
AshTag modular .NET backdoor deployment via sideloading

Malware Activity
Happening score: 16
1 unique source, 1 article

Summary


The AshTag backdoor was deployed through DLL sideloading and executed in memory, giving the operators persistence and remote command execution in the targeted environments. It was disguised as a legitimate VisualServer utility, and separate loader and stager components kept the intrusion covert. Its capabilities include screen capture, file management and system fingerprinting, which extend the operator's ability to spy on victim systems and prepare lateral movement within them.

Related Happenings

MiniFast Windows DLL backdoor activity

Malware Activity
First: 26.05.2026 12:10 Last: 26.05.2026 12:10 Sources 1

About this happening: The **MiniFast** backdoor adds a new **64-bit Windows DLL** implant to **Nimbus Manticore's** toolkit, increasing the group's ability to run commands, move files, and persist on c...

Showboat Linux post-exploitation backdoor framework

Malware Activity
First: 21.05.2026 17:17 Last: 21.05.2026 17:17 Sources 1

About this happening: The **Showboat** Linux malware has been identified as a **modular post-exploitation framework** used since **at least mid-2022**, raising the risk of persistent access on compromi...

Showboat / kworker Linux post-exploitation malware activity

Malware Activity
First: 21.05.2026 17:00 Last: 21.05.2026 17:00 Sources 1

About this happening: Researchers tied **Showboat** / **kworker** to a stealthy **Linux post-exploitation framework** being reused across multiple Chinese threat clusters, raising concern that a shared...

AppleChris, MemFun, and Getpass malware activity with persistent C2 and credential theft

Malware Activity
First: 13.03.2026 19:33 Last: 13.03.2026 19:33 Sources 1

About this happening: The intrusion used **AppleChris**, **MemFun**, and **Getpass** to keep access on compromised **Windows** endpoints and steal credentials. The backdoors supported **persistence**,...

GachiLoader kidkadi.node adds VEH-based PE injection for in-memory payload swapping

Technical Analysis
First: 19.12.2025 17:34 Last: 19.12.2025 17:34 Sources 1

About this happening: A new **GachiLoader** variant uses **kidkadi.node** to perform **PE injection** through **Vectored Exception Handling**, creating an in-memory swapping technique that raises detec...

Timeline

  1. 11.12.2025 13:00 · 2 articles

    WIRTE Ashen Lepus AshTag espionage campaign update

    Technical Analysis Update

    Palo Alto Networks tracks WIRTE as Ashen Lepus and describes an AshTag modular .NET backdoor campaign against government and diplomatic entities across the Middle East, using phishing-delivered PDF decoys, RAR archives, AshenLoader and AshenStager sideloading, in-memory payload execution, and Rclone-based document exfiltration, with an expanded focus on Oman and Morocco and continued activity after the October 2025 Gaza ceasefire.
