axios Compromised on npm - Malicious Versions Drop Remote Access Trojan - StepSecurity

Hijacked maintainer account used to publish poisoned axios releases including 1.14.1 and 0.30.4. The attacker injected a hidden dependency that drops a cross-platform RAT. We are actively investigating and will update this post with a full technical analysis.

CrySome RAT Stealth-Oriented Malware Built on .NET

CrySome is a Remote Access Trojan (RAT) developed in C# for the .NET platform, designed to establish and maintain a persistent command-and-control (C2) connection over TCP, enabling attackers to execute remote actions on compromised systems.

Pulse ID: 69caea76eb0e8d15bcb7c207
Pulse Link: https://otx.alienvault.com/pulse/69caea76eb0e8d15bcb7c207
Pulse Author: cryptocti
Created: 2026-03-30 21:26:14

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Malware #NET #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #TCP #Trojan #bot #cryptocti

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

A cunning predator: How Silver Fox preys on Japanese firms this tax season

Silver Fox, a threat actor, is exploiting Japan's tax filing and organizational change season with a targeted spearphishing campaign against Japanese businesses. The group sends convincing phishing emails related to tax compliance, salary adjustments, and HR matters, tricking recipients into opening malicious links or attachments. The campaign capitalizes on the high volume of legitimate financial and HR communications during this period, increasing the risk of compromise. Silver Fox has expanded its targets from Chinese-speaking entities to Southeast Asia, Japan, and potentially North America. The group uses ValleyRAT, a remote access trojan, to gain control of compromised machines and steal sensitive information. To protect against this threat, organizations should increase vigilance, reinforce awareness about phishing attempts, and verify the authenticity of tax- and HR-themed requests.

Pulse ID: 69c7fe028b39a27c589226aa
Pulse Link: https://otx.alienvault.com/pulse/69c7fe028b39a27c589226aa
Pulse Author: AlienVault
Created: 2026-03-28 16:12:50

#Asia #Chinese #CyberSecurity #Email #InfoSec #Japan #Mac #NorthAmerica #OTX #OpenThreatExchange #Phishing #RAT #RCE #RemoteAccessTrojan #SpearPhishing #Trojan #bot #AlienVault


GlassWorm attack installs fake browser extension for surveillance

GlassWorm is a sophisticated malware targeting developers through compromised code repositories and package managers. It executes in stages, starting with a stealthy infection that fingerprints the machine and fetches further payloads via the Solana blockchain. The malware steals sensitive data, including cryptocurrency wallets and development credentials, installs a Remote Access Trojan (RAT), and deploys a fake Chrome extension for extensive surveillance. It uses distributed hash tables and blockchain for resilient command and control. While initially focused on developers with potential cryptocurrency assets, the stolen information could enable wider supply chain attacks. Prevention strategies include careful package management, regular extension audits, and up-to-date anti-malware solutions.

Pulse ID: 69c59ad1d050c7b6a823051e
Pulse Link: https://otx.alienvault.com/pulse/69c59ad1d050c7b6a823051e
Pulse Author: AlienVault
Created: 2026-03-26 20:45:05

#BlockChain #Browser #Chrome #ChromeExtension #CyberSecurity #FakeBrowser #InfoSec #Mac #Malware #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SupplyChain #Trojan #Worm #bot #cryptocurrency #developers #AlienVault


COVERT RAT: Phishing Campaign

A sophisticated multi-stage infection chain targets Argentina's judicial ecosystem using spear-phishing tactics and authentic-looking judicial content. The campaign employs a carefully crafted ZIP archive containing a weaponized LNK shortcut, BAT-based loader script, and judicial-themed PDF decoy. The attack chain leads to the deployment of a Rust-based Remote Access Trojan (RAT) that demonstrates extensive anti-VM, anti-sandbox, and anti-debugging techniques. The RAT establishes a resilient command-and-control channel, supports modular commands for various malicious activities, and implements full lifecycle management. The operation, dubbed 'Operation Covert Access,' aims to secure long-term access within high-trust institutional settings, highlighting the need for improved defenses against socially engineered intrusion chains.

Pulse ID: 69b821c38b5e35d90728323e
Pulse Link: https://otx.alienvault.com/pulse/69b821c38b5e35d90728323e
Pulse Author: AlienVault
Created: 2026-03-16 15:29:07

#CyberSecurity #ICS #InfoSec #LNK #OTX #OpenThreatExchange #PDF #Phishing #RAT #RemoteAccessTrojan #Rust #SpearPhishing #Trojan #ZIP #bot #AlienVault


Android Remote Access Trojan Targeting the Banking Sector

Pulse ID: 69b6b3fff6efd5f1b6b23b33
Pulse Link: https://otx.alienvault.com/pulse/69b6b3fff6efd5f1b6b23b33
Pulse Author: cryptocti
Created: 2026-03-15 13:28:31

#Android #Bank #CyberSecurity #InfoSec #OTX #OpenThreatExchange #RemoteAccessTrojan #Trojan #bot #cryptocti


VOID#GEIST Malware Delivers Multiple RATs through Multi-Stage Attack CTIA

VOID#GEIST is actively targeting Windows systems using phishing emails and malicious scripts. It installs remote access trojans such as XWorm, AsyncRAT and Xeno RAT to allow attackers to control infected computers.

Pulse ID: 69ab76815510954864898d9c
Pulse Link: https://otx.alienvault.com/pulse/69ab76815510954864898d9c
Pulse Author: cryptocti
Created: 2026-03-07 00:51:13

#AsyncRAT #CyberSecurity #Email #InfoSec #Malware #OTX #OpenThreatExchange #Phishing #RAT #RemoteAccessTrojan #Trojan #Windows #Worm #XWorm #XenoRAT #bot #cryptocti


Malicious Packagist Packages Disguised as Laravel Utilities Deploy Encrypted RAT

A remote access trojan (RAT) has been discovered in multiple Packagist packages published by the threat actor nhattuanbl. The malicious packages, disguised as Laravel utilities, install an encrypted PHP RAT via Composer dependencies. The payload connects to a C2 server, sends system reconnaissance data, and awaits commands, granting full remote access to the host. The RAT uses obfuscation techniques to resist analysis and employs a self-launch mechanism. It communicates with the C2 server using encrypted JSON messages and supports various commands for system control and data exfiltration. The attack vector leverages dependency chains, with clean-looking packages pulling in malicious ones. Affected systems should be treated as compromised, with recommendations provided for mitigation and prevention.

Pulse ID: 69a80fbbdd6d5ec66e2a4a06
Pulse Link: https://otx.alienvault.com/pulse/69a80fbbdd6d5ec66e2a4a06
Pulse Author: AlienVault
Created: 2026-03-04 10:55:55

#CyberSecurity #ELF #InfoSec #OTX #OpenThreatExchange #PHP #RAT #RemoteAccessTrojan #Trojan #bot #AlienVault


Steaelite RAT Targeting Enterprise Environments

A newly emerged remote access trojan (RAT) called Steaelite is raising serious concerns across enterprise security teams.

Pulse ID: 69a5d9aba9e1942ac6a44d29
Pulse Link: https://otx.alienvault.com/pulse/69a5d9aba9e1942ac6a44d29
Pulse Author: cryptocti
Created: 2026-03-02 18:40:43

#CyberSecurity #InfoSec #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #Trojan #bot #cryptocti


Abusing Windows File Explorer and WebDAV for Malware Delivery

This analysis details how threat actors are exploiting Windows File Explorer's WebDAV functionality to deliver malware. WebDAV, a legacy protocol, is being used to trick users into downloading malicious files without going through web browsers, potentially bypassing security controls. Campaigns often use complex chains of scripts and legitimate files to deliver Remote Access Trojans (RATs). The tactic has been observed since February 2024, with increased activity from September 2024. Threat actors frequently abuse Cloudflare Tunnel demo accounts to host WebDAV servers. The report explains WebDAV links, how File Explorer can be manipulated, and various methods used by attackers, including URL shortcut files and LNK files. It also highlights the prevalence of German and English language campaigns targeting European corporate email accounts.

Pulse ID: 69a3ce1589019e16f3785b72
Pulse Link: https://otx.alienvault.com/pulse/69a3ce1589019e16f3785b72
Pulse Author: AlienVault
Created: 2026-03-01 05:26:45

#Browser #Cloud #CyberSecurity #Email #Europe #InfoSec #LNK #Malware #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #Trojan #Windows #bot #AlienVault
