Tag: remote access

27 Attack Reports | 0 Vulnerabilities

Attack reports

Cyber Attacks on Government Agencies: Detect and Investigate

This analysis examines cyber threats targeting government institutions worldwide, focusing on three case studies: a phishing email targeting the South Carolina Department of Employment and Workforce, a fraudulent domain mimicking the U.S. Social Security Administration, and a malicious PDF posing a…
screenconnect
phishing
stealer
government
pdf
remote-access
formbook
domain-spoofing
2025-06-04
credential-harvesting
Published: June 4, 2025
Downloadable IOCs: 2

PyPI Supply Chain Attack Uncovered: Colorama and Colorizr Name Confusion

A malicious package campaign targeting Python and NPM users on Windows and Linux has been discovered. The attack uses typo-squatting and name-confusion tactics against the popular colorama Python package and the similar colorizr JavaScript package. Multiple packages with risky payloads were uploade…
typosquatting
remote-access
npm
pypi
data-exfiltration
supply-chain-attack
2025-06-02
colorama
colorizr
Published: June 2, 2025
Downloadable IOCs: 2

New Noodlophile Stealer Distributes Via Fake AI Video Generation Platforms

As artificial intelligence (AI) surges into mainstream adoption, millions of users turn daily to AI-powered tools for content creation—from generating art and music to transforming photos into videos. But amid this excitement, cybercriminals have uncovered a potent new lure: fake AI platforms promi…
xworm
python
infostealer
worm
credential theft
remote access
ai
morphisec
facebook
2025-05-12
word document
noodlophile
capcutloader
video dream
Published: May 12, 2025
Downloadable IOCs: 32

Uyghur Diaspora Group Targeted with Remote Surveillance Malware

Senior members of the World Uyghur Congress (WUC) were targeted by a sophisticated spear phishing campaign aimed at deploying surveillance malware. The attack, discovered in March 2025, involved a trojanized version of a legitimate Uyghur language text editor. The malware enabled remote surveillanc…
surveillance
remote access
spear phishing
2025-04-28
uyghur
trojanized application
uyghureditpp backdoor
Published: April 28, 2025
Downloadable IOCs: 0

Pick your Poison - A Double-Edged Email Attack

A sophisticated cyber-attack campaign has been identified, combining phishing techniques targeting Office365 credentials with malware delivery. The attackers use a file deletion reminder as a pretext, exploiting a legitimate file-sharing service to appear more credible. Upon opening a shared PDF fi…
phishing
social engineering
credential theft
remote access
connectwise rat
2025-04-08
office365
file-sharing
2025-04-28
Published: April 28, 2025
Downloadable IOCs: 0

Newly Registered Domains Distributing SpyNote Malware

Cybercriminals are employing deceptive websites on newly registered domains to distribute AndroidOS SpyNote malware. These sites imitate the Google Chrome install page on the Google Play Store, tricking users into downloading SpyNote, a powerful Android remote access trojan. SpyNote is used for sur…
rat
phishing
android
spynote
remote access
keylogging
data exfiltration
spymax
google play store
2025-04-10
apk dropper
androidos
2025-04-15
Published: April 15, 2025
Downloadable IOCs: 0

TookPS distributed under the guise of UltraViewer, AutoCAD, and Ableton

A malware campaign is distributing the TookPS downloader by impersonating popular software like UltraViewer, AutoCAD, SketchUp, Ableton, and Quicken. The malware establishes an SSH tunnel for remote access and deploys additional payloads like TeviRat and Lapmon backdoors. The attackers gain full sy…
backdoor
remote access
downloader
2025-04-03
tookps
lapmon
ssh tunnel
tevirat
software impersonation
Published: April 3, 2025
Downloadable IOCs: 17

Remote Monitoring and Management (RMM) Tooling Increasingly an Attacker's First Choice

Threat actors are increasingly using legitimate remote monitoring and management (RMM) tools as initial payloads in email campaigns. This trend aligns with a decrease in the use of traditional loaders and botnets by initial access brokers. RMMs can be exploited for data collection, financial theft,…
screenconnect
rmm
remcos
lumma stealer
asyncrat
remote access
cybercrime
grandoreiro
email campaigns
netsupport
astaroth
initial access
2025-03-12
guildma
atera
mispadu
bluetrait
fleetdeck
Published: March 12, 2025
Downloadable IOCs: 15

JSPSpy and 'Filebroser': A Custom File Management Tool in Webshell Infrastructure

Researchers have identified a cluster of JSPSpy web shell servers featuring 'Filebroser', a modified version of the open-source File Browser project. The infrastructure spans multiple hosting providers in China and the United States, using both cloud services and traditional ISPs. JSPSpy, a Java-ba…
remote access
infrastructure
web shell
detection
2025-03-12
jspspy
file management
filebroser
http headers
Published: March 12, 2025
Downloadable IOCs: 4

Camera off: Akira deploys ransomware via webcam

Akira, a prominent ransomware group, accounted for 15% of incidents in 2024, showcasing novel evasion techniques. In a recent attack, Akira circumvented an Endpoint Detection and Response (EDR) tool by compromising an unsecured webcam to deploy ransomware. After initial detection, the group pivoted…
ransomware
anydesk
iot
remote access
edr evasion
network segmentation
2025-03-11
akira ransomware
webcam
smb protocol
Published: March 11, 2025
Downloadable IOCs: 0

Deep Dive Into a Linux Rootkit Malware

This analysis examines a Linux rootkit malware deployed by remote attackers on a compromised CentOS system. The malware consists of a kernel module (sysinitd.ko) and a user-space binary (sysinitd). The kernel module hijacks inbound network traffic using a Netfilter hook, creates procfs entries for …
linux
rootkit
persistence
remote access
2025-01-14
netfilter
sysinitd.ko
sysinitd
procfs
kernel module
command execution
Published: January 14, 2025
Downloadable IOCs: 3

Attackers exploiting a FortiClient EMS vulnerability in the wild

Kaspersky's GERT team identified an attack exploiting a patched vulnerability (CVE-2023-48788) in FortiClient EMS versions 7.0.1 to 7.0.10 and 7.2.0 to 7.2.2. The attackers used SQL injection to infiltrate a company's network through an exposed Windows server. They deployed remote access tools like…
screenconnect
sql injection
forticlient ems
anydesk
credential theft
remote access
lateral movement
mimikatz
CVE-2023-48788
2024-12-19
Published: December 19, 2024
Downloadable IOCs: 0

NetSupport RAT and RMS in malicious emails

The Horns&Hooves campaign, active since March 2023, targets Russian businesses with malicious email attachments containing scripts that install NetSupport RAT or BurnsRAT. The campaign evolved through several versions, improving obfuscation and delivery methods. It uses decoy documents and legitima…
obfuscation
phishing
rhadamanthys
russia
stealer
remote access
burnsrat
netsupport rat
meduza
2024-12-02
Published: December 2, 2024
Downloadable IOCs: 35

Horns&Hooves campaign delivers NetSupport RAT and BurnsRAT

The Horns&Hooves campaign, active since March 2023, targets Russian businesses with malicious email attachments containing scripts that install NetSupport RAT or BurnsRAT. The campaign evolved through several versions, improving obfuscation and delivery methods. It uses decoy documents and legitima…
remote access
burnsrat
netsupport rat
meduza
2024-12-02
Published: December 2, 2024
Downloadable IOCs: 0

Know Thy Enemy: A Novel November Case on Persistent Remote Access

In early November 2024, a threat actor gained initial access to a network via brute-forcing a public-facing RD-Web instance. Using PsExec, they executed batch files across multiple machines to enable RDP connections and install a malicious MeshAgent. The actor renamed the MeshAgent to mimic a virtu…
remote access
persistent
lateral movement
meshagent
2024-11-26
psexec
rdp brute force
Published: November 26, 2024
Downloadable IOCs: 6

HEXON STEALER: THE LONG JOURNEY OF COPYING, HIDING, AND REBRANDING

Hexon Stealer, a malware capable of extracting sensitive information from browsers, has emerged as a rebranded version of Stealit Stealer. It utilizes the Electron framework and NSIS installer format to target browser cookies, credentials, and crypto-wallets. The malware grants full remote access t…
obfuscation
remote access
nsis installer
cryptocurrency theft
browser data theft
2024-11-23
hexon stealer
electron framework
stealit stealer
turkish developer
discord stealer
fewer stealer
Published: November 23, 2024
Downloadable IOCs: 0

Rat King: How the Android Trojan CraxsRAT Steals User Data

CraxsRAT, an Android trojan, has been targeting Russian and Belarusian users since summer 2024. It masquerades as legitimate apps like government services, antivirus software, and telecom operators. The malware spreads through social engineering tactics, prompting users to download malicious APK fi…
espionage
social engineering
android
data theft
trojan
financial fraud
remote access
craxsrat
2024-10-31
Published: October 31, 2024
Downloadable IOCs: 0

Grandoreiro banking trojan: overview of recent versions and new tricks

Grandoreiro is a Brazilian banking trojan that has evolved into a global financial threat, targeting over 1,700 banks and 276 crypto wallets in 45 countries. Despite law enforcement efforts, the malware remains active, with new versions featuring enhanced evasion techniques like multiple Domain Gen…
credential theft
remote access
grandoreiro
banking trojan
brazil
evasion techniques
2024-10-22
financial malware
global threat
Published: October 22, 2024
Downloadable IOCs: 0

XWorm: Analysis of Latest Version and Execution Flow

XWorm, a versatile tool discovered in 2022, enables attackers to access sensitive information, gain remote access, and deploy additional malware. The latest version's infection chain begins with a Windows Script File downloading a PowerShell script from paste.ee. This script creates multiple files,…
xworm
infection chain
remote access
process injection
2024-10-03
evasion techniques
reflective loading
telegram notification
Published: October 3, 2024
Downloadable IOCs: 8

The trojan horse that wanted to fly

Rocinante is a new strain of mobile malware originating from Brazil, capable of keylogging, stealing PII through phishing, and performing device takeover. It targets Brazilian banking institutions using a combination of Firebase messaging, HTTP traffic, WebSocket, and Telegram API for communication…
phishing
remote access
banking trojan
brazil
keylogging
mobile malware
2024-09-02
device takeover
hook
rocinante
ermac
Published: September 2, 2024
Downloadable IOCs: 4

Threat actor targeting UK banks in ongoing AnyDesk social engineering campaign

Threat analysts are tracking an ongoing campaign that employs fake websites and social engineering tactics to distribute a malicious version of the AnyDesk remote access software to Windows and macOS users. Once installed on a victim's machine, it is being utilized to steal data and money. The camp…
phishing
social engineering
anydesk
remote access
2024-08-09
uk banks
Published: August 9, 2024
Downloadable IOCs: 50

SharpRhino – New Hunters International RAT

Quorum Cyber's Incident Response team discovered a novel malware, SharpRhino, used by the threat actor Hunters International as an initial infection vector and Remote Access Trojan (RAT). This malware, coded in C#, is delivered via a typosquatting domain impersonating Angry IP Scanner. Upon executi…
ransomware
remote access
2024-08-06
sharprhino
Published: August 6, 2024
Downloadable IOCs: 6

Strikes with commercial malware against organizations in Kazakhstan

BI.ZONE experts have been monitoring the activities of a threat group called Bloody Wolf since late 2023. This group targets organizations in Kazakhstan using STRRAT, a commercial malware known as Strigoi Master. The attackers employ phishing emails posing as communications from government agencies…
phishing
data theft
remote access
2024-08-01
strrat
strigoi master
Published: August 1, 2024
Downloadable IOCs: 10

Analysis of Attack Case Installing VPN on Korean ERP Server

This analysis examines an attack where a threat actor compromised a Korean company's ERP server, initially accessing it through a poorly secured MS-SQL service. The actor installed a web shell, stole credentials, and ultimately set up SoftEther VPN on the server, likely to use it as part of a comma…
sql injection
credential theft
remote access
2024-06-17
vpn
erp
softether vpn
Published: June 17, 2024
Downloadable IOCs: 11

RAT Distributed as UUEncoding (UUE) File

This intelligence report describes a malicious operation where the Remcos Remote Access Trojan (RAT) is being disseminated through phishing emails containing an attachment exploiting the Unix-to-Unix Encoding (UUE) technique. The encoded file loads an obfuscated VBScript that fetches additional mal…
obfuscation
rat
phishing
persistence
remcos
remote access
2024-06-11
Published: June 11, 2024
Downloadable IOCs: 3

Threat actors misusing Quick Assist in social engineering attacks leading to ransomware

The report describes a recent campaign by the threat actor Storm-1811, a financially motivated cybercriminal group known for deploying Black Basta ransomware. The campaign begins with social engineering tactics like voice phishing (vishing) and email bombing to trick users into granting remote acce…
malware
ransomware
qakbot
qbot
quackbot
pinkslipbot
2024-05-16
2024-05-11
black basta
remote-access
vishing
social-engineering
Published: May 16, 2024
Downloadable IOCs: 12

Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Four

This comprehensive analysis provides a thorough examination of the REMCOS Remote Access Trojan (RAT), a prominent malware threat that gained significant prevalence in 2024. The analysis delves into the malware's configuration structure, command and control capabilities, persistence mechanisms, and …
rat
evasion
persistence
remcos
2024-05-04
2024-05-05
2024-05-06
2024-05-07
2024-05-08
credential theft
remote access
2024-05-09
Published: May 9, 2024
Downloadable IOCs: 34
Click here to see more Attack Reports