backdoor Archives

Winsage

June 10, 2025

APT Hackers Exploited WebDAV 0-Day RCE Vulnerability in the Wild to Deploy Malware

A cyberattack campaign by the advanced persistent threat group Stealth Falcon targeted a prominent Turkish defense company using a zero-day vulnerability identified as CVE-2025-33053. This vulnerability allowed attackers to manipulate the working directory of legitimate Windows tools to execute malware from their WebDAV servers. The attack was initiated through a spear-phishing email containing a malicious .url file that directed the system to a legitimate Internet Explorer utility, which was then exploited to execute malicious files. The attackers employed process hollowing to bypass traditional defenses. Stealth Falcon, also known as FruityArmor, has been conducting cyber espionage since at least 2012, targeting government and defense sectors in Turkey, Qatar, Egypt, and Yemen. The attack involved a multi-stage infection chain leading to the deployment of "Horus Agent," a custom implant designed for advanced reconnaissance and equipped with anti-analysis techniques. Researchers identified additional custom tools used by Stealth Falcon, including a DC Credential Dumper and a custom keylogger. The group utilizes repurposed legitimate domains to blend their infrastructure with legitimate traffic, complicating detection efforts.

Tech Optimizer

June 9, 2025

Cryptostealing Malware Found in Printer Software Highlights Growing Supply Chain Threat

A cybersecurity incident involving Procolored printers revealed vulnerabilities in everyday hardware, as users may have downloaded malware capable of stealing cryptocurrencies like Bitcoin. Tech content creator Cameron Coward reported an antivirus alert linked to Procolored printer software, prompting an investigation by G Data researchers who found malicious code in installation files on the manufacturer's website. The identified threats included a remote access tool (Win32.Backdoor.XRedRAT.A) and a cryptocurrency wallet stealer (MSIL.Trojan-Stealer.CoinStealer.H). Compromised files were last updated in October 2024 and distributed through official channels. The company initially denied the issue but later removed the downloads from their website in May 2025 and acknowledged the malware might have been introduced via USB transfers. An analysis of an attacker’s wallet showed a total of 9.3 BTC accumulated across 330 transactions before it was emptied. Cybersecurity experts recommend that users conduct antivirus scans and consider reformatting drives and reinstalling operating systems if infections are suspected.

Tech Optimizer

June 5, 2025

CISA releases TTPs & IoCs for Play Ransomware That Hacked 900+ Orgs

The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the FBI and the Australian Cyber Security Centre, released an advisory on the Play ransomware group, which has targeted around 900 entities since its inception in June 2022. The group employs a double extortion model, exploiting vulnerabilities in public-facing applications and using tools for lateral movement and credential dumping. Their operations involve recompiling ransomware binaries for each attack to evade detection. The advisory highlights mitigation measures such as multifactor authentication and regular software patching. The Play ransomware specifically targets virtual environments and encrypts files using AES-256 encryption. Indicators of Compromise (IoCs) include: - SVCHost.dll (Backdoor) - SHA-256: 47B7B2DD88959CD7224A5542AE8D5BCE928BFC986BF0D0321532A7515C244A1E - Backdoor - SHA-256: 75B525B220169F07AECFB3B1991702FBD9A1E170CAF0040D1FCB07C3E819F54A - PSexesvc.exe (Custom Play “psexesvc”) - SHA-256: 1409E010675BF4A40DB0A845B60DB3AAE5B302834E80ADEEC884AEBC55ECCBF7 - HRsword.exe (Disables endpoint protection) - SHA-256: 0E408AED1ACF902A9F97ABF71CF0DD354024109C5D52A79054C421BE35D93549 - Hi.exe (Associated with ransomware) - SHA-256: 6DE8DD5757F9A3AC5E2AC28E8A77682D7A29BE25C106F785A061DCF582A20DC6

AppWizard

June 3, 2025

Facebook, Yandex Apps Secretly Track Users Via Hidden Ports, Research Claims

Recent findings from IMDEA Networks Institute indicate that Facebook and Instagram apps have been tracking Android users' web browsing activities without consent, bypassing privacy controls and functioning even in incognito mode. This tracking affects millions of websites using Meta's tracking code. Yandex has employed similar tracking techniques since 2017, creating a cross-platform surveillance network. The tracking exploits Android’s permission system by establishing background services that listen on network ports, allowing the apps to capture browsing data and associate it with users' accounts. Meta's pixel is present on about 5.8 million websites, while Yandex Metrica is on around 3 million sites, potentially impacting billions of users. Approximately 78% of sites with Meta’s pixel and 84% of Yandex's sites attempted localhost communications without user consent. This tracking method operates at the operating system level, unaffected by cookie clearing, incognito modes, or privacy settings. Researchers have demonstrated that malicious apps could exploit this technique to gather users' browsing histories. Many website operators were unaware of these localhost communications, leading to confusion and complaints. In response, major browser vendors are implementing measures to block these tracking methods. Meta ceased this tracking on June 3rd, coinciding with the research's public release. The research highlights a significant security gap in mobile platforms regarding localhost communications, emphasizing the need for stricter policies and vetting processes.

Tech Optimizer

May 23, 2025

Hackers Exploit PyBitmessage Library to Evade Antivirus and Network Security Detection

The AhnLab Security Intelligence Center (ASEC) has identified a new strain of backdoor malware that works with a Monero coin miner, utilizing the PyBitmessage library for covert P2P communications. This malware uses encryption to secure data exchanges and anonymize identities, complicating detection by security tools. It decrypts resources using XOR operations to deploy a Monero miner and a backdoor component. The Monero miner exploits the cryptocurrency's anonymity, while the backdoor, created with PowerShell, installs PyBitmessage and retrieves files from GitHub or a Russian file-sharing platform. Commands are executed as PowerShell scripts, making detection difficult. The malware may be distributed as legitimate software or cracked files. ASEC advises caution with unverified files and recommends keeping security solutions updated. Indicators of Compromise (IOCs): - MD5: 17909a3f757b4b31ab6cd91b3117ec50 - MD5: 29d43ebc516dd66f2151da9472959890 - MD5: 36235f722c0f3c71b25bcd9f98b7e7f0 - MD5: 498c89a2c40a42138da00c987cf89388 - MD5: 604b3c0c3ce5e6bd5900ceca07d587b9 - URLs: - http://krb.miner.rocks:4444/ - http://krb.sberex.com:3333/ - http://pool.karbowanec.com:3333/ - http://pool.supportxmr.com:3333/ - https://spac1.com/files/view/bitmessage-6-3-2-80507747/

Tech Optimizer

May 20, 2025

Bitcoin stealer malware found in official printer drivers

Procolored, a printer manufacturer based in Shenzhen, has been accused of distributing malware designed to steal Bitcoin through its printer drivers. The malware, embedded in USB drivers, has reportedly stolen approximately 9.3 BTC, valued at over 3,000. A backdoor program in the compromised drivers can hijack wallet addresses copied to the clipboard. Users are advised to conduct system scans and consider a complete system reset. The issue was first highlighted by YouTuber Cameron Coward, whose antivirus software flagged the malware. Procolored denied the allegations but later acknowledged the problem, stating they removed the infected drivers and attributed the malware to a supply chain compromise. Cybersecurity firm G-Data confirmed the presence of two types of malware in the drivers.

AppWizard

May 14, 2025

Marbled Dust leverages zero-day in Output Messenger for regional espionage

Since April 2024, the threat actor Marbled Dust has been exploiting a zero-day vulnerability (CVE-2025-27920) in the Output Messenger chat application, targeting user accounts that have not applied necessary fixes. This exploitation has resulted in the collection of sensitive data from users in Iraq, specifically linked to the Kurdish military. Microsoft has high confidence in this assessment and notes that Marbled Dust conducts reconnaissance to identify potential targets using Output Messenger. Marbled Dust has successfully utilized this vulnerability to deploy malicious files and exfiltrate data. Microsoft notified the application’s developer, Srimax, about the vulnerability, leading to the release of a software update. A second vulnerability (CVE-2025-27921) was also found, but no exploitation of this second flaw has been observed. The zero-day vulnerability allows an authenticated user to upload malicious files to the server's startup directory. Marbled Dust has exploited this flaw to place a backdoor file, OMServerService.vbs, in the startup folder, enabling them to access communications and sensitive data indiscriminately. The attack chain begins with Marbled Dust gaining access to the Output Messenger Server Manager, likely through DNS hijacking or other credential interception techniques. Once inside, they exploit the vulnerability to drop malicious files, including a GoLang backdoor, which connects to a Marbled Dust command-and-control domain for data exfiltration. To mitigate this threat, Microsoft recommends updating to the latest version of Output Messenger, activating various security protections, and implementing rigorous vulnerability management strategies. Microsoft Defender XDR customers can identify potential threat activity through specific alerts related to Marbled Dust and utilize advanced hunting queries for detection. Indicators of compromise include traffic to the domain api.wordinfos[.]com, associated with Marbled Dust activities.

AppWizard

May 13, 2025

Turkish spies caught exploiting zero-day for over a year

Microsoft reported that Turkish espionage operatives have been exploiting a zero-day vulnerability (CVE-2025-27920) in the Output Messenger app to gather intelligence on the Kurdish military in Iraq. This operation, attributed to the group Marbled Dust, began in April 2024. The vulnerability is a directory traversal flaw in version 2.0.62 of the app, and many users have not yet updated to the patched version released in December. Marbled Dust has used this flaw to access sensitive user data and deploy malicious files within the Output Messenger server. The group has a history of targeting entities opposing Turkish interests and has evolved its tactics by leveraging this vulnerability for unauthorized access. Srimax and Microsoft are advising users to upgrade to version V2.0.63 to mitigate the risks associated with the exploit.

Winsage

May 7, 2025

Play ransomware exploited Windows logging flaw in zero-day attacks

The Play ransomware gang exploited a critical vulnerability in the Windows Common Log File System, identified as CVE-2025-29824, to execute zero-day attacks, gaining SYSTEM privileges and deploying malware. Microsoft recognized this flaw and issued a patch during last month's Patch Tuesday. The gang targeted sectors including IT and real estate in the U.S., the financial sector in Venezuela, a Spanish software company, and retail in Saudi Arabia. They used the PipeMagic backdoor malware to deploy the CVE-2025-29824 exploit and install ransomware payloads. Symantec's Threat Hunter Team linked these activities to the Play ransomware-as-a-service operation, noting the use of the Grixba infostealer tool. The Play ransomware group, active since at least June 2022, employs double-extortion tactics and has compromised approximately 300 organizations globally as of October 2023. Notable victims include Rackspace, Arnold Clark, the City of Oakland, Dallas County, Antwerp, and Microchip Technology.

Winsage

May 7, 2025

Microsoft has no plans to fix Windows RDP bug that lets you log in with old passwords

Microsoft has decided not to address a significant security flaw in the Windows Remote Desktop Protocol (RDP) that allows users to log in with outdated, cached passwords, even after those passwords have been changed. The company claims this behavior is intentional, designed to prevent users from being locked out of their machines. Microsoft does not consider this a security vulnerability, despite concerns that it creates a potential backdoor for unauthorized access. The issue has been known to Microsoft since at least August 2023, but they chose not to modify the functionality due to compatibility concerns with existing applications.