China-linked LapDogs Campaign Drops ShortLeash Backdoor with Fake Certs

ShortLeash backdoor, used in the China-linked LapDogs campaign since 2023, enables stealth access, persistence, and data theft via compromised SOHO routers and fake certs...

Employees Searching Payroll Portals on Google Tricked Into Sending Paychecks to Hackers

Threat hunters have exposed a novel campaign that makes use of search engine optimization SEO poisoning techniques to target employee mobile devices and facilitate payroll fraud. The activity, first detected by ReliaQuest in May 2025 targeting an unnamed customer in the manufacturing sector, is...

Blind Eagle Targets Colombian Insurance Sector with Customized Quasar RAT

The Colombian insurance sector is the target of a threat actor tracked as Blind Eagle with the end goal of delivering a customized version of a known commodity remote access trojan RAT referred to as Quasar RAT since June 2024. "Attacks have originated with phishing emails impersonating the...

Cybercriminals Forge Alliances via Compromised Routers

...

AVRecon Botnet Leveraging Compromised Routers to Fuel Illegal Proxy Service

More details have emerged about a botnet called AVRecon, which has been observed making use of compromised small office/home office SOHO routers as part of a multi-year campaign active since at least May 2021. AVRecon was first disclosed by Lumen Black Lotus Labs earlier this month as malware...

Threat Advisory: Cyclops Blink

Update Feb. 25, 2022In our ongoing research into activity surrounding Ukraine and in cooperation with Cisco Duo data scientists Talos discovered compromised MikroTik routers inside of Ukraine being leveraged to conduct brute force attacks on devices protected by multi-factor authentication. This...

Roaming Mantis, part IV

One year has passed since we published the first blogpost about the Roaming Mantis campaign on securelist.com, and this February we detected new activities by the group. This blogpost is follow up on our earlier reporting about the group with updates on their tools and tactics. Mobile config for...

Newsmaker Interview: Troy Mursch on Top Botnet Trends

Botnet activity saw a healthy amount of dynamism in 2018. There were new types of devices being targeted, such as carrier-grade MikroTik hardware; and, there was also a host of new types of criminal activity surfacing making the point that botnets aren’t just for DDoS anymore. New types of...

Fake browser update seeks to compromise more MikroTik routers

This blog post was authored by @hasherezade and Jérôme Segura. MikroTik, a Latvian company that makes routers and ISP wireless systems, has been dealing with several vulnerabilities affecting its products' operating system over the past few months. Ever since a critical flaw in RouterOS was...

Scan of Internet for Compromised Cisco Routers Finds Fewer Than 100

A day after researchers detailed a technique that attackers are using to upload malicious firmware images to Cisco routers, academic researchers say they have scanned the entire IPv4 address space and discovered a total of 79 likely compromised routers. The researchers at the University of Michig...