malware

China-Linked APT Expands Arsenal With New ‘Leash’ Backdoors
A China-linked advanced persistent threat (APT) group, identified as LapDogs, has reportedly enhanced its malicious toolkit. Security researchers have observed the deployment of three new backdoors: LongLeash, DogLeash, and JarLeash, which are designed to compromise small office/home office (SOHO) routers.

RedWing Android Spyware Sold as a Service on Telegram
A new Android spyware called RedWing is being offered as a service on Telegram, allowing less sophisticated attackers to compromise phones and steal banking information. Researchers have identified it as a polished malware-as-a-service operation with extensive documentation and a subscription model, potentially linked to Russian threat actors. RedWing employs fake login overlays, SMS interception, call forwarding, and even screen control to harvest credentials and conduct further malicious activities.

China-Linked UAT-7810 Expands ORB Network With New LONGLEASH Malware
A Chinese threat actor, UAT-7810, is reportedly enhancing its custom malware to broaden its Operational Relay Box (ORB) network. This expansion involves compromising internet-facing networking devices, according to Cisco Talos.

Chinese hackers develop LONGLEASH malware to expand ORB network
Chinese state-sponsored hackers, identified as UAT-7810, have developed new malware named LONGLEASH. It is being used to expand their ORB network by compromising internet-facing devices, specifically targeting unpatched Ruckus routers.

RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service
A new Malware-as-a-Service offering called RedWing packages Android bank fraud tools and is rented via Telegram. It provides ready-made malware capable of taking over phones and stealing banking credentials and one-time passcodes.

Iran-Linked Hackers Using Modular C&C Framework in Cyberattacks
An Iran-linked threat actor is using an adaptable modular command-and-control framework in cyberattacks. It compromised IT service providers to reach high-value targets primarily in Israel.

UAT-7810 continues building ORB networks using new malware
The threat actor UAT-7810 is reportedly developing new custom malware. This malware is being utilized to establish ORB networks, indicating an evolution in their tools and ongoing malicious operations.

Fake IT support calls on Microsoft Teams push EtherRAT malware
Threat actors are abusing Microsoft Teams voice calls by impersonating corporate IT support staff to trick employees into installing the EtherRAT malware, giving attackers initial access to corporate networks. [...]

⚡ Weekly Recap: Proxy Botnets, Browser Ransomware, AI Agent Tricks, Fake PoC Malware and More
A streaming box should not need a threat model. Neither should a username field, a demo repo, a reset flow, or a browser permission prompt. That is the irritating part this week: the risky pieces were ordinary. Home devices became a routing

Suspected China-Nexus Hackers Use Fake Indian Tax Filing Utility to Deploy DcRAT
A suspected China-nexus threat activity cluster has been observed targeting Indian taxpayers, tax professionals, and corporate finance teams to deliver a remote access trojan designed to steal sensitive data from compromised hosts. The mult

New TrojPix Attack Leaks Data From Air-Gapped Systems via Video Cable Emissions
Researchers at Shandong University have shown a fast new way to pull data off computers that are cut off from every network. The technique, called TrojPix, tweaks on-screen pixels in ways the eye cannot see, so that the video cable carrying

New Java-Based QuimaRAT MaaS Built to Run on Windows, Linux, and macOS
Cybersecurity researchers have flagged a novel Java-based remote access trojan (RAT) called QuimaRAT that's capable of targeting Windows, Linux, and macOS environments. According to LevelBlue, the cross-platform malware is advertised under

SkillCloak Lets Malicious AI Agent Skills Evade Static Scanners with Self-Extracting Packing
Scanners meant to catch malicious add-on "skills" for AI coding agents can be fooled by a few simple changes that leave the malware working, according to a new study from researchers at the Hong Kong University of Science and Technology. Th

New Avalon Malware Framework Packs CrownX Ransomware Capabilities
Cybersecurity researchers have discovered a previously undocumented modular malware framework codenamed Avalon that's distributed by means of a multi-stage phishing chain capable of bypassing traditional security controls. Avalon combines c

FBI Seizes NetNut Proxy Platform, Popa Botnet
The Federal Bureau of Investigation (FBI) said today it worked with industry partners to seize hundreds of domains associated with NetNut, a sprawling residential proxy service operated by the publicly-traded Israeli company Alarum Technolo

ToddyCat-Linked Umbrij Malware Abuses OAuth to Access Gmail via Google API
The threat actor known as ToddyCat has been attributed to a new malware called Umbrij that's designed to gain surreptitious access to a victim's email correspondence via the Google API. "In this campaign, the attackers focused their attenti

New ChocoPoC RAT Targets Vulnerability Researchers via Fake PoC Exploit Repos
Attackers are hiding a data-stealing trojan inside fake exploit code aimed at the people who hunt bugs for a living. The malware, called ChocoPoC, travels in Python proof-of-concept (PoC) repositories on GitHub that claim to exploit hot new

And the Winner in Dominant Malware Delivery? ClickFix
Researchers say the highly effective social engineering technique is no longer the exception for malware attacks — it's now the rule.

Analysis of Ongoing Ousaban Attacks Targeting the Iberian Peninsula
Cybersecurity researchers have identified a new campaign by the banking Trojan Ousaban, primarily targeting users in Spain and Portugal. The malware, previously active in Brazil, is distributed via a sophisticated phishing PDF that leads victims to a malicious webpage. This page employs environmental and geo-fencing checks to ensure only intended targets download the payload, which includes a VBS script and the Ousaban executable. The Trojan then establishes persistence, decrypts banking-related strings using a custom algorithm, and communicates with command-and-control servers through dynamically generated hostnames.

Phishers Gain Persistence at EU, Asia Hospitality Orgs
Separate but similar campaigns described by Microsoft and Trend Micro use malicious zip files to spread malware via social engineering and obsfucation, including blockchain abuse.

USB drives carrying China-linked malware infected Japanese military networks for nearly a year
Read more in my article on the Hot for Security blog.

Iran, Russia, China Target Water Systems for Sabotage
Nation-state attackers breach water systems through weak passwords, exposed PLCs, and poor segmentation — not sophisticated malware.

Russian APT 'Gamaredon' Upgrades Its Arsenal, Requiring New Defenses
The FSB state-sponsored operation has gotten a lot better at loading its malware and hiding its servers.

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm
For the past four years, a sprawling Android-based botnet called Popa has forced millions of consumer TV boxes to relay Internet traffic linked to advertising fraud, account takeovers, and mass data-scraping efforts. This week, researchers

Smashing Security podcast #472: AI gets hacked, and BitLocker gets bypassed
What if your AI coding assistant could be tricked into stealing your own company's secrets - by reading a single booby-trapped bug report? No phishing email. No malware. No password ever stolen. Just an AI doing exactly what it was told. Me

Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada
Canadian authorities on Wednesday arrested a 23-year-old Ottawa man on suspicion of building and operating Kimwolf, a fast spreading Internet-of-Things botnet that enslaved millions of devices for use in a series of massive distributed deni

Bypassing Administrator Protection by Abusing UI Access
In my last blog post I introduced the new Windows feature, Administrator Protection and how it aimed to create a secure boundary for UAC where one didn’t exist. I described one of the ways I was able to bypass the feature before it was rele

Bypassing Windows Administrator Protection
A headline feature introduced in the latest release of Windows 11, 25H2 is Administrator Protection. The goal of this feature is to replace User Account Control (UAC) with a more robust and importantly, securable system to allow a local use