Threat Research | Weekly Recap [01 Feb 2026]

Cybersecurity Threat Research Weekly Recap: a sweeping roundup covering ransomware, Android threats, fileless tools, nation-state campaigns, cloud abuse, browser extension hijacks, supply-chain incidents, AI governance risks, and defensive improvements. It highlights actor-tool pairs and campaigns such as LockBit 5.0, BravoX, Amnesia RAT, Arsink RAT, PlayCloak, PureRAT, PyRAT, GOGITTER, GITSHELLPAD, SheetCreep, VS Code tunnel, DarkSpectre, PayTool, SquarePhish2 and Graphish, among others.
#LockBit5_0 #BravoX #AmnesiaRAT #ArsinkRAT #PlayCloak #PureRAT #PyRAT #GOGITTER #GITSHELLPAD #SheetCreep #VSCodeTunnel #DarkSpectre #PayTool #SquarePhish2 #Graphish

Ransomware & extortion

  • Cross‑platform, stealthy ransomware using ChaCha20, in‑memory execution and anti‑analysis targeting Windows, Linux and ESXi. LockBit 5.0 report
  • New RaaS operation surfaced with Tor leak site and initial U.S. victims; affiliate model advertised to scale attacks. BravoX profile
  • Multi‑stage Windows campaign: staged loaders → Defender tampering → Amnesia RAT data theft → WinLocker/Hakuna Matata ransomware; uses GitHub/Dropbox and Telegram for modular hosting/C2. Multi‑stage Windows campaign

Mobile Android threats & malicious apps

  • Cloud‑native Android RAT abusing Firebase, Google Apps Script/Drive and Telegram for C2 and exfiltration across 1,216 APKs. Arsink RAT analysis
  • Android dropper using Hugging Face hosting to stage polymorphic RATs; abuses Accessibility and overlay permissions. TrustBastion / Hugging Face campaign
  • Play Store app that morphs into a coercive loan platform on Indian devices: runtime obfuscation, contact harvesting, remote WebView control. PlayCloak / Hicas report
  • Vietnamese-linked phishing using AI‑assisted code to build and distribute PureRAT and HVNC via archives, cloud hosts and DLL sideloading. PureRAT AI‑assisted campaign
  • Cross‑platform Python RAT packaged as ELF with HTTP C2, file transfer, screenshots, and persistence (XDG autostart / Run key). PyRAT internals

Fileless tools, web shells & post‑exploitation

  • Fileless Linux post‑exploit framework reconstructs an encrypted hackshell in memory for stealthy lateral movement, credential theft and covert rsync exfiltration. ShadowHS analysis
  • Base64‑encoded PHP web shell deployed via a FreePBX flaw (CVE‑2025‑64328) enabling RCE, SSH backdoor creation and cron persistence. EncystPHP web shell
  • Espionage actor upgraded toolkit: CoolClient backdoor, browser stealers, USB worms, PlugX and multiple exfil channels targeting SE Asia/EU. HoneyMyte toolset update

Nation‑state / APT campaigns & toolkits

  • TA584 increased tempo and diversified initial access (ClickFix lure, layered redirects), using new payloads (Tsundere Bot, XWorm) and WebSocket/Ethereum C2 retrieval. TA584 activity
  • JScript LOLBins framework abused by China‑aligned groups to deliver modular backdoors (HOLODONUT, MKDOOR) across multiple execution vectors. PeckBirdy framework
  • Pakistan‑linked campaigns targeting Indian government entities: Golang toolchain (GOGITTER/GITSHELLPAD/GOSHELL) leading to Cobalt Strike. Gopher Strike (Part 1)
  • Follow‑on Indian targeting abusing Google Sheets/Firebase/Microsoft Graph for C2 with the backdoors SHEETCREEP, FIREPOWER and MAILCREEP; indications of generative AI use noted. Sheet Attack (Part 2)
  • DPRK‑aligned campaign delivered a JSE script to deploy a VS Code tunnel for persistent remote access and exfiltration of tunnel tokens. VS Code tunnel campaign
  • Campaign targeting Iranian protests using weaponized XLSM to deploy C# implant SloppyMIO, stego GitHub configs, Google Drive modules, and Telegram C2; possible AI‑assistance. RedKitten campaign
  • Tracking of multi‑campaign cluster (Zoom Stealer, ShadyPanda, GhostPoster) uncovered aged domain reuse, China‑hosted infrastructure and prioritized IoCs tied to DarkSpectre. DarkSpectre DNS analysis

Cloud abuse, phishing & account takeover

  • Threat actors host phishing pages and send obfuscated emails via AWS services (S3, SES, Amplify) to scale credential theft while evading takedown/forensics. AWS abuse for phishing
  • Attackers hijack real email threads (compromised contractor mailbox) to deliver layered redirects and Cloudflare Turnstile to an EvilProxy AiTM Microsoft credential‑theft page. Enterprise thread phishing (EvilProxy)
  • Legitimate, signed emails abused by embedding scam text in fields (meeting names, document titles) to get messages redirected/resent and bypass SPF/DKIM/DMARC and many gateways. Signed‑but‑malicious email abuse
  • Compromised Public Administration accounts used to send Figma links that redirect to fake Microsoft 365 login pages for credential theft. Figma → Microsoft 365 phishing
  • INPS‑themed smishing campaign asks for identity docs, CUD and employment data to build rich profiles for higher‑value fraud. INPS smishing (Italy)
  • Interconnected Canadian fraud/phishing ecosystem (PayTool) impersonates government and major brands via SMS, typosquats and fake payment gateways; kits sold on underground forums. PayTool / Canada fraud
  • OAuth bypass/ATO clusters using SquarePhish2 and Graphish to steal Microsoft 365 access; 46 IoCs collated for hunting. SquarePhish2 / Graphish analysis

Browser extensions, website and marketplace abuse

  • WordPress‑injected JavaScript framework (>3,800 sites) shows fake Cloudflare Turnstile (“ClickFix”) to deliver NetSupport RAT via PowerShell dropper. IClickFix / ClickFix framework
  • Multiple deceptive Chrome extensions (100k+ users) performing clipboard access, cookie exfiltration, C2 communications, search hijacking and ad injection; immediate removal advised. Malicious Chrome extensions report
  • Chrome extension silently replacing Amazon affiliate tags with developer’s tag (10xprofit‑20), violating store policies and performing non‑consensual affiliate hijacking. Amazon Ads Blocker affiliate hijack

Supply‑chain, software vulnerabilities & patch guidance

  • Supply‑chain compromise of eScan update server delivered Reload.exe, modified HOSTS, established persistence (scheduled tasks) and staged additional payloads; vendor containment followed. eScan supply‑chain incident
  • Widespread exploitation of critical WinRAR CVE‑2025‑8088 (ADS + path traversal) to drop startup persistence; urgent patching and hunting recommended. WinRAR CVE‑2025‑8088 exploitation
  • OpenSSL security update: multiple issues including CVE‑2025‑15467 (CMS AuthEnvelopedData stack overflow) and PKCS#12 PBKDF2 overflow—upgrade affected builds and monitor CMS/PKCS#12 parsing. OpenSSL Jan 2026 update
  • SmarterMail account takeover → privilege escalation and RCE (CVE‑2026‑23760); mass automated exploitation observed—update to Build 9511. SmarterMail RCE advisory
  • Serialization injection in langchain‑core (CVE‑2025‑68664 “LangGrinch”) enables secret exfiltration and unintended class instantiation—upgrade to patched versions and apply Defender/XDR hunting. LangGrinch / LangChain guidance
  • Reverse engineering of cracking/cheat tools shows they can carry malware or local‑privilege exploits (example: macOS AutoHackGUI XPC root execution), highlighting the risks of cracked software. Dangers of cracking tools

AI, models, tool‑chains & governance risks

  • Agentic tool chain attacks manipulate tool manifests/schemas and context to cause data leaks or unauthorized actions without code changes; defenses need reasoning‑layer controls (signed manifests, pinning, parameter validation). Agentic tool chain threats
  • Large unmanaged Ollama deployment ecosystem (~175k hosts; ~23k core) exposes tool‑calling and multimodal capabilities, creating governance gaps and a brittle monoculture (Q4_K_M quantized models). Silent Brothers (Ollama) study
  • Check Point synthesis: AI embedded across the attack lifecycle—recon, social engineering, malware dev—and risks from ungoverned AI and Model Context Protocol weaknesses. Cyber Security Report 2026

Detection, defensive tooling & operational improvements

  • IDE‑SHEPHERD extension intercepts dangerous IDE APIs (child_process, http(s)) to block malicious extension/workspace actions and harden developer environments. IDE‑SHEPHERD release
  • Validin adds JA4+ fingerprints to detect anomalous X.509 structures and hunt C2 infra linked to BianLian and QuasarRAT. Validin JA4+ support
  • Elastic Defend event filtering and policy tuning cut endpoint event volume by ~75% and lowered storage costs; worked examples of noisy process/host filtering and event aggregation. Elastic Defend optimization
  • Huntress added an Incident Report Timeline to Managed ITDR to show attacker actions vs remediation steps, improving visibility and MSP communication. Huntress ITDR timeline
  • Outlook add‑ins can be weaponized for zero‑trace email exfiltration—review add‑in security posture and monitor add‑in activity. Outlook add‑in exfiltration

Infrastructure takedowns & marketplace abuse

  • Disruption of the IPIDEA residential proxy network: takedown of C2/marketing domains, Play Protect removals and SDK intelligence sharing to curb millions of enrolled consumer devices. IPIDEA residential proxy disruption

Threat Research | Weekly Recap – hendryadrian.com