top of page
ALL POSTS
Quasar Linux RAT (QLNX): A Fileless Implant Targeting Supply Chain with Stealth and Persistence
Key Findings Researchers discovered QLNX, a previously undocumented Linux remote access trojan targeting developers and DevOps environments The malware operates entirely from memory using memfd_create to avoid disk detection QLNX includes embedded C source code for PAM backdoors and LD_PRELOAD rootkits that dynamically compile on target systems The implant supports 58 command handlers including keylogging, credential theft, SSH lateral movement, and eBPF-based hiding Communic
May 94 min read
New Deep#Door RAT: Stealthy Windows Malware With Advanced Persistence Capabilities
Key Findings Python-based remote access trojan embeds payload directly inside batch file dropper with no external downloads Malware disables Windows Defender, PowerShell logging, firewall logging, and SmartScreen before activating Establishes persistence through multiple mechanisms including startup folders, registry keys, scheduled tasks, and WMI subscriptions with automatic restoration capability Uses bore.pub public TCP tunneling service for command-and-control instead of
May 23 min read
FIRESTARTER Backdoor Persists on Federal Cisco Security Devices Despite Patches
Key Findings FIRESTARTER backdoor compromised a U.S. federal Cisco Firepower ASA device in September 2025 and persisted even after security patches were applied The malware survives firmware updates and device reboots by embedding itself in the boot sequence, requiring a hard power cycle to remove APT actors exploited CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362 (CVSS 6.5) to gain initial access before deploying FIRESTARTER for persistence Post-exploitation toolkit LINE VIPER
Apr 243 min read
36 Malicious npm Packages Deploy Redis and PostgreSQL Persistent Implants
Key Findings 36 malicious npm packages masquerading as Strapi CMS plugins uploaded by four sock puppet accounts over 13 hours Eight distinct payload variants reveal real-time attack development against a specific target Exploitation chain includes Redis RCE, PostgreSQL database theft, Docker container escape, and persistent C2 implants Packages target cryptocurrency platform infrastructure with hardcoded database credentials and wallet-specific data harvesting Postinstall scr
Apr 54 min read
PromptSpy: The Android Malware that Leverages Gemini AI for Persistent Access
Key Findings: PromptSpy is the first known Android malware to abuse Google's Gemini AI to maintain persistence on infected devices It can capture lockscreen data, block uninstallation attempts, collect device information, take screenshots, and record screen activity as video The malware leverages Gemini AI to analyze the current screen and provide it with step-by-step instructions on how to remain pinned in the recent apps list, preventing easy removal Background ESET researc
Feb 202 min read
bottom of page
