Chinese state-backed threat actors are suspected of posing as Michigan congressman John Moolenaar in a series of spear-phishing attacks.

Chinese Hackers Allegedly Pose as US Lawmaker

LevelBlue Labs reports AsyncRAT delivered through a fileless attack chain using ScreenConnect, enabling credential theft and persistence.

LevelBlue Labs has published new research on a recent attack that used a fileless loader to deliver AsyncRAT, a well-known Remote Access Trojan used for credential theft and on compromised systems.

The investigation found that attackers gained initial access through a compromised ScreenConnect client, with SentinelOne detecting the process execution that revealed the malicious activity. The connection was routed through relay.shipperzone.online, a domain linked to unauthorised ScreenConnect deployments.

From there, a VBScript named Update.vbs was executed with WScript, which launched PowerShell commands to download two payloads, logs.ldk and logs.ldr, from an external server. These were placed in the public user directory and executed entirely in memory.

LevelBlue Labs’ technical analysis shared with Hackread.com showed the first stage was Obfuscator.dll, a .NET assembly used to launch malicious code, disable security controls, and set persistence. Its methods included patching AMSI and ETW to bypass Windows logging, dynamic API resolution to hinder static detection, and creation of a scheduled task disguised as “Skype Updater.”

The second stage, AsyncClient.exe, handled command-and-control activity. It decrypted its configuration using AES-256, which revealed its C2 server at 3osch20.duckdns.org along with infection flags and persistence settings. Communication with the server was maintained over a TCP socket using custom packet formats.

Attack flow (Image via LevelBlue Labs)

AsyncRAT’s capabilities in this case included reconnaissance of the infected machine, logging of keystrokes, collection of browser data and extensions, and continuous persistence through scheduled tasks. Sensitive data such as user credentials and clipboard contents could be exfiltrated back to the operator.

LevelBlue Labs reports that attackers are now using AsyncRAT with fileless methods that avoid traditional disk-based detection tools. The full report, including indicators of compromise and technical details, is available from LevelBlue Labs.

New Fileless Malware Attack Uses AsyncRAT for Credential Theft

An advanced persistent threat (APT) group from China has been attributed to the compromise of a Philippines-based military company using a previously undocumented fileless malware framework called EggStreme.
"This multi-stage toolset achieves persistent, low-profile espionage by injecting malicious code directly into memory and leveraging DLL sideloading to execute payloads," Bitdefender

An advanced persistent threat (APT) group from China has been attributed to the compromise of a Philippines-based military company using a previously undocumented fileless malware framework called **EggStreme**.

"This multi-stage toolset achieves persistent, low-profile espionage by injecting malicious code directly into memory and leveraging DLL sideloading to execute payloads," Bitdefender researcher Bogdan Zavadovschi said in a report shared with The Hacker News.

"The core component, EggStremeAgent, is a full-featured backdoor that enables extensive system reconnaissance, lateral movement, and data theft via an injected keylogger."

The targeting of the Philippines is something of a recurring pattern for Chinese state-sponsored hacking groups, particularly in light of geopolitical tensions fueled by territorial disputes in the South China Sea between China, Vietnam, the Philippines, Taiwan, Malaysia, and Brunei.

The Romanian cybersecurity vendor, which first detected signs of malicious activity in early 2024, described EggStreme as a tightly integrated set of malicious components that's engineered to establish a "resilient foothold" on infected machines.

The starting point of the multi-stage operation is a payload called EggStremeFuel ("mscorsvc.dll") that conducts system profiling and deploys EggStremeLoader to set up persistence and then executes EggStremeReflectiveLoader, which, in turn, triggers EggStremeAgent.

EggStremeFuel's functions are realized by opening an active communication channel with a command-and-control (C2), enabling it to -

*   Get drive information
*   Start cmd.exe and establish communication via pipes
*   Gracefully close all connections and shutdown
*   Read a file from server and save it to disk
*   Read a local file from a given path and transmit its content
*   Send the external IP address by making a request to myexternalip\[.\]com/raw
*   Dump the in-memory configuration to disk

Calling EggStremeAgent the "central nervous system" of the framework, the backdoor works by monitoring new user sessions and injects a keylogger component dubbed EggStremeKeylogger for each session to harvest keystrokes and other sensitive data. It communicates with a C2 server using the Google Remote Procedure Call (gRPC) protocol.

It supports an impressive 58 commands that enable a broad range of capabilities to facilitate local and network discovery, system enumeration, arbitrary shellcode execution, privilege escalation, lateral movement, data exfiltration, and payload injection, including an auxiliary implant codenamed EggStremeWizard ("xwizards.dll").

"The attackers use this to launch a legitimate binary that sideloads the malicious DLL, a technique they consistently abuse throughout the attack chain," Zavadovschi noted.

"This secondary backdoor provides reverse shell access and file upload/download capabilities. Its design also incorporates a list of multiple C2 servers, enhancing its resilience and ensuring that communication with the attacker can be maintained even if one C2 server is taken offline."

The activity is also characterized by the use of the Stowaway proxy utility to establish an internal network foothold. Complicating detection further is the fileless nature of the framework, causing malicious code to be loaded and executed directly in memory without leaving any traces on disk.

"This, coupled with the heavy use of DLL side-loading and the sophisticated, multi-stage execution flow, allows the framework to operate with a low profile, making it a significant and persistent threat," Bitdefender said.

"The EggStreme malware family is a highly sophisticated and multi-component threat designed to achieve persistent access, lateral movement, and data exfiltration. The threat actor demonstrates an advanced understanding of modern defensive techniques by employing a variety of tactics to evade detection."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Chinese APT Deploys EggStreme Fileless Malware to Breach Philippine Military Systems

The Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) helps organizations assess and improve their threat intelligence programs by outlining 11 key areas and specific missions where CTI can support decision-making.

Wednesday, September 10, 2025 10:01

*   The Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) helps organizations assess and improve their threat intelligence programs by outlining 11 key areas and specific missions where CTI can support decision-making. 
*   The model describes four levels of maturity, guiding teams from basic, ad hoc activities to highly strategic and refined practices through a cycle of continuous improvement. 
*   CTI-CMM builds on earlier capability models and research, offering a practical framework for organizations to benchmark and evolve their CTI efforts. 

**Overview **

The familiar idiom “walk before you run” summarizes a fundamental truth about skill acquisition: you must master certain foundational capabilities before you can successfully execute more complex activities. This principle applies universally, from learning a new sport to developing highly specialized technical skills. Any area will have foundational skills, activities that anyone competent in the domain can perform, and characteristics that show that an individual (or team) has reached the highest levels of mastery. 

Capability maturity models (CMMs) outline the hierarchy of skills and activities that may be required within a particular area. The capabilities and characteristics are listed for teams of different levels of maturity operating within a domain. These descriptions can be used to evaluate the current level of a team or to identify the capabilities that must be acquired in order to improve. 

Despite its importance, the exact function of cyber threat intelligence (CTI) can vary widely across organizations. The community-developed  Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) shows how threat intelligence can help an organization and the various levels of capability that cyber threat intelligence teams can achieve. 

**Details **

The CTI-CMM lists 11 domains where CTI can greatly improve decision-making,  and also details specific “missions” CTI can carry out to strengthen each domain. 

Domain 

Abridged Description 

Example CTI Mission 

Asset, Change and Configuration Management 

Manage the organization’s IT and OT assets. 

Rapidly detect at-risk assets. 

Threat and Vulnerability Management 

Detect, identify, analyze, manage, and respond to cybersecurity threats and vulnerabilities. 

Reduce risk against new and emerging adversaries, malware, vulnerabilities, and exploits. 

Risk Management 

Identify, analyze and respond to cyber 

risk the organization is subject to. 

Improve risk decisions. 

Identity and Access Management 

Manage identities for entities that may be 

granted logical or physical access to the organization’s assets. 

Reduce incident detection times, accelerate remediation. 

Situational Awareness 

Establish situational 

awareness for operational state and cybersecurity state. 

Drive threat-informed decision-making based on the current and forecast threat landscape. 

Event and Incident Response, Continuity of Operations 

Respond to, and recover from cybersecurity events and incidents. 

Create an intelligence 

advantage for incident responders and strengthen the security posture. 

Third-Party Risk Management 

Manage the cyber risks arising from suppliers and other third parties 

Monitor, detect, assess and mitigate potential incidents posed by third-party vendors and suppliers. 

Fraud and Abuse Management 

Shield organizations from malicious digital scams and attacks. 

Share threats 

and findings with relevant stakeholders. 

Workforce Management 

Create a culture of cybersecurity 

and security competence. 

Support hardening of the human element. 

Cybersecurity Architecture 

Maintain the structure and behavior of the organization’s cybersecurity architecture. 

Provide insights into cyber threats that may 

target the organization. 

Cybersecurity Program Management 

Provides governance, strategic planning and sponsorship for the organization’s cybersecurity activities. 

Deliver tailored intelligence inputs to 

inform cybersecurity decision-making. 

  
The missions span a wide spectrum, from proactively monitoring an organization’s attack surface in support of asset management to providing crucial situational awareness of the evolving threat landscape and its direct relevance to organizational activities. 

The CTI-CMM also defines distinct levels of maturity for threat intelligence activities, providing a clear progression path: 

A placeholder for practices that are not executed. 

Many threat intelligence activities begin here, characterized by basic, ad hoc and unplanned efforts focused on short-term, reactive results. 

As an activity matures, it becomes planned, with documented procedures and metrics demonstrating its support for stakeholders. The focus shifts towards proactive and predictive intelligence, delivering short- and intermediate-term results. 

At the highest level, activities are highly refined, focusing on delivering long-term strategic outcomes for the business. This level integrates prescriptive intelligence and recommendations, combined with continuous improvement practices, making practices measurable and aligned directly to business objectives. 

  
The framework espouses an improvement process analogous to the “plan, do, check, act” management model. In this case, the steps within a cycle of improvement are “prepare, assess, plan, deploy, measure.” With each rotation through the cycle, the capabilities of the threat intelligence program are incrementally improved, growing the maturity of the program. 

**History of CTI-CMM **

This approach to improving capabilities and benchmarking against defined standards is not new. CMMs originated in the mid-1980s, driven by the U.S. Department of Defense's desire to compare and evaluate software contractors. Largely thanks to the efforts of the Software Engineering Institute (SEI) at Carnegie Mellon University, CMMs evolved into the widely-applied Capability Maturity Model Integration (CMMI). 

The CTI-CMM adopts domains from the Cybersecurity Capability Maturity Model (C2M2), developed by the U.S. energy industry and first published in 2012. While the C2M2 acknowledged the importance of threat intelligence as a concept within overall cybersecurity posture, it did not specifically address the maturity of a dedicated threat intelligence program. However, the very first paper describing a maturity model for threat intelligence was published in the same year by the industry vendor Verisign. Thus, the origins of the CTI-CMM can be traced back to these two initiatives of the early 2010s. 

**Closing **

It's crucial for organizations to understand that aspiring to the highest level of CTI maturity is not always a practical goal. The intelligence program should focus on meeting the real needs of its users and stakeholders rather than seeking to hit a high score on an industry framework. An intelligence team with more resources may produce “better” intelligence and be more responsive. However, in a world of finite resources, those additional resources may be better spent in delivering “good enough” intelligence to teams that can use it well, rather than delivering the best intelligence to teams without the capacity or resources to effectively utilize the information. 

Ultimately, the Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) provides an invaluable resource for organizations to assess and evolve their CTI capabilities. As threat intelligence solidifies its role as an indispensable component of cybersecurity strategy, maturity models tools will become not only the drivers for internal organizational growth but also key instruments for external entities to benchmark and compare organizations’ overall cybersecurity maturity.

Maturing the cyber threat intelligence program

Sofia, Bulgaria, 10th September 2025, CyberNewsWire

**Sofia, Bulgaria, September 10th, 2025, CyberNewsWire**

Kikimora, a cybersecurity specialist and a product developer, has announced the launch of Kikimora Agent, a new AI-powered platform providing accessible cybersecurity management, vulnerability detection, and asset monitoring for businesses, individuals, and students. Kikimora Agent combines conversational AI with automated security workflows, reducing the workload for small and medium-sized enterprises (SMEs) facing increased cyber attacks and growing security skills shortages.

> “Kikimora Agent reduces manual tool juggling and high skill requirements. The platform allows users to easily manage assets, run vulnerability scans, and generate compliance reports with simple prompts. It delivers immediate value to security teams with minimal setup and almost no learning curve.”, highlights Krasimir Kotsev, CEO of Kikimora.

Kikimora Agent is designed to simplify traditionally complex cybersecurity processes and provides a split-screen interface for conversational interactions and live inventory management. Users can interact via natural language prompts to access security tools, manage infrastructure, monitor vulnerabilities, and receive actionable recommendations for remediation and compliance.

Key segments supported include Attack Surface Management, Vulnerability Management, Asset Management, Endpoint Security, and Security Project Management.

> “Automation in cybersecurity is no longer a luxury – it’s a necessity for organizations with limited resources,” said Martin Malinov, Head of Product of Kikimora Agent.

Kikimora Agent combines a range of security integrations – such as Qualys web application scanning and Wazuh endpoint monitoring – ensuring users maintain control over data privacy and compliance requirements. Kikimora Agent supports full workflow management, including listing and updating assets, executing and tracking vulnerability scans, assigning remediation tasks, querying OWASP checklists, and onboarding new endpoints. The agent’s experiment-and-estimate vertical allows rapid learning, scenario analysis, and tool migration without lengthy setup cycles.

The agent can perform tasks based on local context, and provide actionable recommendations to improve your remediation efforts. Simply typing ‘Scan my web application…’, ‘List my current assets…’, or ‘Create a plan for NIS2 compliance…’ will prompt the agent to provide detailed information and a step-by-step guide to accomplish current objectives.

The launch comes at a time when European SMEs are facing more cyber threats, with rising attack rates and stricter regulations like GDPR and NIS2. The goal of the Kikimora Agent is to reduce operational complexity and provide consolidated access to AI-enhanced security tools to a wider range of organizations and budgets.

Users can start using Kikimora Agent at: https://agentic.kikimora.io/

Users can find Get Started Guides, Documentation & Example Prompts: https://kikimora.gitbook.io/kikimora-agent-guide-early-access/

**About Kikimora**

Built by the experienced team of SoCyber, Kikimora provides cybersecurity solutions for organizations across Europe, specializing in cybersecurity product development and accessible automation. The company is committed to improving accessibility and security through practical, AI-powered tools that simplify operations for small and midsize teams.

**Contact**

**CEO**  
**Krasimir Kotsev**  
**Kikimora**  
**\[email protected\]**

Kikimora Announces Launch of Kikimora Agent: Accessible AI-Powered Cybersecurity Platform for SME Security

As Kubernetes becomes the foundation of enterprise infrastructure, the underlying operating system must evolve alongside it.

The Quiet Revolution in Kubernetes Security

On Wednesday morning, Poland shot down several Russian drones that entered its airspace—a first since Moscow’s invasion of Ukraine. The incident disrupted air travel and set the region on edge.

Early Wednesday morning, Poland shot down several Russian drones that had violated its airspace during a massive strike against western Ukraine. The Polish military operation, confirmed by Prime Minister Donald Tusk through a social media message in the early morning hours, marks a turning point in Warsaw's involvement in the conflict that has affected the region for more than two and a half years. The Polish defense agency reported the presence of more than 10 objects coming from Ukrainian airspace and called the violation an “act of aggression.”

**Poland Invokes NATO Article 4**

In response to the raid, Poland activated Article 4 of NATO, the North Atlantic Treaty, requesting immediate consultations with allies. Tusk urgently convened a meeting of the Council of Ministers at 8 am local time, maintaining constant contact with the alliance's secretary general, Mark Rutte, to coordinate the political and diplomatic response.

Article 4 allows a NATO member to solicit consultations whenever it believes its security, territorial integrity, or political independence is threatened. Unlike Article 5, which provides for collective military action in the event of an armed attack, Article 4 does not compel immediate military action, but its activation nevertheless constitutes a significant political escalation, as it emphasizes the unity of the alliance in responding to perceived threats against NATO members.

Poland had already been on high alert for possible aircraft overruns since at least November 2022, when a stray Ukrainian missile accidentally hit a village in the south of the country, killing two people. Until now, however, there had been no recorded cases of Polish or allied defense systems shooting down drones on national territory. Ukrainian president Volodymyr Zelensky claimed on Wednesday that “at least eight” Iranian-made Shahed drones were “aimed in the direction of Poland” during the nighttime attack, suggesting the incursion into Polish airspace was intentional.

**NATO Defense Activated**

Residents of the affected Polish areas reported hearing explosions in the sky during the night, followed by the activation of warning sirens. The alert was triggered precisely during a large-scale Russian attack on Ukraine's western regions, particularly those in Volyn and Lviv that directly border Poland.

According to information released by the Polish military command, national and NATO air defense systems were activated immediately after radar detected the entry of unmanned aircraft into Polish airspace. The interception operation continued for several hours, with the armed forces neutralizing objects deemed dangerous using air defense systems. The search for the wreckage of the downed drones is still ongoing in the eastern parts of the country as of midday Wednesday.

**Airports Temporarily Closed**

The intervention led to the temporary closure of four airports, including Warsaw-Chopin and Lublin, as well as the Rzeszów airport, which has become a crucial hub for sending Western military aid to Ukraine in the past two years. The United States Federal Aviation Administration confirmed the temporary closure of the Polish airports for “unplanned military activity related to national security.”

The Russian drone strike also hit eastern Ukraine hard: According to reports by the BBC citing local Ukrainian officials, 24 people were killed and 19 wounded in an air raid on a village in the Donetsk region, where the victims were standing in line to collect their pensions. The incident comes amid a particularly intense phase of the conflict, where Moscow's troops are carrying out a slow but steady offensive in much of Donetsk, in western Ukraine. Meanwhile, diplomatic attempts to reach a peace agreement have essentially stalled, and contacts between Washington and Moscow in recent months have produced no concrete results.

**Rising Tensions**

The incident comes at a time of particular tension in the region. Only 24 hours before Poland shot down Russia's drones, the Polish president warned during a press conference in Helsinki that Russian president Vladimir Putin would be ready to invade other countries after the aggression against Ukraine. The timing of the incursion takes on even greater significance when one considers that on Friday, September 13, Russia and Belarus will kick off joint military exercises dubbed “Zapad,” which have already raised regional security concerns.

Poland had announced Tuesday that it was closing its border with Belarus precisely in response to what Warsaw calls “very aggressive” maneuvers, in addition to the growing number of provocations by Moscow and Minsk. Neighboring Lithuania has also decided to tighten border controls, a sign of widespread alertness among NATO member countries that border Russia and Belarus.

Wednesday's incident also comes at a delicate time for international diplomacy: US president Donald Trump declared over the weekend that he was ready to move to a second phase of sanctions against Russia after months of unsuccessful negotiations for a peace agreement between Moscow and Kyiv. The downing of drones on Polish territory now risks further complicating any mediation efforts.

_This story originally appeared on WIRED Italia and has been translated from Italian._

Here’s What to Know About Poland Shooting Down Russian Drones

The New York Blood Center has started sending out data breach notifications to those affected by a recent ransomware attack.

A blood center has begun sending data breach notifications to its users after suffering a ransomware attack and theft of personal data.

The New York Blood Center’s (NYBC) suffered the ransomware attack in January, in which an unauthorized party gained access to its network and acquired copies of a subset of files. The security incident was first noticed on January 26, 2025, but this week NYBC has started notifying victims.

NYBC publicly acknowledged the scale but has not issued a precise number of affected people due to ongoing investigations and limitations in contact information for all service recipients. Based on documents that NYBC submitted to regulators in several states, hackers could have stolen information belonging to at least tens of thousands of people.

NYBC ranks among the largest independent community-based blood collection organizations in the US. It serves over 75 million people across more than 17 states and delivers about one million lifesaving blood products annually.

The information varies per affected individual but can include:

*   Name
*   Social Security number
*   Driver’s license or other government identification card number.
*   Financial account information if you participated in direct deposit.

NYBC also provides clinical services, and diagnostic blood testing, for which it needs clinical information from healthcare providers. New York Blood Center Enterprises said some of this information was also accessed by the attackers during the cyber incident.

So far it is unknown which ransomware group might have been behind the attack, and we have seen no threats to publish or sell the acquired data. But this could change quickly once negotiations about the ransom come to an end without the cybercriminals getting paid what they demand.

****Protecting yourself after a data breach****

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor** **authentication** **(****2FA****).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up** **identity monitoring****.** Identity monitoring alerts you if your personal information is found being traded illegally online and helps you recover after.

 Ransomware attack at blood center: Org tells users their data&#8217;s been stolen 

An unsecured database managed by Hello Gym has exposed over 1.6 million audio recordings of gym members. Learn…

An unsecured database managed by Hello Gym has exposed over 1.6 million audio recordings of gym members. Learn why this data leak leaves customers vulnerable to spear-phishing, deepfakes, and identity theft.

A data exposure incident has hit Hello Gym, a Minnesota-based company that provides technology services to the fitness industry. Website Planet’s cybersecurity researcher Jeremiah Fowler discovered a database that was not protected by a password, exposing a substantial number of audio files.

****A Look at the Exposed Data****

Fowler’s findings, shared with Hackread.com, reveal that the database contained more than 1.6 million audio files (specifically 1,605,345 files), which included phone recordings and voicemails collected from 2020 to 2025. These files contained personal details that could be used for various malicious purposes. The data got exposed for being stored in an unprotected storage area, which means anyone with the right knowledge could access it without needing a password.

Further probing revealed that the records belonged to numerous gyms across the US and Canada. While the calls referenced well-known fitness brand names, Fowler identified that a third-party contractor, Hello Gym, managed the database. He confirmed this by speaking with corporate representatives who clarified that while the corporations themselves don’t record audio, some independent franchisees were using a third-party service for this purpose.

The concerning aspect is that the information inside the audio files includes customer names, phone numbers, and the reasons for their calls to the gym. This type of data is referred to as Personally Identifiable Information, or PII, and its exposure could potentially leave gym members and staff vulnerable to significant risks.

It is worth noting that the database was secured within hours of the researcher’s disclosure. However, it is not known how long the database was exposed or whether anyone else gained access to it.

****Risks and Dangers****

In a world where technology is always advancing, audio recordings, especially those containing a person’s voice, are highly valuable to cybercriminals as these can be used for spear-phishing or social engineering attacks, impersonation, or identity theft. As Fowler noted in the blog post that audio recordings and voicemails “should not have been publicly accessible, as they often included personal details.”

For example, a scammer could use the specific details from a voicemail to build trust and trick someone into giving away more private information. They could easily impersonate gym staff members and convince them to share sensitive payment information or other private data.

Furthermore, voice data can be used to create deepfakes, which refer to convincing but false recordings, and use them to impersonate individuals for scams or financial crimes. Though the immediate securing of the database is a positive step, the exposure of such sensitive data highlights the critical need for all companies to be alert in protecting their customers’ information.

Hello Gym Data Leak Exposes 1.6 Million Audio Files of Gym Members

Cybersecurity researchers have discovered two new malware families, including a modular Apple macOS backdoor called CHILLYHELL and a Go-based remote access trojan (RAT) named ZynorRAT that can target both Windows and Linux systems.
According to an analysis from Jamf Threat Labs, ChillyHell is written in C++ and is developed for Intel architectures.
CHILLYHELL is the name assigned to a malware

Cybersecurity researchers have discovered two new malware families, including a modular Apple macOS backdoor called **CHILLYHELL** and a Go-based remote access trojan (RAT) named **ZynorRAT** that can target both Windows and Linux systems.

According to an analysis from Jamf Threat Labs, ChillyHell is written in C++ and is developed for Intel architectures.

CHILLYHELL is the name assigned to a malware that's attributed to an uncategorized threat cluster dubbed UNC4487. The hacking group is assessed to have been active since at least October 2022.

According to threat intelligence shared by Google Mandiant, UNC4487 is a suspected espionage actor that has been observed compromising the websites of Ukrainian government entities to redirect and socially engineer targets to execute Matanbuchus or CHILLYHELL malware.

The Apple device management company said it discovered a new CHILLYHELL sample uploaded to the VirusTotal malware scanning platform on May 2, 2025. The artifact, notarized by Apple back in 2021, is said to have been publicly hosted on Dropbox since then. Apple has since revoked the developer certificates linked to the malware.

Once executed, the malware extensively profiles the compromised host and establishes persistence using three different methods, following which it initializes command-and-control (C2) communication with a hard-coded server (93.88.75\[.\]252 or 148.72.172\[.\]53) over HTTP or DNS, and enters into a command loop to receive further instructions from its operators.

To set up persistence, CHILLYHELL either installs itself as a LaunchAgent or a system LaunchDaemon. As a backup mechanism, it alters the user's shell profile (.zshrc, .bash\_profile, or .profile) to inject a launch command into the configuration file.

A noteworthy tactic adopted by the malware is its use of timestomping to modify the timestamps of created artifacts to avoid raising red flags.

"If it does not have sufficient permission to update the timestamps by means of a direct system call, it will fall back to using shell commands touch -c -a -t and touch -c -m -t respectively, each with a formatted string representing a date from the past as an argument included at the end of the command," Jamf researchers Ferdous Saljooki and Maggie Zirnhelt said.

CHILLYHELL supports a wide range of commands that allow it to launch a reverse shell to the C2 IP address, download a new version of the malware, fetch additional payloads, run a module named ModuleSUBF to enumerate user accounts from "/etc/passwd" and conduct brute-force attacks using a pre-defined password list retrieved from the C2 server.

"Between its multiple persistence mechanisms, ability to communicate over different protocols and modular structure, ChillyHell is extraordinarily flexible," Jamf said. "Capabilities such as timestomping and password cracking make this sample an unusual find in the current macOS threat landscape."

"Notably, ChillyHell was notarized and serves as an important reminder that not all malicious code comes unsigned."

The findings dovetail with the discovery of ZynorRAT, a RAT that uses a Telegram bot called @lraterrorsbot (aka lrat) to commandeer infected Windows and Linux hosts. Evidence shows that the malware was first submitted to VirusTotal on July 8, 2025. It does not share any overlaps with other known malware families.

Compiled with Go, the Linux version supports a wide range of functions to enable file exfiltration, system enumeration, screenshot capture, persistence through systemd services, and arbitrary command execution -

*   /fs\_list, to enumerate directories
*   /fs\_get, to exfiltrate files from the host
*   /metrics, to perform system profiling
*   /proc\_list, to run the "ps" Linux command
*   /proc\_kill, to kill a specific process by passing the PID as input
*   /capture\_display, to take screenshots
*   /persist, to establish persistence

ZynorRAT's Windows version is near-identical to its Linux counterpart, while still resorting to Linux-based persistence mechanisms. This likely indicates that development of the Windows variant is a work in progress.

"Its main purpose is to serve as a collection, exfiltration, and remote access tool, which is centrally managed through a Telegram bot," Sysdig researcher Alessandra Rizzo said. "Telegram serves as the main C2 infrastructure through which the malware receives further commands once deployed on a victim machine."

Further analysis of screenshots leaked via the Telegram bot has revealed that the payloads are distributed via a file-sharing service known as Dosya.co, and that the malware author may have "infected" their own machines to test out the functionality.

ZynorRAT is believed to be the work of a lone actor possibly of Turkish origin, given the language used in Telegram chats.

"Although the malware ecosystem has no shortage of RATs, malware developers are still dedicating their time to creating them from scratch," Rizzo said. "ZynorRAT's customization and automated controls underline the evolving sophistication of modern malware, even within their earliest stages."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Latest News