Friday February 20, 2026

Advisory ID:   ngCERT-2026-020003

SUMMARY/DESCRIPTION

ngCERT is issuing an urgent advisory on the compromise of critical infrastructure by multiple variants of Remote Access Trojans (RATs). In particular, variants such as Adwind, AsyncRAT, Firebird, Imminent Monitor, NetWire, Orcus, Remcos, Warzone, and WSH RATs can give an attacker unauthorised remote control of infected systems. These tools are distributed through phishing, malicious attachments, exploit kits, or fake downloads, and establish persistence through registry modifications, scheduled tasks, or process injection. Their capabilities include keylogging, credential theft, screen capture, webcam/microphone access, file exfiltration, command execution, and evasion of antivirus or sandboxes. The likely impacts are data breaches, financial fraud and theft, cyber espionage, and operational disruption. ngCERT strongly recommends conducting immediate vulnerability scans and deploying endpoint detection tools to mitigate the threats posed by these RATs.

Damage:      Critical

Probability:  High

Platform(s):  Mostly Windows; also macOS, Linux and Android.

CONSEQUENCES

Successful exploitation may result in:

    1. Unauthorised remote control and data breaches.
    2. Financial fraud and theft.
    3. Surveillance and cyber espionage.
    4. Operational disruption.

SOLUTION/MITIGATION

Organisations are strongly advised to:

    1. Apply timely patches to their OS and applications.
    2. Enforce Multi-Factor Authentication (MFA) for accounts and restrict unnecessary ports/services like Remote Desktop Protocol (RDP).
    3. Deploy endpoint detection and response (EDR).
    4. Use network segmentation to limit lateral movement and maintain offline, encrypted backups.
    5. Train users to recognise phishing attempts and implement email filtering to block malicious content.
    6. Monitor indicators like registry changes or connections to malicious Command and Control (C2) servers.
    7. Upon detection of system compromise, isolate systems, reset passwords, and report to authorities.
    8. Adopt Zero-Trust models and Threat Intelligence for enhanced resilience.
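The persistence mechanisms named in the summary (registry modifications, scheduled tasks) and the indicators in recommendation 6 (registry changes, connections to C2 servers) can be collected on a Windows host for analyst review with a short triage script. The following is an added example, not part of the ngCERT advisory and not a tool the advisory references; it assumes an elevated PowerShell 5.1 or later session, uses an assumed output directory under `$env:TEMP`, and treats the list of user-writable paths and the private-address exclusion as assumptions to be adjusted per environment. It records autostart registry values, scheduled tasks that execute from user-writable locations, and established external TCP connections mapped to their owning process, and compares the autostart entries against a baseline from a previous run so that newly added registry values stand out.

```powershell
# Added example (not from the ngCERT advisory): collect RAT persistence and C2 indicators
# on a Windows host and diff autostart registry entries against a saved baseline.
# Assumptions: elevated PowerShell 5.1+; output directory below is a placeholder.
$OutDir = Join-Path $env:TEMP 'rat-triage'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Autostart registry locations commonly modified for persistence (assumed list; extend as needed)
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$Autostarts = @(foreach ($Key in $RunKeys) {
    if (Test-Path $Key) {
        $Props = Get-ItemProperty -Path $Key
        # Skip the PS* metadata properties that Get-ItemProperty adds to every result
        foreach ($Prop in $Props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }) {
            [pscustomobject]@{ Key = $Key; Name = $Prop.Name; Command = [string]$Prop.Value }
        }
    }
})

# 2. Scheduled tasks whose action runs from a user-writable location (assumed path patterns)
$SuspiciousTasks = @(Get-ScheduledTask | ForEach-Object {
    $Task = $_
    foreach ($Action in $Task.Actions) {
        $Exe = $Action.Execute          # $null for non-exec actions, which are skipped
        if ($Exe -and $Exe -match '(?i)\\(Users|ProgramData|Temp|AppData)\\') {
            [pscustomobject]@{
                TaskName  = $Task.TaskName; TaskPath = $Task.TaskPath
                Execute   = $Exe;          Arguments = $Action.Arguments
            }
        }
    }
})

# 3. Established TCP connections to non-private addresses, mapped to the owning process
$PrivateRange = '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1$|fe80:)'   # assumed exclusion
$Connections = @(Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notmatch $PrivateRange } |
    ForEach-Object {
        $Proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            RemoteAddress = $_.RemoteAddress; RemotePort = $_.RemotePort
            PID = $_.OwningProcess; Process = $Proc.ProcessName; ImagePath = $Proc.Path
        }
    })

# 4. Diff autostart entries against the baseline from a previous run; first run creates the baseline
$BaselinePath = Join-Path $OutDir 'autostarts-baseline.csv'
$NewAutostarts = @()
if ((Test-Path $BaselinePath) -and $Autostarts.Count -gt 0) {
    $Baseline = @(Import-Csv $BaselinePath)
    if ($Baseline.Count -gt 0) {
        # Entries present now but absent from the baseline are flagged for review
        $NewAutostarts = @(Compare-Object -ReferenceObject $Baseline -DifferenceObject $Autostarts `
            -Property Key, Name, Command | Where-Object SideIndicator -eq '=>')
    } else {
        $NewAutostarts = $Autostarts
    }
} elseif ($Autostarts.Count -gt 0) {
    $Autostarts | Export-Csv -Path $BaselinePath -NoTypeInformation
}

# 5. Persist the snapshot for correlation with threat-intelligence C2 lists and EDR telemetry
$Autostarts      | Export-Csv -Path (Join-Path $OutDir 'autostarts.csv')  -NoTypeInformation
$SuspiciousTasks | Export-Csv -Path (Join-Path $OutDir 'tasks.csv')       -NoTypeInformation
$Connections     | Export-Csv -Path (Join-Path $OutDir 'connections.csv') -NoTypeInformation

Write-Host "Autostart entries       : $($Autostarts.Count)"
Write-Host "New since baseline      : $($NewAutostarts.Count)"
Write-Host "Tasks from user paths   : $($SuspiciousTasks.Count)"
Write-Host "External connections    : $($Connections.Count)"
Write-Host "Output written to       : $OutDir"
$NewAutostarts   | Format-Table -AutoSize
$SuspiciousTasks | Format-Table -AutoSize
$Connections     | Format-Table -AutoSize
```

Run it once on a known-clean host to create the baseline, then on a schedule; entries in the "new since baseline" table, tasks executing from user-writable paths, and external connections owned by unexpected processes are the items to cross-check against threat-intelligence C2 lists before deciding on isolation per recommendation 7.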
