Tag: Cyber Threats

  • Malicious npm Packages Exploit Ethereum Smart Contracts to Target Crypto Developers

    Sep 03, 2025 | Ravie Lakshmanan | Malware / Social Engineering

    Cybersecurity researchers have discovered two new malicious packages on the npm registry that make use of smart contracts for the Ethereum blockchain to carry out malicious actions on compromised systems, signaling the trend of threat actors constantly on the lookout for new ways to distribute malware and fly under the radar.

    “The two npm packages abused smart contracts to conceal malicious commands that installed downloader malware on compromised systems,” ReversingLabs researcher Lucija Valentić said in a report shared with The Hacker News.


    The packages, both uploaded to npm in July 2025 and no longer available for download, are listed below –

    The software supply chain security firm said the libraries are part of a larger and sophisticated campaign impacting both npm and GitHub, tricking unsuspecting developers into downloading and running them.

    While the packages themselves make no effort to conceal their malicious functionality, ReversingLabs noted that the GitHub projects that imported these packages took pains to make them look credible.

    As for the packages themselves, the nefarious behavior kicks in once either of them is used or included in some other project, causing it to fetch and run a next-stage payload from an attacker-controlled server.

    Although this is par for the course when it comes to malware downloaders, where it stands apart is the use of Ethereum smart contracts to stage the URLs hosting the payload – a technique reminiscent of EtherHiding. The shift underscores the new tactics that threat actors are adopting to evade detection.

    Further investigation into the packages has revealed that they are referenced in a network of GitHub repositories claiming to be a solana-trading-bot-v2 that leverages “real-time on-chain data to execute trades automatically, saving you time and effort.” The GitHub account associated with the repository is no longer available.


    It’s assessed that these accounts are part of a distribution-as-service (DaaS) offering called Stargazers Ghost Network, which refers to a cluster of bogus GitHub accounts that are known to star, fork, watch, commit, and subscribe to malicious repositories to artificially inflate their popularity.

    Included among those commits are source code changes to import colortoolsv2. Some of the other repositories caught pushing the npm package are ethereum-mev-bot-v2, arbitrage-bot, and hyperliquid-trading-bot.

    The naming of these GitHub repositories suggests that the cryptocurrency developers and users are the primary target of the campaign, using a combination of social engineering and deception.

    “It is critical for developers to assess each library they are considering implementing before deciding to include it in their development cycle,” Valentić said. “And that means pulling back the covers on both open source packages and their maintainers: looking beyond raw numbers of maintainers, commits and downloads to assess whether a given package – and the developers behind it – are what they present themselves as.”


    Source: thehackernews.com…

  • Android Security Alert: Google Patches 120 Flaws, Including Two Zero-Days Under Attack

    Sep 03, 2025 | Ravie Lakshmanan | Mobile Security / Vulnerability

    Google has shipped security updates to address 120 security flaws in its Android operating system as part of its monthly fixes for September 2025, including two issues that it said have been exploited in targeted attacks.

    The vulnerabilities are listed below –

    • CVE-2025-38352 (CVSS score: 7.4) – A privilege escalation flaw in the Linux Kernel component
    • CVE-2025-48543 (CVSS score: N/A) – A privilege escalation flaw in the Android Runtime component

    Google said both vulnerabilities could lead to local escalation of privilege with no additional execution privileges needed. It also noted that no user interaction is required for exploitation.


    The tech giant did not reveal how the issues have been weaponized in real-world attacks, but acknowledged there are indications of “limited, targeted exploitation.”

    Also patched by Google are several remote code execution, privilege escalation, information disclosure, and denial-of-service vulnerabilities impacting Framework and System components.

    Google has released two security patch levels, 2025-09-01 and 2025-09-05, to give Android partners the flexibility to more quickly address the subset of vulnerabilities that are common to all Android devices.

    “Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level,” Google said.

    Last month, Google released security updates to resolve two Qualcomm vulnerabilities — CVE-2025-21479 (CVSS score: 8.6) and CVE-2025-27038 (CVSS score: 7.5) — that were flagged by the chipmaker as actively exploited in the wild.


    Source: thehackernews.com…

  • Detecting Data Leaks Before Disaster

    In January 2025, cybersecurity experts at Wiz Research found that Chinese AI specialist DeepSeek had suffered a data leak, putting more than 1 million sensitive log streams at risk.

    According to the Wiz Research team, they identified a publicly accessible ClickHouse database belonging to DeepSeek. This allowed “full control over database operations, including the ability to access internal data”, Wiz Research stated, with more than a million lines of log streams involved, containing chat history, secret keys and more.

    Wiz immediately reported the issue to DeepSeek, which quickly secured the exposure. Still, the incident underscored the danger of data leakage.

    Intentional or unintentional?

    Data leakage is a broad concept, covering a range of scenarios. As IBM notes, the term in general refers to a scenario where “sensitive information is unintentionally exposed to unauthorized parties”.

    It could be intentional or unintentional. On the intentional side, for instance, hackers could use phishing or social engineering techniques to manipulate an organization’s employees into exposing their personal data.

    There’s even the risk of an insider threat: for instance, a worker with a grudge who seeks to compromise systems, perhaps for financial benefit or as part of some quest for revenge.

    But unintentional leakage is just as big a concern. This could be a case of simple human error: sending an email to the wrong person or providing too much information to a third party for example.

    There are a wide range of common vectors – we’ll run through just a few.

    Misconfigured cloud storage

    Cloud misconfigurations can be a common cause of data leakage. The Cloud Security Alliance highlights the danger from simple mistakes, like leaving default passwords in place or failing to properly configure access controls.

    Endpoint vulnerabilities

    Data processed through hardware like unencrypted laptops or stored in devices such as USBs can be a key vulnerability for leakage; it’s important that employees are aware of – and follow – organizational security policies to mitigate this risk.

    Emails and messaging

    There’s a real danger that data can be intercepted: this could come from a simple error (sending a sensitive attachment to the wrong address) or through a deliberate attack. Robust encryption is essential to ensure it stays in the right hands.

    Shadow IT

    Employees often use their own IT as part of their daily working lives (such as external cloud technologies), including for data storage. While this isn’t generally malicious, it can make risk management more difficult, notes the UK’s National Cyber Security Centre (NCSC), “because you won’t have a full understanding of what you need to protect and what you value most.”

    Financial and legal problems

    There are several common drivers of data leakage, ranging from weak access controls to a lack of data-classification policies, insufficient monitoring, and inadequate employee training. But no matter the specific cause, the consequences can be devastating.

    For example, regulatory authorities around the world now enforce strict data protection policies, which can result in huge fines for organizations that fail to comply; this includes the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

    There is also the broader risk of losing intellectual property (IP) or other sensitive company information. Crimes like credit card fraud could stem from a leak, while public companies could even see a fall in their share price.

    Perhaps most importantly, failing to protect employee and customer data could have a devastating impact on an organization’s reputation, with long-term negative implications for the business.

    Building your defenses

    So how can organizations protect themselves, their employees and their customers from the dangers of data leakage? Here are some key approaches:

    Enforce least-privilege access: By granting users access only to the data they need to perform their job, the ‘blast radius’ of a breach or leakage will be significantly reduced.

    Pursue data loss prevention (DLP): This is a wide-ranging solution, combining technologies like AI and antivirus software with techniques and actions focused on people and processes, all with the aim of identifying and preventing data-connected harm.

    Classify sensitive data: Protection begins with knowledge. Develop a thorough understanding of your riskiest data to ensure you know where to prioritize your security implementation.

    Audits: Through both external audit checks and a comprehensive internal audit program, organizations can increase their chances of identifying potential vulnerabilities.

    Training: Of course, no technical solution or operational enhancement can succeed without full employee engagement and understanding. Adequate training will ensure your staff and other stakeholders are up to speed, while engagement may even produce new insights into vulnerabilities and mitigation techniques.

    CompassDRP: Detect leaked data

    As your digital attack surface grows, so does the risk of data leakage. Outpost24’s CompassDRP helps organizations manage this expanding threat environment, with a key module focused on data leakage.

    The feature has crucial applications for many businesses. These include:

    • Detect potentially leaked documents or confidential data: Users often rely on unauthorized or misconfigured applications to share documents and sometimes confidential data with customers or colleagues. The Data Leakage feature is designed to detect such cases across numerous sources, including document repositories.
    • Detect potentially leaked source code: Such leakages could reveal internal information to an attacker, including IP or even the authentication tokens in the code. The Data Leakage feature searches code repositories to detect these leaks.

    Organizations of all sizes deal with growing volumes of data today. This is a huge advantage, helping gather insights into your business and your customer base. However, it also poses risks, as we have seen.

    By embracing technological innovation and operational enhancements, you can help ensure your organization realizes the many benefits of this information without succumbing to the dangers and costly consequences of data leakage. Book a CompassDRP live demo.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…

  • Threat Actors Weaponize HexStrike AI to Exploit Citrix Flaws Within a Week of Disclosure

    Sep 03, 2025 | Ravie Lakshmanan | Artificial Intelligence / Vulnerability

    Threat actors are attempting to leverage a newly released artificial intelligence (AI) offensive security tool called HexStrike AI to exploit recently disclosed security flaws.

    HexStrike AI, according to its website, is pitched as an AI‑driven security platform to automate reconnaissance and vulnerability discovery with an aim to accelerate authorized red teaming operations, bug bounty hunting, and capture the flag (CTF) challenges.

    Per information shared on its GitHub repository, the open-source platform integrates with over 150 security tools to facilitate network reconnaissance, web application security testing, reverse engineering, and cloud security. It also supports dozens of specialized AI agents that are fine-tuned for vulnerability intelligence, exploit development, attack chain discovery, and error handling.


    But according to a report from Check Point, threat actors are trying their hand at the tool to gain an adversarial advantage, attempting to weaponize it to exploit recently disclosed security vulnerabilities.

    “This marks a pivotal moment: a tool designed to strengthen defenses has been claimed to be rapidly repurposed into an engine for exploitation, crystallizing earlier concepts into a widely available platform driving real-world attacks,” the cybersecurity company said.

    Discussions on darknet cybercrime forums show that threat actors claim to have successfully exploited the three security flaws that Citrix disclosed last week using HexStrike AI, and, in some cases, even flag seemingly vulnerable NetScaler instances that are then offered to other criminals for sale.

    Check Point said the malicious use of such tools has major implications for cybersecurity, not only shrinking the window between public disclosure and mass exploitation, but also helping parallelize the automation of exploitation efforts.

    What’s more, it cuts down the human effort and allows for automatically retrying failed exploitation attempts until they become successful, which the cybersecurity company said increases the “overall exploitation yield.”

    “The immediate priority is clear: patch and harden affected systems,” it added. “Hexstrike AI represents a broader paradigm shift, where AI orchestration will increasingly be used to weaponize vulnerabilities quickly and at scale.”


    The disclosure comes as two researchers from Alias Robotics and Oracle Corporation said in a newly published study that AI-powered cybersecurity agents like PentestGPT carry heightened prompt injection risks, effectively turning security tools into cyber weapons via hidden instructions.

    “The hunter becomes the hunted, the security tool becomes an attack vector, and what started as a penetration test ends with the attacker gaining shell access to the tester’s infrastructure,” researchers Víctor Mayoral-Vilches and Per Mannermaa Rynning said.

    “Current LLM-based security agents are fundamentally unsafe for deployment in adversarial environments without comprehensive defensive measures.”


    Source: thehackernews.com…

  • Iranian Hackers Exploit 100+ Embassy Email Accounts in Global Phishing Targeting Diplomats

    Sep 03, 2025 | Ravie Lakshmanan | Data Breach / Cyber Espionage

    An Iran-nexus group has been linked to a “coordinated” and “multi-wave” spear-phishing campaign targeting the embassies and consulates in Europe and other regions across the world.

    The activity has been attributed by Israeli cybersecurity company Dream to Iranian-aligned operators connected to broader offensive cyber activity undertaken by a group known as Homeland Justice.

    “Emails were sent to multiple government recipients worldwide, disguising legitimate diplomatic communication,” the company said. “Evidence points toward a broader regional espionage effort aimed at diplomatic and governmental entities during a time of heightened geopolitical tension.”


    The attack chains involve spear-phishing emails with themes related to geopolitical tensions between Iran and Israel that deliver a malicious Microsoft Word document. When opened, the document urges recipients to “Enable Content” in order to execute an embedded Visual Basic for Applications (VBA) macro, which is responsible for deploying the malware payload.

    The email messages, per Dream, were sent to embassies, consulates, and international organizations across the Middle East, Africa, Europe, Asia, and the Americas, suggesting that the activity cast a wide phishing net. European embassies and African organizations are said to have been the most heavily targeted.

    The digital missives were sent from 104 unique compromised addresses belonging to officials and pseudo-government entities to give them an extra layer of credibility. At least some of the emails originated from a hacked mailbox belonging to the Oman Ministry of Foreign Affairs in Paris (*@fm.gov.om).

    “The lure content consistently referenced urgent MFA communications, conveyed authority, and exploited the common practice of enabling macros to access content, which are the hallmarks of a well-planned espionage operation that deliberately masked attribution,” Dream said.

    The end goal of the attacks is to use the VBA macro to deploy an executable that can establish persistence, contact a command-and-control (C2) server, and harvest system information.


    Cybersecurity company ClearSky, which also detailed some aspects of the campaign late last month, said the phishing emails were sent to multiple ministries of foreign affairs.

    “Similar obfuscation techniques were used by Iranian threat actors in 2023 when they targeted Mojahedin-e-Khalq in Albania,” it said in a post on X. “We assess with moderate confidence that this activity is linked to the same Iranian threat actors.”


    Source: thehackernews.com…

  • Cloudflare Blocks Record-Breaking 11.5 Tbps DDoS Attack

    Sep 03, 2025 | Ravie Lakshmanan | Threat Intelligence / Network Security

    Cloudflare on Tuesday said it automatically mitigated a record-setting volumetric distributed denial-of-service (DDoS) attack that peaked at 11.5 terabits per second (Tbps).

    “Over the past few weeks, we’ve autonomously blocked hundreds of hyper-volumetric DDoS attacks, with the largest reaching peaks of 5.1 Bpps and 11.5 Tbps,” the web infrastructure and security company said in a post on X. “The 11.5 Tbps attack was a UDP flood that mainly came from Google Cloud.”

    The entire attack lasted only about 35 seconds, with the company stating its “defenses have been working overtime.”

    Volumetric DDoS attacks are designed to overwhelm a target with a tsunami of traffic, causing the server to slow down or even fail. These attacks typically result in network congestion, packet loss, and service disruptions.

    Such attacks are often conducted by sending the requests from botnets made up of devices already under the threat actors’ control, be they computers, IoT devices, or other machines infected with malware.


    “The initial impact of a volumetric attack is to create congestion that degrades the performance of network connections to the internet, servers, and protocols, potentially causing outages,” Akamai says in an explanatory note.

    “However, attackers may also use volumetric attacks as a cover for more sophisticated exploits, which we refer to as ‘smoke screen’ attacks. As security teams work diligently to mitigate the volumetric attack, attackers may launch additional attacks (multi-vector) that allow them to surreptitiously penetrate network defenses to steal data, transfer funds, access high-value accounts, or cause further exploitation.”

    The development comes a little over two months after Cloudflare said it blocked, in mid-May 2025, a DDoS attack that peaked at 7.3 Tbps and targeted an unnamed hosting provider.

    In July 2025, the company also said hyper-volumetric DDoS attacks – L3/4 DDoS attacks exceeding 1 billion packets per second (Bpps) or 1 Tbps – skyrocketed in the second quarter of 2025, scaling a new high of 6,500 in comparison to 700 hyper-volumetric DDoS attacks in Q1 2025.

    The development comes as Bitsight detailed the RapperBot kill chain, which targets network video recorders (NVRs) and other IoT devices for purposes of enlisting them into a botnet capable of carrying out DDoS attacks. The botnet infrastructure was taken down last month as part of a law enforcement operation.

    In the attack documented by the cybersecurity company, the threat actors are said to have exploited security flaws in NVRs to gain initial access and download the next-stage RapperBot payload by mounting a remote NFS file system (“104.194.9[.]127”) and executing it.

    This is accomplished by means of a path traversal flaw in the web server that leaks valid administrator credentials, which are then used to push a fake firmware update that runs a set of bash commands to mount the share and run the RapperBot binary matching the system architecture.

    “No wonder the attackers choose to use NFS mount and execute from that share, this NVR firmware is extremely limited, so mounting NFS is actually a very clever choice,” security researcher Pedro Umbelino said. “Of course, this means the attackers had to thoroughly research this brand and model and design an exploit that could work under these limited conditions.”


    The malware subsequently obtains the DNS TXT records associated with a set of hard-coded domains (“iranistrash[.]libre” and “pool.rentcheapcars[.]sbs”) in order to get the actual list of command-and-control (C2) server IP addresses.

    The C2 IP addresses, in turn, are mapped to a C2 domain whose fully qualified domain name (FQDN) is generated using a simplified domain generation algorithm (DGA) that consists of a combination of four domains, four subdomains, and two top-level domains (TLDs). The FQDNs are resolved using hard-coded DNS servers.

    RapperBot ends up establishing an encrypted connection to the C2 domain that carries a valid DNS TXT record description, from where it receives the commands necessary to launch DDoS attacks. The malware can also be commandeered to scan the internet for open ports to further propagate the infection.
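The resolution chain described above (TXT lookups against hard-coded seed domains, a small combinatorial DGA, queries sent to hard-coded DNS servers) leaves a recognizable footprint in DNS telemetry. The following is an added detection example, not code from the article or from Bitsight: it enumerates the 4 × 4 × 2 candidate FQDN space of such a DGA from placeholder word lists, then flags log lines that use a non-approved resolver, query the seed domains quoted in the article for TXT records, or resolve a DGA candidate. The word lists, the approved resolver address, the log format and the log lines are all constructed for this example.

```python
"""Added example: flag DNS activity matching the RapperBot C2 resolution pattern.

Assumptions (all constructed for this example, not taken from the malware):
DGA word lists, the approved corporate resolver, and the DNS log format/lines.
"""
import itertools
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# The article says the simplified DGA combines four domains, four subdomains
# and two TLDs. These word lists are placeholders standing in for the real ones.
DGA_DOMAINS = ("alpha", "bravo", "charlie", "delta")
DGA_SUBDOMAINS = ("cdn", "api", "pool", "ns")
DGA_TLDS = ("libre", "sbs")

# Seed domains quoted in the article (defanged); refanged below for matching.
TXT_WATCHLIST_DEFANGED = ("iranistrash[.]libre", "pool.rentcheapcars[.]sbs")

# Resolver the fleet is supposed to use (constructed). A query sent anywhere
# else suggests the client has a hard-coded DNS server, as RapperBot does.
APPROVED_RESOLVERS = {"10.0.0.53"}


def refang(domain: str) -> str:
    """Turn a defanged indicator ("a[.]b") back into a matchable name."""
    return domain.replace("[.]", ".").lower()


def dga_candidates() -> Set[str]:
    """Enumerate every FQDN the simplified DGA can produce (4 * 4 * 2 = 32)."""
    return {
        f"{sub}.{dom}.{tld}"
        for sub, dom, tld in itertools.product(DGA_SUBDOMAINS, DGA_DOMAINS, DGA_TLDS)
    }


@dataclass(frozen=True)
class DnsEvent:
    ts: str
    client: str
    resolver: str
    qtype: str
    qname: str


# Constructed log format: one query per line, key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) resolver=(?P<resolver>\S+) "
    r"qtype=(?P<qtype>[A-Z]+) qname=(?P<qname>\S+)$"
)


def parse_line(line: str) -> Optional[DnsEvent]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    qname = m["qname"].rstrip(".").lower()  # normalise trailing dot and case
    return DnsEvent(m["ts"], m["client"], m["resolver"], m["qtype"], qname)


def classify(ev: DnsEvent) -> List[str]:
    """Return the reasons an event is suspicious (empty list if none)."""
    reasons: List[str] = []
    if ev.resolver not in APPROVED_RESOLVERS:
        reasons.append("query sent to non-approved resolver (possible hard-coded DNS server)")
    if ev.qtype == "TXT" and ev.qname in {refang(d) for d in TXT_WATCHLIST_DEFANGED}:
        reasons.append("TXT lookup of a known C2 seed domain")
    if ev.qname in dga_candidates():
        reasons.append("qname falls inside the DGA candidate set")
    return reasons


def scan(lines: Iterable[str]) -> List[Tuple[DnsEvent, List[str]]]:
    """Run the classifier over log lines and collect every flagged event."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = classify(ev)
        if reasons:
            findings.append((ev, reasons))
    return findings


# Constructed sample log: one benign A query, one TXT lookup of a seed domain,
# one DGA-shaped name sent to a non-approved resolver, one benign TXT query.
SAMPLE_LOG = """\
2025-09-01T10:00:01Z client=192.0.2.10 resolver=10.0.0.53 qtype=A qname=www.example.com.
2025-09-01T10:00:02Z client=192.0.2.44 resolver=10.0.0.53 qtype=TXT qname=pool.rentcheapcars.sbs.
2025-09-01T10:00:03Z client=192.0.2.44 resolver=198.51.100.7 qtype=A qname=cdn.bravo.libre.
2025-09-01T10:00:04Z client=192.0.2.10 resolver=10.0.0.53 qtype=TXT qname=_dmarc.example.com.
"""

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_LOG.splitlines()):
        print(f"{ev.ts} {ev.client} {ev.qtype} {ev.qname}: {'; '.join(reasons)}")
```

In a real deployment the DGA word lists would come from reverse engineering the sample and the resolver set from the organisation’s DHCP/DNS configuration; the two-signal hit on the third line (foreign resolver plus DGA-shaped name) is the pattern worth alerting on.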

    “Their methodology is simple: scan the Internet for old edge devices (like DVRs and routers), brute-force or exploit and make them execute the botnet malware,” Bitsight said. “No persistence is actually needed, just scan and infect, again and again. Because the vulnerable devices continue to be exposed out there and they are easier to find than ever before.”


    Source: thehackernews.com…

  • CISA Adds TP-Link and WhatsApp Flaws to KEV Catalog Amid Active Exploitation

    Sep 03, 2025 | Ravie Lakshmanan | Vulnerability / Mobile Security

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a high-severity security flaw impacting TP-Link TL-WA855RE Wi-Fi Range Extender products to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

    The vulnerability, CVE-2020-24363 (CVSS score: 8.8), concerns a case of missing authentication that could be abused to obtain elevated access to the susceptible device.

    “This vulnerability could allow an unauthenticated attacker (on the same network) to submit a TDDP_RESET POST request for a factory reset and reboot,” the agency said. “The attacker can then obtain incorrect access control by setting a new administrative password.”

    According to malwrforensics, the issue has been fixed with firmware version TL-WA855RE(EU)_V5_200731. However, it bears noting that the product has reached end-of-life (EoL) status, meaning it’s unlikely to receive any patches or updates. Users of the Wi-Fi range extender are advised to replace their gear with a newer model that addresses the issue.


    CISA has not shared any details on how the vulnerability is being exploited in the wild, by whom, or on the scale of such attacks.

    Also added to the KEV catalog is a security flaw that WhatsApp disclosed last week (CVE-2025-55177, CVSS score: 5.4) as having been exploited as part of a highly-targeted spyware campaign by chaining it with an Apple iOS, iPadOS, and macOS vulnerability (CVE-2025-43300, CVSS score: 8.8).

    Not much is known about who was targeted and which commercial spyware vendor is behind the attacks, but WhatsApp told The Hacker News that it sent in-app threat notifications to fewer than 200 users who may have been targeted as part of the campaign.

    Federal Civilian Executive Branch (FCEB) agencies are advised to apply the necessary mitigations by September 23, 2025, for both the vulnerabilities to counter active threats.


    Source: thehackernews.com…

  • Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations

    Sep 03, 2025 | Ravie Lakshmanan | Data Breach / Threat Intelligence

    Salesloft on Tuesday announced that it’s taking Drift temporarily offline “in the very near future,” as multiple companies have been ensnared in a far-reaching supply chain attack spree targeting the marketing software-as-a-service product, resulting in the mass theft of authentication tokens.

    “This will provide the fastest path forward to comprehensively review the application and build additional resiliency and security in the system to return the application to full functionality,” the company said. “As a result, the Drift chatbot on customer websites will not be available, and Drift will not be accessible.”

    The company said its top priority is to ensure the integrity and security of its systems and customers’ data, and that it’s working with cybersecurity partners, Mandiant and Coalition, as part of its incident response efforts.

    The development comes after Google Threat Intelligence Group (GTIG) and Mandiant disclosed what they said was a widespread data theft campaign that has leveraged stolen OAuth and refresh tokens associated with the Drift artificial intelligence (AI) chat agent to breach customers’ Salesforce instances.

    “Beginning as early as August 8, 2025, through at least August 18, 2025, the actor targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application,” the company said last week.


    The activity has been attributed to a threat cluster dubbed UNC6395 (aka GRUB1), with Google telling The Hacker News that more than 700 organizations may have been potentially impacted.

    While it was initially claimed that the exposure was limited to Salesloft’s integration with Salesforce, it has since emerged that any platform integrated with Drift is potentially compromised. Exactly how the threat actors gained initial access to Salesloft Drift remains unknown at this stage.

    The incident has also prompted Salesforce to temporarily disable all Salesloft integrations with Salesforce as a precautionary measure. Some of the businesses that have confirmed being impacted by the breach are as follows –

    “We believe this incident was not an isolated event but that the threat actor intended to harvest credentials and customer information for future attacks,” Cloudflare said.

    “Given that hundreds of organizations were affected through this Drift compromise, we suspect the threat actor will use this information to launch targeted attacks against customers across the affected organizations.”


    Source: thehackernews.com…

  • Lazarus Group Expands Malware Arsenal With PondRAT, ThemeForestRAT, and RemotePE

    Sep 02, 2025 | Ravie Lakshmanan | Malware / Threat Intelligence

    The North Korea-linked threat actor known as the Lazarus Group has been attributed to a social engineering campaign that distributes three different pieces of cross-platform malware called PondRAT, ThemeForestRAT, and RemotePE.

    The attack, observed by NCC Group’s Fox-IT in 2024, targeted an organization in the decentralized finance (DeFi) sector, ultimately leading to the compromise of an employee’s system.

    “From there, the actor performed discovery from inside the network using different RATs in combination with other tools, for example, to harvest credentials or proxy connections,” Yun Zheng Hu and Mick Koomen said. “Afterwards, the actor moved to a stealthier RAT, likely signifying a next stage in the attack.”

    The attack chain begins with the threat actor impersonating an existing employee of a trading company on Telegram and using fake websites masquerading as Calendly and Picktime to schedule a meeting with the victim.


    Although the exact initial access vector is currently not known, the foothold is leveraged to deploy a loader called PerfhLoader, which then drops PondRAT, a known malware assessed to be a stripped-down variant of POOLRAT (aka SIMPLESEA). The cybersecurity company said there is some evidence to suggest that a then-zero-day exploit in the Chrome browser was used in the attack.

    Also delivered along with PondRAT are a number of other tools, including a screenshotter, keylogger, Chrome credential and cookie stealer, Mimikatz, FRPC, and proxy programs like MidProxy and Proxy Mini.

    “PondRAT is a straightforward RAT that allows an operator to read and write files, start processes, and run shellcode,” Fox-IT said, adding it dates back to at least 2021. “The actor used PondRAT in combination with ThemeForestRAT for roughly three months, to afterwards clean up and install the more sophisticated RAT called RemotePE.”

    The PondRAT malware is designed to communicate over HTTP(S) with a hard-coded command-and-control (C2) server to receive further instructions, with ThemeForestRAT launched directly in memory either via PondRAT or a dedicated loader.

    ThemeForestRAT, like PondRAT, monitors for new Remote Desktop (RDP) sessions and contacts a C2 server over HTTP(S) to retrieve as many as twenty commands to enumerate files and directories, perform file operations, execute commands, test TCP connections, timestomp a file based on another file on disk, get a process listing, download files, inject shellcode, spawn processes, and hibernate for a specified amount of time.


    Fox-IT said ThemeForestRAT shares similarities with a malware codenamed RomeoGolf that was put to use by the Lazarus Group in the November 2014 destructive wiper attack against Sony Pictures Entertainment (SPE). It was documented by Novetta as part of a collaborative effort known as Operation Blockbuster.

    RemotePE, on the other hand, is retrieved from a C2 server by RemotePELoader, which, in turn, is loaded by DPAPILoader. Written in C++, RemotePE is a more advanced RAT that’s likely reserved for high-value targets.

    “PondRAT is a primitive RAT that provides little flexibility, however, as an initial payload it achieves its purpose,” Fox-IT said. “For more complex tasks, the actor uses ThemeForestRAT, which has more functionality and stays under the radar as it is loaded into memory only.”


    Source: thehackernews.com…

  • Researchers Warn of MystRodX Backdoor Using DNS and ICMP Triggers for Stealthy Control

    Sep 02, 2025 | Ravie Lakshmanan | Cyber Espionage / Network Security

    Cybersecurity researchers have disclosed a stealthy new backdoor called MystRodX that comes with a variety of features to capture sensitive data from compromised systems.

    “MystRodX is a typical backdoor implemented in C++, supporting features like file management, port forwarding, reverse shell, and socket management,” QiAnXin XLab said in a report published last week. “Compared to typical backdoors, MystRodX stands out in terms of stealth and flexibility.”

    MystRodX, also called ChronosRAT, was first documented by Palo Alto Networks Unit 42 last month in connection with a threat activity cluster called CL-STA-0969 that it said exhibits overlaps with a China-nexus cyber espionage group dubbed Liminal Panda.


    The malware’s stealth stems from the use of various levels of encryption to obscure source code and payloads, while its flexibility allows it to dynamically enable different functions based on a configuration, such as choosing TCP or HTTP for network communication, or opting for plaintext or AES encryption to secure network traffic.

    MystRodX also supports what’s called a wake-up mode, thereby enabling it to function as a passive backdoor that can be triggered following the receipt of specially crafted DNS or ICMP network packets from incoming traffic. There is evidence to suggest that the malware may have been around since at least January 2024, based on an activation timestamp set in the configuration.

    “Magic value is verified, MystRodX establishes communication with the C2 [command-and-control] using the specified protocol and awaits further commands,” XLab researchers said. “Unlike well-known stealth backdoors like SYNful Knock, which manipulates TCP header fields to hide commands, MystRodX uses a simpler yet effective approach: it hides activation instructions directly in the payload of ICMP packets or within DNS query domains.”

    The malware is delivered by means of a dropper that makes use of a spate of debugger- and virtual machine-related checks to determine if the current process is being debugged or it’s being run within a virtualized environment. Once the validation step is complete, the next-stage payload is decrypted. It contains three components –

    • daytime, a launcher responsible for launching chargen
    • chargen, the MystRodX backdoor component, and
    • busybox

    MystRodX, once executed, continuously monitors the daytime process, and if it is not found to be running, immediately launches it. Its configuration, which is encrypted using the AES algorithm, contains information pertaining to the C2 server, backdoor type, and main and backup C2 ports.

    “When the Backdoor Type is set to 1, MystRodX enters passive backdoor mode and waits for an activation message,” XLab said. “When the value of Backdoor Type is not 1, MystRodX enters active backdoor mode and establishes communication with the C2 specified in the configuration, waiting to execute the received commands.”


    Source: thehackernews.com…