Cybercrime
-
Pirated software lure spreads wormable XMRig miner that uses BYOVD to boost hashrate
Trellix reported a cryptojacking campaign that used pirated software bundles to deliver a wormable XMRig miner on Windows hosts. During November and early December 2025, the malware used a vulnerable driver to raise mining hashrate and spread via removable media.
-
Arkanix Stealer MaaS advertised on forums targeted 22 browsers and crypto wallets
A Kaspersky analysis found Arkanix Stealer marketed in October 2025 as malware-as-a-service. The campaign used Python and native loaders to harvest data from 22 browsers, gaming clients and crypto wallets before the panel was taken down.
-
MuddyWater launches Operation Olalampo targeting MENA with new Rust backdoor and loaders
A technical analysis by Group-IB found that Iranian-linked MuddyWater launched Operation Olalampo on January 26, 2026, targeting MENA organisations. The campaign uses the downloaders GhostFetch and HTTP_VIP, the Rust backdoor CHAR, and GhostBackDoor.
-
Malicious NPM package hides Pulsar RAT inside PNG images using steganography and obfuscated dropper
A malicious NPM package ‘buildrunner-dev’ downloads an obfuscated batch loader and hides encrypted payloads inside PNG images. Extraction recovered a .NET loader and a Pulsar RAT embedded via steganography.
-
Advantest hit by ransomware that may have exposed customer or employee data
A Tokyo-based test equipment company detected a ransomware intrusion on February 15 that may have exposed customer or employee data. The firm isolated affected systems and engaged third-party cyber specialists while an investigation continues.
-
ClickFix campaign uses compromised sites to deliver new MIMICRAT remote access trojan
A ClickFix campaign abused compromised legitimate sites to install MIMICRAT, a previously undocumented C++ remote access trojan. The multi-stage PowerShell chain drops a Lua loader, and the RAT supports 22 commands.
-
Three former Google engineers indicted over alleged trade secret theft, files reportedly sent to Iran
Three San Jose residents, including two former Google engineers, were indicted on charges of stealing trade secrets related to processor security and cryptography and transferring files to unauthorized locations including Iran, the Justice Department said.
-
Operation Red Card 2.0 yields 651 arrests and $4.3 million recovered across 16 African countries
Operation Red Card 2.0 resulted in 651 arrests and more than $4.3 million recovered across 16 African countries during December 2025 and January 2026. Authorities seized devices and took down malicious infrastructure linked to large-scale scams.
-
Intruder accessed France’s FICOBA registry exposing data for 1.2 million accounts
A late January 2026 breach of France’s FICOBA exposed data tied to 1.2 million bank accounts including IBANs and personal details. Banks were alerted and authorities filed a criminal complaint.







