In their first article on the XZ backdoor, Kaspersky researchers analyzed its code from initial infection to the function hooking it performs. As they mentioned then, its initial goal was to successfully hook one of the functions related to RSA key manipulation.
In this article, the research team will focus on the backdoor’s behaviour inside OpenSSH, specifically OpenSSH portable version 9.7p1 – the most recent version at this time. To better understand what’s going on, they recommend you to read Baeldung’s article about SSH authentication methods and JFrog’s article about privilege separation in SSH.
Read more…
Source: Kaspersky
Related:
- CISA and Partners Release Update to Malware Analysis Report BRICKSTORM Backdoor
December 19, 2025
Today, the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency, and Canadian Centre for Cyber Security released an update to the Malware Analysis Report BRICKSTORM Backdoor with indicators of compromise (IOCs) and detection signatures for additional BRICKSTORM samples. This update provides information on additional samples, including Rust-based samples. These samples demonstrate advanced persistence and defense ...
- SantaStealer is Coming to Town: A New, Ambitious Infostealer Advertised on Underground Forums
December 15, 2025
Rapid7 Labs has identified a new malware-as-a-service information stealer being actively promoted through Telegram channels and on underground hacker forums. The stealer is advertised under the name “SantaStealer” and is planned to be released before the end of 2025. Open source intelligence suggests that it recently underwent a rebranding from the name “BluelineStealer.” The malware collects ...
- NANOREMOTE, cousin of FINALDRAFT
December 11, 2025
In October 2025, Elastic Security Labs discovered a newly-observed Windows backdoor in telemetry. The fully-featured backdoor Elastic Security Lab call NANOREMOTE shares characteristics with malware described in REF7707 and is similar to the FINALDRAFT implant. One of the malware’s primary features is centered around shipping data back and forth from the victim endpoint using the Google ...
- SHADOW-VOID-042 Targets Multiple Industries with Void Rabisu-like Tactics
December 11, 2025
In October and November 2025, campaigns targeting sectors such as energy, defence, pharmaceuticals, and cybersecurity shared characteristics with older campaigns attributed to Void Rabisuopen on a new tab (also known as ROMCOM, Tropical Scorpius, Storm-0978). Void Rabisu is known to be associated with an actor group that has both financial and espionage motivations that are ...
- Uncovering Hidden Forensic Evidence in Windows: The Mystery of AutoLogger-Diagtrack-Listener.etl
December 9, 2025
During a recent incident response engagement, FortiGuard IR services (FGIR) responded to a ransomware attack where the threat actor heavily used anti forensic techniques to cover their tracks and to avoid their malware getting into the hands of researchers. They attempted to achieve this by deleting files and folders they had created, clearing logs and obfuscating ...
- AI-Automated Threat Hunting Brings GhostPenguin Out of the Shadows
December 8, 2025
Hunting high-impact, advanced malware is a difficult task. It becomes even harder and more time-consuming when defenders focus on low-detection or zero-detection samples. Every day, a huge number of files are sent to platforms like VirusTotal, and the relevant ones often get lost in all that noise. Identifying malware with low or no detections is ...

