Symantec
Coverage of Symantec in the Nexus archive.
- New Mistic Backdoor Linked to KongTuke in ClickFix and ModeloRAT Campaigns
A new backdoor named Mistic (MLTBackdoor) has been used in financially motivated attacks targeting organizations in insurance, education, IT, and professional services since April 2026. Symantec and Carbon Black's Threat Hunter Team linked it to an initial access broker named KongTuke and campaigns called ClickFix and ModeloRAT.
- DragonForce Hackers Abuse Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic
Threat actors linked to DragonForce ransomware used Backdoor.Turn, a custom Go-based remote access trojan, to conceal command-and-control traffic via Microsoft Teams relay infrastructure. The malware was deployed against a major U.S. services firm, according to Symantec and Carbon Black.
- Hackers Spied on a Stock Exchange Executive's Outlook Mailbox for Five Months
Hackers accessed a senior executive's Outlook mailbox at a major global stock exchange for five months, using Dropbox and OneDrive to exfiltrate inbox data in small batches. Symantec and Carbon Black's Threat Hunter Team identified the campaign as espionage-related, not financially motivated.
- MuddyWater Uses DLL Side-Loading in Espionage Campaign Targeting 9 Countries
The Iranian hacking group MuddyWater has been linked to a cyber espionage campaign targeting nine organizations across nine countries in Q1 2026. The campaign used DLL side-loading to compromise industrial, electronics manufacturing, education, public-sector, financial services, and professional services sectors, according to the Threat Hunter Team from Symantec and Carbon Black.
- Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and MS Graph API
Webworm, a China-aligned threat actor, has deployed custom backdoors using Discord and Microsoft Graph API for command-and-control communications, targeting government agencies since at least 2022. The group was first publicly documented by Symantec in September 2022. Webworm's activity has been flagged by cybersecurity researchers in 2025.
- Pre-Stuxnet Fast16 Malware Tampered with Nuclear Weapons Simulations
The Lua-based fast16 malware was a cyber sabotage tool designed to tamper with nuclear weapons testing simulations, corrupting uranium-compression simulations central to nuclear weapon design. This pre-Stuxnet tool was engineered by unknown actors. The discovery was made by Symantec and Carbon Black teams.
- Harvester Deploys Linux GoGra Backdoor in South Asia Using Microsoft Graph API
The threat actor Harvester has deployed a Linux version of its GoGra backdoor in South Asia, utilizing the Microsoft Graph API and Outlook mailboxes as a covert command-and-control channel to bypass network defenses. Symantec and Carbon Black Threat Hunter attribute the attacks to this group.