Since 2022, Trend Micro researchers have been investigating numerous targeted attacks in the Asia-Pacific region that used the same ELF backdoor.
Most vendors identify this backdoor as a variant of existing malware such as Gh0st RAT or Rekoobe. However, Trend Micro unearthed the truth: this backdoor is not merely a variant of existing malware, but is a new type altogether. The researchers suspect it is being used by Chinese-speaking groups engaged in either espionage or cybercrime. We dubbed this formerly undocumented malware as “Noodle RAT.” Noodle RAT, also known as ANGRYREBEL or Nood RAT, is a relatively simple backdoor confirmed to have both Windows (Win.NOODLERAT) and Linux (Linux.NOODLERAT) versions.
Read more…
Source: Trend Micro
Related:
- GoldenEye Dog(APT-Q-27) gang’s recent use of “Silver Fox” Trojan stealing activities
June 6, 2025
GoldenEyeDog (tracked internally as APT-Q-27 by Qi’anxin) is a hacking group targeting people involved in gaming and dog-pushing in Southeast Asia, as well as the overseas Chinese community, with a range of business activities including remote control, mining, DDoS attacks, etc. It is related to a larger attack group tracked by Qi’anxin, the Miuuti Group. The ...
- Chasing Eddies: New Rust- based InfoStealer used in CAPTCHA campaigns
May 30, 2025
Elastic Security Labs has uncovered a novel Rust-based infostealer distributed via Fake CAPTCHA campaigns. This malware is hosted on multiple adversary-controlled web properties. This campaign leverages deceptive CAPTCHA verification pages that trick users into executing a malicious PowerShell script, which ultimately deploys the infostealer, harvesting sensitive data such as credentials, browser information, and cryptocurrency wallet details. ...
- Deep Dive into a Dumped Malware without a PE Header
May 29, 2025
This analysis is part of an incident investigation led by the FortiGuard Incident Response Team. Fortiguard Incident Response Team discovered malware that had been running on a compromised machine for several weeks. The threat actor had executed a batch of scripts and PowerShell to run the malware in a Windows process. Although obtaining the original malware ...
- Zanubis in motion: Tracing the active evolution of the Android banking malware
May 28, 2025
Zanubis is a banking Trojan for Android that emerged in mid-2022. Since its inception, it has targeted banks and financial entities in Peru, before expanding its objectives to virtual cards and crypto wallets. The main infection vector of Zanubis is impersonating legitimate Peruvian Android applications and then misleading the user into enabling the accessibility permissions. Once ...
- Mysterious hacking group Careto was run by the Spanish government
May 23, 2025
More than a decade ago, researchers at antivirus company Kaspersky identified suspicious internet traffic of what they thought was a known government-backed group, based on similar targeting and its phishing techniques. Soon, the researchers realized they had found a much more advanced hacking operation that was targeting the Cuban government, among others. Eventually the researchers were ...
- DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt
May 14, 2025
In January 2025, Unit 42 researchers identified a series of attacks distributing DarkCloud Stealer. The latest attack chain incorporated AutoIt to evade detection and used a file-sharing server to host the malware. This article explores the chain of events from these recent campaigns and analyzes the characteristics of these attacks. DarkCloud employs multi-stage payloads and obfuscated ...