CyberSecurity news

FlagThis - #rat

Microsoft Incident@Microsoft Security Blog // 19d
Microsoft's Incident Response team has uncovered a novel remote access trojan (RAT) named StilachiRAT, which employs sophisticated techniques to evade detection and steal sensitive data. Discovered in November 2024, StilachiRAT demonstrates advanced methods to remain undetected, persist in the targeted environment, and exfiltrate valuable information. The malware is capable of gathering system information, stealing credentials stored in browsers, targeting cryptocurrency wallets, and using command-and-control connectivity for remote execution.

The RAT scans for configuration data of 20 different cryptocurrency wallet extensions for the Google Chrome browser and extracts credentials from the browser, indicating its focus on cryptocurrency theft and credential compromise. It establishes communication with remote command-and-control (C2) servers to execute commands, manipulate registry settings, and clear logs, making it challenging to detect and remove. Microsoft advises users to download software from official sources, use web browsers with SmartScreen support, and enable Safe Links and Safe Attachments for Office 365 to prevent StilachiRAT infections.

References:
  • bsky.app: ​Microsoft has discovered a new remote access trojan (RAT) that employs "sophisticated techniques" to avoid detection, ensure persistence, and extract sensitive information data.
  • BleepingComputer: Microsoft: New RAT malware used for crypto theft, reconnaissance
  • Microsoft Security Blog: StilachiRAT analysis: From system reconnaissance to cryptocurrency theft
  • BleepingComputer: Microsoft has discovered a new remote access trojan (RAT) that employs "sophisticated techniques" to avoid detection, ensure persistence, and extract sensitive information data.
  • hackread.com: StilachiRAT: Sophisticated malware targets crypto wallets & credentials. Undetected, it maps systems & steals data. Microsoft advises strong security measures.
  • Virus Bulletin: Microsoft researchers uncovered a novel remote access trojan (RAT) named StilachiRAT that demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data.
  • securityaffairs.com: New StilachiRAT uses sophisticated techniques to avoid detection
  • The DefendOps Diaries: Understanding StilachiRAT: A New Cyber Threat Targeting Cryptocurrency
  • CyberInsider: Microsoft Uncovers New Stealthy Malware ‘StilachiRAT’ Targeting User Data
  • The Hacker News: Microsoft Warns of StilachiRAT: A Stealthy RAT Targeting Credentials and Crypto Wallets
  • Tech Monitor: New remote access trojan ‘StilachiRAT’ identified
  • Help Net Security: Stealthy StilachiRAT steals data, may enable lateral movement
  • www.techradar.com: Microsoft warns of a devious new RAT malware which can avoid detection with apparent ease
  • The Record: A previously unreported remote access trojan that Microsoft researchers dubbed StilachiRAT is designed to steal a wide range of data, including information about cryptocurrency wallet extensions for Google's Chrome browser.
  • Blog: New ‘StilachiRAT’ found scurrying in crypto wallets
  • BleepingComputer: Detailed technical analysis of the StilachiRAT malware and its operational capabilities.
  • securityonline.info: Microsoft Uncovers Sophisticated StilachiRAT Malware
  • Sophos X-Ops: Microsoft has discovered a new remote access trojan (RAT) dubbed StilachiRAT, which uses sophisticated techniques to avoid detection.
  • Cyber Security News: Microsoft has recently issued a warning about a novel remote access trojan (RAT) known as StilachiRAT, which has been discovered to possess sophisticated capabilities for evading detection and stealing sensitive data. This malware was identified by Microsoft Incident Response researchers in November 2024 and is notable for its ability to target Remote Desktop Protocol (RDP) […]

do son@securityonline.info // 17d
Cybercriminals are actively exploiting the Signal messaging application to distribute an information-stealing Remote Access Trojan (RAT), raising serious privacy concerns. According to a recently published report, a threat cluster identified as UAC-0200 is behind the campaign, which targets high-value individuals within Ukraine's defense sector. The Computer Emergency Response Team of Ukraine (CERT-UA) has issued warnings about this campaign, which uses the Dark Crystal RAT (aka DCRat) to compromise systems.

The campaign distributes Signal messages that appear to contain meeting minutes. The messages are sent from compromised accounts to lend them credibility and entice recipients into downloading malicious archive files. Each archive contains a decoy PDF and an executable that deploys the DCRat malware, giving the attackers remote access and control, the ability to steal valuable information, and the ability to execute arbitrary commands. CERT-UA attributes the activity to UAC-0200, active since summer 2024, and notes that the use of popular messengers expands the attack surface, in part by creating uncontrolled information exchange channels.

References:
  • cyberinsider.com: Ukraine Warns Signal Used for Spreading RATs on High-Value Targets
  • securityonline.info: CERT-UA Alert: DarkCrystal RAT Deployed via Signal in Ukraine
  • SOC Prime Blog: Detect UAC-0200 Attacks Using DarkCrystal RAT
  • The DefendOps Diaries: Russian Cyber Espionage Targets Ukrainian Military via Signal
  • BleepingComputer: Ukrainian military targeted in new Signal spear-phishing attacks
  • BleepingComputer: Ukraine's Computer Emergency Response Team (CERT-UA) is warning about highly targeted attacks employing compromised Signal accounts to send malware to employees of defense industry firms and members of the country's army forces.
  • securityaffairs.com: CERT-UA warns of cyber espionage against the Ukrainian defense industry using Dark Crystal RAT
  • The Hacker News: CERT-UA Warns: Dark Crystal RAT Targets Ukrainian Defense via Malicious Signal Messages
  • Sam Bent: Report: Cybercriminals Leverage Signal App to Deploy Info-Stealing RAT, Raising Privacy Concerns
  • bsky.app: CERT-UA warns of cyber espionage against the Ukrainian defense industry using Dark Crystal RAT
  • www.scworld.com: Attackers, tracked under the UAC-0200 threat cluster, leveraged the Signal messaging app to deliver messages purportedly containing minutes of the meeting reports as archive files.

@www.infosecurity-magazine.com // 14d
Attackers are exploiting user familiarity with CAPTCHAs to distribute the Lumma Stealer RAT (Remote Access Trojan) via malicious PowerShell commands, according to recent findings. These campaigns trick users into running PowerShell commands that ultimately install the Lumma Stealer. Attackers direct potential victims to attacker-controlled sites and prompt them to complete a fake authentication challenge; instead of a real CAPTCHA, the page instructs them to press Windows + R and run a PowerShell command, under the false pretense that this is part of running "Windows Defender".

Because the user copies and runs the command themselves, the weaponized CAPTCHA turns the victim into the delivery mechanism: the pasted PowerShell script downloads and installs malware such as the Lumma Stealer, which then harvests sensitive data including cryptocurrency wallets. One observed variant uses fake Cloudflare verification prompts served from infected WordPress sites to lead users into executing the malicious PowerShell commands that install the LummaStealer trojan, making the lure convincing and the threat significant.

References:
  • gbhackers.com: Attackers Leverage Weaponized CAPTCHAs to Execute PowerShell and Deploy Malware
  • securityonline.info: Fake Cloudflare Verification Prompts Deliver LummaStealer Trojan Through Infected WordPress Sites
  • : Attackers Use Fake CAPTCHAs to Deploy Lumma Stealer RAT
  • www.cisecurity.org: Active Lumma Stealer Campaign Impacting U.S. SLTTs

@www.bleepingcomputer.com // 69d
A sophisticated cyberattack has successfully targeted low-skilled hackers, often referred to as "script kiddies," by using a modified version of the XWorm RAT builder. This fake builder, disguised as a tool for penetration testing, secretly infects the users' systems with a backdoor, which allowed the attacker to compromise over 18,000 devices worldwide. The malware was distributed via various channels including file-sharing services, GitHub repositories, Telegram channels, and even YouTube. Once installed, the malicious software exfiltrated sensitive data such as browser credentials, Discord tokens, Telegram data, and system information.

The campaign highlights the risks faced even by those attempting to engage in hacking activities. Threat actors, using aliases such as "@shinyenigma" and "@milleniumrat", have taken advantage of the eagerness of these individuals to download and use tools from online tutorials. The infected machines are located in Russia, the United States, India, Ukraine, and Turkey. The malicious tool uses Telegram for its command and control, relying on bot tokens and Telegram API calls. Security researchers have identified a kill switch to disrupt operations on active devices, though its effect is limited by offline machines and rate-limiting mechanisms.

References:
  • www.bleepingcomputer.com: A threat actor targeted low-skilled hackers, known as "script kiddies," with a fake malware builder that secretly infected them with a backdoor to steal data and take over computers
  • bsky.app: Over 18,000 users infected themselves with a backdoor after they downloaded a cracked malware builder
  • hackread.com: Hackers Use XWorm RAT to Exploit Script Kiddies, Pwning 18,000 Devices
  • www.cloudsek.com: Over 18,000 users infected themselves with a backdoor after they downloaded a cracked malware builder
  • Cyber Security News: Weaponized XWorm RAT Builder Targeting Script Kiddies to Extract Sensitive Data
  • gbhackers.com: Weaponised XWorm RAT Builder Attacking Script Kiddies To Hack 18,000 Devices
  • cyberpress.org: Weaponized XWorm RAT Builder Targeting Script Kiddies to Extract Sensitive Data
  • www.scworld.com: XWorm RAT builder leveraged for widespread device compromise

@www.esentire.com // 54d
The eSentire Threat Intelligence team has observed a significant surge in the use of the NetSupport Remote Access Trojan (RAT) since January 2025. This increase is linked to attacks utilizing the emerging "ClickFix" initial access vector, a social engineering technique where users are tricked into executing malicious PowerShell commands. This RAT grants attackers full control over compromised systems, enabling them to monitor screens, control input devices like keyboard and mouse, upload and download files, and execute further malicious commands.

This surge includes a malvertising campaign distributing a fake Cisco AnyConnect installer containing the NetSupport RAT. The RAT is a weaponized version of NetSupport Manager, a legitimate IT support tool sold since 1989, which cybercriminals have repurposed for remote control of victims. If left undetected, NetSupport RAT can lead to advanced threats, including ransomware attacks, compromise of sensitive data, and disruption of business operations. Organizations are advised to validate their security controls and educate users on common initial access techniques such as ClickFix.

eSentire MDR for Network and Endpoint detects NetSupport RAT activity, and the eSentire Threat Response Unit is performing threat hunts for known Indicators of Compromise across customer environments. IP addresses associated with real-world attacks are blocked via the eSentire Global Block List, and additional Indicators of Compromise have been added to the eSentire Threat Intelligence Feed. The eSentire Tactical Threat Response (TTR) team has developed detections for the ClickFix initial access vector (IAV) in eSentire MDR for Network.

References:
  • gbhackers.com: The eSentire Threat Response Unit (TRU) has reported a significant rise in incidents involving the NetSupport Remote Access Trojan (RAT) since January 2025.
  • securityonline.info: A new malvertising campaign is distributing a fake Cisco AnyConnect installer that delivers the NetSupport RAT Trojan.
  • www.esentire.com: The eSentire Threat Intelligence team observed a notable spike in the use of NetSupport RAT in multiple recent incidents. The increase was observed in attacks that involved the emerging "ClickFix" initial access vector.
  • gbhackers.com: NetSupport RAT Grant Attackers Full Access to Victims Systems
  • Virus Bulletin: The eSentire Threat Intelligence team observed a notable spike in the use of NetSupport RAT in multiple recent incidents.
  • The Hacker News: Threat Actors Exploit ClickFix to Deploy NetSupport RAT in Latest Cyber Attacks - The Hacker News