Threat Research | Weekly Recap [18 Jan 2026]

Cybersecurity Threat Research ‘Weekly’ Recap. The report highlights a surge in encryptionless extortion and the rise of new RaaS groups such as Qilin, Akira, and LockBit 5.0, tracks the December 2025 ransomware activity, surveys infostealers, phishing campaigns, RATs and loaders, and web skimming, notes notable vulnerabilities like MongoBleed (CVE-2025-14847), CVE-2020-8554 and CVE-2017-11882, and points to defense tools such as Landlock telemetry and AuraInspector along with AI/LLM attack surface insights and Validin’s research. #Qilin #Akira #LockBit5_0 #Sicarii #CrazyHunter #Medusa #Remcos #AsyncRAT #CastleLoader #VoidLink #KONGTUKE #LOTUSLITE #AshTag #AshenLepus #RustDesk #Winos4_0 #RedVDS #Magecart #SilentPush #MongoBleed #CVE2025_14847 #CVE2020_8554 #CVE2017_11882 #SolyxImmortal #ACRStealer #LummaC2 #Stealc #MonetaStealer #MEXCApiAutomator #MustangPanda

Ransomware & Extortion Trends

Record surge in encryptionless extortion and growth of new RaaS groups (Qilin, Akira, LockBit 5.0); advice to prioritize detection of reconnaissance and data‑theft precursors — Ransomware: Tactical Evolution
December 2025 snapshot of ransomware activity, group trends, and victim statistics — December 2025 Ransomware Report
New/low‑maturity RaaS “Sicarii”: functional ransomware with performative branding and geo‑fencing; indicators suggest immature or false‑flag operation — Sicarii: Truth vs Myth
CrazyHunter: Go‑based ransomware targeting Taiwanese healthcare with GPO abuse, driver BYOVD, memory loaders and AV‑killing—includes IOCs and mitigation guidance — CrazyHunter analysis
Medusa (aka Madusa/Storm-1175): rapid RaaS expansion exploiting unpatched RMM and public apps for access, exfiltration, and encryption — Medusa RMM exploitation

Infostealers, Clipboard Hijackers & Malicious Extensions

Python Windows infostealer that persists via Run key, harvests browser creds/docs/keystrokes and exfiltrates via hardcoded Discord webhooks — SolyxImmortal analysis
December 2025 infostealer landscape: heavy distribution of ACRStealer, LummaC2, Stealc via cracks/SEO‑poisoning, EXE droppers, DLL sideloading and clipboard crypto theft (BIP39 targeting) — Infostealer Trend Report (Dec 2025)
Mac‑targeting MonetaStealer masquerading as a Windows EXE (PyInstaller bundle) steals Chrome data, Keychain, Wi‑Fi creds and reports via Telegram — MonetaStealer (macOS) analysis
Five malicious Chrome extensions posing as productivity tools exfiltrate session tokens and enable full account takeover across HR/ERP platforms (2,300+ users) — Malicious Chrome extensions: session hijack
Malicious Chrome extension that creates MEXC API keys with withdrawal rights and exfiltrates keys to Telegram, enabling fund theft — MEXC API Automator
Discord/Telegram distribution of a PyInstaller clipboard hijacker that replaces crypto addresses (targets streamers/gambling communities) and persists via HKCU Run — Clipboard hijacker (RedLineCyber)

Phishing, AiTM & Credential Theft Campaigns

Mamba 2FA: scalable adversary‑in‑the‑middle phishing kit automating Microsoft auth flows to capture creds, bypass MFA and relay sessions; recommends FIDO2/WebAuthn and continuous monitoring — Mamba AiTM kit
Remcos delivered via fake shipping Word doc exploiting CVE‑2017‑11882 to execute in‑memory Remcos RAT (process hollowing, scheduled task persistence) — Remcos shipping‑doc campaign
Localized invoice phishing targeting German manufacturers uses CVE‑2024‑43451 and WebDAV shortcuts to deliver AsyncRAT/XWorm; proactive sandbox hunting recommended — AsyncRAT phishing (German manufacturing)
Multi‑stage AsyncRAT campaign abusing TryCloudflare tunnels and trusted Python environments to host WebDAV delivery, embedding Python runtime and APC‑injecting shellcode into explorer.exe — AsyncRAT multi‑stage analysis
Phishing that distributes legitimate RMM installers disguised as video downloads (Syncro, ScreenConnect, NinjaOne, SuperOps) to gain unauthorized access — RMM installers via phishing

RATs, Loaders, Backdoors & Malware Frameworks

VoidLink: modular, cloud‑native Linux C2 written in Zig with web C2, 30+ plugins (cred theft, container escape), multiple rootkit techniques and multi‑protocol C2 for stealth in cloud/container environments — VoidLink framework
CastleLoader: multi‑stage loader (Inno → AutoIt → process hollowing → in‑memory PE) delivering stealers/RATs against government targets; includes parser, YARA and IOCs — CastleLoader deep dive
KONGTUKE ClickFix loader: malicious Python/Figma package distribution via injected scripts and clipboard curl commands; persistence via scheduled tasks and HTTP/S C2 — KONGTUKE ClickFix campaign
LOTUSLITE: DLL‑sideloaded backdoor in politically themed lure targeting US government/policy entities; Run‑key persistence and Mustang Panda overlaps — LOTUSLITE targeted espionage
Konni LNK decoy: shortcut executing hidden PowerShell to reconstruct hex‑encoded payloads, drop files and run an EXE (behavioral overlap with RoKRAT) — Konni PowerShell LNK
Ashen Lepus “AshTag”: targeted espionage with custom payload encryption, in‑memory execution and obfuscated subdomain infrastructure — AshTag campaign analysis
Trojanized RustDesk installer (rustdesk[.]work) bundles real client plus Winos4.0 backdoor (memory‑resident keystroke/screenshot capture, C2) — RustDesk trojan / Winos4.0
RedVDS: criminal VDS marketplace selling cloned Windows RDP hosts used for mass phishing, BEC and financial fraud; disruption and IOCs published after takedown — Inside RedVDS marketplace

Web Skimming & E‑commerce Fraud

Long‑running Magecart network injecting obfuscated JS into e‑commerce sites to skim payment data across major card brands; key domains and injected filenames identified — New Magecart network (Silent Push)

Vulnerabilities, Patches & Cloud Risks

MongoBleed (CVE‑2025‑14847): critical unauthenticated memory leak in MongoDB allowing disclosure of credentials/API keys; active exploitation and ~146k exposed instances — MongoBleed (CVE‑2025‑14847)
Node.js AsyncLocalStorage crash bug patched (Node 20.20.0, 22.22.0, 24.13.0, 25.3.0) after stack‑overflow termination risk in production apps and observability tools — Node.js AsyncLocalStorage patch
Unpatchable Kubernetes traffic‑hijack via ExternalIP services (CVE‑2020‑8554): proof‑of‑concept redirects and mitigations (DenyServiceExternalIPs, Kyverno, Cilium kube‑proxy replacement) — CVE‑2020‑8554 analysis
Public exploitation of legacy RTF/CVE‑2017‑11882 continues to enable fileless RATs (e.g., Remcos) — RTF/CVE‑2017‑11882 exploitation

Detection Engineering & Defensive Tools

Landlock LSM telemetry offers low‑false‑positive filesystem/network denial logs useful for detection engineering and Sigma rule creation — Landlock telemetry for detection
AuraInspector: open‑source tool to audit Salesforce Aura/Experience Cloud for data‑exposure and access‑control misconfigurations — AuraInspector (Salesforce audit)
Guide on intelligence‑driven ransomware detection combining EDR/XDR, network detection and TI (Recorded Future recommended) to catch precursor behaviors — Best ransomware detection tools

AI, LLMs & Attack Automation

Technical attack surfaces in LLMs (tokenization, embeddings, attention) enable prompt injection, embedding/gradient attacks and attention hijacking; mitigations include smoothing and suffix filtering — Inside the LLM: attack mechanics
Widespread LLM use accelerates script authoring (PowerShell, commodity tooling) but tradecraft remains familiar; basic telemetry/MFA/segmentation stop many AI‑sped attacks — Reflecting on AI in 2025
“Reprompt”: one‑click Microsoft Copilot Personal exploit abusing deep links to inject prompts and exfiltrate conversation data; patched by Microsoft for personal Copilot — Reprompt Copilot attack

Supply & Research Intelligence

Validin’s 2025 recap highlights platform research, community growth and exposure of campaigns such as FreeDrain and phishing tied to Scattered Spider — Validin 2025 recap

Threat Research | Weekly Recap – hendryadrian.com