The QuickLens Chrome extension was compromised and used to distribute malware, with the goal of stealing cryptocurrency from users. Google has since removed the malicious extension from its Web Store.
This article investigates the identity of "Dort," the individual believed to be the botmaster behind Kimwolf, a massive botnet responsible for significant disruptive attacks. Following the disclosure of a vulnerability that enabled the creation of Kimwolf, Dort has orchestrated retaliatory DDoS, doxing, and harassment campaigns against those involved in exposing the botnet.
A new remote access trojan (RAT) called Steaelite is being sold on cybercrime networks. This RAT bundles ransomware and data theft capabilities, along with credential and cryptocurrency stealers, and live surveillance features, enabling double extortion attacks.
A ransomware attack has impacted a Mississippi healthcare system, mirroring a storyline in HBO's "The Pitt". The real-world incident highlights the ongoing threat ransomware poses to the healthcare sector.
A new backdoor, potentially linked to North Korea, has been used to target US education and healthcare organizations since December. Security researchers discovered the malware, indicating ongoing cyber espionage or disruptive activities.
The North Korean APT37 hacking group is using new malware, delivered via removable drives, to bridge air-gapped networks and conduct covert surveillance. This new toolset allows them to move data between connected and isolated systems.
Ransomware payments significantly decreased in 2025, even as the number of ransomware attacks surged to record levels. This suggests that while attacks are becoming more frequent, victims are less willing or able to pay the ransom demands, possibly due to improved defenses or a shift in attacker tactics.
CISA has released information regarding RESURGE malware, used in conjunction with the CVE-2024-1709 exploit, targeting Ivanti Connect Secure devices. RESURGE is a malicious implant that can remain dormant on compromised systems.
A malicious Go module, disguised as a legitimate crypto library, steals passwords entered in the terminal and deploys the Rekoobe backdoor on Linux systems. The module, github[.]com/xinfeisoft/crypto, mimics the 'golang.org/x/crypto' codebase but contains malicious code for data exfiltration and backdoor deployment.
Approximately 900 Sangoma FreePBX instances have been infected with web shells. The attacks leveraged a post-authentication command injection vulnerability present in the endpoint manager interface.
The North Korean threat actor ScarCruft is using new tools, including a Zoho WorkDrive backdoor for C2 and USB-based malware to breach air-gapped networks. The campaign, dubbed Ruby Jumper, relies on malware deployment.
A fake FedEx email is being used to deliver malware instead of just redirecting users to phishing sites. The email claims to be a delivery notification but contains a malicious payload.
North Korean hackers are posing as recruiters to target job seekers in the programming field. They lure candidates into running malicious code during coding challenges, which installs malware on their systems.
The Aeternum botnet loader is utilizing the Polygon blockchain for its command and control (C&C) infrastructure. This approach increases the botnet's resilience by making the C&C infrastructure more difficult to disrupt.
Threat actors are distributing trojanized gaming utilities through browsers and chat platforms to deploy a Java-based remote access trojan (RAT). The attack involves a malicious downloader that stages a portable Java runtime and executes a malicious JAR file.
Ransomware groups are shifting tactics towards stealthy infiltration and long-term access, focusing on data exfiltration and the threat of public exposure as their main extortion mechanism. They are using defense evasion and persistence techniques, routing command-and-control traffic through trusted enterprise services to blend in with normal business traffic, and chaining vulnerabilities for greater impact.
Aeternum C2 is a new botnet loader that leverages the Polygon blockchain for command and control, making it more resilient to takedown attempts. The botnet stores encrypted commands on the blockchain, avoiding traditional server-based infrastructure.
Cisco Talos is tracking a new threat activity cluster, UAT-10027, which has been targeting the U.S. education and healthcare sectors since at least December 2025. The group deploys a novel backdoor called Dohdoor that leverages DNS-over-HTTPS (DoH) for command and control.
The ransomware payment rate has dropped to a record low of 28% in the past year, even as the number of claimed ransomware attacks has risen significantly. This indicates that organizations are becoming more resilient to ransomware demands, potentially due to improved backup strategies, incident response plans, and a greater willingness to restore from backups rather than pay the ransom.
Microsoft is warning developers about a coordinated campaign that uses malicious repositories disguised as legitimate Next.js projects and technical assessments. The goal is to trick victims into executing these projects, leading to persistent access on compromised machines.
A malicious NuGet package, "StripeApi.Net," was discovered impersonating the official Stripe.net library to steal API tokens. The imposter package, uploaded by a deceptive user, aimed to target the financial sector.
A new remote access trojan (RAT) called Steaelite has emerged, combining data theft and ransomware capabilities into a single tool, available on underground cybercrime sites since November. It allows attackers to perform reconnaissance, credential harvesting, data exfiltration, and soon, ransomware deployment, all from a single dashboard, potentially lowering the barrier to sophisticated double extortion attacks.
Microsoft Defender has uncovered a campaign where threat actors are backdooring developers' machines through malicious repositories disguised as Next.js projects and coding tests. The malicious code installs an information-stealing backdoor, enabling unauthorized access and data exfiltration.
The seizure of the RAMP forum has disrupted the ransomware ecosystem, causing groups to fracture and potentially reform. Researchers advise defenders to monitor these shifts and use the intelligence to inform their security strategies.
Hackers are distributing malicious repositories disguised as legitimate Next.js projects to lure developers into running secret-stealing malware. Microsoft has identified a direct connection between some of these repositories and observed compromises.
Malicious Next.js repositories are targeting developers through fake job interviews. These poisoned repositories, linked to North Korean fake job-recruitment campaigns, aim to establish persistent access to infected machines.
Marquis Software Solutions is suing SonicWall, alleging negligence and misrepresentation related to a backup breach that resulted in a ransomware attack affecting 74 U.S. banks. The lawsuit claims SonicWall failed to adequately protect its systems, leading to the breach and subsequent ransomware incident.
Medical device maker UFP Technologies has been hit by a cyberattack, suspected to be a ransomware attack. The attack involved data theft and file-encrypting malware.
Researchers have discovered four malicious NuGet packages that steal ASP.NET Identity data from web application developers. The packages also manipulate authorization rules to establish backdoors in compromised applications, highlighting risks associated with supply chain attacks targeting developers.
Microsoft is warning of a coordinated campaign targeting software developers through malicious repositories disguised as legitimate Next.js projects and technical assessments. The campaign uses various methods to execute malicious code, including exploiting trust in shared code and developer workflows, to gain persistence within developer systems and access sensitive data.
A phishing campaign is targeting freight and logistics organizations in the U.S. and Europe, with the financially motivated threat group 'Diesel Vortex' using 52 domains to steal credentials. The attackers are focusing on the freight and logistics sector to potentially gain access to financial resources or sensitive shipment data.
The article discusses various types of ransomware attacks, including crypto ransomware, double extortion ransomware, encryptionless ransomware, locker ransomware, scareware, and Ransomware-as-a-Service (RaaS). It highlights that cybercriminals are constantly seeking vulnerabilities and adapting their tactics to maximize profits, with crypto ransomware being the most common type.
The Lazarus Group, a North Korean threat actor, has added Medusa ransomware to its arsenal. They also used Comebacker backdoor, Blindingcan RAT, and Infohook info stealer in recent attacks, indicating a diverse toolkit for targeting victims.
The Lazarus Group, a North Korean threat actor, is now using Medusa ransomware to target healthcare organizations and other victims. At least one US healthcare organization and an entity in the Middle East have been targeted, according to researchers at Symantec and Carbon Black.
The 'Arkanix Stealer' malware, written in C++ and Python, has disappeared shortly after its debut. The malware was designed to exfiltrate system information, browser data, and steal files.
A Russia-aligned threat actor (UAC-0050) targeted a European financial institution using social engineering and RMS malware. This activity signals a potential expansion of the threat actor's focus beyond Ukraine to include entities supporting the country.
A new supply chain attack dubbed 'Sandworm_Mode' has been discovered targeting the NPM package repository. The malicious code spreads like a worm, poisons AI assistants, exfiltrates secrets, and includes a destructive kill switch.
The Lazarus Group, a North Korean threat actor, has been observed using Medusa ransomware in attacks targeting entities in the Middle East and U.S. healthcare. The attacks, reported by Symantec and Broadcom, highlight the group's evolving tactics and continued focus on financially motivated cybercrime.
A supply chain attack dubbed SANDWORM_MODE is targeting developers through typosquatted npm packages. The worm steals credentials from local environments and CI systems and uses them to modify other repositories, potentially wiping the home directory upon detection.
The North Korean Lazarus group is linked to Medusa ransomware attacks targeting U.S. healthcare organizations. These attacks are extortion-based and highlight the group's continued evolution and targeting of critical infrastructure sectors.
UnsolicitedBooker, a threat actor, is now targeting telecommunications companies in Central Asia (Kyrgyzstan and Tajikistan) after previously targeting Saudi Arabian entities. The attacks involve deploying backdoors named LuciDoor and MarsSnake.
Iranian threat group MuddyWater has launched new attacks against organizations in the Middle East and Africa, deploying fresh malware strains and payloads. The group, known for its persistent activity, is exploiting heightened tensions in the region to target vulnerable organizations.
APT28, a Russian state-sponsored threat actor, conducted a campaign targeting Western and Central European entities between September 2025 and January 2026. Dubbed Operation MacroMaze, the campaign utilized webhook-based macro malware and exploited legitimate services.
A new cryptojacking campaign uses pirated software bundles to deploy a customized XMRig miner on compromised systems. The multi-stage infection prioritizes cryptocurrency mining hashrate, often destabilizing the victim's machine.
Vanta Diagnostics (formerly Vikor Scientific) has reported a data breach affecting 140,000 individuals. The Everest ransomware group has claimed responsibility for the attack.
The article discusses a malware campaign using malicious JPEG files with embedded payloads, similar to campaigns previously discussed on the SANS Internet Storm Center. The author found a new campaign using this technique while reviewing malware samples caught by a customer's email proxy.
This weekly recap summarizes several cybersecurity incidents and trends, including double-tap skimmers, the PromptSpy AI vulnerability, a massive 30Tbps DDoS attack, and Docker malware. The article highlights the blurring line between normal behavior and hidden risks across various platforms.
Kaspersky researchers have discovered a new infostealer called "Arkanix" that is being marketed as Malware-as-a-Service (MaaS). Arkanix is written in both Python and C++, allowing its subscribers to target a wider range of environments, and is suspected to have been developed with the aid of a large language model.
A recently patched vulnerability in RoundCube Webmail is being actively exploited. The flaw, patched in December 2025, allows for cross-site scripting (XSS) attacks through the use of animate tags within SVG documents.
Attackers are actively exploiting two critical zero-day vulnerabilities, CVE-2026-1281 and CVE-2026-1340, in Ivanti's Endpoint Manager Mobile (EPMM) to remotely execute arbitrary code and gain unauthenticated control of enterprise mobile device management infrastructure. These vulnerabilities allow attackers to install backdoors that persist even after patches are applied, impacting mobile fleets and corporate networks.