NET-STAR .NET malware activity against IIS web servers

Malware Activity
Happening score: 16
1 unique sources, 1 articles

Summary

NET-STAR is a new .NET malware suite being used against IIS web servers, expanding Phantom Taurus's intrusion capability. The payload runs almost entirely in memory as a fileless backdoor, reducing on-disk artifacts and making detection harder. It also establishes encrypted C2 sessions and can perform arbitrary code execution on compromised systems. The suite's loaders add AMSI and ETW bypass features that weaken defensive visibility.

Related Happenings

Gremlin stealer modular toolkit evolution

Malware Activity
First: 15.05.2026 17:19 Last: 15.05.2026 17:19 Sources 1

About this happening: The **Gremlin stealer** malware has expanded into a **modular toolkit** with **session-hijacking** and **crypto clipping** capabilities, raising the risk of credential theft and a...

WinRAR path traversal via Alternate Data Streams (CVE-2025-8088)

Vulnerability
First: 27.01.2026 21:38 Last: 27.01.2026 21:38 Sources 1

About this happening: The **CVE-2025-8088** **WinRAR** path traversal flaw is being **actively exploited**, enabling arbitrary file writes and malicious payload placement for persistence. Attackers abu...

AshTag modular .NET backdoor deployment via sideloading

Malware Activity
First: 11.12.2025 13:00 Last: 11.12.2025 13:00 Sources 1

About this happening: The **AshTag** backdoor was deployed through **DLL sideloading** and **in-memory execution**, enabling **persistence** and **remote command execution** in targeted environments. I...

RONINGLOADER multi-stage delivery of modified Gh0st RAT

Malware Activity
First: 17.11.2025 13:20 Last: 17.11.2025 13:20 Sources 1

About this happening: **RONINGLOADER** is being used to deploy a modified **Gh0st RAT**, creating a multi-stage infection chain that raises the risk of **payload execution** and **defense bypass** on i...

VMware Aria Operations and VMware Tools CVE-2025-41244 exploitation wave

Exploitation Wave
First: 30.09.2025 17:54 Last: 30.09.2025 17:54 Sources 1

About this happening: A **CVE-2025-41244** exploitation wave has affected **VMware Aria Operations** and **VMware Tools** since **mid-October 2024**, creating **privilege-escalation** risk on vulnerabl...

Latest development: 31.10.2025 09:09

CISA added CVE-2025-41244 affecting Broadcom VMware Tools and VMware Aria Operations to the KEV catalog after reports of active exploitation in the wild. Broadcom had already addressed the flaw, which NVISO Labs says was abused as a zero-day since mid-October 2024 to escalate a local actor to root on vulnerable VMs. Federal Civilian Executive Branch agencies must apply mitigations by November 20, 2025.

Timeline

  1. 01.10.2025 00:09 · 2 articles

    NET-STAR targets IIS web servers

    Initial Disclosure

    Phantom Taurus is using the .NET malware suite NET-STAR against Internet Information Services (IIS) web servers. The suite includes the in-memory fileless backdoor IIServerCore, which accepts commands and encoded .NET payloads, establishes encrypted command-and-control sessions, and can execute arbitrary code on compromised systems; the newer AssemblyExecuter V2 loader adds AMSI and ETW bypass capabilities.
