
Attackers backdoored ShapedPlugin Pro updates, deploying malware that steals credentials, 2FA secrets, and grants full site access. If you installed a ShapedPlugin Pro plugin between April and June 2026 and kept it updated, your site may be compromised. Not because you did something wrong, but because the vendor’s own build and distribution pipeline was breached.…
-
North Korean Hackers Poison Mastra AI Framework
Tags: ai, attack, backdoor, credentials, framework, hacker, malicious, microsoft, north-korea, software, supply-chain, theft, tool
More Than 140 npm Packages Carried Credential-Stealing Code. Microsoft says North Korean-linked BlueNoroff compromised a Mastra npm maintainer account and published more than 140 malicious packages, using a software supply-chain attack to distribute infostealers, backdoors and credential theft tools through AI development environments. First seen on govinfosecurity.com Jump to article: www.govinfosecurity.com/north-korean-hackers-poison-mastra-ai-framework-a-32042
-
ShapedPlugin WordPress Pro Plugins Backdoored in Supply Chain Attack
Multiple WordPress plugins from ShapedPlugin were compromised in a supply chain attack after unknown threat actors managed to tamper with the official release channels and push backdoor code. "Attackers compromised the vendor's build and distribution pipeline, injecting backdoor code into Pro plugin releases distributed through official licensed update channels," Wordfence said in an analysis. First seen…
-
Week in review: 74k Fortinet firewall credentials stolen, Splunk Enterprise RCE under active attack
Tags: attack, backdoor, breach, credentials, firewall, fortinet, Hardware, network, rce, remote-code-execution, WeeklyReview
Here's an overview of some of last week's most interesting news, articles, interviews and videos: A hardware neural network backdoor that hides in plain sight Deep learning … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2026/06/21/week-in-review-74k-fortinet-firewall-credentials-stolen-splunk-enterprise-rce-under-active-attack/
-
Microsoft discovers new lightweight backdoor that steals cryptocurrency
Crypto Clipper spreads over USB and communicates over Tor. First seen on arstechnica.com Jump to article: arstechnica.com/security/2026/06/microsoft-spots-new-self-propagating-malware-for-stealing-cryptocurrency/
-
DragonForce Hackers Abuse Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic
Threat actors associated with the DragonForce ransomware have been observed using a custom Go-based remote access trojan (RAT) called Backdoor.Turn to conceal command-and-control (C2) traffic inside Microsoft Teams relay infrastructure. According to findings from Broadcom-owned Symantec and Carbon Black, the backdoor was deployed against a major U.S. services firm. The name of the company was First…
-
DragonForce Ransomware Abused Microsoft Teams to Hide Malware Activity
DragonForce ransomware abused Microsoft Teams relay systems to hide a custom backdoor, steal files and encrypt systems at a US services firm. First seen on hackread.com Jump to article: hackread.com/dragonforce-ransomware-microsoft-teams-malware/
-
Modified OpenSSH Binaries Let Velvet Ant Steal Passwords, Log Commands, and Hide Activity
A long-running, stealthy campaign attributed to the China-nexus actor tracked as Velvet Ant has been found to include deeply engineered backdoors in the authentication stack: modified OpenSSH binaries and tampered PAM modules that exfiltrate credentials, record every executed command, and conceal attacker activity. The discovery, part of Sygnia’s Operation Highland investigation, reveals nearly a decade…
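A tampered `sshd` or PAM module keeps every documented behaviour while adding credential capture, so the only dependable check is file integrity against a baseline taken from a trusted build, and that check has to cover the modules PAM actually loads, not just the package's own file list. The script below is an added example, not from Sygnia's report: the PAM syntax handling follows the standard `type control module args` format with Debian `@include` and RHEL `include`/`substack` directives, the module search directories are an assumption for distributions other than Debian/RHEL, and the configuration and hashes it demonstrates on are constructed.

```python
"""Verify the authentication stack against a known-good baseline: hash the
OpenSSH binaries plus every PAM module the live configuration references.
Added example, not from Sygnia's Operation Highland report; module search
directories are an assumption (Debian/RHEL layout) and the sample config
below is constructed."""
import hashlib
import re
from pathlib import Path

# type  control  module [args]; control may be a [bracketed] action list.
PAM_LINE = re.compile(
    r"^(?P<type>-?(auth|account|password|session))\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)")
MODULE_DIRS = ["/lib/x86_64-linux-gnu/security", "/usr/lib/x86_64-linux-gnu/security",
               "/lib64/security", "/usr/lib64/security", "/lib/security"]  # assumption
SSH_BINARIES = ["/usr/sbin/sshd", "/usr/bin/ssh", "/usr/bin/ssh-keygen"]


def pam_modules(config_text):
    """Module names or paths referenced by one PAM config (comments stripped)."""
    mods = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue  # Debian-style include of another config file, not a module
        m = PAM_LINE.match(line)
        if not m or m.group("control") in ("include", "substack"):
            continue  # RHEL-style include of another config file, not a module
        mods.add(m.group("module"))
    return mods


def resolve_module(name, dirs=MODULE_DIRS):
    """Absolute path of a module if it exists on this host, else None."""
    p = Path(name)
    if p.is_absolute():
        return p if p.exists() else None
    for d in dirs:
        c = Path(d) / name
        if c.exists():
            return c
    return None


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(baseline, paths):
    """Compare each path against {path: sha256}; return {path: problem}."""
    problems = {}
    for p in map(Path, paths):
        key = str(p)
        if not p.exists():
            problems[key] = "missing"
        elif key not in baseline:
            problems[key] = "not in baseline (unexpected module or binary)"
        elif sha256_file(p) != baseline[key]:
            problems[key] = "hash mismatch"
    return problems


def audit(pam_dir="/etc/pam.d", baseline=None):
    """Walk the live PAM configuration and check every loaded module plus sshd."""
    baseline = baseline or {}
    referenced = set()
    for cfg in Path(pam_dir).glob("*"):
        if cfg.is_file():
            referenced |= pam_modules(cfg.read_text(errors="replace"))
    paths = set(SSH_BINARIES)
    for name in referenced:
        r = resolve_module(name)
        paths.add(str(r) if r else name)  # unresolved names surface as "missing"
    return verify(baseline, sorted(paths))


# Constructed sshd PAM config for offline demonstration; an absolute-path module
# that no package ships, as on the last line, is what a tampered stack looks like.
SAMPLE_PAM_SSHD = """\
# PAM configuration for the Secure Shell service
@include common-auth
auth    required     pam_env.so
auth    optional     pam_faildelay.so delay=2000000
account include      system-auth
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required     /usr/lib/x86_64-linux-gnu/security/pam_unixx.so
"""

if __name__ == "__main__":
    print("modules referenced by sample config:", sorted(pam_modules(SAMPLE_PAM_SSHD)))
    for path, problem in audit().items():  # empty baseline: every path is reported
        print(f"{path}: {problem}")
```

Capture the baseline from a freshly installed package on a clean host (or from the distribution's own verification, `rpm -V openssh-server` / `debsums openssh-server`) rather than from the suspect machine, and remember that a kernel-level rootkit can lie about file contents; for a host already suspected of this class of compromise, hash the files from a live-booted rescue image instead.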
-
DragonForce Hid Inside Microsoft Teams and Nobody Noticed for Two Months
DragonForce hid for months by routing malware traffic through Microsoft Teams infrastructure, masking C2 activity and evading network detection. DragonForce ransomware operators hit a major U.S. services firm and stayed hidden for one to two months by routing their command-and-control traffic through Microsoft’s own Teams relay servers. Symantec’s threat hunters tracked the custom backdoor they…
-
Software project with a backdoor: malware attack via LinkedIn exposed with the help of AI
A supposed recruiter tried to slip malware to a Python developer via LinkedIn. An AI tool helped him thwart the attack. First seen on golem.de Jump to article: www.golem.de/news/linkedin-wie-ein-entwickler-mittels-ki-eine-schadcodeattacke-entlarven-konnte-2606-209862.html
-
SprySOCKS Windows Backdoor Uses Kernel Driver to Hide Processes, Files, and Network Traffic
Windows variants of SprySOCKS, a backdoor long associated with FishMonger (aka Earth Lusca/TAG-22), expand a toolset that was until now Linux-only. The two Windows builds, internally labelled WIN_DRV and WIN_PLUS, preserve the original SprySOCKS protocol and command set while adding Windows-native loading techniques and, in WIN_DRV's case, a kernel-mode driver that substantially increases stealth and…
-
China-Linked FishMonger Ports SprySOCKS to Windows With Kernel-Level Stealth and UEFI Bootkit Hints
China-linked FishMonger used two SprySOCKS Windows variants that leveraged kernel drivers and the Print Spooler to target governments in four countries. ESET researchers have found two previously undocumented Windows versions of SprySOCKS, a backdoor that the security community had until now treated as Linux-only. Trend Micro first documented the Linux variant in September 2023 and…
-
Steam Workshop Malware Campaign Uses Wallpaper Engine to Steal Accounts and Infect Gamers
A sophisticated malware campaign has been abusing Steam Workshop's sharing model to distribute backdoors, infostealers and crypto miners hidden inside Wallpaper Engine packages, primarily targeting gamers in China and Russia. The campaign exploits Wallpaper Engine's "application" wallpaper type, essentially standalone executables that run as animated desktop backgrounds, to execute arbitrary code the moment a user…
-
The FishMonger arsenal has been expanded: SprySOCKS for Windows
ESET researchers have discovered "SprySOCKS for Windows". The FishMonger backdoor uses a kernel driver to achieve an especially high degree of stealth. First seen on welivesecurity.com Jump to article: www.welivesecurity.com/de/eset-research/das-fishmonger-arsenal-wurde-erweitert-sprysocks-fur-windows/
-
SprySOCKS backdoor expands to Windows with new variants
First seen on scworld.com Jump to article: www.scworld.com/brief/sprysocks-backdoor-expands-to-windows-with-new-variants
-
SprySOCKS Windows Variant Abuses Kernel Drivers to Evade Detection
FishMonger, a China-nexus threat group, has deployed an undocumented version of the Linux backdoor against government targets in Honduras, Taiwan, Thailand, and Pakistan. First seen on darkreading.com Jump to article: www.darkreading.com/threat-intelligence/sprysocks-windows-variant-kernel-drivers
-
SprySOCKS Backdoor Expands From Linux to Windows
China-linked SprySOCKS backdoor gains stealthy Windows variants and 30-plus C2 commands. First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/sprysocks-backdoor-windows/
-
Hackers Abuse Compromised WordPress Sites to Deliver GULoader Through EtherHiding Chain
In April 2026, incident responders traced a sophisticated intrusion that abused compromised WordPress sites to deliver GULoader via an EtherHiding → ClickFix → UNC-chain. The real-world ClickFix incident produced convergent evidence from an ANY.RUN sandbox detonation and live EDR telemetry, revealing a complete, user-initiated attack path from a WordPress mu-plugin backdoor to a blocked rundll32.exe…
-
China-Linked SprySOCKS Backdoor Expands to Windows with Driver-Based Stealth
Cybersecurity researchers have flagged two previously undocumented Windows variants of what was believed to be a Linux-only backdoor called SprySOCKS. "The Windows variants discovered are internally marked as WIN_DRV and WIN_PLUS," ESET said in a report shared with The Hacker News. "Both come with a hard-coded C&C [command-and-control] configuration and support communication over TCP, UDP, First…
-
Chinese Hacking Firm Upgrades With New Windows Backdoor
Researchers Identified Two Undocumented Variants Used Since 2023. ESET uncovered two previously undocumented Windows variants of the China-linked SprySOCKS backdoor tied to FishMonger and iSoon, revealing expanded espionage capabilities, rootkit-based stealth and continued targeting of government organizations across Asia and Central America. First seen on govinfosecurity.com Jump to article: www.govinfosecurity.com/chinese-hacking-firm-upgrades-new-windows-backdoor-a-31977
-
Rhysida and Interlock Ransomware Groups Linked to Initial Access Brokers and Crypter Ecosystem
Rhysida and Interlock sit inside the same ransomware supply chain, but their latest observed behavior shows a more nuanced relationship than simple code reuse. IBM X-Force’s long-term analysis ties both groups to initial access brokers, private crypters, downloaders, and backdoors that help them stage intrusion chains before encryption. The core finding is that both operations…
-
Chinese Hackers Abused Google Workspace Rules to Steal Research and Defense Emails
A China-linked espionage group hid inside North American medical, academic, and military research networks for more than a year, quietly stealing sensitive research and defense email. The way in was a backdoor on their REDCap research servers that stole login credentials. The exfiltration was the unusual part: the attackers rewired the victims' own Google Workspace rules…
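Mail rules are a durable exfiltration channel because they survive a password reset and never touch the endpoint. Assuming the "rules" were Gmail filters and forwarding addresses on the compromised accounts (the blurb does not say which settings were changed), the audit below looks for the tell-tale combination: a filter that forwards matching messages to an address outside the organisation and removes them from the inbox. This is an added example, not code from Google's report; the JSON shapes are the ones the Gmail API returns from `users.settings.filters.list` and `users.settings.forwardingAddresses.list`, while the internal domain, the sample rules and the external address are constructed.

```python
"""Audit one Gmail account's filters and forwarding addresses for an
exfiltration rule: forward matching mail to an outside address and keep it out
of the inbox. Added example, not from Google's report; the JSON shapes are the
Gmail API's users.settings.filters.list and users.settings.forwardingAddresses
.list responses, the domains and rules below are constructed."""

INTERNAL_DOMAINS = {"example.edu"}  # assumption: the organisation's own domains


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def audit_filters(filters_resp, internal_domains=INTERNAL_DOMAINS):
    """Return a finding per filter that forwards externally or matches everything.
    Hiding the message (skip inbox, mark read, trash) is reported only as an
    aggravating factor, because skip-inbox filters are routine on their own."""
    findings = []
    for f in filters_resp.get("filter", []):
        action = f.get("action", {})
        criteria = f.get("criteria", {})
        reasons = []
        fwd = action.get("forward")
        if fwd and _domain(fwd) not in internal_domains:
            reasons.append(f"forwards to external address {fwd}")
        if not any(criteria.get(k) for k in
                   ("from", "to", "subject", "query", "negatedQuery", "hasAttachment")):
            reasons.append("matches every message")
        removed = set(action.get("removeLabelIds", []))
        added = set(action.get("addLabelIds", []))
        hides = bool({"INBOX", "UNREAD"} & removed) or "TRASH" in added
        if reasons and hides:
            reasons.append("and hides the message from the user")
        if reasons:
            findings.append({"id": f.get("id"), "criteria": criteria, "reasons": reasons})
    return findings


def audit_forwarding(fwd_resp, internal_domains=INTERNAL_DOMAINS):
    """External addresses the account is able to forward to (each was verified once)."""
    return [a["forwardingEmail"] for a in fwd_resp.get("forwardingAddresses", [])
            if _domain(a["forwardingEmail"]) not in internal_domains]


# Constructed responses: one routine newsletter filter and one exfiltration rule.
SAMPLE_FILTERS = {"filter": [
    {"id": "ANe1Bmi-1", "criteria": {"from": "news@example.com"},
     "action": {"removeLabelIds": ["INBOX"], "addLabelIds": ["Label_7"]}},
    {"id": "ANe1Bmi-2", "criteria": {"query": "grant OR proposal OR contract"},
     "action": {"forward": "archive.mirror@mail-proxy.example",
                "removeLabelIds": ["INBOX", "UNREAD"]}},
]}
SAMPLE_FORWARDING = {"forwardingAddresses": [
    {"forwardingEmail": "archive.mirror@mail-proxy.example",
     "verificationStatus": "accepted"}]}

if __name__ == "__main__":
    for hit in audit_filters(SAMPLE_FILTERS):
        print(hit["id"], hit["criteria"], "->", "; ".join(hit["reasons"]))
    print("external forwarding addresses:", audit_forwarding(SAMPLE_FORWARDING))
```

Against a live account, feed the functions the dicts returned by `service.users().settings().filters().list(userId="me").execute()` and `service.users().settings().forwardingAddresses().list(userId="me").execute()` from google-api-python-client, authorised with the `gmail.settings.basic` scope; covering every mailbox in a tenant needs a service account with domain-wide delegation so each user can be impersonated in turn. A filter can only forward to an address the account has already verified, so an unexpected entry from `audit_forwarding` is a finding even when no filter currently uses it.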
-
Google exposes China espionage group that’s been lurking in networks undetected since 2023
The revelation mirrors an alarming pattern of Chinese espionage groups dropping backdoors into critical infrastructure to intercept research and steal data with national security implications. First seen on cyberscoop.com Jump to article: cyberscoop.com/google-unc6508-china-espionage-threat/