![Threat Research | Weekly Recap [25 Jan 2026]](https://www.hendryadrian.com/tweet/image/WeeklyRecap.png "Threat Research | Weekly Recap [25 Jan 2026]")
Cybersecurity Threat Research ‘Weekly’ Recap: the report highlights AI‑generated malware frameworks like VoidLink, AI‑driven KONNI backdoors, real‑time LLM‑assembled phishing, and evolving ransomware such as AnubisRaaS and Osiris, alongside supply‑chain and watering‑hole compromises across multiple industries. It also covers state‑sponsored espionage, credential theft campaigns, and defensive insights for detection, telemetry, and incident response. #VoidLink #KONNI #AnubisRaaS #Osiris #CharmingKitten #APT28 #PurpleBravo #Evelyn
AI & LLM‑Augmented Malware and Adversary Tradecraft
- AI‑authored modular Linux implant: rapid AI‑driven development, eBPF/LKM rootkits and server‑side compiled kernel modules — VoidLink: AI‑generated malware (Check Point)
- AI‑generated PowerShell backdoors & ad redirection: KONNI campaign using Discord lures, weaponized LNKs, UAC bypass and PHP/JS/AES C2 challenge (also abused Google Ads redirects in Operation Poseidon) — KONNI targets developers (Check Point)
- Runtime LLM‑assembled phishing JS: benign pages request LLM code to assemble polymorphic malicious JavaScript in‑browser to render personalized phishing pages — Real‑time malicious JS via LLMs (Unit42)
- Defender readiness vs LLMs: benchmarks fail to capture multi‑hop, collaborative SOC work and practical operational outcomes — LLMs in the SOC — why benchmarks fail (SentinelLabs)
Ransomware & Extortion Trends
- Anubis RaaS: affiliate model offering encryption, destructive wipe mode, data‑only extortion and access resale focused on high‑value targets — Anubis profile (SOCRadar)
- Osiris ransomware: new family with hybrid ECC+AES encryption, VSS deletion, BYOVD signed driver (Poortry/Abyssworker) and Wasabi exfiltration — New Osiris ransomware (Security.com)
- BlackSuit/Royal evolution & emulation: configurable partial‑encryption double‑extortion tactics; AttackIQ released emulation for detection validation — Emulating BlackSuit (AttackIQ)
Developer & Software Supply‑Chain Compromise
- Stanley MaaS (Chrome extension overlays): $6k toolkit selling WebStore publication, iframe overlay phishing and large‑scale credential harvesting — Stanley malware kit (Varonis)
- VSCode extension abuse — Evelyn: weaponized extensions delivering DLL downloader → injector → developer credential/crypto theft — Evelyn stealer (Trend Micro)
- GitHub recruiter/dev persona campaign — PurpleBravo: fraudulent repos and deploys infostealers/RATs (BeaverTail, GolangGhost) targeting devs and crypto firms — PurpleBravo targeting dev supply chain (Recorded Future)
- PyPI impersonation: malicious sympy‑dev package delivering ELF loaders and XMRig cryptominer (>1k downloads day‑one) — sympy‑dev cryptominer (Socket)
Phishing, AiTM & Credential Theft Campaigns
- AiTM phishing abusing trusted SharePoint: multi‑stage credential/session theft, inbox rule abuse and large BEC propagation; remediation requires cookie revocation and MFA/conditional access — AiTM/BEC abusing SharePoint (Microsoft)
- SPID‑themed targeted phishing: multiple campaigns using fake SPID portals (AdE logo + Google Sites) pre‑filling victim data to harvest SPID and banking credentials — SPID phishing (CERT‑AGID)
Weaponized Shortcuts & LNK‑Based Spear‑Phishing
- Operation Covert Access (Argentina): authentic judicial docs delivering Rust‑based CovertRAT via LNK→BAT→GitHub second stage with IPv4/IPv6 C2 fallbacks and anti‑VM checks — CovertRAT LNK campaign (Seqrite)
Browser Extension & WebStore Abuse
- CrashFix / KongTuke: malicious Chrome extension typosquatting uBlock, delays execution, triggers DoS popup and leads to ModeloRAT/GateKeeper payloads — CrashFix malicious extension (Huntress)
Supply‑Chain & Watering‑Hole Compromises
- EmEditor watering‑hole: compromised official MSI ran PowerShell to retrieve multistage malware that disables PowerShell ETW, harvests credentials and geofences victims — EmEditor supply‑chain compromise (Trend Micro)
- Proxyware via cracked installers: Larva‑25012 distributing Infatica/DigitalPulse proxyware through Notepad++‑themed fake installers, persisting via scheduled tasks and DLL side‑loading — Proxyware disguised as Notepad++ (AhnLab)
Infostealers, RATs & Commodity Malware
- MacSync macOS stealer: Terminal one‑liner installs Zsh daemon + AppleScript to harvest browsers, Keychain, wallets; trojanizes Electron wallet apps to steal PINs/phrases — MacSync wallet trojanization (CloudSEK)
- SolyxImmortal: Python Windows stealer exfiltrating via hardcoded Discord webhooks with Run‑key persistence — SolyxImmortal Python stealer (CyFirma)
- Remcos RAT (Korea): fake blocklist tools and counterfeit VeraCrypt installers delivering multi‑stage droppers and .NET injector using Discord webhooks — Remcos distribution in Korea (AhnLab)
State‑Linked Espionage, Leaks & Infrastructure
- Charming Kitten / APT35 leak: procurement spreadsheets, invoices and hosting records revealing operational funding and infrastructure chains — APT35 dump — backstage pass (DomainTools)
- KnownSec contractor leak: internal docs show contractor‑driven espionage stack, tradecraft, IOCs and focus on Taiwanese critical infrastructure — KnownSec leak (DomainTools)
- APT28 profile: GRU‑linked long‑running campaign with new AI‑assisted tooling (LAMEHUG) and credential/token harvesting — APT28 dark‑web profile (SOCRadar)
- SilverFox DNS/SEO poisoning: Chinese APT abused Teams and SEO lures to deliver ValleyRAT; large infrastructure and IoC set identified — SilverFox DNS spotlight (CircleID)
Detection, Telemetry & Defensive Techniques
- JA3 TLS fingerprinting utility: durable tool‑level indicators for clustering malicious tooling and revealing exfil channels when enriched with context — Using JA3 to expose attackers (ANY.RUN)
Embedded, Physical & Operational Security
- Rust in embedded systems: reduces memory‑safety issues but still requires attention to unsafe blocks, tooling gaps and logic/hardware flaws — Rust’s role in embedded security (NetSPI)
- LABScon25 — bugging hotel rooms: portable Home Assistant + Z‑Wave + mm‑wave radar demo for through‑wall presence detection and automated alerts — How to bug hotel rooms v2.0 (SentinelLabs)
Industry Incidents & Security Operations
- Korean/global financial sector incidents: database leak (3M records), ransomware breach (~100GB) and phishing campaigns with IoCs/hashes for investigators — Dec 2025 financial sector issues (AhnLab)
- 2026 cybersecurity budgeting trends: shift to growth‑focused precision investments, emphasis on Adversarial Exposure Validation (AEV) and continuous testing to prove ROI and reduce tool sprawl — Optimize cybersecurity budget 2026 (Picus)