Security Signals (3/24/26-4/7/26)

Welcome to your biweekly digest of curated cybersecurity intelligence.

Every two weeks, we bring you expert insights and handpicked articles covering the latest threats, threat actor activity, vulnerabilities, incident trends, and defensive strategies. Whether you’re on the front lines or shaping your organization’s security posture, Security Signals delivers the information you need to stay informed and ready.

For more articles, check out our #onpatrol4malware blog.

March 2026 Edition

Key stats from real-world telemetry and live attack observations over the past month – a concise look at what we’re seeing across malware, phishing, ransomware, C2s, and domain abuse.

This Edition’s Articles

Early April 2026 Cyber Threat Reports spotlights a fast-changing threat landscape shaped by Medusa ransomware activity, Axios and PyPI supply chain compromises, EvilTokens-driven BEC fraud, and malware campaigns abusing Claude Code, SaaS notifications, and Kubernetes exposure. This roundup reflects how quickly attackers are scaling social engineering, open-source compromise, credential theft, and cloud-focused intrusion techniques across real-world environments.

AppsFlyer Supply Chain Attack Analysis

Source: Reflectiz
(Published: 26 March 2026)
Researchers uncovered a supply chain attack targeting AppsFlyer, where malicious code was injected into third-party integrations to compromise downstream users. Read more.


Axios NPM Package Compromised: Supply Chain Attack Hits JavaScript HTTP Client

Source: Trend Micro
(Published: 28 March 2026)
A compromised Axios npm package introduced malicious code into a widely used JavaScript HTTP client, impacting downstream applications and developers. Read more.


The Axios Breach: When NPM Trust Becomes an APT Attack Vector

Source: PolySwarm
(Published: 31 March 2026)
The Axios compromise demonstrates how trusted open-source packages can be weaponized as advanced persistent threat vectors within software supply chains. Read more.


EvilTokens: An AI-Augmented Phishing-as-a-Service for Automating BEC Fraud (Part 2)

Source: Sekoia
(Published: 01 April 2026)
EvilTokens is an AI-augmented phishing-as-a-service platform designed to automate business email compromise attacks and streamline credential harvesting operations. Read more.


BYOVD Ransomware Attacks Now Capable of Defeating Every Major EDR Product

Source: CyberSec Sentinel
(Published: 01 April 2026)
Threat actors are increasingly leveraging bring-your-own-vulnerable-driver techniques to bypass endpoint detection and response solutions across major security platforms. Read more.


Supply Chain Attacks Surge in March 2026

Source: Zscaler
(Published: 01 April 2026)
Researchers observed a significant increase in supply chain attacks throughout March 2026, targeting open-source ecosystems and developer pipelines. Read more.


ClickFix Detection With YARA Rules

Source: ReversingLabs
(Published: 01 April 2026)
ReversingLabs developed YARA-based detection techniques to identify ClickFix-related malware activity across compromised systems. Read more.


NightSpire Ransomware Analysis

Source: Huntress
(Published: 02 April 2026)
NightSpire ransomware has emerged as a new threat, using multi-stage execution and stealthy techniques to evade detection and encrypt victim systems. Read more.


CrystalX RAT With Prankware Features

Source: Kaspersky Securelist
(Published: 02 April 2026)
Researchers identified CrystalX RAT, a remote access trojan that combines espionage capabilities with disruptive prankware features targeting victims. Read more.


Iran, US, and Israel Cyberwar Analysis 2026

Source: Seqrite
(Published: 02 April 2026)
Analysts highlight escalating cyber conflict activity involving Iran, the United States, and Israel, with increased targeting of critical infrastructure and government entities. Read more.


The Axios Breach: Plain Crypto JS Compromises Packages

Source: Resecurity
(Published: 02 April 2026)
A supply chain malware incident involving compromised crypto libraries demonstrates how attackers can poison widely used packages to distribute malicious code. Read more.


Hermes PyPI Package Analysis

Source: JFrog Security Research
(Published: 02 April 2026)
JFrog researchers analyzed a malicious PyPI package named Hermes that steals sensitive data from AI-related workflows and developer environments. Read more.


A Technique-Based Approach to Hunting Web-Delivered Malware

Source: Censys
(Published: 02 April 2026)
Researchers outline a technique-driven methodology for detecting and tracking malware delivered via web-based attack chains. Read more.


Weaponizing Trust Signals: Claude Code Lures and GitHub Release Payloads

Source: Trend Micro
(Published: 03 April 2026)
A packaging error in Anthropic’s Claude Code npm release briefly exposed internal source code, which threat actors rapidly weaponized to distribute Vidar and GhostSocks malware via fake GitHub repositories. Read more.


Weaponizing SaaS Notification Pipelines

Source: Cisco Talos
(Published: 03 April 2026)
Threat actors are abusing SaaS notification systems to deliver malicious payloads and bypass traditional security controls. Read more.


ComfyUI Servers Abused in Cryptomining Proxy Botnet

Source: Censys
(Published: 03 April 2026)
Exposed ComfyUI servers are being leveraged as part of a cryptomining proxy botnet, enabling attackers to route malicious traffic through compromised infrastructure. Read more.


Reddit and TradingView Lures Lead to Vidar and Amos Stealers

Source: HexaStrike
(Published: 03 April 2026)
Threat actors are using Reddit and TradingView-themed lures to distribute Vidar and Amos stealer malware to unsuspecting users. Read more.


Team PCP Strikes Again: Telnyx Library Supply Chain Compromise

Source: JFrog Security Research
(Published: 03 April 2026)
Threat actor Team PCP continues supply chain attacks by compromising a widely used Telnyx library to inject malicious functionality. Read more.


CIFRAT Malware Analysis

Source: CERT Polska
(Published: 03 April 2026)
CERT Polska analyzed CIFRAT malware, highlighting its modular design and capabilities for credential theft and remote control. Read more.


Axios Supply Chain Compromise: Detection and Response

Source: Elastic Security Labs
(Published: 03 April 2026)
Elastic provides detection strategies and telemetry insights for identifying malicious activity stemming from the Axios npm supply chain compromise. Read more.


The Scanner Was the Weapon: DevSecOps Supply Chain Attacks

Source: CloudSEK
(Published: 03 April 2026)
CloudSEK documents long-term supply chain attacks targeting DevSecOps infrastructure through malicious scanning tools and automation pipelines. Read more.


Contagious Interview Campaign Spreads Across 5 Ecosystems

Source: Socket
(Published: 04 April 2026)
The Contagious Interview campaign has expanded across multiple software ecosystems, distributing malicious packages designed to steal credentials and deploy backdoors. Read more.


Malicious Hermes PyPI Package Steals AI Conversation Data

Source: SafeDep
(Published: 04 April 2026)
A malicious PyPI package disguised as Hermes has been discovered stealing sensitive AI-generated conversation data from developers. Read more.


Modern Kubernetes Threat Landscape

Source: Unit 42 (Palo Alto Networks)
(Published: 04 April 2026)
Unit 42 outlines evolving threats targeting Kubernetes environments, including misconfigurations, exposed services, and supply chain vulnerabilities. Read more.


DPRK Malware: Modularity, Diversity, and Functional Specialization

Source: DomainTools
(Published: 04 April 2026)
Researchers detail how DPRK-linked malware ecosystems are evolving with modular architectures and specialized tooling for targeted campaigns. Read more.


Tax Season 2026: Cybercriminal Campaign Preparation

Source: Check Point
(Published: 04 April 2026)
Cybercriminals are preparing tax-themed phishing campaigns months in advance, leveraging seasonal lures to maximize victim engagement. Read more.


Tycoon 2FA Infrastructure Update Following Global Takedown

Source: eSentire
(Published: 04 April 2026)
Threat actors behind Tycoon 2FA phishing infrastructure have adapted their operations following disruption efforts by global law enforcement coalitions. Read more.


Anthropic Claude Code Leak: Security Implications

Source: Zscaler
(Published: 04 April 2026)
Zscaler analyzes the security risks introduced by the Claude Code leak and how attackers are leveraging it in active campaigns. Read more.


A Little Bit Pivoting: What Web Shells Are Attackers Looking For

Source: SANS ISC
(Published: 05 April 2026)
Attackers are actively scanning for specific web shells that enable lateral movement and pivoting within compromised environments. Read more.


Malicious Strapi Plugin Deploys Command-and-Control Agent

Source: SafeDep
(Published: 05 April 2026)
A malicious npm plugin targeting Strapi deployments installs a command-and-control agent to maintain persistence within compromised environments. Read more.


Qilin Ransomware EDR Killer Analysis

Source: Cisco Talos
(Published: 05 April 2026)
Cisco Talos examines how Qilin ransomware incorporates EDR-killing techniques to disable security defenses prior to encryption. Read more.


Fake Installers Deliver Monero Mining Malware

Source: Elastic Security Labs
(Published: 05 April 2026)
Elastic researchers identified campaigns distributing fake software installers that deploy Monero cryptomining malware on infected systems. Read more.


Axios NPM Supply Chain Compromise Analysis

Source: Datadog Security Labs
(Published: 05 April 2026)
Datadog researchers provide detailed analysis of the Axios npm compromise and its impact on developer ecosystems and production environments. Read more.


Storm-1175 Targets Vulnerable Web-Facing Assets in Medusa Ransomware Operations

Source: Microsoft
(Published: 06 April 2026)
Microsoft observed Storm-1175 conducting high-tempo ransomware operations by exploiting vulnerable internet-facing assets to deploy Medusa ransomware. Read more.


Business Email Compromise Fraud Becomes More Accessible

Source: Cisco Talos
(Published: 06 April 2026)
The democratization of business email compromise is lowering the barrier to entry, enabling more threat actors to launch sophisticated fraud campaigns. Read more.


Understanding the Axios NPM Compromise

Source: Endor Labs
(Published: 06 April 2026)
Endor Labs examines how the Axios compromise unfolded and what it reveals about modern supply chain attack techniques. Read more.


Phantom Stealer: Credential Theft Campaign Analysis

Source: Group-IB
(Published: 06 April 2026)
Phantom Stealer is being distributed through phishing campaigns to harvest credentials and sensitive user data across multiple platforms. Read more.


Claude Code Packaging Error Remains a Lure in an Active Campaign: What Defenders Should Do

Source: Trend Micro
(Published: 07 April 2026)
Threat actors continue to exploit the Claude Code packaging error as a lure, distributing Vidar, GhostSocks, and PureLog stealer malware through malicious GitHub releases. Read more.


Cybersecurity Advisory AA26-097A

Source: CISA
(Published: 07 April 2026)
CISA released advisory AA26-097A detailing ongoing threat activity and providing guidance for detecting and mitigating active cyber threats affecting organizations. Read more.


Mamont Banking Trojan: Android Malware Analysis

Source: NCC Group
(Published: 07 April 2026)
NCC Group analyzes Mamont, an Android banking trojan designed to steal financial data and credentials from infected mobile devices. Read more.


Want more articles? Check out the previous edition of Security Signals here. 


Security Signals (3/10/26-3/24/26)

February 2026 Edition

Key stats from real-world telemetry and live attack observations over the past month – a concise look at what we’re seeing across malware, phishing, ransomware, C2s, and domain abuse.

This Edition’s Articles

Late March 2026 Cyber Threat Reports captures a surge in real-world attacks – from ClickFix and Agent Tesla campaigns to MuddyWater activity and Trivy supply chain compromise impacting CI/CD pipelines. This cycle highlights the growing abuse of trusted platforms like GitHub, Microsoft Teams, and browser extensions, alongside AI-assisted phishing, credential theft, and ransomware operations moving faster and scaling wider across enterprise environments.

Phishers hide scam links with IPv6 trick in “free toothbrush” emails

Source: Malwarebytes
(Published: 11 March 2026)
United Healthcare impersonators are using an IPv6 trick to hide the real destination of phishing links in emails promising free Oral-B toothbrushes. Read more.


Evil evolution: ClickFix and macOS infostealers

Source: Sophos
(Published: 11 March 2026)
Across three recent campaigns, Sophos X-Ops notes shifts in both lures and malware capabilities, as threat actors leveraging ClickFix techniques increasingly target macOS users with infostealers. Read more.


Ransomware TTPs Shifting in the Threat Landscape

Source: Google Cloud
(Published: 12 March 2026)
Ransomware operators are continuing to evolve their tactics, techniques, and procedures to improve access, persistence, and monetization across targeted environments. Read more.


Moving up the Assemblyline: Exposing malicious code in browser extensions

Source: Red Canary
(Published: 12 March 2026)
Browser extensions are ubiquitous, offering users enhanced functionality and customization. Read more.


Fileless Multi-Stage Remcos RAT: From Phishing to Memory

Source: Trellix
(Published: 12 March 2026)
Trellix researchers detail a fileless multi-stage attack chain delivering Remcos RAT entirely in memory to evade traditional detection mechanisms. Read more.


Fake ChatGPT Invites Target Users With Malware

Source: CyberPress
(Published: 13 March 2026)
Threat actors are distributing fake ChatGPT invitation links to lure victims into downloading malware disguised as legitimate AI tools. Read more.


GIBCrypto Ransomware With Snake Keylogger Connection

Source: K7 Computing
(Published: 13 March 2026)
Researchers identified GIBCrypto ransomware as a destructive threat linked to Snake keylogger activity and capable of significant data loss. Read more.


The Rise of Fake Shipment Tracking Scams in MEA

Source: Group-IB
(Published: 13 March 2026)
Every day, billions of people rely on postal and courier services to deliver everything from handwritten letters to high value online orders. Read more.


Inside Keitaro Abuse: A Persistent Stream of AI-Driven Investment Scams

Source: Infoblox
(Published: 13 March 2026)
Infoblox researchers identified ongoing abuse of Keitaro traffic distribution systems to deliver AI-driven investment scams targeting unsuspecting users. Read more.


Slopoly Backdoor Powers Interlock Ransomware Intrusion

Source: Hive Pro
(Published: 14 March 2026)
Threat actors are using the Slopoly backdoor, enhanced with AI-assisted techniques, to support Interlock ransomware intrusion campaigns. Read more.


Asyncing Feeling: When Your Download Comes With Something Extra

Source: NCC Group
(Published: 14 March 2026)
NCC Group researchers uncovered a malware campaign where compromised downloads include hidden payloads that execute during installation. Read more.


ForceMemo: Hundreds of GitHub Python Repos Compromised via Account Takeover and Force-Push

Source: StepSecurity
(Published: 14 March 2026)
The StepSecurity threat intelligence team was the first to discover and report on an ongoing campaign – which we are tracking as ForceMemo – in which an attacker is compromising hundreds of GitHub accounts and injecting identical malware into hundreds of Python repositories. Read more.


Scarface Stealer: An In-Depth Analysis

Source: SonicWall
(Published: 15 March 2026)
SonicWall researchers analyze Scarface Stealer, a credential harvesting malware designed to extract sensitive information from infected systems. Read more.


Malicious Polymarket Bot Hides in Hijacked dev-protocol GitHub Org and Steals Wallet Keys

Source: StepSecurity
(Published: 15 March 2026)
The StepSecurity threat intelligence team discovered that dev-protocol – a verified GitHub organization with 568 followers belonging to a legitimate Japanese DeFi project – has been hijacked and is now being used to distribute malicious Polymarket trading bots. Read more.


AI-Assisted Phishing Campaign Exploits Browser Permissions to Capture Victim Data

Source: Cyble
(Published: 16 March 2026)
Cyble analyzes an AI-driven phishing campaign that abuses browser permissions to capture victims' images and exfiltrate the data to attacker-controlled Telegram bots. Read more.


Boggy Serpens Threat Assessment

Source: Unit 42 (Palo Alto Networks)
(Published: 16 March 2026)
Unit 42 provides a detailed assessment of the Boggy Serpens threat group, including its tactics, infrastructure, and observed campaigns. Read more.


Web Shells, Tunnels, and Ransomware: Dissecting a Warlock Attack

Source: Trend Micro
(Published: 16 March 2026)
Warlock continues to enhance its attack chain with new tactics to improve persistence, lateral movement, and defense evasion using an expanded toolset: TightVNC, Yuze, and a persistent BYOVD technique leveraging the NSec driver. Read more.


Casting a Wider Net: ClickFix, Deno, and LeakNet’s Scaling Threat

Source: ReliaQuest
(Published: 17 March 2026)
Ransomware operator “LeakNet” is currently averaging about three victims per month, but it’s scaling up and shifting tactics. Read more.


MuddyWater APT Uses Tsundere Botnet and EtherHiding for C2

Source: eSentire
(Published: 17 March 2026)
The MuddyWater threat group is leveraging the Tsundere botnet and EtherHiding techniques to obscure command-and-control infrastructure. Read more.


PureLog Stealer Delivered Through Copyright Lures

Source: Trend Micro
(Published: 17 March 2026)
Attackers are using copyright infringement lures to deliver a multi-stage infection chain that ultimately installs the PureLog information stealer. Read more.


Trivy Supply Chain Attack: What You Need to Know

Source: Aqua Security
(Published: 18 March 2026)
A supply chain attack targeting Trivy introduced malicious code into CI/CD pipelines through compromised GitHub Actions workflows. Read more.


Data Exfiltration Infrastructure Exposed

Source: Huntress
(Published: 18 March 2026)
Huntress uncovered a threat actor infrastructure used for large-scale data exfiltration operations across compromised environments. Read more.


AI-Enhanced Ransomware Attacks Leveraging Slopoly

Source: IBM X-Force
(Published: 18 March 2026)
IBM X-Force reports that threat actors are incorporating AI capabilities into ransomware campaigns to improve targeting and execution efficiency. Read more.


Microsoft Teams Social Engineering Delivers A0Backdoor Malware

Source: Hive Pro
(Published: 19 March 2026)
Threat actors are using Microsoft Teams as a delivery mechanism for A0Backdoor malware through social engineering tactics. Read more.


WebRTC Skimmer Targets E-Commerce Platforms

Source: Sansec
(Published: 19 March 2026)
Researchers uncovered a WebRTC-based skimmer that captures payment data from compromised e-commerce sites in real time. Read more.


Fake Telegram Malware Campaign Uses Multi-Stage Loader

Source: K7 Computing
(Published: 20 March 2026)
A multi-stage malware campaign is leveraging fake Telegram applications distributed via typosquatted domains to infect users. Read more.


PixRevolution: Android Trojan Targets Brazil’s PIX Payment System

Source: Zimperium
(Published: 20 March 2026)
PixRevolution is an Android banking trojan that hijacks Brazil’s PIX payment system in real time to steal funds from victims. Read more.


ROADK1LL: A WebSocket-Based Pivoting Implant

Source: Blackpoint Cyber
(Published: 21 March 2026)
ROADK1LL is a post-exploitation implant that uses WebSocket communication to pivot within compromised networks and maintain persistence. Read more.


TeamPCP Expands Supply Chain Compromise From Trivy to Checkmarx

Source: Sysdig
(Published: 22 March 2026)
The TeamPCP threat actor has expanded its supply chain attack operations by targeting additional CI/CD tools and GitHub Actions workflows. Read more.


Perseus DTO Malware: Stealthy Data Theft Capabilities

Source: ThreatFabric
(Published: 22 March 2026)
Perseus DTO malware enables attackers to silently capture sensitive data while maintaining persistence on infected systems. Read more.


Bucklog: Kubernetes-Focused Threat Activity Observed in the Wild

Source: GreyNoise
(Published: 23 March 2026)
GreyNoise observed active exploitation attempts targeting Kubernetes environments associated with a campaign dubbed Bucklog. Read more.


CanisterWorm: How a Self-Propagating npm Worm Is Spreading Backdoors Across the Ecosystem

Source: StepSecurity
(Published: 23 March 2026)
Following Trivy’s compromise, StepSecurity’s AI Package Analyst flagged suspicious new releases across multiple npm scopes – revealing CanisterWorm, a self-propagating npm worm deployed by the TeamPCP threat actor. Read more.


VoidStealer Bypasses ABE Protections

Source: Gen Digital
(Published: 24 March 2026)
Researchers identified VoidStealer malware capable of bypassing Application Bound Encryption protections to extract sensitive credentials. Read more.


Want more articles? Check out the previous edition of Security Signals here. 


Security Signals (2/24/26-3/10/26)

February 2026 Edition

Key stats from real-world telemetry and live attack observations over the past month – a concise look at what we’re seeing across malware, phishing, ransomware, C2s, and domain abuse.

This Edition’s Articles

Early March 2026 Cyber Threat Reports highlights fast-moving threats shaping the current landscape, from Agent Tesla, LockBit, MuddyWater, and APT37 to attacks targeting AWS credentials, Android devices, AI development tools, and enterprise SaaS access. This roundup reflects the real-world pace of phishing, credential theft, supply chain compromise, exposed infrastructure abuse, and ransomware-driven operations affecting defenders right now.

Punchbowl Phishing Attack Explained: How Digital Invites Are Used to Steal Credentials

Source: Cofense
(Published: 24 February 2026)
In today’s digital age, receiving online invitations to events has become commonplace. Read more.


Open Redirects: A Forgotten Vulnerability

Source: SANS Internet Storm Center
(Published: 24 February 2026)
Open redirect vulnerabilities often receive less attention than other web security issues, but they can still be abused in phishing campaigns and malware delivery chains. Read more.


Abusing Windows File Explorer and WebDAV for Malware Delivery

Source: Cofense
(Published: 25 February 2026)
Cofense Intelligence has been tracking how threat actors are abusing Windows File Explorer’s ability to retrieve remote files over Web-based Distributed Authoring and Versioning (WebDAV), an HTTP-based file management protocol, to trick victims into downloading malware. Read more.


Contagious Interview: Evolution of VS Code and Cursor Tasks Infection Chains – Part 1

Source: Abstract Security
(Published: 25 February 2026)
The ASTRO team has been actively tracking Contagious Interview techniques that abuse task auto-execution in integrated development environments (IDEs) such as Microsoft Visual Studio Code (VSCode) and Cursor to deliver malware. Read more.


Exposing the Undercurrent: Disrupting the GRIDTIDE Global Cyber Espionage Campaign

Source: Google Cloud Blog
(Published: 25 February 2026)
Last week, Google Threat Intelligence Group (GTIG), Mandiant, and partners took action to disrupt a global espionage campaign targeting telecommunications and government organizations in dozens of nations across four continents. Read more.


OCRFix: Botnet Trojan delivered through ClickFix and EtherHiding

Source: CYJAX
(Published: 25 February 2026)
During routine analysis, CYJAX identified a typosquatting phishing campaign which impersonated the Optical Character Recognition (OCR) tool Tesseract OCR. Read more.


Reynolds Ransomware: BYOVD Evasion & NSecKrnl Abuse

Source: Brandefense
(Published: 25 February 2026)
A new ransomware group tracked as “Reynolds” emerged in February 2026 and is reported to use the Bring Your Own Vulnerable Driver (BYOVD) technique to disable security controls before encryption, significantly increasing its chances of success even in well-defended environments. Read more.


Unmasking Agent Tesla: A Deep Dive Into a Multi-Stage Campaign

Source: Fortinet
(Published: 25 February 2026)
Agent Tesla remains one of the most persistent threats in the cyber landscape today, continuing to evolve through multi-stage delivery chains and stealthy credential theft techniques. Read more.


[Op Report] Velvet Tempest linked to ClickFix campaigns for Termite Ransomware, HoK Activity Observed

Source: Deception.Pro
(Published: 26 February 2026)
During a 12-day Deception.Pro operation, researchers observed a high-severity, multi-stage intrusion chain that began with malvertising and a ClickFix-style fake CAPTCHA. Read more.


Free Games, Costly Consequences

Source: G DATA Security Blog
(Published: 26 February 2026)
PiviGames, a popular Spanish gaming platform is well-known in the gaming community for providing download links to pirated PC games. Read more.


GTFire Phishing Scheme Targets Organizations

Source: Group-IB
(Published: 26 February 2026)
Researchers uncovered a phishing campaign dubbed GTFire that leverages convincing login pages and infrastructure designed to harvest credentials from targeted organizations. Read more.


Henry IV, Hotspur, Hal, and hallucinations

Source: Cisco Talos
(Published: 26 February 2026)
Welcome to this week’s edition of the Threat Source newsletter. Read more.


Malicious Go “crypto” Module Steals Passwords and Deploys Rekoobe Backdoor

Source: Socket
(Published: 26 February 2026)
Socket’s Threat Research Team uncovered a malicious Go module, github[.]com/xinfeisoft/crypto, that imitates the legitimate golang[.]org/x/crypto codebase but inserts a backdoor in ssh/terminal/terminal.go. Read more.


New Dohdoor malware campaign targets education and health care

Source: Cisco Talos
(Published: 26 February 2026)
Cisco Talos discovered an ongoing malicious campaign, active since at least as early as December 2025, by a threat actor we track as “UAT-10027,” delivering a previously undisclosed backdoor dubbed “Dohdoor.” Read more.


Novel DPRK stager using Pastebin and text steganography

Source: kmsec.uk
(Published: 26 February 2026)
This is a quick one as FAMOUS CHOLLIMA has been keeping me busy this week by testing Google Drive as a stager and my longer write-up on tracking their IP addresses through temporary mailboxes. Read more.


PlugX Meeting Invitation via MSBuild and GDATA

Source: LAB52
(Published: 26 February 2026)
In relation to the latest variant of the PlugX RAT executed by STATICPLUGIN analyzed by IIJ-SECT, LAB52 aims to complement this information with additional observed deployment activity and encryption characteristics in samples analyzed by this team. Read more.


ShinyHunters Fast-Tracks SaaS Access With Subdomain Impersonation

Source: ReliaQuest
(Published: 26 February 2026)
Researchers observed threat actor ShinyHunters leveraging subdomain impersonation techniques to accelerate access to SaaS environments and improve the credibility of phishing lures. Read more.


VEN0m Ransomware: DFIR Analysis, Detection Engineering & Key Recovery

Source: Ransom-ISAC
(Published: 26 February 2026)
On February 23, 2026, Tammy Harper alerted the Ransom-ISAC community to a new ransomware payload utilising User Account Control (UAC) bypass and Bring Your Own Vulnerable Driver (BYOVD) techniques. Read more.


APT36: Multi-Vector Execution Malware Campaign Targeting Indian Government Entities

Source: CYFIRMA
(Published: 27 February 2026)
CYFIRMA has identified a targeted malware campaign attributed to the Pakistan-aligned threat actor Transparent Tribe (also known as APT36). Read more.


Contagious Interview Campaign Abusing VSCode Distributed on Github

Source: ENKI WhiteHat
(Published: 27 February 2026)
We recently identified multiple instances of malware on Github that abuse VS Code automation features. Read more.


Fake Zoom and Google Meet Scams Install Teramind

Source: Malwarebytes
(Published: 27 February 2026)
Researchers identified a campaign using fake Zoom and Google Meet downloads that silently install the Teramind monitoring tool to spy on victims. Read more.


Hook, line, and vault: A technical deep dive into the 1Phish kit

Source: Datadog Security Labs
(Published: 27 February 2026)
The 1Phish kit evolved between September 2025 and February 2026 from a basic credential harvester into an MFA-aware, multi-stage phishing kit targeting 1Password users. Read more.


Inside a Fake Google Security Check That Becomes a Browser RAT

Source: Malwarebytes
(Published: 27 February 2026)
A website disguised as a Google Account security check is distributing a browser-based remote access tool capable of surveillance and credential theft. Read more.


StegaBin: 26 Malicious npm Packages Use Pastebin Steganography to Deploy Multi-Stage Credential Stealer

Source: Socket
(Published: 27 February 2026)
Socket’s AI-powered threat detection systems identified 26 malicious npm packages published over a two-day period that deploy a multi-stage credential and secret harvesting operation targeting developers. Read more.


The ClawHavoc Campaign

Source: PolySwarm
(Published: 27 February 2026)
The ClawHavoc campaign exploited the permissive nature of ClawHub, the official marketplace for OpenClaw Skills, which are plugin packages that extend the open-source AI agent’s capabilities across automation, cryptocurrency monitoring, social media assistance, and productivity tasks. Read more.


Why Digital Squatting Still Works in 2026, and Why Defense Is So Hard

Source: LastPass
(Published: 27 February 2026)
Digital squatting and phishing are often treated as separate threat vectors, but they are deeply intertwined. Read more.


Zerobot Malware Targets n8n Automation Platform

Source: Akamai
(Published: 27 February 2026)
The Akamai SIRT discovered an ongoing Mirai-based malware campaign, dubbed Zerobot, targeting a variety of recent CVEs, including those affecting Tenda AC1206 routers and the n8n workflow automation platform. Read more.


A Fake FileZilla Site Hosts a Malicious Download

Source: Malwarebytes
(Published: 02 March 2026)
Attackers are distributing malware through a fake FileZilla website designed to trick users into downloading a malicious installer. Read more.


Exorcising Demons: Fake Tech Support Delivers Havoc Command and Control

Source: Huntress
(Published: 02 March 2026)
Fake browser alerts and tech support lures are being used to deliver the Havoc command-and-control framework through deceptive user prompts and staged execution chains. Read more.


Funnull Resurfaces: Exposing RingH23 Arsenal and MacCMS Supply Chain Attacks

Source: QiAnXin X Lab
(Published: 02 March 2026)
Funnull (Funnull Technology Inc.), also known as Fangneng CDN, is a Philippines-registered company that publicly claims to provide CDN services. Read more.


Iranian APT Activity During Geopolitical Escalation

Source: Nozomi Networks
(Published: 02 March 2026)
Researchers observed increased cyber activity linked to Iranian threat groups during escalating geopolitical tensions in the Middle East. Read more.


Oblivion RAT – An Android Spyware Platform With a Built-In APK Factory

Source: iVerify
(Published: 02 March 2026)
Oblivion RAT is a new Android remote access trojan sold as a malware-as-a-service (MaaS) platform on cybercrime networks for $300/month. Read more.


PromptSpy Android Malware Uses Generative AI

Source: PolySwarm
(Published: 02 March 2026)
PromptSpy is the first documented Android malware family to integrate generative AI, specifically Google’s Gemini, into its execution flow for dynamic, context-aware persistence. Read more.


SloppyLemming Deploys BurrowShell and Rust-Based RAT to Target Pakistan and Bangladesh

Source: Arctic Wolf
(Published: 02 March 2026)
Over the last 12 months, Arctic Wolf has been tracking an extensive cyber espionage campaign conducted by SloppyLemming, an India-nexus threat actor, targeting government entities and critical infrastructure operators in Pakistan and Bangladesh. Read more.


Fooling AI Agents: Web-Based Indirect Prompt Injection Observed in the Wild

Source: Unit 42 (Palo Alto Networks)
(Published: 03 March 2026)
Large language models (LLMs) and AI agents are becoming deeply integrated into web browsers, search engines and automated content-processing pipelines. Read more.


Doppelganger RRN Disinformation Infrastructure Ecosystem

Source: DomainTools Intelligence
(Published: 04 March 2026)
Researchers identified a large disinformation infrastructure linked to the Doppelganger campaign that leverages cloned news domains and coordinated social amplification. Read more.


Fake Discount Scams Spread Across E-Commerce Platforms

Source: Guard.io
(Published: 04 March 2026)
Security researchers observed a wave of fake discount campaigns designed to lure users into phishing pages that harvest payment details and login credentials. Read more.


Fake FedEx Email Delivers Donut Malware

Source: SANS Internet Storm Center
(Published: 04 March 2026)
A phishing email impersonating FedEx delivery notifications is distributing malware using malicious attachments designed to trick recipients into executing embedded payloads. Read more.


Malicious NuGet Package Targets Stripe Developers

Source: ReversingLabs
(Published: 04 March 2026)
Researchers discovered a malicious NuGet package designed to target developers working with Stripe integrations and steal sensitive credentials. Read more.


SurxRAT Downloads Large LLM Module From Hugging Face

Source: Cyble
(Published: 04 March 2026)
Security researchers discovered SurxRAT downloading a large language model module from Hugging Face to enhance its command processing and evasion capabilities. Read more.


2026 Ransomware Cartelization: Qilin, LockBit, and Akira Convergence

Source: SecureBlink
(Published: 05 March 2026)
Researchers highlight increasing collaboration between ransomware groups including Qilin, LockBit, and Akira as part of a growing trend of ransomware cartelization. Read more.


ActiveMQ Exploit Deploys LockBit Ransomware

Source: CyberPress
(Published: 05 March 2026)
Threat actors are exploiting vulnerable Apache ActiveMQ servers to deploy LockBit ransomware in targeted intrusion campaigns. Read more.


Agent Tesla Campaign Evolves to Evade Detection

Source: CyberPress
(Published: 05 March 2026)
A new campaign distributing Agent Tesla malware is using updated delivery techniques and obfuscation to evade traditional detection mechanisms. Read more.


ZeroDayRAT Targets Mobile Devices

Source: CyberPress
(Published: 05 March 2026)
Researchers uncovered a new remote access trojan called ZeroDayRAT designed to target mobile devices and steal sensitive data. Read more.


Charming Kitten Activity Escalates in Iran-Israel Cyber Conflict

Source: FalconFeeds
(Published: 06 March 2026)
Researchers observed increased cyber activity linked to the Iranian threat group Charming Kitten amid escalating tensions in the Iran-Israel cyber conflict. Read more.


Inside a New Violetrat Campaign

Source: SonicWall
(Published: 06 March 2026)
Researchers uncovered a multi-stage malware campaign delivering Violetrat through layered payload execution designed to evade security detection. Read more.


Moonrise RAT: Emerging Remote Access Threat

Source: CyberSec Sentinel
(Published: 06 March 2026)
The Moonrise RAT malware family has emerged as a serious threat capable of persistent access, credential theft, and remote command execution. Read more.


TaxiSpy RAT: Analysis of TaxiSpy RAT – Russian Banking-Focused Android Malware with Full Remote Control

Source: CYFIRMA
(Published: 06 March 2026)
This report analyzes a highly sophisticated Android Banking Trojan with integrated Remote Access Trojan (RAT) functionality, specifically targeting Russian financial institutions. Read more.


UnsolicitedBooker Deploys MarsSnake Against Telecom Providers

Source: CyberSec Sentinel
(Published: 06 March 2026)
A threat actor tracked as UnsolicitedBooker has been deploying the MarsSnake malware family against telecommunications organizations. Read more.


Hydra-Saiga: Covert Espionage and Infiltration of Critical Utilities

Source: VMRay
(Published: 07 March 2026)
Analysts detail a covert espionage campaign dubbed Hydra-Saiga that targets critical utility infrastructure with stealthy malware implants. Read more.


Iran-Linked Dust Specter Launches Cyberattack on Iraqi Officials

Source: Hive Pro
(Published: 07 March 2026)
Iranian-linked threat group Dust Specter conducted targeted cyber operations against Iraqi officials in a campaign involving credential harvesting and malware delivery. Read more.


Mercenary Akula’s Court-Themed Campaign Hits European Finance

Source: Hive Pro
(Published: 07 March 2026)
A campaign attributed to Mercenary Akula used court-themed lures to target financial institutions across Europe with phishing and malware payloads. Read more.


Operation Olalampo: MuddyWater Expands Campaign Across MENA

Source: Hive Pro
(Published: 08 March 2026)
The MuddyWater threat group expanded its Operation Olalampo campaign targeting organizations across the Middle East and North Africa region. Read more.


APT37 Adds New Capabilities to Target Air-Gapped Networks

Source: Zscaler
(Published: 09 March 2026)
Researchers report that North Korean threat group APT37 has developed new techniques for targeting air-gapped networks and sensitive systems. Read more.


Behind the console: Active phishing campaign targeting AWS console credentials

Source: Datadog Security Labs
(Published: 09 March 2026)
Datadog Security Research identified an active adversary-in-the-middle (AiTM) phishing campaign targeting AWS Console credentials. Read more.


Iranian APT MuddyWater Uses Dindoor Malware to Target U.S. Networks

Source: SOCRadar
(Published: 09 March 2026)
A recently uncovered cyber espionage campaign attributed to the Iranian state-linked threat group MuddyWater has drawn attention from security researchers after several organizations in the United States were compromised using newly observed malware. Read more.


Sandworm_MODE NPM Supply Chain Attack Targets AI Development Tools

Source: Hive Pro
(Published: 09 March 2026)
Researchers uncovered a supply chain attack on the NPM ecosystem targeting AI development tools and attributed to activity consistent with Sandworm operations. Read more.


Want more articles? Check out the previous edition of Security Signals here.

How big are your threat data gaps?

See for yourself.


Security Signals (1/27/26-2/10/26)


January 2026 Edition

Key stats from real-world telemetry and live attack observations over the past month – a concise look at what we’re seeing across malware, phishing, ransomware, C2s, and domain abuse.

This Edition’s Articles

Early February 2026 Cyber Threat Reports capture the momentum behind real-world attacks: APT28 exploiting CVE-2026-21509, DynoWiper destructive activity, and ransomware tradecraft tied to LockBit/Black Basta, alongside infostealer- and phishing-driven abuse of platforms like Google Cloud, WordPress, and macOS/Android.

New Year, New Sector: Transparent Tribe Targets India’s Startup Ecosystem

Source: Acronis Threat Research Unit
(Published: 27 January 2026)
Transparent Tribe, a well-known APT group, has expanded its targeting to India’s rapidly growing startup ecosystem. Read more.


The Pyrat Code: Python-Based RAT and Its Internals

Source: K7 Labs
(Published: 28 January 2026)
Pyrat is a Python-based Remote Access Trojan that has been observed in multiple attack campaigns targeting Windows systems. Read more.


Interlock Ransomware: New Techniques, Same Old Tricks

Source: Fortinet Threat Research
(Published: 27 January 2026)
Interlock ransomware operators continue to refine their tooling while relying on well-established intrusion techniques. Read more.


No Place Like Home Network: Disrupting the World’s Largest Residential Proxy Network

Source: Google Cloud Blog
(Published: 28 January 2026)
This week Google and partners took action to disrupt what we believe is one of the largest residential proxy networks in the world, the IPIDEA proxy network. Read more.


Shadow Campaigns: Uncovering Global Espionage

Source: Palo Alto Networks Unit 42
(Published: 28 January 2026)
Unit 42 researchers have uncovered a set of previously undocumented campaigns conducting cyber espionage across multiple regions. Read more.


PureRAT: Attacker Now Using AI to Build Toolset

Source: SECURITY.COM
(Published: 28 January 2026)
A Vietnamese threat actor is likely using AI to author code powering an ongoing phishing campaign delivering the PureRAT malware and other payloads. Read more.


TAMECAT – Analysis of an Iranian PowerShell-Based Backdoor

Source: Pulsedive Threat Research
(Published: 29 January 2026)
Artifacts from our analysis are available on our GitHub. Read more.


Meet IClickFix: a widespread WordPress-targeting framework using the ClickFix tactic

Source: Sekoia.io
(Published: 29 January 2026)
In November 2025, during our threat hunting routine for unveiling emerging adversary clusters, TDR analysts identified a widespread malware distribution campaign leveraging the ClickFix social engineering tactic through a Traffic Distribution System (TDS). Read more.


Dissecting UAT-8099: New persistence mechanisms and regional focus

Source: Cisco Talos Intelligence Blog
(Published: 29 January 2026)
Cisco Talos has identified a new campaign by UAT-8099, active from late 2025 to early 2026, that is targeting vulnerable Internet Information Services (IIS) servers across Asia with a specific focus on victims in Thailand and Vietnam. Read more.


RedKitten: AI-accelerated campaign targeting Iranian protests

Source: HarfangLab
(Published: 29 January 2026)
RedKitten is a newly identified campaign targeting Iranian interests, likely including non-governmental organizations and individuals involved in documenting recent human rights abuses, first observed in early January 2026. Read more.


Honeymyte Updates: CoolClient Uses Browser Stealers and Scripts

Source: Securelist (Kaspersky)
(Published: 29 January 2026)
We continue to track the Honeymyte activity cluster and recently observed new updates to the CoolClient malware family. Read more.


New ShadowSyndicate Infrastructure Identified

Source: Group-IB
(Published: 29 January 2026)
Group-IB researchers have identified new infrastructure linked to the ShadowSyndicate cybercriminal group. Read more.


Silent Brothers | Ollama Hosts Form Anonymous AI Network Beyond Platform Guardrails

Source: SentinelOne
(Published: 29 January 2026)
A joint research project between SentinelLABS and Censys reveals that open-source AI deployment has created an unmanaged, publicly accessible layer of AI compute infrastructure spanning 175,000 hosts worldwide, operating outside the guardrails and monitoring systems that platform providers implement by default. Read more.


The Rise of Arsink Rat

Source: Zimperium
(Published: 29 January 2026)
Arsink is a cloud-native Android Remote Access Trojan (RAT) that aggressively harvests private data and gives remote operators intrusive control over infected devices. Read more.


PRC Targets NATO Frontline States

Source: Jamestown Foundation
(Published: 30 January 2026)
The People’s Republic of China (PRC) is expanding its presence along the North Atlantic Treaty Organization’s (NATO) frontline through technology access, influence networks, and dual-use infrastructure, creating openings that could weaken alliance cohesion and expose vulnerabilities in Europe’s defense posture. Read more.


Guidance from the Frontlines: Proactive Defense Against ShinyHunters-Branded Data Theft Targeting SaaS

Source: Google Cloud Blog
(Published: 30 January 2026)
Mandiant is tracking a significant expansion and escalation in the operations of threat clusters associated with ShinyHunters-branded extortion. Read more.


Stan Ghouls in Uzbekistan

Source: Securelist (Kaspersky)
(Published: 30 January 2026)
We uncovered a series of attacks in Uzbekistan that appear to be linked to the long-running “Stalkerware” ecosystem. Read more.


DynoWiper update: Technical analysis and attribution

Source: WeLiveSecurity (ESET Research)
(Published: 30 January 2026)
In this blog post, we provide more technical details related to our previous DynoWiper publication. Read more.


Iconics Suite Vulnerability Exploited in the Wild (CVE-2025-0921)

Source: Palo Alto Networks Unit 42
(Published: 31 January 2026)
Unit 42 researchers have observed active exploitation of a vulnerability in the Iconics Suite software platform. Read more.


DynoWiper: Destructive Malware Targeting Hybrid Environments

Source: Elastic Security Labs
(Published: 1 February 2026)
Elastic Security Labs identified DynoWiper, a destructive malware strain designed to disrupt hybrid cloud environments. Read more.


The Autonomous Adversary: From Chatbot to Criminal Enterprise

Source: InfoStealers
(Published: 1 February 2026)
Advances in large language models are beginning to reshape how cybercriminals automate operations and decision-making. Read more.


Android Trojan Campaign Uses Hugging Face to Host RAT Payload

Source: Bitdefender Labs
(Published: 2 February 2026)
Bitdefender researchers have identified an Android malware campaign abusing the Hugging Face platform to host malicious payloads. Read more.


Dark Web Marketplaces: An Overview

Source: DEXpose
(Published: 2 February 2026)
Dark web marketplaces continue to play a central role in the cybercrime ecosystem by facilitating the sale of illicit goods and services. Read more.


Citrix Recon Using Residential Proxies

Source: GreyNoise
(Published: 2 February 2026)
GreyNoise researchers observed widespread reconnaissance activity targeting Citrix environments using residential proxy infrastructure. Read more.


Infostealers Without Borders: macOS Python Stealers and Platform Abuse

Source: Microsoft Security Blog
(Published: 2 February 2026)
Microsoft researchers are tracking a rise in macOS-focused Python-based infostealers abusing legitimate platforms for distribution. Read more.


APT28 Leverages CVE-2026-21509 in Operation Neusploit

Source: Zscaler ThreatLabz
(Published: 2 February 2026)
In January 2026, Zscaler ThreatLabz identified a new campaign in-the-wild, tracked as Operation Neusploit, targeting countries in the Central and Eastern European region. Read more.


APT28: Geofencing as a Targeting Signal (CVE-2026-21509 Campaign)

Source: Synaptic Security Blog
(Published: 3 February 2026)
Since the beginning of this year, we have again observed an increased number of attacks by APT28 targeting various European countries. Read more.


APT28’s Campaign Leveraging CVE-2026-21509 and Cloud C2 Infrastructure

Source: StrikeReady
(Published: 3 February 2026)
APT28 has launched a new campaign exploiting CVE-2026-21509 and leveraging cloud-hosted command-and-control infrastructure. Read more.


Likely Fake Ransomware Operator 0apt Causes Panic: Our Analysis

Source: Intel 471
(Published: 3 February 2026)
Intel 471 analysts assess that the ransomware operator known as 0apt is likely engaging in deception rather than conducting real attacks. Read more.


SnappyBee Malware Analysis

Source: Darktrace
(Published: 3 February 2026)
Darktrace analysts investigated a new malware family dubbed SnappyBee observed in recent intrusions. Read more.


19 Shades of LockBit 5.0: Inside the Latest Cross-Platform Ransomware (Part 1)

Source: LevelBlue SpiderLabs
(Published: 3 February 2026)
Researchers analyzed LockBit 5.0 to understand how the ransomware has evolved into a cross-platform threat. Read more.


Analysis of Suspected Malware Linked to APT-Q-27 Targeting Financial Institutions

Source: CyStack
(Published: 4 February 2026)
In mid-January 2026, CyStack’s security team observed anomalous activity on a corporate customer’s environment. Read more.


Russian Cyber Threat Activity Ahead of the 2026 Winter Olympics

Source: Palo Alto Networks Unit 42
(Published: 4 February 2026)
Russian cyber threat actors are likely to increase activity in the lead-up to the 2026 Winter Olympics, according to Unit 42 analysis. Read more.


When Malware Talks Back

Source: PointWild
(Published: 4 February 2026)
Modern malware increasingly incorporates interactive capabilities that allow operators to adapt campaigns in real time. Read more.


Operation Bizarre Bazaar

Source: Pillar Security
(Published: 4 February 2026)
Operation Bizarre Bazaar documents a coordinated campaign abusing trusted platforms to distribute malicious payloads. Read more.


Inside a Multi-Stage Android Malware Campaign Leveraging RTO-Themed Social Engineering

Source: Seqrite
(Published: 4 February 2026)
In recent years, Android malware campaigns in India have increasingly abused the trust associated with government services and official digital platforms. Read more.


CISA tells agencies to stop using unsupported edge devices

Source: CyberScoop
(Published: 5 February 2026)
A binding operational directive issued Thursday looks to combat an attack pathway that has been behind some of the biggest attacks and most common exploits in recent years. Read more.


Substack Breach: 662,752 User Records Leaked on Cybercrime Forum

Source: Hackread
(Published: 5 February 2026)
Three days before Substack told users about a security incident, a very different version of the story was already circulating in underground cyber crime forums. Read more.


Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework

Source: Cisco Talos Intelligence Blog
(Published: 5 February 2026)
Cisco Talos uncovered “DKnife,” a fully featured gateway-monitoring and adversary-in-the-middle (AitM) framework comprising seven Linux-based implants that perform deep-packet inspection, manipulate traffic, and deliver malware via routers and edge devices. Read more.


Please Don’t Feed the Scattered Lapsus-Shiny Hunters

Source: Krebs on Security
(Published: 5 February 2026)
Researchers are warning that attention-seeking cybercrime groups thrive on publicity and notoriety. Read more.


ClickFix Variant CrashFix Deploying Python RAT Trojan

Source: Microsoft Security Blog
(Published: 5 February 2026)
Microsoft has identified a new ClickFix variant dubbed CrashFix that deploys a Python-based RAT. Read more.


Reynolds: Defense Evasion Capability Embedded in Ransomware Payload

Source: SECURITY.COM
(Published: 5 February 2026)
A recent Reynolds ransomware campaign was notable because the ransomware contained a bring-your-own-vulnerable-driver (BYOVD) defense evasion component embedded within the ransomware payload itself. Read more.


AppleScript Abuse: Unpacking a macOS Phishing Campaign

Source: Darktrace
(Published: 5 February 2026)
Darktrace researchers uncovered a phishing campaign abusing AppleScript to target macOS users. Read more.


China’s Salt Typhoon Hackers Broke Into Norwegian Companies

Source: TechCrunch
(Published: 6 February 2026)
Hackers linked to the Chinese state-sponsored group known as Salt Typhoon have breached multiple Norwegian companies. Read more.


Incognito Market Operator Sentenced to Thirty Years

Source: The Record
(Published: 6 February 2026)
The operator of the darknet drug marketplace Incognito Market has been sentenced to thirty years in prison. Read more.


Git Metadata Leak Exposes Sensitive Information

Source: Mysterium VPN
(Published: 6 February 2026)
Researchers uncovered widespread exposure of sensitive information due to leaked Git metadata in public repositories. Read more.


Nginx Traffic Hijacking in React2Shell Campaign

Source: The Cybersecurity Guru
(Published: 7 February 2026)
Researchers have uncovered a campaign abusing exposed Nginx configurations to hijack web traffic and deploy malicious payloads. Read more.


Malicious Bing Ads Lead to Widespread Azure Tech Support Scams

Source: Netskope
(Published: 7 February 2026)
Netskope researchers uncovered a large-scale campaign abusing Bing ads to deliver Azure-themed tech support scams. Read more.


Aisuru Botnet Sets New Record With 3.14 Tbps DDoS Attack

Source: BleepingComputer
(Published: 8 February 2026)
The Aisuru botnet has set a new distributed denial-of-service record with a massive 3.14 Tbps attack. Read more.


Labyrinth Chollima Evolves Into Three Adversaries

Source: CrowdStrike
(Published: 8 February 2026)
CrowdStrike researchers have observed the threat group Labyrinth Chollima splintering into three distinct adversaries. Read more.


The GRU Illegals

Source: Lab52
(Published: 8 February 2026)
Russian intelligence services have historically relied on so-called “illegals” – deep-cover operatives who live for years in foreign countries under false identities. Read more.


Prince of Persia, Part II

Source: SafeBreach Labs
(Published: 8 February 2026)
SafeBreach researchers continue their analysis of the Prince of Persia campaign, revealing additional tradecraft and tooling. Read more.


LTX Stealer: Analysis of a Node.js-Based Credential Stealer

Source: Cyfirma
(Published: 9 February 2026)
Cyfirma researchers analyzed a new credential-stealing malware written in Node.js dubbed LTX Stealer. Read more.


Re-Emerging Telegram Phishing Campaign Targeting User Authorization Prompts

Source: Cyfirma
(Published: 9 February 2026)
A phishing campaign abusing Telegram authorization prompts has resurfaced with updated infrastructure and lures. Read more.


S’pore’s major telcos came under attack by UNC3886 in 2025

Source: The Straits Times
(Published: 9 February 2026)
SINGAPORE – All four major telcos in Singapore came under attack by state-sponsored cyberespionage group UNC3886, whose activities to disrupt critical services here were first made public in July 2025. Read more.


Security Signals (1/13/26-1/27/26)


Turn Insights Into Action with Free Threat Intel

Security Signals gives you the insights and our Risk Indicators OSINT feeds help you apply them.

This Edition’s Articles

Late January 2026 Cyber Threat Reports spotlight real-world abuse of trusted platforms and exposed infrastructure – from LockBit 5.0 and KONNI to BRICKSTORM, Gootloader-style delivery tricks, and attacks leveraging tools like Visual Studio Code, PAN-OS GlobalProtect, and Google Gemini. Expect recurring themes of phishing/credential theft, malware staging, and operational tooling that turns everyday enterprise workflows into attack paths.

Planned failure: Gootloader’s malformed ZIP actually works perfectly

Source: Expel
(Published: 15 January 2026)
Gootloader malware is delivered to victims in a ZIP archive and the ZIP itself is designed to bypass detection. Read more.


Keylogger targets 200,000+ employees at major US bank

Source: Sansec
(Published: 15 January 2026)
Sansec discovered an active keylogger on the employee merchandise store of a top 3 US bank. Read more.


Inside LockBit 5.0: Analyzing the Ransomware Group’s Latest Affiliate Panel and Encryption Variants

Source: Flare
(Published: 16 January 2026)
The leaked materials provide unprecedented visibility into LockBit’s affiliate management system, showing the interface used by ransomware operators to coordinate attacks and manage victim negotiations. Read more.


Remcos RAT Being Distributed to Korean Users

Source: ASEC (AhnLab)
(Published: 16 January 2026)
AhnLab SEcurity intelligence Center (ASEC) has confirmed the distribution of the Remcos RAT targeting users in South Korea. Read more.


Mandiant releases rainbow table that cracks weak admin password in 12 hours

Source: Ars Technica
(Published: 16 January 2026)
Windows laggards still using the vulnerable hashing function: Your days are numbered. Read more.


Poland Under Intensified DDoS Siege: Weekly DDoS Threat Intelligence Analysis

Source: SOCRadar
(Published: 18 January 2026)
Between 12 and 18 January 2026, SOCRadar identified an intensive coordinated DDoS campaign conducted by the pro-Russian threat actor NoName057(16) and their DDoSia attack tool. Read more.


CVE-2026-0227 PAN-OS: Firewall Denial of Service (DoS) in GlobalProtect Gateway and Portal

Source: Palo Alto Networks
(Published: 19 January 2026)
A vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to cause a denial of service (DoS) to the firewall. Read more.


NCSC issues warning over hacktivist groups disrupting UK organisations and online services

Source: UK National Cyber Security Centre (NCSC)
(Published: 19 January 2026)
New alert warns of state-aligned hacktivists targeting UK organisations, looking to cripple services and disable websites. Read more.


Hacker admits to leaking stolen Supreme Court data on Instagram

Source: BleepingComputer
(Published: 19 January 2026)
A Tennessee man has pleaded guilty to hacking the U.S. Supreme Court’s electronic filing system and breaching accounts at the AmeriCorps U.S. federal agency and the Department of Veterans Affairs. Read more.


Broker who sold malware to the FBI set for sentencing

Source: The Register
(Published: 19 January 2026)
Feras Khalil Ahmad Albashiti, 40, admitted to facilitating cyberattacks on at least 50 companies stateside. Read more.


Operation Covert Access: Weaponized LNK-Based Spear-Phishing Targeting Argentina’s Judicial Sector to Deploy a Covert RAT

Source: Seqrite
(Published: 19 January 2026)
Seqrite Labs has identified and uncovered a globally active spear-phishing campaign targeting Argentina’s judicial sector. Read more.


Weaponizing Calendar Invites: A Semantic Attack on Google Gemini

Source: Miggo
(Published: 19 January 2026)
A standard calendar invite became an attack vector, exposing how prompt injection in Google Gemini bypassed privacy controls through language alone. Read more.


Kimwolf Botnet Lurking in Corporate, Govt. Networks

Source: Krebs on Security
(Published: 20 January 2026)
A new Internet-of-Things (IoT) botnet called Kimwolf has spread to more than 2 million devices, forcing infected systems to participate in massive distributed denial-of-service (DDoS) attacks and to relay other malicious and abusive Internet traffic. Read more.


BRICKSTORM Malware Report Highlights the Criticality of Network-Derived Telemetry

Source: Gigamon
(Published: 20 January 2026)
Although GTIG laments the lack of security telemetry in its analysis of the BRICKSTORM malware, network-derived telemetry from the analysis of network traffic is a rich source that can and should be leveraged by threat hunters and IR teams. Read more.


Inside a Multi-Stage Windows Malware Campaign

Source: Fortinet (FortiGuard Labs)
(Published: 20 January 2026)
FortiGuard Labs recently identified a multi-stage malware campaign primarily targeting users in Russia. Read more.


IntelBroker Unmasked – The Story of Hacker Kai Logan West

Source: Picus Security
(Published: 20 January 2026)
If you’ve been following cybersecurity news lately, you’ve almost certainly heard the name “IntelBroker.” Read more.


Threat Actors Expand Abuse of Microsoft Visual Studio Code

Source: Jamf
(Published: 20 January 2026)
Jamf Threat Labs identifies additional abuse of Visual Studio Code. Read more.


Predator bots are exploiting APIs at scale. Here’s how defenders must respond.

Source: CyberScoop
(Published: 20 January 2026)
With malicious bots now accounting for roughly 37% of all web traffic, security teams are left feeling like they’re playing a giant game of bot whack-a-mole. Read more.


PyPI Package Impersonates SymPy to Deliver Cryptomining Malware

Source: Socket
(Published: 21 January 2026)
Socket’s Threat Research Team identified a malicious PyPI package, sympy-dev, that impersonates SymPy, a widely used symbolic mathematics library with roughly 85 million downloads per month. Read more.


Peruvian Peaks: The digital loan illusion

Source: Group-IB
(Published: 21 January 2026)
A deep dive into loan phishing scams in Peru and Latin America. Read more.


Detailed Analysis of LockBit 5.0

Source: S2W (Medium)
(Published: 21 January 2026)
The LockBit ransomware group was affiliated with the Maze ransomware cartel, but after Maze announced its retirement, it began operating independently under the name ABCD ransomware starting in September 2019. Read more.


Phishing kits adapt to the script of callers

Source: Okta
(Published: 22 January 2026)
The threat actor convinces the targeted user to navigate in their browser to the phishing site under the pretext of an IT support or security requirement. Read more.


KONNI Adopts AI to Generate PowerShell Backdoors

Source: Check Point Research
(Published: 22 January 2026)
The PowerShell backdoor strongly indicates AI-assisted development rather than traditional operator-authored malware. Read more.


Weaponized in China, Deployed in India: The SyncFuture Espionage Targeted Campaign

Source: eSentire
(Published: 22 January 2026)
eSentire’s Threat Response Unit tracks this activity as “SyncFuture Espionage campaign” based on the abuse of SyncFuture/Yangtu enterprise software and a sophisticated multi-stage infection chain targeting Indian entities. Read more.


Microsoft Gave FBI Keys To Unlock Encrypted Data, Exposing Major Privacy Flaw

Source: Forbes
(Published: 22 January 2026)
Microsoft confirmed it does provide BitLocker recovery keys if it receives a valid legal order. Read more.


ErrTraffic: Inside a GlitchFix Attack Panel

Source: Censys
(Published: 20 January 2026)
ErrTraffic is a Traffic Distribution System (TDS) designed specifically for ClickFix-like campaigns. Read more.


Microsoft shared BitLocker keys with FBI, raising privacy fears

Source: TechRepublic
(Published: 26 January 2026)
Microsoft confirmed it can hand over BitLocker recovery keys stored in the cloud under warrant, reviving debate over who controls encrypted data. Read more.

