RAT Archives

AppWizard

June 9, 2026

Surely FromSoftware has something brewing besides that Switch 2 exclusive, right?

FromSoftware announced a network test for the game Duskbloods, exclusive to the Switch 2, during the recent Nintendo Direct. The game features a trailer with atmospheric visuals and ominous narration. Fans are speculating about its implications for a potential Bloodborne 2 and expressing disappointment over its exclusivity to the Switch 2. Additionally, the Tarnished Edition DLC for Elden Ring is set to release on August 28, introducing two new classes and new weapons and armor.

AppWizard

June 8, 2026

Pirated PC games are delivering password-stealing malware

A surge in Windows malware campaigns has been identified, with malicious software hidden in pirated PC games and modified installers for popular franchises like Far Cry, Need for Speed, FIFA, and Assassin’s Creed. Over 400,000 devices globally have been affected, with around 30,000 cases in the United States. The malware, known as the "RenEngine loader," is disguised as a legitimate game launcher and infects systems when users download cracked games. It aims to deploy an infostealer called ARC, which can capture sensitive information such as passwords and cryptocurrency wallets, and may also install other harmful payloads like the Rhadamanthys stealer and Async Remote Access Trojan (RAT). Users often remain unaware of their infection until significant damage occurs. Recommendations for safety include avoiding unofficial downloads, using up-to-date anti-malware protection, and regularly updating software.

AppWizard

June 4, 2026

Legendary Warhammer artist John Blanche has died

John Blanche, a prominent illustrator known for his work in fantasy and science fiction, particularly with Warhammer 40,000 and other Games Workshop properties, passed away earlier this week at the age of 77. His death was confirmed by fellow artist Trish Carden on Facebook. Blanche contributed to video games such as the original Space Hulk and Warhammer: Shadow of the Horned Rat, and received special thanks in titles like Vermintide 2 and Fire Warrior. He retired from Games Workshop in 2023 due to health issues. The art community has expressed admiration and sorrow over his passing, highlighting his significant influence on the genre.

Winsage

June 2, 2026

PHANTOMPULSE RAT Uses UAC Bypass to Hijack Windows Systems

PHANTOMPULSE is a remote access trojan (RAT) used as a final payload in multi-stage attacks targeting Windows environments. It employs advanced post-exploitation techniques, including process injection, User Account Control (UAC) bypass, and a decentralized blockchain-based command-and-control (C2) mechanism. The malware utilizes three process injection techniques: module stomping, manual DLL mapping, and debug-driven execution. It avoids detection by using direct system calls instead of standard Windows APIs and incorporates a hardware breakpoint mechanism to disable security protections like AMSI and ETW. PHANTOMPULSE retrieves its C2 server address from Ethereum-based transaction data but has a vulnerability that allows defenders to hijack communication. It achieves persistence through scheduled tasks and supports self-healing capabilities. Privilege escalation is done using the "schuac" UAC bypass technique. The malware conducts system reconnaissance focusing on cryptocurrency wallets and messaging apps but does not directly steal credentials. It shows signs of AI-assisted development and shares tactics with DPRK-aligned threat groups, particularly in targeting cryptocurrency platforms.

Winsage

June 2, 2026

New PHANTOMPULSE RAT Campaign Uses UAC Bypass in Windows Attacks

The REF6598 intrusion set has revealed a Remote Access Trojan (RAT) named PHANTOMPULSE, which is distributed via malicious Obsidian plugins. It uses advanced evasion techniques, including a blockchain-based command and control (C2) channel and a public User Account Control (UAC) bypass to infiltrate Windows systems. The malware disables security measures like the Antimalware Scan Interface (AMSI) and Windows Lockdown Policy (WLDP) through a hardware-breakpoint technique, allowing it to avoid detection by signature-based memory scanners. PHANTOMPULSE hides its core files in encrypted registry blobs and creates scheduled tasks that appear as .NET Framework updates. Its decentralized C2 framework queries public blockchains for operational data, but it lacks sender authentication, which can be exploited by defenders. The malware inventories the system for antivirus software and targets high-value applications. It employs a UAC bypass technique called “schuac” to gain elevated permissions. Analysts attribute this campaign to DPRK-aligned threat actors, particularly the BlueNoroff group, due to its focus on cryptocurrency wallets and blockchain exploitation. Defenders can identify new infrastructure by searching blockchain ledgers for a specific hex signature associated with the malware's C2 encryption routine.

AppWizard

May 28, 2026

Fake ‘Cockroach Janta Party’ Android app flagged as critical malware threat, report warns

A cybersecurity report released on May 22, 2026, identifies a counterfeit Android application posing as the official app of the Cockroach Janta Party as a significant malware threat. The malicious app, known as Cockroach.Janta.Party, functions as a Remote Access Trojan (RAT) and can infiltrate Android devices, steal sensitive information, intercept communications, and control infected smartphones. The genuine Cockroach Janta Party has no affiliation with this app and is a victim of brand impersonation. The app is distributed through WhatsApp, Telegram, and misleading websites, particularly a rogue domain, cockroachjantaparty[.]org. It targets Android devices running versions 8.0 to 14 and requests elevated permissions, including access to camera, SMS, call logs, and contacts, while misusing the Android Accessibility Service to read on-screen content and grant itself additional permissions. The app contains multiple malicious modules for data exfiltration and uses a Command and Control infrastructure based on the Telegram Bot API. Users are advised to uninstall the app, disable Accessibility permissions, reset banking credentials, enable two-factor authentication, and conduct a full mobile security scan. The legitimate Cockroach Janta Party is encouraged to issue a formal clarification regarding the impersonation.

Winsage

May 10, 2026

Official JDownloader site served malware to Windows and Linux users between May 6 and May 7

Between May 6 and May 7, 2026, the official JDownloader website was compromised in a supply chain attack, leading to the distribution of malicious installers for Windows and Linux users. Attackers altered download links, redirecting users to harmful files, specifically targeting the Windows “Alternative Installer” and the Linux shell installer. A Reddit user reported the issue after Microsoft Defender flagged the installers as malicious, noting unusual developer names instead of the expected publisher, AppWork GmbH. JDownloader developers confirmed the breach and temporarily took down the website for investigation, revealing that an unpatched vulnerability in the content management system allowed the attackers to modify download pages. The genuine installer packages were not altered, and the malicious links were removed. The website was restored on May 8–9, 2026, with verified clean installer links. Indicators of compromise included specific hashes and compromised URLs related to the attack.

Winsage

May 6, 2026

New Trojan attacks Windows and steals data from smartphones via Phone Link

Cisco Talos experts have discovered a trojan that has been operational since at least January 2026, which installs the CloudZ RAT (Remote Access Tool) on Windows systems along with the Pheno plugin. The attack starts with an undisclosed initial access vector and involves executing a counterfeit SmartConnect update to deploy the CloudZ RAT. This RAT establishes an encrypted connection to its command and control (C2) server, allowing attackers to extract sensitive information. The CloudZ RAT assists in harvesting credentials from web browsers and downloads the Pheno plugin, which accesses Phone Link app data and transmits it to the C2 server. The Phone Link feature synchronizes critical data, including SMS messages with one-time passwords and account login details, which are the primary targets of the attackers.

AppWizard

May 6, 2026

Android Apps Get Public Verification System to Stop Supply Chain Attacks

Google has launched an enhanced Binary Transparency initiative for Android to strengthen the ecosystem against supply chain attacks. This initiative builds on the Pixel Binary Transparency framework introduced in October 2021, which ensures Pixel devices operate on verified OS software through a public cryptographic log of factory images. The new initiative aims to address the increasing sophistication of binary supply chain attacks, emphasizing that a binary's digital signature alone is insufficient for guaranteeing its authenticity. Starting May 1, 2026, all production Android applications released by Google will include a cryptographic entry confirming their authenticity. This initiative covers various Google applications and provides a transparent 'Source of Truth' for users to verify the software on their devices. Google is also offering verification tools for users and researchers to confirm the transparency state of supported software types, enhancing user privacy and security.

Tech Optimizer

May 4, 2026

Microsoft Defender wrongly flags DigiCert certs as Trojan:Win32/Cerdigent.A!dha

Microsoft Defender mistakenly flagged legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha, leading to their removal from Windows systems globally. This issue arose after a Defender signature update on April 30th, with affected certificates including 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 and DDFB16CD4931C973A2037D3FC83A4D7D775D05E4. The certificates were removed from the AuthRoot store under the Registry key HKLMSOFTWAREMicrosoftSystemCertificatesAuthRootCertificates. Microsoft has addressed the issue in Security Intelligence update version 1.449.430.0, which also restored the removed certificates. The false positives were linked to detections related to a recent DigiCert breach, where threat actors obtained valid code-signing certificates used for signing malware. DigiCert revoked 60 code-signing certificates, including those linked to the "Zhong Stealer" malware campaign. The malware utilized certificates issued to companies like Lenovo and Kingston, but the certificates flagged by Microsoft Defender are root certificates and do not correspond to the revoked code-signing certificates.