Skip to content
July 18, 2026
  • Linkedin
  • Twitter
  • Facebook
  • Youtube

Daily CyberSecurity

Zero-hour alerts. Unmatched analysis.

Primary Menu
  • Home
  • CVE Data
    • CVE Watchtower
    • Top Exploited CVEs
    • CVE Stats by Vendor
    • Q2 2026 Report
  • Cyber Criminals
  • Data Leak
  • Linux
  • Malware
  • Vulnerability
  • Submit Press Release
  • Weekly Recap
Light/Dark Button
  • Home
  • News
  • Malware
  • Spam campaigns is bundled to distribute XTRAT and DUNIHI, Loki’s numerous malicious programs
  • Malware

Spam campaigns is bundled to distribute XTRAT and DUNIHI, Loki’s numerous malicious programs

Do Son April 24, 2018 3 minutes read
Spam campaigns
Add Daily CyberSecurity as a preferred source on Google

Recently, Trend Micro security experts posted a blog post saying they had discovered a spam campaign. Through this spam, hacking organizations can distribute XTRAT and DUNIHI backdoors and Loki malware bundled with the Adwind RAT. At present, experts detected a total of 5,535 cases of Adwind infection between January 1 and April 17, including the United States, Japan, and Australia.

This spam campaign was mainly used to distribute two campaigns, one of which is the XTRAT backdoor (aka “XtremeRAT”, BKDR_XTRAT.SMM) and the information theater Trojan Loki (TSPY_HPLOKI.SM1) to provide cross-platform remote access to Trojans. Adwind (detected by Trend Micro as JAVA_ADWIND.WIL). In another separate Adwind RAT spam campaign, researchers observed the use of VBScript with a backdoor that was tracked as DUNIHI.

Researchers said that both campaigns abuse legitimate free dynamic DNS servers hopto [.]org, and tried to increase the success rate of system infection through different backdoor programs. In other words, when one of the malwares is detected, other malicious software will continue to complete the infection.

The crook behind Adwind, XTRAT, and Loki use a weaponized RTF document to trigger the CVE-2017-11882 vulnerability to deliver the Adwind, XTRAT, and Loki packages.

Since 2013, Adwind has been able to run on all major operating systems (Windows, Linux, MacOSX, Android) and is known for its various backdoor features such as (but not limited to):

  • Information theft
  • File and Registry Management
  • Remote Desktop
  • Remote shell
  • Process Management
  • Upload, download and execute files

XTRAT has similar functions to Adwind, such as information theft, file and registry management, remote desktop and so on. It also has the following features:

  • Screenshots desktop
  • Recording via webcam or microphone
  • upload and download files
  • Registry operations (read, write and operate)
  • Process operation (execution and termination)
  • Service operations (stop, start, create and modify)
  • A system that executes a remote shell and controls the victim

DUNIHI has the following backdoor features: execute files, update itself, uninstall itself, download files, upload files, enumerate drivers, enumerate files and folders, enumerate processes, execute shell commands, delete files and folders, terminate processes, Sleep.

To handle cross-platform threats like Adwind, experts recommend adopting multiple layers of security measures. IT administrators should regularly maintain and update networks and systems, and since Adwind’s two variants are sent by e-mail, they must ensure that The security of email gateways mitigates the threat of misuse of email as a system and network entry point.

Suggest Reading

XTRAT and DUNIHI Backdoors Bundled with Adwind in Spam Mails

Source: SecurityAffairs

Related coverage

  • DanaBot Malware: The Hidden Threat in Job Application Emails
  • LummaC2 and Raccoon Stealer: The Rise of Certificate Abuse in Malware
  • Virus Retreat: November Sees 18% Drop in Threats Detected by Dr.Web
  • GlassWorm Abuses VS Code Extensions to Fuel Supply Chain Attacks
  • Russian Tomiris APT Adopts “Polyglot” Strategy, Hijacking Telegram/Discord as Covert C2 for Diplomatic Spies
Track all actively exploited CVEs →

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee Logo Buy Me a Coffee PayPal
Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Share this article:

Facebook Post LinkedIn Telegram
Written by
@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.

Tags: Spam campaigns

Search

Translation

CVE WATCHTOWER
🚨

Receive alerts for vulnerabilities being exploited in the wild.

⚡

Get notified instantly when a Proof of Concept (PoC) exploit is published.

🔍

Access critical info on vulnerabilities even when marked as "RESERVED".

🧠

Insights powered by decades of expertise and global intelligence sources.

🎯

Customize alerts with up to 10 keywords for your specific tech stack.

📊

Export the raw CVE database for SIEM integration and reporting.

Upgrade Package

🚨 Active Exploits in the Wild

  • CVE-2026-6875CVSS 9.5
    ServiceNow has addressed a remote code execution vulnerability that was identified in the ServiceNow AI platform. This vulnerability...
    Admin intel📅 Updated: Jul 18, 2026
  • CVE-2026-39808CVSS 9.8
    A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox...
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2026-25089CVSS 9.8
    A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox...
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2026-58644CVSS 9.8
    Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network.
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2023-4346CVSS 7.5
    KNX devices that use KNX Connection Authorization and support Option 1 are, depending on the implementation, vulnerable to...
    CISA KEV📅 Added to KEV: Jul 15, 2026
  • CVE-2026-53362
    In the Linux kernel, the following vulnerability has been resolved: ipv6: account for fraggap on the paged allocation...
    Admin intel📅 Updated: Jul 14, 2026
  • CVE-2026-46242CVSS 7.8
    In the Linux kernel, the following vulnerability has been resolved: eventpoll: fix ep_remove struct eventpoll / struct file...
    Admin intel📅 Updated: Jul 14, 2026
  • CVE-2026-56155CVSS 7.8
    Insufficient granularity of access control in Active Directory Federation Services (AD FS) allows an authorized attacker to elevate...
    CISA KEV📅 Added to KEV: Jul 14, 2026
Powered by CVE Watchtower

🔴 Live Critical Threats

  • CVE-2026-16117CVSS 10.0
    Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the...
  • CVE-2026-47865CVSS 9.8
    VMware Avi Load Balancer contains an authentication bypass vulnerability. A malicious user...
  • CVE-2026-55518CVSS 9.6
    Avo is a framework to create admin panels for Ruby on Rails...
  • CVE-2026-54159CVSS 10.0
    PrestaShop ps_facetedsearch is a module that adds layered navigation filters. From 3.0.0...
  • CVE-2026-48062CVSS 9.8
    CodeIgniter is a PHP full-stack web framework. Prior to 4.7.3, the ext_in...
  • CVE-2026-13446CVSS 9.8
    IBM Langflow OSS 1.0.0 through 1.10.1 contains hard-coded credentials, such as a password...
  • CVE-2026-8859CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow an attacker to...
  • CVE-2026-8635CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated users to escalate privileges...
  • CVE-2026-8505CVSS 9.8
    IBM Langflow OSS 1.0.0 through 1.10.0 has a vulnerability in Langflow's webhook...
  • CVE-2026-8476CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution...
Powered by CVE WATCHTOWER

Our Websites
  • Penetration Testing Tools
  • The Daily Information Technology
  • Top Exploited CVEs
  • Daily CyberSecurity

    • About SecurityOnline.info
    • Advertise with us
    • Announcement
    • Contact
    • Contributor Register
    • Login
    • Disclaimer
    • DCMA
    • Privacy Policy
    • About SecurityOnline.info
    • Advertise on SecurityOnline.info
    • Contact Us

    When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works

    • CVE Watchtower
    • CVE Statistics by Vendor 2026
    • Q2 2026 Report
    • Top Exploited CVEs
    • Linkedin
    • Twitter
    • Facebook
    • Youtube
    © 2017 - 2026 Daily CyberSecurity. All Rights Reserved.