Cybercriminals are leveraging the recent arrest of Venezuelan President Nicol\u00e1s Maduro to distribute sophisticated backdoor malware<\/a>. <\/p>\n The threat actors exploited news surrounding Maduro\u2019s arrest on January 3, 2025, demonstrating how geopolitical events continue to serve as effective lures for malicious campaigns.<\/p>\n The attack likely begins with a spear-phishing email containing a zip archive named \u201cUS now deciding what\u2019s next for Venezuela.zip\u201d. <\/p>\n Inside, victims find an executable file titled \u201cMaduro to be taken to New York.exe\u201d alongside a malicious dynamic-link library called \u201ckugou.dll\u201d. <\/p>\n The executable is a legitimate KuGou binary, but has been weaponized via DLL hijacking to load the malicious library, according to Darktrace security researchers<\/a>.<\/p>\n Once executed, the malware creates a directory at C:ProgramDataTechnology360NB and copies itself, renaming the files. <\/p>\n It establishes persistence by adding a registry key at \u201cHKCUSoftwareMicrosoftWindowsCurrentVersionRunLite360\u201d that runs automatically at system startup. <\/p>\n The malware then displays a dialog box prompting users to restart their computer, which triggers the malicious payload<\/a>.<\/p>\n After the system restarts, the malware initiates regular encrypted <\/a>connections to a command-and-control server at 172.81.60[.]97 on port 443. <\/p>\n These periodic connections enable the malware to receive instructions and configurations from the attackers.<\/p>\n The campaign shares similarities with previous operations by Mustang Panda, a Chinese threat group known for exploiting current events such as the Ukraine war, Tibet-related conventions, and Taiwan-related topics. <\/p>\n However, researchers note that there is insufficient evidence to attribute this activity to any specific group definitively.<\/p>\n This incident highlights the ongoing threat of geopolitical-themed phishing campaigns<\/a>. <\/p>\n Organizations and individuals should exercise extreme caution when opening email attachments, especially those referencing breaking news or world events.<\/p>\n Indicators of Compromise (IoCs)<\/strong><\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Phishing Campaign Uses Maduro Arrest Story to Deliver Backdoor Malware<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"](\"https:\/\/i0.wp.com\/gbhackers.com\/wp-content\/uploads\/2026\/01\/image-39-1024x233.png?resize=1024%2C233&ssl=1\")
Malware Behavior<\/strong><\/h2>\n
![\"](\"https:\/\/i0.wp.com\/gbhackers.com\/wp-content\/uploads\/2026\/01\/image-40-1024x204.png?resize=1024%2C204&ssl=1\")
![\"Message](\"https:\/\/i0.wp.com\/gbhackers.com\/wp-content\/uploads\/2026\/01\/image-41.png?ssl=1\")
\n