Since 2022, Trend Micro researchers have been investigating numerous targeted attacks in the Asia-Pacific region that used the same ELF backdoor.
Most vendors identify this backdoor as a variant of existing malware such as Gh0st RAT or Rekoobe. However, Trend Micro unearthed the truth: this backdoor is not merely a variant of existing malware, but is a new type altogether. The researchers suspect it is being used by Chinese-speaking groups engaged in either espionage or cybercrime. We dubbed this formerly undocumented malware as “Noodle RAT.” Noodle RAT, also known as ANGRYREBEL or Nood RAT, is a relatively simple backdoor confirmed to have both Windows (Win.NOODLERAT) and Linux (Linux.NOODLERAT) versions.
Read more…
Source: Trend Micro
Related:
- Uncovering Hidden Forensic Evidence in Windows: The Mystery of AutoLogger-Diagtrack-Listener.etl
December 9, 2025
During a recent incident response engagement, FortiGuard IR services (FGIR) responded to a ransomware attack where the threat actor heavily used anti forensic techniques to cover their tracks and to avoid their malware getting into the hands of researchers. They attempted to achieve this by deleting files and folders they had created, clearing logs and obfuscating ...
- AI-Automated Threat Hunting Brings GhostPenguin Out of the Shadows
December 8, 2025
Hunting high-impact, advanced malware is a difficult task. It becomes even harder and more time-consuming when defenders focus on low-detection or zero-detection samples. Every day, a huge number of files are sent to platforms like VirusTotal, and the relevant ones often get lost in all that noise. Identifying malware with low or no detections is ...
- Hook for Gold: Inside GoldFactory’s Сampaign That Turns Apps Into Goldmines
December 3, 2025
In February 2024, Group-IB uncovered sophisticated mobile threat campaigns that show how fast banking malware is evolving across the Asia-Pacific region. Ongoing monitoring of this evolving threat revealed a surge of aggressive mobile Trojans targeting both iOS and Android users, all operated by a single threat actor tracked as GoldFactory. Since releasing our initial report, we ...
- Iranian hacker group deploys malicious Snake game to target Egyptian and Israeli critical infrastructure
December 3, 2025
An Iranian-aligned hacking group tracked as ‘MuddyWater’ has dramatically shifted tactics in attacks against Israeli and Egyptian critical infrastructure. Previous campaigns by the group, observed by ESET Research, were characteristically noisy in their tactics, techniques, and procedures (TTPs) making them easily detectable. However, the group has begun employing a new backdoor deployed via the Fooder loader, ...
- Shai Hulud 2.0, now with a wiper flavor
December 3, 2025
In September, a new breed of malware distributed via compromised Node Package Manager (npm) packages made headlines. It was dubbed “Shai-Hulud”, and Kaspersky published an in-depth analysis of it in another post. Recently, a new version was discovered. Shai Hulud 2.0 is a type of two-stage worm-like malware that spreads by compromising npm tokens to republish ...
- Tomiris wreaks Havoc: New tools and techniques of the APT group
November 28, 2025
While tracking the activities of the Tomiris threat actor, Kaspersky researchers identified new malicious operations that began in early 2025. These attacks targeted foreign ministries, intergovernmental organizations, and government entities, demonstrating a focus on high-value political and diplomatic infrastructure. In several cases, Kaspersky traced the threat actor’s actions from initial infection to the deployment of post-exploitation ...