Find notable cyber news and cases, enriched with sources, timelines, and signals.

DeskRAT Linux persistence and command-set analysis

Technical Analysis
First reported
Last updated
Happening score
H score 23
1 unique sources, 1 articles

Summary

Hide ▲

Researchers detailed DeskRAT's Linux persistence methods and command set, giving defenders concrete indicators for spotting the malware on BOSS Linux hosts. The analysis matters because the trojan can survive reboots through systemd, cron, autostart, and .bashrc modifications while also supporting file collection and payload execution. It also shows the malware using WebSockets for C2 and shifting toward dedicated staging infrastructure, which can complicate network-based detection.

Related Happenings

ESET analysis of SprySOCKS Windows variants adds IOC-backed detection guidance

Technical Analysis
H score34 First: 16.06.2026 12:00 Last: 16.06.2026 12:00 Sources 1

About this happening: **ESET** identified previously undocumented **Windows variants** of **SprySOCKS**, a backdoor attributed to **FishMonger** and linked to **I-Soon**. The **WIN_DRV** and **WIN_PLUS...

Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel

Malware Activity
H score49 First: 02.06.2026 21:21 Last: 02.06.2026 21:21 Sources 1

About this happening: **Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....

Latest development: 09.06.2026 15:26

Trend Micro attributes ongoing exploitation of WinRAR CVE-2025-8088 against Ukrainian organizations to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226). The campaigns use crafted RAR archives with hidden ADS payloads, a decoy PDF, a Startup-folder LNK, and a PowerShell chain via cmd.exe to launch GIFTEDCROOK (result.dll), while Earth Dahu's HTA-to-VBScript chain delivers GammaPhish, GammaLoad, and GammaSteel. The exfiltration path also shifts from Telegram to dedicated C2 servers, and Earth Dahu's use of the flaw is assessed to have remained active through at least April 10, 2026.

CHILLYHELL and ZynorRAT malware activity

Malware Activity
H score23 First: 10.09.2025 16:04 Last: 10.09.2025 16:04 Sources 1

About this happening: The discovery of **CHILLYHELL** and **ZynorRAT** expands cross-platform malware risk across **macOS**, **Windows**, and **Linux** with backdoor, RAT, persistence, and exfiltration...

MystRodX / ChronosRAT backdoor activity with DNS and ICMP wake-up triggers

Malware Activity
H score23 First: 02.09.2025 17:56 Last: 02.09.2025 17:56 Sources 1

About this happening: Researchers disclosed **MystRodX**/**ChronosRAT**, a stealthy **backdoor** that can capture data and execute remote commands on compromised systems. The malware uses **DNS** and *...

Timeline

  1. 24.10.2025 17:00 1 articles · 8mo ago

    DeskRAT Linux persistence and commands

    Technical Analysis Update

    Researchers analyzing DeskRAT on BOSS (Bharat Operating System Solutions) Linux identified four persistence mechanisms: a systemd service, a cron job, a Linux autostart entry under $HOME/.config/autostart, and a .bashrc launcher that runs a shell script from $HOME/.config/system-backup/. The malware also supports ping, heartbeat, browse_files, start_collection, and upload_execute commands for status beacons, directory listings, targeted file collection, and execution of Python, shell, or desktop payloads; related Linux variants communicate over either WebSockets or HTTP and can recursively collect files from /.

    Show sources