CyberSecurity news

FlagThis - #remoteaccesstrojan

@research.checkpoint.com //
A sophisticated cyberattack campaign is exploiting the popularity of the generative AI service Kling AI to distribute malware through fake Facebook ads. Check Point Research uncovered the campaign, which began in early 2025. The attackers created convincing spoof websites mimicking Kling AI's interface, luring users with the promise of AI-generated content. These deceptive sites, promoted via at least 70 sponsored posts on fake Facebook pages, ultimately trick users into downloading malicious files.

Instead of delivering the promised AI-generated images or videos, the spoofed websites serve a Trojan horse. This comes in the form of a ZIP archive containing a deceptively named .exe file, designed to appear as a .jpg or .mp4 file through filename masquerading using Hangul Filler characters. When executed, this file installs a loader with anti-analysis features that disables security tools and establishes persistence on the victim's system. This initial loader is followed by a second-stage payload, which is the PureHVNC remote access trojan (RAT).

The PureHVNC RAT grants attackers remote control over the compromised system and steals sensitive data. It specifically targets browser-stored credentials and session tokens, with a focus on Chromium-based browsers and cryptocurrency wallet extensions like MetaMask and TronLink. Additionally, the RAT uses a plugin to capture screenshots when banking apps or crypto wallets are detected in the foreground. Check Point Research believes that Vietnamese threat actors are likely behind the campaign, as they have historically employed similar Facebook malvertising techniques to distribute stealer malware, capitalizing on the popularity of generative AI tools.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • hackread.com: Scammers Use Fake Kling AI Ads to Spread Malware
  • Check Point Blog: Exploiting the AI Boom: How Threat Actors Are Targeting Trust in Generative Platforms like Kling AI
  • gbhackers.com: Malicious Hackers Create Fake AI Tool to Exploit Millions of Users
  • securityonline.info: AI Scam Alert: Fake Kling AI Sites Deploy Infostealer, Hide Executables
  • The Hacker News: Fake Kling AI Facebook ads deliver RAT malware to over 22 million potential victims.
  • blog.checkpoint.com: Exploiting the AI Boom: How Threat Actors Are Targeting Trust in Generative Platforms like Kling AI
  • Virus Bulletin: Check Point's Jaromír HoÅ™ejší analyses a Facebook malvertising campaign that directs the user to a convincing spoof of Kling AI’s websitem
  • securityonline.info: AI Scam Alert: Fake Kling AI Sites Deploy Infostealer, Hide Executables
  • Check Point Research: The Sting of Fake Kling: Facebook Malvertising Lures Victims to Fake AI Generation Website
  • Security Risk Advisors: 🚩 Facebook Malvertising Campaign Impersonates Kling AI to Deliver PureHVNC Stealer via Disguised Executables
Classification:
  • HashTags: #Malvertising #AI #RemoteAccessTrojan
  • Company: Google, Checkpoint
  • Target: Facebook users
  • Product: Kling AI
  • Feature: Malvertising
  • Malware: Remote Access Trojan
  • Type: Malware
  • Severity: Major
TIGR Threat@Security Risk Advisors //
A supply chain attack has successfully compromised the 'rand-user-agent' npm package, injecting obfuscated code designed to activate a remote access trojan (RAT) on unsuspecting users' systems. This JavaScript library, used for generating randomized user-agent strings beneficial for web scraping and automated testing, has been averaging 45,000 weekly downloads despite being deprecated. The malicious activity was detected by an automated malware analysis pipeline on May 5, 2025, which flagged the [email protected] version for containing unusual code indicative of a supply chain attack.

The injected RAT was designed to establish a persistent connection with a command and control (C2) server at http://85.239.62[.]36:3306. Upon activation, the RAT transmits critical machine identification data, including hostname, username, operating system type, and a generated UUID, enabling attackers to uniquely identify and manage compromised systems. Once connected, the RAT listens for commands from the C2 server, allowing attackers to manipulate the file system, execute arbitrary shell commands, and exfiltrate data from affected systems.

Researchers at Aikido noted that threat actors exploited the package's semi-abandoned but still popular status to inject malicious code into unauthorized releases. The compromised versions of the package were promptly removed from the npm repository. Users are advised to check their systems for any installations of the compromised package and implement robust security practices to mitigate the risk of similar supply chain attacks. This incident underscores the critical importance of vigilant monitoring and dependency management in software development to protect against supply chain vulnerabilities.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • bsky.app: A threat actor has compromised the rand-user-agent JavaScript library and released a malicious version containing a remote access trojan.
  • BleepingComputer: An npm package named 'rand-user-agent' has been compromised in a supply chain attack to inject obfuscated code that activates a remote access trojan (RAT) on the user's system.
  • The DefendOps Diaries: Understanding the Supply Chain Attack on 'rand-user-agent' npm Package
  • www.bleepingcomputer.com: An npm package named 'rand-user-agent' has been compromised in a supply chain attack to inject obfuscated code that activates a remote access trojan (RAT) on the user's system.
  • Secure Bulletin: Malicious npm packages hijack macOS Cursor AI IDE
  • Security Risk Advisors: Malicious npm Packages Target macOS Cursor Editor and Cryptocurrency Users in Coordinated Supply Chain Attacks
  • The Hacker News: Malicious npm Packages Infect 3,200+ Cursor Users With Backdoor, Steal Credentials
  • Security Risk Advisors: RATatouille RAT Discovered in Compromised rand-user-agent NPM Package Affecting Thousands of Weekly Downloads
  • BleepingComputer: An npm package named 'rand-user-agent' has been compromised in a supply chain attack to inject obfuscated code that activates a remote access trojan (RAT) on the user's system.
  • socket.dev: Malicious #npm packages targeting #Cursor editor and #crypto users steal credentials and execute remote code. #cybersecurity #supplychain
Classification:
@socket.dev //
A malicious Python package named 'discordpydebug' has been discovered on the Python Package Index (PyPI) repository, posing a significant threat to Discord developers. The package, disguised as a simple utility for debugging Discord bots, actually contains a remote access trojan (RAT). This RAT allows attackers to execute commands and exfiltrate data from infected systems via a covert command-and-control (C2) channel. The 'discordpydebug' package was uploaded on March 21, 2022, and has since been downloaded over 11,000 times, putting numerous developer systems at risk.

The 'discordpydebug' package targets developers who build or maintain Discord bots. The attackers took advantage of the fact that PyPI doesn't enforce strict security audits, misleading developers with a legitimate-sounding name and copying code from popular projects to appear trustworthy. The package establishes communication with an attacker-controlled server at "backstabprotection.jamesx123.repl[.]co", and includes features to read and write arbitrary files based on commands received from the server, along with the ability to run shell commands.

The simplicity of the RAT is what makes it effective. The package avoids inbound connections, instead opting for outbound HTTP polling to bypass firewalls and security monitoring tools, especially in less controlled development environments. This discovery highlights the increasing danger of software supply chain attacks and the importance of vigilance when installing packages from open-source repositories. The Socket Research Team urges developers to be cautious and scrutinize any third-party tools or code snippets shared within the Discord developer community.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • socket.dev: Malicious PyPI Package Targets Discord Developers with Remote Access Trojan
  • The Hacker News: Researchers Uncover Malware in Fake Discord PyPI Package Downloaded 11,500+ Times
  • www.scworld.com: RAT-laced PyPI package sets sights on Discord developers
  • thecyberexpress.com: Article highlighting the malicious discord developer package and its purpose
  • Security Risk Advisors: Malicious PyPI package "discordpydebug" targets Discord developers with remote access trojan. Over 11K downloads enables arbitrary command execution and data theft.
  • www.bleepingcomputer.com: Malicious Python package targeting Discord developers with remote access trojan (RAT) malware was spotted on the Python Package Index (PyPI) after more than three years.
Classification: