VulnHub

Kaspersky's GReAT team has reported on a new campaign involving JanelaRAT, a type of remote access trojan that specifically targets financial information from users in Latin America. This malware is designed to steal sensitive data, including banking credentials, by infecting victims' devices through a series of sophisticated techniques. The infection process and the functionality of the malware have both been updated, making it more dangerous than previous versions. This campaign is particularly concerning as it highlights the ongoing risks to financial security for users in the region, especially given the rise of online banking and digital transactions. Users in Latin America need to be aware of this threat and take steps to protect their financial information.

Kaspersky has reported that SparkCat malware has resurfaced on app stores, specifically targeting cryptocurrency users in Asia. This malware has been found in applications available for both iOS and Android devices. Users downloading these apps may unknowingly expose their sensitive information, such as cryptocurrency wallet details, to attackers. This resurgence is particularly concerning given the increasing popularity of cryptocurrency among users, making them prime targets for cybercriminals. As the malware spreads, it underlines the need for users to be vigilant about the apps they download and the permissions they grant.

CrystalRAT is a new type of malware that has emerged in 2023, functioning as a malware-as-a-service platform. It operates on a subscription model, allowing users to access its capabilities, which include remote access to infected systems and features designed for pranks. Researchers from Kaspersky have noted that CrystalRAT bears a strong resemblance to an earlier malware called WebRAT. This is concerning as it lowers the barrier for entry for cybercriminals, enabling even those with limited technical skills to launch attacks. The rise of such services poses a growing threat to individuals and organizations, as they can be exploited for a variety of malicious purposes including data theft and system manipulation.

Kaspersky researchers have identified a new Remote Access Trojan (RAT) called CrystalX, which is being distributed as Malware-as-a-Service (MaaS). This malware combines features of spyware, information stealers, and prankware, making it particularly versatile and dangerous. Users can unknowingly download CrystalX, leading to their personal information being stolen or their devices being used for malicious purposes. The presence of prankware adds a unique twist, as it can also be used to annoy or embarrass victims. This incident underscores the evolving nature of cyber threats and the need for users to be vigilant about the software they install and the links they click on.

Recent findings from Kaspersky reveal that the Coruna iOS exploit kit is using an updated version of the kernel exploit code from the 2023 Operation Triangulation campaign. This exploit targets two specific vulnerabilities in Apple’s iOS, raising concerns about the potential for mass attacks against users. Initially, there wasn't enough evidence to connect Coruna to the earlier campaign, but researchers have now established a clear link. This means that devices running affected versions of iOS could be at risk from attackers leveraging these exploits. Users and organizations need to be vigilant and ensure their devices are updated to protect against these threats.

Kaspersky's GReAT team has identified a new exploit kit called Coruna, which specifically targets iPhones. This kit utilizes kernel exploits associated with two vulnerabilities, CVE-2023-32434 and CVE-2023-38606, and is an updated version of techniques used in Operation Triangulation. The existence of these exploits poses significant risks to iPhone users, as they could potentially allow attackers to gain unauthorized access to sensitive data or control over the devices. Users should be aware of these vulnerabilities and take steps to secure their devices against exploitation. The findings emphasize the need for continuous vigilance in mobile security as attackers evolve their methods.

Kaspersky's Security Operations Center has identified a new Horabot campaign targeting users in Mexico. This campaign involves sophisticated tactics that aim to compromise systems and steal sensitive information. Researchers have provided insights into how the attack is carried out, which can help security teams identify and respond to the threat effectively. The focus on Mexico suggests that local businesses and individuals may be particularly vulnerable, highlighting the need for increased awareness and protective measures. Understanding the methods used in this campaign can assist in preventing future attacks and safeguarding valuable data.

A cybercriminal group known as Bloody Wolf is targeting organizations in Uzbekistan and Russia with a spear-phishing campaign designed to deploy a remote access trojan called NetSupport RAT. This group, which has been active since at least 2023, is focusing its attacks on the manufacturing, finance, and IT sectors. Kaspersky, a cybersecurity firm, is tracking this activity under the name Stan Ghouls. The use of spear-phishing indicates that the attackers are likely customizing their messages to trick specific individuals or organizations into downloading the malicious software. This type of threat can lead to significant data breaches and operational disruptions for the affected companies, making it crucial for them to enhance their email security and user awareness training.

On January 20, Kaspersky detected malware associated with a supply chain attack targeting eScan antivirus software. This incident suggests that attackers compromised the update mechanism of eScan, potentially allowing them to distribute malicious updates to users. Companies using eScan antivirus are at risk, as the malware could lead to unauthorized access or data breaches. Users of the software should be vigilant and consider immediate actions to protect their systems. Kaspersky has provided indicators of compromise and mitigation strategies for affected users to follow in order to secure their environments.

Kaspersky researchers have identified updates to the CoolClient backdoor and the deployment of new tools associated with the HoneyMyte group, also known as Mustang Panda or Bronze President. This group is known for its advanced persistent threat (APT) campaigns, which have now introduced three variants of a browser data stealer. These updates suggest an ongoing effort by attackers to enhance their capabilities and target sensitive data from users. The implications are significant, as organizations and individuals could be at risk of having their personal and financial information stolen. Users are encouraged to remain vigilant and ensure their systems are protected against these evolving threats.

Kaspersky has reported on a new campaign from the HoneyMyte APT group, also known as Mustang Panda or Bronze President, which has evolved to use a sophisticated kernel-mode rootkit. This rootkit is designed to deploy and secure a backdoor known as ToneShell, which allows attackers to maintain persistent access to compromised systems. The implications of this development are significant, as it enhances the group’s ability to infiltrate networks and evade detection. Organizations need to be vigilant against these advanced tactics to protect sensitive data and maintain system integrity. This campaign highlights the ongoing threats posed by state-sponsored hacking groups and the need for robust cybersecurity measures.

A Chinese cyberespionage group known as Evasive Panda has been using a technique called DNS poisoning to install a backdoor known as MgBot on targeted systems in Türkiye, China, and India. Kaspersky researchers identified this campaign, which shows the group's focus on espionage activities against specific entities in these countries. DNS poisoning allows attackers to redirect victims to malicious servers without their knowledge, facilitating the installation of the backdoor. This incident raises concerns about the security of sensitive information, as the MgBot backdoor can provide attackers with ongoing access to compromised systems. Organizations in the affected regions should be vigilant and strengthen their cybersecurity measures to protect against such sophisticated attacks.

Kaspersky's GReAT team has released findings on a sophisticated attack by a group known as Evasive Panda APT. This group employs a technique that poisons DNS requests to deploy a malicious implant called MgBot. The attack chain includes the use of shellcode that is encrypted with DPAPI and RC5, making it harder to detect. This method poses a significant risk as it can compromise systems and networks by redirecting legitimate traffic to malicious sites. Organizations need to be aware of these tactics to prevent potential breaches and protect their infrastructure.

Kaspersky researchers have reported on the recent activities of the Cloud Atlas advanced persistent threat (APT) group in early 2025. This group has updated their arsenal with new malicious tools, including backdoors known as VBShower, VBCloud, PowerShower, and CloudAtlas. These implants are designed to infiltrate and control targeted systems, which typically include government and corporate networks. The evolving tactics of Cloud Atlas highlight the ongoing risks to organizations, particularly those in sensitive sectors. Companies need to remain vigilant and enhance their cybersecurity measures to defend against these sophisticated threats.