backdoor Archives

Tech Optimizer

December 3, 2025

Fileless protection explained: Blocking the invisible threat others miss

Fileless malware operates within a computer's active memory, avoiding detection by traditional antivirus solutions that rely on file scanning. It uses legitimate tools like PowerShell to execute harmful commands without creating files, making it difficult to identify. Cybercriminals can use fileless malware for various malicious activities, including data theft and cryptocurrency mining. Malwarebytes combats fileless attacks through two defense layers: Script Monitoring, which intercepts potentially dangerous scripts at execution, and Command-Line Protection, which scrutinizes command-line tools for suspicious activities. Examples of fileless attacks include malicious email attachments activating PowerShell to download ransomware, hidden JavaScript on websites mining cryptocurrency, and attackers using Windows Management Instrumentation (WMI) to create backdoors. Malwarebytes' Fileless Protection operates automatically in the background, ensuring legitimate applications function normally while monitoring for threats. It is part of a comprehensive security framework that includes machine-learning detection and web protection, designed to stop attacks that do not write files. This protection is included with Malwarebytes Premium, aimed at safeguarding personal and small business systems.

Tech Optimizer

November 13, 2025

Hackers Using RMM Tools LogMeIn and PDQ Connect to Deploy Malware as Legitimate Software

Cybersecurity researchers at AhnLab Security Intelligence Center (ASEC) have discovered an attack campaign that uses legitimate Remote Monitoring and Management (RMM) tools, specifically LogMeIn Resolve and PDQ Connect, to deploy backdoor malware on users' systems. Attackers lure victims to fake download sites that mimic legitimate software pages for utilities like Notepad++, 7-Zip, and VLC Media Player, delivering modified versions of LogMeIn Resolve. The malicious installers are disguised with filenames such as "notepad++.exe" and "chatgpt.exe." Once executed, these files install the RMM tool and additional malware capable of stealing sensitive information. ASEC has identified three CompanyId values associated with the attacks: 8347338797131280000, 1995653637248070000, and 4586548334491120000. The malware, known as PatoRAT, is a Delphi-developed backdoor that gathers system information and has extensive malicious capabilities, including keylogging and remote desktop access. Users are advised to download software only from official websites and verify digital signatures, while organizations should monitor for unauthorized RMM installations and the identified indicators of compromise.

AppWizard

November 5, 2025

Beware: 239 Dangerous Android Apps Found on Google Play with 40M+ Installs

Cybersecurity threats targeting mobile devices and critical infrastructure have significantly increased, with Zscaler's research revealing that 239 malicious Android applications on the Google Play Store have been downloaded 42 million times. The energy sector has experienced a 387% rise in cyberattacks compared to the previous year. Malicious applications often disguise themselves as legitimate tools, exploiting user trust, especially in hybrid and remote work environments. There has been a 67% year-over-year increase in Android malware transactions, with spyware and banking malware posing significant risks. The manufacturing and transportation sectors accounted for 20.2% of all observed IoT malware attacks, with a shift in focus from manufacturing to include transportation. Approximately 40% of blocked transactions were linked to the Mirai malware family, while Mozi has become the second most prevalent. Geographically, India is the top target for mobile attacks (26%), followed by the United States (15%) and Canada (14%). The U.S. also leads in IoT malware incidents at 54%. New threats include Android Void malware, affecting 1.6 million Android TV boxes, and Xnotice, a Remote Access Trojan targeting job seekers in the oil and gas industry. Adware now represents 69% of mobile threats, surpassing the Joker malware family.

AppWizard

November 4, 2025

Malicious Android apps on Google Play downloaded 42 million times

The Android ecosystem has seen a significant rise in malicious applications, with over 40 million harmful apps downloaded from Google Play between June 2024 and May 2025. There has been a 67% year-over-year increase in malware targeting mobile devices, particularly spyware and banking trojans. Cybercriminals are shifting tactics from card fraud to mobile payment exploitation, employing phishing, smishing, SIM-swapping, and payment scams. Banking malware transactions reached 4.89 million in 2025, with a slowed growth rate of 3%. Malicious applications increased from 200 to 239, totaling 42 million downloads, with adware now accounting for 69% of all detections. Spyware has surged by 220% year-over-year, with India, the U.S., and Canada being the most affected countries. Notable malware families include Anatsa, which targets financial institutions, Android Void (Vo1d), which affects Android TV boxes, and Xnotice, which targets job seekers. IoT devices, particularly routers, are also being exploited, with the majority of attacks occurring in the U.S. Zscaler recommends implementing security measures such as regular updates, trusting reputable publishers, and adopting zero-trust technology for organizations.

AppWizard

November 4, 2025

Backdoored ‘secure’ messaging app leads to more arrests

Australian law enforcement arrested 55 individuals in a recent operation targeting organized crime, aided by intelligence from a backdoored messaging application called AN0M. AN0M was developed by the FBI and Australia’s Federal Police (AFP) after the shutdown of a service called Phantom Secure, which facilitated encrypted communications for criminals. AN0M users were unaware that the app contained a backdoor for authorities to access their messages. In 2022, the Australian High Court ruled that AN0M’s operations were legal, as it functioned as a closed system. The recent raids in South Australia were part of the ongoing efforts under "Operation Ironside," which has seen multiple waves of activity linked to AN0M. The operation led to the restraint of assets valued at AUD 8 million. The AFP continues to push for access to encrypted communications to improve public safety investigations.

Tech Optimizer

November 2, 2025

Hackers Exploit Fake Microsoft Teams Ads to Deploy Rhysida Ransomware

Cybercriminals are deploying deceptive ads for Microsoft Teams that lead users to malicious software downloads, including ransomware like Rhysida’s OysterLoader. These ads appear prominently in search results and redirect users to counterfeit websites. The malware, often disguised as the legitimate Teams application and signed with counterfeit certificates, can evade antivirus detection and compromise systems. Microsoft has revoked over 200 compromised certificates to disrupt these campaigns and issued warnings about downloading software from unverified sources. The rise of these attacks targets collaboration tools, particularly amid the remote work trend, with hackers exploiting platforms like Teams for espionage and credential theft. Experts recommend navigating directly to official websites and implementing strong endpoint protection to combat these threats.

AppWizard

October 28, 2025

Telegram Messenger Abused by Android Malware to Seize Full Device Control

Security researchers at Doctor Web have identified a sophisticated Android backdoor, named Android.Backdoor.Baohuo.1.origin, disguised as Telegram X, which has compromised over 58,000 devices globally, with around 20,000 active infections. The malware propagates through malicious websites posing as app catalogs and targets approximately 3,000 different models of devices. It features unprecedented control mechanisms via Redis database integration, allowing extensive manipulation of victims' accounts and devices, including hiding evidence of compromise and autonomously managing messaging functionalities. The malware extracts sensitive data, including SMS messages and clipboard contents, and uploads information to attacker servers every three minutes. Brazil and Indonesia are primary targets, with the malware available on third-party app stores under fraudulent identities.

AppWizard

October 26, 2025

Hackers Weaponizing Telegram Messenger with Dangerous Android Malware to Gain Full System Control

A sophisticated backdoor known as Android.Backdoor.Baohuo.1.origin has been identified in malicious versions of the Telegram X messenger, granting attackers comprehensive control over victims’ accounts. This malware has compromised over 58,000 devices across approximately 3,000 smartphone models and other Android-based systems, primarily targeting users in Brazil and Indonesia. It spreads through misleading advertisements and third-party app stores, often masquerading as legitimate applications. The malware can exfiltrate sensitive information, manage user interactions, and manipulate messenger functionality without detection. It utilizes a Redis database for command-and-control operations, representing a novel approach in Android malware. The backdoor monitors clipboard contents and collects device information, sending data to attackers every three minutes while disguising its activities.

AppWizard

October 24, 2025

Baohuo Android Malware Hijacks Telegram Accounts via Fake Telegram X

A new Android malware, identified as Android.Backdoor.Baohuo.1.origin, is disguised as counterfeit versions of the messaging app Telegram X. It has been labeled as one of the most sophisticated Android backdoors this year. The malware is distributed through online advertisements promising enhanced features and connects to remote servers to grant attackers full control over the user’s Telegram account. It can conceal unauthorized logins, erase chat traces, and manipulate app behavior in real-time using the Xposed framework. Over 58,000 devices have been infected, primarily in India, Brazil, and Indonesia. Baohuo communicates directly with a Redis database for command-and-control, allowing seamless operation even if primary servers are down. It can intercept clipboard data and perform regular check-ins on user activity. The malware has been found in third-party app stores, falsely attributed to Telegram’s developer. Users are advised to download Telegram only from official sources.

Winsage

October 23, 2025

Russian hackers replace malware with new tools, Windows updates cause login issues, campaign targets high-profile servers

Mark your calendars for this Friday's Super Cyber Friday, featuring the session titled "Hacking the Death of EDR." Russian state-sponsored hacking group Coldriver has introduced three new malware strains: NOROBOT, YESROBOT, and MAYBEROBOT, following the exposure of their previous tool, LostKeys. The new malware is designed to evade detection and extract sensitive data from high-value targets. Microsoft has acknowledged that Windows updates released since August 29th are causing login failures on systems with duplicate Security Identifiers (SIDs), leading to authentication failures. Microsoft recommends rebuilding affected systems or contacting support for a temporary fix. Kaspersky researchers have identified a likely Chinese-speaking threat actor behind the “PassiveNeuron” campaign, targeting government, financial, and industrial servers across Asia, Africa, and Latin America since 2024, using custom implants and Cobalt Strike. CISA has added high-severity vulnerabilities in Oracle E-Business Suite, Microsoft Windows SMB Client, Kentico Xperience CMS, and Apple JavaScriptCore to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by November 10th. Researchers from France's CEA and Soitec have unveiled a new chip architecture called Fully Depleted Silicon-on-Insulator, designed to defend against laser fault injection attacks on automotive microcontrollers. During Pwn2Own Ireland 2025, researchers exploited 34 zero-days across various devices, earning a total of 2,500 in rewards, with Team DDOS chaining eight zero-days to compromise a QNAP router and NAS. Koi Security researchers discovered a new self-propagating malware named GlassWorm, which has infected approximately 36,000 developer systems by exploiting Visual Studio Code extensions, pilfering credentials, and installing remote access tools. PolarEdge is a botnet malware targeting Cisco, ASUS, QNAP, and Synology routers, first detected in February, which installs a TLS-based backdoor to fingerprint hosts and execute tasks while employing anti-analysis techniques.