
All news with #threat research tag

56 articles · page 2 of 3

Malicious DLL Sideloading Campaign Impersonating Vendors

🔍 This Flash Hunting Findings brief describes an active campaign (Jan 11–15, 2026) distributing ZIP archives that impersonate vendors such as Malwarebytes and use a consistent behash (4acaac53c8340a8c236c91e68244e6cb) for identification. Each archive bundles a legitimate EXE and a malicious CoreMessaging.dll which is executed via DLL sideloading and subsequently drops secondary-stage infostealers. Analysts can pivot using embedded TXT files (gitconfig.com.txt / Agreement_About.txt), unique metadata signature strings, exported function names, the supplied YARA rule, or the VirusTotal collection to map related infrastructure.

SHADOW#REACTOR Delivers Remcos RAT via Evasive Chain

🔍 Researchers described a newly observed SHADOW#REACTOR campaign that uses an evasive, multi-stage chain to deliver the commercial Remcos RAT and maintain covert persistence. An obfuscated win64.vbs launcher invokes a Base64 PowerShell stager that retrieves fragmented, text-only payloads and reconstructs loaders in memory using a .NET Reactor–protected reflective assembly. The final stage abuses MSBuild.exe to execute the Remcos backdoor, and wrapper scripts ensure re-execution, all designed to frustrate detection and analysis.

Malicious email campaign mimics government services

🔒 Kaspersky researchers have detected a new wave of malicious emails targeting Russian private-sector organizations that aim to deploy an infostealer. The attackers use executable files disguised as PDFs (examples include "УВЕДОМЛЕНИЕ о возбуждении исполнительного производства" and "Дополнительные выплаты") which launch a .NET downloader. That downloader fetches a secondary loader that installs as NetworkDiagnostic.exe and creates a persistent Network Diagnostic Service, pulling encrypted payloads from a command-and-control server hosted on a lookalike domain (gossuslugi.com). The final payload collects system details, screenshots and document files and exfiltrates data to a separate server; Kaspersky recommends using reliable endpoint security and corporate email-gateway protections to block such threats.

Palo Alto Unit 42 Warns of Risks from Vibe Coding Practices

🛡️ Palo Alto Networks' Unit 42 warns that the generalization of vibe coding — using natural-language AI prompts to write code — has already been linked to data breaches, arbitrary code injection and authentication bypass incidents. Researchers say rapid adoption by both hobbyists and experienced developers often outpaces governance, leaving organizations with limited visibility and inadequate monitoring. To help customers assess and mitigate these risks, Unit 42 introduced SHIELD, a targeted security governance framework outlining separation of duties, human-in-the-loop checks, input/output validation, security-focused helper models, least agency and defensive technical controls.

n8n npm Packages Used in OAuth Credential Theft Campaign

🔒 Researchers found eight malicious npm packages impersonating n8n community nodes that were designed to steal developers' OAuth credentials. The packages mimicked legitimate integrations (for example, Google Ads), saved encrypted OAuth tokens to n8n's credential store, then used the instance master key at runtime to decrypt and exfiltrate tokens to attacker-controlled servers. Analysts urge disabling community nodes and auditing packages before installation.

Cybersecurity Needs Diverse Skills Beyond Traditional STEM

🔐 Samantha Stallings argues that cybersecurity benefits from a wide range of backgrounds and talents, not just traditional STEM training. She challenges common stereotypes — the lone hacker or the inevitable technical prodigy — and shows how many roles contribute to effective threat research. Drawing on her own path from art school to Technical Writing Manager and referencing examples such as Dr. Sian Proctor, Stallings emphasizes that writers, marketers, product managers, and social media professionals all have valuable places in security teams. The piece is a direct invitation for nontechnical professionals to consider careers in cybersecurity.

RansomHouse upgrades encryptor with multi-layered processing

🔒 RansomHouse has upgraded its encryptor to a multi-layered variant called 'Mario', shifting from a single-pass linear transform to a two-stage process that uses a 32-byte primary key and an 8-byte secondary key. The change increases entropy, speeds processing, and aims to improve reliability on modern targets. It also introduces dynamic chunk sizing with intermittent encryption for files over 8GB, complicating static analysis. The updated binary targets VM files, appends the .emario extension, drops a How To Restore Your Files.txt ransom note, and Unit 42 warns this upgrade makes decryption and reverse engineering notably harder.

Stealka infostealer targets Windows users’ data, wallets

🛡️ Kaspersky researchers uncovered a new Windows infostealer named Stealka in November 2025 that steals browser data, extension files and application settings to enable account takeover, cryptocurrency theft and deployment of a cryptominer. The malware is most often distributed as game cracks, cheats and pirated software hosted on legitimate platforms; activation requires the victim to run the delivered file. Stealka specifically targets Chromium- and Gecko-based browsers and dozens of popular wallet, password manager and 2FA extensions. Users are advised to rely on reputable endpoint protection, avoid pirated software and keep secrets out of browser storage.

AI Is Reshaping Modern Cybercrime: Practitioner Findings

🔍 Fortinet and academic partners, including UC Berkeley’s CLTC and the Berkeley Risk and Security Lab, collaborated on global tabletop exercises and analysis to assess how AI is reshaping cybercrime. The Singapore TTX demonstrated that AI amplifies existing attack vectors—speeding reconnaissance, phishing, and malware development—while lowering barriers to entry and fostering criminal specialization. Defenders reported that governance, decision rights, and human judgment often mattered more than specific tools, underscoring the need for strong public-private collaboration and human oversight of AI-assisted detection.

AI Is Reshaping Modern Cybercrime: Key TTX Findings

🔎 Fortinet and UC Berkeley partners analyzed a Singapore tabletop exercise to assess how AI is reshaping cybercrime and defense. The practitioner perspective complements CLTC’s academic work and shows AI is amplifying existing attack vectors—speeding phishing, reconnaissance, code generation, and malware iteration—while lowering barriers to entry. The exercise highlighted that governance, human judgment, and cross-sector collaboration frequently determine response effectiveness more than specific tools.

Behind the Breaches: Case Studies of Modern Threat Actors

🔍 This analysis examines leaked communications and recent incidents to reveal how modern threat actors organize, adapt and blur the lines between criminal, contractor and researcher roles. Leaked BlackBasta chats show internal discord, leadership opacity, technical debt and disputes over revenue and workload. The EncryptHub case highlights a solo operator who both ran malware operations and was credited with vulnerability disclosures to Microsoft, illustrating the growing hybridization of actor identities. Finally, BlackLock's open recruitment for "traffers" demonstrates how the ransomware supply chain is becoming commoditized and industrialized.

Intellexa Continues Exploitation of Zero-Day Bugs Worldwide

🔍 Google Threat Intelligence Group (GTIG) analysis shows that Intellexa, vendor of the Predator spyware, continues to develop and deploy zero‑day exploits against mobile browsers and operating systems despite sanctions. GTIG attributes 15 unique zero‑days to Intellexa out of roughly 70 discovered since 2021, spanning RCE, sandbox escape, and LPE flaws on iOS, Android, and Chrome. The company uses modular exploit frameworks, acquires exploit chain steps from third parties, delivers payloads via one‑time messaging links and malvertising, and embeds anti‑analysis watcher modules to abort operations on detection.

Check Point Scores 99.59% in NSS Labs Firewall Test

🔒 Check Point Software achieved the highest security effectiveness rating in the recent NSS Labs Enterprise Firewall Test, posting a 99.59% score. The result spotlights its prevention-first architecture and comprehensive threat coverage, which the company says outperformed competing vendors. The blog links this independent validation to rising AI-driven risks, citing Check Point Research findings that 1 in 54 GenAI prompts carries a high risk of sensitive-data exposure and that 91% of frequent AI users are affected, underscoring the need for robust network defense.

UNK_SmudgedSerpent Targets Academics and Policy Experts

🛡️ Proofpoint has identified a previously unknown cluster it calls UNK_SmudgedSerpent that targeted academics and foreign policy experts between June and August 2025. Attackers initiated benign, topical conversations and used think‑tank impersonation alongside an OnlyOffice‑styled link that led to health-themed domains harvesting credentials and delivering a ZIP with an MSI. The installer deployed remote monitoring and management tooling — notably PDQConnect and later ISL Online — and although email activity paused in early August, related infrastructure later surfaced hosting TA455-linked malware, leaving attribution unresolved.

Google: New AI-Powered Malware Families Deployed

⚠️ Google's Threat Intelligence Group reports a surge in malware that integrates large language models to enable dynamic, mid-execution changes—what Google calls "just-in-time" self-modification. Notable examples include the experimental PromptFlux VBScript dropper and the PromptSteal data miner, plus operational threats like FruitShell and QuietVault. Google disabled abused Gemini accounts, removed assets, and is hardening model safeguards while collaborating with law enforcement.

GTIG report: Adversaries adopt AI for advanced attacks

⚠️ The Google Threat Intelligence Group (GTIG) reports that adversaries are evolving beyond simple productivity uses of AI toward operational misuse. Observed behaviors include state-sponsored actors from North Korea, Iran and the People's Republic of China using AI for reconnaissance, automated phishing lure creation and data exfiltration. The report documents AI-powered malware that can generate and modify malicious scripts in real time and attackers exploiting deceptive prompts to bypass model guardrails. Google says it has disabled assets linked to abuse and applied intelligence to improve classifiers and harden models against misuse.

Generative AI Speeds XLoader Malware Analysis and Detection

🔍 Check Point Research applied generative AI to accelerate reverse engineering of XLoader 8.0, reducing days of manual work to hours. The models autonomously identified multi-layer encryption routines, decrypted obfuscated functions, and uncovered hidden command-and-control domains and fake infrastructure. Analysts were able to extract IoCs far more quickly and integrate them into defenses. The AI-assisted workflow delivered timelier, higher-fidelity threat intelligence and improved protection for users worldwide.

Researchers Expose GhostCall and GhostHire Campaigns

🔍 Kaspersky details two tied campaigns, GhostCall and GhostHire, that target Web3 and blockchain professionals worldwide and emphasize macOS-focused infection chains and social-engineering lures. The attacks deploy a range of payloads — DownTroy, CosmicDoor, RooTroy and others — to harvest secrets, escalate access, and persist. Guidance stresses user vigilance, strict dependency vetting, and centralized secrets management. Kaspersky links the activity to the BlueNoroff/Lazarus cluster and notes the actor has increasingly used generative AI to craft imagery and accelerate malware development.

Herodotus Android malware mimics human typing behavior

🛡️ Herodotus is a newly observed Android malware family offered as a MaaS that deliberately mimics human input timing to evade behavior-based detection. Threat Fabric says operators likely linked to Brokewell are distributing a dropper via smishing targeting Italian and Brazilian users. The installer requests Accessibility access and uses deceptive overlays to hide permission flows while a built-in "humanizer" inserts randomized 0.3–3s delays between keystrokes to imitate human typing. Users should avoid sideloading APKs, enable Play Protect, and promptly review or revoke Accessibility permissions for unfamiliar apps.

Chrome zero-day exploited to deliver LeetAgent spyware

⚠️ Kaspersky reports a patched Google Chrome zero-day (CVE-2025-2783) was exploited to deploy a newly documented spyware called LeetAgent linked to Italian firm Memento Labs. The operation used personalized, short‑lived phishing links to a Primakov Readings lure that triggered a sandbox escape in Chromium browsers and dropped a loader to launch the implant. Targets included media, universities, research centers, government and financial organizations in Russia and Belarus.