Tushar Subhra Dutta, Author at Cyber Security News (https://cybersecuritynews.com/author/tushar/)

Tsundere Botnet Abusing Popular Node.js and Cryptocurrency Packages to Attack Windows, Linux, and macOS Users
https://cybersecuritynews.com/tsundere-botnet-abusing-popular-node-js-and-cryptocurrency-packages/
Thu, 20 Nov 2025 14:29:05 +0000
Tsundere represents a significant shift in botnet tactics, leveraging the power of legitimate Node.js packages and blockchain technology to distribute malware across multiple operating systems.

First identified around mid-2025 by Kaspersky GReAT researchers, this botnet demonstrates the evolving sophistication of supply chain attacks.

The threat originates from activity first observed in October 2024, where attackers created 287 malicious npm packages using typosquatting—mimicking the names of popular libraries like Puppeteer and Bignum.js to deceive developers into installation.

The infection vector has evolved considerably since then. Tsundere spreads through multiple pathways, including Remote Monitoring and Management tools and disguised game installers that capitalize on piracy communities.

Samples discovered in the wild bear names like “valorant,” “cs2,” and “r6x,” specifically targeting first-person shooter enthusiasts.

Smart contract containing the Tsundere botnet WebSocket C2 (Source - Securelist)

This approach sidesteps ordinary security awareness: victims expect to be installing these applications, so the installer raises no suspicion.

The botnet particularly threatens Windows users, though the initial campaign exposed systems across Windows, Linux, and macOS platforms when it operated through npm package deployment.

The infrastructure behind Tsundere reveals a sophisticated understanding of modern attack methods. Rather than relying on traditional centralized command-and-control infrastructure, the botnet utilizes Ethereum blockchain smart contracts to store and retrieve C2 addresses.

Tsundere communication process with the C2 via WebSockets (Source - Securelist)

This approach adds resilience by making servers difficult to take down through conventional means. The threat actor, identified as koneko—a Russian-speaking operative—operates a professional marketplace where other cybercriminals can purchase botnet services or deploy their own functionality.

Securelist security analysts identified the malware after discovering connections between the current campaign and earlier supply chain attacks.

Their investigation revealed that the threat actor has since resurfaced with enhanced capabilities, launching Tsundere as an evolution of previous malware efforts.

Tsundere botnet panel login (Source - Securelist)

The panel supports both MSI installer and PowerShell script delivery mechanisms, giving attackers flexibility in deployment strategies across different network environments and defenses.

How Tsundere Maintains Persistence Through Node.js Abuse

The infection mechanism begins when an MSI installer or PowerShell script executes on the victim’s system, dropping legitimate Node.js runtime files into AppData alongside malicious JavaScript.

The setup uses a hidden PowerShell command that spawns a Node.js process executing obfuscated loader code.

This loader script decrypts the main bot payload with AES-256-CBC before setting up the botnet environment. The bot then installs three npm packages it depends on: ws for WebSocket communication, ethers for Ethereum blockchain interaction, and pm2 for process persistence.

The pm2 package plays a crucial role in maintaining presence on compromised machines. It creates registry entries that ensure the bot restarts automatically whenever a user logs in, achieving effective persistence.

The bot then queries Ethereum blockchain nodes through public RPC providers, retrieving the current C2 server address from a smart contract variable.

This clever approach means defenders cannot simply block a known IP address—the attackers rotate C2 infrastructure at will through blockchain transactions, rendering traditional IP-based blocking ineffective.

Once connected, the bot establishes encrypted communication and awaits commands from operators, which arrive as dynamic JavaScript code for execution.
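An added example for the C2 lookup described above (written for this page, not Kaspersky's analysis code or anything from the botnet): a defender who knows the contract address and the getter's selector can poll the same public variable the bot reads and push each new value into a blocklist, which turns the rotation mechanism against the operator. The contract address, selector and RPC endpoint are placeholders because the report does not publish them, and the reply decoded in main is a constructed sample.

```go
package main

import (
	"bytes"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"strings"
)

// Placeholders: the report gives neither the contract address, the getter's 4-byte selector nor the RPC providers used.
const (
	ContractAddr = "0x0000000000000000000000000000000000000000" // PLACEHOLDER
	GetterSel    = "0x00000000"                                 // PLACEHOLDER
	RPCEndpoint  = "https://rpc.example.invalid"                // PLACEHOLDER
)

// BuildEthCall returns the JSON-RPC body for a read-only eth_call of a
// zero-argument getter; nothing is written to the chain.
func BuildEthCall(contract, selector string) ([]byte, error) {
	return json.Marshal(map[string]any{
		"jsonrpc": "2.0", "id": 1, "method": "eth_call",
		"params": []any{map[string]string{"to": contract, "data": selector}, "latest"},
	})
}

// DecodeABIString decodes a call result of Solidity type string: a 32-byte offset
// word, a 32-byte length word, then the bytes right-padded to 32. Bad offsets and
// lengths are rejected instead of being read past the buffer.
func DecodeABIString(result string) (string, error) {
	raw, err := hex.DecodeString(strings.TrimPrefix(result, "0x"))
	if err != nil {
		return "", err
	}
	if len(raw) < 64 {
		return "", errors.New("abi: result shorter than offset and length words")
	}
	off := new(big.Int).SetBytes(raw[:32])
	if !off.IsInt64() || off.Int64()+32 > int64(len(raw)) {
		return "", errors.New("abi: offset out of range")
	}
	o := int(off.Int64())
	n := new(big.Int).SetBytes(raw[o : o+32])
	if !n.IsInt64() || n.Int64() > int64(len(raw)-o-32) {
		return "", errors.New("abi: length out of range")
	}
	return string(raw[o+32 : o+32+int(n.Int64())]), nil
}

// EncodeABIString is the inverse, used only to construct sample replies.
func EncodeABIString(s string) string {
	pad := (32 - len(s)%32) % 32
	buf := make([]byte, 64, 64+len(s)+pad)
	buf[31] = 0x20 // offset word: the length word starts at byte 32
	big.NewInt(int64(len(s))).FillBytes(buf[32:64])
	buf = append(append(buf, s...), make([]byte, pad)...)
	return "0x" + hex.EncodeToString(buf)
}

// ParseEthCallResponse pulls the result out of a JSON-RPC reply and decodes it.
func ParseEthCallResponse(body []byte) (string, error) {
	var resp struct {
		Result string                                  `json:"result"`
		Error  *struct{ Message string `json:"message"` } `json:"error"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		return "", err
	}
	if resp.Error != nil {
		return "", errors.New("rpc: " + resp.Error.Message)
	}
	return DecodeABIString(resp.Result)
}

// ResolveC2 does the live round trip (not exercised offline); run it on a
// schedule and diff against the previous value to feed a blocklist.
func ResolveC2(rpcURL, contract, selector string) (string, error) {
	body, _ := BuildEthCall(contract, selector)
	resp, err := http.Post(rpcURL, "application/json", bytes.NewReader(body))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	data, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return ParseEthCallResponse(data)
}

func main() {
	// Constructed reply: what a node would return if the variable held this value.
	reply := []byte(`{"jsonrpc":"2.0","id":1,"result":"` + EncodeABIString("wss://c2.example.invalid") + `"}`)
	c2, err := ParseEthCallResponse(reply)
	fmt.Println("resolved C2:", c2, "err:", err)
}
```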

Sturnus Banking Malware Steals Communications from Signal and WhatsApp, Gaining Full Control of The Device
https://cybersecuritynews.com/sturnus-banking-malware-steals-communications-from-signal-and-whatsapp/
Thu, 20 Nov 2025 14:18:17 +0000
A new banking malware called Sturnus has emerged as a significant threat to mobile users across Europe.

Security researchers have discovered that this sophisticated Android trojan can capture encrypted messages from popular messaging apps like WhatsApp, Telegram, and Signal by accessing content directly from the device screen after decryption.

The malware’s ability to monitor these communications marks a serious advancement in mobile banking threats, combining credential theft with extensive remote access capabilities.

The malware operates by harvesting banking credentials through convincing fake login screens that perfectly replicate legitimate banking applications.

What makes Sturnus particularly dangerous is its capacity to provide attackers with full device takeover, allowing them to observe all user activity without physical interaction.

Attackers can inject text messages, intercept communications, and even black out the device screen while conducting fraudulent transactions in the background, leaving victims completely unaware of the theft occurring on their compromised devices.

Threat Fabric security analysts identified Sturnus as a privately operated trojan currently in its early testing phase, with targeted campaigns already configured against financial institutions across Southern and Central Europe.

Although the malware remains in limited deployment, researchers emphasize that Sturnus is fully functional and more advanced than several established malware families in certain aspects, particularly regarding its communication protocol and device support capabilities.

Early stages (Source - Threat Fabric)

This combination of sophisticated features and targeted geographic focus suggests attackers are refining their tools before launching broader operations.

The current threat landscape indicates that Sturnus.A operates with region-specific targeting, using tailored overlay templates designed for Southern and Central European victims.

The malware’s operators demonstrate clear focus on compromising secure messaging platforms, testing the trojan’s ability to capture sensitive communications across different environments.

The relatively few samples detected so far, combined with short intermittent campaigns rather than sustained large-scale activity, indicate the operation remains in evaluation and tuning phases.

Understanding the Communication Protocol

The malware’s complex communication structure inspired its name, drawing parallels to the Sturnus vulgaris bird, whose rapid and irregular chatter jumps between whistles, clicks, and imitations.

Sturnus mirrors this chaotic pattern through its layered mix of plaintext, RSA, and AES communications that switch unpredictably between simple and complex messages.

Capabilities (Source - Threat Fabric)

The malware establishes a connection with its command-and-control server using both WebSocket (WSS) and HTTP channels, transmitting a combination of encrypted and plaintext data primarily over WebSocket connections.

The technical handshake begins with an HTTP POST request where the malware registers the device using a placeholder payload. The server responds with a UUID client identifier and an RSA public key.

The malware then generates a 256-bit AES key locally, encrypts it using RSA/ECB/OAEPWithSHA-1AndMGF1Padding, and transmits the encrypted key back while storing the plaintext AES key on the device in Base64 format.

Once key exchange completes, all subsequent communication receives protection through AES/CBC/PKCS5Padding with a 256-bit encryption key.

The trojan generates fresh 16-byte initialization vectors for each message, prepends them to encrypted payloads, and wraps results in custom binary protocols containing message type headers, message length data, and client UUIDs.

This sophisticated encryption scheme demonstrates the developers’ expertise in secure communications while maintaining malicious functionality.
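The key exchange and message framing described above, as an added example that is not part of the Threat Fabric report or the malware: the client-side OAEP wrapping of the session key, and an analyst-side decoder that uses the Base64 AES key recovered from the device to validate and decrypt captured frames. The field order and widths of the binary framing are assumptions, as are the client UUID and the sample payload.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed frame layout (the report names the fields but not their order or widths):
// 1-byte type | 4-byte big-endian body length | 36-byte client UUID | 16-byte IV | AES-256-CBC/PKCS5 ciphertext.
const uuidLen = 36

type Message struct {
	Type       byte
	ClientUUID string
	Plaintext  []byte
}

// WrapSessionKey is the client's handshake step: the 256-bit AES key encrypted to the server's
// RSA key with OAEP using SHA-1 for both hash and MGF1 (Java's "RSA/ECB/OAEPWithSHA-1AndMGF1Padding").
func WrapSessionKey(pub *rsa.PublicKey, aesKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha1.New(), rand.Reader, pub, aesKey, nil)
}

// UnwrapSessionKey is the server side of the same step.
func UnwrapSessionKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha1.New(), nil, priv, wrapped, nil)
}

// pkcs5Unpad checks the padding of a block-aligned, non-empty buffer.
func pkcs5Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS5 padding")
	}
	return b[:len(b)-n], nil
}

// SealFrame builds a frame as the client does (fresh random IV per message,
// prepended to the ciphertext); used here only to construct sample traffic.
func SealFrame(key []byte, msgType byte, clientUUID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(key) != 32 || len(clientUUID) != uuidLen {
		return nil, errors.New("need a 32-byte key (AES-256) and a 36-char uuid")
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	ct := append(append([]byte(nil), plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, ct)
	body := append(append([]byte(clientUUID), iv...), ct...)
	frame := append([]byte{msgType, 0, 0, 0, 0}, body...)
	binary.BigEndian.PutUint32(frame[1:5], uint32(len(body)))
	return frame, nil
}

// OpenFrame is the analyst's decoder: given the Base64 AES key recovered from the
// device, it validates the framing and returns the decrypted message. Truncated
// frames and bad padding are reported, never silently decoded.
func OpenFrame(keyB64 string, frame []byte) (*Message, error) {
	key, err := base64.StdEncoding.DecodeString(keyB64)
	if err != nil || len(key) != 32 {
		return nil, errors.New("key must be the Base64 of 32 bytes")
	}
	if len(frame) < 5 || int(binary.BigEndian.Uint32(frame[1:5])) != len(frame)-5 {
		return nil, errors.New("frame truncated or length field inconsistent")
	}
	body := frame[5:]
	if len(body) < uuidLen+2*aes.BlockSize || (len(body)-uuidLen)%aes.BlockSize != 0 {
		return nil, errors.New("body is not uuid + iv + whole blocks")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv, ct := body[uuidLen:uuidLen+aes.BlockSize], body[uuidLen+aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	if pt, err = pkcs5Unpad(pt); err != nil {
		return nil, err
	}
	return &Message{Type: frame[0], ClientUUID: string(body[:uuidLen]), Plaintext: pt}, nil
}

func main() {
	key := make([]byte, 32) // constructed session key
	rand.Read(key)
	frame, _ := SealFrame(key, 2, "123e4567-e89b-12d3-a456-426614174000", []byte(`{"event":"sample"}`))
	msg, err := OpenFrame(base64.StdEncoding.EncodeToString(key), frame)
	fmt.Printf("%+v %v\n", msg, err)
}
```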

Samourai Wallet Cryptocurrency Mixing Founders Jailed for Laundering Over $237 Million
https://cybersecuritynews.com/samourai-wallet-cryptocurrency-mixing-founders-jailed/
Thu, 20 Nov 2025 14:06:56 +0000
The U.S. Attorney’s Office, Southern District of New York, has announced the sentencing of Keonne Rodriguez and William Lonergan Hill, co-founders of Samourai Wallet, a cryptocurrency mixing application designed specifically to hide illegal financial transactions.

Rodriguez, who served as the Chief Executive Officer, received a five-year prison sentence on November 6, 2025, while Hill, the Chief Technology Officer, was sentenced to four years on November 19, 2025.

Their criminal enterprise facilitated the laundering of over $237 million in illicit funds through their mobile application platform.

Starting around 2015, Rodriguez and Hill developed Samourai with the explicit purpose of concealing criminal proceeds.

The application’s architecture centered on two core services built specifically to obstruct law enforcement investigations and prevent financial tracing.

Over 80,000 Bitcoin, valued at more than $2 billion at the time, flowed through their services, generating approximately $6 million in fees for the operators.

According to the U.S. Attorney’s Office for the Southern District of New York, the criminal proceeds originated from multiple sources including drug trafficking, darknet marketplaces, cyber-intrusions, frauds, sanctioned jurisdictions, murder-for-hire schemes, and child pornography operations.

How Samourai’s Technical Infrastructure Enabled Money Laundering

The mixing service functioned through two primary obfuscation mechanisms. The first, known as “Whirlpool,” coordinated Bitcoin exchanges among user groups, effectively scrambling the blockchain record and making fund origins virtually untraceable to law enforcement and cryptocurrency exchanges.

The second service, called “Ricochet,” inserted unnecessary intermediate transactions referred to as “hops” between sending and receiving addresses, significantly complicating the ability of monitoring entities to establish connections between transfers and criminal activities.

Beyond the technical infrastructure, Rodriguez and Hill actively promoted their service to criminal communities.

Hill marketed Samourai on Dread, a darknet forum, explicitly recommending Whirlpool as the optimal method to “clean dirty BTC.”

Similarly, Rodriguez personally encouraged social media platform hackers via Twitter to route their stolen proceeds into Samourai’s Whirlpool service in July 2020, demonstrating direct knowledge and intentional facilitation of criminal activity.

The sentencing reflects the serious consequences of operating money laundering services, regardless of the technology employed, signaling law enforcement’s commitment to pursuing cryptocurrency-based financial crime.

New Ransomware Variants Targeting Amazon S3 Services Leveraging Misconfigurations and Access Controls
https://cybersecuritynews.com/new-ransomware-variants-targeting-amazon-s3-services/
Thu, 20 Nov 2025 13:43:38 +0000
A new wave of ransomware attacks is targeting cloud storage environments, specifically focusing on Amazon Simple Storage Service (S3) buckets that contain critical business data.

Unlike traditional ransomware that encrypts files using malicious software, these attacks exploit weak access controls and configuration mistakes in cloud environments to lock organizations out of their own data.

As more businesses move their operations to the cloud, attackers are adapting their methods, shifting away from on-premises systems to cloud-based resources where valuable information is stored.

These attacks can result in complete data loss, operational disruptions, and significant financial damage if organizations lack proper backup and recovery systems.

The threat actors behind these campaigns gain unauthorized access through stolen credentials, leaked access keys found in public code repositories, or compromised AWS accounts with excessive permissions.

Once inside, they identify vulnerable S3 buckets by checking for specific weaknesses such as disabled versioning, missing object lock protection, and improper write permissions.

The attackers then proceed to encrypt data using various encryption techniques, delete original files, or exfiltrate sensitive information before demanding ransom payments.

What makes these attacks particularly dangerous is their ability to use native cloud features to conduct malicious activities while remaining hidden from traditional security monitoring tools.

Trend Micro security researchers identified five distinct ransomware variants that specifically target S3 storage environments, each using different attack methods to achieve data encryption or deletion.

These variants range from using customer-managed encryption keys with scheduled deletion timelines to leveraging server-side encryption with customer-provided keys that AWS cannot recover.

The researchers documented both observed attack techniques used in real-world incidents and potential future attack vectors that organizations should prepare to defend against.

Their analysis provides detailed technical breakdowns of how each variant operates and what security measures can prevent these attacks.

Attack Mechanism and Technical Execution

The Server-Side Encryption with Customer-Provided Keys (SSE-C) variant represents one of the most dangerous attack methods because it creates permanently unrecoverable encrypted data.

In this approach, threat actors first gain write-level access to victim S3 buckets through compromised credentials or IAM credentials leaked in public GitHub repositories.

After identifying target buckets without proper protections, attackers initiate encryption by providing a locally stored AES-256 encryption key through specific HTTP request headers or AWS command-line tools.

The critical aspect of this technique is that AWS uses the attacker’s encryption key to secure the data but never stores the actual key in its systems.

AWS only logs a Hash-based Message Authentication Code (HMAC) of the encryption key in CloudTrail logs, which cannot be reversed or used to decrypt the protected data.

This means neither the victim organization nor AWS support teams can recover the encrypted information once the attacker completes the encryption process.

After encrypting all target files, the attackers deposit ransom notes in the affected buckets, typically naming them “ransom-note.txt” or similar variations, which contain instructions for payment and communication.

Variant 1 attack flow (Source - Trend Micro)

The entire attack can be executed rapidly, and because the encryption key exists only on the attacker’s systems, victims face a permanent lockout unless they pay the ransom or have separate backup copies stored securely.

Configuration settings (Source - Trend Micro)

Organizations can protect against this variant by implementing specific policy controls that block SSE-C encryption requests at the bucket level or through organization-wide resource control policies.

Security teams should monitor CloudTrail logs for unusual SSE-C encryption activities and enforce policies that deny PutObject requests containing customer-provided encryption algorithm headers, effectively eliminating this attack vector from their cloud environments.
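A worked version of the mitigation in the last two paragraphs, added here and not taken from the Trend Micro report: the bucket-level deny on SSE-C uploads, a function that mirrors its condition, and a CloudTrail hunt that flags SSE-C writes and ransom-note drops over a constructed log. The bucket name, account id and principals are constructed, and the CloudTrail field names relied on for SSE-C are an assumption to verify against your own logs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// DenySSECPolicy is a bucket policy that rejects any upload carrying the SSE-C algorithm
// header. The Null condition is "false" exactly when the header is present, so the Deny
// fires only for SSE-C requests; SSE-S3/SSE-KMS uploads are unaffected. The same statement
// serves as an organization resource control policy with Resource widened. Bucket name is a placeholder.
const DenySSECPolicy = `{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenySSECUploads",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::BUCKET-NAME-PLACEHOLDER/*",
    "Condition": {"Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}}
  }]
}`

// PolicyDeniesRequest mirrors that one condition: a PutObject is denied when the
// SSE-C header is present, whatever its value.
func PolicyDeniesRequest(action string, headers map[string]string) bool {
	_, present := headers["x-amz-server-side-encryption-customer-algorithm"]
	return action == "s3:PutObject" && present
}

// CloudTrailEvent is the subset of an S3 data event this hunt reads. Field names follow
// CloudTrail S3 data events as assumed here (request headers under requestParameters, the
// outcome under additionalEventData.SSEApplied); verify against your own logs.
type CloudTrailEvent struct {
	EventTime         string         `json:"eventTime"`
	EventName         string         `json:"eventName"`
	SourceIP          string         `json:"sourceIPAddress"`
	RequestParameters map[string]any `json:"requestParameters"`
	AdditionalData    map[string]any `json:"additionalEventData"`
	UserIdentity      struct {
		Arn string `json:"arn"`
	} `json:"userIdentity"`
}

type Finding struct{ Time, Actor, SourceIP, Bucket, Key, Reason string }

// LooksLikeRansomNote matches names like the "ransom-note.txt" the report cites.
func LooksLikeRansomNote(key string) bool {
	k := strings.ToLower(key)
	return strings.HasSuffix(k, ".txt") && strings.Contains(k, "ransom")
}

// HuntSSEC scans a CloudTrail log file (its top-level "Records" array) and flags each
// PutObject or CopyObject that applied a customer-provided key or dropped a note-like object.
func HuntSSEC(logJSON []byte) ([]Finding, error) {
	var file struct {
		Records []CloudTrailEvent `json:"Records"`
	}
	if err := json.Unmarshal(logJSON, &file); err != nil {
		return nil, err
	}
	var out []Finding
	for _, ev := range file.Records {
		if ev.EventName != "PutObject" && ev.EventName != "CopyObject" {
			continue
		}
		var why []string
		if alg, ok := ev.RequestParameters["x-amz-server-side-encryption-customer-algorithm"]; ok {
			why = append(why, fmt.Sprintf("SSE-C header present (%v)", alg))
		} else if ev.AdditionalData["SSEApplied"] == "SSE_C" {
			why = append(why, "SSEApplied=SSE_C")
		}
		key, _ := ev.RequestParameters["key"].(string)
		if LooksLikeRansomNote(key) {
			why = append(why, "key resembles a ransom note")
		}
		if len(why) == 0 {
			continue
		}
		bucket, _ := ev.RequestParameters["bucketName"].(string)
		out = append(out, Finding{ev.EventTime, ev.UserIdentity.Arn, ev.SourceIP, bucket, key, strings.Join(why, "; ")})
	}
	return out, nil
}

// SampleTrail is a constructed log: a normal SSE-KMS upload, then an SSE-C overwrite and a note drop from a leaked CI key.
const SampleTrail = `{"Records":[
{"eventTime":"2025-11-19T03:10:02Z","eventName":"PutObject","sourceIPAddress":"203.0.113.10","userIdentity":{"arn":"arn:aws:iam::111122223333:user/app-uploader"},"requestParameters":{"bucketName":"finance-archive","key":"2025/q3.parquet","x-amz-server-side-encryption":"aws:kms"},"additionalEventData":{"SSEApplied":"SSE_KMS"}},
{"eventTime":"2025-11-19T03:12:44Z","eventName":"PutObject","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/leaked-ci-key"},"requestParameters":{"bucketName":"finance-archive","key":"2025/q3.parquet","x-amz-server-side-encryption-customer-algorithm":"AES256"},"additionalEventData":{"SSEApplied":"SSE_C"}},
{"eventTime":"2025-11-19T03:12:45Z","eventName":"PutObject","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/leaked-ci-key"},"requestParameters":{"bucketName":"finance-archive","key":"ransom-note.txt"}}
]}`

func main() {
	findings, err := HuntSSEC([]byte(SampleTrail))
	for _, f := range findings {
		fmt.Printf("%s %s from %s s3://%s/%s: %s\n", f.Time, f.Actor, f.SourceIP, f.Bucket, f.Key, f.Reason)
	}
	fmt.Println("error:", err)
}
```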

TamperedChef Hacking Campaign Leverages Common Apps to Deliver Payloads and Gain Remote Access
https://cybersecuritynews.com/tamperedchef-hacking-campaign-leverages-common-apps/
Thu, 20 Nov 2025 13:35:19 +0000
A new global hacking campaign tracked as TamperedChef has emerged, exploiting everyday software names to trick users into installing malicious applications that deliver remote access tools.

The campaign uses fake installers disguised as common programs like manual readers, PDF editors, and games, all equipped with valid code-signing certificates to appear legitimate.

These applications are distributed through malvertising and search engine optimization techniques, making them easily discoverable by unsuspecting users searching for everyday tools or product manuals online.

The attackers behind TamperedChef have built an industrial-scale operation using a network of U.S.-registered shell companies to acquire Extended Validation certificates.

These disposable fronts allow the threat actors to sign their fake applications with trusted certificates, which helps them bypass security defenses and gain user trust.

Once a certificate is flagged or revoked, operators quickly register new shell companies under generic names like “Digital Marketing” to maintain continuous operations and keep their malicious software appearing legitimate.

Acronis security researchers identified the campaign in June 2025, though evidence suggests earlier activity. The operation primarily affects victims in the Americas, with roughly 80 percent concentrated in the United States, though the global infrastructure indicates a broad reach rather than targeted regional focus.

Healthcare, construction, and manufacturing sectors show the highest concentration of infections, likely because users in these industries frequently search online for specialized equipment manuals, one of the behaviors TamperedChef exploits.

Bing search results leading to a TamperedChef-controlled download site (Source - Acronis)

The malware’s attack chain begins when users download fake applications from malicious websites that appear in search results or advertisements.

After installation, these applications drop an XML configuration file used to create a scheduled task for persistence. This task executes a heavily obfuscated JavaScript payload that functions as a backdoor, establishing communication with command-and-control servers over HTTPS.

The JavaScript payload encrypts data using XOR encryption with a random 16-byte key before encoding it with base64 for transmission.

Infection Chain and Persistence Mechanism

The TamperedChef infection process follows a multi-stage execution chain designed to evade detection while maintaining persistent access.

When users execute the downloaded installer, they encounter a standard license agreement window that mimics legitimate software installation.

During installation, the malware places a file named “task.xml” either in the installer’s temporary directory or the program installation directory at %APPDATA%\Programs\[Fake Application Name].

Execution chain (Source - Acronis)

This XML file serves as the configuration for creating a scheduled task using the command: schtasks /Create /tn "Scheduled Daily Task" /xml "%APPDATA%\Local\Programs\AnyProductManual\task.xml".

The task executes immediately after creation and repeats every 24 hours with a random delay of up to 30 minutes.

This configuration allows extended runtimes, blocks multiple simultaneous instances, and automatically runs any missed schedules, ensuring the JavaScript payload executes consistently without raising suspicion.
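An added example of checking a scheduled-task definition for the persistence traits just described (example code, not Acronis' tooling or anything from the campaign): it parses a task.xml and scores the daily trigger with random delay, unlimited runtime, single-instance policy, catch-up of missed runs, and a script payload run from AppData. The sample task.xml is constructed; the script host (wscript.exe) and the payload file name are assumptions, since the report does not say how the JavaScript is launched.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Task maps the Task Scheduler XML elements this check reads. Exported task definitions are
// UTF-16; transcode to UTF-8 first, since encoding/xml has no UTF-16 reader unless one is supplied.
type Task struct {
	Triggers struct {
		Calendar []struct {
			RandomDelay  string `xml:"RandomDelay"`
			DaysInterval string `xml:"ScheduleByDay>DaysInterval"`
		} `xml:"CalendarTrigger"`
	} `xml:"Triggers"`
	Settings struct {
		MultipleInstancesPolicy string `xml:"MultipleInstancesPolicy"`
		StartWhenAvailable      string `xml:"StartWhenAvailable"`
		ExecutionTimeLimit      string `xml:"ExecutionTimeLimit"`
	} `xml:"Settings"`
	Actions struct {
		Exec []struct {
			Command   string `xml:"Command"`
			Arguments string `xml:"Arguments"`
		} `xml:"Exec"`
	} `xml:"Actions"`
}

type Assessment struct {
	Reasons    []string
	Suspicious bool
}

var scriptHosts = []string{"wscript", "cscript", "mshta", "powershell", "node"}

// AssessTask scores a definition against the traits the report describes: daily trigger with
// random delay, no execution time limit, one instance at a time, catch-up of missed runs, and
// a script payload run out of the user's AppData.
func AssessTask(xmlText string) (Assessment, error) {
	var t Task
	if err := xml.Unmarshal([]byte(xmlText), &t); err != nil {
		return Assessment{}, err
	}
	var a Assessment
	add := func(cond bool, why string) {
		if cond {
			a.Reasons = append(a.Reasons, why)
		}
	}
	for _, c := range t.Triggers.Calendar {
		add(c.DaysInterval == "1" && c.RandomDelay != "", "daily trigger with random delay "+c.RandomDelay)
	}
	add(t.Settings.ExecutionTimeLimit == "PT0S", "no execution time limit")
	add(t.Settings.MultipleInstancesPolicy == "IgnoreNew", "blocks concurrent instances")
	add(strings.EqualFold(t.Settings.StartWhenAvailable, "true"), "runs missed schedules")
	script := false
	for _, e := range t.Actions.Exec {
		line := strings.ToLower(e.Command + " " + e.Arguments)
		host := false
		for _, h := range scriptHosts {
			host = host || strings.Contains(line, h)
		}
		if host && strings.Contains(line, ".js") && strings.Contains(line, "appdata") {
			script = true
			add(true, "script payload run from AppData: "+e.Command+" "+e.Arguments)
		}
	}
	// Scheduling traits alone are common in legitimate tasks; the AppData script payload is what makes the combination worth escalating.
	a.Suspicious = script && len(a.Reasons) >= 3
	return a, nil
}

// SampleTaskXML is a constructed task.xml in the shape the report describes; the
// script host (wscript.exe) and the payload file name are assumptions.
const SampleTaskXML = `<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-06-01T09:00:00</StartBoundary>
    <RandomDelay>PT30M</RandomDelay><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Settings><MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <StartWhenAvailable>true</StartWhenAvailable><ExecutionTimeLimit>PT0S</ExecutionTimeLimit></Settings>
  <Actions Context="Author"><Exec><Command>wscript.exe</Command>
    <Arguments>//B //E:JScript "%APPDATA%\Local\Programs\AnyProductManual\payload.js"</Arguments></Exec></Actions>
</Task>`

// BenignTaskXML is a constructed vendor updater task for comparison.
const BenignTaskXML = `<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-06-01T09:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Settings><MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy><ExecutionTimeLimit>PT1H</ExecutionTimeLimit></Settings>
  <Actions Context="Author"><Exec><Command>C:\Program Files\Vendor\updater.exe</Command><Arguments>/silent</Arguments></Exec></Actions>
</Task>`

func main() {
	for _, x := range []string{SampleTaskXML, BenignTaskXML} {
		a, err := AssessTask(x)
		fmt.Printf("suspicious=%v reasons=%q err=%v\n", a.Suspicious, a.Reasons, err)
	}
}
```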

The JavaScript payload itself is heavily obfuscated using tools from obfuscator.io, applying multiple techniques including string and function renaming, control flow flattening, and dead code injection.

Once executed, the malware establishes communication with hard-coded command-and-control servers that evolved from random domain-generated strings to more recognizable domain names to blend with normal network traffic.

The payload generates a machine ID to fingerprint devices and performs registry operations for system reconnaissance.

The malware sends encrypted JSON objects containing event names, session IDs, machine IDs, and metadata to the C2 server. It also possesses remote code execution capabilities, allowing attackers to run commands on compromised systems.

The campaign’s infrastructure relies on NameCheap for domain registration with one-year registration periods and domain privacy protection to hide ownership, enabling quick infrastructure rebuilding following takedowns.

Recent discoveries show the operation continues expanding with new shell company signers including Stratus Core Digital LLC, DataX Engine LLC, and Nova Sphere Systems LLC, all following identical attack patterns.

New Malware Via WhatsApp Exfiltrate Contacts to Attack Server and Deploys Malware
https://cybersecuritynews.com/new-malware-via-whatsapp-exfiltrate-contacts/
Thu, 20 Nov 2025 13:05:21 +0000
Trustwave SpiderLabs researchers have identified a sophisticated banking trojan called Eternidade Stealer that spreads through WhatsApp hijacking and social engineering tactics.

The malware, written in Delphi, represents a significant evolution in Brazil’s cybercriminal landscape, combining advanced contact harvesting with credential theft targeting financial institutions.

The threat emerges from a multi-stage infection chain that begins with an obfuscated VBScript sent via WhatsApp messages.

The message received via WhatsApp during the preparation of the current report (Source - Trustwave)

When executed, the script downloads a batch file containing two primary payloads: a Python-based WhatsApp worm and an MSI installer that deploys the banking trojan.

This distribution method exploits the messaging platform’s trusted nature, making users more likely to interact with malicious attachments shared by contacts whose accounts have been compromised.

Trustwave security analysts noted that the malware demonstrates remarkable sophistication in targeting Brazilian victims specifically.

The trojan performs a locale check, verifying that the operating system language is Brazilian Portuguese before proceeding with infection.

If the system language doesn’t match, the malware displays an error message and terminates, preventing accidental infections outside its intended target region and avoiding sandbox detection.

The Contact Harvesting Mechanism

The core functionality of Eternidade Stealer involves stealing entire WhatsApp contact lists through the obter_contatos() function, which executes JavaScript code using the WPP.contact.list() API.

The malware intelligently filters out groups, business contacts, and broadcast lists, focusing specifically on individual personal contacts more likely to fall victim to phishing messages.

Each stolen contact record includes the full WhatsApp ID, contact name, phone number, and whether the contact is saved.

Eternidade Stealer’s attack chain (Source - Trustwave)

After collection, the malware immediately sends this data to the command-and-control server via HTTP POST requests without user interaction.

What makes Eternidade Stealer particularly dangerous is its dual-layer persistence mechanism. The trojan uses hardcoded credentials to connect via IMAP to an email account controlled by threat actors.

It extracts the command-and-control server address from email subjects and bodies, allowing attackers to update their infrastructure dynamically and maintain connections even if specific domains are seized.

The malware targets over 40 Brazilian financial institutions, payment services like MercadoPago, and cryptocurrency exchanges, including Binance and Coinbase.

When a victim accesses a targeted banking application, the trojan activates its overlay capability, displaying fake login screens designed to steal credentials seamlessly.

System reconnaissance capabilities collect information, including OS details, installed antivirus software, public and local IP addresses, and running processes.

This reconnaissance helps threat actors determine whether to proceed with credential theft or banking overlay deployment.

The investigation revealed that one threat actor’s infrastructure recorded 454 connection attempts globally, with significant traffic from the United States and European countries, suggesting broader attack ambitions beyond Brazil’s borders.

GenAI Makes it Easier for Cybercriminals to Successfully Lure Victims into Scams
https://cybersecuritynews.com/genai-makes-it-easier-for-cybercriminals/
Thu, 20 Nov 2025 12:47:50 +0000
Cybercriminals are rapidly embracing generative AI to transform the way they operate scams, making fraud operations faster, more convincing, and dramatically easier to scale.

According to recent research, what once required months of work and specialized technical skills can now be accomplished in just a few hours by anyone with basic computer knowledge.

The shift marks a critical turning point in the digital fraud landscape, where artificial intelligence has essentially removed the barriers that used to protect consumers from well-crafted scams.

In the past, fraudsters faced a fundamental limitation: their operations looked obviously fake. Spelling mistakes, ungrammatical text, poorly designed websites, and awkward phone calls gave scams away instantly. Today, generative AI has changed this dynamic entirely.

These tools can now produce convincing product photos with authentic branding, flawless language, realistic voice clips, and lifelike videos within minutes.

This advancement means anyone determined to commit fraud can launch scalable scam campaigns with content that looks real enough to fool even cautious internet users.

Security analysts and researchers at Trend Micro have documented this transformation through continuous monitoring of the threat landscape.

Their findings reveal that cybercriminals are actively using AI to supercharge scam operations, making them significantly harder to detect while simultaneously eroding consumer trust and brand confidence.

Understanding the AI-Powered Scam Assembly Line

The sophistication of modern fraud operations lies in automation and modular design. Researchers demonstrated how threat actors can leverage open-source automation platforms like n8n to create agentic workflows that operate nearly autonomously.

The n8n workflow that Trend Research set up for its test (Source – Trend Micro)

These systems function as assembly lines where each AI component handles a specific task, then automatically passes the result to the next stage.

The process begins with image generation, where fraudsters take genuine product photos and use AI models to modify them into fake “limited edition” luxury items.

The workflow then automatically removes backgrounds, composites the fake products into stock avatar photos, and generates synchronized AI voices for promotional videos.

Microsoft Azure image editing, OpenAI language models, and text-to-speech services work together seamlessly. The entire pipeline produces professional-quality, ready-to-use scam content with minimal human intervention.

What makes this particularly dangerous is the scale and speed. A single person can now generate hundreds of unique product variations within hours.

Because these systems rent rendering from ordinary commercial cloud services, they produce professional-grade results while the abuse is hard to tell apart from legitimate use of the same platforms.

The modular nature means scammers can simply swap prompts, images, or templates to create entirely different variations of the same basic fraud scheme.

The financial impact is substantial. Between June and September 2025, romance impostor scams accounted for over 77% of reported incidents, while merchandise scams ranked second at approximately 16%.

This data underscores how AI-enhanced social engineering is becoming the dominant fraud method in the current threat landscape.


The post GenAI Makes it Easier for Cybercriminals to Successfully Lure Victims into Scams appeared first on Cyber Security News.

Threat Actors Pioneering a New Operational Model That Combines Digital and Physical Threats
https://cybersecuritynews.com/threat-actors-pioneering-a-new-operational-model/
Thu, 20 Nov 2025 11:50:46 +0000

Nation-state actors are fundamentally changing how they conduct military operations. The boundary between digital attacks and physical warfare is disappearing rapidly.

Instead of treating cybersecurity and military operations as separate activities, hostile nations are now blending them together in coordinated campaigns.

These new attacks start with digital operations designed specifically to gather information that enables physical military strikes.

This represents a major shift in global security threats that organizations worldwide need to understand and prepare for.

The traditional approach to security treats digital threats and physical dangers as completely separate problems.

Cybersecurity teams focus on networks and systems, while military and physical security teams handle different concerns.

However, recent investigations reveal that this separation no longer exists in the real world. Nation-state threat groups are connecting cyber reconnaissance directly to kinetic targeting, creating a unified attack strategy that is far more dangerous than traditional cyberattacks alone.

AWS security analysts identified this trend after observing multiple coordinated campaigns across different critical infrastructure sectors.

They discovered that threat actors are methodically using cyber operations to gather real-time intelligence that directly supports military targeting decisions.

This finding comes from AWS’s unique ability to monitor cloud operations globally, analyze honeypot data that captures attacker behavior, and collaborate with enterprise customers and government agencies to validate observed threats.

Technical Infrastructure Reveals Sophisticated Coordination

The technical methods these threat actors employ show careful coordination and planning. They use multiple layers of infrastructure to hide their true locations, starting with anonymizing VPN networks that obscure their origins and make attribution challenging.

They establish dedicated servers under their control to maintain persistent access and command capabilities. Once they compromise enterprise systems hosting critical infrastructure like security cameras or maritime platforms, they establish real-time data streaming channels.

These live feeds from compromised cameras and sensors provide actionable intelligence that threat actors can use to adjust targeting decisions in near real time.
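
The streaming channel described above leaves a network footprint that is worth hunting for. The following is an added example, not part of the AWS report: a small netflow triage rule that flags sources in a camera or sensor segment holding long-lived, high-volume connections to addresses outside RFC 1918 space. The camera subnet (10.20.0.0/24), the thresholds, and the flow records are constructed assumptions; the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges stand in for attacker infrastructure on the public Internet.

```python
"""Added example, not from the AWS report: a netflow triage rule for a
compromised camera or sensor streaming live footage out of the network.
It flags camera-segment sources with long-lived, high-volume connections
to addresses outside RFC 1918 space. The camera subnet, thresholds and
flow records are constructed assumptions."""
import ipaddress
from collections import defaultdict

CAMERA_NET = ipaddress.ip_network("10.20.0.0/24")          # assumed camera VLAN
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed NetFlow-style records: src,dst,dst_port,bytes,duration_seconds.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for
# attacker infrastructure on the public Internet.
SAMPLE_FLOWS = [
    "10.20.0.11,203.0.113.9,443,48000000,1800",   # camera -> external, 30 min, 48 MB
    "10.20.0.11,203.0.113.9,443,51000000,1800",   # same channel, next 30 min
    "10.20.0.12,10.20.0.1,123,160,1",             # NTP to local gateway: benign
    "10.20.0.13,10.0.5.4,554,900000000,3600",     # RTSP to the internal NVR: benign
    "10.20.0.14,198.51.100.77,8080,2048,5",       # brief external check-in: below threshold
    "10.30.0.5,203.0.113.9,443,90000000,3600",    # workstation, not in the camera segment
]

def parse_flow(line):
    src, dst, port, nbytes, dur = line.split(",")
    return (ipaddress.ip_address(src), ipaddress.ip_address(dst),
            int(port), int(nbytes), int(dur))

def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)

def find_streaming_channels(lines, min_bytes=50_000_000, min_duration=900):
    """Aggregate per (src, dst, port) and return the tuples whose cumulative
    volume and duration look like a continuous stream rather than a check-in."""
    totals = defaultdict(lambda: [0, 0])          # key -> [bytes, seconds]
    for line in lines:
        src, dst, port, nbytes, dur = parse_flow(line)
        if src not in CAMERA_NET or is_rfc1918(dst):
            continue   # only camera-segment sources talking to the public Internet
        key = (str(src), str(dst), port)
        totals[key][0] += nbytes
        totals[key][1] += dur
    return sorted(key for key, (b, s) in totals.items()
                  if b >= min_bytes and s >= min_duration)

if __name__ == "__main__":
    for src, dst, port in find_streaming_channels(SAMPLE_FLOWS):
        print(f"possible live stream: {src} -> {dst}:{port}")
```

Aggregating across flow records matters because a streaming session is often exported as a series of shorter records; judged one record at a time, each piece can sit under a volume threshold that the channel as a whole clearly exceeds.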

One clear example involved Imperial Kitten, a threat group linked to Iran's Islamic Revolutionary Guard Corps (IRGC). They compromised maritime vessel systems starting in December 2021, gained access to onboard CCTV cameras by August 2022, then conducted targeted searches for specific ship locations in January 2024.

Just weeks later, in February 2024, missile strikes targeted the exact vessel they had been tracking, correlating cyber reconnaissance directly with kinetic attacks.

A second case involved MuddyWater, another Iranian threat group, using compromised security cameras in Jerusalem to gather real-time intelligence before missile attacks in June 2025.

This demonstrates how cyber operations and physical military actions now operate as unified strategies rather than separate threats.


The post Threat Actors Pioneering a New Operational Model That Combines Digital and Physical Threats appeared first on Cyber Security News.

Researchers Disclosed Analysis of Rhadamanthys Loader's Anti-Sandboxing and Anti-AV Emulation Features
https://cybersecuritynews.com/researchers-disclosed-analysis-of-rhadamanthys-loaders-anti-sandboxing/
Thu, 20 Nov 2025 10:27:35 +0000

Rhadamanthys has emerged as one of the most dangerous stealer malware programs since its first appearance in 2022.

This advanced threat continues to challenge security teams with its ability to steal sensitive data from infected systems while avoiding detection by traditional security tools.

The malware has become particularly notorious for its use in targeted attacks against businesses and individuals worldwide, with threat actors leveraging it to harvest credentials, financial information, and other valuable data from compromised machines.

The loader component of Rhadamanthys stands out as a technical achievement in malware development. Unlike the stealer payload itself, the loader serves as the initial delivery mechanism that prepares the system for infection.

What makes this loader particularly challenging for security researchers is its implementation of multiple layers of protection designed to prevent analysis and detection.

These protections include custom obfuscation techniques that scramble the code structure, making it extremely difficult for both automated tools and human analysts to understand what the malware does.

Cyber.wtf security researchers recently identified several key techniques employed by the Rhadamanthys loader to evade detection and analysis.

The malware implements a unique anti-sandboxing system that monitors user behavior before executing its payload.

Additionally, the loader uses control flow flattening and jump target obfuscation, two advanced techniques that break the normal flow of code execution.

These methods essentially turn the program into a puzzle where each piece appears disconnected from others, preventing security tools from mapping out how the malware operates.

Control flow graph for loader main function (Source – Cyber.wtf)

The payload carried by the loader is encoded using a custom algorithm that the malware authors call Flutter. This encoding scheme converts binary data into text that looks like random characters, helping the malware hide its true purpose from security scanners.

The encoded payload is further protected with SM4, a block cipher standardized in China, adding another layer the analyst must strip. Together, these protections create a formidable barrier that has allowed Rhadamanthys to remain effective despite ongoing efforts by security researchers to combat it.

Detection Evasion Through User Behavior Analysis

The Rhadamanthys loader implements a time-based analysis system that monitors user activity for at least 45 seconds before executing the stealer payload.

This anti-sandboxing mechanism uses a timer callback that, every 30 milliseconds for 1,500 iterations (45 seconds in total), records the cursor position, the foreground window, and a timestamp.

The malware then analyzes this collected data to determine if it is running in a real user environment or an automated analysis system.

The loader performs specific checks on the gathered data to validate the environment. First, it verifies whether the cursor position has changed at least 30 times during the monitoring period.

Second, it checks for the presence of at least two different foreground windows, with at least one window that does not belong to the desktop process.

If these conditions are not met, the malware enters another 45-second monitoring cycle with advanced checks that calculate Euclidean distances between cursor positions to detect non-human movement patterns.

This behavior-based detection system effectively bypasses many automated analysis environments that do not simulate realistic user interaction.

However, advanced sandboxes like CAPE and VMRay have adapted to these techniques and can successfully trigger the payload execution.

The loader creates an invisible window and uses message-based architecture to queue and execute functions through timer callbacks, making the execution flow difficult to trace without proper deobfuscation of the underlying code structure.
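
To make the gating logic concrete, here is an added example, not Rhadamanthys code and not from the Cyber.wtf analysis: a Python re-implementation of the two-phase user-activity check described above, run over constructed cursor and foreground-window traces instead of a Windows timer callback. The desktop process name ("explorer.exe"), the sample traces, and the phase-two rule (varied step lengths count as human, fixed-stride or absent movement as scripted) are assumptions of this example; the analysis only states that phase two uses Euclidean distances between cursor positions.

```python
"""Added example, not Rhadamanthys code: a Python re-implementation of the
user-activity gate described above, so the logic can be exercised on
constructed traces instead of a Windows timer callback. One sample per
30 ms tick: (timestamp_ms, (x, y), foreground_hwnd, owner_process).
The desktop process name and the phase-two rule are assumptions."""
import math
import random

TICKS = 1500                       # 1500 ticks x 30 ms = one 45 s cycle
MIN_CURSOR_CHANGES = 30
MIN_FOREGROUND_WINDOWS = 2
DESKTOP_PROCESS = "explorer.exe"   # assumed name for "the desktop process"

def phase_one(samples):
    """The checks named in the analysis: the cursor moved at least 30 times,
    at least two foreground windows were seen, one of them not the desktop's."""
    changes = sum(1 for a, b in zip(samples, samples[1:]) if a[1] != b[1])
    windows = {(hwnd, proc) for _, _, hwnd, proc in samples}
    non_desktop = any(proc != DESKTOP_PROCESS for _, proc in windows)
    return (changes >= MIN_CURSOR_CHANGES
            and len(windows) >= MIN_FOREGROUND_WINDOWS and non_desktop)

def phase_two(samples):
    """Fallback cycle. The analysis says it scores Euclidean distances between
    cursor positions; the exact rule is not published, so this example treats
    varied step lengths as human and fixed-stride or absent movement as scripted."""
    steps = [math.dist(a[1], b[1]) for a, b in zip(samples, samples[1:]) if a[1] != b[1]]
    if len(steps) < MIN_CURSOR_CHANGES:
        return False
    mean = sum(steps) / len(steps)
    variance = sum((s - mean) ** 2 for s in steps) / len(steps)
    return variance > 1.0          # a scripted mover with a constant stride has ~0 variance

def environment_looks_real(first_cycle, second_cycle):
    """Mirror the loader's flow: run phase one, and only on failure spend another
    45 s cycle on phase two."""
    return phase_one(first_cycle) or phase_two(second_cycle)

# Constructed traces ------------------------------------------------------------
def idle_sandbox_trace():
    """Cursor never moves; only the desktop window is ever in the foreground."""
    return [(i * 30, (500, 400), 0x10, DESKTOP_PROCESS) for i in range(TICKS)]

def scripted_stride_trace():
    """Naive sandbox mouse mover: one window, cursor jumps exactly 10 px per tick."""
    return [(i * 30, (100 + 10 * i, 100), 0x20, "notepad.exe") for i in range(TICKS)]

def human_like_trace(seed=1):
    """Irregular moves on roughly 30% of ticks and a switch from the desktop to a browser."""
    rng = random.Random(seed)
    x, y, out = 300, 300, []
    for i in range(TICKS):
        if rng.random() < 0.3:
            x += rng.randint(-25, 25)
            y += rng.randint(-25, 25)
        hwnd, proc = (0x10, DESKTOP_PROCESS) if i < TICKS // 2 else (0x30, "chrome.exe")
        out.append((i * 30, (x, y), hwnd, proc))
    return out

if __name__ == "__main__":
    for name, trace in [("idle sandbox", idle_sandbox_trace()),
                        ("scripted stride", scripted_stride_trace()),
                        ("human-like", human_like_trace())]:
        print(f"{name:16s} phase1={phase_one(trace)} phase2={phase_two(trace)}")
```

The scripted-stride trace is the instructive case: it passes the cursor-change count but fails phase one on the window requirement and then fails phase two because every step is the same length. A sandbox that wants to trigger the payload therefore has to vary both the cursor path and the foreground window over the full 45 seconds, which is what the adapted sandboxes mentioned above do.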


The post Researchers Disclosed Analysis of Rhadamanthys Loader’s Anti-Sandboxing and Anti-AV Emulation Features appeared first on Cyber Security News.

China-Nexus APT Group Leverages DLL Sideloading Technique to Attack Government and Media Sectors
https://cybersecuritynews.com/china-nexus-apt-group-leverages-dll-sideloading-technique/
Thu, 20 Nov 2025 05:50:10 +0000

A targeted cyber espionage campaign has emerged across Southeast Asia, specifically affecting government and media organizations in countries surrounding the South China Sea.

The campaign, which has been actively monitored since early 2025, demonstrates advanced persistent threat characteristics with a focus on nations including Laos, Cambodia, Singapore, the Philippines, and Indonesia.

The attack chain begins with a seemingly legitimate file named “Proposal_for_Cooperation_3415.05092025.rar” that exploits CVE-2025-8088, a path traversal vulnerability in WinRAR software.

The attackers employ a multi-stage infection process that showcases their technical expertise and strategic planning.

Initial compromise occurs through spear-phishing emails containing the malicious RAR archive, which automatically triggers the vulnerability when victims attempt to extract the contents.

This exploitation allows the threat actors to plant a persistence script in the user's Startup folder, using path traversal combined with an NTFS Alternate Data Stream (ADS).

CyberArmor security researchers identified this sophisticated operation while tracking sustained espionage activities targeting critical infrastructure and information sectors.

The campaign demonstrates a clear preference for DLL sideloading techniques throughout multiple stages of infection.

Governments and media organizations represent high-value targets because they directly influence policy decisions, shape public opinion, and determine international strategic alignment.

The WinRAR file will drop a batch file, which in turn will download the next (Source – CyberArmor)

The malicious campaign operates through four distinct stages, each designed to maintain persistence while avoiding detection by security products.

After the initial dropper executes, a batch script named “Windows Defender Definition Update.cmd” downloads additional payloads from Dropbox and establishes registry-based persistence.

The subsequent stages involve legitimate software components, an OBS browser executable and Adobe's Creative Cloud Helper, being abused to load malicious DLL files placed alongside them through search-order hijacking.

Technical Breakdown of the DLL Sideloading Mechanism

The DLL sideloading technique represents the core evasion strategy employed throughout this campaign. In Stage 2, the threat actors abuse a legitimate OBS open-source browser executable to automatically load a modified libcef.dll file.

This altered library executes malicious code while maintaining the appearance of normal software operation. The backdoor communicates with operators through Telegram using an encrypted bot token, providing three primary commands: shell execution, screenshot capture, and file upload capabilities.

Stage 3 continues the DLL sideloading approach by abusing Adobe's Creative Cloud Helper component. The legitimate "Creative Cloud Helper.exe" loads a malicious CRClient.dll file, which contains functionality to decrypt and execute the final backdoor payload stored as "Update.lib."
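
Both stages share one detectable shape: a legitimate host executable loading an unsigned DLL from its own directory under a user-writable path. The following is an added example, not CyberArmor's tooling: a small hunting rule over Sysmon Event ID 7 (image load) records that scores that pattern, with the DLL names the report mentions (libcef.dll, CRClient.dll) treated as high-confidence hits. The events are constructed, the file paths are invented, and the "medium" tier for unknown DLL names is a design choice of this example rather than anything the report describes.

```python
"""Added example, not CyberArmor's tooling: a hunting rule over Sysmon Event ID 7
(image load) records for the sideloading pattern used in this campaign, a host
executable loading an unsigned DLL from its own directory under a user-writable
path. Sysmon's Signed/SignatureStatus fields describe the loaded DLL. All
events and paths below are constructed."""
import ntpath

TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# DLL names the report names as sideloaded in this campaign.
KNOWN_SIDELOADED = {"libcef.dll", "crclient.dll"}

SAMPLE_EVENTS = [
    # Stage 3 pattern: Adobe helper in a temp directory loads an unsigned CRClient.dll
    {"Image": r"C:\Users\v\AppData\Local\Temp\ccl\Creative Cloud Helper.exe",
     "ImageLoaded": r"C:\Users\v\AppData\Local\Temp\ccl\CRClient.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Same helper in its install path loading its genuine, signed DLL: benign
    {"Image": r"C:\Program Files (x86)\Adobe\Creative Cloud Helper.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Adobe\CRClient.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # A user-writable-path exe loading a signed system DLL: not the pattern
    {"Image": r"C:\Users\v\AppData\Roaming\tool\tool.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Unsigned DLL beside its host under ProgramData, but an unknown name: lower confidence
    {"Image": r"C:\ProgramData\up\updater.exe",
     "ImageLoaded": r"C:\ProgramData\up\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

def same_directory(a, b):
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()

def under_trusted_root(path):
    return path.lower().startswith(TRUSTED_ROOTS)

def classify(event):
    """Return 'high', 'medium' or None for one image-load event."""
    host, dll = event["Image"], event["ImageLoaded"]
    signed_ok = (event.get("Signed", "false").lower() == "true"
                 and event.get("SignatureStatus") == "Valid")
    if signed_ok:
        return None                       # properly signed DLL, nothing to see
    if not same_directory(host, dll) or under_trusted_root(dll):
        return None                       # not the side-by-side, writable-path pattern
    name = ntpath.basename(dll).lower()
    return "high" if name in KNOWN_SIDELOADED else "medium"

def hunt(events):
    """Yield (host exe, DLL, confidence) for every event the rule fires on."""
    hits = []
    for e in events:
        verdict = classify(e)
        if verdict:
            hits.append((ntpath.basename(e["Image"]), ntpath.basename(e["ImageLoaded"]), verdict))
    return hits

if __name__ == "__main__":
    for host, dll, confidence in hunt(SAMPLE_EVENTS):
        print(f"[{confidence}] {host} loaded {dll}")
```

The rule keys on where the DLL was loaded from rather than on a hash, since the next campaign will ship a different libcef.dll; checking the directory against the trusted roots is what separates a real OBS or Adobe install from a copy dropped into AppData.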

The decryption process is a single-byte XOR, demonstrating that sophisticated encryption is not necessary for an operation to succeed; the flip side is that such a key is trivially recoverable from the ciphertext alone.

The following code snippet shows the decryption loop, wrapped here in a function with the headers it needs so it compiles as written (XOR with a single byte is its own inverse, so the same routine encrypts and decrypts):

#include <stddef.h>
#include <stdint.h>
// XOR decryption with hardcoded single-byte key 0x3c
static void xor_decrypt(const uint8_t *encrypted_data, uint8_t *decrypted_data, size_t payload_size) {
    for (size_t i = 0; i < payload_size; i++) {
        decrypted_data[i] = encrypted_data[i] ^ 0x3c;
    }
}

The final backdoor provides comprehensive remote access capabilities through HTTPS communication with command-and-control servers located at public.megadatacloud[.]com and IP address 104.234.37[.]45.

Command-and-control traffic carried over those HTTPS channels is additionally XOR-obfuscated, which blunts signature-based inspection of the payloads by traditional security monitoring systems.
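
Single-byte XOR, as used here for both the Update.lib payload and the backdoor's traffic, is its own inverse and leaks its key to anyone holding a few bytes of predictable plaintext. The following is an added example, not the campaign's code, that goes one step beyond the report by recovering the key from ciphertext instead of assuming it. It uses a constructed stand-in for the payload; the known-plaintext method assumes the decrypted payload is a PE file starting with "MZ", which the report does not state, and the frequency method assumes zero bytes dominate, which holds for most PE files.

```python
"""Added example, not the campaign's own code: recover a single-byte XOR key from
ciphertext by known plaintext or by byte frequency, then decrypt. FAKE_PAYLOAD is
a constructed stand-in for Update.lib; the 'MZ' assumption is this example's, not
the report's."""
from collections import Counter

def xor_bytes(data, key):
    """Encrypt or decrypt with a one-byte key; the same call does both."""
    return bytes(b ^ key for b in data)

def key_from_known_plaintext(blob, known, offset=0):
    """Every known plaintext byte must yield the same key byte; if they disagree
    the data is not single-byte XOR (or the guess is wrong) and None is returned."""
    if offset + len(known) > len(blob):
        return None
    keys = {blob[offset + i] ^ known[i] for i in range(len(known))}
    return keys.pop() if len(keys) == 1 else None

def key_from_frequency(blob, expected_plain=0x00):
    """PE files and most binary payloads are dominated by zero bytes, so the most
    frequent ciphertext byte XOR 0x00 is usually the key."""
    most_common_byte, _ = Counter(blob).most_common(1)[0]
    return most_common_byte ^ expected_plain

# Constructed stand-in for Update.lib: a PE-like prefix followed by zero padding.
FAKE_PAYLOAD = (b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n"
                + b"\x00" * 256 + b"PE\x00\x00")
ENCRYPTED = xor_bytes(FAKE_PAYLOAD, 0x3c)   # what an analyst would carve from disk

def recover_payload(blob):
    """Try known plaintext first, fall back to frequency analysis; return (key, plaintext)."""
    key = key_from_known_plaintext(blob, b"MZ")
    if key is None:
        key = key_from_frequency(blob)
    return key, xor_bytes(blob, key)

if __name__ == "__main__":
    key, plain = recover_payload(ENCRYPTED)
    print(f"key=0x{key:02x} header={plain[:2]!r}")
```

The same two methods apply to the XOR-obfuscated C2 traffic once it is extracted from a TLS-terminating proxy or memory capture: a known response prefix gives the key directly, and a long enough capture gives it by frequency.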

The backdoor supports eight distinct command operations, including command execution, DLL loading, shellcode execution, file manipulation, and a kill switch function that terminates operations after random intervals.


The post China-Nexus APT Group Leverages DLL Sideloading Technique to Attack Government and Media Sectors appeared first on Cyber Security News.
