A new version of the Neptune RAT malware has emerged, security researchers have warned, and is spreading on GitHub, Telegram, and even YouTube.
The remote access trojan is 'an extremely serious threat' being offered on the ransomware-as-a-service model, according to researchers at Cyfirma.
Affecting Windows devices, it hijacks Chromium-based browsers including Chrome, Brave, and Opera using a Chromium.dll attack that decrypts stored login data and installs itself as a scheduled Windows task.
It includes a crypto clipper and a password stealer with the ability to exfiltrate the credentials of more than 270 different applications, along with ransomware capabilities and live desktop monitoring.
Advanced anti-analysis techniques and persistence methods, such as modifying the Windows Registry and adding tasks to the Task Scheduler, mean it can maintain its presence on the victim’s system for extended periods of time.
"The analysis of the latest version of Neptune RAT reveals a sophisticated and highly dangerous piece of malware designed for persistent, covert operations on Windows systems," Cyfirma researchers said.
"Its ability to generate direct PowerShell commands (using irm and iex) enables seamless delivery and execution, effectively bypassing traditional security measures. It also has the capability to destroy Windows OS and features advanced password-grabbing functionalities."
Neptune RAT lowers the bar for cyber criminals
The new version has been made available without the source code, making analysis more challenging. Notably, it's being offered via an unusual model, with the developer claiming that while it's free to use, there's a more advanced version behind a paywall.
Chris Hauk, consumer privacy advocate at Pixel Privacy, said the emergence of the new Neptune RAT variant shows the “try it before you buy it era of malware has arrived”.
“Neptune RAT is available as a download from GitHub, making it available to a wider variety of internet users than usual," he said.
"As antivirus and anti-malware apps have not yet been able to detect and remove Neptune RAT, internet users will need to stay alert and practice safe computing by not clicking on links or opening attachments that are shared by unknown users."
Paul Bischoff, consumer privacy advocate at Comparitech, echoed Hauk’s comments, noting that the accessibility of the variant will have wide-reaching implications for consumers and enterprises alike and lower the barrier of entry for cyber criminals.
"The maker of Neptune RAT is giving their malware out for free, so it's not just one hacker group we need to worry about," he said.
"Anyone could use it to launch attacks through email, text, ads, or download links. Once the malware has infected a system, it is extremely destructive, dangerous, and hard to remove."
Given its anti-detection features, the new Neptune RAT version is hard to avoid, Cyfirma researchers said, adding that this poses a “significant risk to both individuals and organizations”.
"Continuous monitoring, robust endpoint protection, and proactive threat detection strategies are crucial to mitigating the impact of this malware."
MORE FROM ITPRO
-
Trump's AI executive order could leave US in a 'regulatory vacuum'News Citing a "patchwork of 50 different regulatory regimes" and "ideological bias", President Trump wants rules to be set at a federal level
-
TPUs: Google's home advantageITPro Podcast How does TPU v7 stack up against Nvidia's latest chips – and can Google scale AI using only its own supply?
-
Chinese hackers are using ‘stealthy and resilient’ Brickstorm malware to target VMware servers and hide in networks for months at a timeNews Organizations, particularly in the critical infrastructure, government services, and facilities and IT sectors, need to be wary of Brickstorm
-
The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to knowNews The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
-
Shai-Hulud malware is back with a vengeance and has hit more than 19,000 GitHub repositories so far — here's what developers need to knowNews The malware has compromised more than 700 widely-used npm packages, and is spreading fast
-
The US, UK, and Australia just imposed sanctions on a Russian cyber crime group – 'we are exposing their dark networks and going after those responsible'News Media Land offers 'bulletproof' hosting services used for ransomware and DDoS attacks around the world
-
Europol hails triple takedown with Rhadamanthys, VenomRAT, and Elysium sting operationsNews The Rhadamanthys infostealer operation is one of the latest victims of Europol's Operation Endgame, with more than a thousand servers taken down
-
Hackers are using these malicious npm packages to target developers on Windows, macOS, and Linux systems – here’s how to stay safeNews Security experts have issued a warning to developers after ten malicious npm packages were found to deliver infostealer malware across Windows, Linux, and macOS systems.
-
Cisco ASA customers urged to take immediate action as NCSC, CISA issue critical vulnerability warningsNews Cisco customers are urged to upgrade and secure systems immediately
-
Hackers are disguising malware as ChatGPT, Microsoft Office, and Google Drive to dupe workersNews Beware of downloading applications like ChatGPT, Microsoft Office applications, and Google Drive through search engines
