Cyware Daily Threat Intelligence, January 28, 2026

A Vietnam-based cybercrime group is breathing new life into traditional phishing by weaving artificial intelligence into their latest PureRAT campaigns. The operation is particularly notable for its AI-generated scripts, which feature meticulous Vietnamese commentary to guide the malware as it carves out hidden directories and secures its foothold.
PyPI has become a digital minefield where even a simple typo can lead to a compromised system. Researchers recently uncovered two malicious packages that hid a RAT inside a Basque language dictionary file. This malware remained inactive until an update triggered its ability to fingerprint hosts and receive commands from suspicious domains.
Spreadsheets are usually tools for organization, but the Cellbreak vulnerability in Grist-Core has turned them into potential weapons. This flaw allows malicious formulas to break out of the application's Pyodide sandbox, escaping the confines of a cell to execute commands directly on the host's operating system.
Top Malware Reported in the Last 24 Hours
Vietnamese cybercriminals drop PureRAT
A Vietnam-based cybercrime group is utilizing AI to enhance its phishing campaigns, primarily distributing the PureRAT malware. These attacks typically begin with phishing emails disguised as job offers, leading victims to download malicious files hosted on cloud services like Dropbox. Once opened, these files initiate an infection chain that installs PureRAT or other payloads, such as HVNC. The attackers employ sophisticated techniques, including AI-generated scripts with detailed comments in Vietnamese, which guide the execution of malicious actions. The scripts create hidden directories, rename files, and establish persistence on compromised systems by adding entries to the Windows Startup registry.
Fake Python packages deliver RAT
Cybersecurity researchers have discovered two malicious packages on PyPI, named `spellcheckerpy` and `spellcheckpy`, which were designed to deliver a RAT. These packages, downloaded over 1,000 times, contained a base64-encoded payload hidden in a Basque language dictionary file. Initially, the packages were dormant, but version 1.2.0 activated the malicious functionality upon import. The RAT downloader is capable of fingerprinting compromised hosts and executing commands from an external domain associated with a hosting provider known for servicing nation-state actors. This incident is not isolated, as previous fake spell-checking tools have been found on PyPI, suggesting a consistent threat actor. Additionally, several malicious npm packages have emerged, targeting cryptocurrency wallets and executing phishing campaigns against specific industries in various countries.
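A defender-side audit for the pattern described above (an encoded payload stashed in a dictionary data file, decoded and executed as soon as the package is imported), written here as an added example rather than code from the report or from the packages it names; the package layout, file names, base64 length threshold and code markers are constructed assumptions, and the "suspect" fixture encodes a harmless string.

```python
import base64
import re
import tempfile
from pathlib import Path

# Heuristics for the report's pattern: encoded code in a data file, plus an import-time decode/exec.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")
CODE_MARKERS = (b"import ", b"exec(", b"eval(", b"subprocess", b"urllib", b"socket")
IMPORT_TIME_DECODE = re.compile(r"b64decode\(|exec\(|compile\(")

def decodes_to_code(blob: bytes) -> bool:
    """True if a base64 run decodes to bytes that look like Python or network code."""
    try:
        data = base64.b64decode(blob, validate=True)
    except Exception:
        return False
    return any(marker in data for marker in CODE_MARKERS)

def scan_package(root: str) -> list:
    """Walk an installed package directory and return (path, reason) findings."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        raw = path.read_bytes()
        if path.name == "__init__.py":
            # Decode/exec reachable at import time means "pip install + import" is enough to trigger it.
            if IMPORT_TIME_DECODE.search(raw.decode("utf-8", "replace")):
                findings.append((str(path), "import-time decode/exec"))
        elif path.suffix != ".py":
            # Word lists and other data files should never carry encoded code.
            if any(decodes_to_code(m.group(0)) for m in B64_RUN.finditer(raw)):
                findings.append((str(path), "base64 blob decodes to code"))
    return findings

def run_demo() -> dict:
    """Build a benign package and a constructed suspicious one, scan both, return reasons per package."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp, "benign_pkg"); benign.mkdir()
        (benign / "__init__.py").write_text("from pathlib import Path\nWORDS = Path(__file__).with_name('words.txt').read_text().split()\n")
        (benign / "words.txt").write_text("kaixo\nagur\neskerrik\nasko\n")
        suspect = Path(tmp, "suspect_pkg"); suspect.mkdir()
        # Constructed fixture: harmless text, encoded and hidden among dictionary words as the report describes.
        blob = base64.b64encode(b"import socket\nprint('constructed placeholder, not malware')\n").decode()
        (suspect / "eu_dict.txt").write_text("kaixo\nagur\n" + blob + "\n")
        (suspect / "__init__.py").write_text("import base64\nexec(base64.b64decode(open('eu_dict.txt').read().split()[2]))\n")
        return {name: sorted(r for _, r in scan_package(str(p)))
                for name, p in (("benign", benign), ("suspect", suspect))}

if __name__ == "__main__": print(run_demo())
```

Run it against a site-packages subdirectory instead of the fixture to triage a freshly installed package before importing it; a hit is a reason to inspect, not proof of compromise.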
Top Vulnerabilities Reported in the Last 24 Hours
Fortinet patches critical FortiCloud bug
Fortinet has issued emergency patches for a critical vulnerability in its FortiCloud SSO authentication system, tracked as CVE-2026-24858, which was actively exploited in the wild. This flaw allowed attackers with a FortiCloud account to log into devices registered to other accounts, facilitating unauthorized access and potential data breaches. The vulnerability, described as an authentication bypass, affects devices with FortiCloud SSO enabled, a feature that is typically active by default during registration. Following reports of automated attacks targeting FortiGate firewalls, Fortinet confirmed the exploitation and temporarily disabled the SSO feature to mitigate risks. CISA has included this vulnerability in its KEV catalog, urging prompt action from federal agencies to address the issue.
Critical vulnerability discovered in Grist-Core
A critical vulnerability, known as Cellbreak (CVE-2026-24002), has been identified in Grist-Core, an open-source spreadsheet-database application. This flaw allows remote code execution through malicious spreadsheet formulas, exploiting a sandbox escape in the Pyodide environment. The vulnerability enables untrusted formulas to execute operating system commands or JavaScript, posing significant risks such as accessing sensitive data and facilitating lateral movement within networks. The issue arises from Grist's design, which employs a blocklist-style approach to sandboxing, allowing attackers to escape the confines of the sandbox and execute commands on the underlying host.