Cyware Monthly Threat Intelligence, March 2026

The Good
There has been positive momentum in the threat landscape, as the Executive Office of the President of the United States released the Cyber Strategy for America and an Executive Order to strengthen cyber deterrence, protect critical infrastructure, and expand the cyber workforce. The Government of the United Kingdom launched the Government Cyber Profession and Cyber Academy to address cybersecurity skills shortages and improve public sector cyber resilience. Meanwhile, a coalition including the United States, United Kingdom, Australia, Canada, Japan, Finland, and Sweden introduced new cybersecurity and resilience guidelines for future 6G networks at Mobile World Congress 2026 to improve the security of next-generation telecom infrastructure.
The Trump Administration released a seven-page Cyber Strategy for America, outlining a vision for cybersecurity, emphasizing aggressive cyber deterrence, private sector cooperation, and the adoption of emerging technologies like AI. An Executive Order on Combatting Cybercrime was issued to enhance interagency coordination, public-private collaboration, and international diplomacy against cybercrime. The Cyber Strategy is organized into six policy pillars: shaping adversary behavior, promoting common-sense regulation, modernizing federal networks, securing critical infrastructure, sustaining technological superiority, and building a skilled cyber workforce.
The UK government has launched the Government Cyber Profession to recruit and train top-tier cyber experts, streamline recruitment, and establish clear career pathways aligned with professional standards. A Cyber Academy and apprenticeship scheme are being set up to strengthen long-term public sector IT capabilities, with the primary hub located at Manchester Digital Campus. The National Audit Office reported that the cyber threat to government is severe and advancing, with skills gaps posing the biggest risk to resilience. The Government Cyber Action Plan, backed by £210m funding, aims to address skills shortages, improve career development, and enhance understanding of cyber risks among leaders and professionals.
A coalition of seven countries, including Australia, Canada, Japan, the UK, the US, Finland, and Sweden, has launched voluntary cybersecurity and resilience guidelines for 6G networks at the Mobile World Congress 2026. Known as the Global Coalition on Telecoms (GCOT), the group aims to enhance the security and resilience of future mobile networks through principles focusing on containment of malicious activities, data confidentiality, integrity, and regulatory compliance. The guidelines emphasize the importance of robust failover mechanisms and the integration of alternative positioning and navigation solutions to reduce vulnerabilities. GCOT also advocates for Open RAN frameworks to promote flexibility and innovation within the telecommunications ecosystem, ensuring that 6G infrastructure is prepared to meet emerging challenges.
The DOJ recently seized $61 million in Tether connected to fraudulent cryptocurrency schemes known as pig butchering. These scams typically involve criminals establishing fake romantic relationships with victims through social media and dating apps, ultimately coercing trafficked individuals into executing the fraud. Victims are lured into investing by deceptive platforms showcasing fictitious high returns, only to face demands for additional fees when attempting to withdraw their funds. Once the money is transferred to wallets controlled by scammers, it is quickly laundered through various accounts to obscure its origin. In response to these illicit activities, Tether has frozen approximately $4.2 billion in assets linked to scams, including $250 million since mid-2025.
The Bad
The threat landscape continues to worsen, with several significant incidents reported this week. DeepLoad malware is leveraging ClickFix social engineering to trick users into executing malicious PowerShell commands, enabling AI-driven obfuscation, covert process injection, browser credential theft, and persistent reinfection via WMI. A South Asian financial institution has been compromised by the BRUSHWORM and BRUSHLOGGER malware toolkit, combining modular backdoor capabilities, USB propagation, and DLL side-loaded keylogging to conduct large-scale data theft and financial espionage. Meanwhile, the pro-Ukrainian group Bearlyfy has launched over 70 targeted ransomware attacks on Russian organizations using evolving strains like GenieLocker and PolyVice, executing rapid intrusions and demanding increasingly high ransoms through customized attack workflows.
DeepLoad is a sophisticated malware that employs the ClickFix social engineering tactic to distribute itself and steal browser credentials. It utilizes AI-assisted obfuscation and process injection to evade detection, starting its attack by tricking users into executing PowerShell commands via a deceptive lure. The malware hides within legitimate Windows processes, such as "LockAppHost.exe," and disables PowerShell command history to avoid monitoring. It generates a temporary Dynamic Link Library (DLL) in the user's Temp directory to bypass file-based detection and employs asynchronous procedure call (APC) injection to execute its payload covertly. DeepLoad not only extracts browser passwords but also installs malicious extensions that capture credentials in real time. Additionally, it can reinfect hosts using Windows Management Instrumentation (WMI), ensuring persistence without user interaction.
A South Asian financial institution has fallen victim to a sophisticated cyberattack involving a custom malware toolkit known as BRUSHWORM and BRUSHLOGGER. BRUSHWORM, a modular backdoor, facilitates installation, persistence, and C2 operations while enabling USB worm propagation and bulk file theft across critical file formats. Complementing this, BRUSHLOGGER functions as a DLL side-loaded keylogger, capturing keystrokes and user activity with detailed context. The malware employs basic anti-analysis techniques, such as checking for sandbox environments and monitoring user activity before executing its payloads. It also infects removable drives with deceptive filenames to exfiltrate sensitive data. Despite displaying signs of an inexperienced developer, including coding errors and unsophisticated implementation, the toolset demonstrates a significant capability for financial espionage.
A pro-Ukrainian hacking group named Bearlyfy has conducted over 70 cyberattacks on Russian companies since January 2025, utilizing a custom ransomware strain called GenieLocker. Initially, the group employed ransomware families like LockBit 3 and Babuk, but by May 2025, they transitioned to using PolyVice ransomware, demanding ransoms that escalated to around €80,000. Bearlyfy's tactics include exploiting vulnerabilities in external services and applications, followed by deploying tools like MeshAgent for remote access. Their attacks are characterized by rapid execution and personalized ransom notes crafted by the attackers rather than generated by the ransomware itself.
China-linked threat actor Red Menshen has been conducting a sophisticated cyber-espionage campaign against telecom networks in the Middle East and Asia since 2021. This group employs advanced techniques, including kernel-level implants and passive backdoors, to maintain stealthy access to critical environments. Central to their operations is BPFDoor, a Linux backdoor that utilizes Berkeley Packet Filter functionality to monitor network traffic without detection. Unlike conventional malware, BPFDoor activates only upon receiving specially crafted trigger packets, allowing it to remain hidden. The campaign targets internet-facing infrastructure, such as VPN appliances and firewalls, enabling the attackers to gain initial access and deploy additional malicious tools.
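A backdoor that waits on a BPF-filtered raw socket, as described for BPFDoor above, still has to hold an AF_PACKET socket open, and on Linux every such socket is listed in /proc/net/packet with its owning inode, which /proc/PID/fd symlinks map back to a process. The following script is an added example written for this summary, not code from Cyware or from any BPFDoor analysis; the /proc/net/packet contents embedded in it are constructed, and the column layout it parses is the one the kernel emits (sk, RefCnt, Type, Proto, Iface, R, Rmem, User, Inode). It lists every process holding a packet socket so an analyst can compare them against the host's expected sniffers (DHCP clients, LLDP daemons, packet-capture tools); it does not show the BPF filter itself, which is attached with setsockopt and is not visible in /proc.

```python
import os
from typing import Dict, List, Set

# Constructed sample of /proc/net/packet (two AF_PACKET sockets); the real
# file has exactly this column layout. Proto is the link-layer protocol in hex.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a3c4e1a0000 3      3    0003   2     1 0      0      29811
ffff9a3c4e1a0800 3      3    0800   0     0 0      1000   30544
"""

# Link-layer protocol constants from <linux/if_ether.h>.
PROTO_NAMES = {0x0003: "ETH_P_ALL", 0x0800: "ETH_P_IP", 0x86DD: "ETH_P_IPV6"}
# Socket types from <sys/socket.h>.
SOCK_TYPES = {2: "SOCK_DGRAM", 3: "SOCK_RAW"}


def describe_proto(proto: int) -> str:
    """Human-readable name for a link-layer protocol number."""
    return PROTO_NAMES.get(proto, "0x%04x" % proto)


def parse_proc_net_packet(text: str) -> List[dict]:
    """Parse /proc/net/packet into one dict per AF_PACKET socket."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            continue  # skip malformed lines rather than guessing
        row = dict(zip(header, fields))
        rows.append({
            "inode": int(row["Inode"]),
            "sock_type": SOCK_TYPES.get(int(row["Type"]), row["Type"]),
            "proto": int(row["Proto"], 16),
            "iface": int(row["Iface"]),  # 0 means bound to all interfaces
            "uid": int(row["User"]),
        })
    return rows


def map_inodes_to_pids(inodes: Set[int], proc_root: str = "/proc") -> Dict[int, List[int]]:
    """Walk /proc/PID/fd and return {inode: [pids holding it]} for the given socket inodes."""
    owners: Dict[int, List[int]] = {}
    if not os.path.isdir(proc_root):
        return owners
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue  # process exited or not ours to read (needs root for other users)
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith("socket:[") and target.endswith("]"):
                inode = int(target[8:-1])
                if inode in inodes:
                    owners.setdefault(inode, []).append(int(pid))
    return owners


def report(text: str, proc_root: str = "/proc") -> List[dict]:
    """Join packet sockets to their owning processes; unknown owners are reported as an empty list."""
    rows = parse_proc_net_packet(text)
    owners = map_inodes_to_pids({r["inode"] for r in rows}, proc_root)
    findings = []
    for r in rows:
        pids = owners.get(r["inode"], [])
        comms = []
        for pid in pids:
            try:
                with open(os.path.join(proc_root, str(pid), "comm")) as f:
                    comms.append(f.read().strip())
            except OSError:
                comms.append("?")
        findings.append({**r, "proto_name": describe_proto(r["proto"]), "pids": pids, "comms": comms})
    return findings


if __name__ == "__main__":
    # On a live host, read the real file; run as root to see every process's fds.
    try:
        with open("/proc/net/packet") as f:
            live = f.read()
    except OSError:
        live = SAMPLE_PROC_NET_PACKET
    for finding in report(live):
        print("inode=%(inode)d uid=%(uid)d %(sock_type)s %(proto_name)s iface=%(iface)d pids=%(pids)s comms=%(comms)s" % finding)
```

Any packet socket whose owner is not one of the host's known capture tools deserves a closer look, and a socket bound to all interfaces with ETH_P_ALL or ETH_P_IP from a process with an unexpected name is the pattern an analyst would triage first. The same view is available interactively with `ss -0p`, which also lists packet sockets with their owning processes.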
UAT-9244 is a China-nexus APT actor that has been targeting South American telecommunications infrastructure since 2024. This group employs three primary malware implants: TernDoor, PeerTime, and BruteEntry. TernDoor, a variant of the CrowDoor backdoor, uses DLL side-loading for infection and incorporates an encrypted Windows driver for process management. PeerTime is an ELF-based backdoor utilizing the BitTorrent protocol, enabling it to infect various architectures and execute commands through a peer-to-peer network. BruteEntry functions as a brute-force scanner, converting compromised devices into operational relay boxes to attack SSH, Postgres, and Tomcat servers. Each implant showcases sophisticated techniques for evasion and persistence, indicating a well-coordinated effort to compromise critical telecommunications systems.
SloppyLemming, a threat actor known for targeting government and critical infrastructure entities, has launched a series of attacks against Pakistan and Bangladesh. Utilizing dual malware chains, the group deployed BurrowShell, a sophisticated backdoor, alongside a Rust-based keylogger. These attacks, occurring between January 2025 and January 2026, involved spear-phishing emails containing PDF lures and macro-enabled Excel documents to initiate infections. BurrowShell enables file manipulation, remote shell execution, and network tunneling while disguising its command-and-control traffic as legitimate Windows Update communications. The keylogger is designed for information theft and network enumeration. Notably, SloppyLemming has significantly increased its use of Cloudflare Workers domains, employing advanced techniques such as DLL side-loading and ClickOnce execution, targeting sectors like nuclear regulation and telecommunications to gather intelligence in the region.
Cybersecurity researchers have identified malicious PHP packages on Packagist that masquerade as Laravel utilities, enabling a cross-platform RAT affecting Windows, macOS, and Linux systems. Notably, the package "nhattuanbl/lara-swagger" does not contain malicious code itself but relies on "nhattuanbl/lara-helper," which embeds the RAT. This RAT connects to a C2 server, sending system reconnaissance data and executing commands such as running shell commands and capturing screenshots. The RAT employs various obfuscation techniques to evade detection and is designed to maintain persistent connections to the C2 server, attempting reconnections every 15 seconds. The threat actor has also published additional libraries that appear legitimate, likely to build trust and lure users into installing the malicious packages.
Cisco recently revealed a critical vulnerability in its Secure Firewall Management Center (FMC) Software that allows unauthenticated remote attackers to gain complete root access to affected devices. With a maximum CVSS severity score of 10.0, this flaw poses a significant risk to enterprise network infrastructure. Discovered during internal security testing, the vulnerability arises from an improperly initialized system process during the device’s boot sequence. Attackers can exploit this weakness by sending specially crafted HTTP requests to the FMC web interface, bypassing authentication protocols entirely. Once successful, they can execute malicious scripts and take full control of the operating system. This situation represents a worst-case scenario, as it enables attackers to alter security policies and monitor network traffic, thereby compromising the entire organizational security landscape.
A Chrome extension named "QuickLens - Search Screen with Google Lens" was removed from the Chrome Web Store after being compromised to distribute malware and steal cryptocurrency from users. Initially popular, the extension was sold to a new owner who released a malicious update that stripped essential browser security headers, facilitating ClickFix attacks. This update enabled the extension to connect to a command-and-control server, allowing it to execute harmful scripts that targeted various cryptocurrency wallets, capturing sensitive data like seed phrases and login credentials. The malware also scraped personal information from Gmail, Facebook, and YouTube accounts. Following the discovery of these malicious activities, Google disabled the extension and flagged it as malware, affecting around 7,000 users.
North Korean hackers have released 26 malicious npm packages as part of the ongoing Contagious Interview campaign, disguising them as legitimate developer tools. These packages contain functionality to extract C2 server URLs hidden within innocuous Pastebin content, utilizing steganography to encode the addresses. The malware executes upon installation, running a payload that decodes the C2 URLs and connects to infrastructure hosted on Vercel. This sophisticated approach allows the malware to target multiple operating systems, including Windows, macOS, and Linux, while extracting sensitive information such as credentials, browser data, and SSH keys.
New Threats
Several new threats have emerged in the threat landscape, including a vulnerability in OpenAI's ChatGPT enabling covert data exfiltration and remote command execution, along with a command injection flaw in OpenAI Codex that could expose GitHub credentials. Meanwhile, the RoadK1ll malware is enabling covert lateral movement through WebSocket reverse tunneling, and F5 Networks has warned that a critical RCE vulnerability in BIG-IP Access Policy Manager is being actively exploited to deploy webshells.
A newly discovered vulnerability in OpenAI's ChatGPT allowed sensitive user data to be exfiltrated covertly through a DNS-based communication channel, bypassing existing security measures. This flaw enabled attackers to exploit the Linux runtime used by the AI, potentially gaining remote shell access and executing commands without user knowledge. The risk escalates with custom GPTs that could embed malicious prompts, making data leakage undetectable. Concurrently, a critical command injection vulnerability in OpenAI's Codex platform could compromise GitHub credentials, allowing attackers to execute arbitrary commands and access users' codebases.
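A DNS-based exfiltration channel of the kind described above leaves a recognizable trace in resolver logs: many queries for unique, long, high-entropy labels under one parent domain. The script below is an added example, not code from Cyware or from the researchers who reported the ChatGPT flaw; the log lines it scans are constructed, and the four-column line format (timestamp, client, query type, query name) is an assumption that should be adapted to the real resolver's log layout. It flags individual queries whose longest label is long and high-entropy, and parent domains that receive queries for many distinct first labels, which is the per-domain signal that survives even when each label is short.

```python
import math
from collections import defaultdict
from typing import Dict, List

# Constructed resolver log: three tunnel-style queries under tunnel.example.org
# among ordinary lookups. Format assumed: "<timestamp> <client> <qtype> <qname>".
SAMPLE_DNS_LOG = """\
2026-03-12T10:00:01Z 10.0.0.5 A www.example.com
2026-03-12T10:00:02Z 10.0.0.5 AAAA cdn.example.net
2026-03-12T10:00:03Z 10.0.0.7 TXT mfrgg43fmnzgk5bbgezdg.tunnel.example.org
2026-03-12T10:00:04Z 10.0.0.7 TXT ovsxe2lsmvza2ltmmvwgk3tuhaxdc.tunnel.example.org
2026-03-12T10:00:05Z 10.0.0.7 TXT 4fs8w2qk9zm1hx7c3vbn5lp0ytrd6ag.tunnel.example.org
2026-03-12T10:00:06Z 10.0.0.9 A mail.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded data scores high, natural words score low."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text: str) -> List[dict]:
    """Parse the assumed four-column log format; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append({"ts": ts, "client": client, "qtype": qtype,
                        "qname": qname.rstrip(".").lower()})
    return records


def longest_label(qname: str) -> str:
    """The longest dot-separated label; encoded payloads normally sit in one label."""
    return max(qname.split("."), key=len)


def detect_dns_tunneling(text: str, min_label_len: int = 20, min_entropy: float = 3.0,
                         min_unique_labels: int = 3) -> List[dict]:
    """Return per-query and per-parent-domain findings for tunnel-like DNS activity."""
    findings = []
    first_labels: Dict[str, set] = defaultdict(set)
    for rec in parse_dns_log(text):
        qname = rec["qname"]
        label = longest_label(qname)
        entropy = shannon_entropy(label)
        if len(label) >= min_label_len and entropy >= min_entropy:
            findings.append({"kind": "query", "client": rec["client"], "qtype": rec["qtype"],
                             "qname": qname, "label_len": len(label),
                             "entropy": round(entropy, 2)})
        # Group by everything after the first label so sibling subdomains are counted together.
        head, _, parent = qname.partition(".")
        if parent:
            first_labels[parent].add(head)
    for parent, labels in first_labels.items():
        if len(labels) >= min_unique_labels:
            findings.append({"kind": "domain", "parent": parent, "unique_labels": len(labels)})
    return findings


if __name__ == "__main__":
    for finding in detect_dns_tunneling(SAMPLE_DNS_LOG):
        print(finding)
```

The thresholds are starting points, not calibrated values: content-delivery and anti-spam lookups legitimately use long hashed labels, so in production the per-domain count over a time window, combined with an allowlist of known high-cardinality domains and the query type mix (TXT and NULL are rare in ordinary client traffic), is a more reliable signal than entropy alone.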
A newly identified malware implant named RoadK1ll allows attackers to navigate through compromised networks by utilizing a custom WebSocket protocol. Discovered by Blackpoint during an incident response, this lightweight reverse tunneling tool transforms infected machines into relay points, enabling attackers to access internal services and systems that are otherwise unreachable. RoadK1ll establishes outbound connections to attacker-controlled infrastructure, facilitating covert communication and traffic forwarding without detection. It supports multiple commands, including opening TCP connections and managing data flow, while its reconnection mechanism ensures persistent access even if the channel is interrupted. However, it operates without traditional persistence methods, relying solely on the active process of the implant.
F5 Networks has reclassified a vulnerability in its BIG-IP APM (Access Policy Manager) as a critical RCE flaw, previously identified as a denial-of-service (DoS) issue. This security flaw, tracked as CVE-2025-53521, allows attackers to execute remote code on unpatched devices without requiring privileges, particularly targeting systems with specific access policies. F5 warned that the vulnerability is actively being exploited to deploy webshells, prompting CISA to include it in its KEV catalog. With over 240,000 BIG-IP instances exposed online, the extent of vulnerable configurations remains uncertain.
Microsoft has disclosed a new ClickFix campaign that utilizes the Windows Terminal app to deploy Lumma Stealer. This campaign instructs users to launch Windows Terminal directly, creating a more trustworthy environment for executing malicious commands. By bypassing traditional detection methods aimed at the Run dialog, attackers exploit Windows Terminal to guide victims into executing hex-encoded commands that trigger a multi-stage attack. This process includes downloading a ZIP payload, extracting files, and establishing persistence through scheduled tasks. Lumma Stealer targets high-value browser artifacts, harvesting stored credentials and exfiltrating them to attacker-controlled servers. Additionally, a secondary attack pathway involves downloading batch scripts to execute further malicious actions.
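Because the Windows Terminal variant of ClickFix described above hands the victim a hex-encoded command, the encoded text is what lands in process-creation telemetry, and a detection that decodes it restores the readable command for triage. The script below is an added example, not code from Cyware or Microsoft; the process-creation log lines are constructed, and the hex payload is built at runtime from a harmless string so that the sample contains nothing operational. The field layout (Image, CommandLine, ParentImage, Hashes) is an assumption modelled loosely on Sysmon event 1 and should be adapted to the real log source. The printable-ratio check keeps file hashes, which are also long hex runs, from producing false positives.

```python
import re
from typing import List

# Any run of 32 or more hex digits not adjacent to other hex digits.
HEX_RUN = re.compile(r"(?<![0-9A-Fa-f])([0-9A-Fa-f]{32,})(?![0-9A-Fa-f])")

# Constructed, harmless payload: hex-encoded at runtime so no hand-typed blob is needed.
CONSTRUCTED_HEX = "Write-Host 'constructed sample'".encode("ascii").hex()
# A 64-hex-digit value standing in for a SHA256 file hash; it must NOT be flagged.
CONSTRUCTED_HASH = "0123456789abcdef" * 4

# Constructed process-creation log (layout is an assumption, not a vendor format).
SAMPLE_PROCESS_LOG = "\n".join([
    'EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /c whoami" '
    'ParentImage=C:\\Windows\\explorer.exe',
    'EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell.exe -NoProfile ' + CONSTRUCTED_HEX + '" '
    'ParentImage=C:\\Program Files\\WindowsApps\\WindowsTerminal.exe',
    'EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe" '
    'Hashes=SHA256=' + CONSTRUCTED_HASH,
])


def printable_ratio(text: str) -> float:
    """Fraction of characters that are printable text (replacement chars count as not printable)."""
    if not text:
        return 0.0
    ok = sum(1 for ch in text if ch != "\ufffd" and (ch.isprintable() or ch in "\r\n\t"))
    return ok / len(text)


def decode_hex_runs(command_line: str, min_printable: float = 0.95) -> List[str]:
    """Return the decoded text of every long hex run in a command line that decodes to readable text."""
    decoded = []
    for match in HEX_RUN.finditer(command_line):
        blob = match.group(1)
        if len(blob) % 2:
            continue  # odd length cannot be a byte string
        text = bytes.fromhex(blob).decode("ascii", errors="replace")
        if printable_ratio(text) >= min_printable:
            decoded.append(text)
    return decoded


def scan_process_log(text: str) -> List[dict]:
    """Scan each log line's CommandLine field and report lines carrying hex-encoded commands."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = re.search(r'CommandLine="([^"]*)"', line)
        if not match:
            continue
        decoded = decode_hex_runs(match.group(1))
        if decoded:
            parent = re.search(r"ParentImage=(\S+(?: \S+)*?)(?= \w+=|$)", line)
            findings.append({"line": line_no, "decoded": decoded,
                             "parent": parent.group(1) if parent else None})
    return findings


if __name__ == "__main__":
    for finding in scan_process_log(SAMPLE_PROCESS_LOG):
        print("line %d parent=%s decoded=%r" % (finding["line"], finding["parent"], finding["decoded"]))
```

A decoded command whose parent is an interactive terminal and whose text fetches and unpacks an archive or registers a scheduled task is the combination the page attributes to this campaign; the decode step is what lets a rule written for plain command lines see it at all.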
Researchers have identified a targeted Russian cyber campaign against Ukraine that utilizes two new malware strains, BadPaw and MeowMeow. The attack begins with a phishing email that contains a ZIP archive, which, when extracted, launches an HTA file displaying a lure document in Ukrainian about border crossing appeals. This initial infection triggers the download of BadPaw, a .NET-based loader, which establishes command-and-control communication and deploys MeowMeow, a sophisticated backdoor. Both malware strains are heavily obfuscated to evade detection and incorporate advanced defense mechanisms, such as parameter validation and environmental awareness, allowing them to remain dormant unless executed under specific conditions. ClearSky attributes this campaign with high confidence to a Russian state-aligned threat actor, likely APT28, based on the targeting of Ukrainian entities and the use of established Russian cyber tactics.
AuraStealer is a newly emerged infostealer actively targeting users through 48 C2 domains, primarily utilizing platforms like TikTok and cracked software sites for distribution. Launched in mid-2025 on Russian cybercrime forums, it positions itself as a competitor to LummaC2, rapidly gaining traction among cybercriminals. The malware is available under a subscription model, with frequent updates enhancing its capabilities. AuraStealer employs various delivery methods, including social engineering tactics and deceptive tools, to infect systems. It utilizes inexpensive top-level domains and sophisticated anti-analysis techniques to evade detection. Once installed, it harvests sensitive data from over 100 browsers and applications, exfiltrating this information via encrypted channels to its rotating C2 infrastructure.
North Korean hacking group APT37, also known as ScarCruft, has launched a new malware campaign named "Ruby Jumper," targeting air-gapped networks. This campaign employs removable drives to facilitate data transfer between isolated systems. Researchers from Zscaler identified five malicious tools used in this operation: RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, and FOOTWINE. The infection begins when a victim opens a malicious Windows shortcut, which deploys a PowerShell script to extract embedded payloads while simultaneously launching a decoy document. RESTLEAF establishes communication with APT37's command-and-control infrastructure, leading to the download of further malware components. THUMBSBD collects system information and prepares data for exfiltration, while VIRUSTASK spreads the infection to new air-gapped machines. This sophisticated approach allows APT37 to bridge air gaps and maintain covert control over compromised systems.