Resecurity has identified PDFSIDER malware that exploits the legitimate PDF24 App to covertly steal data and allow remote access. Learn how this APT-level campaign targets corporate networks through spear-phishing and encrypted communications.

A new cybersecurity threat has been discovered that exploits a common office tool to create a backdoor. The malware, known as PDFSIDER, was recently identified by the research firm Resecurity after a Fortune 100 corporation successfully blocked an attempt to break into its network.

This investigation, which was shared with Hackread.com, reveals a highly organised campaign designed to evade modern security systems.

****How Legitimate Software is Being Manipulated****

The attack starts with spear-phishing emails that are highly targeted messages that trick victims into downloading a ZIP file. Inside it is a legitimate program called PDF24 App, created by Miron Geek Software GmbH. While the app itself is a real tool for managing documents, the hackers exploit its vulnerabilities using a technique called DLL side-loading.

In this case, this method works by placing a malicious file named cryptbase.dll in the same folder as the real PDF24.exe. When the user opens the program, the computer is tricked into loading the attacker’s code instead of the real system file. The malware runs entirely in the system’s memory, which allows it to bypass traditional antivirus tools.

To keep the victim unaware, researchers noted that the malware uses a hidden command string labelled CREATE_NO_WINDOW, ensuring that “no visible console appears” on the screen while it operates.

****A Tool Built for Espionage****

According to Resecurity’s blog post, PDFSIDER is classified as an Advanced Persistent Threat (APT). This means it is built for long-term spying rather than a quick hit. The malware is also very cautious; it uses the GlobalMemoryStatusEx function to check the system’s RAM. If it detects low memory (a common sign of a sandbox used by security experts for testing), it will trigger an early exit to stay hidden.

Once active, the malware uses the Botan 3.0.0 cryptographic library to secure its communications. It uses AES-256-GCM encryption to lock up the data it steals, creating a “unique ID” for your computer and sending the output back to a private VPS server via DNS port 53.

Malware analysis (source: Resecurity)

****Links to Known Hacking Groups****

The campaign has shown a high level of persistence. In one recent case, the hackers even tried “impersonating technical support” using QuickAssist to gain remote access. They have also used fake documents designed to look like the PLA Intelligence Bureau authored them to lure in victims.

Fake document from the PLA Intelligence Bureau of the Joint Staff Department (中央军委联合参谋部情报局) (Source: Resecurity)

Researchers believe this style of attack overlaps with groups like Mustang Panda, which was found using the new LOTUSLITE backdoor to spy on the US government using a Venezuela news-themed lure.

While this specific investigation focused on a single corporate target, the Resecurity HUNTER team warned that several ransomware groups are now using PDFSIDER as a way to deliver their own payloads. This makes the discovery a vital piece of information for anyone looking to protect their online workspace.

Hackers Exploiting PDF24 App to Deploy Stealthy PDFSIDER Backdoor

Researchers have found a new spying campaign using news about Venezuela to trick US government officials. Learn how the LOTUSLITE virus sneaks into computers to steal secrets.

Cybersecurity researchers at Acronis Threat Research Unit (TRU) have found that hackers are using news headlines to spy on US government groups. Instead of using complex exploits, these attackers are relying on a much simpler trick- curiosity about current events.

Report authors Ilia Dafchev and Subhajeet Singha explained that the campaign uses the ongoing political tension between the US and Venezuela as bait. The trap starts with a file called “US now deciding what’s next for Venezuela.zip,” which is a classic move involving using big news stories to trick a government official into clicking before they think.

****The Backdoor Strategy****

The technical side of the attack is based on a sneaky move called DLL sideloading, in which the hackers hide a virus inside a program that looks safe. In this particular campaign, they used a renamed music player from a company called Tencent, naming it “Maduro to be taken to New York.exe.”

The spear phishing archive named US now deciding what’s next for Venezuela.zip and the malicious files are clearly visible (Source: Acronis)

When someone runs that music player, the computer is tricked into opening a hidden, malicious file called kugou.dll. This file is a backdoor that researchers have named LOTUSLITE. Once it is active, the hackers obtain a secret way in, allowing them to steal files, watch the screen, or run commands as if they were sitting at the desk.

The malware even tries to stay invisible by pretending to be Googlebot, the tool Google uses to browse the web. It sends stolen information to a computer at the IP address 172.81.60.97 in Phoenix, Arizona.

****Clues Leading to Mustang Panda****

In ther report, researchers noted that the hackers left some odd clues behind; the code contained hidden messages where the author claimed to be Chinese and specifically said they were not Russian. “The loader demonstrates low development maturity,” the team noted, which suggests the hackers were in a rush to get the attack out while the news was still fresh.

Based on these patterns, the Acronis team believes with “moderate confidence” that the China-backed hacking group Mustang Panda (aka HoneyMyte) is responsible, which is well-known for using breaking news to launch quick spying missions.

The goal here is clearly espionage, involving gathering political and strategic intelligence rather than stealing money. By choosing reliable, simple methods over complex ones, the attackers prioritise getting the job done over being technically fancy.

This approach is common for state-aligned groups who want a steady stream of information, and this shows that even a simple email about the news can be a powerful tool for a spy to peek into government secrets.

Mastang Panda Uses Venezuela News to Spread LOTUSLITE Malware

The activist website called "ICE List" was offline after a massive DDoS attack. The crash followed a leak of 4,500 federal agent names linked to the Renee Nicole Good shooting.

The website ICE List, also known as the (ICE List Wiki), was crippled by a major cyber attack after it prepared to publish the identities of thousands of federal agents in the United States, particularly those associated with Immigration and Customs Enforcement, ICE.

The site’s founder, Netherlands-based activist Dominick Skinner, confirmed that a massive DDoS attack began flooding their servers on Tuesday evening last week.

For your information, a DDoS attack works by flooding a website with so much fake traffic that it eventually crashes. Skinner told reporters that the length and intensity of this attack suggest a deliberate, organised effort to keep the leaked information from reaching the public.

Homepage of the ICE List website

****The Shooting That Sparked the Leak****

According to The Daily Beast, the data at the centre of this battle was provided by a whistleblower from the Department of Homeland Security (DHS). The leak reportedly includes the names, personal phone numbers, and work histories of roughly 4,500 employees from ICE and Border Patrol.

Further probing revealed that the whistleblower was moved to act following the death of Renee Nicole Good, a 37-year-old mother of three, who was fatally shot by an ICE agent in Minneapolis on January 7, 2026.

Within hours of the shooting, activists managed to identify the agent involved as Jonathan E. Ross. Skinner noted that for the whistleblower, this tragic incident was the “last straw,” leading them to hand over a dataset full of work emails, job titles, and résumé-style background info.

****Identifying the Attackers****

While the site is back online, Skinner observed that much of the malicious traffic appeared to originate from a bot farm in Russia. However, it is nearly impossible to track the true source, as in the world of hacking, proxies are often used to bounce signals through different countries to hide a person’s tracks. Skinner described the attack as “sophisticated,” suggesting that the attackers are highly determined to keep the names hidden.

Skinner’s team continues to operate out of the Netherlands to stay beyond the immediate reach of US authorities. Despite the crash, they remain committed to the project with plans to move to more secure servers. They plan to publish most of the names, though they intend to omit certain staff members, such as nurses or childcare workers.

ICE Agent Doxxing Platform was Crippled After Coordinated DDoS Attack

A supply chain vulnerability in AWS CodeBuild recently put the entire AWS Console at risk. Learn how Wiz Research found the flaw and how Amazon responded to prevent a global security crisis.

A massive security hole that could have given hackers total control over Amazon Web Services (AWS) was recently fixed before anyone could actually use it for harm. The discovery, made by Wiz Research, prevented what they called a “historic near miss” for the millions of businesses and people who rely on the cloud every day.

****A Two-Character Mistake****

The vulnerability, which researchers named CodeBreach, was found inside a tool called AWS CodeBuild. In technical terms, this tool is part of a supply chain, which is basically the automated series of steps that take a developer’s raw code and turn it into a finished software product. In this case, the flaw hit the AWS JavaScript SDK, a key library that acts as the engine for the AWS Console.

As we know it, the Console is the main dashboard where users manage their entire cloud presence. Because the dashboard depends on this specific library to work, a flaw here meant the entire management platform was at risk.

The root of the problem was surprisingly simple, related to two missing characters in a security filter. This filter used a search pattern (known as a Regex) to decide which code updates were safe to run, and those two missing characters meant the filter wasn’t properly anchored.

According to researchers, this allowed them to “infiltrate the build environment and leak privileged credentials.” Further probing revealed that once they had those credentials, they could have taken over the entire software repository.

****Preventing a Global Crisis****

If a malicious actor had spotted this first, they could have injected backdoor code directly into the AWS infrastructure. Wiz, which shared this research with Hackread.com, noted in the blog post that the scale of such an attack could have eclipsed the infamous SolarWinds breach.

According to researchers, they alerted Amazon to the issue on August 25, 2025. AWS acted fast, fixing the main issue within 48 hours and rolling out global security improvements shortly after. If you are a regular AWS user, you don’t need to do anything. Amazon has already handled the cleanup on its end.

Attack process explained (source: Wiz Research)

****Lessons for Developers****

While this specific fire was put out, researchers noted that these types of risks are on the rise because “one small thing can lead to an insanely large break.” This follows a similar incident from last July involving the Amazon Q extension.

To stay safe, Wiz Research suggests that anyone using CodeBuild should turn on a Pull Request Comment Approval gate. This ensures that no automated build starts until a trusted human reviews the request.

How 2 Missing Characters Nearly Compromised AWS

Dutch police arrest the alleged AVCheck operator at Schiphol as part of Operation Endgame, a global effort targeting malware services and cybercrime.

Dutch police have arrested a 33-year-old man at Amsterdam’s Schiphol Airport, allegedly the mastermind behind AVCheck. This arrest marks the latest victory for Operation Endgame, a global mission that has dismantled major malware networks like DanaBot and Rhadamanthys.

The search for the person behind a dangerous testing ground for hackers has officially ended in the Netherlands. According to official reports, the Royal Netherlands Marechaussee, the country’s military police, arrested a 33-year-old man believed to be the head of a massive criminal service, AVCheck.

The arrest took place at Schiphol Airport in Amsterdam this past Sunday evening. The suspect had reportedly been living in the United Arab Emirates (UAE) for some time, but he was caught the moment he returned to the Netherlands.

****What was his alleged crime?****

According to the Dutch Police’s press release, the man is allegedly the person behind AVCheck, a malware screening website. Before criminals sent out malware, they would upload it to AVCheck to see if it could be caught by antivirus software.

If the antivirus found it, the hackers would keep changing their code until it was invisible. This allegedly allowed them to break into computers and steal data without anyone knowing. For your information, this service is believed to have helped criminals refine dangerous tools like the Lumma Stealer, which is used to snatch people’s private login details.

How AVCheck worked (Source: eSentire)

****How they caught him****

This arrest was a major win for a huge international mission called Operation Endgame. The Dutch police worked closely with the FBI and authorities in Finland to take the AVCheck website down in mid-2025. The data found on the site’s servers led investigators straight to this suspect and two companies in Amsterdam that allegedly helped him run the platform.

AVCheck official seizure notice

Hackread.com has covered this massive operation for years, noting its deep impact on the cybercrime world. While this specific arrest is new, it follows a series of successful strikes against hacker networks.

For instance, in early 2024, police dismantled dropper networks like Smokeloader and Bumblebee, which are tools used to secretly install viruses on victims’ computers. In May 2025, authorities successfully took down the DanaBot network, which had infected 300,000 computers and caused an estimated $50 million in damages.

Most recently, in November 2025, authorities shut down systems used by groups like Rhadamanthys, which had targeted thousands of cryptocurrency wallets and stolen millions of login details.

****What happens now?****

While those earlier missions targeted the hackers themselves, this current arrest focuses on the person who allegedly provided the tools to help those groups stay hidden. The suspect’s name has not been released to the public to protect his privacy until a court actually decides if he is guilty.

When he was caught at the airport, the police seized his phones and computers. Experts are now looking through these devices to see if he was helping other famous hacker groups. For now, he remains in custody as the investigation moves into its next phase.

Operation Endgame: Dutch Police Arrest Alleged AVCheck Operator

Hackread.com exclusive: Scammers are using verified PayPal invoices to launch callback phishing attacks. Learn how the "Alexzander" invoice bypasses Google filters.

A new phishing scam is leveraging PayPal’s legitimate invoice system to trick unsuspecting users, even appearing with the coveted “blue tick” verification mark in their inboxes. This sophisticated attack is bypassing traditional email security filters and leaving even tech-savvy individuals confused.

Hackread.com has obtained direct evidence of this escalating threat, confirming that attackers are exploiting PayPal’s own services to send fraudulent money requests, making them appear entirely authentic.

****The Deception: Why the Blue Tick is a Lie****

You’ve been taught to look for red flags: spelling errors, suspicious links, and unverified senders. But this scam exploits trust. Earlier today, one of our team members at Hackread.com received an invoice email with a PayPal blue tick, addressed to a completely unknown email: [email protected].” It looked completely legitimate, directly from [email protected], but the content was clearly malicious.

Here’s how this “no-phish” phish works:

*   **Legitimate Source:** Scammers create a legitimate (albeit fraudulent) business account on PayPal.

*   **Real Invoices:** They use PayPal’s actual “Money Request” or “Invoice” feature. Because PayPal itself is sending the email, it passes all authentication checks (SPF, DKIM, DMARC) and earns the “blue tick” (Brand Indicators for Message Identification – BIMI) in your inbox. In this case, the email bypassed the security filters offered by Google Workspace.

*   The Hidden Trap: The actual scam isn’t in a malicious link (though a link to a legitimate PayPal invoice is present). Instead, it’s in the “Note to Customer” section of the invoice. Here, scammers insert their messages like: “Your account has been charged $843.29, if you did not approve this, Contact Support +1-805-400-3162.”

*   **The Wrong Recipient Trick:** By addressing the email to an obscure or group email address (like [email protected]), the attackers aim to confuse recipients. Users often think, “This isn’t for me, but it’s from PayPal… something is wrong!” This confusion is designed to make you call the fraudulent phone number.

Screenshot of the actual CC’d email (Credit: Hackread.com)

****The Real Danger: Call-Back Phishing****

This is a straightforward callback phishing attack. The FBI has issued multiple warnings about this tactic. The phone number provided in the invoice note does NOT belong to PayPal. It connects directly to a scam call center. Once on the phone, the scammers will employ social engineering tactics to:

*   Gain **remote access** to your computer (e.g., asking you to install “AnyDesk” or “TeamViewer”).

*   Trick you into logging into your bank account or other sensitive financial platforms.

*   “Help” you reverse the fraudulent charge, often by making you believe you accidentally transferred too much money, leading them to demand you send them money back.

****What You MUST Do to Stay Safe:****

*   **DO NOT Call Any Number in the Email:** This is the primary trap. PayPal will never ask you to call a number from an invoice note.

*   **DO NOT Click Any Links in the Email (Even if they look real):** While the link might go to a real PayPal invoice, engaging with it can still lead to confusion.

*   **Access PayPal Directly:** If you receive such an email, immediately open your web browser, type www.paypal.com manually, and log into your account.

*   **Check for Pending Requests:** Look for any unexpected “Money Requests” or “Invoices” in your PayPal activity. If you find the fraudulent one, do not pay it.

*   **Report the Fraud:** On the legitimate PayPal website, you can usually “Cancel” or “Report” the invoice directly. You should also forward the scam email (as an attachment if possible) to PayPal’s phishing team: [email protected].

*   **Educate Others:** Warn your friends, family, and colleagues about this evolving threat. The “blue tick” is no longer a guaranteed sign of safety.

****PayPal Acted Quickly****

Hackread.com reported the incident to PayPal, which responded within hours by removing the invoice and replacing its content with a scam warning: “We removed this invoice because it may have been a scam. Our fraud detection tools work around the clock to help keep online commerce safe for everyone.”

The invoice has been deleted and replaced with a warning (Image credit: Hackread.com)

Yet, this scam goes on to show a growing trend where attackers are finding ways to use legitimate platforms and services to deliver their malicious payloads. Therefore, trust your instincts, and always verify information through official channels, never by clicking links or calling numbers from unexpected emails.

New PayPal Scam Sends Verified Invoices With Fake Support Numbers

Researchers uncover a 5-year malware campaign using browser extensions on Chrome, Firefox and Edge, relying on hidden payloads and shared infrastructure.

What started as a single suspicious browser add-on has grown into a much larger cybersecurity concern that many users never saw coming. Last month, Koi Security published an analysis of a Firefox extension it named GhostPoster, describing a method of abuse that avoided the usual warning signs reviewers look for when scanning browser extensions.

GhostPoster’s modus operandi included hiding the payload inside a harmless looking PNG image file. That image was later decoded and executed, allowing the extension to bypass static analysis tools and manual reviews without raising suspicion.

****LayerX After Koi Security****

After Koi shared its findings, LayerX began tracing the infrastructure behind the extension. Their investigation revealed 17 more add-ons using the same backend systems and operating playbook. Combined, those extensions were installed more than 840,000 times, with some sitting on user devices for nearly five years without detection.

LayerX also noted the presence of a more advanced variant within the same campaign that relied on additional evasion methods and accounted for 3,822 installs on its own. While smaller in number, the design showed careful planning and patience rather than quick profit.

> _“Following their publication, our investigation identified 17 additional extensions associated with the same infrastructure and tactics, techniques, and procedures (TTPs). Collectively, these extensions were downloaded over 840,000 times, with some remaining active in the wild for up to five years.”_
> 
> LayerX

The campaign itself did not begin on Firefox. Investigators traced its early activity to Microsoft Edge, where it later spread to Chrome and Firefox as the infrastructure matured. Researchers believe that the slow expansion suggests a long-term operation that favored persistence over speed, letting extensions remain useful and trusted before activating harmful behavior.

****Extensions Removed From Marketplaces, Not From Browsers****

In response to the disclosures, as per layerX’s blog post shared with Hackread.com, Mozilla and Microsoft removed the identified extensions from their official stores. The removals stop new downloads, but extensions already installed continue running on user systems, which means users must remove them manually.

The findings go on to show how extensions have become easiast way for cyber criminals to compromise browser security. Therefore, users must regularly review installed extensions, limit permissions, and remove anything that is no longer needed.

GhostPoster Browser Malware Hid for 5 Years With 840,000 Installs

New York, United States, 15th January 2026, CyberNewsWire

**New York, United States, January 15th, 2026, CyberNewsWire**

BreachLock, a global leader in offensive security, today announced that its Adversarial Exposure Validation (AEV) solution now supports autonomous red teaming at the application layer, expanding beyond its initial network-layer capabilities introduced in early 2025. 

BreachLock AEV’s generative AI-powered autonomous red teaming engine can now emulate real-world attacker behavior at the application layer, capturing how adversaries think, pivot, and chain exploits. AEV continuously validates exploitable weaknesses in applications, including cross-site scripting (XSS), code injection flaws, OWASP Top 10 vulnerabilities, business logic flaws, and complex exploit paths.

BreachLock AEV goes beyond simply identifying theoretical risks and validates their real-world exploitability and business impact. These deep contextual insights help enterprise security teams scale their coverage and reduce critical risks faster with a sharper focus on remediating the validated risks that pose the greatest threat to their organization. 

> “Security teams don’t need more tools—they need better outcomes,” Seemant Sehgal, Founder & CEO of BreachLock, said. “With agentic autonomous penetration testing for web applications, we’re pushing the boundaries of what offensive security can do by continuously thinking, adapting, and validating risk the way real attackers do. This is a fundamental shift in how organizations measure and improve their security posture,” he added. 

BreachLock AEV includes an interactive, real-time attack path visualization feature, allowing users to see where their defenses pass and fail across the attack chain. Users can also download detailed, MITRE ATT&CK-aligned PDF reports directly from the BreachLock Unified Platform, making it easier to communicate findings, prioritize remediation, and demonstrate compliance. 

To learn more about BreachLock AEV, users can visit BreachLock.com.

**About BreachLock** 

BreachLock is a global leader in offensive security, delivering scalable and continuous security testing. Trusted by global enterprises, BreachLock provides human-led and AI-powered Attack Surface Management, Penetration Testing as a Service (PTaaS), Red Teaming, and Adversarial Exposure Validation (AEV) solutions that help security teams stay ahead of adversaries. 

With a mission to make proactive security the new standard, BreachLock is shaping the future of cybersecurity through automation, data-driven intelligence, and expert-driven execution. 

**Contact**

**Marketing Communications Manager**  
**Megan Charrois**  
**BreachLock**  
**\[email protected\]**

BreachLock Expands Adversarial Exposure Validation (AEV) to Web Applications

McLean, Virginia, United States, 15th January 2026, CyberNewsWire

**McLean, Virginia, United States, January 15th, 2026, CyberNewsWire**

A new Top 10 Cybersecurity Innovators profile by AppGuard has been released, spotlighting growing concerns over AI-enhanced malware. AI makes malware even more difficult to detect. Worse, they use AI to assess, adapt, and move faster than any cyber stack can keep up.

The report advocates for a fundamental change in approach, highlighting the limitations of reactive security measures. Rather than constantly adding or changing detection layers of cyber stacks, the profile emphasizes the importance of reducing endpoint attack surface—a perspective that challenges conventional industry practices.

**The Detection Gap Crisis: Why “Magic AI” Fails**

> **CEO Fatih Comlekoglu** mentions that “You can’t keep trying to tell good from bad among infinite possibilities. Not even the most magical AI can parse infinity.”

The industry is trapped in a futile chase, piling on detection tools and adding AI enhancements that still fail to close the foundational gap. In fact, enterprises now face an overwhelming flood of alerts, with many organizations reportedly beginning to limit the amount of data they ingest simply because they can no longer keep up.

**The New Threat: Lateral Movement at the Speed of AI**

Once remote control is established on an endpoint, adversarial AI reportedly adjusts the malicious process’s activities in real-time to evade detection and adapt to the environment. This dramatically shortens the time defenders have to respond and exacerbates flaws in detection-based security that depend on human approvals or interventions.

**Every Cyber Stack Needs a “Default-Deny” Layer**

AI cannot parse infinity; AI can only parse what it can, faster. Instead of joining the futile chase, “default-deny” or Zero Trust enforced within endpoints shrinks the attack surface. By restricting what can run and what the running can do, attacks run into walls, regardless of disguise or AI acceleration. The concept is akin to football: shrink the adversary’s “playing field” as well as its “playbook”. 

Many controls-based layers can theoretically shrink the attack surface to some degree but few do so practically, thoroughly, and without considerable friction. AppGuard does this with 10 to 100 times fewer policy rules than alternatives. Even better, it uniquely auto-adapts to endpoint changes and malware technique variations. Fewer rules and fewer rules changes equate to easier operations and greater efficacy against malware, even AI-guided malware.

**AI is Not Detection Magic, But it is Helpful**

While AI is increasingly promoted as a breakthrough in cybersecurity, it remains a form of advanced pattern matching—subject to the same limitations as traditional detection methods. AppGuard affirms that it does not rely on AI for malware detection. Instead, the company sees AI enhancing its controls-based approach to endpoint protection. This includes improving attack surface management, minimizing disruption to legitimate workflows, and providing clearer visibility into policy enforcement and blocked events.

**ANNOUNCING: Expanded Insider Release for Veteran Operators**

Following recognition in the recent cybersecurity innovators profile, AppGuard has reopened its Insider Release program. The initiative seeks experienced endpoint security professionals—particularly those at MSSPs and MSPs managing multiple client environments—to provide hands-on feedback on AppGuard’s upcoming reengineered endpoint protection platform.

Selected participants will have early access to deploy the newly architected lightweight agent in combination with AppGuard’s new cloud-based management console.

Seats are limited and reserved for qualified teams with proven operational experience. Readers apply here. **Selected participants receive:** early access to the new agent and cloud console and direct influence on final features and roadmap priorities.

**Resources**

*   AppGuard Home Page
*   Read the December 2025 industry profile
*   Video overviewing AppGuard
*   Apply for the Insider Release

**Adding AppGuard Anywhere: Proven Effectiveness and Pragmatism** 

Adding AppGuard to ANY cyber stack to stop what other layers miss entirely or detect too late: zero-days, ransomware, process injection, credential theft, info-stealers, living-off-the-land techniques. 

AppGuard’s effectiveness is not theoretical. It has been proven repeatedly in the field for very large organizations to very small. For example, one of the world’s largest airlines, managing more than 40,000 endpoints, had been plagued by weekly malware incidents despite deploying multiple high-end cybersecurity solutions. After implementing AppGuard in 2019, the organization has experienced no successful malware breaches—a testament to the product’s real-world impact. Small businesses appreciate its easy deployment and the resulting end-user productivity.

**About AppGuard**

AppGuard is the real-time, controls-based endpoint protection layer that stops what detection tools miss entirely or detect too late. It extends Zero Trust principles into the endpoint itself—down to the computing process—filling a critical gap where traditional Zero Trust models treat the endpoint as a black box. Adding it to any cyber stack delivers enterprise-grade protection with dramatically fewer rules, far less tuning, and far less operational overhead. AppGuard is ideal for both smaller organizations and large enterprises tired of spending fortunes on porous, alert-heavy defenses that still fail.

**Contact**

**Marketing**  
**Eirik Iverson**  
**AppGuard Inc**  
**\[email protected\]**

AppGuard Critiques AI Hyped Defenses; Expands its Insider Release for its Next-Generation Platform

ANY.RUN report reveals how the new CastleLoader malware targets US government agencies using stealthy ClickFix tricks and memory-based attacks to bypass security.

A new name is surfacing in cyber intelligence reports that has security teams on edge. Known as CastleLoader, it has become a go-to tool for attackers targeting high-security environments since early 2025.

As Hackread.com reported in December 2025, earlier versions of CastleLoader were analysed in July and August 2025. Cybersecurity analysis firm ANY.RUN has now detected a newer and more stealthy version.

ANY.RUN researchers identified it as a ‘loader,’ which is essentially a specialised software that acts as a silent entry point for far more destructive attacks. Investigation revealed that CastleLoader has already compromised at least 469 devices, with a heavy focus on US government agencies and critical infrastructure across Europe, including the logistics and travel sectors.

****Tricked into Clicking****

Researchers noted that CastleLoader doesn’t always rely on complex hacking; often, it just needs a person to make one mistake. It uses a social engineering trick known as ClickFix. In these cases, a user might see a fake “update” or “verification” pop-up. If the user clicks to “fix” the issue, they are actually giving the malware permission to start its work. The malware often uses a fake message saying:

“The program can’t start because VCRUNTIME140.dll is missing from your computer.”

It’s a clever disguise because it looks like a boring, everyday Windows glitch. But while the user is confused, CastleLoader is already busy. It typically arrives as a package using Inno Setup, a common installer tool, and runs a script called AutoIt to prepare the system for the next stage of the attack.

After it successfully invades a system, the malware performs process hollowing. This is a trick where a legitimate Windows tool called jsc.exe is hijacked. According to researchers, the malware “hollows out” the safe code and replaces it with malicious instructions. Because the “bad” code runs inside a “good” program’s memory, most standard antivirus tools won’t even flag it.

Further probing revealed that once CastleLoader is settled in, it calls back to a command center at the address 94.159.113.32. From there, it can download information stealers to grab passwords or RATs (Remote Access Trojans) to give a stranger total control of the network.

What is most dangerous is that CastleLoader uses memory-based attacks. Instead of saving a visible file to your hard drive, the malicious code hides entirely in the computer’s temporary memory (RAM). Since it never leaves a permanent file, it acts like a ghost, allowing it to evade standard antivirus programs that only scan for bad files on the disk. Because this malware is so evasive, traditional security measures are usually unable to detect it.

CastleLoader’s discovery proves that the best defence is a mix of smart technology and staying alert. While security experts work to block the technical backdoors, our own caution with suspicious pop-ups remains the strongest shield we have against digital threats.

Source

HackRead