Threat Trends Digest – January 2026

Insights

?????????

Welcome to the Threat Trends Digest, a monthly view of real-world threat patterns.

This report compiles data from the previous month using Malware Patrol’s global telemetry and live attack observations to surface key stats on malware, phishing, ransomware, C2s, and domain generation algorithms (DGAs). You’ll find insights into the most exploited TLDs, frequently seen malware hashes and IPs, and other critical indicators. Use this digest to keep a close pulse on attacker behavior, uncover shifting patterns, and better align your defenses with the latest threat activity.

For more articles, check out our #onpatrol4malware blog.

CONTENTS

Infrastructure Trends
Honeypot Activity
IOCs

January Threat Trends
January Threat Trends
January Threat Trends
??

IOCs

Top Malicious IPs

91.238.72.69
120.138.9.38
103.15.20.10
81.91.85.141
176.53.12.17
43.231.112.25
45.114.225.27
46.59.86.3
72.9.148.195
163.44.198.41
192.250.229.213
31.31.198.199
203.175.8.87
194.93.14.42
198.187.31.106
95.173.180.70
212.99.45.180
203.98.83.109
103.16.146.2
198.38.87.214

Top Malware Hashes

59ce0baba11893f90527fc951ac69912
8bdd2cdd39b2ad7b679faa50f629ce2b
3849f30b51a5c49e8d1546960cc206c7
a73ddd6ec22462db955439f665cad4e6
eec5c6c219535fba3a0492ea8118b397
fbe51695e97a45dc61967dc3241a37dc
9b6c3518a91d23ed77504b5416bfb5b3
3a9349af006440c7e0da677724551239
5377e8f2ebdb280216c37a6195da9d6c
724f25e7f93eae0ae54a80142e11b7ef
dbc520ea1518748fec9fcfcf29755c30
221d8352905f2c38b3cb2bd191d630b0
cbcb58ffe45c202c11bcf2070496aed6
b8ed2cb3e9fedec5b164ce84ad5a08d0
6a16e166948ddb9e6e9f9de503e21c60
fd28239ca545da6ae157a6c7ab14dbf0
ebbcfb749a959fb53e9fc8b6dc915838
c3c561c20e48169f4906c6b0b135984b
936b35bfee8232f437bf6b46e88401dd
5f49ac82edd8f3a3d7c47746b6523de9

Top Attacking IPs

80.75.212.112
205.209.119.82
85.192.63.30
80.75.212.116
80.75.212.126
162.220.15.190
162.220.15.170
193.141.60.60
130.12.183.19
134.209.37.214
69.164.255.130
65.109.32.114
20.12.212.103
204.76.203.223
65.108.231.96
38.190.177.184
135.181.128.54
65.21.123.25
142.132.220.146
65.108.120.126

To learn more about how we collect, analyze, and deliver actionable threat intelligence, explore our Threat Intelligence Services. If you’re interested in running your own queries – whether for threat actors, CVEs, infrastructure, or emerging activity – see how our MCP Server helps turn intelligence into practical security insight. Both are designed to support real-world analysis, investigation, and decision-making.

Take advantage of our free threat intel trial.

REQUEST NOW
?

Security Signals (07/29/25 – 08/12/25)

Cybersecurity News

?

Welcome to your biweekly digest of curated cybersecurity intelligence.

Every two weeks, we bring you expert insights and handpicked articles covering the latest threats, threat actor activities, vulnerabilities, incident trends, and defensive strategies. Whether you’re on the front lines or shaping your organization’s security posture, Security Signals delivers the information you need to stay informed and ready.

For more articles, check out our #onpatrol4malware blog.

A

Adversary Intel
Attack Surface Watch
Incident Radar
Threat Lab

?

Turn Insights Into Action with Free Threat Intel

Security Signals gives you the insights and our Risk Indicators feeds help you apply them. Get free access to machine readable OSINT that helps you monitor emerging risks, validate indicators, and proactively defend your environment.

SUBSCRIBE FOR FREE
?

This Edition’s Articles

Adversary Intel: From APTs to Ransomware Groups

ShinyHunters Tactics Now Mirror Scattered Spider
Source: DARK READING
Recent cyber incidents reveal patterns in timing, shared infrastructure, and similar targets. This suggests a coordinated approach, combining ShinyHunters’ data theft with Scattered Spider’s social engineering. Read more.

Unmasking SocGholish: Silent Push Untangles the Malware Web Behind the “Pioneer of Fake Updates” and Its Operator, TA569
Source: SILENT PUSH
SocGholish, managed by TA569, acts as a Malware-as-a-Service provider, selling access to compromised systems. Their main method is fake browser update pop-ups, delivered via JavaScript on hacked sites. Read more.

Attack Surface Watch: Exploring Digital Risks

New Win-DDoS Flaws Let Attackers Turn Public Domain Controllers into DDoS Botnet via RPC, LDAP
Source: The Hacker News
SafeBreach researchers have found a new attack method, Win-DDoS, that could use thousands of public domain controllers to build a botnet for DDoS attacks. Read more.

Over 29,000 Exchange servers unpatched against high-severity flaw
Source: BLEEPING COMPUTER
More than 29,000 Exchange servers are still unpatched for CVE-2025-53786, a flaw that lets attackers move through Microsoft cloud and take over domains. Read more.

WinRAR zero-day exploited to plant malware on archive extraction
Source: BLEEPING COMPUTER
A recently fixed WinRAR vulnerability (CVE-2025-8088) was used in #phishing attacks to install RomCom malware. The bug allowed files to be extracted to any folder chosen by attackers. Read more.

Incident Radar: Breaches & Attacks

‘Chairmen’ of $100 million scam operation extradited to US
Source: BLEEPING COMPUTER
The U.S. Department of Justice charged four Ghanaian nationals for their roles in a $100M fraud ring involving romance scams and business email compromise. The suspects, extradited from Ghana, allegedly targeted U.S. companies and individuals from 2016 to 2023. Read more.

Threat Lab: Malware & Attack Analysis Deep Dive

CastleLoader
Source: PolySwarm
CastleLoader is a malware loader that has infected 469 devices since May 2025. It uses Cloudflare-themed ClickFix phishing and fake GitHub links to deliver info stealers and RATs. Read more.

Wave of 150 crypto-draining extensions hits Firefox add-on store
Source: BLEEPING COMPUTER
A campaign named ‘GreedyBear’ has targeted Firefox users with 150 fake extensions on the Mozilla add-ons store. These copy well-known crypto wallets like MetaMask and TronLink, stealing over $1,000,000. Read more.

SCENE 1: SoupDealer – Technical Analysis of a Stealth Java Loader Used in Phishing Campaigns Targeting Türkiye
Source: Malwation
A recent malware bypassed almost every public sandbox and antivirus, except Threat.Zone, and even evaded EDR/XDR in real-world incidents. Many banks, ISPs, and organizations were impacted. Read more.

Makop Ransomware Identified in Attacks in South Korea
Source: ASEC
ASEC has identified Makop ransomware attacks targeting South Korean users. The ransomware is spread through fake resumes, copyright emails, and now uses RDP for attacks. Read more.

Want more articles? Check out the previous edition of Security Signals here.

?

InfoSec Articles (07/01/25 – 07/15/25)

Cybersecurity News

???????

Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

Behind the Clouds: Attackers Targeting Governments in Southeast Asia Implement Novel Covert C2 Communication

Source: Unit 42

Researchers discovered HazyBeacon, a sophisticated backdoor targeting government agencies in Southeast Asia. Read more.

Octalyn Stealer Unmasked

Source: CYFIRMA

Octalyn Forensic Toolkit on GitHub appears as research tool but functions as credential stealer. Built with C++ and Delphi, uses Telegram for control and hides in Windows startup. Read more.

Google Gemini flaw hijacks email summaries for phishing

Source: BLEEPING COMPUTER

Google Gemini for Workspace has a newly discovered vulnerability. Attackers can embed hidden instructions in emails that manipulate Gemini’s summary generation, potentially directing users to phishing sites. Read more.

Dark Web Profile: Arkana Ransomware

Source: SOCRadar

Arkana Ransomware made headlines attacking WOW! internet provider in March 2025. Linked to Qilin Ransomware network, they disguise extortion as “post-penetration testing services.” Read more.

Likely Belarus-Nexus Threat Actor Delivers Downloader to Poland

Source: BLEEPING COMPUTER

The FrostyNeighbor threat group (UNC1151), attributed to Belarus, is actively targeting Eastern European nations with malicious CHM files. Read more.

295 Malicious IPs Launch Coordinated Brute-Force Attacks on Apache Tomcat Manager

Source: The Hacker News

Researchers discovered 295 malicious IP addresses launching coordinated brute-force attacks against Apache Tomcat Manager interfaces worldwide. Read more.

Hackers are exploiting critical RCE flaw in Wing FTP Server

Source: BLEEPING COMPUTER

Wing FTP Server vulnerability is being actively exploited by threat actors. This flaw allows remote code execution with full system privileges without authentication. Read more.

macOS.ZuRu Resurfaces | Modified Khepri C2 Hides Inside Doctored Termius App

Source: SentinelOne

macOS.ZuRu malware hides in fake versions of popular apps like iTerm2 and Remote Desktop. Hackers trick users through poisoned search results. Read more.

GreyNoise Identifies New Scraper Botnet Concentrated in Taiwan

Source: GreyNoise

A scraper botnet variant has been identified with the user-agent “Hello-World/1.0”. Researchers are tracking it through unique behavioral patterns. Read more.

Count(er) Strike – Data Inference Vulnerability in ServiceNow

Source: Varonis

Researchers discovered a critical ServiceNow vulnerability dubbed “Count(er) Strike” that could expose sensitive data across hundreds of tables. It required only basic user access to exploit. Read more.

?

Security Signals (07/15/25 – 07/29/25)

Cybersecurity News

????????

Welcome to your biweekly digest of curated cybersecurity intelligence.

Every two weeks, we bring you expert insights and handpicked articles covering the latest threats, threat actor activity, vulnerabilities, incident trends, and defensive strategies. Whether you’re on the front lines or shaping your organization’s security posture, Security Signals delivers the information you need to stay informed and ready.

For more articles, check out our #onpatrol4malware blog.

A

Adversary Intel
Attack Surface Watch
Incident Radar
Threat Lab

?

Turn Insights Into Action with Free Threat Intel

Security Signals gives you the insights and our Risk Indicators feeds help you apply them. Get free access to machine readable OSINT that helps you monitor emerging risks, validate indicators, and proactively defend your environment.

SUBSCRIBE FOR FREE

This Edition’s Articles

Adversary Intel: From APTs to Ransomware Groups

China-linked group Fire Ant exploits VMware and F5 flaws since early 2025
Source: Security Affairs
Fire Ant, a China-linked cyber group, is exploiting VMware and F5 vulnerabilities to access secure, segmented networks, according to Sygnia. They have targeted VMware ESXi and vCenter, using layered attacks to reach restricted systems. Read more.

Scattered Spider is running a VMware ESXi hacking spree
Source: BLEEPING COMPUTER
Scattered Spider hackers are targeting VMware ESXi hypervisors at U.S. companies in retail, airline, transportation, and insurance. They use social engineering, not software flaws, to bypass security. Read more.

Unmasking the new Chaos RaaS group attacks
Source: Cisco Talos
Cisco Talos IR recently observed Chaos, a new ransomware-as-a-service group, targeting businesses with spam, social engineering, and remote tools. Their attacks use fast, selective encryption and anti-analysis methods, making detection and recovery difficult. Read more.

Attack Surface Watch: Exploring Digital Risks

ToolShell: An all-you-can-eat buffet for threat actors
Source: We Live Security
Microsoft has confirmed that ToolShell, a set of zero-day vulnerabilities (CVE-2025-53770 & CVE-2025-53771), is being used to attack on-premises SharePoint servers. These attacks can let hackers access restricted systems and steal data. Read more.

Organizations Warned of Exploited PaperCut Flaw
Source: Security Week
CISA has warned about a security vulnerability (CVE-2023-2533) in PaperCut NG and MF print management products. This issue lets attackers change security settings or run code remotely. Read more.

Incident Radar: Breaches & Attacks

Microsoft probing whether cyber alert tipped off Chinese hackers
Source: The Straits Times
Microsoft is looking into whether a leak from its early alert system allowed hackers to exploit SharePoint flaws before they were fixed. The system is meant to help cyber-security experts fix issues early, but it may have led to global problems. Read more.

US Targets North Korea’s Illicit Funds: $15M Rewards Offered as American Woman Jailed in IT Worker Scam
Source: Security Week
An Arizona woman was sentenced for helping North Korean IT workers get jobs at over 300 US companies using stolen identities. She ran a laptop farm at home, helping generate $17M in illegal revenue. Read more.

Amazon AI coding agent hacked to inject data wiping commands
Source: BLEEPING COMPUTER
A hacker planted data-wiping code in the Amazon Q Developer Extension for Visual Studio Code. This free AI-powered tool, with nearly 1M installs, helps developers code and debug. Read more.

Threat Lab: Malware & Attack Analysis Deep Dive

RAVEN STEALER UNMASKED: Telegram-Based Data Exfiltration.
Source: Cyfirma
Raven Stealer is a lightweight malware that targets browsers like Chrome and Edge, stealing passwords, cookies, and payment info. It uses Telegram bots for data theft and is easy for attackers to use. Read more.

Oyster Backdoor: The Malvertising Menace Masquerading as Popular Tools
Source: CyberProof
CyberProof Threat Researchers found an OysterBackdoor infection in July 2025. Attackers used a fake Putty installer, but the backdoor was blocked before any harm. This blog shares technical details about the files seen in this attack. Read more.

InfoSec Articles (06/17/25 – 07/01/25)

Cybersecurity News

???

Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

Crypto Operation Using Fake Investment Platforms Dismantled in Spain

Source: Bitdefender

Spain’s Guardia Civil, in collaboration with Europol and other global law enforcement agencies, has arrested five individuals suspected of laundering hundreds of millions of euros through cryptocurrency scams that have affected over 5,000 victims worldwide. Read more.

New FileFix attack runs JScript while bypassing Windows MoTW alerts

Source: BLEEPING COMPUTER

A new FileFix attack, created by security researcher mr.d0x, exploits browser handling of saved HTML files to bypass Windows’ MoTW protection, tricking victims into executing a disguised PowerShell command via a phishing page. Read more.

Chrome Zero-Day CVE-2025-6554 Under Active Attack — Google Issues Security Update

Source: The Hacker News

Google has issued security updates to address a zero-day vulnerability, CVE-2025-6554, currently being exploited in the wild, characterized as a type confusion flaw in the V8 JavaScript and WebAssembly engine. Read more.

Godfather Evolves With Advanced On-Device Virtualization Capabilities

Source: PolySwarm

Godfather malware exploits Android’s Accessibility Service to capture detailed tap events and screen information, targeting around 484 applications with commands sent through a Base64-encoded C2 server. Read more.

Bluetooth flaws could let hackers spy through your microphone

Source: BLEEPING COMPUTER

Recent vulnerabilities in a Bluetooth chipset affect 29 audio devices from brands like Beyerdynamic, Bose, and Sony, potentially allowing for eavesdropping or data theft. Read more.

Taking the shine off BreachForums

Source: SOPHOS

French authorities have reported the arrest of four members of the ShinyHunters (also known as ShinyCorp) cybercriminal group across various regions in France for their involvement in cybercrime activities and the underground forum BreachForums. Read more.

GIFTEDCROOK Malware Evolves: From Browser Stealer to Intelligence-Gathering Tool

Source: The Hacker News

The threat actor behind the GIFTEDCROOK malware has upgraded it from a simple browser data stealer to a sophisticated intelligence-gathering tool. Read more.

Evidence Suggests Exploitation of CitrixBleed 2 Vulnerability

Source: SECURITY WEEK

The Citrix NetScaler vulnerability, known as CitrixBleed 2 and CVE-2025–5777, might be exploited in real-world scenarios, as indicated by cybersecurity firm ReliaQuest. Read more.

Microsoft 365 Direct Send Abused for Phishing

Source: SECURITY WEEK

Varonis has identified a phishing campaign exploiting Microsoft 365 Direct Send, which allows attackers to send spoofed emails that seem to originate from within the victim’s organization. Read more.

CyberAv3ngers: From Infrastructure Hacks to Propaganda Machines in the Iran-Israel Cyber War

Source: Domain Tools

A prominent group, CyberAv3ngers, has been involved in hijacking water systems, altering PLCs, and mocking Israeli cybersecurity initiatives on platforms like Telegram and Twitter. Read more.

?