Weekly Cyber Threat Roundups Highlight Linux Fileless Malware, Office Zero-Day Exploitation, and Multiple Breach Claims
Multiple weekly threat roundups and research posts reported a mix of active exploitation, new malware tradecraft, and breach claims. Ukraine's CERT-UA reported that APT28 weaponized a Microsoft Office zero-day (CVE-2026-21509) within roughly a day of Microsoft's disclosure, using spearphishing emails with malicious DOC lures to deliver Covenant backdoors to Ukrainian government targets and EU-related entities. Separately, researchers described ShadowHS, a stealthy fileless Linux post-exploitation framework that runs in memory (e.g., via memfd-style execution), uses encrypted multi-stage loading (AES-256-CBC), fingerprints defensive tooling (including major EDR agents), and provides operator-driven capabilities such as credential theft, lateral movement, and covert tunneling for exfiltration.
Other reporting highlighted incident and exposure claims and defensive takeaways. Check Point described a supply-chain compromise affecting eScan (MicroWorld Technologies) in which malicious updates were pushed through the legitimate updater, prompting an emergency shutdown of global update services; it also noted that Crunchbase confirmed a breach affecting 2M+ records claimed by ShinyHunters, and cited extortion/leak claims involving Qilin (Tulsa International Airport) and WorldLeaks (Nike). Google's legal and technical disruption of the IPIDEA residential proxy network was also cited as reducing the available proxy nodes by millions and cutting off C2 domains used to route attacker traffic. Additional coverage described a phishing chain that used a fake DHL invoice to abuse a signed Java utility via DLL sideloading (a malicious jli.dll) and process hollowing into AddInProcess32.exe to run Phantom Stealer; detection-engineering updates emphasized new rules for Windows defense evasion (e.g., tampering with Credential Guard/HVCI, disabling AMSI and Microsoft's vulnerable driver blocklist) and expanded Kubernetes and Linux post-exploitation detections.
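The memfd-style execution attributed to ShadowHS above leaves a trace that the Linux post-exploitation detections mentioned can key on: the kernel renders the executable of a process started from a memfd_create() descriptor (via fexecve/execveat) as `/memfd:<name> (deleted)` in `/proc/<pid>/exe`, and a binary unlinked after launch shows a path ending in ` (deleted)`. The Python below is an added example, not code from the roundup or from the ShadowHS research; it classifies those link targets, can run either over a live `/proc` or over the constructed sample mapping embedded in it, and every pid and name in the sample is made up.

```python
import os
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Finding:
    pid: int
    exe: str
    reason: str


def classify_exe_target(target: str) -> Optional[str]:
    """Explain why a /proc/<pid>/exe link target looks fileless; None if it looks ordinary.

    A process exec'd from a memfd shows "/memfd:<name> (deleted)"; one whose on-disk
    image was removed after exec shows "<path> (deleted)"; tmpfs paths are a weaker signal.
    """
    if target.startswith("/memfd:"):
        return "memfd-backed image (in-memory execution)"
    if target.endswith(" (deleted)"):
        return "image unlinked from disk after exec"
    if target.startswith(("/dev/shm/", "/run/shm/")):
        return "image executed from tmpfs"
    return None


def scan_exe_targets(targets: Dict[int, str]) -> List[Finding]:
    """Classify a {pid: exe_link_target} mapping; kept separate so it runs on captured data."""
    findings = []
    for pid, target in sorted(targets.items()):
        reason = classify_exe_target(target)
        if reason:
            findings.append(Finding(pid, target, reason))
    return findings


def collect_proc_exe(proc_root: str = "/proc") -> Dict[int, str]:
    """Read /proc/<pid>/exe for every numeric pid we may inspect (root sees all, others see their own)."""
    targets: Dict[int, str] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            targets[int(entry)] = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:  # kernel threads have no exe; other users' processes are unreadable
            continue
    return targets


# Constructed sample of link targets, shaped like os.readlink output (not captured from a real host).
SAMPLE_TARGETS = {
    1: "/usr/lib/systemd/systemd",
    4242: "/memfd:payload (deleted)",
    4310: "/tmp/.x/agent (deleted)",
    4400: "/dev/shm/.helper",
    5000: "/usr/bin/python3.11",
}


if __name__ == "__main__":
    source = collect_proc_exe() if os.path.isdir("/proc") else SAMPLE_TARGETS
    for f in scan_exe_targets(source):
        print(f"pid={f.pid} exe={f.exe!r}: {f.reason}")
```

Run it as root for full coverage. The ` (deleted)` rule also fires on long-running daemons whose binary was replaced by a package upgrade, so compare hits against the package manager's file list or an allowlist before alerting, and treat a memfd-backed main image as rare enough to page on. Because this is a point-in-time scan, a stage that exits within seconds will not be seen; pair it with an execve/memfd_create syscall feed (auditd or eBPF) for continuous coverage.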
Related Stories

Weekly Cyber Threat Intelligence Roundup: Microsoft Patch Tuesday, FortiSIEM Exploitation, and Emerging Malware/Phishing Trends
A weekly threat-intelligence roundup highlighted **Microsoft’s January Patch Tuesday** release addressing **112 vulnerabilities** across Windows and *Microsoft Edge*, spanning multiple classes including elevation of privilege, remote code execution, and information disclosure. The same briefing reported active interest in **CVE-2025-64155**, a **critical FortiSIEM** vulnerability, with observed exploitation activity against honeypot environments following an out-of-band alert from Kroll Threat Intelligence—an indicator of likely broader scanning and attempted exploitation. The update also covered multiple threat developments: Check Point research described **VOIDLINK**, a Linux-focused malware framework (implants/rootkits/loaders) designed for long-term access, including in cloud environments; **North Korean-linked KTA082 (Kimsuky/APT43)** was reported using **QR-code phishing (“quishing”)** to target government, education, and think tanks; and **Iran-linked KTA060 (MuddyWater)** was associated with development of the **RUSTYWATER RAT**. Separately, detection-engineering updates noted new and refined rules for **OAuth/Entra ID consent phishing** patterns (including *ConsentFix*-style authorization flows), correlations between Entra ID risk events and privileged actions (e.g., PIM elevation/device-code auth), Windows persistence/defense-evasion behaviors (e.g., scheduled tasks by unsigned executables, Chrome security feature tampering), and updated YARA/behavioral detections for malware families (e.g., **Agent Tesla**, **MintsLoader**) and **Cobalt Strike** TTPs; the briefing also referenced a leak of a database purportedly containing ~**324,000 BreachForums** user records posted to `shinyhunte[.]rs`.
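The consent-phishing and risk-correlation rules summarized above come down to two checks on Entra ID audit data: a "Consent to application" grant that hands high-value Graph scopes to an app whose publisher is not verified, and a privileged action (consent, role assignment, PIM elevation) that follows a risk detection for the same user inside a short window. The Python below is an added illustration of those rules, not the briefing's or any vendor's detection content; its sample records are constructed, and the flat field names (`user`, `operation`, `publisherVerified`, `permissions`, `riskLevel`, `detection`) are a simplification of the real Entra export, which nests these under targetResources/modifiedProperties.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Scopes that let a consented app read or send mail, or reach files, without further user interaction.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.ReadWrite.All", "offline_access",
}
# Audit operations worth correlating against a recent risk detection for the same user.
PRIVILEGED_OPS = {
    "Consent to application",
    "Add member to role",
    "Add eligible member to role (PIM)",
}
CORRELATION_WINDOW = timedelta(minutes=60)

# Constructed sample data (not real tenant logs), newline-delimited JSON as a log shipper would emit it.
RISK_EVENTS_NDJSON = """\
{"user": "alice@example.com", "time": "2026-01-14T09:02:00Z", "riskLevel": "high", "detection": "anonymizedIPAddress"}
{"user": "bob@example.com", "time": "2026-01-14T07:00:00Z", "riskLevel": "medium", "detection": "unfamiliarFeatures"}
"""

AUDIT_EVENTS_NDJSON = """\
{"user": "alice@example.com", "time": "2026-01-14T09:20:00Z", "operation": "Consent to application", "app": "Mail Sync Helper", "publisherVerified": false, "permissions": "Mail.Read offline_access"}
{"user": "alice@example.com", "time": "2026-01-14T09:45:00Z", "operation": "Add member to role", "app": "", "publisherVerified": true, "permissions": ""}
{"user": "bob@example.com", "time": "2026-01-14T11:30:00Z", "operation": "Add eligible member to role (PIM)", "app": "", "publisherVerified": true, "permissions": ""}
{"user": "carol@example.com", "time": "2026-01-14T10:00:00Z", "operation": "Consent to application", "app": "Contoso HR", "publisherVerified": true, "permissions": "User.Read"}
{"user": "dave@example.com", "time": "2026-01-14T12:00:00Z", "operation": "Consent to application", "app": "Free PDF Tools", "publisherVerified": false, "permissions": "Files.ReadWrite.All"}
"""


def parse_ndjson(text: str) -> List[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_time(value: str) -> datetime:
    # Exports use ISO 8601 with a trailing Z; fromisoformat wants an explicit +00:00 offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def analyze(risk_events: List[dict], audit_events: List[dict],
            window: timedelta = CORRELATION_WINDOW) -> List[dict]:
    """Return one finding per audit event that trips either rule, with the reasons attached."""
    risks_by_user: Dict[str, List[dict]] = {}
    for r in risk_events:
        risks_by_user.setdefault(r["user"], []).append(r)

    findings = []
    for ev in audit_events:
        reasons = []
        when = parse_time(ev["time"])
        # Rule 1: consent grant of high-risk scopes to an app from an unverified publisher.
        if ev["operation"] == "Consent to application":
            risky = set(ev.get("permissions", "").split()) & HIGH_RISK_SCOPES
            if risky and not ev.get("publisherVerified", False):
                reasons.append(f"unverified app '{ev['app']}' granted {sorted(risky)}")
        # Rule 2: privileged action within the window after a risk detection for the same user.
        if ev["operation"] in PRIVILEGED_OPS:
            for r in risks_by_user.get(ev["user"], []):
                delta = when - parse_time(r["time"])
                if timedelta(0) <= delta <= window:
                    minutes = int(delta.total_seconds() // 60)
                    reasons.append(f"{r['riskLevel']} risk ({r['detection']}) {minutes} min earlier")
        if reasons:
            findings.append({"user": ev["user"], "time": ev["time"],
                             "operation": ev["operation"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(parse_ndjson(RISK_EVENTS_NDJSON), parse_ndjson(AUDIT_EVENTS_NDJSON)):
        print(f["time"], f["user"], f["operation"], "|", "; ".join(f["reasons"]))
```

On the sample, alice's consent trips both rules, her role assignment trips only the correlation, dave's consent trips only the scope rule, and bob's PIM elevation is ignored because his risk event is four hours old. In production the same two rules belong in the SIEM's query language over the real audit schema; the window and scope list are the knobs to tune, and publisher verification alone is a weak signal, so treat it as a multiplier rather than a gate.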
1 month ago
Stealthy Malware Campaigns Abuse Windows and Office Features for Initial Access and Evasion
Multiple early-2026 campaigns highlight increasingly **low-noise initial access** and **living-off-the-land** execution on Windows endpoints. CyStack reported activity attributed to **APT-Q-27 (GoldenEyeDog)** targeting financial institutions via a corporate support workflow: a user clicked a malicious link delivered through a **Zendesk ticket**, leading to download of an executable masquerading as an image (a `.pif` file whose real extension Windows hides by default). The malware was signed with a certificate that had since been **revoked** but still validated because the signature carried a timestamp countersignature predating the revocation date (Authenticode keeps honouring signatures timestamped before that date), and its modular backdoor/C2 infrastructure overlapped with prior APT-Q-27 activity, enabling stealthy persistence and control without triggering common endpoint alerts. Separately, Securonix described the **Dead#Vax** multistage campaign, which uses phishing links to **VHD files hosted on IPFS**; mounting the VHD and opening its contents triggers **Windows Script Files**, obfuscated batch, and **PowerShell** loaders that encrypt stolen data and conceal execution logic, culminating in **AsyncRAT** deployment for credential theft, surveillance, and follow-on intrusion. In another targeted operation, Zscaler ThreatLabz linked **Operation Neusploit** to **APT28**, exploiting **CVE-2026-21509** (a Microsoft Office/365 **OLE** bypass) via crafted **RTF** documents to drop payloads including **MiniDoor** (Outlook-focused collection and mailbox manipulation, including exfiltration to attacker-controlled email accounts) and **PixyNetLoader** (reported to use steganography). A separate "ThreatsDay" bulletin is a multi-story roundup and does not provide additional, specific corroboration of these campaigns beyond mentioning adjacent themes (e.g., AsyncRAT/C2) in a broader news digest.
1 month ago
Multi-stage phishing and supply-chain malware campaigns targeting credentials and long-term access
Multiple reports highlight active campaigns using *phishing* and *software supply-chain abuse* to steal credentials and establish persistence. eSentire described an espionage-focused operation targeting residents of India with emails impersonating the Income Tax Department, leading victims to a malicious archive that uses DLL side-loading with a legitimate signed Microsoft application, extensive anti-analysis checks, in-memory shellcode unpacking, UAC bypass, and process masquerading; the payload was identified as a **Blackmoon**-family variant that specifically attempts to disable **Avast Free Antivirus** by automating UI interactions to add exclusions. Separately, Aikido reported a malicious npm package (`ansi-universal-ui`) that deploys a multi-stage infostealer ("**G_Wagon**") by abusing `postinstall` execution: the install hook downloads a Python runtime, runs an obfuscated payload, and exfiltrates browser credentials, cloud credentials, Discord tokens, and data from 100+ cryptocurrency wallets to an Appwrite storage bucket; it also includes a Windows DLL used for browser-process injection via NT native APIs. In parallel, network-edge exploitation remains a key access vector: Risky Business reported a renewed wave of attacks against **Fortinet FortiGate** devices via a vulnerability that Fortinet reported patching in December but that attackers can still exploit, enabling SSO authentication bypass (via crafted SAML), creation of new admin accounts, and theft of device configuration; the recommended mitigation is to disable FortiCloud SSO login, a feature that is not enabled by default.
Several other items are general awareness or roundup content rather than specific incident reporting: TechTarget and other blogs emphasized ongoing phishing and email risk (including relay spam abusing legitimate Zendesk instances) and password hygiene, while The Hacker News published a multi-story bulletin that includes, among other items, a spear-phishing campaign in Afghanistan delivering a FALSECUB backdoor via a GitHub-hosted ISO and an LNK execution chain; Risky Business also covered Iran's internet blackout and Starlink jamming/spoofing as a communications-control issue rather than an enterprise cyber incident.
1 month ago