Tag: stealth

18 Attack Reports | 0 Vulnerabilities

Attack reports

CrySome RAT : An Advanced Persistent .NET Remote Access Trojan

CrySome is a sophisticated .NET-based remote access trojan designed for persistent command-and-control operations. It features advanced persistence mechanisms, including recovery partition abuse and offline registry modification, allowing it to survive system resets. The malware incorporates an agg…
rat
persistence
credential theft
remote access
.net
stealth
defense evasion
avkiller
c#
hvnc
2026-03-31
crysome rat
Published: March 31, 2026
Downloadable IOCs: 2

Illuminating VoidLink: Technical analysis of the VoidLink rootkit framework

Elastic Security Labs analyzes VoidLink, a sophisticated Linux malware framework combining Loadable Kernel Modules (LKMs) and eBPF for persistence. The rootkit, developed by a Chinese-speaking threat actor, evolved through four generations, targeting kernels from CentOS 7 to Ubuntu 22.04. VoidLink …
rootkit
stealth
ai-assisted
voidlink
2026-03-26
lkm
Published: March 26, 2026
Downloadable IOCs: 2

Cryptojacking Campaign Exploits Driver to Boost Monero Mining

A sophisticated cryptojacking campaign has been discovered, spreading through pirated software installers. The operation utilizes a customized XMRig miner and a controller component for long-term system access. Unlike browser-based schemes, this campaign deploys system-level malware using deceptive…
xmrig
persistence
cryptojacking
stealth
driver vulnerability
2026-02-18
CVE-2020-14979
kernel exploit
monero mining
pirated software
Published: February 18, 2026
Linked vulnerabilities : CVE-2020-14979
Downloadable IOCs: 1

VoidLink threat analysis: C2-compiled kernel rootkits discovered

The Sysdig Threat Research Team analyzed VoidLink, a sophisticated Linux malware framework targeting cloud environments. Key findings include the first documented Serverside Rootkit Compilation, Chinese development with AI assistance, adaptive detection evasion, and use of the Zig programming langu…
linux
rootkit
evasion
cloud
c2
containers
stealth
kernel
voidlink
2026-01-19
ebpf
zig
Published: January 19, 2026
Downloadable IOCs: 9

Command & Evade: Turla's Kazuar v3 Loader

Turla's Kazuar v3 loader employs sophisticated techniques to evade detection. It uses a VBScript to drop files and execute a native loader, which bypasses security measures and leverages COM for stealth. The loader utilizes control flow redirection, patchless ETW and AMSI bypasses, and COM integrat…
loader
evasion
in-memory execution
stealth
amsi bypass
kazuar
2026-01-15
etw bypass
Published: January 15, 2026
Downloadable IOCs: 15

The Cloud-Native Malware Framework

VoidLink is an advanced malware framework designed for Linux systems, focusing on cloud and container environments. It includes custom loaders, implants, rootkits, and modular plugins for long-term access. The framework employs a flexible architecture with a Plugin API inspired by Cobalt Strike. Vo…
malware
linux
rootkit
plugins
stealth
cloud-native
2026-01-13
chinese-affiliated
framework
voidlink
Published: January 13, 2026
Downloadable IOCs: 3

DPRK's Playbook: HttpTroy and New BLINDINGCAN Variant

Recent investigations have uncovered two new toolsets from North Korean threat actors. Kimsuky deployed a new backdoor called HttpTroy, targeting a victim in South Korea through a VPN invoice-themed attack. The attack chain involves a dropper, a loader called MemLoad, and the HttpTroy backdoor, whi…
backdoor
obfuscation
espionage
comebacker
dprk
stealth
remote access tool
2025-11-03
blindingcan
httptroy
Published: November 3, 2025
Downloadable IOCs: 15

Hidden WordPress Backdoors Creating Admin Accounts

Two malicious files were discovered on a compromised WordPress website, designed to manipulate administrator accounts and maintain unauthorized access. The first file, disguised as a plugin called 'DebugMaster Pro', created a secret admin user and communicated with a command and control server. The…
backdoor
wordpress
credential theft
compromise
stealth
2025-09-24
debugmaster pro
admin accounts
Published: September 24, 2025
Downloadable IOCs: 0

DeerStealer Malware Campaign: Stealth, Persistence, and Rootkit-Like Capabilities

DeerStealer is a sophisticated information-stealing malware that targets a wide range of user and system data. It employs deception techniques, persistence mechanisms, and rootkit-like capabilities to evade detection and maintain stealth on compromised systems. The malware uses signed executables, …
rootkit
persistence
information-stealing
deerstealer
data-exfiltration
stealth
uac-bypass
2025-09-20
multi-stage-execution
xfiles spyware
Published: September 20, 2025
Downloadable IOCs: 0

TINKYWINKEY KEYLOGGER

TinkyWinkey is a sophisticated Windows-based keylogger that combines persistent service execution, low-level keyboard hooks, and comprehensive system profiling. It captures all keystrokes, including special keys and multi-language input, alongside detailed system metrics such as CPU, memory, OS ver…
windows
persistence
service
keylogger
stealth
dll injection
2025-09-01
system profiling
tinkywinkey
Published: September 1, 2025
Downloadable IOCs: 3

The Covert Dual-Mode Backdoor Threat

MystRodX is a sophisticated backdoor discovered in June 2025, featuring stealth and flexibility. It uses multi-layer encryption for sensitive information and can operate in active or passive modes. The backdoor supports file management, port forwarding, reverse shell, and socket management. Its pas…
backdoor
encryption
stealth
c2 servers
2025-08-28
icmp trigger
mystrodx
dual-process guardian
dns trigger
passive mode
Published: August 28, 2025
Downloadable IOCs: 12

APT36 Malware Campaign Using Desktop Entry Files and Google Drive Payload Delivery

Pakistan-linked APT36 (Transparent Tribe) launched a new cyber-espionage campaign targeting Indian government and defense entities. Active in August 2025, the group used phishing ZIP files containing malicious Linux “.desktop” shortcuts that downloaded payloads from Google Drive.
persistence
stealth
apt36
websocket
google drive
2025-08-21
syscall
icon data
ctfuft
linux desktop
stealth server
unix timestamp
Published: August 21, 2025
Downloadable IOCs: 6

GreyNoise Discovers Stealthy Backdoor Campaign Affecting Thousands of ASUS Routers

A sophisticated campaign targeting ASUS routers has been uncovered, compromising thousands of devices. The attackers employ brute-force attempts, authentication bypasses, and exploit CVE-2023-39780 to gain initial access. They establish persistence by enabling SSH access on a custom port and insert…
backdoor
apt
persistence
botnet
ssh
stealth
authentication bypass
asus routers
CVE-2023-39780
2025-06-04
nvram
Published: June 4, 2025
Downloadable IOCs: 3

New Bumblebee Loader Infection Chain Signals Possible Resurgence

A new infection chain for the Bumblebee loader malware has been discovered, potentially indicating its resurgence after Operation Endgame. The sophisticated downloader, first identified in March 2022, is used by cybercriminals to access corporate networks and deliver payloads like Cobalt Strike bea…
loader
pikabot
phishing
cobalt strike
icedid
lnk
darkgate
latrodectus
stealth
2024-10-21
msi
bumblebee
infection-chain
in-memory-execution
Published: October 21, 2024
Downloadable IOCs: 11

Technical Analysis of a Novel IMEEX Framework

The IMEEX framework is a newly discovered, custom-built malware targeting Windows systems. Delivered as a 64-bit DLL, it offers extensive control over compromised machines, featuring execution of additional modules, file manipulation, process management, registry modification, and remote command ex…
malware
windows
persistence
infrastructure
stealth
2024-10-14
imeex
Published: October 14, 2024
Downloadable IOCs: 9

From Perfctl to InfoStealer

A new stealthy Linux malware called perfctl has been analyzed. The malware runs two processes: perfctl and a disguised process mimicking known Linux processes. It uses Tor for external communications and local sockets for inter-process communication. After 30 minutes, the attacker drops scripts to …
malware
linux
rootkit
cryptominer
data exfiltration
stealth
perfctl
2024-10-09
trufflehog
Published: October 9, 2024
Downloadable IOCs: 3

A glimpse into the next moves and associated botnets

The report provides insights into the evolving tactics and infrastructure of a threat group referred to as the 'Quad7 botnet operators.' It details the discovery of new staging servers, implants, and botnet clusters associated with this group. The operators appear to be compromising various router …
evasion
backdoors
xlogin
botnets
routers
2024-09-10
hammertoss
axlogin
fsynet
hammerduke
stealth
alogin
updtae
zylogin
netduke
rlogin
Published: September 10, 2024
Downloadable IOCs: 11

A glimpse into the Quad7 operators’ next moves and associated botnets

The report provides insights into the evolving tactics and infrastructure of a threat group referred to as the 'Quad7 botnet operators.' It details the discovery of new staging servers, implants, and botnet clusters associated with this group. The operators appear to be compromising various router …
evasion
backdoors
xlogin
botnets
routers
2024-09-10
hammertoss
axlogin
fsynet
hammerduke
stealth
alogin
updtae
zylogin
netduke
rlogin
Published: September 10, 2024
Downloadable IOCs: 0
Click here to see more Attack Reports