Research
-
Cross platform RAT campaigns target Indian defense and government aligned organisations
Multiple campaigns used Geta RAT, Ares RAT and DeskRAT to compromise Windows and Linux systems at Indian defense and government aligned organizations in late 2025 and early 2026.
-
Crazy ransomware gang abuses employee monitoring and SimpleHelp to maintain access
A technical analysis by Huntress found Crazy gang operators abused Net Monitor and SimpleHelp to keep access, move files, execute commands, and prepare ransomware. Initial access used compromised SSL VPN credentials and defenders should enforce multifactor authentication.
-
New Linux botnet SSHStalker uses IRC C2 and scanned nearly 7,000 hosts
SSHStalker is a Linux botnet that uses IRC for command and control and performed nearly 7,000 SSH scans in January. It compiles C bots on infected hosts and persists via one minute cron jobs. Operators should monitor compilers and block IRC outbound traffic.
-
North Korean operatives apply to remote jobs using real LinkedIn accounts, security post says
North Korean operatives are applying for remote jobs using real LinkedIn accounts they impersonate, using verified workplace details to appear legitimate. Employers are advised to validate candidate email control and confirm account ownership before hiring.
-
DKnife targets network gateways in long-running AitM campaign
DKnife is a modular adversary-in-the-middle framework that has operated on network gateways since at least 2019. It inspects and manipulates traffic to hijack updates and deliver malware to downstream devices.
-
Bloody Wolf campaign installs NetSupport RAT in Uzbekistan and Russia
A spear-phishing campaign installed NetSupport RAT on about 50 devices in Uzbekistan and 10 in Russia using PDF-based loaders that enforce install limits and set persistent autorun scripts while Mirai payloads were staged.
-
Worm-driven TeamPCP campaign compromises cloud native infrastructure at scale
A worm-driven campaign by TeamPCP exploited exposed Docker, Kubernetes, Ray and React vulnerabilities around Dec 25, 2025 to build proxy and scanning infrastructure for data theft, extortion and cryptocurrency mining, researchers report.
-
BeyondTrust patches critical pre-auth RCE in Remote Support and Privileged Remote Access
BeyondTrust released patches for CVE-2026-1731, a critical pre-auth remote code execution flaw affecting Remote Support and older Privileged Remote Access versions. Self-hosted instances must apply updates or upgrade to reach patchable releases.
-
Infy resumes operations with new C2 infrastructure after nationwide outage
Infy paused C2 activity on January 8, 2026 and reestablished new command and control servers on January 26, 2026, deploying Tornado version 51 and new delivery methods that include a weaponized WinRAR SFX.
-
Critical vulnerability CVE-2026-25049 in n8n could allow system command execution
A critical CVE-2026-25049 vulnerability in a workflow automation platform can enable authenticated users to run system commands. The flaw has CVSS 9.4 and is fixed in 1.123.17 and 2.5.2. Restrict workflow creation and apply patches.
