Remote Access Trojan | Breaking Cybersecurity News | The Hacker News

The threat actor known as Bitter has been assessed to be a state-backed hacking group that's tasked with gathering intelligence that aligns with the interests of the Indian government. That's according to new findings jointly published by Proofpoint and Threatray in an exhaustive two-part analysis. "Their diverse toolset shows consistent coding patterns across malware families, particularly in system information gathering and string obfuscation," researchers Abdallah Elshinbary, Jonas Wagner, Nick Attfield, and Konstantin Klinger said. Bitter, also known as APT-C-08, APT-Q-37, Hazy Tiger, Orange Yali, T-APT-17, and TA397, has a history of focusing primarily on South Asian entities , with select intrusions also targeting China, Saudi Arabia, and South America. In December 2024, evidence emerged of the threat actor's targeting of Turkey using malware families such as WmRAT and MiyaRAT, indicating a gradual geographical expansion. Stating that Bitter fr...

Threat hunters are calling attention to a new variant of a remote access trojan (RAT) called Chaos RAT that has been used in recent attacks targeting Windows and Linux systems. According to findings from Acronis, the malware artifact may have been distributed by tricking victims into downloading a network troubleshooting utility for Linux environments. "Chaos RAT is an open-source RAT written in Golang, offering cross-platform support for both Windows and Linux systems," security researchers Santiago Pontiroli, Gabor Molnar, and Kirill Antonenko said in a report shared with The Hacker News. "Inspired by popular frameworks such as Cobalt Strike and Sliver, Chaos RAT provides an administrative panel where users can build payloads, establish sessions, and control compromised machines." While work on the "remote administration tool" started way back in 2017, it did not attract attention until December 2022 , when it was put to use in a malicious campaig...

If this had been a security drill, someone would've said it went too far. But it wasn't a drill—it was real. The access? Everything looked normal. The tools? Easy to find. The detection? Came too late. This is how attacks happen now—quiet, convincing, and fast. Defenders aren't just chasing hackers anymore—they're struggling to trust what their systems are telling them. The problem isn't too few alerts. It's too many, with no clear meaning. One thing is clear: if your defense still waits for obvious signs, you're not protecting anything. You're just watching it happen. This recap highlights the moments that mattered—and why they're worth your attention. ⚡ Threat of the Week APT41 Exploits Google Calendar for Command-and-Control — The Chinese state-sponsored threat actor known as APT41 deployed a malware called TOUGHPROGRESS that uses Google Calendar for command-and-control (C2). Google said it observed the spear-phishing attacks in October 2024 and that the malware was hosted on...

Fake installers for popular artificial intelligence (AI) tools like OpenAI ChatGPT and InVideo AI are being used as lures to propagate various threats, such as the CyberLock and Lucky_Gh0$t ransomware families, and a new malware dubbed Numero. "CyberLock ransomware, developed using PowerShell, primarily focuses on encrypting specific files on the victim's system," Cisco Talos researcher Chetan Raghuprasad said in a report published today. "Lucky_Gh0$t ransomware is yet another variant of the Yashma ransomware, which is the sixth iteration of the Chaos ransomware series, featuring only minor modifications to the ransomware binary." Numero, on the other hand, is a destructive malware that impacts victims by manipulating the graphical user interface (GUI) components of their Windows operating system, thereby rendering the machines unusable. The cybersecurity company said the legitimate versions of the AI tools are popular in the business-to-business (B2B) sal...

Cybersecurity researchers have taken the wraps off an unusual cyber attack that leveraged malware with corrupted DOS and PE headers, according to new findings from Fortinet. The DOS (Disk Operating System) and PE (Portable Executable) headers are essential parts of a Windows PE file , providing information about the executable. While the DOS header makes the executable file backward compatible with MS-DOS and allows it to be recognized as a valid executable by the operating system, the PE header contains the metadata and information necessary for Windows to load and execute the program. "We discovered malware that had been running on a compromised machine for several weeks," researchers Xiaopeng Zhang and John Simmons from the FortiGuard Incident Response Team said in a report shared with The Hacker News. "The threat actor had executed a batch of scripts and PowerShell to run the malware in a Windows process." Fortinet said while it was unable to extract th...

Cyber threats don't show up one at a time anymore. They're layered, planned, and often stay hidden until it's too late. For cybersecurity teams, the key isn't just reacting to alerts—it's spotting early signs of trouble before they become real threats. This update is designed to deliver clear, accurate insights based on real patterns and changes we can verify. With today's complex systems, we need focused analysis—not noise. What you'll see here isn't just a list of incidents, but a clear look at where control is being gained, lost, or quietly tested. ⚡ Threat of the Week Lumma Stealer, DanaBot Operations Disrupted — A coalition of private sector companies and law enforcement agencies have taken down the infrastructure associated with Lumma Stealer and DanaBot . Charges have also been unsealed against 16 individuals for their alleged involvement in the development and deployment of DanaBot. The malware is equipped to siphon data from victim computers, hijack banking session...

Cybersecurity researchers have disclosed a malware campaign that uses fake software installers masquerading as popular tools like LetsVPN and QQ Browser to deliver the Winos 4.0 framework. The campaign, first detected by Rapid7 in February 2025, involves the use of a multi-stage, memory-resident loader called Catena. "Catena uses embedded shellcode and configuration switching logic to stage payloads like Winos 4.0 entirely in memory, evading traditional antivirus tools," security researchers Anna Širokova and Ivan Feigl said . "Once installed, it quietly connects to attacker-controlled servers – mostly hosted in Hong Kong – to receive follow-up instructions or additional malware." The attacks, like those that have deployed Winos 4.0 in the past, appear to focus specifically on Chinese-speaking environments, with the cybersecurity company calling out the "careful, long-term planning" by a very capable threat actor. Winos 4.0 (aka ValleyRAT) was first ...

Russian organizations have become the target of a phishing campaign that distributes malware called PureRAT, according to new findings from Kaspersky. "The campaign aimed at Russian business began back in March 2023, but in the first third of 2025 the number of attacks quadrupled compared to the same period in 2024," the cybersecurity vendor said . The attack chains, which have not been attributed to any specific threat actor, commence with a phishing email that contains a RAR file attachment or a link to the archive that masquerades as a Microsoft Word or a PDF document by making use of double extensions ("doc_054_[redacted].pdf.rar"). Present within the archive file is an executable that, when launched, copies itself to the "%AppData%" location of the compromised Windows machine under the name "task.exe" and creates a Visual Basic Script called "Task.vbs" in the Startup VBS folder. The executable then proceeds to unpack another ...

Counterfeit Facebook pages and sponsored ads on the social media platform are being employed to direct users to fake websites masquerading as Kling AI with the goal of tricking victims into downloading malware. Kling AI is an artificial intelligence (AI)-powered platform to synthesize images and videos from text and image prompts. Launched in June 2024, it's developed by Kuaishou Technology, which is headquartered in Beijing, China. As of April 2025, the service has a user base of more than 22 million, per data from the company. "The attack used fake Facebook pages and ads to distribute a malicious file which ultimately led to the execution of a remote access Trojan (RAT), granting attackers remote control of the victim's system and the ability to steal sensitive data," Check Point said . First detected in early 2025, the campaign leads unsuspecting users to a spoofed website such as klingaimedia[.]com or klingaistudio[.]com, where they are asked to create AI-genera...

The official site for RVTools has been hacked to serve a compromised installer for the popular VMware environment reporting utility. "Robware.net and RVTools.com are currently offline. We are working expeditiously to restore service and appreciate your patience," the company said in a statement posted on its website. "Robware.net and RVTools.com are the only authorized and supported websites for RVTools software. Do not search for or download purported RVTools software from any other websites or sources." The development comes after security researcher Aidan Leon revealed that an infected version of the installer downloaded from the website was being used to sideload a malicious DLL that turned out to be a known malware loader called Bumblebee . It's currently not known how long the trojanized version of RVTools had been available for download and how many had installed it before the site was taken offline. In the interim, users are recommended to veri...

Cybersecurity leaders aren't just dealing with attacks—they're also protecting trust, keeping systems running, and maintaining their organization's reputation. This week's developments highlight a bigger issue: as we rely more on digital tools, hidden weaknesses can quietly grow.  Just fixing problems isn't enough anymore—resilience needs to be built into everything from the ground up. That means better systems, stronger teams, and clearer visibility across the entire organization. What's showing up now isn't just risk—it's a clear signal that acting fast and making smart decisions matters more than being perfect. Here's what surfaced—and what security teams can't afford to overlook. ⚡ Threat of the Week Microsoft Fixes 5 Actively Exploited 0-Days — Microsoft addressed a total of 78 security flaws in its Patch Tuesday update for May 2025 last week, out of which five of them have come under active exploitation in the wild. The vulnerabilities include CVE-2025-30397, CVE-2025-...

Cybersecurity researchers have shed light on a new malware campaign that makes use of a PowerShell-based shellcode loader to deploy a remote access trojan called Remcos RAT. "Threat actors delivered malicious LNK files embedded within ZIP archives, often disguised as Office documents," Qualys security researcher Akshay Thorve said in a technical report. "The attack chain leverages mshta.exe for proxy execution during the initial stage." The latest wave of attacks, as detailed by Qualys, employs tax-related lures to entice users into opening a malicious ZIP archive containing a Windows shortcut (LNK) file, which, in turn, makes use of mshta.exe, a legitimate Microsoft tool used to run HTML Applications (HTA). The binary is used to execute an obfuscated HTA file named "xlab22.hta" hosted on a remote server, which incorporates Visual Basic Script code to download a PowerShell script, a decoy PDF, and another HTA file similar to xlab22.hta called "3...

Threat actors have been observed leveraging fake artificial intelligence (AI)-powered tools as a lure to entice users into downloading an information stealer malware dubbed Noodlophile . "Instead of relying on traditional phishing or cracked software sites, they build convincing AI-themed platforms – often advertised via legitimate-looking Facebook groups and viral social media campaigns," Morphisec researcher Shmuel Uzan said in a report published last week. Posts shared on these pages have been found to attract over 62,000 views on a single post, indicating that users looking for AI tools for video and image editing are the target of this campaign. Some of the fake social media pages identified include Luma Dreammachine Al, Luma Dreammachine, and gratistuslibros. Users who land on the social media posts are urged to click on links that advertise AI-powered content creation services, including videos, logos, images, and even websites. One of the bogus websites masquerad...

Cybersecurity researchers have flagged three malicious npm packages that are designed to target the Apple macOS version of Cursor, a popular artificial intelligence (AI)-powered source code editor. "Disguised as developer tools offering 'the cheapest Cursor API,' these packages steal user credentials, fetch an encrypted payload from threat actor-controlled infrastructure, overwrite Cursor's main.js file, and disable auto-updates to maintain persistence," Socket researcher Kirill Boychenko said . The packages in question are listed below - sw-cur (2,771 downloads) sw-cur1 (307 downloads), and aiide-cur (163 downloads) All three packages continue to be available for download from the npm registry. "Aiide-cur" was first published on February 14, 2025. It was uploaded by a user named "aiide." The npm library is described as a "command-line tool for configuring the macOS version of the Cursor editor." The other two packages, ...

Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) repository that masquerades as a seemingly harmless Discord-related utility but incorporates a remote access trojan. The package in question is discordpydebug , which was uploaded to PyPI on March 21, 2022. It has been downloaded 11,574 times and continues to be available on the open-source registry. Interestingly, the package has not received any update since then. "At first glance, it appeared to be a simple utility aimed at developers working on Discord bots using the Discord.py library," the Socket Research Team said . "However, the package concealed a fully functional remote access trojan (RAT)." The package, once installed, contacts an external server ("backstabprotection.jamesx123.repl[.]co"), and includes features to read and write arbitrary files based on commands, readfile or writefile, received from the server. The RAT also supports the ability...

An Iranian state-sponsored threat group has been attributed to a long-term cyber intrusion aimed at a critical national infrastructure (CNI) in the Middle East that lasted nearly two years. The activity, which lasted from at least May 2023 to February 2025, entailed "extensive espionage operations and suspected network prepositioning – a tactic often used to maintain persistent access for future strategic advantage," the FortiGuard Incident Response (FGIR) team said in a report. The network security company noted that the attack exhibits tradecraft overlaps with a known Iranian nation-state threat actor called Lemon Sandstorm (formerly Rubidium), which is also tracked as Parisite, Pioneer Kitten, and UNC757. It's been assessed to be active since at least 2017, striking aerospace, oil and gas, water, and electric sectors across the United States, the Middle East, Europe, and Australia. According to industrial cybersecurity company Dragos, the adversary has leveraged ...