attack campaigns

Tech Optimizer
November 13, 2025
Cybersecurity researchers at AhnLab Security Intelligence Center (ASEC) have discovered an attack campaign that abuses legitimate Remote Monitoring and Management (RMM) tools, specifically LogMeIn Resolve and PDQ Connect, to deploy backdoor malware on victims' systems. Attackers lure victims to fake download sites that mimic the official pages of utilities such as Notepad++, 7-Zip, and VLC Media Player, and serve modified LogMeIn Resolve installers in their place. The malicious installers carry lure filenames such as "notepad++.exe" and "chatgpt.exe"; because the RMM binary itself is legitimate and validly signed, the mismatch between the filename and the signer is the tell, not the signature check. Once executed, these files install the RMM tool and additional malware capable of stealing sensitive information. ASEC has identified three CompanyId values (the account identifier the installer embeds so that the agent enrolls under the attacker-controlled LogMeIn Resolve account) associated with the attacks: 8347338797131280000, 1995653637248070000, and 4586548334491120000. The follow-on malware, known as PatoRAT, is a Delphi-developed backdoor that gathers system information and has extensive capabilities, including keylogging and remote desktop access. Users are advised to download software only from official websites and to check that the digital signer matches the expected vendor, while organizations should monitor for unauthorized RMM installations and for the identified indicators of compromise.
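One way to turn the indicators above into a triage check over process-creation telemetry, as an added example that is not ASEC's tooling or code from the original item: the three CompanyId values come from the text, but the event records are constructed, and the signer strings, expected installer file names and approved-host list are placeholders to be replaced with values from your own environment (take the real signer names from a known-good installer's Authenticode signature).

```python
"""Triage process-creation events for the renamed-RMM-installer pattern.
Added example: events are constructed; signer names, expected installer
names and the approved-host list are placeholders, not vendor facts."""
from pathlib import PureWindowsPath

# CompanyId indicators reported by ASEC for this campaign.
MALICIOUS_COMPANY_IDS = {"8347338797131280000", "1995653637248070000", "4586548334491120000"}

# Placeholder Authenticode signer -> product map (assumed values; replace with the
# subject names seen on your own known-good installers).
RMM_SIGNERS = {
    "GoTo Technologies USA, LLC": "LogMeIn Resolve",
    "PDQ.com Corporation": "PDQ Connect",
}

# File names the legitimate installers are expected to carry (assumed values).
EXPECTED_RMM_NAMES = {
    "LogMeIn Resolve": {"resolve.exe", "logmeinresolve.exe"},
    "PDQ Connect": {"pdqconnectagent.exe", "pdq-connect-agent.exe"},
}

# Hosts where an RMM agent is sanctioned (constructed; normally fed from the CMDB).
APPROVED_RMM_HOSTS = {"HELPDESK-01"}


def analyse(event: dict) -> list[str]:
    """Return the reasons an event is suspicious (empty list means nothing noted).

    event keys: id, host, image (full Windows path), signer (Authenticode subject
    or ""), cmdline.
    """
    findings = []
    name = PureWindowsPath(event["image"]).name.lower()
    cmdline = event.get("cmdline", "")

    # 1. Known-bad CompanyId embedded in the installer command line / config.
    hit = sorted(cid for cid in MALICIOUS_COMPANY_IDS if cid in cmdline)
    if hit:
        findings.append(f"known malicious CompanyId {hit}")

    product = RMM_SIGNERS.get(event.get("signer", ""))
    if product:
        # 2. A validly signed RMM binary running under a lure name: the signature is
        #    genuine, so a signature check alone passes; the name mismatch is the signal.
        if name not in EXPECTED_RMM_NAMES[product]:
            findings.append(f"{product} binary running as {name!r}")
        # 3. RMM agent on a host that has no business running one.
        if event["host"].upper() not in APPROVED_RMM_HOSTS:
            findings.append(f"{product} installed on unapproved host {event['host']}")
    return findings


def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map event id -> findings for every event with at least one finding."""
    return {e["id"]: f for e in events if (f := analyse(e))}


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"id": "e1", "host": "WS-017", "image": r"C:\Users\bob\Downloads\notepad++.exe",
     "signer": "GoTo Technologies USA, LLC",
     "cmdline": r'"C:\Users\bob\Downloads\notepad++.exe" /companyid=8347338797131280000'},
    {"id": "e2", "host": "HELPDESK-01", "image": r"C:\Program Files\LogMeIn Resolve\resolve.exe",
     "signer": "GoTo Technologies USA, LLC", "cmdline": "resolve.exe --service"},
    {"id": "e3", "host": "WS-042", "image": r"C:\Program Files\PDQ\pdqconnectagent.exe",
     "signer": "PDQ.com Corporation", "cmdline": "pdqconnectagent.exe"},
    {"id": "e4", "host": "WS-017", "image": r"C:\Users\bob\Downloads\notepad++.exe",
     "signer": "Notepad++", "cmdline": r'"C:\Users\bob\Downloads\notepad++.exe"'},
]

if __name__ == "__main__":
    for eid, reasons in scan(SAMPLE_EVENTS).items():
        print(eid, "->", "; ".join(reasons))
```

The point of rule 2 is the one the advice "verify digital signatures" can miss: the lure file passes signature validation because it really is the vendor's installer, so the detection has to key on where and under what name a validly signed RMM binary appears, and on whether the host is one where an RMM agent is expected at all.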
Tech Optimizer
September 22, 2025
Cybersecurity researchers have identified a Remote Access Trojan (RAT) being marketed as a fully undetectable alternative to the legitimate ScreenConnect remote access solution. The malware sidesteps download warnings from Google Chrome and Windows SmartScreen by being signed with valid Extended Validation (EV) code-signing certificates, which makes it appear legitimate to reputation-based checks. It is backed by an evasion toolkit of anti-bot mechanisms and cloaked landing pages that show automated security scanners harmless content while serving the payload to real visitors. It uses fileless execution via PowerShell commands, so little is written to disk for traditional file-based detection to find. Once installed, the malware gives attackers real-time control over compromised systems, including data exfiltration and system manipulation. The sellers' approach reflects a mature cybercrime-as-a-service model: the tool is marketed as a "FUD loader" for establishing persistent access before secondary payloads are deployed. The campaign illustrates a growing focus on exploiting user trust in legitimate brands and on undermining security technologies, in particular through the use of valid EV certificates. Security professionals should expect more brand impersonation and more evasion of this kind.
Winsage
April 17, 2025
CVE-2025-24054 is a vulnerability that lets attackers capture NTLMv2-SSP hashes from a victim's machine by causing it to authenticate to an attacker-controlled SMB server; the captured Net-NTLMv2 responses can then be cracked offline or relayed. Active exploitation has been observed since March 19, 2025, targeting government and private-sector organizations in Poland and Romania. The attacks use phishing emails that lead victims to download an archive containing files crafted to trigger the NTLMv2-SSP hash leak. Microsoft has released patches for this vulnerability; users on older, unsupported Windows versions may need to consider third-party micropatching.
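To make concrete what "capturing an NTLMv2-SSP hash" means on the wire, here is an added example (not code from the original item, from Microsoft, or from the researchers) that parses an NTLMSSP CHALLENGE_MESSAGE and AUTHENTICATE_MESSAGE pair and assembles the NetNTLMv2 line an attacker-controlled SMB server would hand to a cracker, plus the egress check that catches the leak leaving the network. The message bytes, flag values, user and domain are all constructed for the example; the field offsets follow the MS-NLMP message layouts.

```python
"""Parse an NTLM (NTLMSSP) challenge/authenticate exchange and show what an
attacker-controlled SMB server captures: the client's NTLMv2 response, ready
for offline cracking. Constructed sample messages, not traffic from the
reported campaign."""
import struct
from ipaddress import ip_address

NTLMSSP = b"NTLMSSP\x00"


def _field(data: bytes, off: int) -> bytes:
    """Resolve an NTLM Len/MaxLen/BufferOffset triple to the bytes it points at."""
    length, _maxlen, pos = struct.unpack_from("<HHI", data, off)
    return data[pos:pos + length]


def parse_challenge(msg: bytes) -> bytes:
    """Return the 8-byte ServerChallenge from a CHALLENGE_MESSAGE (type 2).
    Layout (MS-NLMP 2.2.1.2): Signature[0:8], MessageType[8:12],
    TargetNameFields[12:20], NegotiateFlags[20:24], ServerChallenge[24:32]."""
    if msg[:8] != NTLMSSP or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    return msg[24:32]


def parse_authenticate(msg: bytes) -> dict:
    """Extract domain, user and the NTLMv2 response from an AUTHENTICATE_MESSAGE (type 3).
    Layout (MS-NLMP 2.2.1.3): LmChallengeResponseFields[12:20],
    NtChallengeResponseFields[20:28], DomainNameFields[28:36], UserNameFields[36:44]."""
    if msg[:8] != NTLMSSP or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    nt_resp = _field(msg, 20)
    if len(nt_resp) <= 24:
        # A 24-byte NT response is NTLMv1; NTLMv2 is NTProofStr (16) + client blob.
        raise ValueError("NTLMv1 response; NTLMv2 expected")
    return {
        "domain": _field(msg, 28).decode("utf-16-le"),
        "user": _field(msg, 36).decode("utf-16-le"),
        "nt_proof": nt_resp[:16],
        "blob": nt_resp[16:],
    }


def net_ntlmv2_line(challenge_msg: bytes, auth_msg: bytes) -> str:
    """Format the captured exchange as the common NetNTLMv2 crack line
    (user::domain:serverchallenge:ntproofstr:blob, hashcat mode 5600)."""
    challenge = parse_challenge(challenge_msg)
    a = parse_authenticate(auth_msg)
    return f"{a['user']}::{a['domain']}:{challenge.hex()}:{a['nt_proof'].hex()}:{a['blob'].hex()}"


def outbound_smb_to_internet(dst_ip: str, dst_port: int) -> bool:
    """Egress check: SMB/NetBIOS to a non-private address is how the leak leaves the
    network; blocking or alerting on it is the standard network-side mitigation."""
    return dst_port in (445, 139) and not ip_address(dst_ip).is_private


# ---- Constructed sample exchange (not real captured traffic) ----
def build_challenge(server_challenge: bytes, target: str = "CORP") -> bytes:
    t = target.encode("utf-16-le")
    fixed = (struct.pack("<HHI", len(t), len(t), 56)   # TargetNameFields -> payload at 56
             + struct.pack("<I", 0x62898215)           # NegotiateFlags (arbitrary set)
             + server_challenge + b"\x00" * 8          # ServerChallenge, Reserved
             + struct.pack("<HHI", 0, 0, 56 + len(t))  # TargetInfoFields (empty)
             + b"\x00" * 8)                            # Version
    return NTLMSSP + struct.pack("<I", 2) + fixed + t


def build_authenticate(user: str, domain: str, nt_response: bytes) -> bytes:
    blobs = [b"\x00" * 24,                      # LmChallengeResponse (null)
             nt_response,                       # NtChallengeResponse (NTLMv2)
             domain.encode("utf-16-le"),
             user.encode("utf-16-le"),
             "WS01".encode("utf-16-le"),        # Workstation
             b""]                               # EncryptedRandomSessionKey
    header_len = 88  # 12 + six field triples (48) + flags (4) + Version (8) + MIC (16)
    fields, payload = b"", b""
    for b in blobs:
        fields += struct.pack("<HHI", len(b), len(b), header_len + len(payload))
        payload += b
    return (NTLMSSP + struct.pack("<I", 3) + fields
            + struct.pack("<I", 0x62088215) + b"\x00" * 8 + b"\x00" * 16 + payload)


SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
NT_PROOF = bytes.fromhex("00112233445566778899aabbccddeeff")
# NTLMv2_CLIENT_CHALLENGE: RespType/HiRespType/Reserved, Timestamp, ClientChallenge,
# Reserved, AvPairs (just MsvAvEOL), Reserved.
CLIENT_BLOB = (bytes.fromhex("0101000000000000") + bytes.fromhex("00d0f3c1a1c1db01")
               + bytes.fromhex("a1b2c3d4e5f60718") + b"\x00" * 4 + b"\x00" * 4 + b"\x00" * 4)
SAMPLE_CHALLENGE = build_challenge(SERVER_CHALLENGE)
SAMPLE_AUTH = build_authenticate("alice", "CORP", NT_PROOF + CLIENT_BLOB)

if __name__ == "__main__":
    print(net_ntlmv2_line(SAMPLE_CHALLENGE, SAMPLE_AUTH))
    print(outbound_smb_to_internet("93.184.216.34", 445), outbound_smb_to_internet("10.0.0.5", 445))
```

Nothing in the exchange is the user's password: NTProofStr is an HMAC over the server challenge and client blob keyed with the NT hash, so it is what a cracker brute-forces, and the same response can instead be relayed to another service. That is why the network-side check matters even after patching: any client that still speaks SMB to arbitrary Internet hosts will leak a response the next time a similar bug appears.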
Winsage
April 9, 2025
A zero-day vulnerability in the Windows Common Log File System (CLFS) driver, tracked as CVE-2025-29824, is being actively exploited to elevate privileges to SYSTEM. The flaw is a use-after-free in the CLFS driver that lets a local attacker who can already run code on the machine execute it with kernel-level privileges. Microsoft is aware of the exploitation and is preparing a security update, but at the time of writing no patch was yet available for the affected Windows 10 builds. The vulnerability affects multiple versions of Windows 10, on both x64 and 32-bit systems, and can lead to privilege escalation, data breaches, operational disruption, and malware deployment. Microsoft has rated the vulnerability "Important" and urges organizations to apply the patch promptly once it is released.
AppWizard
July 18, 2024
The CapraRAT spyware campaigns were documented by SentinelOne in September 2023 under the name CapraTube. The spyware is disguised as popular Android apps such as YouTube and can access sensitive data including call logs, messages, and location. It can also record audio or video, take screenshots, and place phone calls. The level of effort invested by the threat actors reflects the growing sophistication of mobile cyber-espionage tooling.