RAT - Cisco Talos Blog

May 5, 2026 06:00
CloudZ RAT potentially steals OTP messages using Pheno plugin
Cisco Talos discovered an intrusion, active since at least January 2026, where an unknown attacker implanted a CloudZ remote access tool (RAT) and a previously undocumented plugin called “Pheno.”
Alex Karkins, Chetan Raghuprasad

Threat Spotlight | October 30, 2024 06:00
Writing a BugSleep C2 server and detecting its traffic with Snort
This blog will demonstrate the practice and methodology of reversing BugSleep’s protocol, writing a functional C2 server, and detecting this traffic with Snort.
Aaron Boyd

malware | October 22, 2024 06:00
Threat actor abuses Gophish to deliver new PowerRAT and DCRAT
Cisco Talos recently discovered a phishing campaign using an open-source phishing toolkit called Gophish by an unknown threat actor.

Threats | August 1, 2024 08:00
APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike
ShadowPad, widely considered the successor of PlugX, is a modular remote access trojan (RAT) only seen sold to Chinese hacking groups.
Joey Chen, Ashley Shen, Vitor Ventura

June 21, 2024 08:00
Unveiling SpiceRAT: SneakyChef's latest tool targeting EMEA and Asia
The new remote access trojan (RAT) dubbed SpiceRAT was used by the threat actor SneakyChef in a recent campaign targeting government agencies in EMEA and Asia.
Chetan Raghuprasad, Ashley Shen

SneakyChef espionage group targets government agencies with SugarGh0st and more infection techniques
Cisco Talos recently discovered an ongoing campaign from SneakyChef, a newly discovered threat actor using SugarGh0st malware, as early as August 2023.

February 8, 2024 08:00
New Zardoor backdoor used in long-term cyber espionage operation targeting an Islamic organization
Talos discovered a new, stealthy espionage campaign that has likely persisted since at least March 2021. The observed activity affects an Islamic non-profit organization using backdoors for a previously unreported malware family we have named “Zardoor.”
Cisco Talos

December 11, 2023 08:50
Operation Blacksmith: Lazarus targets organizations worldwide using novel Telegram-based malware written in DLang
Our latest findings indicate a definitive shift in the tactics of the North Korean APT group Lazarus Group.
Jungsoo An, Asheer Malhotra,

November 30, 2023 08:00
New SugarGh0st RAT targets Uzbekistan government and South Korea
Cisco Talos recently discovered a malicious campaign that likely started as early as August 2023, delivering a new remote access trojan (RAT) we dubbed “SugarGh0st.”

SecureX | August 24, 2023 08:02
Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT
This is the third documented campaign attributed to this actor in less than a year, with the actor reusing the same infrastructure throughout these operations.
Vitor Ventura, Jungsoo An

September 7, 2022 08:01
MagicRAT: Lazarus’ latest gateway into victim networks
Cisco Talos has discovered a new remote access trojan (RAT) we're calling "MagicRAT," developed and operated by the Lazarus APT group, which the U.S. government believes is a North Korean state-sponsored actor.

March 29, 2022 08:01
Transparent Tribe campaign uses new bespoke malware to target Indian government officials
By Asheer Malhotra and Justin Thattil with contributions from Kendall McKay.
* Cisco Talos has observed a new Transparent Tribe campaign targeting Indian government and military entities.
* While the actors are infecting victims with CrimsonRAT, their well-known malware of choi
Kendall McKay

February 2, 2022 08:00
Arid Viper APT targets Palestine with new wave of politically themed phishing attacks, malware
Cisco Talos has observed a new wave of Delphi malware called Micropsia developed and operated by the Arid Viper APT group since 2017.
* This campaign targets Palestinian entities and activists using politically themed lures.
* The latest iteration of the implant contains multi

January 12, 2022 08:02
Nanocore, Netwire and AsyncRAT spreading campaign uses public cloud infrastructure
* Cisco Talos discovered a malicious campaign in October 2021 delivering variants of Nanocore, Netwire and AsyncRATs targeting users' information.
* According to Cisco Secure product telemetry, the victims of this campaign are primarily distributed across the United States,
Vanja Svajcer

September 30, 2021 08:01
A wolf in sheep's clothing: Actors spread malware by leveraging trust in Amnesty International and fear of Pegasus
By Vitor Ventura and Arnaud Zobec.
Threat actors are impersonating the group Amnesty International and promising to protect against the Pegasus spyware as part of a scheme to deliver malware. Amnesty International recently made international headlines when it released a groundb
Arnaud Zobec

August 19, 2021 07:58
Malicious Campaign Targets Latin America: The seller, The operator and a curious link
By Asheer Malhotra and Vitor Ventura, with contributions from Vanja Svajcer.
* Cisco Talos has observed a new malware campaign delivering commodity RATs, including njRAT and AsyncRAT.
* The campaign targets travel and hospitality organizations in Latin America.
* Techniques
Asheer Malhotra

June 3, 2021 08:00
Necro Python bot adds new exploits and Tezos mining to its bag of tricks
By Vanja Svajcer, with contributions from Caitlin Huey and Kendall McKay.
News summary
* Some malware families stay static in terms of their functionality. But a newly discovered malware campaign utilizing the Necro Python bot shows this actor is adding new functionality and

April 21, 2021 07:59
A year of Fajan evolution and Bloomberg themed campaigns
By Vanja Svajcer.
* Some malware campaigns are designed to spread malware to as many people as possible, while some others carefully choose their targets. Cisco Talos recently discovered a malware campaign that does not fit in either of the two categories. This ac

March 2, 2021 08:04
ObliqueRAT returns with new campaign using hijacked websites
By Asheer Malhotra.
* Cisco Talos has observed another malware campaign that utilizes malicious Microsoft Office documents (maldocs) to spread the remote access trojan (RAT) ObliqueRAT.
* This campaign targets organizations in South Asia.
* ObliqueRAT has been linked to th

November 12, 2020 08:18
CRAT wants to plunder your endpoints
* Cisco Talos has observed a new version of a remote access trojan (RAT) family known as CRAT.
* Apart from the prebuilt RAT capabilities, the malware can download and deploy additional malicious plugins on the infected endpoint.
* One of the plugins is a ransomware known as

June 22, 2020 13:40
IndigoDrop spreads via military-themed lures to deliver Cobalt Strike
* Cisco Talos has observed a malware campaign that utilizes military-themed malicious Microsoft Office documents (maldocs) to spread Cobalt Strike beacons containing full-fledged RAT capabilities.
* These maldocs use malicious macros to deliver a multist

May 19, 2020 13:00
The wolf is back...
By Warren Mercer, Paul Rascagneres and Vitor Ventura.
* Thai Android devices and users are being targeted by a modified version of DenDroid we are calling "WolfRAT," now targeting messaging apps like WhatsApp, Facebook Messenger and Line.
* We assess w
Warren Mercer

April 29, 2020 11:48
Upgraded Aggah malspam campaign delivers multiple RATs
By Asheer Malhotra.
* Cisco Talos has observed an upgraded version of a malspam campaign known to distribute multiple remote access trojans (RATs).
* The infection chain utilized in the attacks is highly modularized.
* The attackers utilize publicly available infrastructure s

April 16, 2020 13:52
PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors
* Azerbaijan government and energy sector likely targeted by an unknown actor.
* From the energy sector, the actor demonstrates interest in SCADA systems related to wind turbines.
* The actor uses Word docum

COVID-19 | February 20, 2020 11:06
ObliqueRAT: New RAT hits victims' endpoints via malicious documents
* Cisco Talos has observed a malware campaign that utilizes malicious Microsoft Office documents (maldocs) to spread a remote access trojan (RAT) we’re calling “ObliqueRAT.”
* These maldocs use malicious macros to deliver the second stage RAT payload.

February 12, 2020 14:45
Loda RAT Grows Up
By Chris Neal.
* Over the past several months, Cisco Talos has observed a malware campaign that utilizes websites hosting a new version of Loda, a remote access trojan (RAT) written in AutoIT.
* These websites also host malicious documents that begin a multi-stage infection c
Chris Neal

September 30, 2019 11:35
Open Document format creates twist in maldoc landscape
By Warren Mercer and Paul Rascagneres.
Introduction
Cisco Talos recently observed attackers changing the file formats they use in an attempt to thwart common antivirus engines. This can happen across other file formats, but today, we are showing a change of approach for an acto

September 24, 2019 10:24
How Tortoiseshell created a fake veteran hiring website to host malware
By Warren Mercer and Paul Rascagneres with contributions from Jungsoo An.
Introduction
Cisco Talos recently discovered a threat actor attempting to take advantage of Americans who may be seeking a job, especially military veterans. The actor, previously identified by Symantec a

August 28, 2019 10:59
RAT Ratatouille: Backdooring PCs with leaked RATs
Executive summary
Orcus RAT and RevengeRAT are two of the most popular remote access trojans (RATs) in use across the threat landscape. Since its emergence in 2016, various adversaries used RevengeRAT to attack organizations and individuals around the world. The source code asso
Holger Unterbrink

November 27, 2018 10:02
DNSpionage Campaign Targets Middle East
Update 2018-11-27 15:30:00 EDT: A Russian-language document has been removed. Subsequent analysis leads us to believe it is unrelated to this investigation.
Cisco Talos recently discovered a new campaign targeting Lebanon and the United Arab Emirates (UAE) aff
Warren Mercer, Paul Rascagneres

August 22, 2018 12:00
Picking Apart Remcos Botnet-In-A-Box
This blog post was authored by Edmund Brumaghin and Holger Unterbrink with contributions from Eric Kuhla and Lilia Gonzalez Medina.
Overview
Cisco Talos has recently observed multiple campaigns using the Remcos remote access tool (RAT) that is offered for sale by a company cal
Edmund Brumaghin

April 2, 2018 11:48
Fake AV Investigation Unearths KevDroid, New Android Malware
This blog post is authored by Warren Mercer, Paul Rascagneres and Vitor Ventura, with contributions from Jungsoo An.
Summary
Several days ago, EST Security published a post concerning a fake antivirus malware targeting the Android mobile platform. In the Korean media, it was m

February 28, 2018 10:16
CannibalRAT targets Brazil

January 16, 2018 00:57
Korea In The Crosshairs
This blog post is authored by Warren Mercer and Paul Rascagneres, with contributions from Jungsoo An.
A one-year review of campaigns performed by an actor with multiple campaigns mainly linked to South Korean targets. This article exposes the malicious

November 28, 2017 00:52
ROKRAT Reloaded
This post was authored by Warren Mercer and Paul Rascagneres, with contributions from Jungsoo An.
Earlier this year, Talos published 2 articles concerning South Korean threats. The first one was about the use of a malicious HWP document which dropped downloade

July 6, 2017 03:58
New KONNI Campaign References North Korean Missile Capabilities
This blog was authored by Paul Rascagneres.
We recently wrote about the KONNI Remote Access Trojan (RAT) which has been distributed by a small number of campaigns over the past 3 years. We have identified a new distribution campaign which took place on 4th Jul

June 19, 2017 11:48
Delphi Used To Score Against Palestine
This blog was authored by Paul Rascagneres and Warren Mercer with contributions from Emmanuel Tacheau, Vanja Svajcer and Martin Lee.
Talos continuously monitors malicious email campaigns. We identified one specific spear phishing campaign launched against tar

May 3, 2017 12:59
KONNI: A Malware Under The Radar For Years
Executive Summary
Talos has discovered an unknown Remote Administration Tool that we believe has been in use for over 3 years. During this time it has managed to avoid scrutiny by the security community. The current version of the mal

April 3, 2017 11:01
Introducing ROKRAT
This blog was authored by Warren Mercer and Paul Rascagneres with contributions from Matthew Molyett.
A few weeks ago, Talos published research on a Korean MalDoc. As we previously discussed, this actor is quick to cover their tracks and very quickly cleaned up

February 8, 2017 12:24
Go RAT, Go! AthenaGo points “TorWords” Portugal
This post was authored by Edmund Brumaghin with contributions from Angel Villegas.
Talos is constantly monitoring the threat landscape in an effort to identify changes in the way attackers are attempting to target organizations around the world. We identified a unique m

August 25, 2015 04:43
Malware Meets SysAdmin - Automation Tools Gone Bad
This post was authored by Alex Chiu and Xabier Ugarte Pedrero.
Talos recently spotted a targeted phishing attack with several unique characteristics that are not normally seen. While we monitor phishing campaigns used to distribute threats such as Dridex, Upatre, and Cryptowall,
Craig Williams