Tag: command and control

26 Attack Reports | 0 Vulnerabilities

Attack reports

Using KATA and KEDR to detect the AdaptixC2 agent

AdaptixC2 is an emerging open-source post-exploitation framework rapidly adopted by threat actors in APT attacks and ransomware campaigns. Written in Go and C++, it supports Windows, macOS, and Linux with extensive modularity through Beacon Object Files (BOFs). The framework enables diverse command…
credential harvesting
lateral movement
edr
coolclient
mgbot
process injection
toneshell
command-and-control
vbcloud
vbshower
adaptixc2
powershower
cloudatlas
2026-04-17
network detection
post-exploitation framework
Published: April 17, 2026
Downloadable IOCs: 0

Joomla SEO Spam Injector: Obfuscated PHP Backdoor Hijacking Site Visitors

A compromised Joomla website displayed suspicious product links unrelated to the business. Investigation revealed heavily obfuscated PHP code injected at the top of index.php that contacted external command-and-control servers to receive instructions and manipulate content. The malware acts as a re…
obfuscation
search engine manipulation
command-and-control
seo spam
2026-04-17
dynamic content injection
joomla
php backdoor
remote loader
Published: April 17, 2026
Downloadable IOCs: 1

Technical Analysis of SnappyClient

Zscaler ThreatLabz identified a new command-and-control framework implant called SnappyClient, delivered via HijackLoader. SnappyClient is a C++-based implant with data theft and remote access capabilities. It employs evasion techniques like AMSI bypass, Heaven's Gate, direct system calls, and tran…
evasion
cryptocurrency
data theft
remote access
hijackloader
command and control
2026-03-18
snappyclient
Published: March 18, 2026
Downloadable IOCs: 5

MuddyWater Exposed: Inside an Iranian APT operation

Researchers identified and analyzed exposed infrastructure of MuddyWater, an Iranian cyber espionage group linked to the Ministry of Intelligence and Security. The investigation revealed their reconnaissance methods, exploitation of vulnerabilities, custom command and control frameworks, and exfilt…
exfiltration
cyber espionage
reconnaissance
CVE-2022-42475
vulnerability exploitation
command and control
CVE-2024-55591
CVE-2025-5777
CVE-2025-54068
iranian apt
CVE-2025-9316
CVE-2025-55182
CVE-2025-34291
CVE-2025-68613
CVE-2025-52691
tsundere botnet
CVE-2026-1281
CVE-2026-1731
geopolitical conflict
2026-03-05
arenac2
CVE-2024-23113
keyc2
mois
persianc2
Published: March 5, 2026
Linked vulnerabilities : CVE-2024-5559 (CVSS 6.1), CVE-2024-55591 (CVSS 9.8), CVE-2022-42475, CVE-2025-5777 (CVSS 9.3), CVE-2025-54068 (CVSS 9.2), CVE-2025-9316 (CVSS 6.9), CVE-2025-55182 (CVSS 10.0), CVE-2025-34291 (CVSS 9.4), CVE-2025-68613 (CVSS 9.9), CVE-2025-52691 (CVSS 10.0), CVE-2026-1281 (CVSS 9.8), CVE-2026-1731 (CVSS 9.9), CVE-2024-23113
Downloadable IOCs: 14

Developer-targeting campaign using malicious Next.js repositories

A coordinated campaign is targeting developers through malicious repositories disguised as legitimate Next.js projects and technical assessment materials. The attack uses multiple entry points that lead to runtime retrieval and local execution of attacker-controlled JavaScript, transitioning into s…
javascript
node.js
remote code execution
command-and-control
visual studio code
next.js
2026-02-24
developer-targeting
environment variable exfiltration
Published: February 24, 2026
Downloadable IOCs: 4

Remcos Revisited: Inside the RAT's Evolving Command-and-Control Techniques

This analysis examines the evolution of Remcos, a Remote Access Trojan that has become a significant global threat. Originally a commercial tool, Remcos now provides attackers with capabilities such as credential theft, keylogging, screen capture, and webcam control. The latest variant exhibits rea…
rat
persistence
remcos
credential theft
keylogging
data exfiltration
evasion techniques
remote access trojan
command-and-control
2026-02-18
Published: February 18, 2026
Downloadable IOCs: 1

Investigation on the EmEditor Supply Chain Cyberattack

A recent supply chain attack targeting EmEditor users has been uncovered, involving watering hole tactics. The investigation reveals multiple domains masquerading as EmEditor-related sites, all registered through NameSilo LLC in December 2025. The domains resolve to various IP addresses, with some …
powershell
command and control
watering hole
supply chain attack
domain masquerading
emeditor
2026-02-09
Published: February 9, 2026
Downloadable IOCs: 4

Restless Spirit: New Attacks on Russian Companies

PhantomCore, a hacking group targeting Russian and Belarusian companies since 2022, launched a new wave of malicious email campaigns on January 19 and 21, 2026. The attacks targeted various sectors including utilities, finance, urban infrastructure, aerospace, consumer digital services, chemical in…
phishing
powershell
phantomcore
multi-stage attack
command and control
scheduled tasks
persistent threat
decoy documents
russian targets
2026-01-23
phantomcore.polldl
Published: January 23, 2026
Downloadable IOCs: 7

Inside China's Hosting Ecosystem: 18,000+ Malware C2 Servers Mapped Across Major ISPs

An analysis of Chinese hosting environments reveals over 18,000 active command-and-control (C2) servers distributed across 48 infrastructure providers. C2 infrastructure dominates malicious activity at 84%, followed by phishing at 13%. China Unicom hosts nearly half of all observed C2 servers, with…
malware
apt
xmrig
cobalt strike
china
asyncrat
cybercrime
mirai
nanocore
mgbot
infrastructure
supershell
command-and-control
mozi
vshell
rondodox
CVE-2025-8110
valley rat
2026-01-15
arl
cloud providers
isps
l3mon
Published: January 15, 2026
Linked vulnerabilities : CVE-2025-8110 (CVSS 8.7)
Downloadable IOCs: 12

RondoDoX Botnet Weaponizes React2Shell

A persistent nine-month RondoDoX botnet campaign has been targeting IoT devices and web applications. The threat actors have recently shifted to weaponizing a critical Next.js vulnerability, deploying malicious payloads like 'React2Shell' and cryptominers. The campaign, spanning from March to Decem…
iot
botnet
mirai
cryptominer
vulnerability exploitation
command and control
next.js
rondodox
react2shell
2025-12-29
rondo
web application
Published: December 29, 2025
Downloadable IOCs: 7

Increase in Lumma Stealer Activity Coincides with Use of Adaptive Browser Fingerprinting Tactics

Trend Research observed a resurgence in Lumma Stealer activity since October 20, 2025, accompanied by new behaviors and C&C techniques. The malware now employs browser fingerprinting as part of its command-and-control tactics, collecting and exfiltrating system, network, hardware, and browser data …
infostealer
lumma stealer
data exfiltration
process injection
evasion techniques
command-and-control
ghostsocks
browser fingerprinting
2025-11-14
cybercriminal activity
Published: November 14, 2025
Downloadable IOCs: 3

AI-Generated Code and Fake Apps Used for Far-Reaching Attacks

A new malware campaign called EvilAI is spreading globally by disguising itself as legitimate AI-enhanced productivity tools. The malware uses AI-generated code and professional interfaces to evade detection, targeting organizations across sectors like manufacturing, government, and healthcare. It …
obfuscation
persistence
node.js
trojan
credential theft
command and control
2025-09-12
ai-generated code
evilai
fake applications
Published: September 12, 2025
Downloadable IOCs: 14

Backdoor in "AppSuite PDF Editor": A Detailed Technical Analysis

A detailed analysis of a malicious PDF editor application called AppSuite PDF Editor reveals it to be a sophisticated backdoor. The software, masquerading as a legitimate productivity tool, is distributed through high-ranking websites. Once installed, it creates scheduled tasks and establishes pers…
backdoor
trojan
data exfiltration
aes encryption
command and control
scheduled tasks
browser manipulation
2025-08-28
appsuite pdf editor
pdf editor
appsuite
Published: August 28, 2025
Downloadable IOCs: 9

Atomic macOS Stealer includes a backdoor for persistent access

The Atomic macOS Stealer (AMOS) has received a major update, now including an embedded backdoor for persistent access to compromised Mac devices. This upgrade allows attackers to maintain access, run remote tasks, and gain extended control over infected machines. The Russia-affiliated AMOS threat g…
backdoor
cryptocurrency
macos
data exfiltration
amos
atomic macos stealer
spear-phishing
spear phishing
command-and-control
persistent access
russia-affiliated
2025-07-10
2025-08-08
Published: August 8, 2025
Downloadable IOCs: 6

DNS: A Small but Effective C2 system

This analysis explores the exploitation of DNS for command-and-control operations and data exfiltration. It details how cybercriminals leverage DNS tunneling to create covert communication channels, bypassing traditional security measures. The article examines various DNS tunneling families, includ…
cobalt strike
dns tunneling
sliver
command-and-control
2025-07-17
dnscat2
dns exfiltrator
iodine
weasel
Published: July 17, 2025
Downloadable IOCs: 0

Inside a VenomRAT Malware Campaign

A malicious campaign utilizing VenomRAT, a Remote Access Trojan, is analyzed. The attackers use a fake Bitdefender download website to spread malware, including VenomRAT, StormKitty, and SilentTrinity. These tools work together to provide initial access, steal credentials, and maintain long-term hi…
phishing
credential theft
venomrat
open-source malware
command and control
remote access trojan
stormkitty
silenttrinity
2025-05-29
Published: May 29, 2025
Downloadable IOCs: 35

Reborn in Rust: Attempt to thwart malware analysis

AsyncRAT, a remote access trojan known since 2019, has been rewritten in Rust, marking a shift from its original C# implementation. This change aims to complicate reverse engineering efforts due to limited analysis tool support for Rust. The malware retains its core functionality, including plugin …
plugins
asyncrat
rust
command and control
remote access trojan
reverse engineering
system information
2025-05-26
tls
hardware id
rustyasyncrat
Published: May 26, 2025
Downloadable IOCs: 4

StilachiRAT analysis: From system reconnaissance to cryptocurrency theft

Microsoft Incident Response researchers discovered a novel remote access trojan named StilachiRAT, demonstrating sophisticated evasion, persistence, and data exfiltration techniques. The malware collects extensive system information, targets cryptocurrency wallet extensions, steals browser credenti…
persistence
credential theft
cryptocurrency theft
command and control
remote access trojan
2025-03-17
stilachirat
system reconnaissance
anti-forensics
rdp monitoring
Published: March 17, 2025
Linked vulnerabilities : CVE-2023-36884
Downloadable IOCs: 2

LightSpy Malware Now Targets Facebook & Instagram Data

LightSpy, a modular surveillance framework, has expanded its capabilities to target Facebook and Instagram data. The malware, initially focused on mobile devices, now compromises Windows, macOS, Linux, and routers. Recent analysis reveals a significant expansion in its command list, with over 100 c…
malware
surveillance
lightspy
plugins
infrastructure
command and control
facebook
2025-02-21
instagram
Published: February 21, 2025
Downloadable IOCs: 27

Operation Phantom Circuit: North Korea's Global Data Exfiltration Campaign

In December 2024, the Lazarus Group, a North Korean threat actor, launched a sophisticated global campaign targeting cryptocurrency and technology developers. The operation, code-named 'Phantom Circuit,' involved embedding malware into trusted development tools, compromising hundreds of victims wor…
north korea
cryptocurrency
data exfiltration
software supply chain
command-and-control
2025-01-30
phantom circuit
Published: January 30, 2025
Downloadable IOCs: 13

Investigating A Web Shell Intrusion With Managed XDR

This analysis details a web shell intrusion incident where attackers exploited an IIS worker to exfiltrate data. The attacker uploaded a web shell, created a new account for persistence, modified an existing user's password, and used encoded PowerShell commands to establish a reverse TCP shell for …
powershell
anydesk
privilege escalation
data exfiltration
web shell
command-and-control
2025-01-15
reverse tcp shell
iis worker
Published: January 15, 2025
Downloadable IOCs: 0

Cyberhaven’s preliminary analysis of the recent malicious Chrome extension

A phishing attack on December 24th, 2024 compromised a Cyberhaven employee's access to the Google Chrome Web Store, leading to the publication of a malicious version of their Chrome extension. This was part of a larger campaign targeting Chrome Extension developers, primarily aiming at Facebook Ads…
phishing
data exfiltration
chrome extension
command and control
2025-01-02
facebook ads
oauth
Published: January 2, 2025
Downloadable IOCs: 5

Dissecting A Multi-Stage PowerShell Campaign Using Chisel

A sophisticated multi-stage PowerShell campaign has been identified, utilizing an LNK file to initiate a sequence of obfuscated scripts. The attack maintains persistence and stealth by connecting with a command-and-control server. It employs Chisel, a fast TCP/UDP tunneling tool, and a Netskope pro…
powershell
persistence
lateral movement
lnk file
multi-stage
command-and-control
2024-11-12
chisel
Published: November 12, 2024
Downloadable IOCs: 17

New Winos 4.0 Malware Infects Gamers Through Malicious Game Optimization Apps

A command-and-control framework called Winos 4.0 is being distributed through gaming-related applications, targeting Chinese-speaking users. The malware, rebuilt from Gh0st RAT, uses a multi-stage infection process involving fake BMP files, DLLs, and shellcode. It can harvest system information, ca…
gh0st rat
cryptocurrency wallets
multi-stage infection
2024-11-06
command-and-control
winos 4.0
optimization apps
Published: November 6, 2024
Downloadable IOCs: 2

DarkComet RAT: Technical Analysis of Attack Chain

This analysis examines the Remote Access Trojan (RAT) DarkComet, detailing its capabilities, distribution methods, and technical operations. The malware alters file attributes, establishes communication with malicious domains, modifies process privileges, and gathers system information. It employs …
rat
evasion
persistence
keylogging
privilege escalation
command and control
remote access trojan
2024-10-23
darkcomet
Published: October 23, 2024
Downloadable IOCs: 1

The Dark Knight Returns: Joker malware analysis

The report details sophisticated command and control (C2) techniques employed by the APT41 threat group. APT41 uses custom malware and legitimate tools to maintain persistent access to compromised networks while evading detection. Key techniques include DNS tunneling, domain fronting, and steganogr…
evasion
steganography
dns tunneling
social media
2024-10-03
command and control
apt41
cloud services
domain fronting
Published: October 3, 2024
Downloadable IOCs: 8
Click here to see more Attack Reports