Libyan oil refinery targeted in prolonged espionage campaign using AsyncRAT. Critical infrastructure at risk. #CyberSecurity #Libya #AsyncRAT #Espionage #CriticalInfrastructure Link: thedailytechfeed.com/libyan-oil-r...

Libyan Oil Refinery Hit in Long-Running Espionage Campaign Using AsyncRAT Libyan refinery, telecom and state org hit by espionage using AsyncRAT, enabling remote control, spying and data theft.

Libyan Oil Refinery Hit in Long-Running Espionage Campaign Using AsyncRAT
cybersecuritynews.com/libyan-oil-r...

#Infosec #Security #Cybersecurity #CeptBiro #LibyanOilRefinery #EspionageCampaign #AsyncRAT

Libyan Refinery Targeted in Prolonged Spy Campaign With AsyncRAT A targeted cyber espionage campaign against Libyan organizations has compromised an oil refinery, a telecommunications provider, and a state institution between November 2025.

A targeted #cyber #espionage campaign against #Libya organizations has compromised an oil refinery, a #telecommunications provider, and a state institution between November 2025 and February 2026. #AsyncRAT gbhackers.com/libyan-refin...

Libyan Oil Refinery Among Targets in Long-running Likely Espionage Campaign Between November 2025 and February 2026, targeted spear-phishing campaigns delivered a VBS downloader and PowerShell droppers that ultimately installed the AsyncRAT backdoor on Libyan organizations including an oil refinery, a telecoms provider and a state institution. The campaign used Libya-themed lure filenames and a KrakenFiles-hosted downloader to persist via a scheduled task named 'devil', suggesting focused targeting that could be state sponsored. #AsyncRAT #LibyanOilRefinery

Between Nov 2025 and Feb 2026, a spear-phishing campaign targeted Libyan organizations, including an oil refinery, using VBS downloaders and PowerShell droppers to install AsyncRAT via a scheduled task named ‘devil’. #Libya #AsyncRAT

Original post on webpronews.com

Inside the Fake Tech Support Scam Pipeline: How Spam Emails Are Becoming the Gateway to Remote Access Trojans A sophisticated fake tech support spam campaign is deploying remote access trojans thro...

#EnterpriseSecurity #AsyncRAT #corporate #cybersecurity […]

[Original post on webpronews.com]

🚨Threat hunters uncovered DEAD#VAX, a stealth malware campaign abusing Windows features to deploy AsyncRAT. Using phishing, IPFS-hosted VHD files, obfuscated scripts, and in-memory execution, it evades detection and forensic analysis. #Malware #AsyncRAT #CyberThreats #EDR #DEADVAX

Alert: The DEAD#VAX malware campaign employs IPFS-hosted VHD phishing files to deploy AsyncRAT, evading traditional detection methods. Stay vigilant! #PotatoSecurity #MalwareAlert #AsyncRAT Link: thedailytechfeed.com/deadvax-malw...

Alert: The DEAD#VAX malware campaign employs IPFS-hosted VHD phishing files to deploy AsyncRAT, evading traditional detection methods. Stay vigilant! #CyberSecurity #MalwareAlert #AsyncRAT Link: thedailytechfeed.com/deadvax-malw...

Cybercriminals behind a campaign dubbed DEAD#VAX are taking phishing one step further by delivering malware inside virtual hard disks that pretend to be ordinary PDF documents. Open the wrong “invoice” or “purchase order” and you won’t see a document at all. Instead, Windows mounts a virtual drive that quietly installs AsyncRAT, a backdoor Trojan that allows attackers to remotely monitor and control your computer. It’s a remote access tool, which means attackers gain remote hands‑on‑keyboard control, while traditional file‑based defenses see almost nothing suspicious on disk. From a high-level view, the infection chain is long, but every step looks just legitimate enough on its own to slip past casual checks. Victims receive phishing emails that look like routine business messages, often referencing purchase orders or invoices and sometimes impersonating real companies. The email doesn’t attach a document directly. Instead, it links to a file hosted on IPFS (InterPlanetary File System), a decentralized storage network increasingly abused in phishing campaigns because content is harder to take down and can be accessed through normal web gateways. The linked file is named as a PDF and has the PDF icon, but is actually a virtual hard disk (VHD) file. When the user double‑clicks it, Windows mounts it as a new drive (for example, drive E:) instead of opening a document viewer. Mounting VHDs is perfectly legitimate Windows behavior, which makes this step less likely to ring alarm bells. Inside the mounted drive is what appears to be the expected document, but it’s actually a Windows Script File (WSF). When the user opens it, Windows executes the code in the file instead of displaying a PDF. After some checks to avoid analysis and detection, the script injects the payload—AsyncRAT shellcode—into trusted, Microsoft‑signed processes such as `RuntimeBroker.exe`, `OneDrive.exe`, `taskhostw.exe`, or `sihost.exe`. The malware never writes an actual executable file to disk. It lives and runs entirely in memory inside these legitimate processes, making detection and eventually at a later stage, forensics much harder. It also avoids sudden spikes in activity or memory usage that could draw attention. For an individual user, falling for this phishing email can result in: * Theft of saved and typed passwords, including for email, banking, and social media. * Exposure of confidential documents, photos, or other sensitive files taken straight from the system. * Surveillance via periodic screenshots or, where configured, webcam capture. * Use of the machine as a foothold to attack other devices on the same home or office network. ## How to stay safe Because detection can be hard, it is crucial that users apply certain checks: * Don’t open email attachments until after verifying, with a trusted source, that they are legitimate. * Make sure you can see the actual file extensions. Unfortunately, Windows allows users to hide them. So, when in reality the file would be called `invoice.pdf.vhd` the user would only see `invoice.pdf`. To find out how to do this, see below. * Use an up-to-date, real-time anti-malware solution that can detect malware hiding in memory. ### Showing file extensions on Windows 10 and 11 To show file extensions in Windows 10 and 11: * Open Explorer (Windows key + E) * In Windows 10, select **View** and check the box for **File name extensions**. * In Windows 11, this is found under **View** > **Show** > **File name extensions**. Alternatively, search for **File Explorer Options** to uncheck **Hide extensions for known file types**. For older versions of Windows, refer to this article. * * * **We don’t just report on threats—we remove them** Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Open the wrong “PDF” and attackers gain remote access to your PC The DEAD#VAX campaign tricks users into installing AsyncRAT by disguising a virtual hard disk as a PDF attachment. Cybercriminal...

#News #Threat #Intel #AsyncRAT #DEAD#VAX #extensions

Origin | Interest | Match

DEAD#VAX Malware Campaign Deploys AsyncRAT via IPFS-Hosted VHD Phishing Files InterPlanetary Filesystem (IPFS) network read more about DEAD#VAX Malware Campaign Deploys AsyncRAT via IPFS-Hosted VHD Phishing Files

DEAD#VAX Malware Campaign Deploys AsyncRAT via IPFS-Hosted VHD Phishing Files reconbee.com/deadvax-malw...

#DEADVAXmalware #malwarecampaign #AsyncRAT #IPFS #phishing #phishingattack #cyberattack

Decoding malware C2 with CyberChef This video tutorial demonstrates how malware C2 traffic can be decoded with CyberChef. The PCAP files with the analyzed network traffic can be downloaded from malware-traffic-analysis.net. CyberChef recipe to decode the reverse shell traffic to 103.27.157.146:4444: From_Hex('Auto') XOR({'option':'He[...]

AsyncRAT Campaign Abuses Cloudflare Services to Hide Malware Operations  Cybercriminals distributing the AsyncRAT remote access trojan are exploiting Cloudflare’s free-tier services and TryCloudflare tunneling domains to conceal malicious infrastructure behind widely trusted platforms. By hosting WebDAV servers through Cloudflare, attackers are able to mask command-and-control activity, making detection significantly more difficult for conventional security tools that often whitelist Cloudflare traffic.  The campaign typically begins with phishing emails that contain Dropbox links. These links deliver files using double extensions, such as .pdf.url, which are designed to mislead recipients into believing they are opening legitimate documents. When the files are opened, victims unknowingly download multi-stage scripts from TryCloudflare domains. At the same time, a genuine PDF document is displayed to reduce suspicion and delay user awareness of malicious activity.  A notable aspect of this operation is the attackers’ use of legitimate software sources. The malware chain includes downloading official Python distributions directly from Python.org. Once installed, a full Python environment is set up on the compromised system. This environment is then leveraged to execute advanced code injection techniques, specifically targeting the Windows explorer.exe process, allowing the malware to run stealthily within a trusted system component.  To maintain long-term access, the attackers rely on multiple persistence mechanisms. These include placing scripts such as ahke.bat and olsm.bat in Windows startup folders so they automatically execute when a user logs in. The campaign also uses WebDAV mounting to sustain communication with command-and-control servers hosted through Cloudflare tunnels.  The threat actors heavily employ so-called “living-off-the-land” techniques, abusing built-in Windows tools such as PowerShell, Windows Script Host, and other native utilities. By blending malicious behavior with legitimate system operations, the attackers further complicate detection and analysis, as their activity closely resembles normal administrative actions.  According to research cited by Trend Micro, the use of Cloudflare’s infrastructure creates a significant blind spot for many security solutions. Domains containing “trycloudflare.com” often appear trustworthy, allowing AsyncRAT payloads to be delivered without triggering immediate alerts. This abuse of reputable services highlights how attackers increasingly rely on legitimate platforms to scale operations and evade defenses.  Security researchers warn that although known malicious repositories and infrastructure may be taken down, similar campaigns are likely to reappear using new domains and delivery methods. Monitoring WebDAV connections, scrutinizing traffic involving TryCloudflare domains, and closely analyzing phishing attachments remain critical steps in identifying and mitigating AsyncRAT infections.

AsyncRAT Campaign Abuses Cloudflare Services to Hide Malware Operations #AsyncRAT #AsyncRATattack #Cloudfare

#xworm #asyncrat #purehvnc at:

https:// locale-respondent-realtor-excellent.trycloudflare\\.com

ShinyHunters Wage Broad Corporate Extortion Spree A cybercriminal group that used voice phishing attacks to siphon more than a billion records from Salesforce customers earlier this year has launched a website that threatens to publish data stolen from dozens of Fortune 500 firms if they refuse to pay a ransom. The group also claimed responsibility for a recent breach involving Discord user data, and for stealing terabytes of sensitive files from thousands of customers of the enterprise software maker Red Hat.

ShinyHunters Wage Broad Corporate Extortion Spree A cybercriminal group that used voice phishing attacks to siphon more than a billion records from Salesforce customers earlier this year has launched a website that threatens to publish data stolen from dozens of Fortune 500 firms if they refuse to pay a ransom. The group also claimed responsibility for a recent breach involving Discord user data, and for stealing terabytes of sensitive files from thousands of customers of the enterprise software maker Red Hat.

ShinyHunters Wage Broad Corporate Extortion Spree A cybercriminal group that used voice phishing attacks to siphon more than a billion records from Salesforce customers earlier this year has launched a website that threatens to publish data stolen from dozens of Fortune 500 firms if they refuse to pay a ransom. The group also claimed responsibility for a recent breach involving Discord user data, and for stealing terabytes of sensitive files from thousands of customers of the enterprise software maker Red Hat.

ShinyHunters Wage Broad Corporate Extortion Spree A cybercriminal group that used voice phishing attacks to siphon more than a billion records from Salesforce customers earlier this year has launched a website that threatens to publish data stolen from dozens of Fortune 500 firms if they refuse to pay a ransom. The group also claimed responsibility for a recent breach involving Discord user data, and for stealing terabytes of sensitive files from thousands of customers of the enterprise software maker Red Hat.

ShinyHunters Wage Broad Corporate Extortion Spree A cybercriminal group that used voice phishing attacks to siphon more than a billion records from Salesforce customers earlier this year has launched a website that threatens to publish data stolen from dozens of Fortune 500 firms if they refuse to pay a ransom. The group also claimed responsibility for a recent breach involving Discord user data, and for stealing terabytes of sensitive files from thousands of customers of the enterprise software maker Red Hat.

Exposed C2 dashboards for AsyncRAT and others often reuse default titles, predictable URL paths, and identical favicons; scanning httpv2 and crawler datasets helps link assets and TLS reuse. #ThreatIntel #C2 #AsyncRAT https://bit.ly/46KbOOt

Attackers trojanized ConnectWise ScreenConnect installers in exposed open directories to distribute AsyncRAT; observed IOCs include 176.65.139.119 and /Bin/ ClickOnce paths, with dual execution via .NET Assembly.Load or libPK.dll injection. #AsyncRAT #ScreenConnect #RMM https://bit.ly/3Iu93sl

Cybercriminals are exploiting ScreenConnect to deploy AsyncRAT and PowerShell RAT. Stay vigilant and ensure your software is up-to-date. #CyberSecurity #MalwareAlert #ScreenConnect #AsyncRAT Link: thedailytechfeed.com/cybercrimina...

This widely used Remote Monitoring tool is being used to deploy AsyncRAT to steal passwords | TechRadar www.techradar.com/pr...
#cybersecurity #ScreenConnect #AsyncRAT #fileless #malware

Attackers abuse ConnectWise ScreenConnect to drop AsyncRAT Hackers exploit ConnectWise ScreenConnect to drop AsyncRAT via scripted loaders, stealing data and persisting with a fake Skype updater.

Attackers are exploiting ConnectWise ScreenConnect to drop AsyncRAT malware, giving remote control over infected systems.
#ConnectWise #ScreenConnect #AsyncRAT #Malware #CyberSecurity #RemoteAccessTrojan #Infosec securityaffairs.com/182090/malwa...

Microsoft azzera le fee sullo Store e corregge NDI su Windows; emergono campagne AsyncRAT, Akira su SonicWall e tre CVE critiche Cisco IOS XR.

#Akira #AsyncRAT #cisco #MicrosoftStore #sonicwall
www.matricedigitale.it/2025/09/11/d...

Trojanized ScreenConnect Deploys AsyncRAT to Steal Credentials

Researchers discovered a phishing campaign delivering a tampered ConnectWise ScreenConnect installer that injects a loader to deploy the AsyncRAT trojan, allowing access and credential theft. getnews.me/trojanized-screenconnect... #connectwise #asyncrat

Microsoft azzera le fee sullo Store e corregge NDI su Windows; emergono campagne AsyncRAT, Akira su SonicWall e tre CVE critiche Cisco IOS XR.

#Akira #AsyncRAT #cisco #MicrosoftStore #sonicwall
www.matricedigitale.it/2025/09/11/e...

AsyncRAT Exploits ConnectWise ScreenConnect to Steal Credentials and Crypto establish a remote session read more about AsyncRAT Exploits ConnectWise ScreenConnect to Steal Credentials and Crypto

AsyncRAT Exploits ConnectWise ScreenConnect to Steal Credentials and Crypto reconbee.com/asyncrat-exp...

#Asyncrat #connectwise #crypto #credentials #CyberAttack