Threats Tagged 'persistence'

A sophisticated Rust-based macOS implant named macOS.Gaslight has been discovered, featuring a novel 3.5 KB prompt-injection payload containing 38 fabricated system messages designed to disrupt LLM-assisted malware analysis. The backdoor communicates via Telegram Bot API with AES-GCM encrypted payloads over certificate-pinned TLS and includes self-redaction capabilities to hide its bot token from logs. It provides operators with an interactive shell, system information collection, and credential stealing capabilities through a bundled Python script that targets browser data, keychains, and command histories. The implant uses runtime-fetched CPython interpreters and establishes persistence through a LaunchAgent masquerading as an Apple system service. This threat is assessed with high confidence to be aligned with DPRK activity and represents a significant evolution in adversarial techniques targeting security analysts rather than sandbox environments.

A malicious npm package named 'node-fetch-utils' was discovered masquerading as a legitimate fetch helper utility. The package declares a remote tarball dependency from GitHub that executes upon installation. It runs an obfuscated postinstall script targeting Windows systems, which downloads a bundled Python runtime and drops it as Microsoft\EdgeBroker\pythonw.exe for persistence. The dropper then uses this disguised runtime to execute a fileless Python implant decrypted in memory and launched hidden via wscript. The dropper scripts self-delete while the disguised runtime remains active on the compromised system, establishing command and control communications.