Tag: backdoor
-
China”‘linked PlushDaemon hijacks DNS via ‘EdgeStepper’ to weaponize software updates
Hijacked update to backdoor deployment: With the network device serving as a stealthy redirect, PlushDaemon then exploits the hijacked update channel to gain access to end-systems. ESET observed how typical victim software (such as a Chinese input-method application) issues an HTTP GET to its update server, but because DNS was hijacked, the request lands at…
-
Fake-Softwareupdates: Cyberspione verteilen Malware über manipulierten DNS-Traffic
Eine APT-Gruppe leitet gezielt DNS-Traffic kompromittierter Router um, um Anwendern falsche Softwareupdates mit einer Backdoor unterzuschieben. First seen on golem.de Jump to article: www.golem.de/news/dns-traffic-umgeleitet-cyberspione-verbreiten-malware-ueber-manipulierte-updates-2511-202397.html
-
PlushDaemon Hackers Unleash New Malware in China-Aligned Spy Campaigns
The cyber espionage group uses a previously undocumented network implant to drop two downloaders, LittleDaemon and DaemonLogistics, which deliver a backdoor First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/plushdaemon-new-malware-china-spy/
-
EdgeStepper Implant Reroutes DNS Queries to Deploy Malware via Hijacked Software Updates
The threat actor known as PlushDaemon has been observed using a previously undocumented Go-based network backdoor codenamed EdgeStepper to facilitate adversary-in-the-middle (AitM) attacks.EdgeStepper “redirects all DNS queries to an external, malicious hijacking node, effectively rerouting the traffic from legitimate infrastructure used for software updates to attacker-controlled infrastructure First seen on thehackernews.com Jump to article: thehackernews.com/2025/11/edgestepper-implant-reroutes-dns.html
-
Google Finds New Malware Backdoors Linked to Iran
Hacking Group Deploys Raft of Custom Malware Variants. An Iranian state hacking group with a history of targeting aerospace, aviation and defense industries across the Middle East has improved its tooling with multiple custom malware variants, warned Google. The group, tracked as UNC1549, is suspected of ties to the Iranian Revolutionary Guard Corps. First seen…
-
Iranian Hackers Use DEEPROOT and TWOSTROKE Malware in Aerospace and Defense Attacks
Suspected espionage-driven threat actors from Iran have been observed deploying backdoors like TWOSTROKE and DEEPROOT as part of continued attacks aimed at aerospace, aviation, and defense industries in the Middle East.The activity has been attributed by Google-owned Mandiant to a threat cluster tracked as UNC1549 (aka Nimbus Manticore or Subtle Snail), which was first documented…
-
Iran APT SpearSpecter Uses Weeks-Long WhatsApp Lures and Fileless TAMECAT Backdoor to Hit Defense
The post Iran APT SpearSpecter Uses Weeks-Long WhatsApp Lures and Fileless TAMECAT Backdoor to Hit Defense appeared first on Daily CyberSecurity. First seen on securityonline.info Jump to article: securityonline.info/iran-apt-spearspecter-uses-weeks-long-whatsapp-lures-and-fileless-tamecat-backdoor-to-hit-defense/
-
New Detection Methods Uncovered for Outlook NotDoor Backdoor Malware
Cybersecurity researchers have unveiled comprehensive detection methodologies for NotDoor, a sophisticated backdoor malware that leverages Microsoft Outlook macros for covert command and control operations. The malware, attributed to the Russian state-sponsored threat group APT28 (Fancy Bear), represents an evolution in email-based persistence techniques that can evade traditional security controls. NotDoor was first identified by Lab52,…
-
Hackers Using RMM Tools LogMeIn and PDQ Connect to Deploy Malware as Legitimate Software
Tags: attack, backdoor, cyber, cybersecurity, data, hacker, intelligence, malware, monitoring, software, theft, toolCybersecurity researchers at AhnLab Security Intelligence Center (ASEC) have uncovered a sophisticated attack campaign leveraging legitimate Remote Monitoring and Management (RMM) tools to deploy backdoor malware on unsuspecting users’ systems. The attacks abuse LogMeIn Resolve (GoTo Resolve) and PDQ Connect, transforming trusted administrative tools into weapons for data theft and remote system compromise. While the…
-
Hackers Using RMM Tools LogMeIn and PDQ Connect to Deploy Malware as Legitimate Software
Tags: attack, backdoor, cyber, cybersecurity, data, hacker, intelligence, malware, monitoring, software, theft, toolCybersecurity researchers at AhnLab Security Intelligence Center (ASEC) have uncovered a sophisticated attack campaign leveraging legitimate Remote Monitoring and Management (RMM) tools to deploy backdoor malware on unsuspecting users’ systems. The attacks abuse LogMeIn Resolve (GoTo Resolve) and PDQ Connect, transforming trusted administrative tools into weapons for data theft and remote system compromise. While the…
-
Lazarus Group Deploys Weaponized Documents Against Aerospace Defense
Security researchers at ENKI have uncovered a sophisticated espionage campaign targeting aerospace and defense organizations, in which the Lazarus Group is weaponizing a new variant of the Comebacker backdoor to infiltrate high-value targets. The threat actor has been actively conducting phishing operations since at least March 2025, distributing malicious documents disguised as legitimate communications from…
-
Threat Report: xHunt Targets Microsoft Exchange and IIS with Custom Backdoors
The xHunt advanced persistent threat group continues to pose a significant cybersecurity risk through sophisticated attacks targeting Microsoft Exchange and IIS web servers with custom-built backdoors. This highly focused cyber-espionage operation has maintained persistent, multi-year campaigns primarily aimed at organizations in Kuwait, with particular emphasis on the shipping, transportation, and government sectors. First identified in…
-
Lazarus Group Attacks Aerospace/Defense with New ChaCha20-Encrypted Comebacker Backdoor
The post Lazarus Group Attacks Aerospace/Defense with New ChaCha20-Encrypted Comebacker Backdoor appeared first on Daily CyberSecurity. First seen on securityonline.info Jump to article: securityonline.info/lazarus-group-attacks-aerospace-defense-with-new-chacha20-encrypted-comebacker-backdoor/
-
SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 70
Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape Malware Newsletter SesameOp: Novel backdoor uses OpenAI Assistants API for command and control Weaponized Military Documents Deliver Advanced SSH-Tor Backdoor to Defense Sector Gootloader Returns: What Goodies Did They Bring? Ransomvibing appears in VS Code extensions…
-
Russia-linked APT InedibleOchotense impersonates ESET to deploy backdoor on Ukrainian systems
Russia-linked group InedibleOchotense used fake ESET installers in phishing attacks on Ukrainian targets in May 2025. Russia-linked group InedibleOchotense used trojanized ESET installers in phishing attacks against Ukrainian entities detected in May 2025. The campaign used emails and Signal messages to deliver trojanized ESET installers that installed both legitimate software and the Kalambur backdoor. >>Another…
-
Russia-linked APT InedibleOchotense impersonates ESET to deploy backdoor on Ukrainian systems
Russia-linked group InedibleOchotense used fake ESET installers in phishing attacks on Ukrainian targets in May 2025. Russia-linked group InedibleOchotense used trojanized ESET installers in phishing attacks against Ukrainian entities detected in May 2025. The campaign used emails and Signal messages to deliver trojanized ESET installers that installed both legitimate software and the Kalambur backdoor. >>Another…
-
Cavalry Werewolf Launches Cyberattack on Government Agencies to Deploy Network Backdoor
In July 2025, Doctor Web’s anti-virus laboratory received a critical alert from a government-owned organization within the Russian Federation. The institution suspected a network compromise after discovering spam emails originating from one of their corporate email addresses. What began as a routine investigation quickly escalated into the discovery of a sophisticated targeted attack orchestrated by…
-
Breach Roundup: UPenn Hit by Email Breach
Also, Australian Police Arrest 55 in New Round of Anom App Sting. This week: UPenn hit by email breach, Australian police arrested 55, ‘SesameOp’ backdoor hid C2 traffic, BEC scammers used AWS, hackers stole trucking cargo, Ukrainian national extradited to United States for role in Conti ransomware and a supply chain risk in advanced installer…
-
Breach Roundup: UPenn Hit by Email Breach
Also, Australian Police Arrest 55 in New Round of Anom App Sting. This week: UPenn hit by email breach, Australian police arrested 55, ‘SesameOp’ backdoor hid C2 traffic, BEC scammers used AWS, hackers stole trucking cargo, Ukrainian national extradited to United States for role in Conti ransomware and a supply chain risk in advanced installer…
-
Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine
A previously unknown threat activity cluster has been observed impersonating Slovak cybersecurity company ESET as part of phishing attacks targeting Ukrainian entities.The campaign, detected in May 2025, is tracked by the security outfit under the moniker InedibleOchotense, describing it as Russia-aligned.”InedibleOchotense sent spear-phishing emails and Signal text messages, containing a link First seen on thehackernews.com…
-
Cavalry Werewolf Hit Russian Government with New ShellNET Backdoor
Doctor Web uncovers a targeted cyberattack on a Russian government body by the Cavalry Werewolf group using a new ShellNET backdoor and Telegram-based control. First seen on hackread.com Jump to article: hackread.com/cavalry-werewolf-russia-government-shellnet-backdoor/
-
Cavalry Werewolf Hit Russian Government with New ShellNET Backdoor
Doctor Web uncovers a targeted cyberattack on a Russian government body by the Cavalry Werewolf group using a new ShellNET backdoor and Telegram-based control. First seen on hackread.com Jump to article: hackread.com/cavalry-werewolf-russia-government-shellnet-backdoor/
-
Chinesischsprachiges Cyberspionage-Tool auf über 1.500 Servern
Der europäische Cybersicherheitsspezialist NVISO hat eine großangelegte Kampagne zur Cyberspionage aufgedeckt. Über 1.500 Server waren betroffen und mit der modularen Backdoor VShell infiziert. First seen on it-daily.net Jump to article: www.it-daily.net/it-sicherheit/cybercrime/chinesischsprachiges-cyberspionage-tool-auf-1-500-servern
-
Curly COMrades APT Bypasses EDR by Hiding Linux Backdoor Inside Covert Hyper-V VM
The post Curly COMrades APT Bypasses EDR by Hiding Linux Backdoor Inside Covert Hyper-V VM appeared first on Daily CyberSecurity. First seen on securityonline.info Jump to article: securityonline.info/curly-comrades-apt-bypasses-edr-by-hiding-linux-backdoor-inside-covert-hyper-v-vm/
-
APT ‘Bronze Butler’ Exploits Zero-Day to Root Japan Orgs
A critical security issue in a popular endpoint manager (CVE-2025-61932) allowed Chinese state-sponsored attackers to backdoor Japanese businesses. First seen on darkreading.com Jump to article: www.darkreading.com/application-security/bronze-butler-apt-exploits-zero-day-vuln-root-japan
-
Curly COMrades APT Bypasses EDR by Hiding Linux Backdoor Inside Covert Hyper-V VM
The post Curly COMrades APT Bypasses EDR by Hiding Linux Backdoor Inside Covert Hyper-V VM appeared first on Daily CyberSecurity. First seen on securityonline.info Jump to article: securityonline.info/curly-comrades-apt-bypasses-edr-by-hiding-linux-backdoor-inside-covert-hyper-v-vm/
-
FIN7 Hackers Leverage Windows SSH Backdoor for Stealthy Remote Access and Persistence
Tags: access, backdoor, cyber, cybercrime, group, hacker, infrastructure, intelligence, threat, windowsThe notorious FIN7 cybercriminal group, also known as Savage Ladybug, continues to rely on a sophisticated Windows SSH backdoor infrastructure with minimal modifications since 2022, according to threat intelligence analysis. The threat actor has maintained operational consistency while using an install.bat script paired with OpenSSH toolsets to establish reverse SSH and SFTP connections for maintaining…
-
Kimsuky Debuts HTTPTroy Backdoor Against South Korea Users
The well-known North Korean threat group continues to improve the obfuscation and anti-analysis features of its attack toolchain. First seen on darkreading.com Jump to article: www.darkreading.com/vulnerabilities-threats/kimsuky-httptroy-backdoor-south-korea-users
-
SesameOp Backdoor Abused OpenAI Assistants API for Remote Access
Microsoft researchers found the SesameOp backdoor using OpenAI’s Assistants API for remote access, data theft, and command communication. First seen on hackread.com Jump to article: hackread.com/sesameop-backdoor-openai-assistants-api-access/
-
SesameOp: New backdoor exploits OpenAI API for covert C2
Microsoft found a new backdoor, SesameOp, using the OpenAI Assistants API for stealthy command-and-control in hacked systems. Microsoft uncovered a new backdoor, named SesameOp, that abuses the OpenAI Assistants API for command-and-control, allowing covert communication within compromised systems. Microsoft Incident Response Detection and Response Team (DART) researchers discovered the backdoor in July 2025 while […]…