Cybersecurity Threat Research ‘Weekly’ Recap: This edition highlights information stealers and browser-extension abuse, including the VVS stealer, the EmEditor supply-chain incident involving a malicious “Google Drive Caching” extension, and the widespread ShadyPanda extension campaign affecting millions of users. It also covers APT activity and targeted intrusions (the HoneyMyte kernel rootkit and ToneShell backdoor), APT36’s LNK/HTA loader campaign against Indian government entities, shared Lazarus and Kimsuky infrastructure, the evolution of the RondoDoX botnet and its React2Shell exploitation wave, and a tooling update from Validin.
#VVSstealer #GoogleDriveCaching #ShadyPanda #ToneShell #HoneyMyte #APT36 #Lazarus #Kimsuky #RondoDoX #React2Shell #Validin #EmEditor #avocadomechanism #potherbreference
Information stealers & browser-extension abuse
- Python-based Discord/browser stealer using Pyarmor obfuscation, PyInstaller packaging, AES encryption, injected JS, Startup persistence and Discord webhook exfiltration. — VVS stealer (Unit42)
- Compromised official MSI installers (Dec 19–22, 2025) delivered an info‑stealer and installed a persistent malicious browser extension “Google Drive Caching” for credential/file/clipboard theft and remote control. — EmEditor supply‑chain (Qi An Xin)
- Long‑running campaign using verified Chrome/Edge extensions to push silent malicious updates, impacting ~4.3M users, with associated domain, IP and email‑linked IoCs. — ShadyPanda extension campaign (CircleID)
APT activity & targeted intrusions
- Kernel‑mode malicious driver (ProjectConfiguration.sys) signed with a leaked cert used to inject and protect a new ToneShell backdoor; C2s include avocadomechanism[.]com and potherbreference[.]com. — HoneyMyte kernel rootkit & ToneShell (Kaspersky)
- Multi‑stage, fileless espionage campaign targeting Indian government entities using weaponized LNK→HTA loaders, in‑memory .NET deserialization, RATs (ReadOnly/WriteOnly), AV‑aware persistence and encrypted C2 to 2.56.10.86. — APT36 LNK campaign (CYFIRMA)
- Mapped DPRK operational infrastructure linking Lazarus, Kimsuky and subgroups via reused open directories, credential‑harvest toolkits, FRP tunneling (port 9999), a new Linux Badcall variant and certificate pivots. — Lazarus/Kimsuky shared infrastructure (Hunt.io)
Botnets, web‑app exploitation & infrastructure abuse
- RondoDoX/Rondo botnet evolved from reconnaissance and web‑app exploitation to large‑scale IoT deployment and a December 2025 Next.js Server Actions RCE wave; observed mass binary downloads (e.g., /nuts/poop) and C2s like 51.81.104.115, 5.255.121.141. — RondoDoX botnet & React2Shell (CloudSEK)
Product & research tooling update
- Completely rewritten documentation hub with unified search, expanded integrations, API coverage and advanced features including YARA‑based workflows; docs live at docs.validin.com. — Validin documentation update (Validin)