XenoRAT delivery and persistence activity
Malware Activity
Summary
XenoRAT is being dropped through password-protected .ZIP archives that hide a .LNK shortcut and use obfuscated PowerShell to fetch the payload, making delivery harder to detect. The malware then establishes persistence with scheduled tasks. Once installed, it enables keystroke logging, screenshot capture, webcam and microphone access, file transfer, and remote shell control. The activity increases the risk of covert surveillance and long-term access on infected computers.
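A process-lineage heuristic for the chain the summary describes (shortcut opened from Explorer, hidden or encoded PowerShell, then a scheduled task registered beneath it), added here as an example and not taken from the original report. The event records, field names and the encoded command are constructed sample data modelled on Sysmon process-creation events.

```python
import base64
import re

# Constructed sample (not from the report): a harmless command encoded the way
# -EncodedCommand expects it (UTF-16LE then base64), standing in for the real loader.
_SAMPLE_ENC = base64.b64encode("Start-Sleep 1".encode("utf-16-le")).decode()

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # constructed process-creation records, listed in creation order
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": PS,
     "cmdline": f"powershell.exe -nop -w hidden -enc {_SAMPLE_ENC}"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /create /sc minute /mo 5 /tn Updater /tr C:\Users\u\AppData\Roaming\svc.exe /f"},
    {"pid": 400, "ppid": 100, "image": PS,  # benign: plain script, no hiding or encoding flags
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]

# Flags commonly seen on loader one-liners: encoded command, hidden window, no profile/interaction.
OBFUSCATION = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand|w\s+hidden|windowstyle\s+hidden|nop|noni)\b")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return {pid: reason} for processes that match the described delivery/persistence chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}

    def ancestors(pid):  # walk the parent chain using the records we have
        while pid in by_pid:
            pid = by_pid[pid]["ppid"]
            yield pid

    for e in events:
        name = _basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = _basename(parent["image"]) if parent else ""
        # Stage 1: a shortcut opened in Explorer starts PowerShell with hiding/encoding flags.
        if name == "powershell.exe" and pname == "explorer.exe" and OBFUSCATION.search(e["cmdline"]):
            findings[e["pid"]] = "hidden/encoded PowerShell launched from Explorer (shortcut-style start)"
        # Stage 2: that PowerShell, or a descendant, registers a scheduled task.
        elif name == "schtasks.exe" and "/create" in e["cmdline"].lower() \
                and any(a in findings for a in ancestors(e["pid"])):
            findings[e["pid"]] = "scheduled-task persistence beneath suspicious PowerShell"
    return findings


if __name__ == "__main__":
    for pid, why in detect(EVENTS).items():
        print(pid, why)
```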
Related Happenings
Google Drive ransomware detection reaches general availability and turns on by default
Security Tool/Service
First: 01.04.2026 09:35
Last: 01.04.2026 09:35
Sources 1
About this happening:
**Google Drive**'s **AI-powered ransomware detection** has reached **general availability** and is now **enabled by default** for paying users, expanding automatic protection for...
Google study on AI misuse in APT and malware workflows
Technical Analysis
First: 12.02.2026 14:45
Last: 12.02.2026 14:45
Sources 1
About this happening:
**Google Threat Intelligence Group** reported an **unknown threat actor** using **PROMPTFLUX**, an experimental **VB Script** malware, to query the **Gemini API** for **just-in-ti...
Geta RAT, Ares RAT, and DeskRAT cross-platform credential-theft activity
Malware Activity
First: 11.02.2026 16:52
Last: 11.02.2026 16:52
Sources 1
About this happening:
**Geta RAT**, **Ares RAT**, and **DeskRAT** are being deployed across **Windows and Linux** in phishing-led intrusions that enable **credential theft**, **persistent access**, and...
SantaStealer pre-launch memory-resident information stealer
Malware Activity
First: 16.12.2025 00:43
Last: 16.12.2025 00:43
Sources 1
About this happening:
The **SantaStealer** malware-as-a-service has surfaced as a **pre-launch infostealer** that can harvest **browser, chat, crypto-wallet, and document data**, raising theft risk for...
CDrivers macOS malware chain with LaunchAgent persistence and credential theft
Malware Activity
First: 25.11.2025 15:45
Last: 25.11.2025 15:45
Sources 1
About this happening:
A **macOS malware chain** centered on **CDrivers** now combines staged scripts, a **LaunchAgent** persistence mechanism, and a **Chrome-style password window** to steal credential...
Timeline
- 18.08.2025 22:38 · 1 article · 9mo ago
XenoRAT delivery and persistence activity
Initial Disclosure: Initial delivery uses spearphishing emails carrying **password-protected .ZIP archives**. The archive hides a **.LNK file** disguised as a PDF, which starts the loader when opened.
Sources:
- XenoRAT malware campaign hits multiple embassies in South Korea — www.bleepingcomputer.com — 18.08.2025 22:38