Tag: rat
-
Mirax Android RAT Hijacks Infected Phones as Residential Proxies
A new Android banking trojan called Mirax is rapidly gaining traction in the cybercrime ecosystem, combining powerful remote access features with residential proxy capabilities to turn victims’ smartphones into high-value infrastructure nodes. Mirax is marketed as a premium Android RAT and banking malware, offering attackers full, real”‘time control over compromised devices. Once installed, the malware can execute…
-
Mirax Android RAT Hijacks Infected Phones as Residential Proxies
A new Android banking trojan called Mirax is rapidly gaining traction in the cybercrime ecosystem, combining powerful remote access features with residential proxy capabilities to turn victims’ smartphones into high-value infrastructure nodes. Mirax is marketed as a premium Android RAT and banking malware, offering attackers full, real”‘time control over compromised devices. Once installed, the malware can execute…
-
Janela RAT Spreads via Fake MSI Installers, Malicious Extensions
Janela Remote Access Trojan (RAT) campaign using fake Windows MSI installers and malicious browser extensions to infiltrate financial networks and exfiltrate sensitive data. The latest Janela RAT samples are being distributed through public GitLab repositories, where attackers host MSI installation files disguised as legitimate software installers. Unsuspecting users in Chile, Colombia, and Mexico the campaign’s primary targets are lured into downloading these…
-
Mirax Android RAT Turns Devices into SOCKS5 Proxies, Reaching 220,000 via Meta Ads
A nascent Android remote access trojan called Mirax has been observed actively targeting Spanish-speaking countries, with campaigns reaching more than 220,000 accounts on Facebook, Instagram, Messenger, and Threads through advertisements on Meta.”Mirax integrates advanced Remote Access Trojan (RAT) capabilities, allowing threat actors to fully interact with compromised devices in real First seen on thehackernews.com Jump…
-
Fake Claude AI installer abuses DLL sideloading to deploy PlugX
Fake Claude website impersonates Anthropic and delivers PlugX RAT via ZIP download using DLL sideloading. A fake website impersonating Anthropic’s Claude service was found distributing the PlugX remote access trojan, according to Malwarebytes. The rogue site abuses the chatbot’s popularity to trick users into downloading a ZIP archive presented as a “pro version” installer. The…
-
JanelaRAT Malware Targets Latin American Banks with 14,739 Attacks in Brazil in 2025
Banks and financial institutions in Latin American countries like Brazil and Mexico have continued to be the target of a malware family called JanelaRAT.A modified version of BX RAT, JanelaRAT is known to steal financial and cryptocurrency data associated with specific financial entities, as well as track mouse inputs, log keystrokes, take screenshots, and collect…
-
Hackers hijacked CPUID downloads, served STX RAT to victims
If you tried to download software from CPUID’s website late last week, you might have downloaded malware instead. >>Investigations are still ongoing, but it appears … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2026/04/13/cpuid-download-malware/
-
CPUID watering hole attack spreads STX RAT malware
Threat actors compromised the CPUID website and spread STX RAT through fake CPU-Z and HWMonitor downloads. Attackers breached the website CPUID and replaced download links for CPU-Z and HWMonitor with malicious files for several hours. Users who downloaded them got infected with the STX RAT, giving attackers remote access to their systems. The short attack…
-
CPUID Breach Distributes STX RAT via Trojanized CPU-Z and HWMonitor Downloads
Unknown threat actors compromised CPUID (“cpuid[.]com”), a website that hosts popular hardware monitoring tools like CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor, for less than 24 hours to serve malicious executables for the software and deploy a remote access trojan called STX RAT.The incident lasted from approximately April 9, 15:00 UTC, to about April 10, 10:00…
-
GlassWorm evolves with Zig dropper to infect multiple developer tools
The GlassWorm campaign uses a Zig-based dropper hidden in a fake IDE extension to infect developer tools and compromise systems. The GlassWorm campaign, active since 2025, has evolved from malicious npm packages to large-scale supply chain attacks across GitHub, npm, and VS Code, even deploying RATs via fake browser extensions. In its latest iteration, threat…
-
GlassWorm evolves with Zig dropper to infect multiple developer tools
The GlassWorm campaign uses a Zig-based dropper hidden in a fake IDE extension to infect developer tools and compromise systems. The GlassWorm campaign, active since 2025, has evolved from malicious npm packages to large-scale supply chain attacks across GitHub, npm, and VS Code, even deploying RATs via fake browser extensions. In its latest iteration, threat…
-
DesckVB RAT Uses Fileless .NET Loader to Evade Detection
DesckVB RAT is emerging as a highly active and stealthy malware threat in 2026, leveraging layered obfuscation and fileless execution techniques to bypass traditional security defenses. The attack chain begins with a malicious JavaScript file that hides its true intent through complex encoding and code replication. This script copies its own logic into PowerShell and…
-
STX RAT Targets Finance Sector With Advanced Stealth Tactics
STX RAT, a newly identified remote access trojan, attempted deployment in finance, showing advanced C2 and stealthy delivery methods First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/stx-rat-targets-finance-sector/
-
New Phishing Campaign Exploits Google Storage to Deliver Remcos RAT
A recently observed phishing campaign is abusing Google Cloud Storage to deliver the Remcos remote access trojan (RAT), relying on trusted Google infrastructure and a signed Microsoft binary to evade traditional defenses. Attackers host a fake Google Drive login page on the legitimate domain storage.googleapis.com, making the URL appear trustworthy to both users and security…
-
STX RAT Hides Remote Desktop, Steals Data to Dodge Detection
A stealthy new remote access trojan, dubbed STX RAT, that blends hidden remote desktop control with powerful infostealer capabilities while using advanced evasion and encryption techniques to stay under the radar of security tools. The operators rely on opportunistic initial access, including malicious VBScript and JScript chains that download a TAR archive containing the core payload and…
-
STX RAT Hides Remote Desktop, Steals Data to Dodge Detection
A stealthy new remote access trojan, dubbed STX RAT, that blends hidden remote desktop control with powerful infostealer capabilities while using advanced evasion and encryption techniques to stay under the radar of security tools. The operators rely on opportunistic initial access, including malicious VBScript and JScript chains that download a TAR archive containing the core payload and…
-
Tor-Backed ClickFix Campaign Drops Node.js RAT on Windows
Hackers are using a deceptive technique known as “ClickFix” to deliver a sophisticated Node. js-based remote access Trojan (RAT) targeting Windows users. ClickFix, which gained popularity in early 2025, tricks users into interacting with fake CAPTCHA or verification prompts. In this latest campaign, attackers lure victims into executing malicious commands that silently install malware disguised…
-
Fake Installers Spread RATs, Monero Miners in Ongoing Malware Campaign
Fake software installers are being used in a long-running malware operation to drop remote access trojans (RATs), Monero cryptominers, and a new .NET implant across multiple campaigns dating back to late 2023. REF1695 relies on ISO-based fake installers that mimic legitimate software setup packages but never deliver real applications. Instead, users are guided via a…
-
CrystalX RAT: new MaaS malware combines spyware, stealer, and remote access
CrystalX RAT, a new sophisticated MaaS malware, combines spyware, data theft, and remote access, allowing attackers to monitor victims. In March 2026, Kaspersky researchers uncovered a Telegram-based campaign promoting a previously unknown malware sold as a MaaS with three subscription tiers. The Trojan offers a wide range of features, including RAT capabilities, data theft, keylogging,…
-
Researchers Uncover Mining Operation Using ISO Lures to Spread RATs and Crypto Miners
A financially motivated operation codenamed REF1695 has been observed leveraging fake installers to deploy remote access trojans (RATs) and cryptocurrency miners since November 2023.”Beyond cryptomining, the threat actor monetizes infections through CPA (Cost Per Action) fraud, directing victims to content locker pages under the guise of software registration,” Elastic First seen on thehackernews.com Jump to…
-
Fake CERT-UA Site Spreads Go-Based RAT in Phishing Campaign
Hackers have launched a targeted phishing campaign by cloning Ukraine’s official CERT-UA website and distributing malicious software disguised as a security tool, according to a new alert from the national cyber response team. Targets included government agencies, financial institutions, educational bodies, medical centers, and IT companies. The emails urged recipients to download a password-protected archive…
-
CrystalX Malware-as-a-Service Spreads via Telegram With Stealer, RAT Tools
Hackers are actively promoting a new malware-as-a-service (MaaS) platform called CrystalX RAT through private Telegram channels, offering cybercriminals a powerful toolkit that combines remote access, data theft, surveillance, and even prank-based disruption features. Security researchers identified the campaign in March 2026, noting that the malware is being sold under a subscription model with three pricing…
-
Hackers Hijack Axios npm Package to Spread RATs
Threat actors hijacked the popular npm package axios to spread RAT malware after compromising an open”‘source maintainer’s account, researchers warn First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/hackers-hijack-axios-npm-package/
-
NPM Supply Chain Attack Uses undicy-http to Deploy RAT
A highly sophisticated npm supply chain attack that abuses a fake HTTP client package to deliver both a powerful RAT and a stealthy browser stealer. The malicious package, undicy-http@2.0.0, was uploaded to npm to impersonate undici, the official HTTP client widely used in Node.js projects. Despite the similar name, it contains no HTTP client logic;…
-
Technical Advisory: Axios npm Supply Chain Attack Cross-Platform RAT Deployed via Compromised Maintainer Account
<div cla [CRITICAL] – Active RAT – Malicious npm versions removed – Assess all systems that ran npm install during exposure window First seen on securityboulevard.com Jump to article: securityboulevard.com/2026/03/technical-advisory-axios-npm-supply-chain-attack-cross-platform-rat-deployed-via-compromised-maintainer-account/
-
Phantom Project Bundles Infostealer, Crypter and RAT For Sale
Phantom Stealer .NET harvests browser credentials, cookies, cards, sessions, as stealer-as-a-service First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/phantom-project-infostealer-nov-25/
-
Axios npm Attack Deploys Cross-Platform RAT
A compromised Axios package briefly deployed a cross-platform RAT, highlighting supply chain risk. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/axios-npm-attack-deploys-cross-platform-rat/
-
Attackers trojanize Axios HTTP library in highest-impact npm supply chain attack
Tags: ai, attack, breach, cloud, control, credentials, crypto, github, incident response, linux, LLM, macOS, malicious, malware, monitoring, open-source, openai, powershell, pypi, rat, spam, supply-chain, tool, windowspostinstall hook that would execute a dropper script when it was pulled in by a different package as a dependency.Shortly after midnight UTC on March 31 a new version of the Axios package, axios@1.14.1, was published on npm followed by axios@0.30.4 39 minutes later. Both listed plain-crypto-js@4.2.1 as a dependency in their package.json files, but…
-
Supply chain attack on Axios npm package: Scope, impact, and remediations
Tags: access, api, attack, breach, cloud, control, credentials, crypto, data, data-breach, defense, exploit, incident response, macOS, malicious, malware, open-source, rat, risk, security-incident, software, supply-chain, theft, threat, vulnerability, windowsThe Axios npm package has been compromised in a supply chain attack that uploaded new versions of the package containing malicious code. Any environment that downloaded these compromised Axios versions is at risk of severe data theft, including the loss of credentials and API keys. Scan your environment now. Key takeaways This incident is a…
-
Attackers hijack Axios npm account to spread RAT malware
Threat actors hijacked the npm account of Axios to distribute RAT malware via malicious package updates. Threat actors compromised the npm account of Axios, a widely used library with over 100M weekly downloads, and published malicious versions to spread remote access trojans across Linux, Windows, and macOS. The supply chain attack was identified by multiple…