
Cyware Daily Threat Intelligence, January 27, 2026


A new MaaS named Stanley is now being marketed on cybercrime forums for up to $6,000, promising a "guaranteed" bypass of the Chrome Web Store review process. The service offers multiple subscription tiers, including a "Luxe Plan" that features a management panel for real-time tracking, URL hijacking rules, and more.

The Amatera info-stealer is being distributed through a creative ClickFix campaign that weaponizes fake CAPTCHA prompts to trick users into compromising their own systems. Victims are instructed to manually execute a command via the Windows Run dialog, which leverages a signed Microsoft App-V script to launch a malicious PowerShell sequence while evading sandbox detection.

Critical unauthenticated RCE vulnerabilities have been uncovered in NetSupport Manager, specifically affecting version 14.10.4.0 and earlier. Attackers can exploit heap- and stack-based memory-corruption flaws to gain entry into sensitive networks without any prior authentication, posing a severe risk to OT environments where this remote management software is frequently deployed for administrative access.

Top Malware Reported in the Last 24 Hours

New malware service targets Chrome extensions

A new MaaS named Stanley has emerged, enabling the creation of malicious Chrome extensions that can bypass Google's review process and be published on the Chrome Web Store. Advertised by a seller using the alias Stanley, this service facilitates phishing attacks by overlaying full-screen iframes with deceptive content while keeping the browser's address bar unchanged to maintain the illusion of legitimacy. Stanley offers silent auto-installation for browsers like Chrome, Edge, and Brave, along with various subscription tiers, including a Luxe Plan that provides a web panel for managing the malicious extensions. Additionally, the service allows operators to enable hijacking rules and send notifications to victims, enhancing the phishing process.

New ClickFix attacks deliver Amatera malware

A new malicious campaign utilizes the ClickFix method alongside fake CAPTCHA prompts and signed Microsoft App-V scripts to distribute the Amatera info-stealer. The attack begins with a fake CAPTCHA that instructs victims to manually execute a command through the Windows Run dialog, abusing the legitimate SyncAppvPublishingServer.vbs script to launch PowerShell. Requiring this manual step verifies user interaction, and the PowerShell stage thwarts automated analysis by stalling in sandbox environments. Subsequently, the malware retrieves configuration data from a public Google Calendar file and uses steganography to conceal payloads within PNG images hosted on public CDNs. The final stage involves decrypting and executing native shellcode to activate the Amatera infostealer, which connects to a hardcoded IP address to collect browser data and credentials from infected systems. Amatera itself is sold as MaaS.
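The chain above hinges on a signed Windows script (SyncAppvPublishingServer.vbs) being used as a launcher for PowerShell, which is the part a defender can see in process-creation telemetry. The following is an added detection example written for this briefing, not code from Cyware or from the campaign's analysis; the event field names (pid, ppid, image, cmdline) and the sample events are constructed, and the placeholder argument stands in for whatever the real lure passes to the script.

```python
import re
from dataclasses import dataclass

# Constructed process-creation event shape (field names are an assumption;
# map them to Sysmon EID 1 / EDR fields in a real pipeline).
@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

APPV_SCRIPT = "syncappvpublishingserver.vbs"
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
PS_HOSTS = ("powershell.exe", "pwsh.exe")

# Extra statements smuggled into the script's argument (the script passes its
# argument through to PowerShell, so ';' or '|' after the .vbs name is a tell).
INLINE_STATEMENTS = re.compile(r"[;|]")
# Cmdlets/aliases typical of a download-and-run or decode stage.
STAGING_CMDLETS = re.compile(
    r"\b(iex|invoke-expression|downloadstring|frombase64string|start-process)\b"
)

def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_appv_script_launch(ev: ProcessEvent) -> bool:
    """True when a script host is running the App-V publishing script."""
    return basename(ev.image) in SCRIPT_HOSTS and APPV_SCRIPT in ev.cmdline.lower()

def appv_args_suspicious(cmdline: str) -> bool:
    """Inspect only what follows the .vbs name: inline statements or staging cmdlets."""
    tail = cmdline.lower().split(APPV_SCRIPT, 1)[1]
    return bool(INLINE_STATEMENTS.search(tail) or STAGING_CMDLETS.search(tail))

def detect(events: list[ProcessEvent]) -> list[tuple[int, str]]:
    """Return (pid, rule_name) findings for the two ClickFix/App-V patterns."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        # Rule A: the App-V script launched with PowerShell smuggled in its arguments.
        if is_appv_script_launch(ev) and appv_args_suspicious(ev.cmdline):
            findings.append((ev.pid, "appv_script_inline_powershell"))
        # Rule B: PowerShell child of that script whose own command line shows a
        # staging cmdlet. A plain parent/child match is not enough on its own:
        # the script legitimately spawns PowerShell to run Sync-AppvPublishingServer.
        if basename(ev.image) in PS_HOSTS:
            parent = by_pid.get(ev.ppid)
            if parent and is_appv_script_launch(parent) and STAGING_CMDLETS.search(ev.cmdline.lower()):
                findings.append((ev.pid, "powershell_spawned_by_appv_script"))
    return findings

# Constructed sample telemetry: one benign App-V sync and one ClickFix-style launch.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # ClickFix-style: Run dialog -> wscript -> App-V script with inline PowerShell.
    ProcessEvent(200, 100, r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n;Invoke-Expression(<PLACEHOLDER>)"'),
    ProcessEvent(201, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NonInteractive -WindowStyle Hidden -Command n;Invoke-Expression(<PLACEHOLDER>)"),
    # Benign App-V publishing refresh (constructed, argument form is illustrative).
    ProcessEvent(300, 100, r"C:\Windows\System32\cscript.exe",
                 r'cscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n"'),
    ProcessEvent(301, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NonInteractive -WindowStyle Hidden -Command Sync-AppvPublishingServer"),
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Rule A is the high-signal one: the legitimate script never needs a second statement in its argument. Rule B exists for the case where the script host's command line was not captured (for example when only the child PowerShell event survives), and it deliberately requires a staging cmdlet so that ordinary App-V publishing refreshes on managed hosts do not page anyone.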

Top Vulnerabilities Reported in the Last 24 Hours

Microsoft patches actively exploited 0-day

Microsoft has released emergency out-of-band security updates to address a high-severity zero-day vulnerability (CVE-2026-21509) in Microsoft Office, which is being actively exploited in attacks. This vulnerability affects several versions, including Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps for Enterprise. While Office 2021 and later versions receive automatic protection through service-side updates, patches for Office 2016 and 2019 are still forthcoming. The flaw allows unauthorized attackers to bypass security features by convincing users to open malicious Office files. Microsoft has not disclosed details about the discovery of the vulnerability or how it is exploited.

Critical vulnerabilities found in NetSupport Manager

Two critical 0-day vulnerabilities in NetSupport Manager, identified as CVE-2025-34164 and CVE-2025-34165, enable unauthenticated RCE. These vulnerabilities, affecting versions 14.10.4.0 and earlier, were discovered during security assessments of operational technology environments. CVE-2025-34164 involves a heap-based out-of-bounds write due to an integer overflow, while CVE-2025-34165 results from a stack-based out-of-bounds read caused by inadequate size validation. The broadcast feature of the software, introduced in version 14, allows attackers to exploit these vulnerabilities without authentication, facilitating lateral movement into sensitive networks.
