Tag: rat
-
KI-Agenten als Einfallstor: Angreifer kapern OpenClaw und schleusen Remcos RAT in Entwicklerumgebungen ein
Cyberkriminelle missbrauchen zunehmend KI-Frameworks als neue Eintrittspunkte in Unternehmensnetzwerke. Aktuell steht OpenClaw im Fokus. First seen on infopoint-security.de Jump to article: www.infopoint-security.de/ki-agenten-als-einfallstor-angreifer-kapern-openclaw-und-schleusen-remcos-rat-in-entwicklerumgebungen-ein/a45171/
-
SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 97
Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape Malware Newsletter JDownloader site hacked to replace installers with Python RAT malware New TrickMo Variant: Device Take Over malware targeting Banking, Fintech, Wallet & Auth apps Threat Actor Mr_Rot13 Actively Exploits CVE-2026-41940 for Backdoor Deployment Operation…
-
Hackers Use PyInstaller and AMSI Patching to Deliver XWorm RAT v7.4
Hackers are hiding XWorm malware in PyInstaller files to bypass Windows security, steal data and remotely control devices through ads. First seen on hackread.com Jump to article: hackread.com/hackers-pyinstaller-amsi-patching-xworm-rat-v7-4/
-
FamousSparrow Targeted Oil and Gas Industry via MS Exchange Server Exploit
Bitdefender Labs reveals how the China-linked FamousSparrow hacking group targeted an Azerbaijani energy firm using ProxyNotShell, Deed RAT,… First seen on hackread.com Jump to article: hackread.com/famoussparrow-oil-gas-ms-exchange-server-exploit/
-
Chinese APT Exploits Microsoft Exchange to Breach Energy Sector Network
Chinese state-aligned hackers compromised a Microsoft Exchange server at a major energy firm. They repeatedly reused that same entry point to run a months”‘long espionage operation, deploying the Deed RAT and Terndoor backdoors to maintain deep access across the network. The activity is attributed with moderate”‘to”‘high confidence to FamousSparrow, a China”‘aligned APT cluster that overlaps…
-
Official JDownloader site served malware to Windows and Linux users between May 6 and May 7
JDownloader website was hacked to distribute malicious Windows and Linux installers carrying a Python RAT between May 67, 2026. JDownloader official website was compromised in a supply chain attack that replaced legitimate Windows and Linux installers with malicious files between May 6 and May 7, 2026. JDownloader is a free, open-source download management application designed…
-
SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 96
Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape Malware Newsletter CloudZ RAT potentially steals OTP messages using Pheno plugin Backdoored PyTorch Lightning package drops credential stealer A rigged game: ScarCruft compromises gaming platform in a supply-chain attack Muddying the Tracks: The State-Sponsored Shadow Behind…
-
Security Affairs newsletter Round 576 by Pierluigi Paganini INTERNATIONAL EDITION
A new round of the weekly Security Affairs newsletter has arrived! Every week, the best security articles from Security Affairs are free in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. Quasar Linux RAT (QLNX): A Fileless Linux Implant Built for Stealth and Persistence Braintrust security incident…
-
CloudZ RAT Abuses Windows Phone Link to Steal OTPs
Cisco Talos discovered the CloudZ RAT exploiting Microsoft Phone Link to intercept SMS-based OTPs from Windows endpoints. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/cloudz-rat-abuses-windows-phone-link-to-steal-otps/
-
Attacks Abuse Windows Phone Link to Steal Texts & Bypass 2FA
In hard-to-detect attacks, hackers are dropping the CloudZ RAT and a fresh plugin, Pheno, to hijack the Windows-based bridge between PCs and smartphones. First seen on darkreading.com Jump to article: www.darkreading.com/cyberattacks-data-breaches/attacks-abuse-windows-phone-link-texts-bypass-2fa
-
CloudZ Malware Abuses Phone Link to Steal SMS OTPs
Cisco Talos uncovers CloudZ RAT and Pheno plugin abusing Microsoft Phone Link to intercept SMS OTPs First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/cloudz-rat-pheno-phone-link-otp/
-
CloudZ RAT Exploits Microsoft Phone Link to Steal SMS OTPs
CloudZ is a new modular remote access trojan that abuses Microsoft’s built”‘in Phone Link feature to steal SMS one”‘time passwords (OTPs) and other mobile notifications directly from Windows PCs, without infecting the phone itself. Microsoft Phone Link (formerly “Your Phone”) is integrated into Windows 10 and 11 to mirror smartphone SMS messages, application notifications, call…
-
Windows Phone Link Exploited by CloudZ RAT to Steal Credentials and OTPs
Cybersecurity researchers have disclosed details of an intrusion that involved the use of a CloudZ remote access tool (RAT) and a previous undocumented plugin dubbed Pheno with the aim of facilitating credential theft.”According to the functionalities of the CloudZ RAT and Pheno plugin, this was with the intention of stealing victims’ credentials and potentially one-time…
-
Malicious OpenClaw Skill Targets Agentic AI Workflows to Deploy RATs and Stealers
OpenClaw’s agent “skill” ecosystem to deliver both Remcos RAT and a cross”‘platform stealer called GhostLoader by hiding malware inside a deceptive DeepSeek integration called “DeepSeek”‘Claw.” The campaign shows how agentic AI workflows with high local privileges can be quietly hijacked through manipulated installation instructions rather than classic exploit chains. OpenClaw, formerly known as Clawdbot and…
-
Silver Fox Uses Fake Tax Notices to Drop ValleyRAT and ABCDoor Backdoor
Silver Fox is running a tax”‘themed phishing campaign that abuses fake notices from Indian and Russian tax authorities to drop ValleyRAT and a new Python backdoor dubbed ABCDoor, using a customized RustSL loader to evade detection and enforce strict geofencing controls. The campaign shows how the group is steadily evolving from commodity RAT delivery to…
-
Stealthy malware abuses Microsoft Phone Link to siphon SMS OTPs from enterprise PCs
Multi-stage infection chain: The intrusion begins with an unknown initial access vector, followed by the execution of a malicious file disguised as a ScreenConnect update, Talos said.The initial payload is a Rust-compiled loader using filenames such as “systemupdates.exe,” which drops a .NET loader disguised as a text file in a system directory, the post said.Persistence…
-
CloudZ RAT potentially steals OTP messages using Pheno plugin
Cisco Talos discovered an intrusion, active since at least January 2026, where an unknown attacker implanted a CloudZ remote access tool (RAT) and a previously undocumented plugin called “Pheno.” First seen on blog.talosintelligence.com Jump to article: blog.talosintelligence.com/cloudz-pheno-infostealer/
-
New Deep#Door RAT uses stealth and persistence to target Windows
Deep#Door hides a Python RAT inside a batch file, kills Windows defenses, survives via multiple persistence methods, and exfiltrates data through a public TCP tunnel. Security researchers at Securonix uncovered a sophisticated malware campaign called Deep#Door. Threat actors employed a stealthy Python-based backdoor that uses a surprisingly simple delivery method to achieve deep, persistent access…
-
Deep#Door Python Backdoor Evades Detection On Windows
Deep#Door Python RAT uses tunneling and obfuscation to evade detection and steal credentials First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/deepdoor-python-backdoor-windows/
-
New Wave of DPRK Attacks Uses AI-Inserted npm Malware, Fake Firms, and RATs
Cybersecurity researchers have discovered malicious code in an npm package after a malicious package as a dependency to the project by Anthropic’s Claude Opus large language model (LLM).The package in question is “@validate-sdk/v2,” which is listed on npm as a utility software development kit (SDK) for hashing, validation, encoding/decoding, and secure random generation. However, its…
-
New Wave of DPRK Attacks Uses AI-Inserted npm Malware, Fake Firms, and RATs
Cybersecurity researchers have discovered malicious code in an npm package after a malicious package as a dependency to the project by Anthropic’s Claude Opus large language model (LLM).The package in question is “@validate-sdk/v2,” which is listed on npm as a utility software development kit (SDK) for hashing, validation, encoding/decoding, and secure random generation. However, its…
-
Auraboros RAT Adds Live Audio, Keylogging, and Cookie Theft via Open C2 Panel
A fully exposed command-and-control (C2) panel for a previously undocumented remote access trojan (RAT) framework dubbed Auraboros, supporting live audio streaming, intensive keylogging, browser credential theft, and multi-cookie hijacking all accessible over the internet with zero authentication. Further inspection revealed “Auraboros C2 Station,” a polished single-page dashboard that immediately loads victim data and live controls without…
-
âš¡ Weekly Recap: Vercel Hack, Push Fraud, QEMU Abused, New Android RATs Emerge & More
Monday’s recap shows the same pattern in different places. A third-party tool becomes a way in, then leads to internal access. A trusted download path is briefly swapped to deliver malware. Browser extensions act normally while pulling data and running code. Even update channels are used to push payloads. It’s not breaking systems”, it’s bending…
-
âš¡ Weekly Recap: Vercel Hack, Push Fraud, QEMU Abused, New Android RATs Emerge & More
Monday’s recap shows the same pattern in different places. A third-party tool becomes a way in, then leads to internal access. A trusted download path is briefly swapped to deliver malware. Browser extensions act normally while pulling data and running code. Even update channels are used to push payloads. It’s not breaking systems”, it’s bending…
-
âš¡ Weekly Recap: Vercel Hack, Push Fraud, QEMU Abused, New Android RATs Emerge & More
Monday’s recap shows the same pattern in different places. A third-party tool becomes a way in, then leads to internal access. A trusted download path is briefly swapped to deliver malware. Browser extensions act normally while pulling data and running code. Even update channels are used to push payloads. It’s not breaking systems”, it’s bending…
-
Gh0st RAT, CloverPlus Hit Victims in Dual-Malware Campaign
A new malware campaign is bundling a powerful remote access trojan (RAT) with intrusive adware, giving attackers both long-term control of infected systems and an immediate revenue stream from fraudulent advertising activity. The loader hides two encrypted payloads in its resource section, one of which is detected as AdWare.Win32.CloverPlus. Once executed, this adware installs advertising…
-
MiningDropper Spreads Infostealers, RATs, Banking Malware on Android
Hackers are abusing a modular Android framework called MiningDropper to mine cryptocurrency and silently install infostealers, remote access trojans (RATs), and banking malware on infected devices. MiningDropper is a multi-stage Android dropper that combines crypto-mining with the delivery of additional malware payloads, including banking trojans, RATs such as BTMOB, and credential-stealing spyware. A recent variant is built…
-
JanaWare Ransomware Hits Turkish Users via Tailored Adwind RAT
A newly analyzed ransomware campaign dubbed “JanaWare” is targeting users in Turkey by leveraging a customized version of the Adwind Remote Access Trojan (RAT). The campaign combines stealthy delivery techniques, geographic restrictions, and polymorphic malware to evade detection while maintaining long-term activity. Researchers identified that JanaWare is specifically designed to infect systems located in Turkey.…
-
Mirax malware campaign hits 220K accounts, enables full remote control
Mirax, a new Android RAT, spread via Meta ads, infected 220,000 users and turns devices into SOCKS5 proxies, giving attackers full remote control. Mirax is a new Android remote access trojan spreading through ads on Meta platforms, targeting mainly Spanish-speaking users and reaching over 220,000 accounts. The malicious code lets attackers fully control infected devices…
-
Mirax RAT Targets Android Devices Through Meta Apps
Malware-as-a-Service Operations Favors Russian-Speaking Customers. An emerging remote access Trojan targeting Android devices in Spanish-speaking nations is propagating fraudulent advertisements as an initial access point on Meta-owned applications. First seen on govinfosecurity.com Jump to article: www.govinfosecurity.com/mirax-rat-targets-android-devices-through-meta-apps-a-31421