The #backdoor #option is at times the most preferable. As always, keep an #openmind to new #opportunities, and how to #meet them.
Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework
Cisco Talos uncovered 'DKnife', a sophisticated gateway-monitoring and adversary-in-the-middle (AitM) framework comprising seven Linux-based implants. Used since 2019, DKnife performs deep-packet inspection, traffic manipulation, and malware delivery via routers and edge devices. It targets various devices, including PCs, mobile devices, and IoT, delivering ShadowPad and DarkNimbus backdoors. The framework primarily targets Chinese-speaking users, with evidence suggesting China-nexus threat actors as operators. DKnife's capabilities include DNS hijacking, Android application update hijacking, Windows binary hijacking, anti-virus traffic disruption, and user activity monitoring. A link to the WizardNet campaign was also discovered, indicating a shared development or operational lineage.
Pulse ID: 6984fa9b481e11f8426b9eb0
Pulse Link: https://otx.alienvault.com/pulse/6984fa9b481e11f8426b9eb0
Pulse Author: AlienVault
Created: 2026-02-05 20:16:27
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AdversaryInTheMiddle #AitM #Android #BackDoor #China #Chinese #Cisco #CyberSecurity #DNS #Edge #InfoSec #IoT #Linux #Malware #Nim #OTX #OpenThreatExchange #RAT #ShadowPad #Talos #Windows #bot #AlienVault
@Eichi it's called #CensirBiit because nothing about it is secure, regardless of whether it's the #BitLocker #Backdoor or #GoldenKeyBoot!
The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkit
Chinese hackers used a previously undocumented custom backdoor to deliver shellcode to victims of a targeted espionage campaign, according to Rapid7 Labs and the Rapid7 MDR team, who have uncovered a new type of malicious implant.
Pulse ID: 6983154d527ea2bf3aac3649
Pulse Link: https://otx.alienvault.com/pulse/6983154d527ea2bf3aac3649
Pulse Author: CyberHunter_NL
Created: 2026-02-04 09:45:49
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #Chinese #CyberSecurity #Espionage #InfoSec #OTX #OpenThreatExchange #Rapid7 #ShellCode #bot #CyberHunter_NL
The Chrysalis Backdoor: A Deep Dive into Lotus Blossom's toolkit
Pulse ID: 6982cbe3f96a38f7a82972eb
Pulse Link: https://otx.alienvault.com/pulse/6982cbe3f96a38f7a82972eb
Pulse Author: Tr1sa111
Created: 2026-02-04 04:32:35
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #CyberSecurity #InfoSec #OTX #OpenThreatExchange #bot #Tr1sa111
A (fairly technical) look at what happened with #NotepadPlusPlus and huge support to Don « The #Chrysalis #Backdoor : A Deep Dive into Lotus Blossom’s toolkit »
› https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
Leveraging of CVE-2026-21509 in Operation Neusploit
A new campaign dubbed Operation Neusploit, attributed to the Russia-linked APT28 group, targets Central and Eastern European countries using specially crafted Microsoft RTF files to exploit CVE-2026-21509. The attack chain involves multi-stage infection, delivering malicious backdoors including MiniDoor, PixyNetLoader, and a Covenant Grunt implant. The campaign employs social engineering lures in multiple languages, server-side evasion techniques, and abuses the Filen API for command-and-control communications. The malware components utilize various persistence mechanisms, steganography, and anti-analysis techniques. The operation showcases APT28's evolving tactics, techniques, and procedures in weaponizing the latest vulnerabilities.
Pulse ID: 698128e65e8a9984e3ff5b7e
Pulse Link: https://otx.alienvault.com/pulse/698128e65e8a9984e3ff5b7e
Pulse Author: AlienVault
Created: 2026-02-02 22:44:54
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#APT28 #BackDoor #CyberSecurity #EasternEurope #Europe #ICS #InfoSec #Malware #Microsoft #OTX #OpenThreatExchange #RAT #RTF #Russia #SMS #SocialEngineering #Steganography #bot #AlienVault
The Chrysalis Backdoor: A Deep Dive into Lotus Blossom's toolkit
Rapid7 Labs has uncovered a sophisticated campaign attributed to the Chinese APT group Lotus Blossom, involving a new custom backdoor named Chrysalis. The attack compromised Notepad++ infrastructure to deliver the backdoor. Analysis revealed multiple custom loaders, including one using Microsoft Warbird for obfuscation. The Chrysalis backdoor has extensive capabilities for information gathering, file operations, and remote command execution. Additional artifacts found include Cobalt Strike beacons and Metasploit payloads. The campaign shows Lotus Blossom evolving its tactics, mixing custom and off-the-shelf tools with advanced obfuscation techniques to evade detection.
Pulse ID: 6981aff0acbb318f992ed03e
Pulse Link: https://otx.alienvault.com/pulse/6981aff0acbb318f992ed03e
Pulse Author: AlienVault
Created: 2026-02-03 08:21:04
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #Chinese #CobaltStrike #CyberSecurity #ELF #ICS #InfoSec #Microsoft #Notepad #OTX #OpenThreatExchange #RAT #Rapid7 #RemoteCommandExecution #bot #AlienVault
@tranquil_cassowary @halotroop2288 here's a good example:
And yes, this can and will be weaponized against any non-#Govware - #backdoored #OS & -Device.
In fact, #Australia banning #SecureDevices and #Encryption came just after their #HoneyPot "#ANØM" aka. #OperationIronside aka. #OperationTrøjanShield had to end and they had to bust the users, as #Estonia was unwilling to extend the permission to host the infrastructure on its soil on behalf of the #FBI & #AFP!
APT Attacks Target Indian Government Using SHEETCREEP, FIREPOWER, and MAILCREEP
A new campaign targeting Indian government entities was uncovered, utilizing three backdoors: SHEETCREEP, FIREPOWER, and MAILCREEP. These tools leverage legitimate cloud services like Google Sheets, Firebase, and Microsoft Graph API for command and control, enabling the attackers to blend in with normal traffic. The campaign, named Sheet Attack, employed PDFs and malicious LNK files as initial infection vectors. Evidence suggests the use of generative AI in malware development. While sharing similarities with APT36, the campaign's unique characteristics point to either a new Pakistan-linked group or an APT36 subgroup. The attackers demonstrated hands-on-keyboard activity and deployed additional payloads, including a document stealer, to selected targets.
Pulse ID: 697a42251f1b8af2c39201cc
Pulse Link: https://otx.alienvault.com/pulse/697a42251f1b8af2c39201cc
Pulse Author: AlienVault
Created: 2026-01-28 17:06:45
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #Cloud #CyberSecurity #Google #Government #ICS #India #InfoSec #LNK #Malware #Microsoft #OTX #OpenThreatExchange #PDF #Pakistan #RAT #bot #AlienVault
@Soeren_loeg the fact that @signalapp not only does "#KYC with extra steps" by mandating a #PhoneNumber to this day, as well as being solely under the #CloudAct whilst basically being a #centralized, #proprietary, #SingleVendor & #SingleProvider solution, makes them the ideal candidate for a long-term #HoneyPot like #ANØM aka. #OperationIronside aka. #OperationTrøjanShield.
CoolClient backdoor updated, new data stealing tools used
The HoneyMyte APT group has enhanced its toolset with an updated CoolClient backdoor and new data stealing capabilities. The group targeted government entities in Asia and Europe, particularly Southeast Asia. CoolClient now features clipboard monitoring, HTTP proxy credential sniffing, and plugin support for extended functionality. HoneyMyte also deployed browser login data stealers and document theft scripts. The campaign's focus has shifted towards active surveillance, including keylogging, clipboard data collection, and proxy credential harvesting. Organizations are advised to remain vigilant against HoneyMyte's evolving toolkit, which includes CoolClient, PlugX, ToneShell, Qreverse, and LuminousMoth malware families.
Pulse ID: 6978a64af51a4e50807b6636
Pulse Link: https://otx.alienvault.com/pulse/6978a64af51a4e50807b6636
Pulse Author: AlienVault
Created: 2026-01-27 11:49:30
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Asia #BackDoor #Browser #Clipboard #CredentialHarvesting #CyberSecurity #Europe #Government #HTTP #InfoSec #Malware #OTX #OpenThreatExchange #PlugX #Proxy #bot #AlienVault
A Versatile Script Framework for LOLBins Exploitation Used by China-aligned Threat Groups
PeckBirdy is a sophisticated JScript-based C&C framework employed by China-aligned APT groups since 2023. It exploits LOLBins across multiple environments to deliver advanced backdoors, targeting gambling industries and Asian government entities. The framework's versatility allows it to be used in various attack stages, from watering-hole control to lateral movement and C&C operations. Two campaigns, SHADOW-VOID-044 and SHADOW-EARTH-045, demonstrate coordinated threat group activity using PeckBirdy. The framework is complemented by two modular backdoors, HOLODONUT and MKDOOR, which extend its attack capabilities. PeckBirdy's design enables flexible deployment and execution across different environments, including browsers, MSHTA, WScript, Classic ASP, Node.js, and .NET.
Pulse ID: 6977cf000e82fbf4ca307f21
Pulse Link: https://otx.alienvault.com/pulse/6977cf000e82fbf4ca307f21
Pulse Author: AlienVault
Created: 2026-01-26 20:30:56
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Asia #BackDoor #Browser #CandC #China #CyberSecurity #Government #InfoSec #NET #OTX #OpenThreatExchange #RAT #bot #AlienVault
APT Attacks Target Indian Government Using GOGITTER, GITSHELLPAD, and GOSHELL | Part 1
A Pakistan-linked APT group conducted two campaigns targeting Indian government entities. The Gopher Strike campaign used PDFs with malicious links to deliver an ISO file containing GOGITTER, a Golang downloader that fetches payloads from private GitHub repositories. GITSHELLPAD, a Golang backdoor, was used for C2 communication via GitHub. GOSHELL, a Golang shellcode loader, deployed Cobalt Strike Beacon on specific hostnames. The attackers used various techniques including scheduled tasks for persistence, obfuscation, and environmental keying. Post-compromise activities involved system reconnaissance and data exfiltration. The campaign demonstrated sophisticated TTPs and custom-built tools, indicating a potentially new subgroup or parallel Pakistan-linked threat actor.
Pulse ID: 6977da59fb7a0679c7535c14
Pulse Link: https://otx.alienvault.com/pulse/6977da59fb7a0679c7535c14
Pulse Author: AlienVault
Created: 2026-01-26 21:19:21
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #CobaltStrike #CyberSecurity #GitHub #Golang #Government #India #InfoSec #OTX #OpenThreatExchange #PDF #Pakistan #RAT #ShellCode #bot #AlienVault
North Korean cybercriminals are using an AI-generated PowerShell backdoor
North Korean cybercriminals are targeting developers with access to blockchains. A PowerShell backdoor appears to be programmed by AI.
#Backdoor #Cybercrime #IT #KünstlicheIntelligenz #Malware #PowerShell #Security #news