#backdoor

2026-01-17

📢 Fake RustDesk site distributes the Winos4.0 backdoor via a booby-trapped installer
📝 Source: Malwarebytes — Analysis of a site-spoofing campaign distributing a modified RustDesk installer that depl...
📖 cyberveille: cyberveille.ch/posts/2026-01-1
🌐 source: malwarebytes.com/blog/threat-i
#Backdoor #IOC #Cyberveille

2026-01-16

Targets critical infrastructure sectors in North America

UAT-8837, assessed as a China-nexus advanced persistent threat actor, has been targeting critical infrastructure sectors in North America since 2025. The group exploits vulnerabilities, including zero-days, to gain initial access and deploys open-source tools for reconnaissance, credential harvesting, and lateral movement. Their toolkit includes GoTokenTheft, Earthworm, DWAgent, SharpHound, Impacket, GoExec, Rubeus, and Certipy. UAT-8837 conducts extensive domain and Active Directory reconnaissance, creates backdoor accounts, and exfiltrates sensitive data. The actor's focus on obtaining initial access to high-value organizations and their use of sophisticated tools and techniques indicate a significant threat to critical infrastructure sectors.

Pulse ID: 696a3dc15e8d8c495dbd889b
Pulse Link: otx.alienvault.com/pulse/696a3
Pulse Author: AlienVault
Created: 2026-01-16 13:31:45

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #China #CredentialHarvesting #CyberSecurity #InfoSec #NorthAmerica #OTX #OpenThreatExchange #RAT #RCE #Worm #ZeroDay #bot #AlienVault

2026-01-16

TIL my kernel has a VMware backdoor. Luckily it's disabled 😅

#linux #kvm #vmware #backdoor

Screenshot showing a disabled enable_vmware_backdoor option of the kvm linux kernel module.

2026-01-13

SHADOW#REACTOR – Text-Only Staging, .NET Reactor, and In-Memory Remcos RAT Deployments

This analysis examines a multi-stage Windows malware campaign called SHADOW#REACTOR. The infection chain uses obfuscated VBS, PowerShell downloaders, and text-based payloads to deliver a Remcos RAT backdoor. Key features include fragmented text staging, .NET Reactor protection, reflective loading, and MSBuild abuse as a living-off-the-land binary. The campaign leverages complex obfuscation and in-memory execution to evade detection while establishing persistent remote access. Defensive recommendations focus on script execution monitoring, LOLBin abuse detection, and enhanced PowerShell logging to counter the sophisticated evasion techniques employed.

Pulse ID: 69666ffc29ff0976c2de82b9
Pulse Link: otx.alienvault.com/pulse/69666
Pulse Author: AlienVault
Created: 2026-01-13 16:17:00

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #InfoSec #MSBuild #Malware #NET #OTX #OpenThreatExchange #PowerShell #RAT #Remcos #RemcosRAT #ScriptExecution #VBS #Windows #bot #AlienVault

2026-01-13

Phishing Campaign Uses Maduro Arrest Story to Deliver Backdoor Payloads

A new report on the latest cyber security threats shows how hackers are leveraging the arrest of Venezuelan President Nicolás Maduro to distribute sophisticated malware on a geopolitical-themed basis, and how they can be targeted.

Pulse ID: 69665e103cc6b5a55c537b06
Pulse Link: otx.alienvault.com/pulse/69665
Pulse Author: CyberHunter_NL
Created: 2026-01-13 15:00:32

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #Phishing #bot #CyberHunter_NL

2026-01-12

CNCERT: Risk Warning Regarding the "Black Cat" Gang's Use of Search Engines to Spread Counterfeit Notepad++ Download Remote Control Backdoors

Pulse ID: 69649c17fe635ad1ea6557ac
Pulse Link: otx.alienvault.com/pulse/69649
Pulse Author: Tr1sa111
Created: 2026-01-12 07:00:39

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #InfoSec #Notepad #OTX #OpenThreatExchange #bot #Tr1sa111

2026-01-10

Phishing Campaign Uses Maduro Arrest Story to Deliver Backdoor Malware

This threat campaign uses phishing emails related to the reported arrest of Venezuelan President Nicolás Maduro to spread malware. Attackers send emails with a ZIP attachment that looks like news content.

Pulse ID: 69623f17d7278decd8416e6a
Pulse Link: otx.alienvault.com/pulse/69623
Pulse Author: cryptocti
Created: 2026-01-10 11:59:19

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #Email #InfoSec #Malware #OTX #OpenThreatExchange #Phishing #ZIP #bot #cryptocti

2026-01-09

CNCERT: Risk Warning Regarding the "Black Cat" Gang's Use of Search Engines to Spread Counterfeit Notepad++ Download Remote Control Backdoors

CNCERT and Microstep Online jointly detected a cyberattack campaign launched by the "Black Cat" criminal gang. This gang uses search engine SEO (Search Engine Optimization) techniques to push meticulously crafted phishing websites to the top of search engine keyword results. After visiting these high-ranking phishing pages, users are lured by carefully designed download pages into downloading software installation packages bundled with malicious programs. Once installed, the program implants a backdoor Trojan without the user's knowledge, leading to the theft of sensitive data from their host computer by attackers.

Pulse ID: 6960d767ed2466fdb23d97e5
Pulse Link: otx.alienvault.com/pulse/6960d
Pulse Author: AlienVault
Created: 2026-01-09 10:24:39

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberAttack #CyberSecurity #Edge #InfoSec #Notepad #OTX #OpenThreatExchange #Phishing #RAT #Trojan #Word #bot #AlienVault

2026-01-08

DeedRAT: Unpacking a Modern Backdoor's Playbook

Pulse ID: 695f7bc52fe049df9fc8401b
Pulse Link: otx.alienvault.com/pulse/695f7
Pulse Author: Tr1sa111
Created: 2026-01-08 09:41:25

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #DRat #EDR #InfoSec #OTX #OpenThreatExchange #RAT #bot #Tr1sa111

2026-01-08

DeedRAT: Unpacking a Modern Backdoor's Playbook

Pulse ID: 695f7bd8cf25f0327748397e
Pulse Link: otx.alienvault.com/pulse/695f7
Pulse Author: Tr1sa111
Created: 2026-01-08 09:41:44

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #DRat #EDR #InfoSec #OTX #OpenThreatExchange #RAT #bot #Tr1sa111

2026-01-06

FIN7 Threat Actors Using Windows SSH Backdoor to Establish Stealthy Remote Access

FIN7, also called Savage Ladybug, is still a major threat to enterprise environments.
They've been improving a Windows SSH backdoor campaign.

Pulse ID: 695d6cf373e395066cf9873a
Pulse Link: otx.alienvault.com/pulse/695d6
Pulse Author: cryptocti
Created: 2026-01-06 20:13:39

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #FIN7 #InfoSec #OTX #OpenThreatExchange #SSH #Windows #bot #cryptocti

2026-01-06

New .NET CAPI Backdoor Targets Auto and E-Commerce Firms

Automobile and e-commerce sectors targeted by new .NET malware CAPI Backdoor.

Pulse ID: 695d60e937d8b798586a443b
Pulse Link: otx.alienvault.com/pulse/695d6
Pulse Author: cryptocti
Created: 2026-01-06 19:22:17

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #InfoSec #Malware #NET #OTX #OpenThreatExchange #RCE #bot #cryptocti

2026-01-05

HoneyMyte Campaign Weaponizes Rootkits to Hijack Asian Governments

HoneyMyte compromises government systems in Southeast and East Asia by deploying rare kernel-mode rootkits. The rootkit enables the threat actor to deploy a backdoor named "ToneShell" without being detected, enabling them to conduct long-term cyber-espionage activities against government organizations while remaining undetected.

Pulse ID: 695ba557138e5247521b0042
Pulse Link: otx.alienvault.com/pulse/695ba
Pulse Author: cryptocti
Created: 2026-01-05 11:49:43

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #BackDoor #CyberSecurity #Espionage #Government #InfoSec #OTX #OpenThreatExchange #Rootkit #bot #cyberespionage #cryptocti

2026-01-05

LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan

ESET researchers have uncovered a new China-aligned APT group named LongNosedGoblin targeting governmental entities in Southeast Asia and Japan for cyberespionage. The group employs a varied custom toolset of C#/.NET applications and abuses Group Policy for lateral movement. Key tools include NosyHistorian for collecting browser history, NosyDoor backdoor using cloud services as C&C, and NosyStealer for exfiltrating browser data. The attackers also utilize techniques like AppDomainManager injection and AMSI bypassing. LongNosedGoblin has been active since at least September 2023, showing ongoing campaigns throughout 2024 and 2025. The research provides detailed analysis of the group's malware and tactics, including potential sharing of the NosyDoor backdoor among multiple China-aligned actors.

Pulse ID: 6958f815aa5cbfe2f0a8d82d
Pulse Link: otx.alienvault.com/pulse/6958f
Pulse Author: AlienVault
Created: 2026-01-03 11:05:57

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #BackDoor #Browser #CandC #China #Cloud #CyberSecurity #Cyberespionage #ESET #Espionage #Government #ICS #InfoSec #Japan #Malware #NET #OTX #OpenThreatExchange #RAT #bot #AlienVault

2026-01-05

MuddyWater: Snakes by the riverbank

MuddyWater, an Iran-aligned cyberespionage group, has been targeting critical infrastructure in Israel and Egypt with custom malware and improved tactics. The campaign uses previously undocumented tools like the Fooder loader and MuddyViper backdoor to enhance defense evasion and persistence. Fooder masquerades as a Snake game and uses game-inspired techniques to hinder analysis. MuddyViper enables system information collection, file manipulation, and credential theft. The group also employs browser-data stealers and reverse tunneling tools. This campaign demonstrates MuddyWater's evolution towards more sophisticated and refined approaches, though traces of operational immaturity remain. The group continues to pose a significant threat, particularly to government, military, telecommunications, and critical infrastructure sectors in the Middle East.

Pulse ID: 6958f81623f8ea731f649bfb
Pulse Link: otx.alienvault.com/pulse/6958f
Pulse Author: AlienVault
Created: 2026-01-03 11:05:58

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Bank #Browser #CyberSecurity #Cyberespionage #Espionage #Government #ICS #InfoSec #Iran #Israel #Malware #MiddleEast #Military #MuddyWater #OTX #OpenThreatExchange #RAT #Telecom #Telecommunication #bot #AlienVault

Instadouble 🔞🚫🤖instadouble
2026-01-05
Wiener Pirat 🏴‍☠️wienerpirat
2026-01-04

Austrian Liberals NEOS/ their spokeswoman for digital affairs Henrike Branstötter seem to support a social media ban/ verification via ID-Austria or Europe Digital ID! ⚠️

Age verification could become a backdoor to mandatory identification and tracking.

derstandard.at/story/300000030

2026-01-02

DeedRAT: Unpacking a Modern Backdoor's Playbook

DeedRAT is a sophisticated backdoor associated with the Chinese APT group Salt Typhoon, targeting critical sectors globally. It infiltrates systems through phishing campaigns, utilizing DLL sideloading to evade detection. The malware establishes persistence via registry run keys and service creation, ensuring long-term access. DeedRAT's capabilities include file manipulation, system reconnaissance, and payload execution. The infection chain involves three files: a legitimate executable, a malicious DLL, and an encrypted file. Once installed, it attempts to connect to its command-and-control server. Defensive measures include monitoring email traffic, registry changes, and anomalous service creations.

Pulse ID: 6955aac43e4afc25d1894086
Pulse Link: otx.alienvault.com/pulse/6955a
Pulse Author: AlienVault
Created: 2025-12-31 22:59:16

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Chinese #CyberSecurity #DRat #EDR #Email #InfoSec #Malware #OTX #OpenThreatExchange #Phishing #RAT #SideLoading #bot #AlienVault

2025-12-30

Chinese Hackers Deploy Rootkit to Conceal ToneShell Malware Operations

A new variant of the ToneShell backdoor attributed to the Mustang Panda group has been deployed.

Pulse ID: 6953ced7aa91769979e76ca4
Pulse Link: otx.alienvault.com/pulse/6953c
Pulse Author: cryptocti
Created: 2025-12-30 13:08:39

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Chinese #CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #RAT #Rootkit #bot #cryptocti

2025-12-30

📢 ToneShell delivered via a kernel-mode loader against government organizations
📝 **Source:** Bill Toulas
**Media:** *BleepingComputer*
**Date:** 29 December 202...
📖 cyberveille: cyberveille.ch/posts/2025-12-3
🌐 source: bleepingcomputer.com/news/secu
#ToneShell #backdoor #Cyberveille
