Waqas@hackread.com
//
Chinese cyber espionage group UNC3886 has been targeting Juniper Networks Junos OS MX routers that have reached their end-of-life. Researchers at Mandiant uncovered the attacks, which began in mid-2024, revealing that the group deployed custom backdoors to compromise these outdated systems. These backdoors allowed the attackers to bypass file integrity protections and maintain persistence, enabling them to steal data and conduct espionage.
Mandiant's investigation showed that UNC3886 exploited vulnerabilities in Junos OS, overcoming its protection subsystem, Veriexec, through a technique called process injection. The attackers injected malicious code into legitimate processes by gaining privileged access to a Juniper router from a terminal server using legitimate credentials. Juniper Networks and Mandiant recommend that organizations using these routers immediately upgrade their devices and run an integrity checker to confirm their systems are secure.
Recommended read:
References :
- hackread.com: Chinese Cyber Espionage Group UNC3886 Backdoored Juniper Routers
- www.cybersecuritydive.com: Juniper MX routers targeted by China-nexus threat group using custom backdoors
- : Chinese Hackers Implant Backdoor Malware on Juniper Routers
- BleepingComputer: Chinese hackers are deploying custom backdoors on Juniper Networks
 Junos OS MX routers that have reached end-of-life (EoL) and no longer receive security updates.
- www.csoonline.com: Chinese cyberespionage group deploys custom backdoors on Juniper routers
- thehackernews.com: Chinese Hackers Breach Juniper Networks Routers With Custom Backdoors and Rootkits
- The Register - Security: Expired Juniper routers find new life – as Chinese spy hubs
- Cybernews: Chinese cyberespionage group is targeting Juniper routers with custom backdoors for outdated hardware.
- BleepingComputer: Chinese hackers are deploying custom backdoors on Juniper Networks Junos OS MX routers that have reached end-of-life (EoL) and no longer receive security updates.
- The DefendOps Diaries: Chinese Cyberspies Exploit Juniper Routers: A Deep Dive into Advanced Threats
- Industrial Cyber: Mandiant uncovers custom backdoors on Juniper Junos OS routers, linked to Chinese espionage group UNC3886
- The Record: Researchers said the Chinese state-backed group dubbed UNC3886 was behind a campaign to deploy custom backdoors on Juniper's Junos OS routers
- securityaffairs.com: China-linked APT UNC3886 targets EoL Juniper routers
- Security Risk Advisors: China-linked UNC3886 deploying custom backdoors on Juniper routers. Upgrade devices, run JMRT scans, implement MFA for network device management.
- BleepingComputer: ​Juniper Networks has released emergency security updates to patch a Junos OS vulnerability exploited by Chinese hackers to backdoor routers for stealthy access.
- securityaffairs.com: Researchers from Mandiant identified that threat actors have been deploying custom backdoors on Juniper Networks’ Junos OS routers. The group known as UNC3886, targeted critical infrastructure sectors.
- Information Security Buzz: Google Uncovers China-Linked Espionage Campaign Targeting Juniper Routers
- Virus Bulletin: Mandiant researchers describe UNC3886’s TTPs, and their focus on malware & capabilities that enable them to operate on network & edge devices that usually lack security monitoring & detection solutions. The espionage group targets Juniper routers with TINYSHELL-based backdoors.
- securityaffairs.com: Mandiant researchers warn that China-linked actors are deploying custom backdoors on Juniper Networks Junos OS MX routers.
- bsky.app: Juniper Networks has released emergency security updates to patch a Junos OS vulnerability exploited by Chinese hackers to backdoor routers for stealthy access. [...]
- bsky.app: Juniper Networks has released emergency security updates to patch a Junos OS vulnerability exploited by Chinese hackers to backdoor routers for stealthy access.
- Blog: China-linked threat actor deploys backdoors, rootkits on Junos OS routers
- www.it-daily.net: Chinese espionage on old Juniper routers
- www.scworld.com: Old Juniper routers targeted by Chinese hackers to deploy various payloads
- www.techradar.com: Chinese hackers targeting Juniper Networks routers, so patch now
- Rescana: Rescana Cybersecurity Report: Exploitation in the Wild of CVE-2025-21590
- bsky.app: Description of Chinese hackers deploying custom backdoors on Juniper routers.
- www.cysecurity.news: China-linked APT UNC3886 targets EoL Juniper routers
- : Mandiant researchers warn that China-linked actors are deploying custom backdoors on Juniper Networks Junos OS MX routers.
- securityonline.info: Security Advisory: Juniper Issues Urgent Fix for Actively Exploited Junos OS Flaw – CVE-2025-21590
- iHLS: Chinese Cyberespionage Group Targets Defense and Technology Organizations’ Routers
- www.techradar.com: Juniper patches security flaws which could have let hackers take over your router
- www.scworld.com: Actively exploited Juniper router vulnerability addressed
- www.scworld.com: The threat actor (UNC3886) was found to be targeting end-of-life Juniper Networks routers.
- aboutdfir.com: InfoSec News Nuggets 3/17/2025 discusses a state-backed group from China targeting Juniper Networks routers with custom backdoors.
- ASEC: A report on the deep web and dark web from February 2025 notes the espionage group UNC3886 operating out of China targeting routers made by Juniper Networks.
Veronika Telychko@SOC Prime Blog
//
An undocumented "backdoor," which is really undocumented commands, has been discovered in the ESP32 microchip, a product of the Chinese manufacturer Espressif. This chip is a cornerstone in the Internet of Things (IoT) ecosystem, providing essential Bluetooth and Wi-Fi connectivity. It is widely used in over a billion devices as of 2023. The "backdoor," as it is referred to, could be leveraged for attacks including spoofing trusted devices, unauthorized data access, and pivoting to other devices on the network.
This discovery was made by Spanish researchers Miguel Tarascó Acuña and Antonio Vázquez Blanco from Tarlogic Security, who presented their findings at RootedCON. Their research underscores the critical need for robust security measures in IoT devices. The potential impact could be extensive, considering the chip’s widespread usage. This discovery raises concerns about the security of numerous devices and systems that rely on the ESP32 for their operations.
Recommended read:
References :
- infosec.exchange: Ok, poll for the "supply chain risk management" people! There's a backdoor in the ESP32 wifi/bluetooth chip.
- Anonymous ???????? :af:: The ubiquitous microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains an undocumented "backdoor" that could be leveraged for attacks.
- The DefendOps Diaries: Discover the ESP32 backdoor's impact on IoT security and the urgent need for robust protection measures.
- www.bleepingcomputer.com: The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains an undocumented "backdoor" that could be leveraged for attacks.
- BleepingComputer: Infosec.Exchange post about ESP32 Microchip Backdoor
- BleepingComputer: Infosec.Exchange post about ESP32 microchip with undocumented backdoor.
- Jon Greig: IOC.Exchange post about the backdoor
- TARNKAPPE.INFO: Bluetooth-Chip-Backdoor entdeckt: Über 1 Mrd. Geräte betroffen
- Rescana: Unveiling the ESP32 Bluetooth Chip Backdoor: Security Vulnerabilities and Mitigation Strategies
- BleepingComputer: The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains undocumented commands that could be leveraged for attacks.
- dragosr: Oh, is that all? A few (billion?) ESP32 devices let attackers establish persistency in local flash using an undocumented commands set accessible from an over the air pivot, and low level protocol injection and spoofing control...
- securityaffairs.com: Undocumented hidden feature found in Espressif ESP32 microchip
- BleepingComputer: The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains an undocumented "backdoor" that could be leveraged for attacks.
- Davey Winder: Identity Theft Warning—Hidden Commands In 1 Billion Bluetooth Chips
- www.techradar.com: Top Bluetooth chip security flaw could put a billion devices at risk worldwide
- Security | TechRepublic: Researchers warn these commands could be exploited to manipulate memory, impersonate devices, and bypass security controls.
- BetaNews: Attackers can use undocumented commands to hijack Chinese-made Bluetooth chips
- CyberInsider: Hidden Commands Discovered in Bluetooth Chip Used in a Billion Devices
- bsky.app: Undocumented "backdoor" found in Bluetooth chip used by a billion devices
- Matthew Rosenquist: The recent undocumented code in the ESP32 microchip, made by Chinese manufacturer Espressif Systems, is used in over 1 billion devices and could represent a cybersecurity risk.
- SOC Prime Blog: CVE-2025-27840: Vulnerability Exploitation in Espressif ESP32 Bluetooth Chips Can Lead to Unauthorized Access to Devices
@www.fda.gov
//
The Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have issued warnings regarding a critical security flaw in Contec CMS8000 patient monitors. These monitors, manufactured by a Chinese company, contain a hidden backdoor that allows for unauthorized remote access. This backdoor enables the devices to connect to a hard-coded IP address located at a third-party university in China, potentially allowing the download and execution of unverified files. The vulnerability, tracked as CVE-2025-0626 and CVE-2025-0683, impacts all analyzed firmware versions of the device.
The discovered backdoor poses a significant risk to patient safety and data privacy. It allows malicious actors to modify device settings, execute arbitrary code, and alter displayed vital signs. Furthermore, patient data, including personal and health information, is being sent in plain text to the hardcoded IP address. This unauthorized exfiltration of sensitive information and the potential for device manipulation could lead to improper medical responses and endanger patient well-being. CISA has stated that the backdoor is unlikely to be a normal update mechanism, noting it lacks any integrity-checking or version tracking, making it difficult for hospitals to detect compromised devices.
Recommended read:
References :
- BleepingComputer: The US Cybersecurity and Infrastructure Security Agency (CISA) is warning that Contec CMS8000 devices, a widely used healthcare patient monitoring device, include a backdoor that quietly sends patient data to a remote IP address and downloads and executes files on the device.
- : CISA : CISA has an 11 page warning that a patient monitor known as Contec CMS8000 has an embedded backdoor with a hardcoded IP address which enables patient data spillage, or remote code execution (CISA puts forth a scenario where the device is altered to display inaccurate patient vital signs, which poses a serious risk to patient's safety).
- BleepingComputer: Backdoor found in two healthcare patient monitors, linked to IP in China
- www.bleepingcomputer.com: The US Cybersecurity and Infrastructure Security Agency (CISA) is warning that Contec CMS8000 devices, a widely used healthcare patient monitoring device, include a backdoor that quietly sends patient data to a remote IP address and downloads and executes files on the device.
- www.helpnetsecurity.com: Patient monitors with backdoor are sending info to China, CISA warns
- socradar.io: CISA Warns of Backdoor in Contec CMS8000 Patient Monitors
- The Hacker News: CISA and FDA Warn of Critical Backdoor in Contec CMS8000 Patient Monitors
- cyberinsider.com: CISA issues a warning about a backdoor in Contec CMS8000 patient monitors, highlighting the risk of remote code execution and patient data exfiltration.
- Help Net Security: Patient monitors with backdoor are sending info to China, CISA warns.
- thecyberexpress.com: Critical Flaws in Contec CMS8000 Allow Remote Code Execution and Patient Data Theft
- CyberInsider: Contec Monitors Used in U.S. Hospitals Carry Chinese Backdoor
- securityaffairs.com: The U.S. CISA and the FDA warned of a hidden backdoor in Contec CMS8000 and Epsimed MN-120 patient monitors.
- : Information about the backdoor found in Contec patient monitors.
- securityonline.info: The Contec CMS8000 patient monitors are vulnerable to remote attacks.
- ciso2ciso.com: Backdoor in Chinese-made healthcare monitoring device leaks patient data – Source: www.csoonline.com
- securityboulevard.com: Critical ‘Backdoor’ Discovered in Widely Used Healthcare Patient Monitors
- www.csoonline.com: Contec CMS8000 patient monitors are found to have a hidden backdoor that transmits patient data to a hardcoded IP address and executes files remotely.
- Security Boulevard: Critical ‘Backdoor’ Discovered in Widely Used Healthcare Patient Monitors
- therecord.media: CyberScoop article about the vulnerabilities in the monitors.
- Pyrzout :vm:: Contec CMS8000 patient monitors contain a hidden backdoor – Source: securityaffairs.com
- ciso2ciso.com: Contec CMS8000 patient monitors contain a hidden backdoor – Source: securityaffairs.com
- securityboulevard.com: Healthcare Crisis Emerges: Cybersecurity Vulnerabilities in Patient Monitors Confirmed by FDA
- Vulnerability-Lookup: A new bundle, CISA Releases Fact Sheet Detailing Embedded Backdoor Function of Contec CMS8000 Firmware, has been published on Vulnerability-Lookup:
- securityonline.info: The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical security alert regarding the Contec CMS8000 patient monitors.
- securityonline.info: CISA Warns of Hidden Backdoor in Contec CMS8000 Patient Monitors
- www.cysecurity.news: The U.S. Food and Drug Administration (FDA) has issued a safety communication highlighting cybersecurity vulnerabilities in certain patient monitors manufactured by Contec and relabeled by Epsimed.
- ciso2ciso.com: This news alert brings light to a critical backdoor discovered in widely used healthcare patient monitors.
- ciso2ciso.com: Critical ‘Backdoor’ Discovered in Widely Used Healthcare Patient Monitors
- Security Boulevard: CISA/FDA Warn: Chinese Patient Monitors Have BAD Bugs
- securityboulevard.com: CISA/FDA Warn: Chinese Patient Monitors Have BAD Bugs
- claroty.com: Do the CONTEC CMS8000 Patient Monitors Contain a Chinese Backdoor? The Reality is More Complicated…
- www.heise.de: Medical surveillance monitor: Backdoor discovered in Contec CMS8000 Attackers can attack medical hardware from Contec. This can result in malicious code getting onto devices. There has been no security update to date.
- : Claroty : There was increased interest in healthcare industry's patient monitors after CISA warned on 31 January 2025 that . Claroty's Team82 actually previously investigated the firmware and reached the conclusion that it is most likely not a hidden backdoor, but instead an insecure/vulnerable design that introduces great risk to the patient monitor users and hospital networks. Their conclusion is mainly based on the fact that the vendor—and resellers who re-label and sell the monitor—list the IP address in their manuals and instruct users to configure the Central Management System (CMS) with this IP address within their internal networks. h/t: ; cc: Note: there's associated vulnerabilities: (CVSSv4: 7.7/v3.1: 7.5 high) Hidden Functionality vulnerability in Contec Health CMS8000 Patient Monitor (CVSSv4: 8.2 high/v3.1: 5.9 medium) Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Contec Health CMS8000 Patient Monitor
@www.helpnetsecurity.com
//
A sophisticated cyberattack campaign, dubbed "J-Magic," has been targeting enterprise-grade Juniper routers since mid-2023, with activity observed until at least mid-2024. This stealthy operation uses custom-crafted "magic packets" to trigger a variant of the cd00r backdoor. Once activated, the malware establishes a reverse shell, granting attackers full access to the compromised devices. This allows for data exfiltration, device control, and the deployment of further malicious payloads. The malware operates by passively monitoring network traffic for specific TCP packets, designed to trigger the backdoor. This technique enables the threat actors to gain a strong foothold in enterprise networks by using routers that often serve as VPN gateways.
The "J-Magic" malware primarily focuses on routers within the semiconductor, energy, manufacturing, and IT sectors, particularly in Europe and South America. The malware is installed into the device's memory which scans for five network signals, and when it receives these, it triggers a reverse shell creation on the local file system. This allows for complete device takeover. The malware uses a unique RSA-based challenge-response mechanism to prevent unauthorized access, and while it shares some similarities with the "SeaSpy" malware family, the challenge implementation signifies a step up in operational security. The campaign appears to be targeting Junos OS, commonly used in enterprise-grade networking equipment and it has been noted that many of the compromised routers were acting as VPN gateways, which allows for lateral movement within the network.
Recommended read:
References :
- www.scworld.com: Malware campaign targeting enterprise Juniper routers.
- blog.lumen.com: Black Lotus Labs : The Black Lotus Labs team reports on a backdoor attack tailored for use against enterprise-grade Juniper routers in a campaign dubbed "J-magic". This backdoor is opened by a passive agent that continuously monitors for a "magic packet," sent by the attacker in TCP traffic.
- cyberpress.org: Juniper Routers Magic Packet Vulnerability Exploited to Deliver Custom Backdoor
- www.bleepingcomputer.com: A malicious campaign has been specifically targeting Juniper edge devices, many acting as VPN gateways, with malware dubbed J-magic that starts a reverse shell only if it detects a "magic packet" in the network traffic.
- www.helpnetsecurity.com: A stealthy attack campaign turned Juniper enterprise-grade routers into entry points to corporate networks via the “J-magic� backdoor, which is loaded into the devices’ memory and spawns a reverse shell when instructed to do so.
- gbhackers.com: Juniper routers exploited via Magic Packet vulnerability to deploy custom backdoor
- : Black Lotus Labs : The Black Lotus Labs team reports on a backdoor attack tailored for use against enterprise-grade Juniper routers in a campaign dubbed 'J-magic'.
- Cyber Security News: Juniper Routers Magic Packet Vulnerability Exploited to Deliver Custom Backdoor
- gbhackers.com: Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor
- ciso2ciso.com: Someone is slipping a hidden backdoor into Juniper routers across the globe, activated by a magic packet – Source: go.theregister.com
- The Register: Unknown attackers have been secretly inserting backdoors into Juniper routers in key sectors since mid-2023, potentially compromising a large number of critical devices.
- Pyrzout :vm:: Someone is slipping a hidden backdoor into Juniper routers across the globe, activated by a magic packet – Source: go.theregister.com
- ciso2ciso.com: Someone is slipping a hidden backdoor into Juniper routers across the globe, activated by a magic packet – Source: go.theregister.com
- Ars Technica: Backdoor infecting VPNs used “magic packets� for stealth and security J-Magic backdoor infected organizations in a wide array of industries.
- Ars OpenForum: Backdoor infecting VPNs used “magic packets� for stealth and security
- ciso2ciso.com: J-Magic malware campaign targets Juniper routers, using a passive agent to monitor network traffic for predefined "magic packets" to exploit.
- Pyrzout :vm:: J-magic malware campaign targets Juniper routers
- go.theregister.com: Someone is slipping a hidden backdoor into Juniper routers across the globe, activated by a magic packet Who could be so interested in chips, manufacturing, and more, in the US, UK, Europe, Russia... Someone has been quietly backdooring selected Juniper routers around the world in key sectors including semiconductor, energy, and manufacturing, since at least mid-2023.…
- AAKL: Additional information about the Juniper router attack.
- Pyrzout :vm:: J-magic malware campaign targets Juniper routers – Source: securityaffairs.com
- The Hacker News: Custom Backdoor Exploiting Magic Packet Vulnerability in Juniper Routers
- Help Net Security: Juniper enterprise routers backdoored via "magic packet" malware
- securityaffairs.com: Threat actors are targeting Juniper routers with a custom backdoor in a campaign called "J-magic." Attackers exploit a "Magic Packet" flaw to deliver the malware.
- Threats | CyberScoop: Researchers at Black Lotus Labs have uncovered an operation where a back door is dropped onto enterprise-grade Juniper Networks routers and listens for specific network signals, known as “magic packets,� to execute malicious commands.
- BleepingComputer: A malicious campaign has been specifically targeting Juniper edge devices, many acting as VPN gateways, with malware dubbed J-magic that starts a reverse shell only if it detects a "magic packet" in the network traffic.
- aboutdfir.com: Someone is slipping a hidden backdoor into Juniper routers across the globe, activated by a magic packet
- The Register - Security: Initial report on the backdoor campaign
- aboutdfir.com: Someone is slipping a hidden backdoor into Juniper routers across the globe, activated by a magic packet Someone has been quietly backdooring selected Juniper routers around the world in key sectors including semiconductor, energy, and manufacturing, since at least mid-2023. The devices were infected with what appears to be a variant of cd00r, a publicly available […] The post appeared first on .
info@thehackernews.com (The Hacker News)@The Hacker News
//
A new Golang-based backdoor has been discovered that leverages the Telegram Bot API for command-and-control (C2) communications. Cybersecurity researchers at Netskope Threat Labs detailed the malware, suggesting it may be of Russian origin. According to security researcher Leandro Fróes, the malware, while seemingly still under development, is fully functional and acts as a backdoor once executed. The backdoor utilizes an open-source library offering Golang bindings for the Telegram Bot API.
Once launched, the malware checks if it’s running under a specific location and name ("C:\Windows\Temp\svchost.exe"). If not, it copies itself to that location and creates a new process. The backdoor interacts with the Telegram Bot API to receive commands from an attacker-controlled chat, supporting commands to execute PowerShell commands, relaunch itself, and self-destruct. Though not fully fleshed out, a screenshot command is also present.
Netskope highlights the use of cloud applications like Telegram presents a challenge for defenders, as attackers exploit the ease of use and setup these apps provide during various attack phases. The use of the Russian language in the "/cmd" instruction, which sends the message "Enter the command:" in Russian, further supports the assessment of potential Russian origin. This malware uses Telegram for C2, and has the capability of executing PowerShell commands and self-destructing to evade detection.
Recommended read:
References :
- ciso2ciso.com: New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations – Source:thehackernews.com
- securityaffairs.com: New Golang-based backdoor relies on Telegram for C2 communication
- Talkback Resources: New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations [mal]
- The Hacker News: New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations
- ciso2ciso.com: New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations – Source:thehackernews.com
- hackread.com: Hackers Exploit Telegram API to Spread New Golang Backdoor with Russian Connection
- Talkback Resources: New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations
- securityonline.info: A new Golang-based backdoor, potentially of Russian origin, uses Telegram for C2 communication, exploiting cloud apps for enhanced stealth.
- Talkback Resources: Talkback.sh article summarizing a new Golang-based backdoor using Telegram Bot API for evasive C2 operations.
- www.scworld.com: Telegram API exploited by new Golang backdoor
- Security Risk Advisors: New #Golang backdoor abuses #Telegram Bot API for stealthy remote commands and self-destruct. The post appeared first on .
- securityonline.info: Security researchers at Netskope Threat Labs have uncovered a new backdoor malware written in Golang that leverages Telegram The post appeared first on .
- Threat Labs - Netskope: 🚩Golang Malware Uses Telegram Bot API for Stealthy Remote Commands and Data Exfiltration
- www.csoonline.com: Russian malware discovered with Telegram hacks for C2 operations
do son@securityonline.info
//
A sophisticated cyberespionage campaign employing the EAGERBEE backdoor is targeting Internet Service Providers (ISPs) and government entities in the Middle East. This malware uses a novel service injector to embed itself into running services, and previously undocumented plugins to perform malicious activities like file manipulation, remote access, and process exploration. The attackers leverage a DLL hijacking vulnerability for initial access, deploying a backdoor injector and payload using the SessionEnv service. Once active, EAGERBEE gathers system information and communicates with a command-and-control server via encrypted protocols.
The EAGERBEE backdoor employs a plugin orchestrator that injects itself into memory, collecting system data and receiving commands to manage various plugins. These plugins include a File Manager, which can enumerate, manipulate, and execute files; a Process Manager, which controls system processes; a Remote Access Manager for data exfiltration and remote control; and a Service Manager for controlling system services. Analysis also suggests potential links between EAGERBEE and the CoughingDown threat group, but attribution remains uncertain. This campaign shows an evolution in malware frameworks used in sophisticated and targeted cyber attacks.
Recommended read:
References :
- malware.news: EAGERBEE, with updated and novel components, targets the Middle East
- ciso2ciso.com: EagerBee Backdoor Takes Flight Against Mideast ISPs, Government Targets – Source: www.darkreading.com
- : Kaspersky : Kaspersky reports that an in-memory backdoor called EAGERBEE is being deployed at ISPs and governmental entities in the Middle East.
- securityaffairs.com: Eagerbee backdoor targets govt entities and ISPs in the Middle East
- securityonline.info: EAGERBEE: Advanced Backdoor Targets Middle Eastern ISPs and Government Entities
- Pyrzout :vm:: EagerBee Backdoor Takes Flight Against Mideast ISPs, Government Targets – Source: www.darkreading.com
- ciso2ciso.com: EAGERBEE, with updated and novel components, targets the Middle East – Source: securelist.com
- ciso2ciso.com: EAGERBEE, with updated and novel components, targets the Middle East – Source: securelist.com
- securityonline.info: EAGERBEE: Advanced Backdoor Targets Middle Eastern ISPs and Government Entities
- The Hacker News: New EAGERBEE Variant Targets ISPs and Governments with Advanced Backdoor Capabilities
- gbhackers.com: EAGERBEE Malware Updated It’s Arsenal With Payloads & Command Shells
- gbhackers.com: EAGERBEE Malware Updated It’s Arsenal With Payloads & Command Shells
- ciso2ciso.com: EagerBee Backdoor Takes Flight Against Mideast ISPs, Government Targets – Source: www.darkreading.com
- securelist.com: EAGERBEE, with updated and novel components, targets the Middle East
- ciso2ciso.com: EAGERBEE Malware Detection: New Backdoor Variant Targets Internet Service Providers and State Bodies in the Middle East
@www.bleepingcomputer.com
//
Hackers are actively exploiting vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) software to compromise systems and potentially deploy ransomware. Cybersecurity firm Field Effect has confirmed these exploits and released a report detailing the post-exploitation activity. The vulnerabilities, tracked as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, allow attackers to create administrator accounts and drop backdoors, laying the groundwork for further malicious activities.
Field Effect identified a breach where threat actors exploited these vulnerabilities in the SimpleHelp RMM client to infiltrate a targeted network. Following initial access, attackers execute discovery commands to gather system and network data. They then establish persistence by creating new administrator accounts and deploying the Sliver malware, a post-exploitation framework gaining popularity as a Cobalt Strike alternative. Once deployed, Sliver waits for further commands, enabling attackers to compromise the domain controller and potentially distribute malicious software.
Recommended read:
References :
- Security Risk Advisors: Threat Actors Exploit SimpleHelp RMM Vulnerabilities to Deploy Ransomware
- The Hacker News: The Hacker News - Hackers Exploiting SimpleHelp RMM Flaws for Persistent Access and Ransomware
- www.bleepingcomputer.com: Hackers are targeting vulnerable SimpleHelp RMM clients to create administrator accounts, drop backdoors, and potentially lay the groundwork for ransomware attacks.
- Blog: Threat actors exploiting #SimpleHelp RMM #vulnerabilities to deploy #ransomware The post appeared first on .
- www.scworld.com: Sliver malware spread via SimpleHelp RMM exploits
- fieldeffect.com: Threat actors exploiting #SimpleHelp RMM #vulnerabilities to deploy #ransomware
- gbhackers.com: Hackers Exploiting SimpleHelp Vulnerabilities to Deploy Malware on Systems
- gbhackers.com: Hackers Exploiting SimpleHelp Vulnerabilities to Deploy Malware on Systems
@Talkback Resources
//
Cybersecurity researchers have unveiled advanced obfuscation tactics employed by APT28, a Russian state-sponsored threat actor, in their HTA Trojan. The investigation focuses on espionage campaigns targeting Central Asia and Kazakhstan diplomatic relations, revealing intricate multi-layer obfuscation strategies designed to evade detection. The analysis highlights the use of Microsoft’s VBE technique within HTA files as a core component of APT28’s malware delivery mechanism. This encoding method, facilitated by the Windows Script Encoder, transforms VBScript and JavaScript files into obfuscated formats that remain executable while concealing their true functionality.
The investigation uncovered that the malware leverages Windows’ vbscript.dll to generate embedded strings dynamically during execution. By analyzing these strings and their interaction with memory addresses, researchers were able to reconstruct the original VBScript payload hidden within the HTA file. Using publicly available tools like “vbe-decoder.py,” they successfully deobfuscated the encoded scripts, exposing the final malicious payload designed for espionage activities. This discovery underscores the need for robust malware analysis capabilities and proactive threat intelligence sharing within the cybersecurity community.
Recommended read:
References :
- Virus Bulletin: Cisco Talos researcher Joey Chen describes how Lotus Blossom uses Sagerunex and other hacking tools for post-compromise activities. The espionage operation targets government, manufacturing, telecommunications & media organizations from Philippines, Vietnam, Hong Kong & Taiwan.
- gbhackers.com: Lotus Blossom Hacker Group Uses Dropbox, Twitter, and Zimbra for C2 Communications
- Talkback Resources: Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools
- www.cysecurity.news: Cisco Talos Uncovers Lotus Blossom’s Multi-Campaign Cyber Espionage Operations
- Cyber Security News: Researchers Unveil APT28’s Advanced HTA Trojan Obfuscation Tactics in Detail
- gbhackers.com: Researchers Unveil APT28’s Advanced HTA Trojan Obfuscation Tactics
- securityaffairs.com: Chinese Lotus Blossom APT targets multiple sectors with Sagerunex backdoor
@www.bleepingcomputer.com
//
A sophisticated cyberattack has successfully targeted low-skilled hackers, often referred to as "script kiddies," by using a modified version of the XWorm RAT builder. This fake builder, disguised as a tool for penetration testing, secretly infects the user's systems with a backdoor. This allowed the attacker to compromise over 18,000 devices worldwide. The malware was distributed via various channels including file-sharing services, Github repositories, Telegram channels, and even Youtube. Once installed, the malicious software exfiltrated sensitive data such as browser credentials, Discord tokens, Telegram data, and system information.
The campaign highlights the risks faced even by those attempting to engage in hacking activities. Threat actors, using aliases such as “@shinyenigma” and “@milleniumrat", have taken advantage of the eagerness of these individuals to download and utilize tools from online tutorials. The infected machines are located in Russia, the United States, India, Ukraine, and Turkey. The malicious tool utilizes Telegram for its command and control, using bot tokens and Telegram API calls. Security researchers have identified a kill switch to disrupt operations on active devices, though this is limited by offline machines and rate limiting mechanisms.
Recommended read:
References :
- www.bleepingcomputer.com: A threat actor targeted low-skilled hackers, known as "script kiddies," with a fake malware builder that secretly infected them with a backdoor to steal data and take over computers
- bsky.app: Over 18,000 users infected themselves with a backdoor after they downloaded a cracked malware builder
- hackread.com: Hackers Use XWorm RAT to Exploit Script Kiddies, Pwning 18,000 Devices
- www.cloudsek.com: Over 18,000 users infected themselves with a backdoor after they downloaded a cracked malware builder
- Cyber Security News: Weaponized XWorm RAT Builder Targeting Script Kiddies to Extract Sensitive Data
- gbhackers.com: Weaponised XWorm RAT Builder Attacking Script Kiddies To Hack 18,000 Devices
- cyberpress.org: Weaponized XWorm RAT Builder Targeting Script Kiddies to Extract Sensitive Data
- gbhackers.com: Weaponised XWorm RAT Builder Attacking Script Kiddies To Hack 18,000 Devices
- www.scworld.com: XWorm RAT builder leveraged for widespread device compromise
Help Net Security@Help Net Security
//
Researchers have uncovered that the Lazarus Group, a North Korean state-sponsored hacking group, is using a web-based administrative panel built with React and Node.js to manage their global cyber operations. This platform gives them a centralized control point for overseeing compromised systems, organizing stolen data, and delivering malicious payloads. The administrative layer, dubbed "Phantom Circuit," is consistent across the group's command-and-control servers, allowing them to orchestrate campaigns with precise control, even while varying their payloads and obfuscation techniques.
This hidden framework is part of a supply chain attack named "Operation Phantom Circuit," where the Lazarus Group targets cryptocurrency entities and software developers by embedding backdoors into legitimate software packages. They trick developers into downloading and running compromised open-source GitHub repositories, which then connect to the group's C2 infrastructure. This approach allows the Lazarus Group to infiltrate companies around the world and exfiltrate sensitive data back to Pyongyang. The operation has claimed over 233 victims, primarily within the cryptocurrency industry, between September 2024 and January 2025, and it is linked to North Korea through the use of Astrill VPNs and six distinct North Korean IP addresses.
Recommended read:
References :
- ciso2ciso.com: The ongoing investigation into recent attacks by the Lazarus Group on cryptocurrency entities and software developers.
- The Hacker News: The Lazarus Group uses React application for C2 control.
- Pyrzout :vm:: North Koreans clone open source projects to plant backdoors, steal credentials – Source: go.theregister.com
- gbhackers.com: Reporting on the Lazarus Group's targeting of developers through malicious NPM packages
Field Effect@Blog
//
A new Linux malware strain, dubbed Auto-Color, has been identified by Palo Alto Networks, targeting universities and government organizations across North America and Asia. This previously undocumented backdoor employs advanced stealth tactics to evade detection and maintain persistence on compromised systems. The method used to originally deliver Auto-Color is currently unknown, however researchers have observed that it's often executed with unassuming file names like "door," "egg," or "log."
Once executed, Auto-Color installs a malicious library named libcext.so.2, disguised as the legitimate libcext.so.0 library, and copies itself to the /var/log/cross/auto-color system directory. If running with root privileges, the malware modifies the '/etc/ld.preload' file to achieve persistence. If not running with root privileges, it skips this step. Auto-Color grants malicious actors full remote access to compromised machines, making removal exceptionally difficult without specialized tools.
Recommended read:
References :
- Blog: Linux Systems Threated by New ‘Auto-Color’ Backdoor
- Information Security Buzz: ‘Auto-Color’ Linux Malware Uses Advanced Stealth Tactics to Evade Detection
- The Hacker News: New Linux Malware ‘Auto-Color’ Grants Hackers Full Remote Access to Compromised Systems
@ciso2ciso.com
//
A new TorNet backdoor has been discovered being spread through an ongoing phishing campaign. This malicious campaign is targeting primarily users in Poland and Germany, utilizing phishing emails written in Polish and German. These emails impersonate financial institutions and manufacturing companies, containing malicious attachments in .tgz format. When opened, a .NET loader executes, downloading the PureCrypter malware, which is then used to deploy multiple payloads. These payloads include Agent Tesla, Snake Keylogger, and the new TorNet backdoor itself.
The TorNet backdoor is particularly concerning as it establishes a connection to a command and control server via the TOR network for stealthy communications, making detection more difficult. The malware is also being distributed through an ongoing campaign and exploits Windows Scheduled Tasks to achieve persistence, including on systems with low battery. These sophisticated techniques emphasize a need for heightened security awareness training and advanced threat detection tools.
Recommended read:
References :
- ciso2ciso.com: TorNet Backdoor Detection: An Ongoing Phishing Email Campaign Uses PureCrypter Malware to Drop Other Payloads
- blog.talosintelligence.com: New TorNet Backdoor Campaign
- Pyrzout :vm:: TorNet Backdoor Detection: An Ongoing Phishing Email Campaign Uses PureCrypter Malware to Drop Other Payloads
- The Hacker News: PureCrypter Deploys Agent Tesla and New TorNet Backdoor in Ongoing Cyberattacks
@www.fda.gov
//
The FDA and CISA have issued warnings regarding cybersecurity vulnerabilities found in Contec CMS8000 and Epsimed MN-120 patient monitors. These monitors, often used for remote patient care in homes and hospice settings, present potential risks when connected to the internet. The agencies advise users to disconnect these devices from the network where possible.
These vulnerabilities could allow unauthorized access and manipulation of the devices. CISA discovered a backdoor function with a hard-coded IP address in all analyzed firmware versions of the Contec CMS8000. The identified risks include the potential for unauthorized transmission of patient data and remote code execution, with one vulnerability scoring a critical 9.8 CVSS. These patient monitors display vital patient information including temperature, heartbeat and blood pressure.
Recommended read:
References :
- securityboulevard.com: Security Boulevard article on the vulnerabilities in Contec and Epsimed patient monitors.
- AAKL: Claroty, from yesterday: Do the CONTEC CMS8000 Patient Monitors Contain a Chinese Backdoor? The Reality is More Complicated…
|
|
FlagThis - #backdoor