The PYSA ransomware gang has been using a remote access Trojan (RAT) dubbed ChaChi to backdoor the systems of healthcare and education organizations. When first observed in the wild, the RAT lacked obfuscation, port-forwarding, and DNS tunneling capabilities. Its creators later added all of these features, as seen in samples detected in subsequent attacks. The gang later used an upgraded version to target various industry verticals, from healthcare to private companies. The ransomware gang is known for exfiltrating a wide range of sensitive data from victims’ servers.
Source: https://www.bleepingcomputer.com/news/security/pysa-ransomware-backdoors-education-orgs-using-chachi-malware/

