Threats Tagged 'reverse-shell'

On April 16, 2026, a threat actor leveraged stolen VPN credentials to access a Windows workstation and deployed a SYSTEM-level backdoor using the Komari agent, an open-source monitoring tool with built-in command-and-control capabilities. The attacker authenticated through an SSLVPN session from IP 45.153.34[.]132 and used Impacket smbexec.py to enable RDP on the target system. The Komari agent was installed as a persistent Windows service named 'Windows Update Service' using NSSM, pulling the installer directly from the official GitHub repository. Komari provides bidirectional control through WebSocket connections, offering arbitrary command execution, interactive reverse shell access, and network probing capabilities by default. Microsoft Defender quarantined an earlier registry dump attempt, forcing the adversary to pivot to this GitHub-based approach. This represents the first publicly documented case of Komari being abused in a real-world intrusion.

A Russian government organization was targeted by the Cavalry Werewolf hacker group, aiming to collect confidential information and network data. The attack began with phishing emails containing malware disguised as documents. The group utilized various tools including backdoors, trojans, and modified legitimate programs. They employed open-source software, reverse-shell backdoors, and Telegram API for control. The attackers focused on information gathering, network configuration, and establishing persistence in compromised systems. Their tactics included using Windows built-in tools, modifying the registry, and exploiting public directories for malware deployment. The group's sophisticated approach and diverse toolset highlight the evolving threat landscape for government institutions.

MediumMalwareRussiaGermanyFrance+4#open-source tools#trojan.packed2.49708#telegram api