The new Golang backdoor uses Telegram for command and control. Netskope discovers malware that exploits Telegram’s API for…

The new Golang backdoor uses Telegram for command and control. Netskope discovers malware that exploits Telegram’s API for malicious purposes. Learn how this threat works and how to protect yourself.  

Cybersecurity researchers at Netskope have discovered a new, functional, but possibly still-in-development, Golang-based backdoor that uses Telegram for command and control (C2).

This malware (Trojan.Generic.37477095), apparently of Russian origin, takes advantage of cloud services like Telegram, which are easy for attackers to use and difficult for researchers to monitor. This method of C2 communication avoids the need for dedicated attacker infrastructure. Other cloud platforms like OneDrive, GitHub, and Dropbox could also be misused in this way.

Upon execution, the malware, compiled in Go, initiates an “installSelf” function. This function checks if the malware is running from the designated location and filename: “C:\\Windows\\Temp\\svchost.exe”. If it does not, the malware copies itself to that location, creates a new process to launch the copy, and then terminates the original instance. This process, executed in an initialization function, ensures the malware runs from the intended location before proceeding. 

Detect It Easy tool used by researchers shows malware acting like a backdoor upon execution (Screenshot via Netskope)

For C2 communication, the backdoor employs an open-source Go package to interact with Telegram. It establishes a bot instance using the Telegram BotFather feature and a specific token (8069094157:AAEyzkW\_3R3C-tshfLwgdTYHEluwBxQnBuk in the analysed sample). The malware then monitors a designated Telegram chat for new commands.

The malware supports four commands, but only three are currently implemented. It validates the length and content of received messages before execution. The “/cmd” command requires two messages: the command itself, followed by a PowerShell command to be executed.

In the next phase, the malware sends a Russian-language prompt (“Enter the command:”) to the chat after receiving the initial command and then waits for the subsequent PowerShell command. This command is then executed in a hidden PowerShell window. 

The “/persist” command replicates the initial installation check and process, relaunching the malware and exiting. The “/screenshot” command, while not fully implemented, still sends a “Screenshot captured” message to the Telegram channel. 

The “/selfdestruct” command deletes the malware file (C:\\Windows\\Temp\\svchost.exe) and terminates the process, notifying the Telegram channel with a “Self-destruct initiated” message. All command outputs are transmitted back to the Telegram channel via the “sendEncrypted” function.

This exploitation of cloud applications for malicious purposes highlights the challenges faced by defenders.

“Although the use of cloud apps as C2 channels is not something we see every day, it’s a very effective method used by attackers not only because there’s no need to implement a whole infrastructure for it, making attackers’ lives easier, but also because it’s very difficult, from a defender perspective, to differentiate what is a normal user using an API and what is a C2 communication,” researchers noted in their technical blog post.

To stay protected, ensure you have up-to-date and reputable antivirus and anti-malware software installed on all your devices. These solutions should be capable of detecting and blocking malicious files, including Go-based executables.

Hackers Exploit Telegram API to Spread New Golang Backdoor

Cybersecurity researchers have shed light on a new Golang-based backdoor that uses Telegram as a mechanism for command-and-control (C2) communications.
Netskope Threat Labs, which detailed the functions of the malware, described it as possibly of Russian origin.
"The malware is compiled in Golang and once executed it acts like a backdoor," security researcher Leandro Fróes said in an analysis

New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations

Plus: Researchers find RedNote lacks basic security measures, surveillance ramps up around the US-Mexico border, and the UK ordering Apple to create an encryption backdoor comes under fire.

As the United States reels from the upheaval caused by Elon Musk’s so-called Department of Government Efficiency (DOGE), hackers from countries the US considers hostile continue to wreak havoc from afar.

New research shows that China’s Salt Typhoon hacking group has expanded its targets list to include universities around the world and at least two more telecoms operating in the US. That brings the total number of US telecommunications networks breached by Salt Typhoon to at least 11.

Russia’s notorious Sandworm hacking unit may be best known for its attacks on Ukraine, including multiple blackouts caused by its cyberattacks and its release of the destructive NotPetya malware. However, a hacking group within Sandworm is now taking aim at targets in Western nations, including Australia, Canada, the UK, and the US, according to research released this week by Microsoft. The group, which Microsoft calls BadPilot, is known as an “initial access operation,” breaching targets for the purpose of handing over access to those systems to other Sandworm hackers.

Meanwhile, we dug into the slimy world of romance scammers who are making ill-gotten fortunes by capitalizing on the loneliness epidemic, and we dipped into the opaqueness of online advertising data that could pose a threat to US national security. Finally, we found that US funding cuts under the new Trump administration are hurting the organizations protecting children from exploitation, abuse, and human trafficking.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**The Official DOGE Website Launch Was a Security Mess**

Elon Musk’s DOGE finally started publishing some information about its activities on its threadbare website this week. But it wasn’t the only entity publishing on the site.

Two web developers, working independently, found that it is possible to push updates to the DOGE.gov domain, which claims to be an official US government website. The website uses a database that can be edited by anyone online, the experts told 404Media. To demonstrate the insecurity, they left a couple of messages on the DOGE site: “This is a joke of a .gov site,” one read, while the other says: “THESE ‘EXPERTS’ LEFT THEIR DATABASE OPEN.”

The messages stayed on the website for at least 12 hours and remained visible for some time on Friday. The DOGE website was launched in January and until this week was a single landing page containing very little information. The web experts who discovered the vulnerabilities told 404Media that the website appeared to have been “slapped together.”

The website only started being populated this week—with some figures purporting to show the size of the US government—after Musk promised his organization would be “maximally transparent.” That transparency may have gone a step too far, however, with HuffPost reporting on Friday that the site included classified material.

As well as being insecure, the DOGE website heavily leans on X, the social media platform owned by Musk. DOGE’s homepage is a feed of its own X posts, but it also uses code that directs search engines to X.com instead of DOGE.gov, a WIRED review of the site found. “This isn't usually how things are handled, and it indicates that the X account is taking priority over the actual website itself,” one developer told WIRED.

**RedNote Security Flaws Come Into Focus**

Chinese TikTok alternative RedNote gained around 700,000 US users and courted American influencers when the ban on TikTok loomed in January. While many of those people may have only used RedNote for a few days, a new analysis from the University of Toronto’s Citizen Lab has highlighted how a lack of encryption could have opened up US users to “surveillance by any government or ISP \[Internet Service Provider\], and not just the Chinese government.”

The analysis of RedNote found a host of network security issues in both its Android and iOS apps. RedNote fetched images and videos using HTTP connections, not the industry standard and encrypted HTTPS; some versions of the app contained a vulnerability that allows an attacker to have “read” permissions on a phone; and it “transmitted insufficiently encrypted device metadata.” The flaws were contained in RedNote’s app and several third-party software libraries that it uses. Citizen Lab reported the issues to the companies starting in November 2024 but has not heard back from any of them.

The security researchers say that the vulnerabilities could risk surveillance for all users, including those in China. “As the Chinese government might already have mechanisms to lawfully obtain detailed data from RedNote about their users, the issues that we found also make Chinese users especially vulnerable to surveillance by non-Chinese governments,” the research says.

It underscores that within China even widely used apps may not meet the same security standards as those developed outside the country. “Applications that are popular in China often use no encryption, proprietary encryption protocols, or use TLS without certificate validation to encrypt sensitive data,” the analysis says.

**Military Spy Planes Increase Surveillance Flights at US-Mexico Border**

Over the last two weeks, US spy planes have flown at least 18 missions around the Mexico border, analysis from CNN has shown. The flights mark a “dramatic escalation in activity,” the publication reports, and come as the Trump administration has designated drug cartels as terrorist organizations and has turned the nation’s security apparatus toward deporting millions of migrants. According to CNN, various military planes, including Navy P-8s and a U-2 spy plane, were used in the operations and are capable of collecting both imagery and signals intelligence. Also this week, US Immigration and Customs Enforcement has advertised new contracts that would allow it to monitor “negative” social media posts that people make about it.

**Backlash Mounts Against UK’s Secret Apple Encryption Order**

Last month, the UK government hit Apple with a secret order demanding the company create a way to access data stored in encrypted iCloud backups. The order, called a Technical Capability Notice and issued under the UK’s controversial 2016 surveillance law, was first reported by The Washington Post last week. Since then, there’s been a growing backlash against the demands from the UK government, with many highlighting how a change would impact the security of millions around the world.

US senator Ron Wyden and representative Andy Biggs have sent a letter to Tulsi Gabbard, the new director of national intelligence, saying the order undermines trust between the US and UK. “If the UK does not immediately reverse this dangerous effort, we urge you to reevaluate US-UK cybersecurity arrangements and programs as well as US intelligence sharing with the UK,” the pair said, drawing comparisons to the Chinese-linked Salt Typhoon hacks of US telecom firms that utilized a surveillance “backdoor.” Since details of the order emerged, Human Rights Watch has called it an “alarming overreach,” while 109 civil society organizations, companies, and other groups signed an open letter saying the “demand jeopardizes the security and privacy of millions.”

The Official DOGE Website Launch Was a Security Mess

A phishing attack dubbed DEEP#DRIVE is targeting South Korean entities, with thousands already affected. North Korean hackers from…

A phishing attack dubbed DEEP#DRIVE is targeting South Korean entities, with thousands already affected. North Korean hackers from the Kimsuky group are the prime suspects behind this cyber espionage campaign.

Securonix has shared its investigation into the DEEP#DRIVE attack campaign, a multi-stage operation targeting South Korean businesses, government entities, and cryptocurrency users since September 2024. The attack’s primary objective is most likely espionage to gather sensitive information from South Korean entities and has already claimed thousands of victims.

The investigation shared with Hackread.com ahead of its publishing, reveals that attackers employed _tailored phishing lures_ written in Korean and disguised as legitimate documents, such as work logs, insurance documents, and crypto-related files, to successfully infiltrate targeted environments. 

Securonix has shared an image of a phishing lure disguised as the Telegram.exe application, labelled 대차 및 파레트 (Korean term for bogie and pallet) revealing logistics-related details like product name (제품명), P9 basement factory (P9 지하공장), total weight (총중량), etc., indicating a likely attempt to trick victims in the logistics sector.

These lures, crafted to appeal to their intended audience, were often distributed in trusted file formats like .hwp, .xlsx, and .pptx and hosted on widely used platforms like Dropbox, allowing attackers to evade traditional security defences and “blend into normal user behaviour.”

“It is evident that phishing was the primary method of malware distribution in this campaign as the collected samples and their filenames strongly align with common themes and wording typically used in phishing lures” Secrounix’s researchers explained in their report.

****Campaign Analysis****

The campaign heavily leveraged PowerShell scripts for payload delivery, reconnaissance (gathering system info like IP address, OS details, antivirus software, and running processes), and establishing persistence (using scheduled tasks like “ChromeUpdateTaskMachine”). Dropbox was also used for data exfiltration.  

The attack chain typically begins with a .lnk file disguised as a legitimate document, which initiates the execution of malicious PowerShell scripts. These scripts download further payloads, including a .NET assembly, disguised as a legitimate application (such as “Telegram.exe”), and establish persistence. A key reconnaissance script, “system\_first.ps1,” collects and exfiltrates system information.  

The final payload, often delivered via a script like “temp.ps1,” is suspected to be a backdoor, though researchers could not capture it during analysis. The attackers’ Dropbox account analysis showed a large number of compromised system configuration files and various malicious payloads.

Stealth and obfuscation are key elements, with attackers using techniques like meaningless variable names, repeated irrelevant assignments, and string concatenation to evade detection, and the removal of associated Dropbox links suggests the attack infrastructure was temporary. 

Although the attacker’s infrastructure, particularly Dropbox links, appeared short-lived, the tactics, techniques, and procedures (TTPs) strongly resemble those used by Kimsuky, a North Korean Advanced Persistent Threat (APT) group “known for targeting South Korea and using similar Dropbox-based methods in previous campaigns,” researchers observed.

Securonix recommends user education on phishing, monitoring of malware staging directories, and reliable endpoint logging (e.g. PowerShell logging) to defend against similar attacks.

N. Korean Hackers Suspected in DEEP#DRIVE Attacks Against S. Korea

Companies pursing internal AI development using models from Hugging Face and other open source repositories need to focus on supply chain security and checking for vulnerabilities.

Source: Zoonar GmbH via Alamy Stock Photo

Attackers are finding more and more ways to post malicious projects to Hugging Face and other repositories for open source artificial intelligence (AI) models, while dodging the sites' security checks. The escalating problem underscores the need for companies pursuing internal AI projects to have robust mechanisms to detect security flaws and malicious code within their supply chains.

Hugging Face's automated checks, for example, recently failed to detect malicious code in two AI models hosted on the repository, according to a Feb. 3 analysis published by software supply chain security firm ReversingLabs. The threat actor used a common vector — data files using the Pickle format — with a new technique, dubbed "NullifAI," to evade detection.

While the attacks appeared to be proofs-of-concept, their success in being hosted with a "No issue" tag shows that companies should not rely on Hugging Face's and other repositories' safety checks for their own security, says Tomislav Pericin, chief software architect at ReversingLabs.

"You have this public repository where any developer or machine learning expert can host their own stuff, and obviously malicious actors abuse that," he says. "Depending on the ecosystem, the vector is going to be slightly different, but the idea is the same: Someone's going to host a malicious version of a thing and hope for you to inadvertently install it."

Related:This Security Firm's 'Bias' Is Also Its Superpower

Companies are quickly adopting AI, and the majority are also establishing internal projects using open source AI models from repositories — such as Hugging Face, TensorFlow Hub, and PyTorch Hub. Overall, 61% of companies are using models from the open source ecosystem to create their own AI tools, according to a Morning Consult survey of 2,400 IT decision-makers sponsored by IBM.

Yet many of the components can contain executable code, leading to a variety of security risks, such as code execution, backdoors, prompt injections, and alignment issues — the latter being how well an AI model matches the intent of the developers and users.

**In an Insecure Pickle**

One significant issue is that a commonly used data format, known as a Pickle file, is not secure and can be used to execute arbitrary code. Despite vocal warnings from security researchers, the Pickle format continues to be used by many data scientists, says Tom Bonner, vice president of research at HiddenLayer, an AI-focused detection and response firm.

"I really hoped that we'd make enough noise about it that Pickle would've gone by now, but it's not," he says. "I've seen organizations compromised through machine learning models — multiple \[organizations\] at this point. So yeah, whilst it's not an everyday occurrence such as ransomware or phishing campaigns, it does happen."

Related:How Banks Can Adapt to the Rising Threat of Financial Crime

While Hugging Face has explicit checks for Pickle files, the malicious code discovered by ReversingLabs sidestepped those checks by using a different file compression for the data. Other research by application security firm Checkmarx found multiple ways to bypass the scanners, such as PickleScan used by Hugging Face, to detect dangerous Pickle files.

Despite having malicious features, this model passes security checks on Hugging Face. Source: ReversingLabs

"PickleScan uses a blocklist which was successfully bypassed using both built-in Python dependencies," Dor Tumarkin, director of application security research at Checkmarx, stated in the analysis. "It is plainly vulnerable, but by using third-party dependencies such as Pandas to bypass it, even if it were to consider all cases baked into Python, it would still be vulnerable with very popular imports in its scope."

Rather than Pickle files, data science and AI teams should move to Safetensors — a library for a new data format managed by Hugging Face, EleutherAI, and Stability AI — which has been audited for security. The Safetensors format is considered much safer than the Pickle format.

Related:Warning: Tunnel of Love Leads to Scams

**Deep-Seated AI Vulnerabilities**

Executable data files are not the only threats, however. Licensing is another issue: While pretrained AI models are frequently called "open source AI," they generally do not provide all the information needed to reproduce the AI model, such as code and training data. Instead, they provide the weights generated by the training and are covered by licenses that are not always open source compatible.

Creating commercial products or services from such models can potentially result in violating the licenses, says Andrew Stiefel, a senior product manager at Endor Labs.

"There's a lot of complexity in the licenses for models," he says. "You have the actual model binary itself, the weights, the training data, all of those could have different licenses, and you need to understand what that means for your business."

Model alignment — how well its output aligns with the developers' and users' values — is the final wildcard. DeepSeek, for example, allows users to create malware and viruses, researchers found. Other models — such as OpenAI's o3-mini model, which boasts more stringent alignment — has already been jail broken by researchers.

These problems are unique to AI systems and the boundaries of how to test for such weaknesses remains a fertile field for researchers, says ReversingLabs' Pericin.

"There is already research about what kind of prompts would trigger the model to behave in an unpredictable way, divulge confidential information, or teach things that could be harmful," he says. "That's a whole other discipline of machine learning model safety that people are, in all honesty, mostly worried about today."

Companies should make sure to understand any licenses covering the AI models they are using. In addition, they should pay attention to common signals of software safety, including the source of the model, development activity around the model, its popularity, and the operational and security risks, Endor's Stiefel says.

"You kind of need to manage AI models like you would any other open source dependencies," Stiefel says. "They're built by people outside of your organization and you're bringing them in, and so that means you need to take that same holistic approach to looking at risks."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Open Source AI Models: Perfect Storm for Malicious Code, Vulnerabilities

Pivoting from prior cyber espionage, the threat group deployed its backdoor tool set to ultimately push out RA World malware, demanding $2 million from its victim.

Source: KB Photodesign via Shutterstock

NEWS BRIEF

A recent RA World ransomware attack utilized a tool set that took researchers by surprise, given that it has been associated with China-based espionage actors in the past.

According to Symantec, the attack occurred in late 2024. The tool set includes a legitimate Toshiba executable named toshdpdb.exe that deploys on a victim's device. It then connects to a malicious dynamic link library (DLL) that deploys a payload containing a PlugX backdoor.

The threat actors in this case used the tool kit to ultimately deploy RA World ransomware inside an unnamed Asian software and services company, demanding a ransom of $2 million. No initial infection vector was found. However, the attacker claimed they compromised the victim's network by exploiting a Palo Alto PAN-OS vulnerability (CVE-2024-0012), according to Symantec.

"The attacker then said administrative credentials were obtained from the company's intranet before stealing Amazon S3 cloud credentials from its Veeam server, using them to steal data from its S3 buckets before encrypting computers," added the researchers, who hypothesized that based on tactics, techniques, and procedures, the attacker could be China-linked Emperor Dragonfly, aka Bronze Starlight, a group that has been known to deploy ransomware to obscure intellectual property theft in the past.

Symantec researchers noted that prior intrusions using the tool set were against the foreign ministry of a Southeastern European country, the government of another, two Southeast Asian government ministries, and a Southeast Asian telecoms operator. Each of these attacks occurred between last July and January, and all were espionage-related, with no ransomware component.

"While tools associated with China-based espionage groups are often shared resources, many aren't publicly available and aren't usually associated with cybercrime activity," said the researchers in a posting this week.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Chinese APT 'Emperor Dragonfly' Moonlights With Ransomware

The UK has demanded Apple provides it with a worldwide backdoor into iCloud backups. Privacy organizations are furious.

Last week, an article in the Washington Post revealed the UK had secretly ordered Apple to provide blanket access to protected cloud backups around the world. Since then, privacy focused groups have uttered their objections.

The UK government has demanded to be able to access encrypted data stored by Apple users worldwide in its cloud service. However, Apple itself doesn’t have access to it at the moment, only the holder of the Apple account can access data stored in this way.

Neither the Home Office nor Apple responded on the record to queries about the demand served by the Home Office under the Investigatory Powers Act (IPA) , but the BBC confirmed that it had heard the same information from reliable sources.

Privacy International said the demand is a “misguided attempt” that uses disproportionate government powers to access encrypted data, which may:

> “Set a damaging precedent and encourage abusive regimes around the world to take similar actions.”

The Electronic Frontier Foundation (EFF) stated:

> “Encryption is one of the best ways we have to reclaim our privacy and security in a digital world filled with cyberattacks and security breaches, and there’s no way to weaken it in order to only provide access to the good guys.”

The main goal for the Home Office is an optional feature that turns on end-to-end encryption for backups and other data stored in iCloud. This feature is called Advanced Data Protection. Enabling Advanced Data Protection (ADP), protects the majority of your iCloud data — including iCloud Backup, Photos, Notes, and more — using end-to-end encryption.

For some time, these backups presented law enforcement agencies with a loophole to obtain access to data otherwise not available to them on iPhones with device encryption enabled. If the user hasn’t enabled ADP, this loophole still exists.

The EFF recommends users should turn off the option to create iCloud backups should the UK get its way. As the EFF has said before, and we agree, there is no backdoor that only works for the “good guys” and only targets “bad guys.” It’s all or nothing, and the bad guys will have enough money to find alternatives, while regular users may run out of free options if governments keep doing this.

**What can I do?**

How you wish to proceed after this news is obviously up to you, but we have some options you may be interested in. If you think Apple will stand up against the UK’s Home Office you can enable iCloud backup and Advanced Data Protection.

But if you want to find another place for your backups, these instructions may come in handy.

****How to turn off iCloud backups********On iPhone or iPad****

*   Tap **Settings** > {username} > **iCloud On your iPhone or iPad**.
*   This will list the devices with iCloud Backup turned on.
*   To delete a backup, tap the name of a device, then tap **Turn Off and Delete from iCloud** (or **Delete & Turn Off Backup**).

iCloud backup disabled

****On Mac****

*   Click **Manage** > **Backups**.
*   A list of devices that have iCloud Backup turned on is shown.
*   To delete a backup, select a device, then click **Delete** or the **Remove** button.

Note: If you turn off iCloud Backup for a device, any backups stored in iCloud are kept for 180 days before being deleted.

**How to turn on Advanced Data Protection**

If you haven’t enabled ADP and you want it, first update the iPhone, iPad, or Mac that you’re using to the latest software version.

Turning on ADP on one device enables it for your entire account and all your compatible devices.

****On iPhone or iPad****

1.  Open the **Settings** app.
2.  Tap your name, then tap **iCloud**.
3.  Scroll down, tap **Advanced Data Protection**, then tap **Turn on Advanced Data Protection**.
4.  Follow the onscreen instructions to review your recovery methods and enable Advanced Data Protection.

****On Mac****

1.  Choose **Apple menu** > **System Settings**.
2.  Click your name, then click **iCloud**.
3.  Click **Advanced Data Protection**, then click **Turn On**.
4.  Follow the onscreen instructions to review your recovery methods and enable Advanced Data Protection.

Note: If you’re not able to turn on Advanced Data Protection for a certain period of time, the onscreen instructions may provide more details.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Apple ordered to grant access to users&#8217; encrypted data 

SystemBC RAT now targets Linux, enabling ransomware gangs like Ryuk & Conti to spread, evade detection, and maintain encrypted C2 traffic for stealthy cyberattacks.

Threat analysts have identified a new and emerging threat: a variant of the SystemBC RAT (Remote Access Trojan) that is now actively targeting Linux-based platforms. This development puts corporate networks, cloud infrastructures, and IoT devices at risk.

The latest version of SystemBC RAT is more stealthy and harder to detect, using encrypted communication to stay hidden while letting attackers move freely through compromised systems.

****SystemBC RAT: From Windows to Linux****

SystemBC is a Remote Access Trojan (RAT) commonly used in cyberattacks to provide attackers with remote control over infected systems. 

Initially a Windows-only threat, it has now expanded to Linux, making it even more dangerous as Linux-based servers are widely used in enterprise environments.

ANY.RUN’s analysts compared SystemBC’s Windows and Linux traffic

****What Makes the Linux Version of SystemBC RAT Dangerous?****

Let’s look at how this malware operates and why it poses a serious threat to Linux-based systems.

****Encrypted Communication with C2 Servers****

The SystemBC RAT for Linux maintains encrypted communication with C2 servers using the same custom protocols as its Windows counterpart. 

This allows attackers to keep a stable connection across a unified infrastructure of both Windows and Linux implants, making it easier to control infected machines without raising suspicion.

While SystemBC RAT is designed to keep its C2 communication encrypted and hidden, it becomes fully visible inside an ANY.RUN analysis session. By running a real sample in the sandbox, security teams can see the malware’s network connections, file modifications, and process activities in real time.

**View ANY.RUN analysis session**

SystemBC RAT analyzed inside ANY.RUN sandbox

Below the Linux Virtual Machine window, all network connections and system modifications related to this specific attack are clearly displayed. 

Suricata rule triggered by SystemBC RAT

In the Threats section, we can see that an alert was triggered by the Suricata rule: “Malware Command and Control Activity Detected – BOTNET SystemBC.Proxy Connection.” This immediate detection allows analysts to track the infection process and understand how the malware operates.

****Proxy Implant for Lateral Movement****

The malware operates as a proxy implant, meaning it can facilitate lateral movement within a compromised network without deploying additional, easily detectable tools. This makes it a powerful weapon for attackers who seek persistence and deeper infiltration within corporate infrastructures.

****Evasion of Traditional Detection****

One of the most concerning aspects is that security vendors struggle to detect this version as belonging to the SystemBC family. This stealthy approach allows the RAT to remain undetected for extended periods, making it a persistent threat.

****Sandbox and Virtualization Evasion****

Besides signature-based evasion, SystemBC also detects virtualized environments to resist dynamic analysis. In a real ANY.RUN analysis session mentioned above, the MITRE ATT&CK framework flags reveal “Virtualization/Sandbox Evasion- System Checks,” showing that the malware actively performs system checks to determine if it’s running inside a security sandbox or virtual machine. 

By identifying these environments, SystemBC can alter its behaviour or terminate execution, helping attackers bypass automated malware analysis tools while remaining fully operational on real infected systems.

Defense evasion techniques and tactics detected by ANY.RUN sandbox

****Integration with Other Malware Strains****

SystemBC is rarely deployed on its own. It often works alongside other malware to expand an attack’s impact. In Windows attacks, it has been observed delivering ransomware like Ryuk and Conti, as well as banking trojans and infostealers. 

With its new Linux variant, similar threats will likely follow, putting enterprise servers and cloud environments at greater risk of data theft, ransomware encryption, and persistent backdoor access.

****Unmasking Hidden Threats Before They Strike****

Cyber threats are getting smarter, and businesses can’t afford to play catch-up. With SystemBC RAT now hitting Linux, attackers have a new way to hide C2 traffic, move through networks unnoticed, and drop additional malware. Traditional security tools often miss these stealthy tactics, leaving corporate networks, and critical infrastructure at risk.

However, with tools like ANY.RUN interactive sandbox, hidden doesn’t mean unstoppable. Your security team can:

*   Analyze threats safely in a controlled environment.
*   Respond faster, containing threats before they spread and cause real harm.
*   Spot evasion techniques before they do damage, exposing how threats slip past defences.
*   Extract key IOCs, strengthening your threat intelligence and prevention strategies.
*   See hidden malware behaviours in real-time, from network traffic to system changes.

SystemBC RAT Now Targets Linux, Spreading Ransomware and Infostealers

Attackers are smuggling payment card-skimming malicious code into checkout pages on Magento-based e-commerce sites by abusing the Google Tag Manager ad tool.

Source: Diana Vyshniakova via Alamy Stock Photo

Attackers are exploiting Google Tag Manager by planting malicious code within e-commerce sites built on the Magento platform. The code can steal payment card data, demonstrating a new type of Magecart attack that leverages Google's free, legitimate website marketing tool.

Researchers from Sucuri discovered an ongoing Magecart campaign in which attackers load code that appears to be a standard Google Tag Manager (GTM) and Google Analytics tracking script from a database onto e-commerce sites. These tracking scripts are typically used for website analytics and advertising purposes; however, the code used in the campaign has been tweaked to act as a card skimmer for the infected site, the researchers revealed in a recent blog post.

"Within the GTM tag, there was an encoded JavaScript payload that acted as a credit card skimmer," Sucuri security analyst Puja Srivastava wrote in the post. "This script was designed to collect sensitive data entered by users during the checkout process and send it to a remote server controlled by the attackers."

So far, Sucuri has uncovered at least six sites affected by the campaign, "indicating that this threat is actively affecting multiple sites," Srivastava wrote.

**Exploiting a Legitimate Google Tool for Card Skimming**

Related:Canadian Man Charged in $65M Cryptocurrency Hacking Schemes

The attack demonstrates a nontypical Magecart attack that leverages a legitimate free tool from Google that allows website owners to manage and deploy marketing tags on their website without needing to modify the site's code directly. GTM eliminates the need for developer intervention each time a marketer aims to track or modify an ad or marketing campaign.

Sucuri researchers were alerted to the Magecart activity by a customer who found that someone was stealing credit card payment data from its e-commerce site. An investigation led to the discovery of malware being loaded from a database table cms\_block.content file for the website. The malware abused a GTM tag, which was altered by embedding an encoded JavaScript payload that acted as a credit card skimmer.

Attackers obfuscated the script using the technique function \_0x5cdc, which maps index values to specific characters in the array. This makes it difficult for someone to immediately understand the purpose of the script, Srivastava wrote.

The script also uses a series of mathematical operations in a loop, further scrambling the code, and also uses Base64 encoding. "This is a trick often used by attackers to disguise the true purpose of the script," she wrote.

The researchers also discovered an undeployed backdoor in one of the website's files that "could have been exploited to further infect the site, providing attackers with persistent access," Srivastava added. Indeed, Magecart attackers last year demonstrated a new tactic of stashing backdoors on websites to deploy malware automatically.

Related:Behavioral Analytics in Cybersecurity: Who Benefits Most?

Sucuri also previously investigated malicious activity that abused GTM to hide other types of malicious activity, including malvertising as well as malicious pop-ups and redirects.

**Mitigation & Remediation of Magecart Attacks**

"Magecart" refers to a loose collective of cybercriminal groups involved in online payment card-skimming attacks. These attacks typically inject card skimmers into websites to steal payment card data that can later be monetized. Big-name organizations that have been targeted by these attacks include Ticketmaster, British Airways, and the Green Bay Packers NFL team.

Once they identified the source of infection on their customer's site, Sucuri researchers removed the malicious code from any other compromised areas of the site, as well as cleaned up the obfuscated script and the backdoor to prevent the malware from being reintroduced.

To ensure an organization's e-commerce site has not been affected by the campaign, administrators should log in to GTM, and then identify and delete any suspicious tags that are being used on the site, Sucuri recommended. They also should perform a full website scan to detect any other malware or backdoors, and remove any malicious scripts or backdoor files.

Related:Cybercrime Forces Local Law Enforcement to Shift Focus

E-commerce sites built on Magento and their extensions also should be updated with the latest security patches, while all site administrators should regularly monitor e-commerce site traffic as well as GTM activity for anything unusual.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Magecart Attackers Abuse Google Ad Tool to Steal Data

Threat actors have been observed leveraging Google Tag Manager (GTM) to deliver credit card skimmer malware targeting Magento-based e-commerce websites.
Website security company Sucuri said the code, while appearing to be a typical GTM and Google Analytics script used for website analytics and advertising purposes, contains an obfuscated backdoor capable of providing attackers with persistent

Tag

#backdoor