#remoteaccesstrojan — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #remoteaccesstrojan, aggregated by home.social.
-
That AI Extension Helping You Write Emails? It's Reading Them First
Researchers discovered 18 malicious AI browser extensions masquerading as productivity tools that deliver remote access trojans, meddler-in-the-middle attacks, and infostealers. These extensions exploit the rise of generative AI to target prompts, user behavior, and browser sessions through API interception, passive DOM observation, traffic proxying, and HTTPS response decryption. Examples include extensions that surveil emails during composition, intercept ChatGPT prompts, and exfiltrate passwords. Multiple samples contained AI-generated code indicating threat actors employed large language models to accelerate production. Google removed or issued warnings for all 18 reported extensions. These malicious tools specifically target sensitive data including AI API keys, authentication credentials, email content, and proprietary session information by exploiting user trust in AI-branded applications.
Pulse ID: 69f3e871eb2a73cd5c8bee7e
Pulse Link: https://otx.alienvault.com/pulse/69f3e871eb2a73cd5c8bee7e
Pulse Author: AlienVault
Created: 2026-04-30 23:40:33
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Browser #ChatGPT #CyberSecurity #Email #Google #HTTP #HTTPS #InfoSec #InfoStealer #OTX #OpenThreatExchange #Password #Passwords #Proxy #RAT #RCE #RemoteAccessTrojan #Rust #Trojan #Word #bot #AlienVault
-
An In-Depth Analysis of Novel KarstoRAT Malware
KarstoRAT is a newly identified remote access trojan that emerged in early 2026, combining surveillance, credential theft, and remote command execution capabilities. The malware supports extensive post-compromise operations including system reconnaissance, screenshot and audio capture, webcam monitoring, keylogging, and token theft. It communicates with a C2 server at 212.227.65[.]132 using HTTP protocols with the user agent 'SecurityNotifier'. Distribution occurs through gaming-themed lure pages targeting Roblox players and FPS/GTA modders via fake cheat loaders. KarstoRAT employs multiple persistence mechanisms through registry keys, scheduled tasks, and startup folders, while featuring a UAC bypass using the fodhelper.exe technique. The malware has not been publicly advertised on cybercrime forums, suggesting private development and limited operator use rather than commodity distribution.
Pulse ID: 69f3653e6f25eb53d5d343b1
Pulse Link: https://otx.alienvault.com/pulse/69f3653e6f25eb53d5d343b1
Pulse Author: AlienVault
Created: 2026-04-30 14:20:46
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberCrime #CyberSecurity #HTTP #InfoSec #Malware #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #RemoteCommandExecution #SMS #Trojan #bot #AlienVault
-
Threat Spotlight: An In-Depth Analysis of Novel KarstoRAT Malware
Remote access trojans (RATs) remain one of the most common tools used by attackers to maintain persistent access to compromised systems. Unlike simple information stealers, RATs allow operators to fully control infected machines, monitor user activity, collect sensitive data, and deploy additional payloads when needed. In recent years, many new RAT families have emerged that combine surveillance capabilities, credential theft, and remote command execution within lightweight and flexible frameworks.
Pulse ID: 69f342059da1410582479c7c
Pulse Link: https://otx.alienvault.com/pulse/69f342059da1410582479c7c
Pulse Author: CyberHunter_NL
Created: 2026-04-30 11:50:29
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #InfoSec #Mac #Malware #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #Trojan #bot #CyberHunter_NL
-
Threat Spotlight: An In-Depth Analysis of Novel KarstoRAT Malware
Remote access trojans (RATs) remain one of the most common tools used by attackers to maintain persistent access to compromised systems. Unlike simple information stealers, RATs allow operators to fully control infected machines, monitor user activity, collect sensitive data, and deploy additional payloads when needed. In recent years, many new RAT families have emerged that combine surveillance capabilities, credential theft, and remote command execution within lightweight and flexible frameworks.
Pulse ID: 69f34205f24069b265ccf570
Pulse Link: https://otx.alienvault.com/pulse/69f34205f24069b265ccf570
Pulse Author: CyberHunter_NL
Created: 2026-04-30 11:50:29
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #InfoSec #Mac #Malware #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #Trojan #bot #CyberHunter_NL
-
Threat Spotlight: An In-Depth Analysis of Novel KarstoRAT Malware
Remote access trojans (RATs) remain one of the most common tools used by attackers to maintain persistent access to compromised systems. Unlike simple information stealers, RATs allow operators to fully control infected machines, monitor user activity, collect sensitive data, and deploy additional payloads when needed. In recent years, many new RAT families have emerged that combine surveillance capabilities, credential theft, and remote command execution within lightweight and flexible frameworks.
Pulse ID: 69f342068865d55a5846d71b
Pulse Link: https://otx.alienvault.com/pulse/69f342068865d55a5846d71b
Pulse Author: CyberHunter_NL
Created: 2026-04-30 11:50:30
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #InfoSec #Mac #Malware #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #Trojan #bot #CyberHunter_NL
-
Rebex-based Telegram RAT Targeting Vietnam
A sophisticated CHM-based malware campaign has been identified targeting Vietnamese victims through a trojanized CV document. The infection chain utilizes a compiled HTML file that deploys a multi-stage payload delivery mechanism involving Python interpreters, C++ DLLs, and layered XOR encryption. The malware establishes persistence through Shell hijacking and scheduled tasks, ultimately delivering a weaponized version of Rebex.Common.dll functioning as a Telegram-based remote access trojan. The RAT communicates via Telegram bot API, supporting commands for file download, token swapping, and arbitrary command execution. The infection demonstrates characteristics typical of targeted state-sponsored activity rather than opportunistic cybercrime, employing techniques historically associated with advanced threat actors operating in the Southeast Asian region.
Pulse ID: 69f1d26f3c7a8e098eccb448
Pulse Link: https://otx.alienvault.com/pulse/69f1d26f3c7a8e098eccb448
Pulse Author: AlienVault
Created: 2026-04-29 09:42:07
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Asia #CyberCrime #CyberSecurity #Encryption #HTML #ICS #InfoSec #Malware #OTX #OpenThreatExchange #Python #RAT #RemoteAccessTrojan #Telegram #Trojan #Vietnam #bot #AlienVault
-
MiningDropper Android Malware Framework Spreads Infostealers, RATs and Banking Malware
Mining Dropper is an Android malware delivery framework used to mine cryptocurrency and to distribute infostealers, Remote Access Trojans and banking malware.
Pulse ID: 69f10f6fb0cd7c248d2f4267
Pulse Link: https://otx.alienvault.com/pulse/69f10f6fb0cd7c248d2f4267
Pulse Author: cryptocti
Created: 2026-04-28 19:50:07
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Android #Bank #CyberSecurity #InfoSec #InfoStealer #Malware #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #Trojan #bot #cryptocurrency #cryptocti
-
Not Just Annoying Ads: Adware Bundles Delivering Gh0st RAT
A sophisticated malware campaign is distributing both Gh0st Remote Access Trojan and CloverPlus adware simultaneously through obfuscated loaders. The loader drops encrypted payloads from its resource section, with one being adware and another a Gh0st RAT DLL module executed via rundll32.exe. The RAT employs multiple persistence mechanisms including registry run keys, Windows services, and Remote Access service manipulation. It features capabilities for token manipulation, DNS hijacking, keylogging targeting RDP sessions, system reconnaissance, and dead drop resolver techniques for C2 communication. The malware specifically targets security tools by blocking antivirus domains through DNS spoofing and hosts file modification. This dual-payload approach provides attackers with long-term system access while generating immediate profit through adware monetization.
Pulse ID: 69e2bfe25244c3e0bc4404f9
Pulse Link: https://otx.alienvault.com/pulse/69e2bfe25244c3e0bc4404f9
Pulse Author: AlienVault
Created: 2026-04-17 23:18:58
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #DNS #InfoSec #Malware #OTX #OpenThreatExchange #RAT #RCE #RDP #RemoteAccessTrojan #SMS #Trojan #Windows #bot #AlienVault
-
March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, Interlock Ransomware Group Exploits Cisco FMC Zero-Day
In March 2026, 31 high-impact vulnerabilities were identified requiring prioritization for remediation, with 29 receiving Very Critical Risk Scores. Affected vendors included Cisco, Microsoft, Google, ConnectWise, and others, with Microsoft and Apple accounting for approximately 32% of vulnerabilities. Notably, the Interlock Ransomware Group exploited CVE-2026-20131, a zero-day deserialization vulnerability in Cisco Secure Firewall Management Center, as early as January 2026 to compromise enterprise networks. The group deployed custom remote access trojans and facilitated ransomware operations through crafted HTTP requests executing arbitrary Java code as root. Additional campaigns involved the DarkSword iOS exploit kit delivering GHOSTKNIFE, GHOSTSABER, and GHOSTBLADE payloads, and the Coruna exploit kit deploying PlasmaLoader malware. Nine vulnerabilities enabled remote code execution across multiple platforms. One vulnerability dated back nine years, emphasizing continued exploitation of legacy unpatched
Pulse ID: 69de0077cbff2dc8d99b17ff
Pulse Link: https://otx.alienvault.com/pulse/69de0077cbff2dc8d99b17ff
Pulse Author: AlienVault
Created: 2026-04-14 08:53:11
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Cisco #ConnectWise #CyberSecurity #Google #HTTP #InfoSec #Java #Malware #Microsoft #OTX #OpenThreatExchange #RAT #RansomWare #RemoteAccessTrojan #RemoteCodeExecution #Trojan #Vulnerability #Word #ZeroDay #bot #iOS #AlienVault
-
Re: Axios remote access trojan (RAT)
https://github.com/axios/axios/issues/10636
Luckily I don't use npm much (only #Indiekit) and it wasn't the malicious v1.14.1 or v0.30.4, it was v1.13.2.
Check with `npm list axios` in your /node_modules folder. I also ran `find ~ -type d -path "*/node_modules/plain-crypto-js" 2>/dev/null` to see if the RAT is found anywhere on my Mac. 🤞 Luckily nothing. Scary! Read the full post mortem report above!
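As an added example (not part of the post above, and not taken from the linked GitHub issue), the following POSIX shell script performs the two checks the post describes in one pass: it lists every installed copy of axios under a directory tree with its version, flags the two versions the post names (v1.14.1 and v0.30.4), and flags any `node_modules/plain-crypto-js` directory. The version list is taken from the post; the sample project tree built under `mktemp -d` is constructed purely for the demonstration, so nothing on the real filesystem is touched.

```shell
#!/bin/sh
# Added example: audit a directory tree for the axios versions and the
# plain-crypto-js directory named in the post. Version numbers are from the
# post; the sample tree is constructed here for demonstration only.

BAD_AXIOS_VERSIONS="1.14.1 0.30.4"

# Print "<path> <version>" for every installed axios copy under $1.
# The version is read from package.json without needing npm to be present.
list_axios_versions() {
  find "$1" -type d -path '*/node_modules/axios' 2>/dev/null | while read -r dir; do
    ver=$(sed -n 's/.*"version":[[:space:]]*"\([^"]*\)".*/\1/p' "$dir/package.json" 2>/dev/null | head -n 1)
    printf '%s %s\n' "$dir" "${ver:-unknown}"
  done
}

# Print one line per indicator found under $1 (nothing if the tree is clean).
find_axios_indicators() {
  # Installed axios copies at one of the listed versions.
  list_axios_versions "$1" | while read -r path ver; do
    for bad in $BAD_AXIOS_VERSIONS; do
      [ "$ver" = "$bad" ] && printf 'axios %s at %s\n' "$ver" "$path"
    done
  done
  # Any plain-crypto-js directory, the same check the post ran with find.
  find "$1" -type d -path '*/node_modules/plain-crypto-js' 2>/dev/null | sed 's/^/plain-crypto-js at /'
}

# Return 0 when no indicator is present, 1 (after printing the findings) otherwise.
audit_node_modules() {
  findings=$(find_axios_indicators "$1")
  if [ -n "$findings" ]; then
    printf '%s\n' "$findings"
    return 1
  fi
  return 0
}

# Build a constructed sample tree: one clean project (axios 1.13.2, as in the
# post) and one with a listed version plus a plain-crypto-js directory.
make_sample_tree() {
  base=$(mktemp -d)
  mkdir -p "$base/clean/node_modules/axios" \
           "$base/infected/node_modules/axios" \
           "$base/infected/node_modules/plain-crypto-js"
  printf '{ "name": "axios", "version": "1.13.2" }\n' > "$base/clean/node_modules/axios/package.json"
  printf '{ "name": "axios", "version": "1.14.1" }\n' > "$base/infected/node_modules/axios/package.json"
  printf '%s\n' "$base"
}

# Demonstration on the constructed tree.
SAMPLE_ROOT=$(make_sample_tree)
for project in clean infected; do
  if audit_node_modules "$SAMPLE_ROOT/$project"; then
    echo "$project: no indicators"
  else
    echo "$project: indicators found (listed above)"
  fi
done
rm -rf "$SAMPLE_ROOT"
```

To audit a real machine, source the script and call `audit_node_modules ~` (or the project directory); a non-zero return means at least one indicator was printed. Reading the version from `package.json` rather than from `npm list` means nested copies installed by other packages are covered too, which is where an unexpected version is most likely to hide.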
-
Fake Booking.com emails and BSODs used to infect hospitality staff https://www.helpnetsecurity.com/2026/01/07/fake-booking-com-emails-bsod-hospitality/ #hospitalityindustry #remoteaccesstrojan #socialengineering #Don'tmiss #Securonix #Hotstuff #phishing #malware #Europe #News
-
New Polymorphic Malware Undetected by Security Tools https://thecyberexpress.com/polymorphic-malware-undetected-by-security/ #TheCyberExpressNews #polymorphicmalware #remoteaccesstrojan #ThreatIntelligence #screenrecordings #TheCyberExpress #FirewallDaily #Pythonmalware #cryptomining #CyberThreats #CyberNews #keylogger #malware #XWorm
-
Developers Beware Of Malicious npm Package That Delivers Sophisticated RAT https://gbhackers.com/developers-beware-malicious-npm-package-rat/ #VulnerabilityAnalysis #RemoteAccessTrojan #cybersecurity #npmPackage #Malware