Tag: rat
-
Hackers Use UAE-India Diplomatic Lure to Deliver SHEETCREEP RAT via Google Sheets
An active espionage campaign tracked as SHEETCREEP leverages a UAE-India diplomatic-themed ISO lure to deliver a compact C# remote access trojan (RAT) and uses Google Sheets as its command-and-control (C2) channel. The ISO, named UAE-India_Strategic_Partnership_Week.iso, contains a deceptively iconized LNK file that launches a C# dropper. The dropper extracts a decoy PDF to temp,…
-
ThreatsDay Bulletin: Worm Code Leaked, AI Agent Phished, Claude Code Patch + 28 New Stories
It’s been one of those weeks. You expect the usual noise: recycled malware, sloppy attacks, another easy target getting hit. Instead, there’s a supply chain attack kit in a public repo, a $5,000-a-month RAT that clones browsers, and research showing AI agents can be tricked into leaking real credentials. The bigger problem is how polished this…
-
ThreatsDay Bulletin: Worm Code Leaked, AI Agent Phished, Claude Action Patch + 28 New Stories
It’s been one of those weeks. You expect the usual noise: recycled malware, sloppy attacks, another easy target getting hit. Instead, there’s a supply chain attack kit in a public repo, a $5,000-a-month RAT that clones browsers, and research showing AI agents can be tricked into leaking real credentials. The bigger problem is how polished this…
-
Lucid Stealer Hits 18 Browsers, Crypto Wallets, and Discord Tokens
A new, fully featured Lucid Stealer build combines large-scale credential theft with hidden remote access. The sample, distributed through Telegram-linked underground channels, is not a simple packed executable but a Lucid-branded information stealer and RAT wrapped inside a legitimate Node.js Single Executable Application (SEA). Static analysis recovered an embedded JavaScript loader and decrypted core…
-
New malspam campaign uses Google DoubleClick to deliver DesckVB RAT
First seen on scworld.com Jump to article: www.scworld.com/brief/new-malspam-campaign-uses-google-doubleclick-to-deliver-desckvb-rat
-
China-Linked TA4922 Expands Phishing Attacks to U.K., Germany, Italy, and South Africa
A new China-linked cybercrime group known as TA4922 has expanded its targeting to European organizations in the U.K., Germany, and Italy, as well as South Africa. These efforts have been complemented by a “rapid operational tempo” and a continually evolving malware arsenal comprising known families like ValleyRAT (aka Winos 4.0) and Atlas RAT (aka AtlasCross RAT), as…
-
China-Linked TA4922 Expands Phishing Attacks to UK, Germany, Italy, and South Africa
A new China-linked cybercrime group known as TA4922 has expanded its targeting to European organizations in the U.K., Germany, and Italy, as well as South Africa. These efforts have been complemented by a “rapid operational tempo” and a continually evolving malware arsenal comprising known families like ValleyRAT (aka Winos 4.0) and Atlas RAT (aka AtlasCross RAT), as…
-
Proofpoint: TA4922 Deploys New RAT and Loader Arsenal
TA4922 is a rapidly evolving threat cluster: a Chinese-speaking cybercriminal actor deploying a diverse and expanding malware arsenal that now includes Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT. The group is notable for its high operational tempo, shifting tactics, and ability to blend custom malware with legitimate tools and cloud services, complicating detection efforts across…
-
Pakistan Spies on Afghan Finance Ministry With Xeno RAT
Despite broadly connected digital infrastructure, standard-fare TTPs are enough to cause trouble for Afghanistan’s porous cybersecurity. First seen on darkreading.com. Jump to article: www.darkreading.com/cyberattacks-data-breaches/pakistan-spies-afghan-finance-ministry-xeno-rat
-
Chinese hackers use new Atlas RAT malware in European cyberattacks
A Chinese-speaking cybercrime group has expanded its targeting to the European space, deploying previously undocumented malware and the Atlas backdoor. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/chinese-hackers-use-new-atlas-rat-malware-in-european-cyberattacks/
-
Google DoubleClick Abused in New Malspam Campaign to Deliver DesckVB RAT
Cybersecurity researchers have flagged a new malspam campaign that makes use of Google’s DoubleClick domain as a way to evade detection and ultimately deliver a remote access trojan (RAT) named DesckVB RAT. “Before the victim ever reaches attacker-controlled infrastructure, the lure routes through DoubleClick, a legitimate Google-owned domain that many security tools are less likely to…
-
SideCopy group targets Afghanistan’s Ministry of Finance with Xeno RAT
First seen on scworld.com Jump to article: www.scworld.com/brief/sidecopy-group-targets-afghanistans-ministry-of-finance-with-xeno-rat
-
Mustang Panda Uses LNK, PowerShell Chain to Deploy PlugX RAT
Mustang Panda is using a fake “Browser Updater” and a multi-stage LNK/PowerShell loader to sideload PlugX through a legitimate G DATA antivirus binary, ultimately beaconing over HTTPS to a hard-coded C2 while hiding configuration and strings behind layered encryption and API hashing. Mustang Panda is a China-nexus APT group, long associated with PlugX remote access…
-
Pakistan-Linked SideCopy Targets Afghanistan Finance Ministry with Xeno RAT
Cybersecurity researchers have disclosed details of a spear-phishing campaign likely undertaken by the Pakistan-aligned SideCopy group targeting Afghanistan’s Ministry of Finance with an open-source remote access trojan called Xeno RAT. “The campaign opens with a spear-phishing delivery – a ZIP archive containing a malicious LNK file bearing a carefully crafted Pashto-language filename,” First seen on…
-
PHANTOMPULSE RAT Uses UAC Bypass to Hijack Windows Systems
New technical details have emerged about PHANTOMPULSE, a sophisticated remote access trojan (RAT) used in multi-stage intrusions targeting Windows environments. The malware represents the final payload in an attack chain previously linked to Obsidian plugin abuse and in-memory loaders, but this latest analysis focuses on its advanced post-exploitation capabilities. PHANTOMPULSE stands out for combining multiple stealth techniques,…
-
Twill Typhoon RAT Campaign Uses DLL Side Loading to Target APJ Networks
A stealthy cyber espionage operation is actively targeting organizations across the Asia-Pacific region. Specifically, security researchers recently uncovered… First seen on securityonline.info. Jump to article: securityonline.info/twill-typhoon-rat-campaign-dll-side-loading/
-
SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 99
Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape. Malware Newsletter: Ghost CMS Mass Compromised via CVE-2026-26980, Now Fueling ClickFix Attacks; TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages and Hundreds of Versions Across npm, PyPI, and Crates.io; RemotePE: The Lazarus RAT that lives…
-
BTMOB Android RAT Spreads Through No-Code Builder Tooling
BTMOB Android RAT is sold as a service with a no-code builder for fast, regional phishing lures. First seen on infosecurity-magazine.com. Jump to article: www.infosecurity-magazine.com/news/btmob-android-rat-maas-builder/
-
Quasar RAT Hits Developers With Fileless Linux Attacks
Quasar Linux (QLNX) is a new, stealthy Linux Remote Access Trojan that quietly turns developer and DevOps workstations into high-value beachheads for software supply-chain attacks, using fileless execution, an eBPF rootkit, PAM backdoors, and a P2P C2 mesh to evade conventional defenses. Despite its name, it is unrelated to the Windows-focused QuasarRAT family. It is…
-
Lazarus APT unveils fileless remote access Trojan designed to evade detection
North Korea-linked Lazarus APT Group is using a stealthy memory-only RAT that leaves almost no forensic traces behind. North Korea-linked APT group Lazarus has never been shy about its ambitions; the threat actor has been tied to some of the most audacious financial heists in recent memory, draining hundreds of millions from cryptocurrency exchanges and…
-
Lazarus Deploys RemotePE Memory-Only RAT Against Financial and Crypto Firms
Cybersecurity researchers have shed light on a cross-platform malware called RemotePE that has been put to use by the North Korea-linked Lazarus Group in attacks targeting financial and cryptocurrency organizations. RemotePE, per NCC Group subsidiary Fox-IT, is part of a multi-stage attack chain that involves two loaders tracked as DPAPILoader and RemotePELoader. “DPAPILoader decrypts and… First seen…
-
MiniUpdate RAT Abuses Azure C2 for Targeted Espionage
A sophisticated espionage campaign by the Iran-nexus advanced persistent threat group known as Screening Serpens (also tracked as UNC1549 and Smoke Sandstorm) is deploying a newly identified remote access Trojan (RAT) family called MiniUpdate against targets in the United States, Israel, and the United Arab Emirates. Screening Serpens has been active since at least 2022, but…
-
Hackers Weaponize NF-e Invoice Lures to Deploy Banana RAT
Hackers are actively using Brazil’s electronic invoice system (NF-e) as a lure to distribute a sophisticated banking trojan known as Banana RAT. The campaign has been attributed to a financially motivated threat cluster tracked as SHADOW-WATER-063 and appears exclusively focused on Brazilian financial institutions. The investigation is notable because analysts obtained visibility into both attacker…
-
TamperedChef Malware Hides in Signed Apps to Drop Stealers and RATs
A large-scale malware campaign dubbed “TamperedChef” is leveraging trojanized productivity applications such as PDF editors, calendar tools, and file converters to silently deploy information stealers and remote access trojans (RATs), according to recent threat intelligence findings. Security researchers have identified multiple activity clusters linked to this evolving threat, including CL-CRI-1089, CL-UNK-1090, and CL-UNK-1110. While these…
-
Banana RAT Malware in Fake Invoices Hits Customers at 16 Brazilian Banks
Banana RAT malware hidden in fake invoices and security update screens targets customers at 16 Brazilian banks, stealing data with QR fraud. First seen on hackread.com. Jump to article: hackread.com/banana-rat-malware-fake-invoices-16-brazilian-banks/
-
Chinese APT FamousSparrow Weaponizes Evolved Deed RAT Against Azerbaijani Energy Infrastructure
First seen on securityonline.info. Jump to article: securityonline.info/famoussparrow-deed-rat-azerbaijan-energy-exchange-vulnerability/
-
Abuse of OpenClaw Workflows to Distribute Remcos RAT and GhostLoader
Researchers at Zscaler warn of a new attack campaign that specifically targets autonomous AI agents and modern development environments. First seen on it-daily.net. Jump to article: www.it-daily.net/it-sicherheit/cybercrime/openclaw-workflows-remcos-rat-ghostloader
-
Cybercriminals Abuse OpenClaw Workflows to Distribute Remcos RAT and GhostLoader
Zscaler’s ThreatLabz researchers have analyzed a novel attack campaign that specifically targets the growing use of autonomous AI agents in development and enterprise environments. The attackers exploit the open-source framework <>, which equips AI agents with far-reaching system access rights to carry out complex tasks. The framework, built to automate workflows, is now being instrumentalized as a dangerous attack vector. In…
-
Paper Werewolf APT Spreads EchoGather RAT via Fake Adobe Installer
A sophisticated Russian-language threat cluster known as Paper Werewolf (also tracked as GOFFEE) has launched a fresh wave of targeted cyberattacks against Russian industrial, financial, and transport organizations between March and April 2026. The attack begins with a phishing email carrying a PDF attachment. Embedded inside the PDF is a URL pointing to a ZIP archive named…