CyberSecurity news

FlagThis - #remoteaccesstrojan

@research.checkpoint.com //
A sophisticated cyberattack campaign is exploiting the popularity of the generative AI service Kling AI to distribute malware through fake Facebook ads. Check Point Research uncovered the campaign, which began in early 2025. The attackers created convincing spoof websites mimicking Kling AI's interface, luring users with the promise of AI-generated content. These deceptive sites, promoted via at least 70 sponsored posts on fake Facebook pages, ultimately trick users into downloading malicious files.

Instead of delivering the promised AI-generated images or videos, the spoofed websites serve a Trojan horse. This comes in the form of a ZIP archive containing a deceptively named .exe file, designed to appear as a .jpg or .mp4 file through filename masquerading using Hangul Filler characters. When executed, this file installs a loader with anti-analysis features that disables security tools and establishes persistence on the victim's system. This initial loader is followed by a second-stage payload, which is the PureHVNC remote access trojan (RAT).

The PureHVNC RAT grants attackers remote control over the compromised system and steals sensitive data. It specifically targets browser-stored credentials and session tokens, with a focus on Chromium-based browsers and cryptocurrency wallet extensions like MetaMask and TronLink. Additionally, the RAT uses a plugin to capture screenshots when banking apps or crypto wallets are detected in the foreground. Check Point Research believes that Vietnamese threat actors are likely behind the campaign, as they have historically employed similar Facebook malvertising techniques to distribute stealer malware, capitalizing on the popularity of generative AI tools.

Recommended read:
References :
  • hackread.com: Scammers Use Fake Kling AI Ads to Spread Malware
  • Check Point Blog: Exploiting the AI Boom: How Threat Actors Are Targeting Trust in Generative Platforms like Kling AI
  • gbhackers.com: Malicious Hackers Create Fake AI Tool to Exploit Millions of Users
  • securityonline.info: AI Scam Alert: Fake Kling AI Sites Deploy Infostealer, Hide Executables
  • The Hacker News: Fake Kling AI Facebook ads deliver RAT malware to over 22 million potential victims.
  • blog.checkpoint.com: Exploiting the AI Boom: How Threat Actors Are Targeting Trust in Generative Platforms like Kling AI
  • Virus Bulletin: Check Point's Jaromír HoÅ™ejší analyses a Facebook malvertising campaign that directs the user to a convincing spoof of Kling AI’s websitem
  • securityonline.info: AI Scam Alert: Fake Kling AI Sites Deploy Infostealer, Hide Executables
  • Check Point Research: The Sting of Fake Kling: Facebook Malvertising Lures Victims to Fake AI Generation Website
  • Security Risk Advisors: 🚩 Facebook Malvertising Campaign Impersonates Kling AI to Deliver PureHVNC Stealer via Disguised Executables

TIGR Threat@Security Risk Advisors //
A supply chain attack has successfully compromised the 'rand-user-agent' npm package, injecting obfuscated code designed to activate a remote access trojan (RAT) on unsuspecting users' systems. This JavaScript library, used for generating randomized user-agent strings beneficial for web scraping and automated testing, has been averaging 45,000 weekly downloads despite being deprecated. The malicious activity was detected by an automated malware analysis pipeline on May 5, 2025, which flagged the [email protected] version for containing unusual code indicative of a supply chain attack.

The injected RAT was designed to establish a persistent connection with a command and control (C2) server at http://85.239.62[.]36:3306. Upon activation, the RAT transmits critical machine identification data, including hostname, username, operating system type, and a generated UUID, enabling attackers to uniquely identify and manage compromised systems. Once connected, the RAT listens for commands from the C2 server, allowing attackers to manipulate the file system, execute arbitrary shell commands, and exfiltrate data from affected systems.

Researchers at Aikido noted that threat actors exploited the package's semi-abandoned but still popular status to inject malicious code into unauthorized releases. The compromised versions of the package were promptly removed from the npm repository. Users are advised to check their systems for any installations of the compromised package and implement robust security practices to mitigate the risk of similar supply chain attacks. This incident underscores the critical importance of vigilant monitoring and dependency management in software development to protect against supply chain vulnerabilities.

Recommended read:
References :
  • bsky.app: A threat actor has compromised the rand-user-agent JavaScript library and released a malicious version containing a remote access trojan.
  • BleepingComputer: An npm package named 'rand-user-agent' has been compromised in a supply chain attack to inject obfuscated code that activates a remote access trojan (RAT) on the user's system.
  • The DefendOps Diaries: Understanding the Supply Chain Attack on 'rand-user-agent' npm Package
  • www.bleepingcomputer.com: An npm package named 'rand-user-agent' has been compromised in a supply chain attack to inject obfuscated code that activates a remote access trojan (RAT) on the user's system.
  • Secure Bulletin: Malicious npm packages hijack macOS Cursor AI IDE
  • Security Risk Advisors: Malicious npm Packages Target macOS Cursor Editor and Cryptocurrency Users in Coordinated Supply Chain Attacks
  • The Hacker News: Malicious npm Packages Infect 3,200+ Cursor Users With Backdoor, Steal Credentials
  • Security Risk Advisors: RATatouille RAT Discovered in Compromised rand-user-agent NPM Package Affecting Thousands of Weekly Downloads
  • BleepingComputer: An npm package named 'rand-user-agent' has been compromised in a supply chain attack to inject obfuscated code that activates a remote access trojan (RAT) on the user's system.
  • socket.dev: Malicious #npm packages targeting #Cursor editor and #crypto users steal credentials and execute remote code. #cybersecurity #supplychain

@socket.dev //
A malicious Python package named 'discordpydebug' has been discovered on the Python Package Index (PyPI) repository, posing a significant threat to Discord developers. The package, disguised as a simple utility for debugging Discord bots, actually contains a remote access trojan (RAT). This RAT allows attackers to execute commands and exfiltrate data from infected systems via a covert command-and-control (C2) channel. The 'discordpydebug' package was uploaded on March 21, 2022, and has since been downloaded over 11,000 times, putting numerous developer systems at risk.

The 'discordpydebug' package targets developers who build or maintain Discord bots. The attackers took advantage of the fact that PyPI doesn't enforce strict security audits, misleading developers with a legitimate-sounding name and copying code from popular projects to appear trustworthy. The package establishes communication with an attacker-controlled server at "backstabprotection.jamesx123.repl[.]co", and includes features to read and write arbitrary files based on commands received from the server, along with the ability to run shell commands.

The simplicity of the RAT is what makes it effective. The package avoids inbound connections, instead opting for outbound HTTP polling to bypass firewalls and security monitoring tools, especially in less controlled development environments. This discovery highlights the increasing danger of software supply chain attacks and the importance of vigilance when installing packages from open-source repositories. The Socket Research Team urges developers to be cautious and scrutinize any third-party tools or code snippets shared within the Discord developer community.

Recommended read:
References :
  • socket.dev: Malicious PyPI Package Targets Discord Developers with Remote Access Trojan
  • The Hacker News: Researchers Uncover Malware in Fake Discord PyPI Package Downloaded 11,500+ Times
  • www.scworld.com: RAT-laced PyPI package sets sights on Discord developers
  • thecyberexpress.com: Article highlighting the malicious discord developer package and its purpose
  • Security Risk Advisors: Malicious PyPI package "discordpydebug" targets Discord developers with remote access trojan. Over 11K downloads enables arbitrary command execution and data theft.
  • www.bleepingcomputer.com: Malicious Python package targeting Discord developers with remote access trojan (RAT) malware was spotted on the Python Package Index (PyPI) after more than three years.

Microsoft Incident@Microsoft Security Blog //
Microsoft's Incident Response team has uncovered a novel remote access trojan (RAT) named StilachiRAT, which employs sophisticated techniques to evade detection and steal sensitive data. Discovered in November 2024, StilachiRAT demonstrates advanced methods to remain undetected, persist in the targeted environment, and exfiltrate valuable information. The malware is capable of gathering system information, stealing credentials stored in browsers, targeting cryptocurrency wallets, and using command-and-control connectivity for remote execution.

The RAT scans for configuration data of 20 different cryptocurrency wallet extensions for the Google Chrome browser and extracts credentials from the browser, indicating its focus on cryptocurrency theft and credential compromise. It establishes communication with remote command-and-control (C2) servers to execute commands, manipulate registry settings, and clear logs, making it challenging to detect and remove. Microsoft advises users to download software from official sources, use web browsers with SmartScreen support, and enable Safe Links and Safe Attachments for Office 365 to prevent StilachiRAT infections.

Recommended read:
References :
  • bsky.app: ​Microsoft has discovered a new remote access trojan (RAT) that employs "sophisticated techniques" to avoid detection, ensure persistence, and extract sensitive information data.
  • BleepingComputer: Microsoft: New RAT malware used for crypto theft, reconnaissance
  • Microsoft Security Blog: StilachiRAT analysis: From system reconnaissance to cryptocurrency theft
  • BleepingComputer: Microsoft has discovered a new remote access trojan (RAT) that employs "sophisticated techniques" to avoid detection, ensure persistence, and extract sensitive information data.
  • hackread.com: StilachiRAT: Sophisticated malware targets crypto wallets & credentials. Undetected, it maps systems & steals data. Microsoft advises strong security measures.
  • Virus Bulletin: Microsoft researchers uncovered a novel remote access trojan (RAT) named StilachiRAT that demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data.
  • securityaffairs.com: New StilachiRAT uses sophisticated techniques to avoid detection
  • The DefendOps Diaries: Understanding StilachiRAT: A New Cyber Threat Targeting Cryptocurrency
  • CyberInsider: Microsoft Uncovers New Stealthy Malware ‘StilachiRAT’ Targeting User Data
  • The Hacker News: Microsoft Warns of StilachiRAT: A Stealthy RAT Targeting Credentials and Crypto Wallets
  • The Hacker News: Microsoft Warns of StilachiRAT: A Stealthy RAT Targeting Credentials and Crypto Wallets
  • Tech Monitor: New remote access trojan ‘StilachiRAT’ identified
  • Help Net Security: Stealthy StilachiRAT steals data, may enable lateral movement
  • www.techradar.com: Microsoft warns of a devious new RAT malware which can avoid detection with apparent ease
  • The Record: A previously unreported remote access trojan that Microsoft researchers dubbed StilachiRAT is designed to steal a wide range of data, including information about cryptocurrency wallet extensions for Google's Chrome browser.
  • Blog: New ‘StilachiRAT’ found scurrying in crypto wallets
  • BleepingComputer: Detailed technical analysis of the StilachiRAT malware and its operational capabilities.
  • securityonline.info: Microsoft Uncovers Sophisticated StilachiRAT Malware
  • Sophos X-Ops: Microsoft has discovered a new remote access trojan (RAT) dubbed StilachiRAT, which uses sophisticated techniques to avoid detection.
  • Cyber Security News: Microsoft has recently issued a warning about a novel remote access trojan (RAT) known as StilachiRAT, which has been discovered to possess sophisticated capabilities for evading detection and stealing sensitive data. This malware was identified by Microsoft Incident Response researchers in November 2024 and is notable for its ability to target Remote Desktop Protocol (RDP) […] The post appeared first on .