RedEyes hackers use new malware to steal data from Windows, phones
Security News, February 2023

The APT37 threat group uses a new evasive 'M2RAT' malware and steganography to target individuals for intelligence collection.
Previously, the group targeted EU-based organizations with a new version of its mobile backdoor 'Dolphin,' deployed a custom RAT called 'Konni,' and targeted U.S. journalists with the highly customizable 'Goldbackdoor' malware.
In a new report released today by the AhnLab Security Emergency Response Center (ASEC), researchers explain how APT37 is now using a new malware strain called 'M2RAT' that uses a shared memory section for commands and data exfiltration and leaves very few operational traces on the infected machine.
For persistence on the system, the malware adds a new value to the "Run" registry key whose command launches a PowerShell script via "cmd.exe." The same command line was also seen in a 2021 Kaspersky report about APT37, so the Run keys (under both HKCU and HKLM) are the first place to check a suspect host for this persistence.
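As an added example (not code from the ASEC report or from the article), the following Python hunt script parses `reg query` output for the Run key and flags values where cmd.exe is used to start PowerShell, the persistence shape described above, reporting which evasive launch switches are present. The registry output, value names and command lines are constructed for illustration and are not the actual M2RAT command, which the page does not print.

```python
import re
import sys
from dataclasses import dataclass, field

# Constructed sample of `reg query ...\Run` output for this example. The value
# names and command lines are illustrative shapes of a cmd.exe -> PowerShell
# launcher, NOT the actual M2RAT command (the article does not print it).
SAMPLE_REG_QUERY_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater     REG_SZ    cmd.exe /c powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -File C:\Users\Public\update.ps1
    Sync        REG_SZ    C:\Windows\System32\cmd.exe /c start /min powershell -enc SQBFAFgA
    Helper      REG_EXPAND_SZ    %SystemRoot%\system32\notepad.exe
"""

# One "    Name    REG_TYPE    data" line of reg query output.
VALUE_LINE_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")
# cmd or cmd.exe (bare or with a path) followed by a /c or /k command string.
CMD_RE = re.compile(r'(?:^|[\\\s"])cmd(?:\.exe)?"?\s+.*?/[ck]\b', re.IGNORECASE)
POWERSHELL_RE = re.compile(r"\bpowershell(?:\.exe)?\b", re.IGNORECASE)
# Launch switches that hide the window, skip profile/policy checks, carry an
# encoded payload or point at a script file; each is reported as its own reason.
FLAG_PATTERNS = [
    (re.compile(r"-(?:e|ec|enc|encodedcommand)\s", re.IGNORECASE), "encoded command"),
    (re.compile(r"-(?:w|windowstyle)\s+hidden", re.IGNORECASE), "hidden window"),
    (re.compile(r"-(?:nop|noprofile)\b", re.IGNORECASE), "no profile"),
    (re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.IGNORECASE), "execution policy bypass"),
    (re.compile(r"-(?:f|file)\s+\S+\.ps1", re.IGNORECASE), "runs a .ps1 script file"),
]


@dataclass
class Finding:
    name: str
    data: str
    reasons: list = field(default_factory=list)


def parse_reg_query(text):
    """Yield (value_name, value_type, data) for each value line; key header lines are skipped."""
    for line in text.splitlines():
        m = VALUE_LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3).strip()


def find_cmd_powershell_runkeys(text):
    """Return a Finding for every Run value whose data uses cmd.exe to start PowerShell."""
    findings = []
    for name, _value_type, data in parse_reg_query(text):
        if not (CMD_RE.search(data) and POWERSHELL_RE.search(data)):
            continue
        finding = Finding(name, data, ["cmd.exe launches PowerShell from a Run value"])
        for pattern, reason in FLAG_PATTERNS:
            if pattern.search(data):
                finding.reasons.append(reason)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    # Usage: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run > run.txt
    #        python hunt_runkeys.py run.txt   (no argument: scan the sample above)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REG_QUERY_OUTPUT
    for f in find_cmd_powershell_runkeys(text):
        print(f"[!] {f.name}: {f.data}\n    reasons: {', '.join(f.reasons)}")
```

Run it against both `HKCU\...\Run` and `HKLM\...\Run` exports (and the `RunOnce` keys) on a suspect host. A hit only means the launcher shape matches: confirm by reading the referenced .ps1 file or decoding the `-enc` payload before treating the host as compromised.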
Another notable feature of M2RAT is that it uses a shared memory section for command-and-control communication, data exfiltration, and the direct transfer of stolen data to the C2 without writing that data to disk on the compromised system.
Keeping these functions in a memory section on the host minimizes the exchange with the C2 and makes analysis harder: investigators have to acquire and analyze the memory of infected devices to recover the commands and data the malware used, so capturing a memory image before a suspect host is powered down matters.