Remote Access Trojan | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have discovered five distinct activity clusters linked to a persistent threat actor known as Blind Eagle between May 2024 and July 2025. These attacks, observed by Recorded Future Insikt Group, targeted various victims, but primarily within the Colombian government across local, municipal, and federal levels. The threat intelligence firm is tracking the activity under the name TAG-144. "Although the clusters share similar tactics, techniques, and procedures (TTPs) such as leveraging open-source and cracked remote access trojans (RATs), dynamic domain providers, and legitimate internet services (LIS) for staging, they differ significantly in infrastructure, malware deployment, and other operational methods," the Mastercard-owned company said . Blind Eagle has a history of targeting organizations in South America since at least 2018, with the attacks reflecting both cyber espionage and financially driven motivations. This is evidenced in their ...

Cybersecurity researchers have flagged a new phishing campaign that's using fake voicemails and purchase orders to deliver a malware loader called UpCrypter . The campaign leverages "carefully crafted emails to deliver malicious URLs linked to convincing phishing pages," Fortinet FortiGuard Labs researcher Cara Lin said . "These pages are designed to entice recipients into downloading JavaScript files that act as droppers for UpCrypter." Attacks propagating the malware have been primarily targeting manufacturing, technology, healthcare, construction, and retail/hospitality sectors across the world since the start of August 2025. The vast majority of the infections have been observed in Austria, Belarus, Canada, Egypt, India, and Pakistan, among others. UpCrypter functions as a conduit for various remote access tools (RATs), such as PureHVNC RAT , DCRat (aka DarkCrystal RAT), and Babylon RAT , each of which enable an attacker to take full control of compromi...

The advanced persistent threat (APT) actor known as Transparent Tribe has been observed targeting both Windows and BOSS (Bharat Operating System Solutions) Linux systems with malicious Desktop shortcut files in attacks targeting Indian Government entities. "Initial access is achieved through spear-phishing emails," CYFIRMA said . "Linux BOSS environments are targeted via weaponized .desktop shortcut files that, once opened, download and execute malicious payloads." Transparent Tribe, also called APT36, is assessed to be of Pakistani origin, with the group – along with its sub-cluster SideCopy – having a storied history of breaking into Indian government institutions with a variety of remote access trojans (RATs). The latest dual-platform demonstrates the adversarial collective's continued sophistication, allowing it to broaden its targeting footprint and ensure access to compromised environments. The attack chains begin with phishing emails bearing sup...

Cybersecurity researchers have disclosed details of a new malware loader called QuirkyLoader that's being used to deliver via email spam campaigns an array of next-stage payloads ranging from information stealers to remote access trojans since November 2024. Some of the notable malware families distributed using QuirkyLoader include Agent Tesla , AsyncRAT , Formbook , Masslogger , Remcos RAT , Rhadamanthys Stealer , and Snake Keylogger . IBM X-Force, which detailed the malware, said the attacks involve sending spam emails from both legitimate email service providers and a self-hosted email server. These emails feature a malicious archive, which contains a DLL, an encrypted payload, and a real executable. "The actor uses DLL side-loading, a technique where launching the legitimate executable also loads the malicious DLL," security researcher Raymond Joseph Alfonso said . "This DLL, in turn, loads, decrypts, and injects the final payload into its target process....

North Korean threat actors have been attributed to a coordinated cyber espionage campaign targeting diplomatic missions in their southern counterpart between March and July 2025. The activity manifested in the form of at least 19 spear-phishing emails that impersonated trusted diplomatic contacts with the goal of luring embassy staff and foreign ministry personnel with convincing meeting invites, official letters, and event invitations. "The attackers leveraged GitHub, typically known as a legitimate developer platform, as a covert command-and-control channel," Trellix researchers Pham Duy Phuc and Alex Lanstein said . The infection chains have been observed to rely on trusted cloud storage solutions like Dropbox and Daum Cloud, an online service from South Korean internet conglomerate Kakao Corporation, in order to deliver a variant of an open-source remote access trojan called Xeno RAT that grants the threat actors to take control of compromised systems. The campaign i...

Financial institutions like trading and brokerage firms are the target of a new campaign that delivers a previously unreported remote access trojan called GodRAT . The malicious activity involves the "distribution of malicious .SCR (screen saver) files disguised as financial documents via Skype messenger," Kaspersky researcher Saurabh Sharma said in a technical analysis published today. The attacks, which have been active as recently as August 12, 2025, employ a technique called steganography to conceal within image files shellcode used to download the malware from a command-and-control (C2) server. The screen saver artifacts have been detected since September 9, 2024, targeting countries and territories like Hong Kong, the United Arab Emirates, Lebanon, Malaysia, and Jordan. Assessed to be based on Gh0st RAT, GodRAT follows a plugin-based approach to augment its functionality in order to harvest sensitive information and deliver secondary payloads like AsyncRAT. It'...

A combination of propagation methods, narrative sophistication, and evasion techniques enabled the social engineering tactic known as ClickFix to take off the way it did over the past year, according to new findings from Guardio Labs. "Like a real-world virus variant, this new ' ClickFix ' strain quickly outpaced and ultimately wiped out the infamous fake browser update scam that plagued the web just last year," security researcher Shaked Chen said in a report shared with The Hacker News. "It did so by removing the need for file downloads, using smarter social engineering tactics, and spreading through trusted infrastructure. The result – a wave of infections ranging from mass drive-by attacks to hyper-targeted spear-phishing lures." ClickFix is the name given to a social engineering tactic where prospective targets are deceived into infecting their own machines under the guise of fixing a non-existent issue or a CAPTCHA verification. It was first det...

Cybersecurity researchers have discovered a nascent Android remote access trojan (RAT) called PlayPraetor that has infected more than 11,000 devices, primarily across Portugal, Spain, France, Morocco, Peru, and Hong Kong. "The botnet's rapid growth, which now exceeds 2,000 new infections per week, is driven by aggressive campaigns focusing on Spanish and French speakers, indicating a strategic shift away from its previous common victim base," Cleafy researchers Simone Mattia, Alessandro Strino, and Federico Valentini said in an analysis of the malware. PlayPraetor, managed by a Chinese command-and-control (C2) panel, doesn't significantly deviate from other Android trojans in that it abuses accessibility services to gain remote control and can serve fake overlay login screens atop nearly 200 banking apps and cryptocurrency wallets in an attempt to hijack victim accounts. PlayPraetor was first documented by CTM360 in March 2025, detailing the operation's u...

Cybersecurity researchers have shed light on a new versatile malware loader called CastleLoader that has been put to use in campaigns distributing various information stealers and remote access trojans (RATs). The activity employs Cloudflare-themed ClickFix phishing attacks and fake GitHub repositories opened under the names of legitimate applications, Swiss cybersecurity company PRODAFT said in a report shared with The Hacker News. The malware loader, first observed in the wild earlier this year, has been used to distribute DeerStealer , RedLine , StealC , NetSupport RAT , SectopRAT , and even other loaders like Hijack Loader . "It employs dead code injection and packing techniques to hinder analysis," the company said. "After unpacking itself at runtime, it connects to a C2 (command-and-control) server, downloads target modules, and executes them." CastleLoader's modular structure allows it to act as both a delivery mechanism and a staging utility, enabling...

The Tibetan community has been targeted by a China-nexus cyber espionage group as part of two campaigns conducted last month ahead of the Dalai Lama's 90th birthday on July 6, 2025. The multi-stage attacks have been codenamed Operation GhostChat and Operation PhantomPrayers by Zscaler ThreatLabz. "The attackers compromised a legitimate website, redirecting users via a malicious link and ultimately installing either the Gh0st RAT or PhantomNet (aka SManager) backdoor onto victim systems," security researchers Sudeep Singh and Roy Tay said in a Wednesday report. This is not the first time Chinese threat actors have resorted to watering hole attacks (aka strategic web compromises), a technique where adversaries break into websites frequently visited by a specific group to infect their devices with malware. Over the past two years, hacking groups like EvilBamboo , Evasive Panda , and TAG-112 have all resorted to the approach to target the Tibetan diaspora with the u...

Cybersecurity researchers have alerted to a supply chain attack that has targeted popular npm packages via a phishing campaign designed to steal the project maintainers' npm tokens. The captured tokens were then used to publish malicious versions of the packages directly to the registry without any source code commits or pull requests on their respective GitHub repositories. The list of affected packages and their rogue versions, according to Socket, is listed below - eslint-config-prettier (versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7) eslint-plugin-prettier (versions 4.2.2 and 4.2.3) synckit (version 0.11.9) @pkgr/core (version 0.2.8) napi-postinstall (version 0.3.1) got-fetch (versions 5.1.11 and 5.1.12) is (versions 3.3.1 and 5.0.0) "The injected code attempted to execute a DLL on Windows machines, potentially allowing remote code execution," the software supply chain security firm said. The development comes in the aftermath of a phishing campaign that...

Cybersecurity researchers have charted the evolution of a widely used remote access trojan called AsyncRAT , which was first released on GitHub in January 2019 and has since served as the foundation for several other variants. "AsyncRAT has cemented its place as a cornerstone of modern malware and as a pervasive threat that has evolved into a sprawling network of forks and variants," ESET researcher Nikola Knežević said in a report shared with The Hacker News. "While its capabilities are not that impressive on their own, it is the open-source nature of AsyncRAT that has truly amplified its impact. Its plug-in-based architecture and ease of modification have sparked the proliferation of many forks, pushing the boundaries even further" While AsyncRAT's evolution highlights its technical adaptability, its real-world impact stems from how it's deployed in opportunistic phishing campaigns and bundled with loaders like GuLoader or SmokeLoader. These delivery metho...

Threat actors behind the Interlock ransomware group have unleashed a new PHP variant of its bespoke remote access trojan (RAT) as part of a widespread campaign using a variant of ClickFix called FileFix. "Since May 2025, activity related to the Interlock RAT has been observed in connection with the LandUpdate808 (aka KongTuke) web-inject threat clusters," The DFIR Report said in a technical analysis published today in collaboration with Proofpoint. "The campaign begins with compromised websites injected with a single-line script hidden in the page's HTML, often unbeknownst to site owners or visitors." The JavaScript code acts as a traffic distribution system (TDS), using IP filtering techniques to redirect users to fake CAPTCHA verification pages that leverage ClickFix to entice them into running a PowerShell script that leads to the deployment of NodeSnake (aka Interlock RAT). The use of NodeSnake by Interlock was previously documented by Quorum Cyber ...

A threat actor with suspected ties to India has been observed targeting a European foreign affairs ministry with malware capable of harvesting sensitive data from compromised hosts. The activity has been attributed by Trellix Advanced Research Center to an advanced persistent threat (APT) group called DoNot Team , which is also known as APT-C-35, Mint Tempest, Origami Elephant, SECTOR02, and Viceroy Tiger. It's been assessed to be active since 2016. "DoNot APT is known for using custom-built Windows malware, including backdoors like YTY and GEdit, often delivered through spear-phishing emails or malicious documents," Trellix researchers Aniket Choukde, Aparna Aripirala, Alisha Kadam, Akhil Reddy, Pham Duy Phuc, and Alex Lanstein said . "This threat group typically targets government entities, foreign ministries, defense organizations, and NGOs especially those in South Asia and Europe." The attack chain commences with phishing emails that aim to trick rec...