In September 2024, Kaspersky researchers detected malicious activity targeting financial (trading and brokerage) firms through the distribution of malicious .scr (screen saver) files disguised as financial documents via Skype messenger.
The threat actor deployed a newly identified Remote Access Trojan (RAT) named GodRAT, which is based on the Gh0st RAT codebase. To evade detection, the attackers used steganography to embed shellcode within image files. This shellcode downloads GodRAT from a Command-and-Control (C2) server. GodRAT supports additional plugins. Once installed, attackers utilized the FileManager plugin to explore the victim’s systems and deployed browser password stealers to extract credentials.
Read more…
Source: Kaspersky
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Over a million WordPress sites hit in plugin flaw — so patch now or face the consequences
May 14, 2026
A popular WordPress plugin with roughly a million active installations contained two vulnerabilities that could have allowed malicious actors to exfiltrate sensitive data, such as password hashes and other valuable information. Security researchers at Wordfence said they were tipped off by a researcher Rafie Muhammad about the existence of an Arbitrary File Read and an SQL Injection vulnerability in Avada ...
- Ransomware hackers claim breach at Foxconn, a major electronics manufacturer for Apple, Google, and Nvidia
May 13, 2026
Electronics manufacturing giant Foxconn, which makes devices and components for Apple, Google, Nvidia, and Sony, among other tech giants, confirmed on Monday that it was hit by a cyberattack that may have affected some of its factories. In a statement sent to media outlets, Foxconn said that the cyberattack affected facilities in North America and that ...
- When IT Support Calls: Dissecting a ModeloRAT Campaign from Teams to Domain Compromise
May 13, 2026
Attackers do not need to break into the front door when they can convince employees to open it for them through the tools they already trust. In April 2026, Rapid7 investigated an enterprise intrusion that began with a Microsoft Teams message from a fake “IT Support” account and quickly escalated into a full compromise chain involving ...
- Stolen Canvas data was “returned” after hacker agreement, Instructure says
May 12, 2026
The Instructure/Canvas data breach that has dominated cybersecurity coverage recently has reached a new stage. Millions of students had personal data stolen, with extortion group ShinyHunters claiming credit for the data breach and applying extra pressure for their ransom demands by bothering Canvas users directly. Which seems to have paid off. On the Instructure web page about the recent ...
- Cache-poisoning caper turns TanStack npm packages toxic
May 12, 2026
An attacker has published 84 malicious versions of official TanStack npm packages, with the impact including credential theft, self-propagation, and complete disk wipe of an infected host. The attack is part of a wave of attacks across npm and PyPI, continuing the Mini Shai-Hulud campaign. Supply chain security company Socket reports that other compromised packages include the OpenSearch client, Mistral ...
- Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools
May 11, 2026
Active Directory Certificate Services (AD CS) is a foundational component of Windows enterprise infrastructure, responsible for managing public key infrastructure (PKI) and issuing certificates that enable authentication and encryption across networks. Despite its critical role in the enterprise identity infrastructure, AD CS is often undermined by insecure default configurations and design complexities, resulting in exploitable ...