Cybercrime
-
PeckBirdy JScript framework used by China-aligned actors to target gambling and government sites
A JScript C2 framework called PeckBirdy has been used since 2023 to compromise gambling sites and Asian government and private organizations. The framework runs across browsers and common binaries and delivers modular backdoors including HOLODONUT and MKDOOR.
-
Multiple groups exploit WinRAR CVE-2025-8088 using Alternate Data Streams since July 2025
Multiple state-backed and criminal groups have exploited the high-severity WinRAR path traversal CVE-2025-8088 since July 18, 2025. Exploits hide payloads in Alternate Data Streams and can drop persistent launchers into Startup folders.
-
Pakistan-linked campaigns use new tradecraft to target Indian government in September 2025
Two campaigns codenamed Gopher Strike and Sheet Attack targeted Indian government entities in September 2025 using phishing and legitimate services for command and control. Malware included a Golang downloader, GitHub-based backdoors and a loader for Cobalt Strike.
-
New MaaS Stanley promises phishing extensions on Chrome Web Store
A technical analysis found the Stanley MaaS offers Chrome extensions that overlay phishing iframes and promises to pass Chrome Web Store review. The service includes auto-install, persistent C2 polling, geotargeting, and a paid Luxe plan.
-
Phishing campaign in India deploys Blackmoon variant and SyncFuture TSM
Security researchers found a phishing campaign targeting Indian taxpayers that uses fake Income Tax Department notices to deliver a multi-stage backdoor, which installs a Blackmoon variant and SyncFuture TSM for persistent remote access.
-
Konni uses AI-generated PowerShell malware to target blockchain developers
Konni used AI-generated PowerShell malware to target blockchain developers in Japan, Australia and India, using spear-phishing with LNK files and multi-stage loaders to deploy a persistent backdoor, according to a Check Point Research technical report.
-
Multi-stage phishing campaign in Russia delivers Amnesia RAT and ransomware via GitHub and Dropbox
A multi-stage phishing campaign observed in Russia delivers Amnesia RAT and Hakuna Matata ransomware. The chain uses GitHub and Dropbox for payload staging and disables Defender before stealing data and encrypting files.
-
Sandworm used DynoWiper in failed cyber attack on Poland power system
ESET technical analysis said Sandworm used a new wiper called DynoWiper in an unsuccessful attack on Poland's power system on December 29 and 30, 2025. Targets included CHP plants and a renewable generation management system.
-
Phishing campaign leverages stolen credentials to deploy legitimate RMM for persistent access
Researchers reported a dual-wave phishing campaign that harvests Outlook, Yahoo and AOL credentials to register with LogMeIn and deploy LogMeIn Resolve via a signed executable named GreenVelopeCard.exe to maintain persistent remote access.
-
Multi-stage AitM phishing and BEC campaign abused SharePoint to target energy organisations
Microsoft flagged a multi-stage AitM phishing and BEC campaign using SharePoint links and inbox rules to persist. One observed case sent over 600 phishing messages. Mitigation requires revoking session cookies and deleting attacker-created rules.