Tag: backdoor
-
TAMECAT PowerShell Backdoor Targets Edge and Chrome: Login Credentials At Risk
Tags: backdoor, browser, chrome, credentials, cyber, defense, espionage, government, hacking, iran, login, microsoft, powershell, riskTAMECAT is a sophisticated PowerShell-based backdoor linked to APT42, an Iranian state-sponsored hacking group. It steals login credentials from Microsoft Edge and Chrome browsers while evading detection. Security researchers from Israel’s National Digital Agency detailed its modular design in recent SpearSpecter campaign analysis.”‹ APT42 deploys TAMECAT in long-term espionage operations against senior defense and government…
-
Matanbuchus Malware Evolves to Bypass AV Defenses by Swapping Core Components
Matanbuchus is a malicious C++-based downloader that has been sold as Malware-as-a-Service (MaaS) since 2020. Initially known as a simple loader for second-stage payloads, it has steadily evolved into a flexible backdoor platform that is increasingly tied to ransomware operations. In July 2025, researchers observed Matanbuchus version 3.0 in the wild, featuring redesigned components, stronger…
-
Mustang Panda Deploys Updated COOLCLIENT Backdoor in Government Cyber Attacks
Threat actors with ties to China have been observed using an updated version of a backdoor called COOLCLIENT in cyber espionage attacks in 2025 to facilitate comprehensive data theft from infected endpoints.The activity has been attributed to Mustang Panda (aka Earth Preta, Fireant, HoneyMyte, Polaris, and Twill Typhoon) with the intrusions primarily directed against government…
-
Chinese Mustang Panda hackers deploy infostealers via CoolClient backdoor
The Chinese espionage threat group Mustang Panda has updated its CoolClient backdoor to a new variant that can steal login data from browsers and monitor the clipboard. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/chinese-mustang-panda-hackers-deploy-infostealers-via-coolclient-backdoor/
-
APT Attacks Target Indian Government Using SHEETCREEP, FIREPOWER, and MAILCREEP – Part 2
Tags: access, ai, api, apt, attack, backdoor, backup, cloud, control, credentials, data, dns, email, exploit, github, google, government, group, india, infection, infrastructure, Internet, linux, malicious, malware, microsoft, monitoring, network, phishing, powershell, programming, service, tactics, threat, tool, update, windowsThis is Part 2 of our two-part technical analysis on the Gopher Strike and Sheet Attack campaigns. For details on the Gopher Strike campaign, go to Part 1.IntroductionIn September 2025, Zscaler ThreatLabz uncovered three additional backdoors, SHEETCREEP, FIREPOWER, and MAILCREEP, used to power the Sheet Attack campaign. In Part 2 of this series, ThreatLabz will…
-
APT Attacks Target Indian Government Using GOGITTER, GITSHELLPAD, and GOSHELL – Part 1
Tags: access, adobe, ai, antivirus, api, apt, attack, authentication, backdoor, backup, cloud, control, data, data-breach, detection, email, endpoint, github, google, government, group, india, infection, infrastructure, injection, Internet, malicious, malware, microsoft, network, phishing, service, spear-phishing, threat, tool, update, windowsIntroductionIn September 2025, Zscaler ThreatLabz identified two campaigns, tracked as Gopher Strike and Sheet Attack, by a threat actor that operates in Pakistan and primarily targets entities in the Indian government. In both campaigns, ThreatLabz identified previously undocumented tools, techniques, and procedures (TTPs). While these campaigns share some similarities with the Pakistan-linked Advanced Persistent Threat (APT) group, APT36, we…
-
Indian Users Targeted in Tax Phishing Campaign Delivering Blackmoon Malware
Cybersecurity researchers have discovered an ongoing campaign that’s targeting Indian users with a multi-stage backdoor as part of a suspected cyber espionage campaign.The activity, per the eSentire Threat Response Unit (TRU), involves using phishing emails impersonating the Income Tax Department of India to trick victims into downloading a malicious archive, ultimately granting the threat First…
-
DPRK’s Konni Targets Blockchain Developers With AI-Generated Backdoor
The North Korean threat group is using a new PowerShell backdoor to compromise development environments and target cryptocurrency holdings, according to researchers. First seen on darkreading.com Jump to article: www.darkreading.com/cyberattacks-data-breaches/dprks-konni-targets-blockchain-developers-ai-generated-backdoor
-
20,000 WordPress Sites at Risk From Plugin Admin Backdoor
A backdoor bug in a WordPress plugin with 20,000+ installs lets attackers create admin accounts without logging in. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/20000-wordpress-sites-at-risk-from-plugin-admin-backdoor/
-
Konni Hackers Deploy AI-Generated PowerShell Backdoor Against Blockchain Developers
Tags: ai, backdoor, blockchain, hacker, india, intelligence, korea, malware, north-korea, phishing, powershell, russia, threat, tool, ukraineThe North Korean threat actor known as Konni has been observed using PowerShell malware generated using artificial intelligence (AI) tools to target developers and engineering teams in the blockchain sector.The phishing campaign has targeted Japan, Australia, and India, highlighting the adversary’s expansion of the targeting scope beyond South Korea, Russia, Ukraine, and European nations, Check…
-
The Developer’s Backdoor: North Korea Weaponizes Visual Studio Code
The post The Developer’s Backdoor: North Korea Weaponizes Visual Studio Code appeared first on Daily CyberSecurity. First seen on securityonline.info Jump to article: securityonline.info/the-developers-backdoor-north-korea-weaponizes-visual-studio-code/
-
20,000 WordPress Sites Compromised by Backdoor Vulnerability Enabling Malicious Admin Access
A critical backdoor vulnerability discovered in the LA-Studio Element Kit for the Elementor plugin poses an immediate threat to more than 20,000 WordPress installations. The vulnerability, tracked as CVE-2026-0920 with a CVSS severity rating of 9.8 (Critical), enables unauthenticated attackers to create administrator accounts and achieve complete site compromise. The function fails to properly restrict…
-
Angreifer missbrauchen Tools für Remote-Monitoring und Management als Backdoor
Die KnowBe4 Threat Labs informieren über eine ausgeklügelte Dual-Vektor-Kampagne, die die Bedrohungskette nach der Kompromittierung von Anmeldedaten demonstriert. Anstatt maßgeschneiderte Malware einzusetzen, umgehen die Angreifer die Sicherheitsperimeter, indem sie IT-Tools missbrauchen, denen von IT-Administratoren vertraut wird. Indem sie sich einen ‘Generalschlüssel” für das System verschaffen, verwandeln sie legitime Remote-Monitoring and Management (RMM)-Software in eine dauerhafte…
-
Angreifer missbrauchen RMM-Tools als Backdoor
Um das Risiko von RMM-basierten Angriffen zu mindern, sollten Sicherheitsteams eine Reihe von Sofortmaßnahmen priorisieren, dazu zählen die Suche nach bereitgestellten IOCs, die Blockierung identifizierter C2-Domänen und die Überwachung nicht autorisierter RMM-Installationen und Nutzungsmuster. First seen on infopoint-security.de Jump to article: www.infopoint-security.de/angreifer-missbrauchen-rmm-tools-als-backdoor/a43443/
-
Self-hosted Github-Actions-Runner werden als Backdoor missbraucht
Sysdig erläutert in einer aktuellen Analyse, wie Bedrohungsakteure self-hosted Github-Actions-Runner missbrauchen, um dauerhaften Remote-Zugriff aufzubauen. Der Shai-Hulud-Wurm ist ein reales Beispiel. Er demonstrierte am 24. November 2025 genau diese Technik in großem Maßstab. Rogue-Runner werden installiert und diese nutzen verwundbare Workflows als Command-and-Control (C2)-Kanal. Das geschieht bei Traffic, der wie normale Github-Nutzung aussieht. Self-hosted Runner…
-
Self-hosted GitHub Actions Runner werden als Backdoors missbraucht
Self-hosted Runner sind eine unterschätzte Angriffsfläche: Sie führen per Design Workflow-Code aus, halten persistente Verbindungen zu GitHub und laufen häufig mit weitreichenden Berechtigungen. First seen on infopoint-security.de Jump to article: www.infopoint-security.de/self-hosted-github-actions-runner-werden-als-backdoors-missbraucht/a43433/
-
North Korea-Linked Hackers Target Developers via Malicious VS Code Projects
The North Korean threat actors associated with the long-running Contagious Interview campaign have been observed using malicious Microsoft Visual Studio Code (VS Code) projects as lures to deliver a backdoor on compromised endpoints.The latest finding demonstrates continued evolution of the new tactic that was first discovered in December 2025, Jamf Threat Labs said.”This activity involved…
-
Google Ads Exploited to Deliver TamperedChef Through Malicious PDF Editor
A sophisticated malvertising campaign tracked as TamperedChef has compromised over 100 organizations across 19 countries by distributing weaponized PDF editing software through Google Ads. Sophos Managed Detection and Response (MDR) teams discovered the operation in September 2025, revealing a multi-layered attack infrastructure designed to steal browser credentials and establish persistent backdoor access on Windows systems.…
-
Fake browser crash alerts turn Chrome extension into enterprise backdoor
Browser extensions are a high-risk attack vector for enterprises, allowing threat actors to bypass traditional security controls and gain a foothold on corporate endpoints. … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2026/01/19/fake-browser-crash-alert-chrome-edge-extension/
-
Hackers Exploiting PDF24 App to Deploy Stealthy PDFSIDER Backdoor
Resecurity has identified PDFSIDER malware that exploits the legitimate PDF24 App to covertly steal data and allow remote access. Learn how this APT-level campaign targets corporate networks through spear-phishing and encrypted communications. First seen on hackread.com Jump to article: hackread.com/hackers-exploit-pdf24-app-pdfsider-backdoor/
-
PDFSIDER Malware Actively Exploited to Evade Antivirus and EDR Defenses
Security researchers have identified a sophisticated backdoor malware variant, PDFSIDER, that leverages DLL side-loading to evade endpoint detection and response (EDR) systems. The threat demonstrates advanced persistent threat (APT) tradecraft, combining evasion mechanisms with encrypted command-and-control capabilities to maintain covert access on compromised systems. PDFSIDER’s infection chain originates through spear-phishing campaigns delivering ZIP archives containing…
-
ServiceNow BodySnatcher flaw highlights risks of rushed AI integrations
Tags: ai, api, attack, authentication, backdoor, control, credentials, email, flaw, mfa, password, risk, update, vulnerabilityEnter agent-to-agent interactions and execution: The platform was later extended further to support external AI agents talking to internal ServiceNow AI agents that could execute tasks. To enable this, the company created a special protocol and a separate REST API that requires authentication.However, this new API is apparently just another layer on top of the…
-
New “BodySnatcher” Flaw Allows Full ServiceNow User Impersonation
Security researcher has disclosed a critical vulnerability in ServiceNow’s Virtual Agent API and Now Assist AI Agents application, tracked as CVE-2025-12420. Dubbed >>BodySnatcher,<< this flaw enables unauthenticated attackers to impersonate any ServiceNow user using only their email address, bypassing multi-factor authentication and single sign-on controls to execute privileged AI workflows and create backdoor administrator accounts.…
-
New >>LOTUSLITE<< Backdoor Targets U.S. Government in Suspected Mustang Panda Campaign
The post New >>LOTUSLITE<< Backdoor Targets U.S. Government in Suspected Mustang Panda Campaign appeared first on Daily CyberSecurity. First seen on securityonline.info Jump to article: securityonline.info/new-lotuslite-backdoor-targets-u-s-government-in-suspected-mustang-panda-campaign/
-
Insider risk in an age of workforce volatility
Tags: access, ai, api, authentication, automation, backdoor, backup, china, ciso, control, credentials, cyber, cybersecurity, data, data-breach, exploit, framework, governance, government, identity, jobs, least-privilege, malicious, mitigation, monitoring, network, risk, strategy, supply-chain, threat, zero-trustEarly warnings: The machine as insider risk/threat: These dynamics are not emerging in a vacuum. They represent the culmination of warnings that have been building for years.As early as 2021, in my CSO opinion piece “Device identity: The overlooked insider threat,” Rajan Koo (then chief customer officer at DTEX Systems, now CTO) observed: “There needs…
-
2025 Threat Landscape in Review: Lessons for Businesses Moving Into 2026
Tags: access, ai, application-security, attack, authentication, awareness, backdoor, breach, business, captcha, cloud, compliance, container, control, credentials, credit-card, cybersecurity, data, data-breach, ddos, defense, encryption, exploit, finance, firewall, flaw, google, identity, infrastructure, intelligence, leak, malicious, mitigation, monitoring, network, pypi, risk, service, software, strategy, supply-chain, threat, tool, vulnerability, windows2025 Threat Landscape in Review: Lessons for Businesses Moving Into 2026 andrew.gertz@t“¦ Thu, 01/15/2026 – 16:48 Nadav Avital – Senior Director of Threat Research at Thales More About This Author > 2025 was a year that tested how businesses think about security. Some attacks happened in new, unexpected ways, while others employed old tricks, taken…
-
From typos to takeovers: Inside the industrialization of npm supply chain attacks
Tags: access, application-security, attack, automation, backdoor, blockchain, breach, control, credentials, cybersecurity, github, gitlab, malicious, malware, phishing, radius, risk, supply-chain, threat, update, wormFrom typo traps to legitimate backdoors: For years, typosquatting defined the npm threat model. Attackers published packages with names just close enough to popular libraries, such as “lodsash,” “expres,” “reacts,” and waited for automation or human error to do the rest. The impact was usually limited, and remediation straightforward.That model began to break in 2025.Instead…
-
Ukraine’s army targeted in new charity-themed malware campaign
Officials of Ukraine’s Defense Forces were targeted in a charity-themed campaign between October and December 2025 that delivered backdoor malware called PluggyApe. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/ukraines-army-targeted-in-new-charity-themed-malware-campaign/