ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine & More

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a hacking campaign targeting Ukrainian government institutions using phishing emails containing a ZIP archive (or a link to a website vulnerable to cross-site scripting attacks) to distribute SHADOWSNIFF and SALATSTEALER information-stealing malware and a Go backdoor called DEAFTICKK. The agency attributed the activity to a threat actor tracked as UAC-0252. The development comes as a suspected Russian espionage campaign is targeting Ukraine with two previously undocumented malware strains, BadPaw and MeowMeow, according to ClearSky. While the campaign is likely said to be the work of APT28, the cybersecurity company did not identify the targets of the campaign or say whether the attacks were successful.

A new malware-as-a-service (MaaS) dubbed TrustConnect ("trustconnectsoftware[.]com") masqueraded as a legitimate remote monitoring and management (RMM) tool for $300 per month. It's assessed that the threat actor behind TrustConnect was also a prominent user of RedLine Stealer. According to email security firm Proofpoint, multiple threat actors have been observed distributing the malware via phishing emails as of January 27, 2026. The emails claim to be event invites or bid proposals, tricking recipients into clicking on links that lead to the download of bogus executables that install TrustConnect RAT. The RAT backdoors users' machines and gives attackers full mouse and keyboard control, allowing them to record and stream the victim's screen. Some campaigns have also been observed delivering legitimate remote access software like ScreenConnect and LogMeIn Resolve alongside TrustConnect between January 31 and February 3, 2026. Customers who purchase the toolkit are granted access to a dashboard to remotely commandeer infected devices and generate branded installers containing the malware. After Proofpoint took steps to disrupt some of the malware's infrastructure on February 17, 2026, the threat actor resurfaced with a rebranded version of the malware platform called DocConnect. "Disruptions to MaaS operations like RedLine, Lumma Stealer, and Rhadamanthys have created new opportunities for malware creators to fill gaps in the cybercrime market," Proofpoint said. "Although TrustConnect only masqueraded as a legitimate RMM, the lures, attack chains, and follow-on payloads (which include RMMs) show overlap with techniques and delivery methods that are frequently observed in RMM campaigns and used by multiple threat actors." The development comes amid skyrocketing abuse of legitimate RMM software in cyber attacks.

Google has announced that new Chrome iterations will be released every two weeks, moving away from the current four-week release cycle. Since 2021, Google has been shipping major Chrome versions every four weeks, and since 2023, it has been delivering security updates every week for a reduced patch gap and improved quality. "The web platform is constantly advancing, and our goal is to ensure developers and users have immediate access to the latest performance improvements, fixes, and new capabilities," Google said. The new release cycle will also apply to beta releases, starting with Chrome 153, which will arrive on September 8, 2026.

Researchers at IMDEA Networks Institute have found that Tire Pressure Monitoring System (TPMS) sensors inside each car wheel broadcast unencrypted wireless signals containing persistent identifiers. While the feature is designed for vehicle safety, each sensor transmits a unique ID that does not change, allowing the same car to be recognized again and tracked over time. This, in turn, opens the door to a low-cost monitoring network that uses software-defined radio receivers near roads (at a distance of up to 40m from the car) and parking areas to collect TPMS messages from thousands of vehicles and build profiles of their movements over time. "Malicious users could deploy passive receivers on large scales and track citizens without their knowledge. The advantage of such a system, over more traditional camera-based ones, is that no direct line-of-sight is needed with the TPMS sensors, and spectrum receivers could be placed in covert or hidden locations, making them harder to spot by victims," the researchers warned. "Our results show that TPMS transmissions can be used to systematically infer potentially sensitive information such as the presence, type, weight, or driving pattern of the driver." The disclosure adds to a growing body of research demonstrating how various components fitted into modern vehicles can become unintended conduits for surveillance and exploits.

A new analysis from CYFIRMA has pointed out how Telegram's structure offers threat actors a way to extend their reach globally without the need for specialized tooling, enable frictionless onboarding of buyers and affiliates, support payment options, and facilitate audience growth. The emergence of the platform has fundamentally changed the way cyber operations are coordinated, monetized, and publicized. "For financially motivated actors, Telegram functions as a scalable storefront and customer support hub," the company said. "For hacktivists, it serves as a mobilization and propaganda amplifier. For state-aligned operations, it offers a rapid distribution channel for narratives and leaks. In many cases, telegram complements and increasingly replaces traditional Tor-based ecosystems by removing technical friction while maintaining operational flexibility."

A new analysis of AuraStealer from Intrinsec has uncovered 48 command-and-control (C2) domain names linked to the stealer's operations. The threat actor behind the malware has been found to use .shop and .cfd top-level domains, in addition to routing all traffic through Cloudflare as a reverse proxy to conceal the real server. AuraStealer first appeared on underground hacker forums in July 2025, shortly after the disruption of the Lumma Stealer as part of a law enforcement operation. It was advertised by a user named AuraCorp on the XSS forum. It comes in two subscription packages: $295/month for Basic and $585/month for Advanced. One of the primary mechanisms through which the stealer is distributed is ClickFix.

A malvertising campaign is using bogus ads on Google Search results pages to redirect users looking for ways to free up macOS storage to fraudulent web pages hosted on Medium, Evernote, and Kimi AI to serve ClickFix-style instructions that drop a new variant of the Atomic Stealer called malext to steal a wide range of data from compromised macOS systems. The campaign uses more than 50 compromised Google Ads accounts that push "over 485 malicious landing pages, ultimately leading to a ClickFix attack that deployed a potentially new version of AMOS Stealer onto infected systems," security researcher Gi7w0rm said.

A large-scale data gathering operation has submitted more than 10 million web scraping requests to hit DRAM product pages on e-commerce sites in an effort to find sellers carrying desirable DRAM stock. The bots have been found to check the stock of specific RAM kits every 6.5 seconds by using a technique called cache busting to ensure they get the most up-to-date information, DataDome said. "These bots aggressively target the entire supply chain, from consumer RAM to B2B industrial memory providers and raw hardware components like DIMM sockets," the company said. "Scrapers attempt to avoid detection by adding cache-busting parameters to every request and calibrating their speed to stay just below volumetric alarm thresholds. By rapidly snapping up the limited DDR5 memory inventory for profitable resale, these bots further deplete the consumer supply, effectively boxing out legitimate customers and driving market prices even higher."

The U.K. Information Commissioner's Office (ICO) has fined Reddit £14.47 million for unlawfully processing the personal information of children under the age of 13 and for failing to properly check the age of its users, thereby putting them at risk of being exposed to inappropriate and harmful content online. In July 2025, Reddit introduced age assurance measures that include age verification to access mature content and asking users to declare their age when opening an account. Reddit said it would appeal the decision, stating it doesn't require users to share information about their identities, regardless of age, to ensure users' online privacy and safety.

Texas Attorney General Ken Paxton announced that Samsung will no longer collect Automated Content Recognition (ACR) data without consumers' express consent. The development comes in the wake of a lawsuit filed against the South Korean electronics giant for its data collection practices and over allegations that the collected ACR information could be used to serve targeted ads. "Additionally, it compels Samsung to promptly update its smart TVs and implement disclosures and consent screens that are clear and conspicuous to ensure that Texans can make an informed decision regarding whether their data is collected and how it's used," the Office of the Attorney General said. Samsung has denied it spies on users.

Apple iPhones and iPads have been approved to handle classified information in NATO networks. They are the first consumer-grade devices to be approved for NATO use without additional special software or settings. iPhone and iPad previously received approval to handle classified German government data on devices using native iOS and iPadOS security measures following a security evaluation conducted by Germany's Federal Office for Information Security.

ByteDance's TikTok said it has no plans to add end-to-end encryption (E2EE) to direct messages because it would prevent law enforcement and safety teams from reading messages if necessary. In a statement shared with the BBC, the company said it wanted to protect users, especially young people, from harm.

A new phishing campaign using purchase order lures has leveraged a multi-stage attack chain to deliver Agent Tesla, allowing threat actors to harvest sensitive data, while taking steps to evade detection using techniques like obfuscation and in-memory execution. "From the initial obfuscated JSE loader to the reflective loading of .NET assemblies and process hollowing of legitimate Windows utilities, Agent Tesla is designed to stay invisible," Fortinet FortiGuard Labs said. "Its extensive anti-analysis checks further ensure that it only reveals its true nature when it’s certain it isn't being watched."

With organizations taking steps to tighten their traditional email and web filters, new research from Infoblox has found a novel campaign where actors are abusing the .arpa top-level domain, a space strictly reserved for network infrastructure, to host malicious content and bypass standard blocklists. The development shows cybercriminals are finding "impossible" hiding spots within the internet’s core infrastructure to bypass security, the DNS threat intelligence firm said. Elsewhere, threat actors are also abusing LNK shortcut files and WebDAV to download malicious files on targets' systems. "Because being able to remotely access things on the internet via File Explorer is a relatively unknown functionality to most people, WebDAV is an exploitable way to make people download files without going through a traditional web browser file download," Cofense said.

A new phishing campaign that commenced on March 1, 2026, is using lures related to unauthorized access to individuals' accounts to trick recipients into visiting fake LastPass login pages to take control of their accounts. The attack takes advantage of the fact that many email clients, especially mobile, show only the display name, hiding the real sender address unless users expand it. "Attackers are forwarding fake email chains to make it appear as though another individual is trying to take unauthorized action on their LastPass account (i.e., export vault, full account recovery, new trusted device registered, etc.)," LastPass said. "Attackers use display name spoofing so that the name portion of the sender field is manipulated to impersonate LastPass, while the actual sending email address is unrelated."

With the emergence of tools like Claude Code Security, OX Security is urging users to resist the temptation to outsource judgment, architecture, and validation to a single artificial intelligence (AI) model. "AI doesn't invent fundamentally new code patterns," it said. "It reproduces the most common ones it has seen before. That means it scales not only productivity, but also existing weaknesses in software engineering practice." The cybersecurity company also warned that AI systems may be prone to false positives and may not reliably inform a user if an issue flagged in a single repository is actually exploitable in a complex and unique environment. A pipeline that relies on the same AI system for both writing and reviewing code is not ideal, it added.

A team of academics from Anthropic, ETH Zurich, and MATS Research has developed large language models (LLMs) that can deanonymize internet users based on past comments or other digital clues they leave behind. "Given two databases of pseudonymous individuals, each containing unstructured text written by or about that individual, we implement a scalable attack pipeline that uses LLMs to: (1) extract identity-relevant features, (2) search for candidate matches via semantic embeddings, and (3) reason over top candidates to verify matches and reduce false positives," the researchers said. The method works even if targets use different pseudonyms across multiple platforms. The researchers said using their LLMs outperforms classical research methods, where digital footprints are examined manually by a human operator. This, in turn, enables fully automated deanonymization attacks that can work on unstructured data at scale, while also reducing the cost and effort that goes into intelligence gathering. "Our results show that the practical obscurity protecting pseudonymous users online no longer holds and that threat models for online privacy need to be reconsidered," the researchers said. "The average online user has long operated under an implicit threat model where they have assumed pseudonymity provides adequate protection because targeted deanonymization would require extensive effort. LLMs invalidate this assumption."