In their first article on the XZ backdoor, Kaspersky researchers analyzed its code from initial infection to the function hooking it performs. As they mentioned then, its initial goal was to successfully hook one of the functions related to RSA key manipulation.
In this article, the research team will focus on the backdoor’s behaviour inside OpenSSH, specifically OpenSSH portable version 9.7p1 – the most recent version at this time. To better understand what’s going on, they recommend you to read Baeldung’s article about SSH authentication methods and JFrog’s article about privilege separation in SSH.
Read more…
Source: Kaspersky
Related:
- Windows Shortcut (LNK) Malware Strategies
July 2, 2025
Attackers are increasingly exploiting Windows shortcut (LNK) files for malware delivery. Palo Alto Unit 42 telemetry revealed 21,098 malicious LNK samples in 2023, which surged to 68,392 in 2024. In this article, Unit 42 researchers present an in-depth investigation of LNK malware, based on analysis of 30,000 recent samples. Windows shortcut files use the .lnk file ...
- SparkKitty, SparkCat’s little brother: A new Trojan spy found in the App Store and Google Play
June 23, 2025
In January 2025, Kaspersky researchers uncovered the SparkCat spyware campaign, which was aimed at gaining access to victims’ crypto wallets. The threat actor distributed apps containing a malicious SDK/framework. This component would wait for a user to open a specific screen (typically a support chat), then request access to the device’s gallery. It would then use ...
- Resurgence of the Prometei Botnet
June 20, 2025
In March 2025, Unit 42 researchers identified a wave of Prometei attacks. Prometei refers to both the botnet and the malware family used to operate it. This malware family, which includes both Linux and Windows variants, allows attackers to remotely control compromised systems for cryptocurrency mining (particularly Monero) and credential theft. This article focuses on the ...
- Exploring a New KimJongRAT Stealer Variant and Its PowerShell Implementation
June 17, 2025
This article provides a comprehensive analysis of two new variants of the KimJongRAT stealer. Palo Alto Unit 42 combine new research findings with existing knowledge to provide a comprehensive resource for understanding and combating these new KimJongRAT variants. The KimJongRAT stealer was first described in 2013 by the Malware.lu CERT. Palo Alto researchers documented another variant ...
- VMDetector-Based Loader Abuses Steganography to Deliver Infostealers
June 16, 2025
Recently, the SonicWall Capture Labs threat research team has identified various malware strains being distributed through a custom VMDetector Loader. This loader is typically delivered to the victim’s system via image files embedded with steganography. The primary payloads observed include popular malware families such as Remcos, VIPKeyLogger, AveMariaRAT, DCRAT, FormBook, and others. Attackers send an email ...
- Anubis: A Closer Look at an Emerging Ransomware with Built-in Wiper
June 13, 2025
A new ransomware-as-a-service (RaaS) group has emerged and has been making a name for itself in 2025. Anubis is a recently identified group that sets itself apart by partnering encryption with more destructive capabilities—wiping directories which severely impact chances of file recovery. Given its brief history and use of a multi-layered extortion model, Anubis has all ...

