CyberSecurity news

FlagThis - #backdoor

Veronika Telychko@SOC Prime Blog //

Mocha Manakin Uses NodeJS Backdoor via Paste-and-Run - Mocha Manakin threat actor uses a paste-and-run technique to deliver a custom NodeJS backdoor named NodeInitRAT, potentially resulting in data exfiltration and ransomware deployment.
Mocha Manakin, a threat actor named by Red Canary, is employing a sophisticated "paste-and-run" technique to compromise systems. This method involves tricking users into executing malicious scripts via PowerShell, leading to the deployment of a custom NodeJS backdoor known as NodeInitRAT. Red Canary's report highlights that this backdoor could potentially lead to ransomware attacks. SocPrime has also released information regarding the detection of Mocha Manakin attacks, emphasizing the backdoor's capabilities.

Red Canary notes the adversary leverages ClickFix technique to deliver NodeJS-based backdoor named NodeInitRAT. Hunting for suspicious events related to PowerShell spawning node.exe can be an effective detection method. Security analysts can monitor process creation events where powershell.exe is the parent process and node.exe is the child process to identify potentially malicious activity associated with the NodeInitRAT backdoor.

Soc Prime offers Sigma rules to detect Mocha Manakin paste-and-run attacks spreading the NodeInitRAT backdoor. It's crucial to detect this threat as early as possible, as researchers note overlaps with Interlock ransomware. These rules can aid in identifying suspicious behavior and mitigating the risk of further compromise, including data exfiltration and ransomware deployment.

Recommended read:
References :
  • redcanary.com: Red Canary's report on Mocha Manakin details the use of NodeInitRAT and provides detection strategies.
  • SOC Prime Blog: SocPrime provides information on detecting Mocha Manakin attacks, focusing on the backdoor's capabilities and associated ransomware.
  • redcanary.com: Named by Red Canary, Mocha Manakin uses paste and run with PowerShell to drop a custom NodeJS backdoor that could lead to ransomware
  • socprime.com: Mocha Manakin Attack Detection: Hackers Spread a Custom NodeJS Backdoor Dubbed NodeInitRAT Using the Paste-and-Run Technique
  • cyberpress.org: Mocha Manakin Exploits Paste-and-Run Method to Deceive Users into Downloading Malware
  • hackread.com: New Mocha Manakin Malware Deploys NodeInitRAT via Clickfix Attack
  • Virus Bulletin: Red Canary researchers analyse a Mocha Manakin activity cluster that delivers NodeJS backdoor via Clickfix/fakeCAPTCHA.
securebulletin.com@Secure Bulletin //

Sophos Exposes GitHub Malware Targeting Cybercriminals, Gamers - Sophos researchers uncovered a GitHub campaign distributing backdoored malware, targeting hackers, gamers, and cybersecurity researchers with infostealer/RAT infections.
Sophos has revealed a significant malware campaign operating on GitHub, targeting a diverse audience, including hackers, gamers, and cybersecurity researchers. The threat actor, identified by the alias "ischhfd83," has cleverly disguised malicious code within seemingly legitimate repositories, some appearing as malware development tools and others as gaming cheats. This deceptive approach aimed to infect users with infostealers and Remote Access Trojans (RATs) like AsyncRAT and Remcos. Upon investigation, Sophos uncovered a network of 133 backdoored repositories linked to the same threat actor, indicating a widespread and coordinated effort to compromise unsuspecting individuals.

The campaign employed sophisticated techniques to enhance its credibility and evade detection. The threat actor used multiple accounts and contributors, alongside automated commits to mimic active development. Victims who compiled the code in these repositories inadvertently triggered a multi-stage infection chain. This chain involved VBS scripts, PowerShell downloads, and obfuscated Electron apps, all designed to stealthily deploy malicious payloads. By masquerading as valuable resources, such as hacking tools or game enhancements, the threat actor successfully lured users into downloading and executing the backdoored code, showcasing the campaign's deceptive effectiveness.

Sophos reported the malicious repositories to GitHub, leading to the takedown of most affected pages and related malicious pastes. However, the incident highlights the importance of vigilance when downloading and running code from unverified sources. Cybersecurity experts recommend users carefully inspect code for obfuscated strings, unusual domain calls, and suspicious behavior before execution. Employing online scanners and analysis tools, as well as running untested code in isolated environments, can further mitigate the risk of infection. The discovery also underscores the growing trend of cybercriminals targeting each other, further complicating the threat landscape.

Recommended read:
References :
  • Secure Bulletin: Sophos exposes massive GitHub campaign distributing backdoored malware
  • securebulletin.com: Sophos exposes massive GitHub campaign distributing backdoored malware
  • Sophos X-Ops: We’ve previously looked into the niche world of threat actors targeting each other, so we investigated further, and found 133 backdoored repos, most linked to the same threat actor via an email address. Some repos claimed to be malware, others gaming cheats. The threat actor appears to have gone to some lengths to make their backdoored repos seem legitimate – including multiple accounts and contributors, and automated commits.
  • Sophos X-Ops: To avoid falling victim to these kinds of attacks, be wary of downloading/running code from unverified/untrusted repos, and where possible inspect code for anything unusual.
  • Sophos X-Ops: When we analyzed the backdoors, we ended up down a rabbithole of multiple variants, obfuscation, convoluted infection chains, and identifiers. The upshot is that a threat actor seems to be creating backdoored repos at scale, and may have been doing so for some time.
  • The Register - Security: More than a hundred backdoored malware repos traced to single GitHub user. Someone went to great lengths to prey on the next generation of cybercrooks
  • Sophos News: A simple customer query leads to a rabbit hole of backdoored malware and game cheats
  • gbhackers.com: Hundreds of Malicious GitHub Repos Targeting Novice Cybercriminals Traced to Single User
  • gbhackers.com: Hundreds of Malicious GitHub Repos Targeting Novice Cybercriminals Traced to Single User
Pierluigi Paganini@securityaffairs.com //

9000 ASUS Routers Compromised in Botnet Campaign - A botnet campaign dubbed “AyySSHush” compromised over 9,000 ASUS routers by exploiting CVE-2023-39780, a command injection vulnerability, and other authentication bypass techniques, deploying malware that persists even after reboots and firmware updates.
A new botnet campaign, dubbed AyySSHush, is targeting ASUS routers, compromising over 9,000 devices globally. The attackers are exploiting a known command injection vulnerability, CVE-2023-39780, along with other authentication bypass techniques to gain unauthorized access. Models such as RT-AC3100, RT-AC3200, and RT-AX55 are among those being targeted, with attackers seeking to establish a persistent presence within the compromised routers. GreyNoise researchers, who uncovered the campaign, emphasize the stealthy tactics employed, which include disabling router logging and avoiding the installation of malware, making detection difficult.

Attackers initially gain access to ASUS routers through brute-force login attempts and the exploitation of authentication bypass flaws, including techniques that have not yet been assigned CVEs. Once inside, they leverage the CVE-2023-39780 command injection vulnerability to execute system commands and modify router settings. These commands enable SSH access on a custom port, typically TCP/53282, and insert an attacker-controlled public key for remote access. This allows the attackers to maintain a persistent backdoor into the compromised routers, even after firmware upgrades and reboots.

As a result of this sophisticated campaign, compromised ASUS routers require a factory reset to fully remove the persistent SSH backdoor. Standard firmware updates are insufficient, as the attackers abuse legitimate router configuration features stored in non-volatile memory (NVRAM). GreyNoise recommends users rotate all authentication tokens, including passwords and SSH keys, and perform a factory reset to clear the affected devices' NVRAM. Users can also use runZero's service inventory to locate potentially impacted assets by querying for SSH protocol on port 53282, or scan for the attacker’s public key using the SSHamble tool.

Recommended read:
References :
  • cyberinsider.com: A campaign targeting nearly 9,000 ASUS routers globally has given attackers persistent, undetectable access, likely to build a botnet network for future operations.
  • The GreyNoise Blog: GreyNoise uncovers a stealth campaign exploiting ASUS routers, enabling persistent backdoor access via CVE-2023-39780 and unpatched techniques. Learn how attackers evade detection, how GreyNoise discovered it with AI-powered tooling, and what defenders need to know.
  • Blog: ASUS routers exposed to the public Internet are being compromised, with backdoors being installed. Here's how to find impacted assets on your network.
  • www.scworld.com: ASUS router backdoors affect 9K devices, persist after firmware updates
  • securityonline.info: Beyond Malware: Stealthy ASUS Router Exploitation Survives Reboots, Builds Botnet
  • bsky.app: Over 9,000 ASUS routers are compromised by a novel botnet dubbed "AyySSHush" that was also observed targeting SOHO routers from Cisco
  • securityaffairs.com: New AyySSHush botnet compromised over 9,000 ASUS routers, adding a persistent SSH backdoor.
  • securityonline.info: Beyond Malware: Stealthy ASUS Router Exploitation Survives Reboots, Builds Botnet.
  • CyberInsider: 9,000 ASUS Routers Compromised in Stealthy Backdoor Campaign
  • BleepingComputer: Botnet hacks 9,000+ ASUS routers to add persistent SSH backdoor
  • www.techradar.com: Thousands of Asus routers hacked to create a major botnet planting damaging malware.
  • The Register - Security: 8,000+ Asus routers popped in 'advanced' mystery botnet plot
  • PCMag UK security: Cybercriminals Hack Asus Routers: Here's How to Check If They Got Into Yours
  • eSecurity Planet: Over 9,000 Routers Hijacked: ASUS Users Caught in Ongoing Cyber Operation
  • www.itpro.com: Asus routers at risk from backdoor vulnerability
  • www.csoonline.com: New botnet hijacks AI-powered security tool on Asus routers
  • www.esecurityplanet.com: Over 9,000 ASUS routers were hacked in a stealth cyberattack exploiting CVE-2023-39780.
  • cyble.com: Researchers disclosed that attackers have exploited this vulnerability in a widespread and stealthy botnet campaign, compromising over 9,000 ASUS routers and enabling persistent, unauthorized access to the affected devices.
  • hothardware.com: Heads up if you have an Asus router in your home or office, as there's a backdoor exploit doing the rounds affecting 9,000 devices and counting.
  • techvro.com: GreyNoise has exposed the AyySSHush botnet infecting over 9,000 ASUS routers, urging owners to factory reset devices as firmware updates alone won’t remove the hidden backdoor.
  • Techzine Global: New botnet creates permanent backdoors in ASUS routers
  • securityonline.info: AyySSHush: New Stealthy Botnet Backdoors ASUS Routers, Persists Through Firmware Updates
  • securityonline.info: SecurityOnline: AyySSHush: New Stealthy Botnet Backdoors ASUS Routers, Persists Through Firmware Updates
  • Catalin Cimpanu: -AyySSHush botnet infects 9k ASUS routers
  • Blog: In early 2025, cybersecurity researchers uncovered a stealthy campaign compromising over 9,000 ASUS routers. Dubbed "AyySSHush," this operation targets specific ASUS models, including RT-AC3100, RT-AC3200, and RT-AX55, by exploiting a known command injection vulnerability, designated CVE-2023-39780, alongside other authentication bypass techniques.
  • Latest news: Cybercriminals have hacked into thousands of Asus routers. Here's how to tell if yours is compromised.
  • Seceon Inc: ASUS Router Hijackings Highlight Urgent Need for Advanced Threat Detection and Response
Daryna Olyniychuk@SOC Prime Blog //

Attackers Exploit CMS Flaws for Server Breaches - Attackers are actively exploiting vulnerabilities in WordPress and Craft CMS to compromise web servers, highlighting the need for vigilance in applying security patches and strong security practices.
References: securityaffairs.com
Attackers are actively exploiting vulnerabilities in popular content management systems (CMS) like WordPress and Craft CMS to gain unauthorized access to web servers. These attacks highlight the critical need for website administrators to stay vigilant and promptly apply security patches. A significant phishing campaign has been identified targeting WordPress WooCommerce users, where victims are tricked into downloading a fake security patch that actually installs a backdoor on their sites, allowing attackers persistent access.

Craft CMS is also facing active exploitation of a critical vulnerability, CVE-2025-32432, which allows for Remote Code Execution (RCE). This flaw is particularly dangerous as it is being chained with another vulnerability, CVE-2024-58136 in the Yii framework, to facilitate zero-day attacks. These chained exploits enable attackers to breach servers and steal sensitive data. Researchers are urging Craft CMS users to update to patched versions immediately to mitigate the risk.

An investigation into a compromised server revealed that attackers used CVE-2025-32432 to download a PHP-based file manager, which then enabled them to upload further malicious PHP files. The investigation involved analyzing access logs from the web server and Craft CMS logs, including web logs and phperrors.log, to identify the attacker's actions. The attack leverages Craft CMS's asset management system, exploiting a flaw in how the system handles asset IDs and image transformations.

Recommended read:
References :
  • securityaffairs.com: A large-scale phishing campaign targets WordPress WooCommerce users with a fake security alert urging them to download a ‘critical patch’ hiding a backdoor.
@securityonline.info //

Fake Security Plugin on WordPress Enables Backdoor Access - A new malware campaign targets WordPress sites using a malicious plugin disguised as a security tool, highlighting the risk of installing plugins and the need to verify legitimacy before installation.
A new malware campaign is targeting WordPress websites by using a plugin disguised as a security tool. The malicious plugin, often named 'WP-antymalwary-bot.php', provides attackers with administrator access to compromised sites, all while remaining hidden from the WordPress admin dashboard. The Wordfence Threat Intelligence team discovered this threat in late January 2025 during a site cleanup, revealing the plugin's ability to maintain access, execute remote code, and inject malicious JavaScript. Other names associated with the plugin include addons.php, wpconsole.php, and wp-performance-booster.php, underscoring the campaign's wide reach and adaptability.

The disguised plugin is designed to appear legitimate, mimicking genuine plugin structure and code indentation, which allows it to easily evade detection by site administrators. Once installed, the plugin exploits the REST API to facilitate remote code execution, injecting malicious PHP code into the site theme's header file or clearing caches of popular caching plugins. Furthermore, the plugin incorporates a "pinging" function to report back to a command-and-control server and the ability to spread malware into other directories. A particularly concerning feature is a modified wp-cron.php file that can reactivate the plugin if removed, ensuring the malware's persistence on the compromised site.

Security researchers have observed newer versions of this malware handling code injections differently. These updated versions fetch JavaScript code from compromised domains to serve ads or spam, demonstrating the malware's evolving sophistication. The presence of Russian language comments within the code suggests that the threat actors may be Russian-speaking. The discovery of this malware campaign highlights the importance of vigilance when installing WordPress plugins. Site owners should always verify the legitimacy and reputation of plugins before installation to prevent compromise and maintain the integrity of their websites.

Recommended read:
References :
  • hackread.com: WordPress sites are under threat from a deceptive anti-malware plugin. Learn how this malware grants backdoor access, hides…
  • securityonline.info: WordPress Malware Alert: Fake Anti-Malware Plugin Grants Admin Access and Executes Remote Code
  • www.bleepingcomputer.com: WordPress plugin disguised as a security tool injects backdoor
  • The DefendOps Diaries: Protecting WordPress Sites from Malicious Plugin Campaigns
  • BleepingComputer: A new malware campaign targeting WordPress sites employs a malicious plugin disguised as a security tool to trick users into installing and trusting it.
  • Talkback Resources: WordPress Malware Alert: Fake Anti-Malware Plugin Grants Admin Access and Executes Remote Code [app] [mal]
  • BleepingComputer: A new malware campaign targeting WordPress sites employs a malicious plugin disguised as a security tool to trick users into installing and trusting it.
  • bsky.app: A new malware campaign targeting WordPress sites employs a malicious plugin disguised as a security tool to trick users into installing and trusting it.
  • The Hacker News: Fake Security Plugin on WordPress Enables Remote Admin Access for Attackers
  • BleepingComputer: WordPress plugin disguised as a security tool injects backdoor
  • securityonline.info: WordPress Malware Alert: Fake Anti-Malware Plugin Grants Admin Access and Executes Remote Code
  • Talkback Resources: Talkback - Fake Security Plugin on WordPress Enables Remote Admin Access for Attackers
  • Talkback Resources: Fake Security Plugin on WordPress Enables Remote Admin Access for Attackers [net] [mal]
  • bsky.app: bleepingcomputer.com/news/security/wordpress-plugin-disguised-as-a-security-tool-injects-backdoor/
Pierluigi Paganini@securityaffairs.com //

WooCommerce Users Targeted Patch Phishing Site Backdoors - A phishing campaign targeting WordPress WooCommerce users employs fake security alerts with a malicious patch that grants unauthorized access to WordPress websites.
A large-scale phishing campaign is actively targeting WordPress WooCommerce users, employing deceptive tactics to compromise their websites. Cybercriminals are sending out fake security alerts, urging recipients to download a "critical patch." Unsuspecting users who fall for the scam and download the so-called patch are actually installing a malicious plugin that creates a hidden administrator account and gives attackers backdoor access to their WordPress sites. This campaign highlights the evolving sophistication of cyber threats against e-commerce platforms.

The phishing emails are designed to mimic official WooCommerce communications and often warn of a non-existent "Unauthenticated Administrative Access" vulnerability. To further deceive users, the attackers employ homograph attacks, using domain names that closely resemble the legitimate WooCommerce website but contain subtle character differences such as 'woocommėrce[.]com'. The fake patch, once installed, allows attackers to inject malicious code, redirect site visitors, or even encrypt server resources for extortion.

Cybersecurity researchers advise WooCommerce users to be extremely cautious when receiving security alerts and to verify the authenticity of any patches directly through official WooCommerce channels. Users should also scan their instances for suspicious plugins or administrator accounts and ensure all software is up to date. The ultimate goal of the attackers is to gain remote control over the websites, allowing them to inject spam or sketchy ads, redirect site visitors to fraudulent sites, enlist the breached server into a botnet for carrying out DDoS attacks, and even encrypt the server resources as part of an extortion scheme.

Recommended read:
References :
  • cyberpress.org: The Patchstack security team has identified a large-scale, sophisticated phishing campaign targeting WooCommerce users with fake security alerts.
  • gbhackers.com: A concerning large-scale phishing campaign targeting WooCommerce users has been uncovered by the Patchstack securpity team, employing a highly sophisticated email and web-based phishing template to deceive website owners.
  • The DefendOps Diaries: Phishing campaign exploits WooCommerce admins with fake security patches and deceptive tactics, highlighting advanced cyber threats.
  • The Hacker News: Cybersecurity researchers are warning about a large-scale phishing campaign targeting WooCommerce users with a fake security alert urging them to download a critical patch but deploy a backdoor instead.
  • BleepingComputer: WooCommerce admins targeted by fake security patches that hijack sites
  • Cybernews: Cybercriminals are targeting WooCommerce users with a large-scale phishing campaign, giving them backdoor access to WordPress websites.
  • securityaffairs.com: A large-scale phishing campaign targets WordPress WooCommerce users with a fake security alert urging them to download a ‘critical patch’ hiding a backdoor.
  • hackread.com: Sneaky WordPress Malware Disguised as Anti-Malware Plugin
  • securityonline.info: WordPress Malware Alert: Fake Anti-Malware Plugin Grants Admin Access and Executes Remote Code
  • www.bleepingcomputer.com: A new malware campaign targeting WordPress sites employs a malicious plugin disguised as a security tool to trick users into installing and trusting it.

Posts

Blogs

Research Tools