COVERT RAT: Phishing Campaign

A sophisticated multi-stage infection chain targets Argentina's judicial ecosystem using spear-phishing tactics and authentic-looking judicial content. The campaign employs a carefully crafted ZIP archive containing a weaponized LNK shortcut, BAT-based loader script, and judicial-themed PDF decoy. The attack chain leads to the deployment of a Rust-based Remote Access Trojan (RAT) that demonstrates extensive anti-VM, anti-sandbox, and anti-debugging techniques. The RAT establishes a resilient command-and-control channel, supports modular commands for various malicious activities, and implements full lifecycle management. The operation, dubbed 'Operation Covert Access,' aims to secure long-term access within high-trust institutional settings, highlighting the need for improved defenses against socially engineered intrusion chains.

Pulse ID: 69b821c38b5e35d90728323e
Pulse Link: https://otx.alienvault.com/pulse/69b821c38b5e35d90728323e
Pulse Author: AlienVault
Created: 2026-03-16 15:29:07

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ICS #InfoSec #LNK #OTX #OpenThreatExchange #PDF #Phishing #RAT #RemoteAccessTrojan #Rust #SpearPhishing #Trojan #ZIP #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Android Remote Access Trojan Targeting the Banking Sector

Pulse ID: 69b6b3fff6efd5f1b6b23b33
Pulse Link: https://otx.alienvault.com/pulse/69b6b3fff6efd5f1b6b23b33
Pulse Author: cryptocti
Created: 2026-03-15 13:28:31

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Android #Bank #CyberSecurity #InfoSec #OTX #OpenThreatExchange #RemoteAccessTrojan #Trojan #bot #cryptocti


VOID#GEIST Malware Delivers Multiple RATs through Multi-Stage Attack CTIA

VOID#GEIST is actively targeting Windows systems using phishing emails and malicious scripts. It installs remote access trojans such as XWorm, AsyncRAT and Xeno RAT to allow attackers to control infected computers.

Pulse ID: 69ab76815510954864898d9c
Pulse Link: https://otx.alienvault.com/pulse/69ab76815510954864898d9c
Pulse Author: cryptocti
Created: 2026-03-07 00:51:13

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AsyncRAT #CyberSecurity #Email #InfoSec #Malware #OTX #OpenThreatExchange #Phishing #RAT #RemoteAccessTrojan #Trojan #Windows #Worm #XWorm #XenoRAT #bot #cryptocti


Malicious Packagist Packages Disguised as Laravel Utilities Deploy Encrypted RAT

A remote access trojan (RAT) has been discovered in multiple Packagist packages published by the threat actor nhattuanbl. The malicious packages, disguised as Laravel utilities, install an encrypted PHP RAT via Composer dependencies. The payload connects to a C2 server, sends system reconnaissance data, and awaits commands, granting full remote access to the host. The RAT uses obfuscation techniques to resist analysis and employs a self-launch mechanism. It communicates with the C2 server using encrypted JSON messages and supports various commands for system control and data exfiltration. The attack vector leverages dependency chains, with clean-looking packages pulling in malicious ones. Affected systems should be treated as compromised, with recommendations provided for mitigation and prevention.

Pulse ID: 69a80fbbdd6d5ec66e2a4a06
Pulse Link: https://otx.alienvault.com/pulse/69a80fbbdd6d5ec66e2a4a06
Pulse Author: AlienVault
Created: 2026-03-04 10:55:55

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ELF #InfoSec #OTX #OpenThreatExchange #PHP #RAT #RemoteAccessTrojan #Trojan #bot #AlienVault


Steaelite RAT Targeting Enterprise Environments

A newly emerged remote access trojan (RAT) called Steaelite is raising serious concerns across enterprise security teams.

Pulse ID: 69a5d9aba9e1942ac6a44d29
Pulse Link: https://otx.alienvault.com/pulse/69a5d9aba9e1942ac6a44d29
Pulse Author: cryptocti
Created: 2026-03-02 18:40:43

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #Trojan #bot #cryptocti


Abusing Windows File Explorer and WebDAV for Malware Delivery

This analysis details how threat actors are exploiting Windows File Explorer's WebDAV functionality to deliver malware. WebDAV, a legacy protocol, is being used to trick users into downloading malicious files without going through web browsers, potentially bypassing security controls. Campaigns often use complex chains of scripts and legitimate files to deliver Remote Access Trojans (RATs). The tactic has been observed since February 2024, with increased activity from September 2024. Threat actors frequently abuse Cloudflare Tunnel demo accounts to host WebDAV servers. The report explains WebDAV links, how File Explorer can be manipulated, and various methods used by attackers, including URL shortcut files and LNK files. It also highlights the prevalence of German and English language campaigns targeting European corporate email accounts.

Pulse ID: 69a3ce1589019e16f3785b72
Pulse Link: https://otx.alienvault.com/pulse/69a3ce1589019e16f3785b72
Pulse Author: AlienVault
Created: 2026-03-01 05:26:45

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Cloud #CyberSecurity #Email #Europe #InfoSec #LNK #Malware #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #Trojan #Windows #bot #AlienVault


SURXRAT Android RAT Enables Full Device Takeover

SURXRAT is a commercially sold Android Remote Access Trojan that quietly infects devices to steal data and control phones, abusing powerful permissions to spy on, manipulate and extort victims, primarily through Telegram-based distribution.

Pulse ID: 69a45d097bbe3e0c7103479c
Pulse Link: https://otx.alienvault.com/pulse/69a45d097bbe3e0c7103479c
Pulse Author: cryptocti
Created: 2026-03-01 15:36:41

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Android #CyberSecurity #InfoSec #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #Telegram #Trojan #bot #cryptocti


Moonrise RAT: A New Low-Detection Threat with High-Cost Consequences

A new Go-based remote access trojan named Moonrise has been discovered, operating without early static detection and establishing active C2 communication before vendor alerts. The RAT supports credential theft, remote command execution, persistence, and user monitoring, enabling full remote control of infected endpoints. Its capabilities include stealing passwords, executing remote commands, uploading files, capturing screens, and accessing webcams and microphones. The malware's silent operation increases business exposure, extending dwell time and raising risks of data loss and operational disruption. The attack chain involves session registration, host environment visibility, direct system interaction, credential access, active user monitoring, and privilege manipulation. Early detection strategies involve monitoring for weak signals, rapid triage with behavior confirmation, and threat hunting to prevent repeat incidents.

Pulse ID: 699dd912a5b53c853ec6c4c4
Pulse Link: https://otx.alienvault.com/pulse/699dd912a5b53c853ec6c4c4
Pulse Author: AlienVault
Created: 2026-02-24 17:00:02

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Endpoint #InfoSec #Malware #OTX #OpenThreatExchange #Password #Passwords #RAT #RemoteAccessTrojan #RemoteCommandExecution #Trojan #Word #bot #AlienVault


Fake Huorong security site infects users with ValleyRAT

A sophisticated campaign by the Silver Fox APT group has been discovered using a fake version of the popular Chinese antivirus Huorong Security to distribute ValleyRAT, a Remote Access Trojan. The attackers created a convincing lookalike website with a typosquatted domain to trick users into downloading a malicious installer. The malware uses DLL sideloading techniques to deploy a full-featured backdoor with advanced stealth capabilities. It establishes persistence through scheduled tasks, disables Windows Defender, and employs various evasion tactics. Once installed, ValleyRAT provides attackers with extensive control over the victim's system, including keylogging, process injection, and credential theft. The campaign primarily targets Chinese-language systems but may be spreading to other threat actors due to the public leak of the ValleyRAT builder.

Pulse ID: 699c6b8685a6526f07db3c61
Pulse Link: https://otx.alienvault.com/pulse/699c6b8685a6526f07db3c61
Pulse Author: AlienVault
Created: 2026-02-23 15:00:22

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Chinese #CyberSecurity #ICS #InfoSec #Malware #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SideLoading #Trojan #Windows #bot #AlienVault


ClickFix Malware Campaign Targets Users via Compromised Websites

A new ClickFix campaign uses hacked legitimate websites to spread MIMICRAT, a powerful remote access trojan.

Pulse ID: 699c6ff6ba660884ba49b07c
Pulse Link: https://otx.alienvault.com/pulse/699c6ff6ba660884ba49b07c
Pulse Author: cryptocti
Created: 2026-02-23 15:19:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Malware #Mimic #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #Trojan #bot #cryptocti
