CyberSecurityBoard
Sponsor Register Login

Njrat Attacking Users Abusing Microsoft Dev Tunnels for C2 Communications

Historically associated with credential theft and USB-based propagation, the malware now utilizes Microsoft’s infrastructure to evade traditional network defenses by masquerading as legitimate developer activity. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. Microsoft Dev Tunnels, designed to expose local services via temporary HTTPS URLs for debugging purposes5, is being weaponized to host Njrat’s C2 servers. By routing traffic through Microsoft’s trusted domains (devtunnels.ms), attackers bypass IP/DNS reputation checks and leverage TLS encryption to obscure payloads. Defenders face visibility gaps, as Dev Tunnels traffic resembles legitimate developer activity. The threat remains active as of February 28, 2025, with infrastructure linked to historical Njrat campaigns in the Middle East and North Africa. Network telemetry showing prolonged connections to *.devtunnels.ms or processes like devtunnel.exe paired with unsigned binaries may indicate abuse. Security teams are advised to correlate these IOCs with DNS logs and endpoint process trees. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 28 Feb 2025 12:15:02 +0000


Cyber News related to Njrat Attacking Users Abusing Microsoft Dev Tunnels for C2 Communications

NJRat Campaign Unleashes Cyber Attack from Earth Bogle – The Hacker News - In a recent cyber attack, a well-known malware named NJRat is being unleashed from the Earth Bogle campaign, as reported by The Hacker News. An NJRat is a malicious code that can be used to gain system infiltration and access to web servers. It is ...
2 years ago Thehackernews.com
Njrat Attacking Users Abusing Microsoft Dev Tunnels for C2 Communications - Historically associated with credential theft and USB-based propagation, the malware now utilizes Microsoft’s infrastructure to evade traditional network defenses by masquerading as legitimate developer activity. Cyber Security News is a Dedicated ...
4 hours ago Cybersecuritynews.com
CVE-2024-57929 - In the Linux kernel, the following vulnerability has been resolved: dm array: fix releasing a faulty array block twice in dm_array_cursor_end When dm_bm_read_lock() fails due to locking or checksum errors, it releases the faulty block implicitly ...
1 month ago Tenable.com
Microsoft Incident Response lessons on preventing cloud identity compromise - Microsoft Incident Response is often engaged in cases where organizations have lost control of their Microsoft Entra ID tenant, due to a combination of misconfiguration, administrative oversight, exclusions to security policies, or insufficient ...
1 year ago Microsoft.com
CVE-2023-52578 - In the Linux kernel, the following vulnerability has been resolved: ...
11 months ago
CVE-2025-21700 - In the Linux kernel, the following vulnerability has been resolved: net: sched: Disallow replacing of child qdisc from one parent to another Lion Ackermann was able to create a UAF which can be abused for privilege escalation with the following ...
2 weeks ago Tenable.com
CVE-2023-52784 - In the Linux kernel, the following vulnerability has been resolved: bonding: stop the device in bond_setup_by_slave() Commit 9eed321cde22 ("net: lapbether: only support ethernet devices") has been able to keep syzbot away from net/lapb, until today. ...
9 months ago Tenable.com
The Evolving Threat Landscape: Where Out-of-Band Communications Fit - On August 10, 2023, the Cyber Safety Review Board publicly released a critical report detailing cyberattacks perpetrated by Lapsus$ and related threat groups. The report came approximately a year and a half after Microsoft first warned about the ...
1 year ago Securityboulevard.com LAPSUS$
Financially motivated threat actors misusing App Installer - Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilizing the ms-appinstaller URI scheme to distribute malware. In ...
1 year ago Microsoft.com Black Basta
New Microsoft Incident Response guides help security teams analyze suspicious activity - Today Microsoft Incident Response are proud to introduce two one-page guides to help security teams investigate suspicious activity in Microsoft 365 and Microsoft Entra. These guides contain the artifacts that Microsoft Incident Response hunts for ...
1 year ago Microsoft.com
How to manage a migration to Microsoft Entra ID - Microsoft Entra ID, formerly Azure Active Directory, is not a direct replacement for on-premises Active Directory due to feature gaps and alternative ways to perform similar identity and access management tasks. For some organizations, a move to ...
1 year ago Techtarget.com
CISA Updates Toolkit with Nine New Resources to Promote Public Safety Communications and Cyber Resiliency - The Cybersecurity and Infrastructure Security Agency collaborates with public safety, national security, and emergency preparedness communities to enhance seamless and secure communications to keep America safe, secure, and resilient. Any ...
9 months ago Cisa.gov
CVE-2024-46800 - In the Linux kernel, the following vulnerability has been resolved: sch/netem: fix use after free in netem_dequeue If netem_dequeue() enqueues packet to inner qdisc and that qdisc returns __NET_XMIT_STOLEN. The packet is dropped but ...
5 months ago Tenable.com
CVE-2021-47103 - In the Linux kernel, the following vulnerability has been resolved: ...
11 months ago
CVE-2021-47268 - In the Linux kernel, the following vulnerability has been resolved: ...
9 months ago
CVE-2018-0273 - A vulnerability in the IPsec Manager of Cisco StarOS for Cisco Aggregation Services Router (ASR) 5000 Series Routers and Virtualized Packet Core (VPC) System Software could allow an unauthenticated, remote attacker to terminate all active IPsec VPN ...
5 years ago
Microsoft disrupts credentials marketplace, warns of gift card fraud, OAuth abuse - After a relatively quiet final Patch Tuesday of 2023, Microsoft published warnings this week about the potential for gift card fraud and hackers abusing a popular authentication technology. Alongside the warnings, Microsoft said it recently used a ...
1 year ago Therecord.media
CVE-2024-27010 - In the Linux kernel, the following vulnerability has been resolved: net/sched: Fix mirred deadlock on device recursion When the mirred action is used on a classful egress qdisc and a packet is mirrored or redirected to self we hit a qdisc lock ...
9 months ago Tenable.com
CVE-2024-50279 - In the Linux kernel, the following vulnerability has been resolved: dm cache: fix out-of-bounds access to the dirty bitset when resizing dm-cache checks the dirty bits of the cache blocks to be dropped when shrinking the fast device, but an index bug ...
3 months ago Tenable.com
CVE-2021-47299 - In the Linux kernel, the following vulnerability has been resolved: xdp, net: Fix use-after-free in bpf_xdp_link_release The problem occurs between dev_get_by_index() and dev_xdp_attach_link(). At this point, dev_xdp_uninstall() is called. Then xdp ...
9 months ago Tenable.com
CVE-2024-50278 - In the Linux kernel, the following vulnerability has been resolved: dm cache: fix potential out-of-bounds access on the first resume Out-of-bounds access occurs if the fast device is expanded unexpectedly before the first-time resume of the cache ...
3 months ago Tenable.com
Microsoft reveals how hackers breached its Exchange Online accounts - Microsoft confirmed that the Russian Foreign Intelligence Service hacking group, which hacked into its executives' email accounts in November 2023, also breached other organizations as part of this malicious campaign. On January 12, 2024, Microsoft ...
1 year ago Bleepingcomputer.com APT29
Microsoft Security Copilot improves speed and efficiency for security and IT teams - First announced in March 2023, Microsoft Security Copilot-Microsoft's first generative AI security product-has sparked major interest. With the rapid innovations of Security Copilot, we have taken this solution beyond security operations use cases ...
1 year ago Microsoft.com
CISA Warns of Compromised Microsoft Accounts - CISA issued a fresh CISA emergency directive in early April instructing U.S. federal agencies to mitigate risks stemming from the breach of numerous Microsoft corporate email accounts by the Russian APT29 hacking group. The directive is known as ...
10 months ago Securityboulevard.com APT29
Fake Ledger Live app in Microsoft Store steals $768,000 in crypto - Microsoft has recently removed from its store a fraudulent Ledger Live app for cryptocurrency management after multiple users lost at least $768,000 worth of cryptocurrency assets. Published with the name Ledger Live Web3, the fake application ...
1 year ago Bleepingcomputer.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)