Tag: Evasion
-

Virtual Walls: Curly COMrades Hides Attacks in Hyper-V VMs to Evade Detection
Threat actors affiliated with the group Curly COMrades have devised a method to conceal malicious activity from detection systems by leveraging Windows virtualization. Bitdefender’s investigation found that the attackers manually enable the Hyper-V role on compromised machines and spin up a lightweight Alpine Linux virtual machine to execute malicious code within an isolated enclave. The…
-

The Art of Digital Evasion: How Attackers Hide in Plain Sight
In the second quarter of 2025, experts at HP Wolf Security documented a wave of sophisticated attacks in which adversaries employed unconventional living-off-the-land (LOTL) tactics to evade detection. Multiple obscure system utilities were brought into play, while final malicious payloads were concealed within inconspicuous formats such as images or SVG files. This approach significantly complicates…
-

Plague Backdoor: New Linux Malware Infiltrates Authentication Stack, Evading Detection for a Year
For nearly a year, a malicious module known as Plague evaded detection by Linux security solutions, despite its active proliferation and deep entrenchment within one of the system’s most critical components—the authentication stack. Its presence was only uncovered through the forensic analysis of artifacts uploaded to VirusTotal in late July 2024. To date, none of…
-

XWorm 6.0 Unleashed: New Variant Uses AMSI Bypass & Critical Process Trick to Evade Detection and Crash Systems
A new wave of attacks leveraging the XWorm malware vividly illustrates how far threat actors have advanced in crafting tools that are both resilient to detection and resistant to analysis. The variant identified by Netskope Threat Labs—XWorm version 6.0—not only retains all the core capabilities of its predecessors but also introduces sophisticated evasion techniques, all…
-

ACRStealer’s Stealthy Evolution: New Variants Use Heaven’s Gate & Low-Level NTAPIs to Evade Detection
ACRStealer, a notorious information-stealing malware, has once again come under the spotlight following a series of enhancements that have significantly improved its resilience against detection and analysis. Over the past year—particularly since the beginning of 2025—its activity has markedly intensified, with recent iterations showcasing a rapid adaptation to modern defensive mechanisms. Initially observed by experts…
-

Coyote Banking Trojan Exploits Microsoft UI Automation for Stealthy Credential Theft
A newly evolved strain of the Coyote banking trojan has adopted an unconventional method of user surveillance on Windows systems. Malicious actors have learned to exploit Microsoft’s UI Automation (UIA) framework—originally designed to aid users with disabilities—to monitor visits to banking websites and cryptocurrency exchanges. This technique enables the malware to harvest sensitive data, including…
-

DeerStealer: New Malware Uses Stealthy LNK & LOLBins for Undetectable Data Theft
A newly uncovered malicious campaign involving the infostealer DeerStealer has been identified by researchers at ANY.RUN. Threat actors are employing a sophisticated tactic—combining Windows shortcut files (LNK) with trusted system utilities known as Living-off-the-Land Binaries and Scripts (LOLBins/LOLScripts). This multi-stage, stealth-driven strategy allows adversaries to bypass security mechanisms and evade early detection. The attack is…
-

NativeDump: Stealthy LSASS Dumping Tool Bypasses EDRs Using Only NTAPIs
NativeDump allows dumping the lsass process using only NTAPIs, generating a Minidump file containing only the streams needed for parsing by tools like Mimikatz or Pypykatz (the SystemInfo, ModuleList and Memory64List streams). NtOpenProcessToken and NtAdjustPrivilegeToken are used to obtain the “SeDebugPrivilege” privilege; RtlGetVersion is used to get the operating system version details (major version, minor version and build…
-

New SquidLoader Variant Unleashed: Stealthy Malware Hits Hong Kong Financial Sector Undetected
A newly discovered version of the SquidLoader malware has surfaced during a targeted attack on institutions in Hong Kong, sparking significant concern within the financial sector. Of particular alarm is its near-complete evasion of detection by antivirus solutions, rendering it virtually invisible to conventional security systems. The malicious campaign begins with phishing emails written in…
-

Matanbuchus 3.0: The Evolved Malware-as-a-Service Evading Detection & Exploiting Microsoft Teams
The latest iteration of the Matanbuchus malware loader, designated version 3.0, has drawn particular scrutiny from cybersecurity experts due to its significant enhancements aimed at evading detection and bypassing modern defensive systems. Originally introduced as a malware-as-a-service offering for $2,500 in February 2021 on underground forums, Matanbuchus has served as a delivery mechanism for a…
