Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence, January 30, 2026


Cybercriminals are using the reputable Hugging Face platform as an unwitting host for more than 6,000 variants of financial malware. The campaign lures victims with a deceptive "security" app that uses alarming notifications to pressure them into a fake update. By cycling through thousands of unique files, the attackers slip past signature-based detection.

A trojanized VS Code extension, known as ClawdBot Agent, has been caught masquerading as a high-end AI coding assistant. Trading on the name recognition of a popular AI tool, the extension activates the moment the editor opens and quietly establishes a remote bridge to the victim's machine.

SmarterTools has issued urgent patches for its SmarterMail software after a pair of critical vulnerabilities left servers open to full takeover. The most severe flaw lets unauthenticated attackers trick the mail server into executing commands fetched from a malicious HTTP source. This follows an authentication bypass that was reverse-engineered and exploited in the wild just days after an initial patch attempt.

Top Malware Reported in the Last 24 Hours

Hugging Face exploited to deploy Android malware

A new Android malware campaign is abusing the Hugging Face platform to distribute more than 6,000 variants of malicious APKs built to steal credentials for financial services. The attack begins with victims installing a dropper app called TrustBastion, which falsely claims to enhance device security. After installation, the app prompts users to update and redirects them to a Hugging Face dataset repository to download the actual malware. Hosting the payload on a trusted domain helps the download evade URL-reputation filters, while the thousands of per-download variants defeat hash-based detection. The malware acts as a remote access tool: it abuses Android's Accessibility Services to capture user activity, overlays fake login screens for services such as Alipay and WeChat, and exfiltrates the captured data to its operators.

Fake ClawdBot extension spreads malware 

A recently discovered fake VS Code extension named ClawdBot Agent poses as a legitimate AI coding assistant while secretly deploying malware on Windows systems. The extension activates automatically when VS Code starts and downloads and executes its payload without any user interaction. The attackers borrowed the name of the popular Clawdbot to exploit brand recognition, building a polished interface that integrates with multiple AI providers so the extension looks functional. Hidden in its code is a payload delivery mechanism that contacts a command-and-control server to fetch additional components; notably, it installs a weaponized build of ScreenConnect, giving the operators remote access to infected machines. The design includes multiple fallback servers, so the malware keeps working even if the primary infrastructure is taken down.
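The following PowerShell triage script is an added example for auditing installed VS Code extensions for the traits described above (activation on editor start, process spawning, network fetches, remote-control tooling); it is not code from the Cyware briefing, from VS Code, or from the extension's authors. It assumes the default per-user extension directory (%USERPROFILE%\.vscode\extensions) and the standard package.json layout with `activationEvents` and `main`; the string patterns it scores are an illustrative choice, not a published signature.

```powershell
# Added triage example for trojanized VS Code extensions; not from the briefing
# or from VS Code. Assumes the default extension root and standard package.json.
$extRoot = Join-Path $env:USERPROFILE '.vscode\extensions'

# "*" and "onStartupFinished" both start an extension as soon as the editor opens.
$startupEvents = @('*', 'onStartupFinished')

# Illustrative indicators (assumption, not a vetted signature): process spawning,
# shell invocation, network download hosts, remote-control software, obfuscation.
$patterns = @('child_process', 'spawn(', 'exec(', 'powershell', 'cmd.exe',
              'ScreenConnect', 'http://', 'https://', 'fromCharCode', 'atob(')

function Get-ExtensionMainCode([string]$ExtDir, $Pkg) {
    # Read the entry-point script named by "main"; Node resolution adds ".js" if omitted.
    if (-not $Pkg.main) { return $null }
    $path = Join-Path $ExtDir $Pkg.main
    if (-not (Test-Path -LiteralPath $path)) { $path = "$path.js" }
    if (Test-Path -LiteralPath $path) { return Get-Content -LiteralPath $path -Raw }
    return $null
}

$report = foreach ($dir in Get-ChildItem -Path $extRoot -Directory -ErrorAction SilentlyContinue) {
    $pkgFile = Join-Path $dir.FullName 'package.json'
    if (-not (Test-Path -LiteralPath $pkgFile)) { continue }
    try { $pkg = Get-Content -LiteralPath $pkgFile -Raw | ConvertFrom-Json } catch { continue }

    $events    = @($pkg.activationEvents)
    $onStartup = [bool]($events | Where-Object { $startupEvents -contains $_ })

    $code = Get-ExtensionMainCode $dir.FullName $pkg
    $hits = @()
    if ($code) { $hits = @($patterns | Where-Object { $code.Contains($_) }) }

    [pscustomobject]@{
        Extension  = $dir.Name
        Publisher  = $pkg.publisher
        OnStartup  = $onStartup
        Indicators = ($hits -join ', ')
        Score      = [int]$onStartup + $hits.Count
    }
}

# Highest-scoring extensions first: a startup-activated extension that spawns
# processes and reaches out to the network deserves a manual read of its code.
$report | Sort-Object Score -Descending | Format-Table -AutoSize
```

Treat the output as a ranking for manual review, not a verdict: legitimate terminal, language-server and cloud extensions also use `child_process` and make HTTPS requests, and since VS Code 1.74 activation events implied by `contributes` (commands, languages) need not be listed in `activationEvents`, so an empty list does not prove an extension never activates early.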

Swarmer tool enhances Windows registry persistence

Swarmer is a tool for stealthy modification of the Windows Registry by low-privileged users, built to sidestep EDR detection. Classic registry persistence, such as writing to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, has become less effective because EDRs watch those writes through the live registry APIs. Swarmer instead abuses mandatory user profiles and the Offline Registry API (Offreg.dll): it exports the target user's registry, edits it offline, converts the result back into a binary hive and writes it as NTUSER.MAN, the file Windows loads as a mandatory profile and re-applies at every logon (changes made during a session are discarded at logoff). Because the modified hive reaches disk as a file rather than through registry calls on the running system, the change never produces the registry-write events that EDR rules key on, so the operator keeps a low profile. For defenders the practical consequence is that registry-event telemetry alone will miss this; the creation or modification of NTUSER.MAN in a profile directory is the signal to watch.
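The following PowerShell script is an added detection example for the technique described above; it is not code from the Cyware briefing or from the Swarmer project. It assumes user profiles live under C:\Users, that the ProfileList key and the 0x1 "mandatory" bit in its State value follow the documented Windows layout, and that a hive can only be loaded offline while the owning account is not logged on. Run it from an elevated PowerShell on the host being examined.

```powershell
# Added detection example for NTUSER.MAN (mandatory-profile) persistence; not
# from the briefing or the Swarmer project. Run elevated. Assumptions: profiles
# under C:\Users, documented ProfileList layout, 0x1 = mandatory-profile bit.
$profileList   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$autostartKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Profile, [string]$Indicator, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Profile = $Profile; Indicator = $Indicator; Detail = $Detail })
}

# 1. NTUSER.MAN in a profile directory turns that profile into a mandatory one.
#    Swarmer writes its modified hive there, so the file itself is the indicator;
#    the ProfileList State bit is not necessarily set for this local variant.
foreach ($dir in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $man = Join-Path $dir.FullName 'NTUSER.MAN'
    if (-not (Test-Path -LiteralPath $man)) { continue }
    Add-Finding $dir.FullName 'NTUSER.MAN present' ("Last written " + (Get-Item -LiteralPath $man).LastWriteTime)

    # 2. Load the hive offline and list the autostart entries it would enforce at
    #    every logon. reg.exe refuses to load a hive that is currently in use.
    $mount = 'HKU\SwarmerAudit'
    & reg.exe load $mount $man *> $null
    if ($LASTEXITCODE -ne 0) {
        Add-Finding $dir.FullName 'Hive in use' 'Log the account off, or inspect a copy of NTUSER.MAN, to read its autostart keys'
        continue
    }
    try {
        foreach ($sub in $autostartKeys) {
            $key = "Registry::HKEY_USERS\SwarmerAudit\$sub"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $props = (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
                Where-Object { $_.Name -notin 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider' }
            foreach ($p in $props) {
                Add-Finding $dir.FullName "Autostart in NTUSER.MAN ($sub)" "$($p.Name) = $($p.Value)"
            }
        }
    } finally {
        [gc]::Collect()                     # drop provider handles so the unload succeeds
        & reg.exe unload $mount *> $null
    }
}

# 3. Profiles explicitly flagged mandatory in ProfileList (the classic, server-side form).
foreach ($entry in Get-ChildItem -Path $profileList -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -LiteralPath $entry.PSPath
    if ($null -ne $props.State -and ($props.State -band 0x1) -ne 0) {
        Add-Finding $props.ProfileImagePath 'ProfileList State has mandatory bit' ("State = 0x{0:X}" -f $props.State)
    }
}

$findings | Format-Table -AutoSize
```

Outside kiosk or shared-workstation builds, a mandatory profile on an ordinary workstation is rare enough that any NTUSER.MAN hit is worth a look. For continuous monitoring, alert on file creation of NTUSER.MAN under C:\Users (Sysmon Event ID 11) rather than on registry events (Sysmon 12/13), because the hive is written as a file and the live registry API is never called.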

Top Vulnerabilities Reported in the Last 24 Hours

SmarterMail patches critical RCE vulnerability

SmarterTools has addressed critical vulnerabilities in its SmarterMail email software, including an unauthenticated RCE flaw tracked as CVE-2026-24423 (CVSS 9.3) that lets attackers execute arbitrary commands by pointing SmarterMail at a malicious HTTP server. A second critical flaw, CVE-2026-23760, also scored 9.3, has been exploited in the wild and is fixed in the same release. A medium-severity issue, CVE-2026-25067, was resolved as well; it could enable NTLM relay attacks through unauthenticated path coercion. Given the in-the-wild exploitation, exposed SmarterMail instances should be updated immediately and reviewed for signs of prior compromise.

NVIDIA fixes series of bugs

NVIDIA has released updates addressing high-severity vulnerabilities in its GPU Display Driver and Virtual GPU (vGPU) software. CVE-2025-33217 is a use-after-free in the Windows driver that could lead to code execution and privilege escalation. CVE-2025-33218 and CVE-2025-33219 are integer overflow flaws affecting both Windows and Linux, with similar impact. CVE-2025-33220 affects the Virtual GPU Manager, where a malicious guest could exploit a memory access vulnerability and potentially impact the host server.
