Find notable cyber news and cases, enriched with sources, timelines, and signals.

ModeloRAT Windows RAT deployment with RC4 C2 and Registry persistence

Malware Activity
First reported
Last updated
Happening score
H score 24
2 unique sources, 2 articles

Summary

Hide ▲

The KongTuke operation is deploying ModeloRAT, a Python-based Windows RAT that gives attackers persistent remote control over infected systems. It communicates through RC4-encrypted C2 and can execute binaries, DLLs, Python scripts, and PowerShell commands. The implant also writes Registry persistence and supports self-update and termination commands. That combination raises the risk of durable compromise on Windows endpoints.

Related Happenings

DEEP#DOOR Python backdoor framework

Malware Activity
H score28 First: 30.04.2026 15:36 Last: 30.04.2026 15:36 Sources 1

About this happening: **DEEP#DOOR** is a newly disclosed **Python-based backdoor framework** that can keep **persistent access** to compromised Windows hosts while stealing browser, SSH, and cloud cred...

CRESCENTHARVEST Windows RAT and info-stealer activity

Malware Activity
H score28 First: 19.02.2026 10:13 Last: 19.02.2026 10:13 Sources 1

About this happening: The **CRESCENTHARVEST** malware activity centers on **version.dll**, a **Windows RAT and information stealer** that can execute commands, log keystrokes, and exfiltrate data. It m...

EDR killer abusing EnPortv.sys to disable 59 security tools

Malware Activity
H score19 First: 04.02.2026 16:17 Last: 04.02.2026 16:17 Sources 1

About this happening: A custom **EDR killer** abused **EnPortv.sys** to disable endpoint security tools on infected Windows hosts, creating a window for follow-on intrusion activity. The 64-bit executa...

Mustang Panda multi-country espionage campaign against government and telecom targets

Campaign
H score37 First: 28.01.2026 13:40 Last: 28.01.2026 13:40 Sources 1

About this happening: **Mustang Panda** is running new **2026** espionage activity against the **Indian government** and **hydropower** targets, using **Zoho WorkDrive** as a command-and-control and ex...

BeaverTail and InvisibleFerret backdoor delivery via malicious VS Code task abuse

Malware Activity
H score39 First: 20.01.2026 20:41 Last: 20.01.2026 20:41 Sources 1

About this happening: **North Korean** threat actors tied to **Contagious Interview** are running the **PolinRider** malware activity across **108 unique packages and browser extensions** on **npm, Pac...

Latest development: 22.04.2026 17:48

North Korean actor Void Dokkaebi, aka Famous Chollima, is turning the Contagious Interview fake-job lure into a self-propagating software supply-chain infection that abuses compromised developer repositories, malicious VS Code tasks, and injected code to spread malware and steal credentials. The campaign targets developers seeking work, can hide a poisoned .vscode folder in committed code, and Trend Micro said it found more than 750 infected code repositories, more than 500 malicious VS Code task configurations, and 101 commit-tampering instances in March.

Timeline

  1. 19.01.2026 11:09 2 articles · 5mo ago

    CrashFix campaign disclosure

    Initial Disclosure

    Researchers disclosed an ongoing KongTuke campaign dubbed CrashFix that uses a malicious Google Chrome extension on the Official Chrome Web Store to masquerade as an ad blocker, crash the browser with ClickFix-like lures, and deliver ModeloRAT as a next-stage payload.

    Show sources