top of page
ALL POSTS
DragonForce Ransomware Exploits Microsoft Teams Relays to Conceal Malicious Command-and-Control Traffic
Key Findings DragonForce ransomware operators deployed Backdoor.Turn, a custom Go-based remote access trojan that conceals command-and-control traffic within Microsoft Teams relay infrastructure This marks the first publicly documented abuse of Microsoft's TURN relay servers by threat actors Attackers maintained network access for one to two months while evading detection by routing malicious traffic through legitimate Microsoft servers The group employed sophisticated defens
Jun 183 min read
China-Linked FishMonger APT Deploys SprySOCKS Windows Backdoor With Kernel-Level Stealth and UEFI Bootkit Capabilities
Key Findings FishMonger, a China-linked APT group, has ported SprySOCKS backdoor to Windows with two new variants: WIN_DRV and WIN_PLUS WIN_DRV uses kernel drivers to hide network connections, processes, files, and registry keys from user-level detection tools WIN_PLUS exploits the Windows Print Spooler service to blend malicious activity into normal system operations Both variants were deployed against government targets in Honduras, Taiwan, Thailand, and Pakistan between 20
Jun 173 min read
Operation FlutterBridge: macOS Backdoor Campaign Leverages Fake Google Ads and Targeted Distribution
Key Findings Operation FlutterBridge is a sophisticated malvertising campaign targeting macOS users since late 2025, evolving from basic adware into a dangerous backdoor called FlutterShell Threat actors use fake shell companies to purchase verified Google and YouTube ads, bypassing security filters through artificial aging and legitimate developer credentials The malware masquerades as productivity tools including Podcasts Lounge, PDF-Brain, and PDF-Ninja, with three distinc
Jun 83 min read
WordPress Malware Hides C2 Instructions in Steam Profile Comments
Key Findings New malware campaign discovered on approximately 1,980 WordPress sites using Steam Community profile comments to store encoded command-and-control instructions Malware uses invisible Unicode characters hidden within visible Steam profile comments to deliver payloads, making detection difficult Infected sites load external malicious JavaScript and contain a server-side backdoor capable of modifying PHP files for persistent access Campaign first detected in July 20
Jun 23 min read
Supply Chain Attack: 700+ Laravel Lang Versions Infected with RCE Backdoor
Key Findings Over 700 historical versions of laravel-lang localization packages compromised with RCE backdoors across multiple repositories Attack occurred May 22-23, 2026 with automated mass tag publishing seconds apart, indicating infrastructure-level breach Malicious code executes automatically via composer autoload.files on every PHP request in affected applications Second-stage payload deploys 17 specialized credential collectors targeting cloud keys, Kubernetes tokens,
May 233 min read
Cloud Atlas: Upcoming Operations, New Tools, and Payload Deployments (2025-2026)
Key Findings Cloud Atlas, active since 2014, conducted pervasive SSH tunnel operations affecting government and commercial organizations in Russia and Belarus throughout late 2025 and into 2026 The group introduced new tools and malicious payloads, including VBCloud and PowerShower backdoors Primary infection vector remains phishing with ZIP archives containing malicious LNK shortcuts that execute PowerShell scripts Multi-stage attack chain includes persistence mechanisms, de
May 233 min read
Active Exploitation of cPanel CVE-2026-41940 Deploys Filemanager Backdoor Across 2,000+ Attacker IPs Globally
Key Findings Critical cPanel vulnerability CVE-2026-41940 (CVSS 9.3) is being actively exploited in the wild to deploy the Filemanager backdoor Over 2,000 malicious IPs from Germany, US, Brazil, Netherlands and other regions are conducting automated attacks Threat actor Mr_Rot13 has been linked to the campaign, with evidence of operations dating back to at least 2020 Exploitation has led to cryptomining, ransomware deployment, botnet propagation, and credential theft Southeas
May 123 min read
FIRESTARTER Backdoor Persists on Federal Cisco Security Devices Despite Patches
Key Findings FIRESTARTER backdoor compromised a U.S. federal Cisco Firepower ASA device in September 2025 and persisted even after security patches were applied The malware survives firmware updates and device reboots by embedding itself in the boot sequence, requiring a hard power cycle to remove APT actors exploited CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362 (CVSS 6.5) to gain initial access before deploying FIRESTARTER for persistence Post-exploitation toolkit LINE VIPER
Apr 243 min read
Mustang Panda Deploys Enhanced LOTUSLITE Backdoor Against India and South Korea
Key Findings Mustang Panda, a China-linked hacking group, launched coordinated campaigns in March 2026 targeting India's financial sector and South Korean policy circles The group deployed an updated LOTUSLITE v1.1 backdoor with improved obfuscation techniques and modified command structures Indian banking workers were targeted via fake HDFC Bank support files, while South Korean diplomats received spear-phishing emails impersonating a former US National Security Council offi
Apr 223 min read
OpenAI Revokes macOS Certificate Following Axios Supply Chain Compromise
Key Findings OpenAI's GitHub Actions workflow downloaded malicious Axios version 1.14.1 on March 31, compromising access to macOS app signing certificates North Korean hacking group UNC1069 hijacked the Axios package maintainer account and injected WAVESHAPER.V2 backdoor into versions 1.14.1 and 0.30.4 OpenAI found no evidence of user data theft, system compromise, or software alteration despite certificate access All macOS versions of ChatGPT Desktop, Codex, Codex CLI, and A
Apr 132 min read
Dindoor Malware Targets U.S. Networks in New MuddyWater Campaign
Key Findings Iran-linked MuddyWater (aka SeedWorm) APT group targeted U.S. organizations, including banks, airports, nonprofits, and a software supplier to the defense and aerospace sectors The group deployed a previously unknown backdoor called Dindoor, which leverages the Deno JavaScript runtime for execution An attempt was made to exfiltrate data from the targeted software company using the Rclone utility to a Wasabi cloud storage bucket A separate Python backdoor called F
Mar 62 min read
APT28-Linked Campaign Targets Ukraine with Malware Threats
Key Findings: A new Russian cyber campaign has targeted Ukrainian entities with two previously undocumented malware families named BadPaw and MeowMeow. The campaign has been attributed with moderate confidence to the Russian state-sponsored threat actor known as APT28. The attack chain initiates with a phishing email containing a link to a ZIP archive, which leads to the deployment of a .NET-based loader called BadPaw and a sophisticated backdoor called MeowMeow. Background T
Mar 52 min read
Dohdoor Backdoor Hits U.S. Education and Healthcare
Key Findings Cisco Talos has identified a new threat cluster, tracked as UAT-10027, targeting U.S. education and healthcare organizations since at least December 2025 to deploy a previously unseen backdoor named Dohdoor. Initial access likely occurs through phishing, triggering a PowerShell script that downloads a batch file and then a malicious DLL named Dohdoor via sideloading. The malware uses DNS-over-HTTPS and Cloudflare infrastructure to hide its command-and-control tra
Feb 263 min read
Notepad++ Hosting Breach Tied to China's Lotus Blossom Hackers
Key Findings The Notepad++ hosting infrastructure was compromised, allowing threat actors to hijack update traffic and deliver a previously undocumented backdoor codenamed Chrysalis The attack has been attributed with medium confidence to the China-linked advanced persistent threat (APT) group known as Lotus Blossom (aka Billbug, Bronze Elgin, Lotus Panda, Raspberry Typhoon, Spring Dragon, and Thrip) The compromise occurred at the hosting provider level, not due to vulnerabil
Feb 33 min read
Notepad++ Targeted by China-Based Espionage Group for Six Months
Key Findings China-based espionage group Lotus Blossom compromised the internal systems of Notepad++, a popular open-source code editor, for nearly six months starting in June 2025. The group deployed various payloads, including a custom backdoor, to selectively spy on a limited set of Notepad++ users' activities. The campaign showcased resilience and stealth tradecraft, but did not result in a mass compromise of all Notepad++ users. The attackers exploited "insufficient upda
Feb 22 min read
North Korean Hackers Exploit Developers' Trust in Visual Studio Code
Key Findings North Korean threat actors associated with the "Contagious Interview" campaign have been observed using malicious Microsoft Visual Studio Code (VS Code) projects as lures to deliver a backdoor on compromised endpoints. The attack involves instructing targets to clone a repository on GitHub, GitLab, or Bitbucket, and launch the project in VS Code as part of a supposed job assessment. The malicious VS Code task configuration files are used to execute payloads, incl
Jan 212 min read
China-Linked Evasive Panda Ran DNS Poisoning Campaign to Deliver XoBot Malware
Key Findings China-linked advanced persistent threat (APT) group Evasive Panda (also known as Bronze Highland, Daggerfly, and StormBamboo) conducted a cyber espionage campaign targeting victims in Türkiye, China, and India. The group used adversary-in-the-middle (AitM) attacks and DNS poisoning techniques to deliver its signature MgBot backdoor. The attackers leveraged lures that masqueraded as updates for third-party software, such as SohuVA, Baidu's iQIYI Video, IObit Smart
Dec 26, 20252 min read
New NANOREMOTE Backdoor Uses Google Drive API for Covert C2 and Links to FINALDRAFT Espionage Group
Key Findings Elastic Security Labs has uncovered a sophisticated new Windows backdoor called NANOREMOTE that leverages the Google Drive API for covert command-and-control (C2) and data exfiltration operations. NANOREMOTE employs legitimate cloud services to blend its malicious traffic with normal network activity, making it extremely difficult for traditional security tools to detect. The malware uses OAuth 2.0 tokens to authenticate with Google's servers and create a covert
Dec 15, 20252 min read
AI Uncovers GhostPenguin: Sophisticated Linux Backdoor Employs Advanced Encryption and Covert Communication Tactics
Key Findings Trend Micro's AI-driven threat hunting pipeline discovered a previously unknown and undetectable Linux backdoor called "GhostPenguin" GhostPenguin had zero detections on VirusTotal for over four months before being identified The sophisticated, multi-threaded backdoor is written in C++ and uses RC5-encrypted UDP for covert Command and Control (C2) communications Background GhostPenguin was first submitted to VirusTotal on July 7, 2025, but remained completely inv
Dec 9, 20252 min read
MuddyWater Targets Turkey, Israel, and Azerbaijan with UDPGangster Backdoor
Key Findings The Iranian hacking group known as MuddyWater has been observed deploying a new backdoor called UDPGangster that uses the User Datagram Protocol (UDP) for command-and-control (C2) communication. The cyber espionage activity targeted users in Turkey, Israel, and Azerbaijan. The attack chain involves using spear-phishing tactics to distribute booby-trapped Microsoft Word documents that trigger the execution of a malicious payload once macros are enabled. UDPGangste
Dec 8, 20252 min read
bottom of page
