persistence Archives • Daily CyberSecurity

Attackers Hijack Trusted RMM Tools to Create Invisible, Permanent Backdoors RMM Hijacking Campaign Self-Healing Persistence

Attackers Hijack Trusted RMM Tools to Create Invisible, Permanent Backdoors

Do Son May 7, 2026

A sophisticated phishing campaign is proving that the most effective “virus” is often a legitimate piece of...

Attackers Weaponize Mailbox Rules to Control Your Inbox M365 Persistence Malicious Mailbox Rules

Attackers Weaponize Mailbox Rules to Control Your Inbox

Do Son April 15, 2026

In the modern landscape of Microsoft 365 security, the most dangerous threat might not be a sophisticated...

Beyond the URL: How “Cookie-Gated” Web Shells Hide Silent RCE in Plain Sight Cookie-Gated Web Shell Stealth C2

Beyond the URL: How “Cookie-Gated” Web Shells Hide Silent RCE in Plain Sight

Do Son April 9, 2026

A technical analysis from the Microsoft Defender Security Research Team has revealed that threat actors are increasingly...

Virtual Invasion: SolarWinds WHD Exploited to Host Hidden QEMU VMs SolarWinds Web Help Desk QEMU Persistence

Virtual Invasion: SolarWinds WHD Exploited to Host Hidden QEMU VMs

Do Son February 10, 2026

In a striking display of “living off the land” gone wrong, threat actors are turning legitimate administrative...

Silent Intruder: “EncystPHP” Web Shell Burrows into FreePBX Systems EncystPHP Web Shell FreePBX Vulnerability

Silent Intruder: “EncystPHP” Web Shell Burrows into FreePBX Systems

Do Son February 2, 2026

A sophisticated new web shell has been discovered burrowing into communication infrastructure, leveraging a critical vulnerability to...

Locked Out of the Cloud: Hackers Use AWS Termination Protection to Hijack ECS for Unstoppable Crypto Mining AWS Cryptojacking, Termination Protection

AWS Cryptojacking, Termination Protection

Locked Out of the Cloud: Hackers Use AWS Termination Protection to Hijack ECS for Unstoppable Crypto Mining

Do Son December 18, 2025

In a striking display of cloud-native tradecraft, cybercriminals have been caught turning legitimate AWS environments into illicit...

CISA/NSA Warn of BRICKSTORM Backdoor: China APT Targets VMware and ADFS for Long-Term Espionage BRICKSTORM Backdoor, VMware Espionage

CISA/NSA Warn of BRICKSTORM Backdoor: China APT Targets VMware and ADFS for Long-Term Espionage

Do Son December 8, 2025

A new and sophisticated malware threat has emerged from the shadows of state-sponsored cyber espionage. The Cybersecurity...

Patchwork APT Deploys StreamSpy Trojan, Hiding C2 Commands in WebSocket Traffic for Stealth Espionage Patchwork StreamSpy, WebSocket C2

Patchwork APT Deploys StreamSpy Trojan, Hiding C2 Commands in WebSocket Traffic for Stealth Espionage

Do Son December 5, 2025

The Patchwork APT group (also known as Bai Xiang or “White Elephant”), a cyberespionage actor believed to...

Cybercriminals Shift Tactics: Group Deploys Multiple RMM Tools (ScreenConnect, LogMeIn, Naverisk) for Redundant Persistence and Access Resale

Do Son November 20, 2025

A highly active cybercriminal group has shifted tactics in a long-running campaign that abuses remote monitoring and...

Legacy Malware Resurfaces: DarkComet RAT Uses Bitcoin Wallet Lure to Deploy UPX-Packed Payload DarkComet Bitcoin Lure, Legacy RAT

Legacy Malware Resurfaces: DarkComet RAT Uses Bitcoin Wallet Lure to Deploy UPX-Packed Payload

Do Son November 13, 2025

The Lat61 Threat Intelligence Team has uncovered a new campaign using Bitcoin-themed lures to distribute DarkComet RAT,...

Tangerine Turkey Cryptomining Worm Spreads Via USB Drives, Hides Payloads with VBScript and LOLBins Tangerine Turkey Cryptominer, VBScript Worm

Tangerine Turkey Cryptominer, VBScript Worm

Tangerine Turkey Cryptomining Worm Spreads Via USB Drives, Hides Payloads with VBScript and LOLBins

Do Son November 3, 2025

The Cybereason Security Services Team has exposed a stealthy, financially motivated campaign dubbed “Tangerine Turkey,” which uses...

Lampion Banking Trojan Evolves: 700MB Bloatware DLL and ClickFix VBS Script Target Brazilian Users Lampion 700MB Bloatware, ClickFix VBS

Lampion Banking Trojan Evolves: 700MB Bloatware DLL and ClickFix VBS Script Target Brazilian Users

Do Son October 30, 2025

Researchers at BitSight have uncovered a long-running spam campaign operated by a Brazilian threat group behind the...

China-Backed Flax Typhoon APT Maintained Year-Long Access by Turning ArcGIS SOE into Web Shell Backdoor Flax Typhoon ArcGIS Backdoor, SOE Web Shell

Flax Typhoon ArcGIS Backdoor, SOE Web Shell

China-Backed Flax Typhoon APT Maintained Year-Long Access by Turning ArcGIS SOE into Web Shell Backdoor

Do Son October 16, 2025

A newly released report from ReliaQuest reveals how the China-backed advanced persistent threat (APT) group “Flax Typhoon”...

New Shuyal Stealer Malware Targets 19 Browsers, Disables Windows Task Manager for Stealth Shuyal Stealer, Task Manager Evasion

New Shuyal Stealer Malware Targets 19 Browsers, Disables Windows Task Manager for Stealth

Do Son October 8, 2025

Security researchers at Point Wild have uncovered a new information-stealing malware dubbed Shuyal Stealer, which pushes the...

WARMCOOKIE Resurfaces After Takedown: New Variant Adds Stealth Handlers, Uses Expired C2 Certificates Kali365 phishing platform EmEditor Supply Chain Attack, WALSHAM INVESTMENTS LIMITED EggStreme, fileless malware North Korea Cybercrime, Remote IT Job Fraud RedDelta APT

Kali365 phishing platform EmEditor Supply Chain Attack, WALSHAM INVESTMENTS LIMITED EggStreme, fileless malware North Korea Cybercrime, Remote IT Job Fraud RedDelta APT

WARMCOOKIE Resurfaces After Takedown: New Variant Adds Stealth Handlers, Uses Expired C2 Certificates

Do Son October 3, 2025

The WARMCOOKIE backdoor has resurfaced with new features, expanded infrastructure, and updated delivery mechanisms, according to a...

From Infostealer to Full RAT: Huntress Uncovers a Multi-Stage Malware Attack Deploying PureRAT AdaptixC2 Abuse, Russian Cybercrime RondoDox Botnet, Exploit Shotgun China Cyber Power, Red Hackers Nvidia cyberattack

AdaptixC2 Abuse, Russian Cybercrime RondoDox Botnet, Exploit Shotgun China Cyber Power, Red Hackers Nvidia cyberattack

From Infostealer to Full RAT: Huntress Uncovers a Multi-Stage Malware Attack Deploying PureRAT

Do Son September 29, 2025

Huntress has published a detailed investigation into a recent intrusion campaign that began as a Python-based infostealer...

REVENANT: The Experimental Framework That Infects AI Models and Evades Traditional Defenses Experimental attack framework, AI security

REVENANT: The Experimental Framework That Infects AI Models and Evades Traditional Defenses

Do Son August 18, 2025

In a new report, CYFIRMA has detailed an experimental attack framework called REVENANT, which demonstrates how adversaries...

XWorm 6.0: New Variant Uses AMSI Bypass & Critical Process Trick to Evade Detection and Crash Systems

Do Son July 29, 2025

According to the latest report from Netskope Threat Labs, a new version of the XWorm malware—XWorm 6.0—has...

From Stealer to Spy: AMOS Malware Evolves into Full-Fledged Backdoor Threat for macOS AMOS, macOS backdoor

From Stealer to Spy: AMOS Malware Evolves into Full-Fledged Backdoor Threat for macOS

Do Son July 10, 2025

In a disturbing evolution of macOS malware, Moonlock Lab has discovered that Atomic macOS Stealer (AMOS)—already notorious...

IBM X-Force Uncovers Azure Arc Flaws: Hybrid-Cloud Tool Becomes Stealthy RCE & Privilege Escalation Vector Azure Arc, Hybrid Cloud Security

IBM X-Force Uncovers Azure Arc Flaws: Hybrid-Cloud Tool Becomes Stealthy RCE & Privilege Escalation Vector

Do Son July 7, 2025

IBM X-Force has peeled back the layers on Microsoft Azure Arc, uncovering how the hybrid-cloud management tool—meant...

Critical Alert 1 Active Exploit Detected Today