Cyware Daily Threat Intelligence, February 02, 2026

The Arsink RAT has transformed legitimate cloud infrastructure into a global surveillance engine, compromising over 45,000 devices across 143 countries. By masquerading as popular apps on Telegram and Discord, it lures users into installing malicious APKs that abuse Firebase and Google Apps Script for data exfiltration. Once active, it silently harvests SMS logs, contacts, and live audio, cleverly blending its illicit traffic with routine cloud activity to evade detection.
For Linux environments, ShadowHS represents a masterclass in stealth, operating as a fileless threat that exists entirely in system memory. It gains entry via SSH brute-force attacks and deploys an AES-encrypted "hackshell" to avoid leaving a footprint on the physical disk. Designed for long-term control rather than quick profit, it actively hunts and terminates rival malware, ensuring it remains the sole, invisible master of the compromised server.
The AI social network Moltbook recently demonstrated the dangers of rapid scaling after a database misconfiguration exposed the private API keys and tokens of 1.5 million users. This vulnerability allowed anyone to hijack autonomous agents through simple GET requests, potentially turning them into tools for mass misinformation.
Top Malware Reported in the Last 24 Hours
Arsink RAT: A rising global menace
Arsink is a sophisticated cloud-native Android RAT that exfiltrates sensitive user data and grants remote control over infected devices. Leveraging social engineering tactics, Arsink impersonates popular brands and distributes malicious APKs through platforms like Telegram, Discord, and MediaFire. The malware utilizes various exfiltration methods, including Firebase, Google Apps Script, and Telegram bots, to collect a wide range of data, such as SMS messages, call logs, contacts, and audio recordings. With approximately 45,000 unique infected IP addresses identified across 143 countries, Arsink has demonstrated a broad geographic reach, particularly in regions with prevalent third-party APK distribution. Its operational variants showcase its adaptability, as it continuously evolves to exploit legitimate cloud services, posing a significant threat to users worldwide.
ShadowHS malware targets Linux systems
ShadowHS is a sophisticated fileless malware that targets Linux systems, utilizing a hidden loader to execute a modified "hackshell" tool entirely in memory, thus avoiding detection through traditional antivirus methods. It spreads via automated SSH brute-force attacks, focusing on stealth and long-term control rather than immediate financial gain. ShadowHS employs AES-256-CBC encryption for its payload, using tools like OpenSSL and Perl in memory to remain undetected. The malware scans for security tools to eliminate rivals and begins its operations by mapping the system and assessing defenses. Its capabilities include credential dumping, privilege escalation, and crypto-mining, all while maintaining a low profile to avoid drawing attention.
PeckBirdy group exploits LOLBins
PeckBirdy is a sophisticated JScript-based command-and-control framework that has been exploiting living-off-the-land binaries (LOLBins) since 2023 to deploy modular backdoors, including HOLODONUT and MKDOOR, across various environments. It has been involved in two major campaigns, SHADOW-VOID-044 and SHADOW-EARTH-045, targeting Chinese gambling industries and Asian government entities. The framework's cross-platform capabilities allow it to adapt to different execution environments, utilizing encrypted communication methods to evade detection. In these campaigns, attackers have employed social engineering tactics and vulnerabilities like CVE-2020-16040 to compromise systems, demonstrating the evolving nature of cyber threats.
Top Vulnerabilities Reported in the Last 24 Hours
Critical vulnerability in Moltbook AI
A critical vulnerability in Moltbook, an AI agent social network launched in January, exposes sensitive information such as email addresses, login tokens, and API keys for its 1.5 million users. Security researchers found that the platform's user count was largely inflated by unchecked bot registrations, with one bot creating 500,000 fake accounts. The vulnerability arises from a database misconfiguration that allows unauthenticated access to agent profiles, enabling attackers to extract data through simple GET requests. This issue is compounded by the platform’s lack of rate limiting and design flaws, leading to significant security risks. The exposed endpoint allows for rapid enumeration of agent IDs, resulting in the potential for credential theft and other malicious actions.
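As a defender-side illustration of the Moltbook issue above (added here; this is not Moltbook's code, and the table layout, field names, session model and limits are assumptions), the following Python sketch shows a profile read path that keeps credentials in a separate table returned only to the owner's authenticated session, and throttles per-client requests so sequential agent IDs cannot be enumerated quickly:

```python
"""Added example, not Moltbook's code. Names, tables and limits are assumptions."""
import time
from collections import defaultdict, deque

# Constructed sample rows: public profile data and a SEPARATE credentials table.
# The reported flaw amounted to serving both as one anonymously readable record.
PROFILES = {1: {"id": 1, "name": "helper-bot", "owner": "alice"},
            2: {"id": 2, "name": "news-bot", "owner": "bob"}}
CREDENTIALS = {1: {"email": "alice@example.invalid", "api_key": "KEY-1"},
               2: {"email": "bob@example.invalid", "api_key": "KEY-2"}}
SESSIONS = {"sess-alice": "alice"}  # constructed session token -> user


class RateLimiter:
    """Sliding window: at most `limit` requests per `window` seconds per client."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, client, now=None):
        now = time.monotonic() if now is None else now
        q = self.hits[client]
        while q and now - q[0] > self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


LIMITER = RateLimiter(limit=5, window=60)


def get_profile(agent_id, client_ip, session=None, now=None):
    """Return (status, body) for GET /agents/<id>.

    Unauthenticated callers only ever see the public PROFILES row; secrets
    from CREDENTIALS are merged in only when the session belongs to the
    agent's owner. Throttling applies before any lookup so that scanning
    IDs costs the caller rate-limit budget even for unknown IDs.
    """
    if not LIMITER.allow(client_ip, now):
        return 429, {"error": "rate limited"}
    profile = PROFILES.get(agent_id)
    if profile is None:
        return 404, {"error": "not found"}
    body = dict(profile)
    caller = SESSIONS.get(session)
    if caller is not None and caller == profile["owner"]:
        body.update(CREDENTIALS.get(agent_id, {}))  # owner sees own secrets
    return 200, body
```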