#backDoor

2026-02-24

Four Malicious NuGet Packages Target ASP.NET Developers With JIT Hooking and Credential Exfiltration

A NuGet supply chain attack involving four malicious packages targeting ASP.NET web application developers has been discovered. The campaign deploys a multi-stage payload where NCryptYo acts as a dropper, establishing a local proxy, while companion packages exfiltrate ASP.NET Identity data and accept threat actor-controlled authorization rules, creating backdoors in victim applications. The packages, published between August 12-21, 2024, have accumulated over 4,500 downloads. The attack uses obfuscation, JIT compiler manipulation, and a two-stage architecture to evade detection. The campaign's objective is to compromise applications during development, gaining access to deployed production instances by controlling the authorization layer.

Pulse ID: 699d5baa21c5722498f88433
Pulse Link: otx.alienvault.com/pulse/699d5
Pulse Author: AlienVault
Created: 2026-02-24 08:04:58

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #InfoSec #NET #NuGet #OTX #OpenThreatExchange #Proxy #RAT #SupplyChain #Troll #bot #developers #AlienVault

2026-02-24

Cloud Atlas: Analysis of Phishing Campaign and VBShower Backdoor

Pulse ID: 699d3e7bfa78fc758cbaebfd
Pulse Link: otx.alienvault.com/pulse/699d3
Pulse Author: Tr1sa111
Created: 2026-02-24 06:00:27

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Cloud #CloudAtlas #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Phishing #VBS #bot #Tr1sa111

2026-02-23

Fake Huorong security site infects users with ValleyRAT

A sophisticated campaign by the Silver Fox APT group has been discovered using a fake version of the popular Chinese antivirus Huorong Security to distribute ValleyRAT, a Remote Access Trojan. The attackers created a convincing lookalike website with a typosquatted domain to trick users into downloading a malicious installer. The malware uses DLL sideloading techniques to deploy a full-featured backdoor with advanced stealth capabilities. It establishes persistence through scheduled tasks, disables Windows Defender, and employs various evasion tactics. Once installed, ValleyRAT provides attackers with extensive control over the victim's system, including keylogging, process injection, and credential theft. The campaign primarily targets Chinese-language systems but may be spreading to other threat actors due to the public leak of the ValleyRAT builder.

Pulse ID: 699c6b8685a6526f07db3c61
Pulse Link: otx.alienvault.com/pulse/699c6
Pulse Author: AlienVault
Created: 2026-02-23 15:00:22

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Chinese #CyberSecurity #ICS #InfoSec #Malware #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SideLoading #Trojan #Windows #bot #AlienVault

2026-02-23

Cloud Atlas: Analysis of Phishing Campaign and VBShower Backdoor

The article analyzes a phishing campaign by the Cloud Atlas APT group targeting Russian organizations. It details five successful attacks on the same system over time, using malicious Microsoft Office documents to deliver the VBShower backdoor. The attackers used alternate data streams to hide malicious code and maintained persistence through registry modifications. The analysis covers the evolution of the attack chain, including the use of VBCloud malware and various command and control servers. Despite prolonged access, no evidence of lateral movement was found. The report concludes that Cloud Atlas continues to be active, using consistent tactics and tools.

Pulse ID: 699c2539b33fbe17058937b3
Pulse Link: otx.alienvault.com/pulse/699c2
Pulse Author: AlienVault
Created: 2026-02-23 10:00:25

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Cloud #CloudAtlas #CyberSecurity #ICS #InfoSec #Malware #Microsoft #MicrosoftOffice #OTX #Office #OpenThreatExchange #Phishing #Russia #VBS #bot #AlienVault

2026-02-23

Operation Olalampo: Inside MuddyWater's Latest Campaign

MuddyWater APT has launched Operation Olalampo, targeting organizations in the MENA region. The campaign involves new malware variants, including a Rust backdoor called CHAR, downloaders GhostFetch and HTTP_VIP, and an advanced backdoor GhostBackDoor. Notably, the group is using Telegram bots for command-and-control, revealing insights into their post-exploitation tactics. The operation, first observed on January 26, 2026, shows tactical and technical overlaps with previous MuddyWater activities. Key discoveries include potential AI-assisted malware development and infrastructure reuse dating back to October 2025. The campaign aligns with ongoing geopolitical tensions and provides valuable information on the threat actor's evolving techniques.

Pulse ID: 699c2852f2e41e1678d750b5
Pulse Link: otx.alienvault.com/pulse/699c2
Pulse Author: AlienVault
Created: 2026-02-23 10:13:38

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #HTTP #ICS #InfoSec #LUA #Malware #MuddyWater #OTX #OpenThreatExchange #RAT #Rust #Telegram #bot #AlienVault

𝕂𝚞𝚋𝚒𝚔ℙ𝚒𝚡𝚎𝚕 (kubikpixel@chaos.social)
2026-02-21

The Hidden Backdoor to 200 Airports: A Supply Chain Failure in Aviation

A single leaked credential from a fourth-party vendor recently exposed the digital infrastructure of 200 global airports. This security failure highlights how a lack of Multi-Factor Authentication can jeopardize critical systems, including baggage reconciliation and passenger kiosks. Discover how SVigil identified this backdoor before it cost the industry billions.

✈️ cloudsek.com/blog/the-hidden-b

#airport #backdoor #leak #fail

2026-02-20

Zero-day in Dell RecoverPoint for Virtual Machines (CVE-2026-22769)

A critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines has been discovered and actively exploited. The flaw, identified as CVE-2026-22769, allows attackers to gain root-level access on affected systems. China-linked threat actor UNC6201 has been leveraging this vulnerability in targeted intrusions since mid-2024, deploying custom backdoors like GRIMBOLT and BRICKSTORM for persistence and further compromise. The vulnerability affects versions prior to 6.0.3.1 HF1. Organizations are urged to apply the security patch immediately or use the provided remediation script if patching is not possible. Detection indicators for the malware and network traffic have been provided to help identify potential compromises.

Pulse ID: 69976fb1e346dadacfae5133
Pulse Link: otx.alienvault.com/pulse/69976
Pulse Author: AlienVault
Created: 2026-02-19 20:16:49

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #China #CyberSecurity #Dell #InfoSec #Mac #Malware #OTX #OpenThreatExchange #Vulnerability #ZeroDay #bot #AlienVault

2026-02-20

VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)

A critical remote code execution vulnerability (CVE-2026-1731) in BeyondTrust remote support software is being actively exploited. The flaw allows unauthenticated attackers to execute arbitrary OS commands with high privileges. Observed attacker activities include network reconnaissance, account creation, webshell deployment, C2 traffic, backdoor installation, lateral movement, and data theft. Affected sectors include finance, legal, technology, education, retail, and healthcare across multiple countries. Attackers are using tools like SparkRAT, VShell, and custom scripts for exploitation. The vulnerability is related to a similar one from 2024, highlighting the need for improved input validation and defense-in-depth strategies for remote access platforms.

Pulse ID: 6997aaa340e2e5c6cdac145f
Pulse Link: otx.alienvault.com/pulse/6997a
Pulse Author: AlienVault
Created: 2026-02-20 00:28:19

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #DataTheft #Education #Healthcare #InfoSec #OTX #OpenThreatExchange #RAT #RemoteCodeExecution #Rust #Vulnerability #bot #AlienVault

2026-02-20

Divide and conquer: how the new Keenadu backdoor exposed links between major Android botnets

Malicious software infected with the Keenadu operating system can be detected by analysing the code's code, as well as the software itself, in order to use it to run its own software.

Pulse ID: 6997fce17ae6ac720fec14c5
Pulse Link: otx.alienvault.com/pulse/6997f
Pulse Author: Tr1sa111
Created: 2026-02-20 06:19:13

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Android #BackDoor #CyberSecurity #ELF #InfoSec #OTX #OpenThreatExchange #RAT #bot #botnet #Tr1sa111

2026-02-19

Keenadu Android Malware Preinstalled on New Devices

Researchers have identified a new "backdoor" in the Android operating system, which can be installed on "new" devices on a "thousands of devices" on which they are currently operating.

Pulse ID: 699762e8ad3e3432e9666e98
Pulse Link: otx.alienvault.com/pulse/69976
Pulse Author: cryptocti
Created: 2026-02-19 19:22:15

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Android #BackDoor #CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #RAT #bot #cryptocti

2026-02-19

📢 Keenadu: an Android backdoor built into firmware links several major botnets
📝 Source: Kaspersky (Securelist) — In a research publication, analysts detail "Keenadu", a new Android backdoor integrated into the chain...
📖 cyberveille: cyberveille.ch/posts/2026-02-1
🌐 source: securelist.com/keenadu-android
#Android #Backdoor #Cyberveille

2026-02-19

Keenadu Android Malware Infects Firmware, Spreads via Google Play for Remote Control Access

Kaspersky has published a detailed analysis of Keenadu, a sophisticated Android backdoor that infects device firmware, spreads through Google Play apps, and allows attackers to take control over victims' devices.

Pulse ID: 6996fa9bec23f3ef35b68213
Pulse Link: otx.alienvault.com/pulse/6996f
Pulse Author: CyberHunter_NL
Created: 2026-02-19 11:57:15

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Android #BackDoor #CyberSecurity #Google #GooglePlay #InfoSec #Kaspersky #Malware #OTX #OpenThreatExchange #bot #CyberHunter_NL

2026-02-19

Back Entrance

The boulevard in Vlissingen is a high dike with a row of buildings on it. Some also have a rear entrance, which starts with a sturdy door, with a staircase behind it up to the living level.

#dailypicture #vlissingen #night #lamplight #lantern #backdoor #stairs #doorsday
Night in a quiet street in the center of Vlissingen. A dark blue steel door is illuminated by a convex lamp attached to the facade. The door is decorated with a few images of birds and displays the name of the house 'NAEREBOUT'. The shadow of a steel banister falls over the door.
Grub (Grub_09@mastodon.uno)
2026-02-18

Beware of cheap Android tablets: they may have factory-installed malware

Researchers at #kaspersky have identified a #backdoor already present in the firmware of some #android #tablet models before the devices even left the factory, with fairly serious implications for #sicurezza. The new Android backdoor, called #keenadu, is integrated directly into the firmware of some tablets made by different brands. #malware #virusinformatici smartworld.it/news/malware-tab

2026-02-18

Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day

UNC6201, a suspected PRC-nexus threat group, has been exploiting a zero-day vulnerability (CVE-2026-22769) in Dell RecoverPoint for Virtual Machines since mid-2024. The group uses this flaw for lateral movement, persistent access, and deployment of malware including SLAYSTYLE, BRICKSTORM, and a new backdoor called GRIMBOLT. GRIMBOLT, written in C# and compiled using native AOT, represents a shift in tradecraft designed to complicate analysis and improve performance. The actors also employed novel tactics to pivot into VMware infrastructure, including 'Ghost NICs' creation and iptables for Single Packet Authorization. Dell has released patches for the vulnerability, and the post provides detailed technical analysis, detection opportunities, and hardening guidance.

Pulse ID: 6995ac8b4c871a87564622a2
Pulse Link: otx.alienvault.com/pulse/6995a
Pulse Author: AlienVault
Created: 2026-02-18 12:11:55

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #Dell #ICS #InfoSec #Mac #Malware #OTX #OpenThreatExchange #PRC #VMware #Vulnerability #ZeroDay #bot #AlienVault

2026-02-18

Critical Vulnerabilities in Ivanti EPMM Exploited

Two critical zero-day vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Ivanti Endpoint Manager Mobile are being actively exploited, allowing unauthenticated remote code execution on servers. Widespread exploitation has been observed, including reverse shells, web shells, reconnaissance, and malware downloads. Affected sectors include government, healthcare, manufacturing, and technology in multiple countries. Over 4,400 vulnerable instances have been identified. Attackers are moving quickly from initial access to deploying persistent backdoors. Immediate patching is strongly recommended, as exploitation attempts are largely automated and opportunistic.

Pulse ID: 6995249be065bbf8bec34118
Pulse Link: otx.alienvault.com/pulse/69952
Pulse Author: AlienVault
Created: 2026-02-18 02:31:55

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #Endpoint #Government #Healthcare #InfoSec #Ivanti #Malware #Manufacturing #OTX #OpenThreatExchange #RemoteCodeExecution #ZeroDay #bot #AlienVault
