Remote Access Trojans | Breaking Cybersecurity News | The Hacker News

Threat actors have been observed exploiting a now-patched critical SAP NetWeaver flaw to deliver the Auto-Color backdoor in an attack targeting a U.S.-based chemicals company in April 2025. "Over the course of three days, a threat actor gained access to the customer's network, attempted to download several suspicious files and communicated with malicious infrastructure linked to Auto-Color malware," Darktrace said in a report shared with The Hacker News. The vulnerability in question is CVE-2025-31324 , a severe unauthenticated file upload bug in SAP NetWeaver that enables remote code execution (RCE). It was patched by SAP in April. Auto-Color, first documented by Palo Alto Networks Unit 42 earlier this February, functions akin to a remote access trojan, enabling remote access to compromised Linux hosts. It was observed in attacks targeting universities and government organizations in North America and Asia between November and December 2024. The malware has been...

Cybersecurity researchers are warning of a new phishing campaign that's targeting users in Taiwan with malware families such as HoldingHands RAT and Gh0stCringe. The activity is part of a broader campaign that delivered the Winos 4.0 malware framework earlier this January by sending phishing messages impersonating Taiwan's National Taxation Bureau, Fortinet FortiGuard Labs said in a report shared with The Hacker News. The cybersecurity company said it identified additional malware samples through continuous monitoring and that it observed the same threat actor, referred to as Silver Fox APT, using malware-laced PDF documents or ZIP files distributed via phishing emails to deliver Gh0stCringe and a malware strain based on HoldingHands RAT. It's worth noting that both HoldingHands RAT (aka Gh0stBins) and Gh0stCringe are variants of a known remote access trojan called Gh0st RAT, which is widely used by Chinese hacking groups. The starting point of the attack is a p...

A new multi-stage attack has been observed delivering malware families like Agent Tesla variants, Remcos RAT, and XLoader. "Attackers increasingly rely on such complex delivery mechanisms to evade detection, bypass traditional sandboxes, and ensure successful payload delivery and execution," Palo Alto Networks Unit 42 researcher Saqib Khanzada said in a technical write-up of the campaign. The starting point of the attack is a deceptive email that poses as an order request to deliver a malicious 7-zip archive attachment, which contains a JavaScript encoded (.JSE) file. The phishing email, observed in December 2024, falsely claimed that a payment had been made and urged the recipient to review an attached order file. Launching the JavaScript payload triggers the infection sequence, with the file acting as a downloader for a PowerShell script from an external server. The script, in turn, houses a Base64-encoded payload that's subsequently deciphered, written to the Wi...

Is Managing Customer Logins and Data Giving You Headaches? You're Not Alone! Today, we all expect super-fast, secure, and personalized online experiences. But let's be honest, we're also more careful about how our data is used. If something feels off, trust can vanish in an instant. Add to that the lightning-fast changes AI is bringing to everything from how we log in to spotting online fraud, and it's a whole new ball game! If you're dealing with logins, data privacy, bringing new users on board, or building digital trust, this webinar is for you . Join us for " Navigating Customer Identity in the AI Era ," where we'll dive into the Auth0 2025 Customer Identity Trends Report . We'll show you what's working, what's not, and how to tweak your strategy for the year ahead. In just one session, you'll get practical answers to real-world challenges like: How AI is changing what users expect – and where they're starting to push ba...

The threat actor known as Paper Werewolf has been observed exclusively targeting Russian entities with a new implant called PowerModul . The activity, which took place between July and December 2024, singled out organizations in the mass media, telecommunications, construction, government entities, and energy sectors, Kaspersky said in a new report published Thursday. Paper Werewolf, also known as GOFFEE, is assessed to have conducted at least seven campaigns since 2022, according to BI.ZONE, with the attacks mainly aimed at government, energy, financial, media, and other organizations. Attack chains mounted by the threat actor have also been observed incorporating a disruptive component, wherein the intrusions go beyond distributing malware for espionage purposes to also change passwords belonging to employee accounts. The attacks themselves are initiated via phishing emails that contain a macro-laced lure document, which, upon opening and enabling macros, paves the way for th...

Microsoft is warning of several phishing campaigns that are leveraging tax-related themes to deploy malware and steal credentials. "These campaigns notably use redirection methods such as URL shorteners and QR codes contained in malicious attachments and abuse legitimate services like file-hosting services and business profile pages to avoid detection," Microsoft said in a report shared with The Hacker News. A notable aspect of these campaigns is that they lead to phishing pages that are delivered via a phishing-as-a-service (PhaaS) platform codenamed RaccoonO365 , an e-crime platform that first came to light in early December 2024. Also delivered are remote access trojans (RATs) like Remcos RAT, as well as other malware and post-exploitation frameworks such as Latrodectus , AHKBot, GuLoader , and BruteRatel C4 (BRc4). One such campaign spotted by the tech giant on February 6, 2025, is estimated to have sent hundreds of emails targeting the United States ahead of the t...

Cybersecurity researchers are calling attention to an ongoing campaign that's targeting gamers and cryptocurrency investors under the guise of open-source projects hosted on GitHub . The campaign, which spans hundreds of repositories, has been dubbed GitVenom by Kaspersky. "The infected projects include an automation instrument for interacting with Instagram accounts, a Telegram bot that enables the remote management of Bitcoin wallets and a crack tool to play the Valorant game," the Russian cybersecurity vendor said. "All of this alleged project functionality was fake, and cybercriminals behind the campaign stole personal and banking data and hijacked cryptowallet addresses from the clipboard." The malicious activity has facilitated the theft of 5 bitcoins, approximately worth $456,600 as of writing. It's believed the campaign has been ongoing for at least two years, when some of the fake projects were published. A majority of the infection attempts...