Weekly Cyber Threat Roundups Highlight Linux Fileless Malware, Office Zero-Day Exploitation, and Multiple Breach Claims
Multiple weekly threat roundups and research posts reported a mix of active exploitation, new malware tradecraft, and breach claims. Ukraine’s CERT reported APT28 rapidly weaponized a Microsoft Office zero-day (CVE-2026-21509) within roughly a day of Microsoft’s disclosure, using spearphishing emails with malicious DOC lures to deliver Covenant backdoors against Ukrainian government targets and EU-related entities. Separately, researchers described ShadowHS, a stealthy fileless Linux post-exploitation framework that runs in-memory (e.g., via memfd-style execution), uses encrypted multi-stage loading (AES-256-CBC), fingerprints defensive tooling (including major EDR agents), and retains operator-driven capabilities such as credential theft, lateral movement, and covert tunneling for exfiltration.
Other reporting highlighted incident and exposure claims and defensive takeaways. Check Point described a supply-chain compromise affecting eScan (MicroWorld Technologies) in which malicious updates were pushed through the legitimate updater, prompting an emergency shutdown of global update services; it also noted Crunchbase confirmed a breach affecting 2M+ records claimed by ShinyHunters, and cited extortion/leak claims involving Qilin (Tulsa International Airport) and WorldLeaks (Nike). Google’s legal/technical disruption of the IPIDEA residential proxy network was also cited as reducing available proxy nodes by millions and cutting off C2 domains used to route attacker traffic. Additional coverage described a phishing chain using a fake DHL invoice to abuse a signed Java utility via DLL sideloading (malicious jli.dll) and process hollowing into AddInProcess32.exe to run Phantom Stealer; detection-engineering updates emphasized new rules for Windows defense-evasion (e.g., tampering with Credential Guard/HVCI, disabling AMSI and the vulnerable driver blocklist) and expanded Kubernetes and Linux post-exploitation detections.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Weekly reports highlight emergency patching and active exploitation trends
Security roundups published on February 2 summarized major ongoing developments, including emergency Microsoft and Ivanti patches for actively exploited zero-days and broader active exploitation of enterprise vulnerabilities. They also highlighted related incidents such as Static Tundra attacks in Poland, Google disruption of the IPIDEA proxy botnet, and continued abuse of exposed AI and cloud services.
Detection rules added for CVE-2026-21509 and other active threats
A detections digest covering the period from January 26 to February 2 reported new and updated rules for multiple ecosystems, including hunting content for CVE-2026-21509, FortiGate post-exploitation tied to CVE-2026-24858, and other active threats. The update also introduced YARA detections for malware families such as HijackLoader, Mythic/Apollo, Tiny Shell, and UNC2891 SLAPSTICK.
ShadowHS fileless Linux malware framework is uncovered
Researchers reported a new fileless Linux malware framework called ShadowHS that runs entirely in memory using encrypted multi-stage loaders and memfd-style execution. The framework includes environment fingerprinting, credential theft, lateral movement, privilege escalation, covert exfiltration, and anti-competition features.
Researchers document fake DHL invoice campaign delivering Phantom Stealer
A multi-stage malware campaign was reported using fake DHL invoice emails with a ZIP attachment containing a renamed signed Java utility and a malicious DLL for sideloading. The chain used process hollowing into AddInProcess32.exe and ultimately deployed Phantom Stealer v3.5.0 for credential theft and data exfiltration.
APT28 begins exploiting CVE-2026-21509 against Ukrainian and EU targets
Within 24 hours of Microsoft's disclosure, CERT-UA said Russian state-linked APT28 (UAC-0001) began exploiting CVE-2026-21509 using malicious Word documents sent via impersonation emails. The campaign targeted Ukrainian government agencies and also used similar lures against organizations in EU countries, fetching follow-on payloads over WebDAV and deploying Covenant with Filen.io for C2.
Microsoft discloses Office zero-day CVE-2026-21509
Microsoft publicly disclosed the Microsoft Office zero-day vulnerability CVE-2026-21509 and later issued an emergency fix. The disclosure set off rapid defensive guidance and follow-on reporting about active exploitation.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
2nd February - Threat Intelligence Report - Check Point Research
research.checkpoint.com
Open sourceNew Stealthy Fileless Linux Malware 'ShadowHS' Emphasizes Automated Propagation
cybersecuritynews.com
Open source⚡ Weekly Recap: Proxy Botnet, Office Zero-Day, MongoDB Ransoms, AI Hijacks & New Threats
thehackernews.com
Open sourceRussian APT28 Exploit Zero-Day Hours After Microsoft Discloses Office Vulnerability - The Cyber Express
thecyberexpress.com
Open sourceDetections Digest #20260202 - by RuleCheck.io
detections-digest.rulecheck.io
Open sourceSigned & Stolen: "Phantom Stealer" Hijacks Java App via Fake DHL Invoice
securityonline.info
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Weekly Cyber Threat Intelligence Roundup: Microsoft Patch Tuesday, FortiSIEM Exploitation, and Emerging Malware/Phishing Trends
A weekly threat-intelligence roundup highlighted **Microsoft’s January Patch Tuesday** release addressing **112 vulnerabilities** across Windows and *Microsoft Edge*, spanning multiple classes including elevation of privilege, remote code execution, and information disclosure. The same briefing reported active interest in **CVE-2025-64155**, a **critical FortiSIEM** vulnerability, with observed exploitation activity against honeypot environments following an out-of-band alert from Kroll Threat Intelligence—an indicator of likely broader scanning and attempted exploitation. The update also covered multiple threat developments: Check Point research described **VOIDLINK**, a Linux-focused malware framework (implants/rootkits/loaders) designed for long-term access, including in cloud environments; **North Korean-linked KTA082 (Kimsuky/APT43)** was reported using **QR-code phishing (“quishing”)** to target government, education, and think tanks; and **Iran-linked KTA060 (MuddyWater)** was associated with development of the **RUSTYWATER RAT**. Separately, detection-engineering updates noted new and refined rules for **OAuth/Entra ID consent phishing** patterns (including *ConsentFix*-style authorization flows), correlations between Entra ID risk events and privileged actions (e.g., PIM elevation/device-code auth), Windows persistence/defense-evasion behaviors (e.g., scheduled tasks by unsigned executables, Chrome security feature tampering), and updated YARA/behavioral detections for malware families (e.g., **Agent Tesla**, **MintsLoader**) and **Cobalt Strike** TTPs; the briefing also referenced a leak of a database purportedly containing ~**324,000 BreachForums** user records posted to `shinyhunte[.]rs`.
Mar 21, 2026
Stealthy Malware Campaigns Abuse Windows and Office Features for Initial Access and Evasion
Multiple early-2026 campaigns highlight increasingly **low-noise initial access** and **living-off-the-land** execution on Windows endpoints. CyStack reported activity attributed to **APT-Q-27 (GoldenEyeDog)** targeting financial institutions via a corporate support workflow: a user clicked a malicious link delivered through a **Zendesk ticket**, leading to download of an executable masquerading as an image/`.pif` file (aided by Windows’ hidden-extension defaults). The malware was signed with a **revoked certificate** that still appeared trusted due to a valid timestamp, and its modular backdoor/C2 infrastructure overlapped with prior APT-Q-27 activity, enabling stealthy persistence and control without triggering common endpoint alerts. Separately, Securonix described the **Dead#Vax** multistage campaign using phishing links to **VHD files hosted on IPFS**, where mounting/opening the VHD triggers **Windows Script Files**, obfuscated batch, and **PowerShell** loaders to support encrypted data theft and conceal execution logic, culminating in **AsyncRAT** deployment for credential theft, surveillance, and follow-on intrusion. In another targeted operation, Zscaler ThreatLabz linked **Operation Neusploit** to **APT28**, exploiting **CVE-2026-21509** (Microsoft Office/365 **OLE** bypass) via crafted **RTF** documents to drop payloads including **MiniDoor** (Outlook-focused collection and mailbox manipulation, including exfiltration to attacker-controlled email accounts) and **PixyNetLoader** (reported to use steganography). A separate “ThreatsDay” bulletin is a multi-story roundup and does not provide additional, specific corroboration on these same campaigns beyond mentioning adjacent themes (e.g., AsyncRAT/C2) in a broader news digest.
Apr 10, 2026
Multi-stage phishing and supply-chain malware campaigns targeting credentials and long-term access
Multiple reports highlight active campaigns using *phishing* and *software supply-chain abuse* to steal credentials and establish persistence. eSentire described an espionage-focused operation targeting residents of India with emails impersonating the Income Tax Department, leading victims to a malicious archive that uses DLL side-loading with a legitimate signed Microsoft application, extensive anti-analysis checks, in-memory shellcode unpacking, UAC bypass, and process masquerading; the payload was identified as a **Blackmoon**-family variant that specifically attempts to disable **Avast Free Antivirus** by automating UI interactions to add exclusions. Separately, Aikido reported a malicious npm package (`ansi-universal-ui`) that deploys a multi-stage infostealer (“**G_Wagon**”) by abusing `postinstall` execution, downloading a Python runtime, running an obfuscated payload, and exfiltrating browser credentials, cloud credentials, Discord tokens, and data from 100+ cryptocurrency wallets to an Appwrite storage bucket; it also includes a Windows DLL used for browser-process injection via NT native APIs. In parallel, network-edge exploitation remains a key access vector: Risky Business reported a renewed wave of attacks against **Fortinet FortiGate** devices via a vulnerability Fortinet allegedly “patched” in December but which attackers can still exploit, enabling SSO authentication bypass (via crafted SAML), creation of new admin accounts, and theft of device configuration; mitigations include disabling the FortiCloud SSO feature (not enabled by default). Several other items are general awareness or roundup content rather than specific incident reporting: TechTarget and other blogs emphasized ongoing phishing/email risk (including relay spam abusing legitimate Zendesk instances) and password hygiene, while The Hacker News published a multi-story bulletin that includes (among other items) a spear-phishing campaign in Afghanistan delivering a FALSECUB backdoor via a GitHub-hosted ISO and LNK execution chain; Risky Business also covered Iran’s internet blackout and Starlink jamming/spoofing as a communications-control issue rather than an enterprise cyber incident.
Mar 21, 2026