Chinese APT Campaign Targets Entities with Updated FDMTP Backdoor

Beginning in late September 2025, multiple affected hosts were observed making requests to domains impersonating content delivery networks (CDNs), including infrastructure masquerading as Yahoo- and Apple-affiliated services. Across these cases, Darktrace identified a consistent behavioral execution pattern: the retrieval of legitimate binaries alongside malicious Dynamic Link Libraries (DLLs), enabling sideloading and execution of a modular .NET-based Remote Access Trojan (RAT) framework.

Pulse ID: 6a0b6898afd39bdd2dd6f142
Pulse Link: https://otx.alienvault.com/pulse/6a0b6898afd39bdd2dd6f142
Pulse Author: AlienVault
Created: 2026-05-18 19:29:26

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CDN #Chinese #CyberSecurity #DNS #Darktrace #InfoSec #NET #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SideLoading #Trojan #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Ivanti, Palo Alto Networks Flaws Exploited in Active Attacks

Meet Quasar Linux RAT, a sneaky malware that combines remote access, evasion, and data theft capabilities, making it a potent threat to Linux systems. This powerful tool lets hackers secretly control infected hosts, harvest sensitive info, and even create a network of compromised devices that communicate with each other.

https://osintsights.com/ivanti-palo-alto-networks-flaws-exploited-in-active-attacks?utm_source=mastodon&utm_medium=social

#LinuxMalware #QuasarLinuxRat #RemoteAccessTrojan #KernelRootkit #EmergingThreats

Ivanti, Palo Alto Networks Flaws Exploited in Active Attacks

Learn about Quasar Linux RAT attacks exploiting Ivanti and Palo Alto Networks flaws. Discover how to protect your systems now with expert insights on QLNX malware.

OSINTSights
Obsidian Plugin Abused in Social Engineering Campaign to Deliver New PHANTOMPULSE RAT

A sophisticated campaign is abusing the Obsidian note-taking app to deliver a new RAT, PHANTOMPULSE, to targets in the finance and crypto sectors using social engineering and malicious plugins.

CyberNetSec.io

That AI Extension Helping You Write Emails? It's Reading Them First

Researchers discovered 18 malicious AI browser extensions masquerading as productivity tools that deliver remote access trojans, meddler-in-the-middle attacks, and infostealers. These extensions exploit the rise of generative AI to target prompts, user behavior, and browser sessions through API interception, passive DOM observation, traffic proxying, and HTTPS response decryption. Examples include extensions that surveil emails during composition, intercept ChatGPT prompts, and exfiltrate passwords. Multiple samples contained AI-generated code indicating threat actors employed large language models to accelerate production. Google removed or issued warnings for all 18 reported extensions. These malicious tools specifically target sensitive data including AI API keys, authentication credentials, email content, and proprietary session information by exploiting user trust in AI-branded applications.

Pulse ID: 69f3e871eb2a73cd5c8bee7e
Pulse Link: https://otx.alienvault.com/pulse/69f3e871eb2a73cd5c8bee7e
Pulse Author: AlienVault
Created: 2026-04-30 23:40:33

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #ChatGPT #CyberSecurity #Email #Google #HTTP #HTTPS #InfoSec #InfoStealer #OTX #OpenThreatExchange #Password #Passwords #Proxy #RAT #RCE #RemoteAccessTrojan #Rust #Trojan #Word #bot #AlienVault

An In-Depth Analysis of Novel KarstoRAT Malware

KarstoRAT is a newly identified remote access trojan that emerged in early 2026, combining surveillance, credential theft, and remote command execution capabilities. The malware supports extensive post-compromise operations including system reconnaissance, screenshot and audio capture, webcam monitoring, keylogging, and token theft. It communicates with a C2 server at 212.227.65[.]132 using HTTP protocols with the user agent 'SecurityNotifier'. Distribution occurs through gaming-themed lure pages targeting Roblox players and FPS/GTA modders via fake cheat loaders. KarstoRAT employs multiple persistence mechanisms through registry keys, scheduled tasks, and startup folders, while featuring a UAC bypass using the fodhelper.exe technique. The malware has not been publicly advertised on cybercrime forums, suggesting private development and limited operator use rather than commodity distribution.

Pulse ID: 69f3653e6f25eb53d5d343b1
Pulse Link: https://otx.alienvault.com/pulse/69f3653e6f25eb53d5d343b1
Pulse Author: AlienVault
Created: 2026-04-30 14:20:46

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberCrime #CyberSecurity #HTTP #InfoSec #Malware #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #RemoteCommandExecution #SMS #Trojan #bot #AlienVault

Python Backdoor Exploits Tunneling Service to Harvest Browser, Cloud Credentials

Meet DEEP#DOOR, a sneaky Python-based backdoor framework that's harvesting browser and cloud credentials by exploiting a tunneling service, and learn how it infiltrates systems through a clever sequence of stealthy steps. This sophisticated threat starts with a simple batch script that disables Windows security…

https://osintsights.com/python-backdoor-exploits-tunneling-service-to-harvest-browser-cloud-credentials?utm_source=mastodon&utm_medium=social

#PythonBackdoor #Deepdoor #RemoteAccessTrojan #Rat #CredentialHarvesting

Python Backdoor Exploits Tunneling Service to Harvest Browser, Cloud Credentials

Learn how DEEP#DOOR, a Python-based backdoor framework, steals browser and cloud credentials via tunneling service exploits - read the details now and stay protected.

OSINTSights

Threat Spotlight An In-Depth Analysis of Novel KarstoRAT Malware

Remote access trojans (RATs) remain one of the most common tools used by attackers to maintain persistent access to compromised systems. Unlike simple information stealers, RATs allow operators to fully control infected machines, monitor user activity, collect sensitive data, and deploy additional payloads when needed. In recent years, many new RAT families have emerged that combine surveillance capabilities, credential theft, and remote command execution within lightweight and flexible frameworks.

Pulse ID: 69f342059da1410582479c7c
Pulse Link: https://otx.alienvault.com/pulse/69f342059da1410582479c7c
Pulse Author: CyberHunter_NL
Created: 2026-04-30 11:50:29

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Mac #Malware #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #Trojan #bot #CyberHunter_NL

Threat Spotlight An In-Depth Analysis of Novel KarstoRAT Malware

Remote access trojans (RATs) remain one of the most common tools used by attackers to maintain persistent access to compromised systems. Unlike simple information stealers, RATs allow operators to fully control infected machines, monitor user activity, collect sensitive data, and deploy additional payloads when needed. In recent years, many new RAT families have emerged that combine surveillance capabilities, credential theft, and remote command execution within lightweight and flexible frameworks.

Pulse ID: 69f34205f24069b265ccf570
Pulse Link: https://otx.alienvault.com/pulse/69f34205f24069b265ccf570
Pulse Author: CyberHunter_NL
Created: 2026-04-30 11:50:29

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Mac #Malware #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #Trojan #bot #CyberHunter_NL

Threat Spotlight An In-Depth Analysis of Novel KarstoRAT Malware

Remote access trojans (RATs) remain one of the most common tools used by attackers to maintain persistent access to compromised systems. Unlike simple information stealers, RATs allow operators to fully control infected machines, monitor user activity, collect sensitive data, and deploy additional payloads when needed. In recent years, many new RAT families have emerged that combine surveillance capabilities, credential theft, and remote command execution within lightweight and flexible frameworks.

Pulse ID: 69f342068865d55a5846d71b
Pulse Link: https://otx.alienvault.com/pulse/69f342068865d55a5846d71b
Pulse Author: CyberHunter_NL
Created: 2026-04-30 11:50:30

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Mac #Malware #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #Trojan #bot #CyberHunter_NL

Rebex-based Telegram RAT Targeting Vietnam

A sophisticated CHM-based malware campaign has been identified targeting Vietnamese victims through a trojanized CV document. The infection chain utilizes a compiled HTML file that deploys a multi-stage payload delivery mechanism involving Python interpreters, C++ DLLs, and layered XOR encryption. The malware establishes persistence through Shell hijacking and scheduled tasks, ultimately delivering a weaponized version of Rebex.Common.dll functioning as a Telegram-based remote access trojan. The RAT communicates via Telegram bot API, supporting commands for file download, token swapping, and arbitrary command execution. The infection demonstrates characteristics typical of targeted state-sponsored activity rather than opportunistic cybercrime, employing techniques historically associated with advanced threat actors operating in the Southeast Asian region.

Pulse ID: 69f1d26f3c7a8e098eccb448
Pulse Link: https://otx.alienvault.com/pulse/69f1d26f3c7a8e098eccb448
Pulse Author: AlienVault
Created: 2026-04-29 09:42:07

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #CyberCrime #CyberSecurity #Encryption #HTML #ICS #InfoSec #Malware #OTX #OpenThreatExchange #Python #RAT #RemoteAccessTrojan #Telegram #Trojan #Vietnam #bot #AlienVault
