Find notable cyber news and cases, enriched with sources, timelines, and signals.

AshTag modular .NET backdoor deployment via sideloading

Malware Activity
First reported
Last updated
Happening score
H score 22
1 unique sources, 1 articles

Summary

Hide ▲

The AshTag backdoor was deployed through DLL sideloading and in-memory execution, enabling persistence and remote command execution in targeted environments. It also disguised itself as a legitimate VisualServer utility and used loader/stager components to keep the intrusion covert. The malware’s capabilities included screen capture, file management, and system fingerprinting, increasing the operator’s ability to spy and move laterally inside victim systems.

Related Happenings

GigaWiper / BLUERABBIT destructive Windows backdoor activity

Malware Activity
H score31 First: 09.07.2026 21:08 Last: 09.07.2026 21:08 Sources 1

About this happening: The **GigaWiper / BLUERABBIT** malware activity now combines **disk wiping**, **fake ransomware**, and **spyware backdoor** functions on **Windows**, increasing the chance that on...

TinyRCT backdoor used in CL-STA-1062 Southeast Asia intrusions

Malware Activity
H score15 First: 26.06.2026 19:21 Last: 26.06.2026 19:21 Sources 1

About this happening: The newly documented **TinyRCT** backdoor gives **CL-STA-1062** a custom remote-access payload for **government and critical-infrastructure targets in Southeast Asia**, expanding...

TinyRCT backdoor with persistence, exfiltration, and self-deletion

Malware Activity
H score22 First: 26.06.2026 13:30 Last: 26.06.2026 13:30 Sources 1

About this happening: The **TinyRCT** backdoor appeared in a **2025** intrusion operation, adding stealthy **persistent access** and **control** to the attackers' toolkit. It also supports **command ex...

MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage

Technical Analysis
H score23 First: 24.06.2026 17:00 Last: 24.06.2026 17:00 Sources 1

About this happening: **macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...

Gentlemen ransomware EDR-killer tooling

Malware Activity
H score35 First: 19.06.2026 01:31 Last: 19.06.2026 01:31 Sources 1

About this happening: **Gentlemen ransomware-as-a-service (RaaS)** is actively maintaining a suite of **EDR killers** led by **GentleKiller** to disable endpoint defenses before encryption. ESET says t...

Timeline

  1. 11.12.2025 13:00 2 articles · 7mo ago

    WIRTE Ashen Lepus AshTag espionage campaign update

    Technical Analysis Update

    Palo Alto Networks tracks WIRTE as Ashen Lepus and describes an AshTag modular .NET backdoor campaign against government and diplomatic entities across the Middle East, using phishing-delivered PDF decoys, RAR archives, AshenLoader and AshenStager sideloading, in-memory payload execution, and Rclone-based document exfiltration, with expanded focus on Oman and Morocco and continued activity after the October 2025 Gaza ceasefire.

    Show sources