Welcome to your biweekly digest of curated cybersecurity intelligence.

Every two weeks, we bring you expert insights and handpicked articles covering the latest threats, threat actor activity, vulnerabilities, incident trends, and defensive strategies. Whether you’re on the front lines or shaping your organization’s security posture, Security Signals delivers the information you need to stay informed and ready.

For more articles, check out our #onpatrol4malware blog.

January 2026 Edition

Key stats from real-world telemetry and live attack observations over the past month – a concise look at what we’re seeing across malware, phishing, ransomware, C2s, and domain abuse.

This Edition’s Articles

Early February 2026 cyber threat reports capture the momentum behind real-world attacks: APT28 exploiting CVE-2026-21509, DynoWiper destructive activity, and ransomware tradecraft tied to LockBit and Black Basta, alongside infostealer- and phishing-driven abuse of platforms such as Google Cloud and WordPress, and stealer and RAT activity on macOS and Android.

New Year, New Sector: Transparent Tribe Targets India’s Startup Ecosystem

Source: Acronis Threat Research Unit
(Published: 27 January 2026)
Transparent Tribe, a well-known APT group, has expanded its targeting to India’s rapidly growing startup ecosystem. Read more.


The Pyrat Code: Python-Based RAT and Its Internals

Source: K7 Labs
(Published: 28 January 2026)
Pyrat is a Python-based Remote Access Trojan that has been observed in multiple attack campaigns targeting Windows systems. Read more.


Interlock Ransomware: New Techniques, Same Old Tricks

Source: Fortinet Threat Research
(Published: 27 January 2026)
Interlock ransomware operators continue to refine their tooling while relying on well-established intrusion techniques. Read more.


No Place Like Home Network: Disrupting the World’s Largest Residential Proxy Network

Source: Google Cloud Blog
(Published: 28 January 2026)
This week Google and partners took action to disrupt what we believe is one of the largest residential proxy networks in the world, the IPIDEA proxy network. Read more.


Shadow Campaigns: Uncovering Global Espionage

Source: Palo Alto Networks Unit 42
(Published: 28 January 2026)
Unit 42 researchers have uncovered a set of previously undocumented campaigns conducting cyber espionage across multiple regions. Read more.


PureRAT: Attacker Now Using AI to Build Toolset

Source: SECURITY.COM
(Published: 28 January 2026)
A Vietnamese threat actor is likely using AI to author code powering an ongoing phishing campaign delivering the PureRAT malware and other payloads. Read more.


TAMECAT – Analysis of an Iranian PowerShell-Based Backdoor

Source: Pulsedive Threat Research
(Published: 29 January 2026)
Artifacts from our analysis are available on our GitHub. Read more.


Meet IClickFix: a widespread WordPress-targeting framework using the ClickFix tactic

Source: Sekoia.io
(Published: 29 January 2026)
In November 2025, during our threat hunting routine for unveiling emerging adversary clusters, TDR analysts identified a widespread malware distribution campaign leveraging the ClickFix social engineering tactic through a Traffic Distribution System (TDS). Read more.


Dissecting UAT-8099: New persistence mechanisms and regional focus

Source: Cisco Talos Intelligence Blog
(Published: 29 January 2026)
Cisco Talos has identified a new campaign by UAT-8099, active from late 2025 to early 2026, that is targeting vulnerable Internet Information Services (IIS) servers across Asia with a specific focus on victims in Thailand and Vietnam. Read more.


RedKitten: AI-accelerated campaign targeting Iranian protests

Source: HarfangLab
(Published: 29 January 2026)
RedKitten is a newly identified campaign targeting Iranian interests, likely including non-governmental organizations and individuals involved in documenting recent human rights abuses, first observed in early January 2026. Read more.


Honeymyte Updates: CoolClient Uses Browser Stealers and Scripts

Source: Securelist (Kaspersky)
(Published: 29 January 2026)
We continue to track the Honeymyte activity cluster and recently observed new updates to the CoolClient malware family. Read more.


New ShadowSyndicate Infrastructure Identified

Source: Group-IB
(Published: 29 January 2026)
Group-IB researchers have identified new infrastructure linked to the ShadowSyndicate cybercriminal group. Read more.


Silent Brothers | Ollama Hosts Form Anonymous AI Network Beyond Platform Guardrails

Source: SentinelOne
(Published: 29 January 2026)
A joint research project between SentinelLABS and Censys reveals that open-source AI deployment has created an unmanaged, publicly accessible layer of AI compute infrastructure spanning 175,000 hosts worldwide, operating outside the guardrails and monitoring systems that platform providers implement by default. Read more.


The Rise of Arsink Rat

Source: Zimperium
(Published: 29 January 2026)
Arsink is a cloud-native Android Remote Access Trojan (RAT) that aggressively harvests private data and gives remote operators intrusive control over infected devices. Read more.


PRC Targets NATO Frontline States

Source: Jamestown Foundation
(Published: 30 January 2026)
The People’s Republic of China (PRC) is expanding its presence along the North Atlantic Treaty Organization’s (NATO) frontline through technology access, influence networks, and dual-use infrastructure, creating openings that could weaken alliance cohesion and expose vulnerabilities in Europe’s defense posture. Read more.


Guidance from the Frontlines: Proactive Defense Against ShinyHunters-Branded Data Theft Targeting SaaS

Source: Google Cloud Blog
(Published: 30 January 2026)
Mandiant is tracking a significant expansion and escalation in the operations of threat clusters associated with ShinyHunters-branded extortion. Read more.


Stan Ghouls in Uzbekistan

Source: Securelist (Kaspersky)
(Published: 30 January 2026)
We uncovered a series of attacks in Uzbekistan that appear to be linked to the long-running “Stalkerware” ecosystem. Read more.


DynoWiper update: Technical analysis and attribution

Source: WeLiveSecurity (ESET Research)
(Published: 30 January 2026)
In this blog post, we provide more technical details related to our previous DynoWiper publication. Read more.


Iconics Suite Vulnerability Exploited in the Wild (CVE-2025-0921)

Source: Palo Alto Networks Unit 42
(Published: 31 January 2026)
Unit 42 researchers have observed active exploitation of a vulnerability in the Iconics Suite software platform. Read more.


DynoWiper: Destructive Malware Targeting Hybrid Environments

Source: Elastic Security Labs
(Published: 1 February 2026)
Elastic Security Labs identified DynoWiper, a destructive malware strain designed to disrupt hybrid cloud environments. Read more.


The Autonomous Adversary: From Chatbot to Criminal Enterprise

Source: InfoStealers
(Published: 1 February 2026)
Advances in large language models are beginning to reshape how cybercriminals automate operations and decision-making. Read more.


Android Trojan Campaign Uses Hugging Face to Host RAT Payload

Source: Bitdefender Labs
(Published: 2 February 2026)
Bitdefender researchers have identified an Android malware campaign abusing the Hugging Face platform to host malicious payloads. Read more.


Dark Web Marketplaces: An Overview

Source: DEXpose
(Published: 2 February 2026)
Dark web marketplaces continue to play a central role in the cybercrime ecosystem by facilitating the sale of illicit goods and services. Read more.


Citrix Recon Using Residential Proxies

Source: GreyNoise
(Published: 2 February 2026)
GreyNoise researchers observed widespread reconnaissance activity targeting Citrix environments using residential proxy infrastructure. Read more.


Infostealers Without Borders: macOS Python Stealers and Platform Abuse

Source: Microsoft Security Blog
(Published: 2 February 2026)
Microsoft researchers are tracking a rise in macOS-focused Python-based infostealers abusing legitimate platforms for distribution. Read more.


APT28 Leverages CVE-2026-21509 in Operation Neusploit

Source: Zscaler ThreatLabz
(Published: 2 February 2026)
In January 2026, Zscaler ThreatLabz identified a new campaign in-the-wild, tracked as Operation Neusploit, targeting countries in the Central and Eastern European region. Read more.


APT28: Geofencing as a Targeting Signal (CVE-2026-21509 Campaign)

Source: Synaptic Security Blog
(Published: 3 February 2026)
Since the beginning of this year, we have again observed an increased number of attacks by APT28 targeting various European countries. Read more.


APT28’s Campaign Leveraging CVE-2026-21509 and Cloud C2 Infrastructure

Source: StrikeReady
(Published: 3 February 2026)
APT28 has launched a new campaign exploiting CVE-2026-21509 and leveraging cloud-hosted command-and-control infrastructure. Read more.


Likely Fake Ransomware Operator 0apt Causes Panic: Our Analysis

Source: Intel 471
(Published: 3 February 2026)
Intel 471 analysts assess that the ransomware operator known as 0apt is likely engaging in deception rather than conducting real attacks. Read more.


SnappyBee Malware Analysis

Source: Darktrace
(Published: 3 February 2026)
Darktrace analysts investigated a new malware family dubbed SnappyBee observed in recent intrusions. Read more.


19 Shades of LockBit 5.0: Inside the Latest Cross-Platform Ransomware (Part 1)

Source: LevelBlue SpiderLabs
(Published: 3 February 2026)
Researchers analyzed LockBit 5.0 to understand how the ransomware has evolved into a cross-platform threat. Read more.


Analysis of Suspected Malware Linked to APT-Q-27 Targeting Financial Institutions

Source: CyStack
(Published: 4 February 2026)
In mid-January 2026, CyStack’s security team observed anomalous activity on a corporate customer’s environment. Read more.


Russian Cyber Threat Activity Ahead of the 2026 Winter Olympics

Source: Palo Alto Networks Unit 42
(Published: 4 February 2026)
Russian cyber threat actors are likely to increase activity in the lead-up to the 2026 Winter Olympics, according to Unit 42 analysis. Read more.


When Malware Talks Back

Source: PointWild
(Published: 4 February 2026)
Modern malware increasingly incorporates interactive capabilities that allow operators to adapt campaigns in real time. Read more.


Operation Bizarre Bazaar

Source: Pillar Security
(Published: 4 February 2026)
Operation Bizarre Bazaar documents a coordinated campaign abusing trusted platforms to distribute malicious payloads. Read more.


Inside a Multi-Stage Android Malware Campaign Leveraging RTO-Themed Social Engineering

Source: Seqrite
(Published: 4 February 2026)
In recent years, Android malware campaigns in India have increasingly abused the trust associated with government services and official digital platforms. Read more.


CISA tells agencies to stop using unsupported edge devices

Source: CyberScoop
(Published: 5 February 2026)
A binding operational directive issued Thursday looks to combat an attack pathway that has been behind some of the biggest attacks and most common exploits in recent years. Read more.


Substack Breach: 662,752 User Records Leaked on Cybercrime Forum

Source: Hackread
(Published: 5 February 2026)
Three days before Substack told users about a security incident, a very different version of the story was already circulating in underground cyber crime forums. Read more.


Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework

Source: Cisco Talos Intelligence Blog
(Published: 5 February 2026)
Cisco Talos uncovered “DKnife,” a fully featured gateway-monitoring and adversary-in-the-middle (AitM) framework comprising seven Linux-based implants that perform deep-packet inspection, manipulate traffic, and deliver malware via routers and edge devices. Read more.


Please Don’t Feed the Scattered Lapsus-Shiny Hunters

Source: Krebs on Security
(Published: 5 February 2026)
Researchers are warning that attention-seeking cybercrime groups thrive on publicity and notoriety. Read more.


ClickFix Variant CrashFix Deploying Python RAT Trojan

Source: Microsoft Security Blog
(Published: 5 February 2026)
Microsoft has identified a new ClickFix variant dubbed CrashFix that deploys a Python-based RAT. Read more.


Reynolds: Defense Evasion Capability Embedded in Ransomware Payload

Source: SECURITY.COM
(Published: 5 February 2026)
A recent Reynolds ransomware campaign was notable because the ransomware contained a bring-your-own-vulnerable-driver (BYOVD) defense evasion component embedded within the ransomware payload itself. Read more.


AppleScript Abuse: Unpacking a macOS Phishing Campaign

Source: Darktrace
(Published: 5 February 2026)
Darktrace researchers uncovered a phishing campaign abusing AppleScript to target macOS users. Read more.


China’s Salt Typhoon Hackers Broke Into Norwegian Companies

Source: TechCrunch
(Published: 6 February 2026)
Hackers linked to the Chinese state-sponsored group known as Salt Typhoon have breached multiple Norwegian companies. Read more.


Incognito Market Operator Sentenced to Thirty Years

Source: The Record
(Published: 6 February 2026)
The operator of the darknet drug marketplace Incognito Market has been sentenced to thirty years in prison. Read more.


Git Metadata Leak Exposes Sensitive Information

Source: Mysterium VPN
(Published: 6 February 2026)
Researchers uncovered widespread exposure of sensitive information due to leaked Git metadata in public repositories. Read more.


Nginx Traffic Hijacking in React2Shell Campaign

Source: The Cybersecurity Guru
(Published: 7 February 2026)
Researchers have uncovered a campaign abusing exposed Nginx configurations to hijack web traffic and deploy malicious payloads. Read more.


Malicious Bing Ads Lead to Widespread Azure Tech Support Scams

Source: Netskope
(Published: 7 February 2026)
Netskope researchers uncovered a large-scale campaign abusing Bing ads to deliver Azure-themed tech support scams. Read more.


Aisuru Botnet Sets New Record With 3.14 Tbps DDoS Attack

Source: BleepingComputer
(Published: 8 February 2026)
The Aisuru botnet has set a new distributed denial-of-service record with a massive 3.14 Tbps attack. Read more.


Labyrinth Chollima Evolves Into Three Adversaries

Source: CrowdStrike
(Published: 8 February 2026)
CrowdStrike researchers have observed the threat group Labyrinth Chollima splintering into three distinct adversaries. Read more.


The GRU Illegals

Source: Lab52
(Published: 8 February 2026)
Russian intelligence services have historically relied on so-called “illegals” – deep-cover operatives who live for years in foreign countries under false identities. Read more.


Prince of Persia, Part II

Source: SafeBreach Labs
(Published: 8 February 2026)
SafeBreach researchers continue their analysis of the Prince of Persia campaign, revealing additional tradecraft and tooling. Read more.


LTX Stealer: Analysis of a Node.js-Based Credential Stealer

Source: Cyfirma
(Published: 9 February 2026)
Cyfirma researchers analyzed a new credential-stealing malware written in Node.js dubbed LTX Stealer. Read more.


Re-Emerging Telegram Phishing Campaign Targeting User Authorization Prompts

Source: Cyfirma
(Published: 9 February 2026)
A phishing campaign abusing Telegram authorization prompts has resurfaced with updated infrastructure and lures. Read more.


S’pore’s major telcos came under attack by UNC3886 in 2025

Source: The Straits Times
(Published: 9 February 2026)
SINGAPORE – All four major telcos in Singapore came under attack by state-sponsored cyberespionage group UNC3886, whose activities to disrupt critical services here were first made public in July 2025. Read more.

Want more articles? Check out the previous edition of Security Signals here. 
