Ethical Hacking News
Credential Theft and Remote Access Surge as AllaKore, PureRAT, and Hijack Loader Proliferate in a Wave of Financial Fraud

According to Arctic Wolf Labs, a financially motivated hacking group has been behind the recent surge in attacks targeting Mexican organizations.
The cybersecurity landscape is plagued by a surge in Credential Theft and Remote Access attacks. Malware variants like AllaKore, PureRAT, and Hijack Loader are being used to conduct financially motivated fraud. A group called Greedy Sponge has been behind the recent surge in attacks, targeting Mexican organizations since early 2021. The AllaKore RAT payload can send select banking credentials and unique authentication information back to a C2 server for financial fraud. Greedy Sponge's limited geographic targeting and financial motivation set them apart from other threat actors. New malware variants like Ghost Crypt, Neptune RAT, and RedLine information stealer are emerging. The attacks highlight the need for organizations to implement robust cybersecurity measures.
The cybersecurity landscape has been plagued by a surge in Credential Theft and Remote Access attacks, with malicious actors capitalizing on the growing use of remote access tools to compromise sensitive data. At the forefront of this trend are the AllaKore, PureRAT, and Hijack Loader malware variants, which have been employed by threat actors to conduct financially motivated fraud.
According to Arctic Wolf Labs, a financially motivated hacking group known as Greedy Sponge has been behind the recent surge in attacks. The group, whose true identity remains unknown, has been targeting Mexican organizations since early 2021, using a variety of tactics to compromise sensitive data and gain access to remote access tools.
The AllaKore RAT payload has been heavily modified to enable threat actors to send select banking credentials and unique authentication information back to their command-and-control (C2) server. This modification allows for the conduct of financial fraud, such as identity theft and credit card scams, on a large scale.
Arctic Wolf Labs notes that Greedy Sponge's limited geographic targeting and strictly financial motivation set the group apart from other threat actors. The group's operational longevity points to probable operational success, with its tactics proving effective over an extended period.
The attack flow of one campaign using Ghost Crypt reveals that initial access was gained through social engineering, where the threat actor impersonated a new client and sent a PDF containing a link to a Zoho WorkDrive folder containing malicious zip files. The attacker also created a sense of urgency by calling the victim and requesting that they extract and execute the file immediately.
The malicious file contains a DLL payload encrypted with Ghost Crypt, which then extracts and injects the trojan into a legitimate Windows csc.exe process using a technique called process hypnosis injection. This allows the threat actor to bypass Microsoft Defender Antivirus and serve several stealers, loaders, and trojans, including Lumma, Rhadamanthys, StealC, BlueLoader, PureLoader, DCRat, and XWorm.
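One defensive angle on the attack flow above is that csc.exe, the C# compiler abused here as the injection host, is normally started by build tooling with source or response-file arguments. The following added example (not code from Arctic Wolf Labs or any source cited in this article) runs a simple hunt over constructed Sysmon-style process-creation records; the JSON field names and the build-tool allowlist are assumptions to tune per environment.

```python
"""Heuristic hunt for csc.exe launched outside a normal build context.

Added example for this article, not code from the cited vendors. Input is
constructed Sysmon-style process-creation JSON (field names assumed).
Flags csc.exe launches whose parent is not a known build tool, or whose
command line carries none of the source/response-file arguments a real
compile has.
"""
import json
import ntpath

# Parents that legitimately spawn the C# compiler (assumed allowlist).
BUILD_PARENTS = {"msbuild.exe", "devenv.exe", "vbcscompiler.exe", "dotnet.exe"}


def _looks_like_compile(cmdline):
    """A genuine compile names a .cs source or an @response file."""
    low = cmdline.lower()
    return ".cs" in low or "@" in low


def flag_csc_event(event):
    """Return a reason string if the record is suspicious, else None."""
    image = ntpath.basename(event.get("Image", "")).lower()
    if image != "csc.exe":
        return None
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent not in BUILD_PARENTS:
        return f"csc.exe spawned by non-build parent {parent or '<unknown>'}"
    if not _looks_like_compile(event.get("CommandLine", "")):
        return "csc.exe launched without any source or response file"
    return None


def hunt(lines):
    """Yield (ProcessId, reason) for every suspicious JSON record."""
    for line in lines:
        ev = json.loads(line)
        reason = flag_csc_event(ev)
        if reason:
            yield ev["ProcessId"], reason


# Constructed sample events: one benign MSBuild compile, one csc.exe started
# by an executable the user extracted to Downloads (the pattern described above).
SAMPLE_LOG = [
    '{"EventID":1,"ProcessId":4120,"Image":"C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v4.0.30319\\\\csc.exe","CommandLine":"csc.exe /noconfig @C:\\\\build\\\\tmp.rsp","ParentImage":"C:\\\\Program Files\\\\MSBuild\\\\MSBuild.exe"}',
    '{"EventID":1,"ProcessId":5566,"Image":"C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v4.0.30319\\\\csc.exe","CommandLine":"csc.exe","ParentImage":"C:\\\\Users\\\\victim\\\\Downloads\\\\factura.exe"}',
]

if __name__ == "__main__":
    for pid, why in hunt(SAMPLE_LOG):
        print(pid, why)
```

The parent allowlist trades false negatives for a short rule; pairing the hit with a subsequent network connection from the same csc.exe PID (the page notes the payload beacons to C2) narrows it further.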
The emergence of a new version of Neptune RAT (aka MasonRAT) distributed via JavaScript file lures has also been noted. This variant allows threat actors to extract sensitive data, take screenshots, log keystrokes, drop clipper malware, and download additional DLL payloads.
Furthermore, malicious Inno Setup installers have been employed as conduits for Hijack Loader (aka IDAT Loader), which delivers the RedLine information stealer. The attack "leverages Inno Setup's Pascal scripting capabilities to retrieve and execute the next-stage payload in a compromised or targeted host," according to the Splunk Threat Research Team.
The proliferation of these malware variants highlights the need for organizations to implement robust cybersecurity measures, including regular software updates, secure password management, and awareness training for employees. By staying vigilant and proactive, businesses can reduce their risk of falling victim to Credential Theft and Remote Access attacks.
In conclusion, the recent surge in Credential Theft and Remote Access attacks is a stark reminder of the ongoing threat landscape. The emergence of new malware variants, such as AllaKore RAT and PureRAT, highlights the need for organizations to prioritize cybersecurity and implement robust measures to protect themselves against financially motivated fraud.
Related Information:
https://www.ethicalhackingnews.com/articles/Credential-Theft-and-Remote-Access-Surge-as-AllaKore-PureRAT-and-Hijack-Loader-Proliferate-in-a-Wave-of-Financial-Fraud-ehn.shtml
https://thehackernews.com/2025/07/credential-theft-and-remote-access.html
https://www.bleepingcomputer.com/news/security/red-report-2025-unmasking-a-3x-spike-in-credential-theft-and-debunking-the-ai-hype/
https://www.csoonline.com/article/3825453/password-managers-under-increasing-threat-as-infostealers-triple-and-adapt.html
Published: Tue Jul 22 12:06:35 2025 by llama3.2 3B Q4_K_M