New TorNet backdoor seen in widespread campaign

Intel Name: New TorNet backdoor seen in widespread campaign

Date of Scan: January 29, 2025

Impact: Medium

Summary:
A financially motivated threat actor has been running a malicious campaign since July 2024, primarily targeting users in Poland and Germany. The actor uses phishing emails to deliver various payloads, including Agent Tesla, Snake Keylogger, and a new, previously undocumented backdoor called TorNet, which is dropped by the PureCrypter malware. The actor achieves persistence by registering a Windows scheduled task on victim machines, configured so that it runs even when the machine is on low battery. To evade detection, the actor disconnects the victim machine from the network before dropping the payload and then reconnects it. TorNet enables stealthy command and control communications over the Tor network, helping it avoid detection by cloud antimalware solutions.
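The scheduled-task persistence described above (a task that keeps running even on low battery) leaves a hunting signal in the task definition itself: Task Scheduler stores each task as an XML file under `C:\Windows\System32\Tasks`, and the battery behaviour is controlled by the `DisallowStartIfOnBatteries` and `StopIfGoingOnBatteries` settings, which default to `true`. The following is an added example written for this entry, not code from the original report or from the threat actor: it parses task XML and flags tasks that explicitly set both settings to `false` while launching a command from a user-writable directory. The task definitions embedded below are constructed for the demonstration, and the path list and scoring rule are this example's own choices.

```python
"""Hunt for scheduled tasks that ignore battery state and launch from user-writable paths.

Added example (not from the original intel entry). Input is Task Scheduler XML,
as stored under C:\\Windows\\System32\\Tasks or exported with `schtasks /query /xml`.
The files on disk are UTF-16 with a BOM; read them with open(path, encoding="utf-16").
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Namespace used by every Task Scheduler task definition.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories a non-admin user can write to (assumed list for this example).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass
class TaskFinding:
    uri: str
    command: str
    reasons: List[str] = field(default_factory=list)


def _text(root: ET.Element, path: str, default: str = "") -> str:
    node = root.find(path, NS)
    return (node.text or "").strip() if node is not None else default


def analyze_task_xml(xml_text: str) -> Optional[TaskFinding]:
    """Return a finding when a task both ignores battery state and runs from a user-writable path."""
    root = ET.fromstring(xml_text)
    uri = _text(root, "t:RegistrationInfo/t:URI")
    command = _text(root, "t:Actions/t:Exec/t:Command")
    reasons = []
    # Both settings default to "true"; an explicit "false" means the author wanted
    # the task to start and keep running regardless of power source.
    if _text(root, "t:Settings/t:DisallowStartIfOnBatteries", "true").lower() == "false":
        reasons.append("starts on battery")
    if _text(root, "t:Settings/t:StopIfGoingOnBatteries", "true").lower() == "false":
        reasons.append("keeps running on battery")
    battery_ignored = len(reasons) == 2
    user_writable = command.lower().startswith(USER_WRITABLE_PREFIXES)
    if user_writable:
        reasons.append("command in user-writable path")
    # Legitimate software (backup agents, updaters) also disables the battery checks,
    # so require the user-writable launch path as well before raising a finding.
    if battery_ignored and user_writable:
        return TaskFinding(uri, command, reasons)
    return None


def scan_tasks(tasks: Dict[str, str]) -> List[TaskFinding]:
    """Run analyze_task_xml over a mapping of task name -> XML text and collect findings."""
    findings = []
    for xml_text in tasks.values():
        finding = analyze_task_xml(xml_text)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample: battery checks disabled, binary dropped in a user profile.
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Updater</URI></RegistrationInfo>
  <Settings>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
  </Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\alice\\AppData\\Roaming\\updater.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed sample: default battery behaviour, system binary.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\Defrag\\ScheduledDefrag</URI></RegistrationInfo>
  <Settings>
    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
  </Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\Windows\\System32\\defrag.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed sample: battery checks disabled but installed under Program Files (not flagged).
BATTERY_ONLY_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\BackupAgent</URI></RegistrationInfo>
  <Settings>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
  </Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\Program Files\\BackupAgent\\agent.exe</Command></Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for f in scan_tasks({"updater": SUSPICIOUS_TASK, "defrag": BENIGN_TASK, "backup": BATTERY_ONLY_TASK}):
        print(f.uri, f.command, ", ".join(f.reasons))
```

On a live host, feed `scan_tasks` the contents of every file under `C:\Windows\System32\Tasks` (decoded as UTF-16) and review the findings alongside task creation events; the user-writable path requirement keeps legitimate always-on tasks from drowning the signal.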

More Details