Threat Research | Weekly Recap [08 Feb 2026]

Cybersecurity Threat Research ‘Weekly’ Recap: the report surveys supply-chain compromises, ransomware/defense evasion, infostealers, targeted espionage, cloud and identity threats, phishing, vulnerabilities and detection, labs automation and resilience guidance. It highlights notable campaigns and families such as the Notepad++ supply-chain attack, GlassWorm on Open VSX, dYdX npm/PyPI abuse, DYNOWIPER in Polish energy, Black Basta kernel-driver evasion, SonicWall SSLVPN intrusion, APT28 and Shadow Campaigns, Amaranth-Dragon, Transparent Tribe, Stan Ghouls, Prometei, ShinyHunters, NGOSS and ZHGUI breaches, plus attempts at web-infra abuse (Quest KACE, NGINX hijacking, CrashFix/ClickFix) and AI-assisted cloud intrusion via Amazon Bedrock. #NotepadPlusPlus #GlassWorm #OpenVSX #dYdX #DYNOWIPER #BlackBasta #SonicWall #APT28 #ShadowCampaigns #AmaranthDragon #TransparentTribe #StanGhouls #Prometei #ShinyHunters #NGOSS #ZHGUI #QuestKACE #CrashFix #ClickFix #GOAD #NGINX #Baota #AmazonBedrock #DetectionsAsCode

Supply‑chain & repository compromises

  • Attackers abused hosting and developer accounts to deliver signed/updated binaries and extensions that load backdoors and steal credentials; selective update redirects and NSIS/Lua/DLL sideloading observed. Notepad++ supply‑chain analysis
  • Compromised Open VSX developer account published malicious extensions that staged AES loaders and delivered a macOS stealer (cookies, keychain, AWS/SSH tokens). GlassWorm hits Open VSX
  • Coordinated typosquatting releases on npm and PyPI embedded wallet‑stealing exfiltration code, with the PyPI package also carrying a RAT — seed phrases and device fingerprints were targeted. dYdX malicious packages (npm/PyPI)

Ransomware, destructive campaigns & defense evasion

  • DYNOWIPER wiped data at Polish energy sites; detection and canary protections blocked damage; attribution links to multiple nation‑linked clusters. DYNOWIPER destructive campaign (Poland)
  • Black Basta bundled a vulnerable kernel driver to kill security processes and evade detection, followed by side‑loaded loaders and use of the GotoHTTP remote‑access tool. Black Basta: kernel‑driver EDR evasion
  • SonicWall SSLVPN compromise led to aggressive reconnaissance and a signed (revoked) kernel driver dropped as OemHwUpd.sys to terminate EDRs and persist as a kernel service. SonicWall intrusion & EDR‑killer
  • Trend: infostealers increasingly feed Initial Access Brokers and compress timelines to rapid ransomware/extortion chains — focus on credential hygiene and identity defenses. Convergence of infostealers & ransomware

Infostealers, crypto drainers & fraud ecosystems

  • Marco Stealer exfiltrates browser and crypto‑wallet data using runtime decryption, anti‑analysis, named pipes and DLL injection; AES‑encrypted exfil to HTTP C2s. Marco Stealer technical analysis
  • Infostealer campaigns increasingly target macOS and cross‑platform stacks (AppleScript, fake installers, Python stealers) to harvest credentials, keychain and developer secrets. Infostealers without borders (macOS & Python)
  • Affiliate cryptoscam operation uses JS Solana wallet drainers, spoofed landing pages and Telegram automation to harvest and launder ~USD 10.9M from victims. Rublevka Team: Solana drainers

APTs & targeted espionage

  • Large state‑aligned campaign (TGR‑STA‑1030 / “Shadow Campaigns”) used phishing, custom loaders and a novel eBPF rootkit to compromise government and infrastructure across 37 countries. Shadow Campaigns: global espionage
  • Amaranth‑Dragon weaponized WinRAR CVE‑2025‑8088 to deliver Amaranth Loader, Havoc C2 and a Telegram RAT in targeted SE Asia espionage ops. Amaranth‑Dragon (CVE‑2025‑8088)
  • APT28 actively exploited CVE‑2026‑21509 (Kill‑Bit bypass) via weaponized RTF docs to deploy MiniDoor and PixyNetLoader with COM hijack and steganographic staging. APT28 / CVE‑2026‑21509 (Operation Neusploit)
  • Transparent Tribe (APT36) shifted toward India’s startup ecosystem, delivering Crimson RAT via ISO/LNK lures; reuse of established APT tooling observed. Transparent Tribe targets startups
  • Stan Ghouls (Bloody Wolf) targeted Uzbekistan and nearby regions with spear‑phishing PDFs and a Java loader that installs NetSupport components; Mirai binaries were found on adjacent infrastructure. Stan Ghouls: NetSupport campaign
  • Prometei botnet infection on a Windows Server dissected: deployment, unpacking, persistence, C2, YARA and remediation guidance included for containment. Prometei botnet on Windows Server

Cloud, SaaS & identity threats (incl. AI‑assisted operations)

  • Attackers used exposed S3 creds and injected code into Lambda to create admin keys, move across 19 principals, abuse Amazon Bedrock and provision GPUs — evidence of LLM‑assisted playbooks. AI‑assisted cloud intrusion (Sysdig)
  • Expansion of ShinyHunters‑branded SaaS extortion: vishing, SSO credential harvesting and MFA enrollment abuse to exfiltrate cloud data; immediate containment and phishing‑resistant MFA recommended. ShinyHunters SaaS data‑theft & defenses
  • Leaked fourth‑party engineer credentials exposed a central NGOSS portal for >200 airports — vendor revoked access and forced emergency MFA to avert operational outages. Hidden backdoor to 200 airports (NGOSS)

Phishing, scams & social engineering

  • Widespread WhatsApp account takeovers push urgent money requests; users urged to verify via other channels, close active sessions, enable two‑step verification and report incidents. WhatsApp money‑request scam
  • PHALT#BLYX phishing used fake CAPTCHAs and BSOD decoys to deliver DCRat; expanded IoCs and thousands of potential victim IPs/domains uncovered. PHALT#BLYX / DCRat campaign
  • Phishing kits increasingly use legitimate cloud/CDN platforms (Cloudflare, Azure, Firebase, AWS) and reverse‑proxy AiTM tooling (Tycoon2FA, EvilProxy) to bypass enterprise detections. Enterprise phishing abusing trusted platforms
  • ZHGUI mirror‑exchange crypto scam targeted Mandarin speakers via WhatsApp communities, fake dashboards and a structured on‑chain laundering pipeline. Cross‑border crypto investment scam (ZHGUI)

Vulnerabilities, exploitation techniques & web infra abuse

  • Quest KACE Desktop Authority exposed a SYSTEM‑owned named pipe that allowed authenticated users to invoke privileged actions (RCE, credential retrieval); vendor patches or segmentation recommended. Quest KACE named‑pipe RCE
  • Active campaign injects malicious NGINX config to intercept and proxy traffic (Baota panel abused); automation covers discovery, injection, persistence and exfiltration. NGINX config injection & traffic hijacking
  • ClickFix evolved into “CrashFix”: malicious Chrome extension impersonates uBlock, forces browser crashes and tricks users into executing commands that deploy obfuscated PowerShell/Python RATs. CrashFix / ClickFix variant (browser extension)

Detection, labs & SOC automation

  • Automated, scalable cyber‑range built with Ludus runs live malware (GOAD, XZbot) in isolated VMs instrumented with Elastic Agent to validate detections and support AI‑assisted hunting. Automating GOAD & live malware labs
  • Detections as Code: Elastic extended rule repositories, CI/CD, testing and schema tools so teams can author, version and deploy detection rules as code. Elastic: Detections as Code
  • Elastic introduced Agent Builder + Workflows to combine probabilistic agents and deterministic automation for alert enrichment, triage and safe containment — moving toward an autonomous SOC. From alert fatigue to agentic response

Trends & telemetry

  • MS‑ISAC Q4 2025 telemetry: overall malware notifications +7% QoQ; SocGholish ~30% of detections; CoinMiner and Agent Tesla also prevalent with diverse vectors (malvertising, WMI, malspam). Top 10 malware — Q4 2025

Operational security & digital resilience

  • Practical, incremental guidance to reduce dependence on non‑EU hosted messaging and cloud services: inventory, triage by importance, adopt realistic alternatives (Signal/Matrix/Nextcloud) and favor gradual replacement. Go European — alternatives & migration steps

Threat Research | Weekly Recap – hendryadrian.com