enhanced evasion

Tech Optimizer
September 22, 2025
Cybersecurity researchers have identified a sophisticated Remote Access Trojan (RAT) being marketed as a fully undetectable alternative to the legitimate ScreenConnect remote access solution. The malware bypasses security warnings from browsers such as Google Chrome and from Windows SmartScreen by bundling itself with valid Extended Validation (EV) certificates, allowing it to appear legitimate and evade detection. The RAT employs a comprehensive evasion toolkit, including anti-bot mechanisms and cloaked landing pages, to mislead automated security scanners while delivering malicious payloads. It uses fileless execution via PowerShell commands, enabling it to operate without leaving traditional file traces. The malware gives attackers real-time control over compromised systems, facilitating data exfiltration and system manipulation. The threat actors' sales strategy indicates a mature cybercrime-as-a-service model, with the tool marketed as a "FUD loader" for establishing persistent access before deploying secondary payloads. This trend highlights an increasing focus on exploiting user trust in legitimate brands and undermining security technologies, particularly through the use of valid EV certificates. Security professionals are warned to expect more instances of brand impersonation and sophisticated evasion techniques.
Winsage
August 17, 2024
Check Point Research (CPR) has identified a new malware variant called Styx Stealer, which extracts sensitive information from users, including browser data, instant messaging sessions from Telegram and Discord, and cryptocurrency assets. Styx Stealer is linked to the developer Sty1x, associated with the threat actor Fucosreal and the Agent Tesla malware. An operational security failure by the developer led to the accidental leak of sensitive data, allowing CPR to trace the malware back to its creator. Styx Stealer inherits functionalities from Phemedrone Stealer, capable of extracting saved passwords, cookies, auto-fill data, and information from browser extensions and cryptocurrency wallets. It can also capture session data from Telegram and Discord, gather system information, and take screenshots. The malware features auto-start capabilities, clipboard monitoring, and enhanced evasion techniques, and is marketed through a subscription model. In March 2024, a spam campaign distributing a malicious TAR archive containing Agent Tesla malware targeted various industries. CPR identified 54 customers who purchased Styx Stealer and Styx Crypter products, generating approximately ,500 in revenue over two months, with payments accepted in cryptocurrencies like Bitcoin and Monero. Styx Stealer employs evasion techniques to avoid detection, including checks for debugging tools and virtual machine environments.
AppWizard
March 30, 2024
- A new iteration of the Vultur banking trojan has been identified with more sophisticated remote control features and an enhanced ability to evade detection.
- The malware employs a combination of smishing and voice calls to deceive victims into downloading a fake McAfee Security app laden with the malware.
- The infection process involves receiving an SMS alert about an unauthorized transaction, calling a number for assistance, following a link to a fraudulent site, and installing the fake McAfee Security app.
- Once installed, the malware unleashes three Vultur-related payloads that gain access to Accessibility Services, enable remote control functionalities, and establish a link with the command and control server.
- The latest Vultur variant includes new functionalities such as comprehensive file management options, exploiting Accessibility Services, preventing certain apps from launching, crafting custom notifications, and disabling Keyguard.
- The malware has incorporated new evasion techniques like encrypting communications with the C2 server, using multiple encrypted payloads, and disguising malicious activities as legitimate applications.
- The developers behind Vultur have prioritized enhancing remote control capabilities, introducing commands for various device interactions and app management.
- Android users are advised to only download apps from trusted sources like Google Play, be cautious of unsolicited messages with links, and scrutinize app permissions during installation to maintain control over device security and privacy.