DEAD#VAX Campaign Uses IPFS-Hosted VHD Files to Deploy AsyncRAT via Fileless Execution
Securonix researchers document a sophisticated malware campaign that chains IPFS hosting, virtual hard disk abuse, and in-memory shellcode injection to deliver AsyncRAT while evading traditional detection.
APT28 Deploys LAMEHUG: First Known Malware Using LLMs in Live Operations
Russia's APT28 has deployed LAMEHUG and PROMPTSTEAL malware that queries large language models via Hugging Face to dynamically generate attack commands, marking the first confirmed use of AI-powered malware in active cyber operations.
SK Telecom — 25 Million Subscribers Exposed in South Korea's Worst Telecom Breach
A sophisticated malware attack on South Korea's largest mobile carrier compromised USIM authentication data for nearly the entire subscriber base, forcing mass SIM replacements and costing over $120 million.
Notepad++ Update Mechanism Hijacked by Chinese Threat Actors to Deliver Malware
Lotus Blossom APT compromised Notepad++'s hosting provider to intercept update traffic and deliver the Chrysalis backdoor to targeted government and financial organizations over a six-month period.
400+ Malicious OpenClaw Skills Flood ClawHub With Info-Stealing Malware
Over 400 malicious OpenClaw AI agent skills on ClawHub deploy Atomic Stealer via ClickFix-style social engineering. The hightower6eu account alone published 314 malicious skills targeting crypto and developer credentials.
WinRAR Vulnerability Still Widely Exploited by Nation-State and Cybercrime Groups
CVE-2025-8088 (CVSS 8.8), a path traversal flaw abusing Windows Alternate Data Streams, continues to be exploited by Russian APTs, Chinese actors, and cybercriminals to achieve persistence via Startup folder drops.
GlassWorm: Self-Spreading Malware Hits VS Code Extensions on Open VSX
GlassWorm, a self-propagating worm using Solana blockchain for C2 and invisible Unicode obfuscation, has infected 35,800+ developers through compromised VS Code extensions on Open VSX.
GootLoader Uses 500-1,000 Concatenated ZIP Archives to Evade Detection
The GootLoader malware loader now creates malformed ZIP files containing hundreds of concatenated archives, causing security tools to extract harmless files while Windows extracts malicious JavaScript.
eScan Antivirus Update Server Breached, Trojanized Updates Distributed to Customers
Attackers compromised an eScan regional update server on January 20, 2026, distributing signed malicious updates that deployed a multi-stage backdoor. IOCs and detection guidance included.
Fake AI Coding Assistant on VS Code Marketplace Drops ScreenConnect RAT
A malicious VS Code extension posing as an AI coding assistant deploys ConnectWise ScreenConnect for persistent remote access using quadruple impersonation tactics and Rust-based backup delivery.
ClickFix Attacks Combine Fake CAPTCHAs with Signed Microsoft Scripts to Deploy Stealer
The EVALUSION campaign uses social engineering, Google Calendar C2, and steganography to distribute the Amatera information stealer, relying on a ClickFix technique now used in 47% of observed attacks.
China-Linked Mustang Panda Deploys Updated COOLCLIENT Backdoor Against Governments
The APT group targets government entities across Southeast Asia with enhanced malware featuring clipboard monitoring, browser credential theft, and kernel-mode rootkit capabilities.
Malicious PyPI Packages Masquerading as Spellcheckers Deliver RAT Malware
The packages 'spellcheckerpy' and 'spellcheckpy', downloaded over 1,000 times, use multi-layer encryption and fileless execution to deliver a cryptocurrency-stealing RAT. The same threat actor is linked to a November 2025 campaign.
Malicious Chrome Extensions Impersonate Workday, NetSuite to Hijack Enterprise Accounts
Five malicious Chrome extensions disguised as HR and ERP platforms like Workday, NetSuite, and SuccessFactors stole authentication tokens and enabled account takeover before being removed from the Chrome Web Store.
Iranian MuddyWater APT Deploys New Rust-Based 'RustyWater' Implant
CloudSEK analysis reveals MuddyWater's upgraded toolkit targeting diplomatic, maritime, financial, and telecom entities across the Middle East with Rust-based malware featuring advanced evasion techniques.