CyberSecurity news

FlagThis - #rat

@research.checkpoint.com //
A sophisticated cyberattack campaign is exploiting the popularity of the generative AI service Kling AI to distribute malware through fake Facebook ads. Check Point Research uncovered the campaign, which began in early 2025. The attackers created convincing spoof websites mimicking Kling AI's interface, luring users with the promise of AI-generated content. These deceptive sites, promoted via at least 70 sponsored posts on fake Facebook pages, ultimately trick users into downloading malicious files.

Instead of delivering the promised AI-generated images or videos, the spoofed websites serve a Trojan horse. This comes in the form of a ZIP archive containing a deceptively named .exe file, designed to appear as a .jpg or .mp4 file through filename masquerading using Hangul Filler characters. When executed, this file installs a loader with anti-analysis features that disables security tools and establishes persistence on the victim's system. This initial loader is followed by a second-stage payload, which is the PureHVNC remote access trojan (RAT).

The PureHVNC RAT grants attackers remote control over the compromised system and steals sensitive data. It specifically targets browser-stored credentials and session tokens, with a focus on Chromium-based browsers and cryptocurrency wallet extensions like MetaMask and TronLink. Additionally, the RAT uses a plugin to capture screenshots when banking apps or crypto wallets are detected in the foreground. Check Point Research believes that Vietnamese threat actors are likely behind the campaign, as they have historically employed similar Facebook malvertising techniques to distribute stealer malware, capitalizing on the popularity of generative AI tools.

Recommended read:
References :
  • hackread.com: Scammers Use Fake Kling AI Ads to Spread Malware
  • Check Point Blog: Exploiting the AI Boom: How Threat Actors Are Targeting Trust in Generative Platforms like Kling AI
  • gbhackers.com: Malicious Hackers Create Fake AI Tool to Exploit Millions of Users
  • securityonline.info: AI Scam Alert: Fake Kling AI Sites Deploy Infostealer, Hide Executables
  • The Hacker News: Fake Kling AI Facebook ads deliver RAT malware to over 22 million potential victims.
  • blog.checkpoint.com: Exploiting the AI Boom: How Threat Actors Are Targeting Trust in Generative Platforms like Kling AI
  • Virus Bulletin: Check Point's Jaromír HoÅ™ejší analyses a Facebook malvertising campaign that directs the user to a convincing spoof of Kling AI’s websitem
  • securityonline.info: AI Scam Alert: Fake Kling AI Sites Deploy Infostealer, Hide Executables
  • Check Point Research: The Sting of Fake Kling: Facebook Malvertising Lures Victims to Fake AI Generation Website
  • Security Risk Advisors: 🚩 Facebook Malvertising Campaign Impersonates Kling AI to Deliver PureHVNC Stealer via Disguised Executables

@gbhackers.com //
References: cyberpress.org , isc.sans.edu ,
Cybersecurity researchers have recently uncovered a sophisticated malware campaign targeting Windows systems through the exploitation of AutoIT scripts. AutoIT, a scripting language initially designed for Windows automation, has become a popular tool in the malware ecosystem due to its simplicity and ability to interact with various Windows components. This particular campaign stands out for its use of a double layer of AutoIT code and intricate obfuscation techniques, allowing it to evade detection and maintain persistence on infected machines.

The attack begins with a compiled AutoIT executable file named "1. Project & Profit.exe" (SHA256: b5fbae9376db12a3fcbc99e83ccad97c87fb9e23370152d1452768a3676f5aeb). Upon execution, this file downloads an AutoIT interpreter, saving it as "C:\Users\Public\Guard.exe," along with another AutoIT script, stored as "Secure.au3," and a PowerShell script named "PublicProfile.ps1." The "PublicProfile.ps1" script is immediately generated and executed, facilitating further stages of the infection. Persistence is achieved by creating a .url shortcut in the Windows Startup directory, ensuring that a JavaScript file is triggered upon each user login. This JavaScript file then re-executes the AutoIT interpreter with a second-stage script, keeping the malicious processes active.

The second layer of AutoIT code, referred to as script "G," employs heavy obfuscation to hinder analysis. All strings within this script are encoded using a custom function called "Wales," which transforms ASCII values into a readable format only after decoding. An example of this obfuscation is the encoded sequence "80]114]111]99]101]115]115]69]120]105]115]116]115]40]39]97]118]97]115]116]117]105]46]101]120]101]39]41," which, when decoded, reveals "ProcessExists('avastui.exe')." This suggests the malware checks for antivirus processes to potentially avoid detection or alter its behavior. The attack culminates in the execution of a malicious DLL named "Urshqbgpm.dll" by injecting it into a "jsc.exe" process.

Recommended read:
References :
  • cyberpress.org: Hackers Use AutoIT Scripts to Spread Malware on Windows Systems
  • isc.sans.edu: RAT Dropped By Two Layers of AutoIT Code, (Mon, May 19th)
  • gbhackers.com: Hackers Exploit AutoIT Scripts to Deploy Malware Targeting Windows Systems

@securebulletin.com //
A new multi-platform malware campaign is targeting organizations in Southern Europe, specifically Spain, Italy, and Portugal, through sophisticated phishing emails. This campaign leverages weaponized PDF invoices to deliver a Java-based Remote Access Trojan (RAT) known as RATty. The attack begins with emails that bypass SPF/DKIM checks by abusing Spain's serviciodecorreo.es email service, allowing forged sender addresses to appear legitimate. The emails contain a PDF attachment mimicking an invoice from Medinova Health Group, enticing recipients to click a Dropbox link.

This link redirects victims to an HTML file (Fattura.html) that initiates a multi-stage verification process, including a fake CAPTCHA, to further deceive the user. The HTML file then utilizes Ngrok tunneling to dynamically switch content based on the victim's geolocation. If the request originates from Italy, the user is redirected to MediaFire to download a malicious Java Archive (JAR) file named FA-43-03-2025.jar. Users outside of Italy are redirected to benign Google Drive documents, effectively bypassing automated sandboxes typically hosted in cloud regions outside Italy.

The final JAR file contains the RATty malware, a cross-platform Remote Access Trojan that exploits Java's capabilities to grant attackers extensive control over the compromised system. This includes remote command execution, keystroke logging, screenshot capture, and data exfiltration. The attackers may also repackage RATty in MSI installers, further disguising the threat as a software update to increase the odds of user execution. Organizations are advised to update endpoint protection tools to defend against this evolving phishing tactic.

Recommended read:
References :

@poliverso.org //
Chinese-speaking IronHusky hackers are actively targeting government organizations in Russia and Mongolia using an upgraded version of the MysterySnail remote access trojan (RAT) malware. Security researchers at Kaspersky's Global Research and Analysis Team (GReAT) recently discovered this updated implant during investigations into attacks utilizing a malicious MMC script disguised as a Word document. This script downloads second-stage payloads and establishes persistence on compromised systems, indicating a continued focus on espionage and data theft by the APT group.

This new version of MysterySnail RAT includes an intermediary backdoor that facilitates file transfers between command and control servers and infected devices, allowing attackers to execute commands. The IronHusky group is abusing the legitimate piping server (ppng[.]io) to request commands and send back their execution results. This technique helps the attackers to evade detection by blending malicious traffic with normal network activity, highlighting the sophisticated methods employed by the threat actor.

The MysterySnail RAT, initially discovered in 2021, has undergone significant evolution, demonstrating its adaptability and the persistent threat it poses. Despite a period of relative obscurity after initial reports, the RAT has re-emerged with updated capabilities targeting specific geopolitical interests. The continuous refinement and deployment of this malware underscores the ongoing cyber espionage activities carried out by the IronHusky APT group, with a particular focus on Russian and Mongolian government entities.

Recommended read:
References :
  • Securelist: MysterySnail RAT attributed to IronHusky APT group hasn’t been reported since 2021. Recently, Kaspersky GReAT detected new versions of this implant in government organizations in Mongolia and Russia.
  • The DefendOps Diaries: The MysterySnail RAT: An Evolving Cyber Threat
  • BleepingComputer: Chinese-speaking IronHusky hackers are targeting Russian and Mongolian government organizations using upgraded MysterySnail remote access trojan (RAT) malware.
  • Know Your Adversary: 108. Hunting for Node.js Abuse
  • bsky.app: Chinese-speaking IronHusky hackers are targeting Russian and Mongolian government organizations using upgraded MysterySnail remote access trojan (RAT) malware.
  • www.kaspersky.com: Provides threat intelligence about the IronHusky APT group.
  • poliverso.org: IronHusky updates the forgotten MysterySnail RAT to target Russia and Mongolia
  • threatmon.io: Threatpost reports on Chinese APT IronHusky Deploys Updated MysterySnail RAT on Russia
  • hackread.com: Kaspersky researchers report the reappearance of MysterySnail RAT, a malware linked to Chinese IronHusky APT, targeting Mongolia and…
  • securityonline.info: IronHusky APT Resurfaces with Evolved MysterySnail RAT
  • securityonline.info: IronHusky APT Resurfaces with Evolved MysterySnail RAT
  • Talkback Resources: The MysterySnail RAT, linked to Chinese IronHusky APT, has resurfaced targeting government entities in Mongolia and Russia with a new version capable of executing 40 commands for malicious activities and deploying a modified variant named MysteryMonoSnail.
  • securityaffairs.com: Chinese APT IronHusky Deploys Updated MysterySnail RAT on Russia
  • securelist.com: Kaspersky report on IronHusky updates the forgotten MysterySnail RAT
  • www.scworld.com: Stealthy multi-stage malware attack, updated MysterySnail RAT uncovered
  • securityaffairs.com: Malicious payloads have been distributed as part of a new covert multi-stage intrusion while Chinese advanced persistent threat operation IronHusky has been targeting Russian and Mongolian government entities with an upgraded MysterySnail RAT variant, reports The Hacker News.

@www.infosecurity-magazine.com //
References: gbhackers.com , securityonline.info , ...
Attackers are exploiting user familiarity with CAPTCHAs to distribute the Lumma Stealer RAT (Remote Access Trojan) via malicious PowerShell commands, according to recent findings. These campaigns involve tricking users into running PowerShell commands that ultimately install the Lumma Stealer. Attackers direct potential victims to attacker-controlled sites and prompt them to complete fake authentication challenges. These challenges often involve directing potential victims to malicious websites where they are prompted to complete verification steps, but instead of a CAPTCHA, it instructs them to press Windows + R and run a PowerShell command—under the false pretense of running “Windows Defender.”

These attacks leverage weaponized CAPTCHAs, with users being directed to malicious websites where they are prompted to complete verification steps. Upon completing these steps, users inadvertently copy and run PowerShell scripts that download and install malware, such as the Lumma Stealer. This allows the attackers to steal sensitive data like cryptocurrency wallets. The exploitation involves fake Cloudflare verification prompts, which lead users to execute malicious PowerShell commands to install the LummaStealer Trojan through infected WordPress sites, posing a significant threat.

Recommended read:
References :
  • gbhackers.com: Attackers Leverage Weaponized CAPTCHAs to Execute PowerShell and Deploy Malware
  • securityonline.info: Fake Cloudflare Verification Prompts Deliver LummaStealer Trojan Through Infected WordPress Sites
  • www.cisecurity.org: Active Lumma Stealer Campaign Impacting U.S. SLTTs
  • : Attackers Use Fake CAPTCHAs to Deploy Lumma Stealer RAT

do son@securityonline.info //
Cybercriminals are actively exploiting the Signal messaging application to distribute an information-stealing Remote Access Trojan (RAT), raising serious privacy concerns. According to a recently published report, a cybercriminal group identified as UNC-200 is behind the campaign, which involves targeting high-value individuals within Ukraine's defense sector. The Computer Emergency Response Team of Ukraine (CERT-UA) has issued warnings about this campaign, which utilizes the Dark Crystal RAT (aka DCRat) to compromise systems.

This malicious activity involves distributing messages via Signal that contain what appears to be meeting minutes. These messages are sent from compromised accounts to enhance credibility, enticing unsuspecting users to download malicious archive files. The archives contain a decoy PDF and an executable that deploys the DCRat malware, giving attackers remote access and control, stealing valuable information and executing arbitrary commands. CERT-UA attributes this activity to UAC-0200, active since summer 2024, who noted that the use of popular messengers increases the attack surface, including due to the creation of uncontrolled information exchange channels.

Recommended read:
References :
  • cyberinsider.com: Ukraine Warns Signal Used for Spreading RATs on High-Value Targets
  • securityonline.info: CERT-UA Alert: DarkCrystal RAT Deployed via Signal in Ukraine
  • SOC Prime Blog: Detect UAC-0200 Attacks Using DarkCrystal RAT
  • The DefendOps Diaries: Russian Cyber Espionage Targets Ukrainian Military via Signal
  • BleepingComputer: Ukrainian military targeted in new Signal spear-phishing attacks
  • BleepingComputer: Ukraine's Computer Emergency Response Team (CERT-UA) is warning about highly targeted attacks employing compromised Signal accounts to send malware to employees of defense industry firms and members of the country's army forces.
  • securityaffairs.com: CERT-UA warns of cyber espionage against the Ukrainian defense industry using Dark Crystal RAT
  • The Hacker News: CERT-UA Warns: Dark Crystal RAT Targets Ukrainian Defense via Malicious Signal Messages
  • BleepingComputer: Ukraine's Computer Emergency Response Team (CERT-UA) is warning about highly targeted attacks employing compromised Signal accounts to send malware to employees of defense industry firms and members of the country's army forces.
  • Sam Bent: Report: Cybercriminals Leverage Signal App to Deploy Info-Stealing RAT, Raising Privacy Concerns
  • bsky.app: CERT-UA warns of cyber espionage against the Ukrainian defense industry using Dark Crystal RAT
  • www.scworld.com: Attackers, tracked under the UAC-0200 threat cluster, leveraged the Signal messaging app to deliver messages purportedly containing minutes of the meeting reports as archive files.

Microsoft Incident@Microsoft Security Blog //
Microsoft's Incident Response team has uncovered a novel remote access trojan (RAT) named StilachiRAT, which employs sophisticated techniques to evade detection and steal sensitive data. Discovered in November 2024, StilachiRAT demonstrates advanced methods to remain undetected, persist in the targeted environment, and exfiltrate valuable information. The malware is capable of gathering system information, stealing credentials stored in browsers, targeting cryptocurrency wallets, and using command-and-control connectivity for remote execution.

The RAT scans for configuration data of 20 different cryptocurrency wallet extensions for the Google Chrome browser and extracts credentials from the browser, indicating its focus on cryptocurrency theft and credential compromise. It establishes communication with remote command-and-control (C2) servers to execute commands, manipulate registry settings, and clear logs, making it challenging to detect and remove. Microsoft advises users to download software from official sources, use web browsers with SmartScreen support, and enable Safe Links and Safe Attachments for Office 365 to prevent StilachiRAT infections.

Recommended read:
References :
  • bsky.app: ​Microsoft has discovered a new remote access trojan (RAT) that employs "sophisticated techniques" to avoid detection, ensure persistence, and extract sensitive information data.
  • BleepingComputer: Microsoft: New RAT malware used for crypto theft, reconnaissance
  • Microsoft Security Blog: StilachiRAT analysis: From system reconnaissance to cryptocurrency theft
  • BleepingComputer: Microsoft has discovered a new remote access trojan (RAT) that employs "sophisticated techniques" to avoid detection, ensure persistence, and extract sensitive information data.
  • hackread.com: StilachiRAT: Sophisticated malware targets crypto wallets & credentials. Undetected, it maps systems & steals data. Microsoft advises strong security measures.
  • Virus Bulletin: Microsoft researchers uncovered a novel remote access trojan (RAT) named StilachiRAT that demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data.
  • securityaffairs.com: New StilachiRAT uses sophisticated techniques to avoid detection
  • The DefendOps Diaries: Understanding StilachiRAT: A New Cyber Threat Targeting Cryptocurrency
  • CyberInsider: Microsoft Uncovers New Stealthy Malware ‘StilachiRAT’ Targeting User Data
  • The Hacker News: Microsoft Warns of StilachiRAT: A Stealthy RAT Targeting Credentials and Crypto Wallets
  • The Hacker News: Microsoft Warns of StilachiRAT: A Stealthy RAT Targeting Credentials and Crypto Wallets
  • Tech Monitor: New remote access trojan ‘StilachiRAT’ identified
  • Help Net Security: Stealthy StilachiRAT steals data, may enable lateral movement
  • www.techradar.com: Microsoft warns of a devious new RAT malware which can avoid detection with apparent ease
  • The Record: A previously unreported remote access trojan that Microsoft researchers dubbed StilachiRAT is designed to steal a wide range of data, including information about cryptocurrency wallet extensions for Google's Chrome browser.
  • Blog: New ‘StilachiRAT’ found scurrying in crypto wallets
  • BleepingComputer: Detailed technical analysis of the StilachiRAT malware and its operational capabilities.
  • securityonline.info: Microsoft Uncovers Sophisticated StilachiRAT Malware
  • Sophos X-Ops: Microsoft has discovered a new remote access trojan (RAT) dubbed StilachiRAT, which uses sophisticated techniques to avoid detection.
  • Cyber Security News: Microsoft has recently issued a warning about a novel remote access trojan (RAT) known as StilachiRAT, which has been discovered to possess sophisticated capabilities for evading detection and stealing sensitive data. This malware was identified by Microsoft Incident Response researchers in November 2024 and is notable for its ability to target Remote Desktop Protocol (RDP) […] The post appeared first on .