Malvertising Campaign Delivers Oyster/Broomstick Backdoor via SEO Poisoning and Trojanized Tools
Arctic Wolf has observed a search engine optimization (SEO) poisoning and malvertising campaign promoting malicious websites hosting trojanized versions of legitimate IT tools such as PuTTY and WinSCP.
Atomic macOS infostealer adds backdoor for persistent attacks
Malware analyst discovered a new version of the Atomic macOS info-stealer (also known as 'AMOS') that comes with a backdoor, to attackers persistent access to compromised systems. Malware analyst discovered a new version of the Atomic macOS info-stealer (also known as 'AMOS') that comes with a backdoor, to attackers persistent access to compromised systems. The new component allows executing arbitrary remote commands, it survives reboots, and permits maintaining control over infected hosts indefinitely. MacPaw's cybersecurity division Moonlock analyzed the backdoor in Atomic malware after a tip from independent researcher g0njxa, a close observer of infostealer activity. "AMOS malware campaigns have already reached over 120 countries, with the United States, France, Italy, the United Kingdom, and Canada among the most affected," the researchers say. "The backdoored version of Atomic macOS Stealer now has the potential to gain full access to thousands of Mac devices worldwide."
GreyNoise Discovers Stealthy Backdoor Campaign Affecting Thousands of ASUS Routers
GreyNoise uncovers a stealth campaign exploiting ASUS routers, enabling persistent backdoor access via CVE-2023-39780 and unpatched techniques. Learn how attackers evade detection, how GreyNoise discovered it with AI-powered tooling, and what defenders need to know. This activity was first discovered by GreyNoise on March 18, 2025. Public disclosure was deferred as we coordinated the findings with government and industry partners. GreyNoise has identified an ongoing exploitation campaign in which attackers have gained unauthorized, persistent access to thousands of ASUS routers exposed to the internet. This appears to be part of a stealth operation to assemble a distributed network of backdoor devices — potentially laying the groundwork for a future botnet. The tactics used in this campaign — stealthy initial access, use of built-in system features for persistence, and careful avoidance of detection — are consistent with those seen in advanced, long-term operations, including activity associated with advanced persistent threat (APT) actors and operational relay box (ORB) networks. While GreyNoise has made no attribution, the level of tradecraft suggests a well-resourced and highly capable adversary. The attacker’s access survives both reboots and firmware updates, giving them durable control over affected devices. The attacker maintains long-term access without dropping malware or leaving obvious traces by chaining authentication bypasses, exploiting a known vulnerability, and abusing legitimate configuration features. The activity was uncovered by Sift — GreyNoise’s proprietary AI-powered network payload analysis tool — in combination with fully emulated ASUS router profiles running in the GreyNoise Global Observation Grid. These tools enabled us to detect subtle exploitation attempts buried in global traffic and reconstruct the full attack sequence. Read the full technical analysis. Timeline of Events March 17, 2025: GreyNoise’s proprietary AI technology, Sift, observes anomalous traffic. March 18, 2025: GreyNoise researchers become aware of Sift report and begin investigating. March 23, 2025: Disclosure deferred as we coordinated the findings with government and industry partners. May 22, 2025: Sekoia announces compromise of ASUS routers as part of ‘ViciousTrap.’ May 28, 2025: GreyNoise publishes this blog.
Multiple vendors were hacked in a coordinated supply chain attack, Sansec found 21 applications with the same backdoor. Curiously, the malware was injected 6 years ago, but came to life this week as attackers took full control of ecommerce servers. Sansec estimates that between 500 and 1000 stores are running backdoored software. Hundreds of stores, including a $40 billion multinational, are running backdoored versions of popular ecommerce software. We found that the backdoor is actively used since at least April 20th. Sansec identified these backdoors in the following packages which were published between 2019 and 2022. Vendor Package Tigren Ajaxsuite Tigren Ajaxcart Tigren Ajaxlogin Tigren Ajaxcompare Tigren Ajaxwishlist Tigren MultiCOD Meetanshi ImageClean Meetanshi CookieNotice Meetanshi Flatshipping Meetanshi FacebookChat Meetanshi CurrencySwitcher Meetanshi DeferJS MGS Lookbook MGS StoreLocator MGS Brand MGS GDPR MGS Portfolio MGS Popup MGS DeliveryTime MGS ProductTabs MGS Blog We established that Tigren, Magesolution (MGS) and Meetanshi servers have been breached and that attackers were able to inject backdoors on their download servers. This hack is called a Supply Chain Attack, which is one of the worst types. By hacking these vendors, the attacker gained access to all of their customers' stores. And by proxy, to all of the customers that visit these stores. We also found a backdoored version of the Weltpixel GoogleTagManager extension, but we have not been able to establish whether Weltpixel or these particular stores got compromised.
XRP supply chain attack: Official NPM package infected with crypto stealing backdoor
The official XPRL (Ripple) NPM package was compromised by sophisticated attackers who put in a backdoor to steal cryptocurrency private keys and gain access to cryptocurrency wallets.
Apple yanks encrypted storage in U.K. instead of allowing backdoor access
Company will no longer provide its highest security offering in Britain in the wake of a government order to let security officials see protected data.
Cisco Talos discovered an ongoing malicious campaign operated by a financially motivated threat actor targeting users, predominantly in Poland and Germany. The actor has delivered different payloads, including Agent Tesla, Snake Keylogger, and a new undocumented backdoor we are calling TorNet, dropped by PureCrypter malware. The actor is running a Windows scheduled task on victim machines—including on endpoints with a low battery—to achieve persistence. The actor also disconnects the victim machine from the network before dropping the payload and then connects it back to the network, allowing them to evade detection by cloud antimalware solutions. We also found that the actor connects the victim’s machine to the TOR network using the TorNet backdoor for stealthy command and control (C2) communications and detection evasion.
Mysterious backdoor found on select Juniper routers
Someone has been quietly backdooring selected Juniper routers around the world in key sectors including semiconductor, energy, and manufacturing, since at least mid-2023. The devices were infected with what appears to be a variant of cd00r, a publicly available "invisible backdoor" designed to operate stealthily on a victim's machine by monitoring network traffic for specific conditions before activating.
In an incident response in Q4 of 2024, GuidePoint Security identified evidence of a threat actor utilizing a Python-based backdoor to maintain access to compromised endpoints. The threat actor later leveraged this access to deploy RansomHub encryptors throughout the entire impacted network. ReliaQuest documented an earlier version of this malware on their website in February 2024.
Backdooring Your Backdoors - Another $20 Domain, More Governments
After the excitement of our .MOBI research, we were left twiddling our thumbs. As you may recall, in 2024, we demonstrated the impact of an unregistered domain when we subverted the TLS/SSL CA process for verifying domain ownership to give ourselves the ability to issue valid and trusted TLS/
Cisco warns of backdoor admin account in Smart Licensing Utility
Cisco has removed a backdoor account in the Cisco Smart Licensing Utility (CSLU) that can be used to log into unpatched systems with administrative privileges.
Imagine this: an OpenSSH backdoor is discovered, maintainers rush to push out a fixed release package, security researchers trade technical details on mailing lists to analyze the backdoor code. Speculation abounds on the attribution and motives of the attacker, and the tech media pounces on the story. A near miss of epic proportions, a blow to the fabric of trust underlying open source development, a stark reminder of the risks of supply-chain attacks. Equal measures brilliant and devious.
Major Backdoor in Millions of RFID Cards Allows Instant Cloning
French security services firm Quarkslab has made an eye-popping discovery: a significant backdoor in millions of contactless cards made by Shanghai Fudan Microelectronics Group, a leading chip manufacturer in China.
Malvertising Campaign Leads to Execution of Oyster Backdoor
Rapid7 observed a recent malvertising campaign luring users to download malicious installers for popular software like Google Chrome and Microsoft Teams.
Over 92,000 exposed D-Link NAS devices have a backdoor account
A threat researcher has disclosed a new arbitrary command injection and hardcoded backdoor flaw in multiple end-of-life D-Link Network Attached Storage (NAS) device models.
This page is short for now but it will get updated as I learn more about the incident. Most likely it will be during the first week of April 2024. The Git repositories of XZ projects are on git.tukaani.org. xz.tukaani.org DNS name (CNAME) has been removed. The XZ projects currently don’t have a home page. This will be fixed in a few days.
An online tool offers a service to obfuscate PHP code, but it also silently inserts a backdoor into the code that allows any other PHP code to be executed!
Urgent security alert for Fedora 41 and Fedora Rawhide users
Red Hat Information Risk and Security and Red Hat Product Security learned that the latest versions of the “xz” tools and libraries contain malicious code that appears to be intended to allow unauthorized access.
.png?width=92&height=&ar=&mode=&format=avif&dpr=2)
