Weekly Threat Briefing
Diamond Trail

Cyware Weekly Threat Intelligence, January 26–30, 2026


The Good

In a coordinated strike against the dark web’s most resilient sanctuary for extortion, the FBI has seized the Russian Anonymous Marketplace, effectively ending its 14-year run as a primary hub for ransomware-as-a-service coordination. As the forum's digital storefront was replaced by federal seizure notices, the Bureau simultaneously pivoted to the defensive with the launch of Operation Winter SHIELD. This ten-week "cyber call to arms" provides a tactical roadmap for organizations to harden their infrastructure, emphasizing essential safeguards like phish-resistant authentication and offline immutable backups.

  • The FBI has successfully taken down the Russian Anonymous Marketplace (RAMP), a notorious dark web forum known for facilitating ransomware discussions and services. This operation, conducted in collaboration with the US Attorney’s Office and the Department of Justice, resulted in RAMP's websites being replaced with law enforcement seizure notices. Established in 2012, RAMP became a significant hub for low-to-mid-tier ransomware groups, particularly after other forums banned ransomware discussions. Its administrator, Stallman, confirmed the takedown and stated there are no plans to rebuild the platform.

  • Google, in collaboration with industry partners, has successfully disrupted IPIDEA, one of the largest residential proxy networks globally, which facilitated cybercrime and espionage. This initiative combined legal actions, including court orders to shut down malicious domains, with technical measures to enhance security. Google Play Protect now alerts users about applications containing IPIDEA's SDKs and blocks their installation on certified devices. The network has been linked to numerous botnets and was exploited by threat actors from countries like China, DPRK, Iran, and Russia for various attacks, including password spraying and accessing software-as-a-service environments. The disruption significantly reduced the number of available proxy devices, impacting affiliated services reliant on shared infrastructure.

  • The FBI launched Operation Winter SHIELD, a campaign outlining ten cybersecurity actions for organizations to protect IT and OT environments. The campaign aims to enhance resilience by identifying adversary focus areas and providing actionable steps to reduce exploitation risks. The initiative aligns with the US National Cyber Strategy and FBI Cyber Strategy, running for ten weeks with detailed recommendations. Recommendations include adopting phish-resistant authentication, managing third-party risks, protecting security logs, maintaining offline backups, and strengthening email protections.

  • Cybersecurity researchers have discovered two malicious packages on PyPI, named `spellcheckerpy` and `spellcheckpy`, which were designed to deliver a RAT. These packages, downloaded over 1,000 times, contained a base64-encoded payload hidden in a Basque language dictionary file. Initially, the packages were dormant, but version 1.2.0 activated the malicious functionality upon import. The RAT downloader is capable of fingerprinting compromised hosts and executing commands from an external domain associated with a hosting provider known for servicing nation-state actors. This incident is not isolated, as previous fake spell-checking tools have been found on PyPI, suggesting a consistent threat actor. Additionally, several malicious npm packages have emerged, targeting cryptocurrency wallets and executing phishing campaigns against specific industries in various countries.
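The technique described above, a loader stage hidden as a base64 blob inside a data file that a word-list package has every reason to ship, is one a package-audit pass can catch without executing anything. The script below is an added defender's example written for this briefing; it is not Cyware's code and contains nothing from the `spellcheckerpy` or `spellcheckpy` packages. The word list and the base64 blob are constructed for the example (the blob decodes to a harmless placeholder), and the marker list and 64-character threshold are assumptions to tune against real packages.

```python
import base64
import binascii
import math
import re

# Constructed sample data file, standing in for the "dictionary" that shipped
# inside the malicious packages: a few Basque-looking words followed by one
# long base64 line. The blob is a harmless constructed stand-in for a payload.
_CONSTRUCTED_PAYLOAD = (
    b"import socket\nimport subprocess\nimport platform\n"
    b"# constructed placeholder: fingerprint host, poll an external domain for commands\n"
)
SAMPLE_WORDLIST = "\n".join(
    ["abade", "abadia", "abagune", "abantaila", "abar",
     base64.b64encode(_CONSTRUCTED_PAYLOAD).decode("ascii")]
)

# Tokens that rarely appear in a word list but almost always in a loader stage
# (assumed marker set; extend for the ecosystem you audit).
CODE_MARKERS = ("import ", "exec(", "eval(", "__import__", "subprocess", "socket", "urllib")

# A run of base64-alphabet characters of at least 64 chars, with optional padding.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def shannon_entropy(s: str) -> float:
    """Bits per character: natural-language word lists sit near 4, base64 well above 5."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_indicators(blob: str) -> list[str]:
    """Decode a base64 run and return the code markers present in the plaintext."""
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return []
    return [m for m in CODE_MARKERS if m in decoded]


def audit_wordlist(text: str) -> list[dict]:
    """Return one finding per line carrying a base64 run that decodes to code-like text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in _B64_RUN.finditer(line):
            blob = match.group(0)
            indicators = decode_indicators(blob)
            if indicators:  # a long base64 run alone is not proof; the decoded content is
                findings.append({
                    "line": lineno,
                    "length": len(blob),
                    "entropy": round(shannon_entropy(blob), 2),
                    "decodes_to_code": True,
                    "indicators": indicators,
                })
    return findings


if __name__ == "__main__":
    for f in audit_wordlist(SAMPLE_WORDLIST):
        print(f"line {f['line']}: {f['length']}-char base64 run, "
              f"entropy {f['entropy']}, markers {f['indicators']}")
```

Run it over every non-code file in an sdist or wheel (dictionaries, JSON, fixtures); the decode step matters because entropy alone also flags legitimate compressed or binary assets, while a base64 run whose plaintext contains `import ` and `subprocess` inside a spell-checker's dictionary is worth a human look regardless of the package's download count.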

The Bad

A sophisticated trojanized extension for VS Code, known as ClawdBot Agent, has been caught masquerading as a high-end AI coding assistant. Exploiting the name recognition of a popular AI tool, the extension activates the moment the editor opens. In Pakistan, a digital honey-trap dubbed GhostChat has turned the search for connection into a conduit for espionage. The malicious app uses the psychological lure of "exclusive" access. A Vietnam-based cybercrime group is breathing new life into traditional phishing by weaving artificial intelligence into their latest PureRAT campaigns. The operation is particularly notable for its AI-generated scripts.

  • A recently discovered fake VS Code extension named ClawdBot Agent poses as a legitimate AI coding assistant while secretly deploying malware on Windows systems. This malicious extension activates automatically upon starting VS Code, downloading and executing harmful files without user interaction. The attackers cleverly used the name of the popular Clawdbot to exploit brand recognition, creating a polished interface and integrating with multiple AI providers. The extension's code includes a hidden payload delivery mechanism, relying on a command-and-control server to fetch additional malicious components. Notably, it installs a weaponized version of ScreenConnect, allowing remote access to infected machines. The sophisticated design features multiple layers of redundancy, ensuring the malware remains functional even if primary servers are taken down.

  • ESET researchers have identified a sophisticated spyware campaign in Pakistan that uses a fake dating app called GhostChat to lure victims. Posing as a chat platform, the app features locked female profiles and requires users to enter hardcoded access codes, creating an illusion of exclusivity. Once installed, GhostChat covertly monitors device activity and exfiltrates sensitive data, including contacts and documents. The campaign is linked to broader espionage activities, including ClickFix attacks that compromise victims’ computers and a WhatsApp hijacking technique called GhostPairing, which allows attackers to access users' chat histories. This coordinated effort employs social engineering tactics and impersonates governmental organizations to distribute malware.

  • A Vietnam-based cybercrime group is utilizing AI to enhance its phishing campaigns, primarily distributing the PureRAT malware. These attacks typically begin with phishing emails disguised as job offers, leading victims to download malicious files hosted on cloud services like Dropbox. Once opened, these files initiate an infection chain that installs PureRAT or other payloads, such as HVNC. The attackers employ sophisticated techniques, including AI-generated scripts with detailed comments in Vietnamese, which guide the execution of malicious actions. The scripts create hidden directories, rename files, and establish persistence on compromised systems by adding autostart entries to the Windows registry.

  • North Korean hacking group Konni has been observed using AI-generated PowerShell malware to target blockchain developers in Japan, Australia, and India. This phishing campaign, known as Operation Poseidon, exploits social engineering techniques, employing malicious emails disguised as financial notices to trick recipients into downloading harmful ZIP files. These files contain a Windows shortcut that executes an embedded PowerShell loader, leading to the deployment of a backdoor known as EndRAT. The malware is designed to evade detection and establish persistence on infected systems, allowing attackers to gain broader access to development environments.

  • A multi-stage phishing campaign has been identified targeting users in Russia, utilizing ransomware and Amnesia RAT. The attack begins with social engineering tactics, presenting seemingly benign business documents that distract victims while malicious activities occur in the background. The campaign effectively employs public cloud services for payload distribution, complicating detection and takedown efforts. Malicious scripts are delivered through compressed archives containing deceptive documents and Windows shortcuts, which, when executed, initiate a series of PowerShell commands to download additional payloads. The final stages include deploying Amnesia RAT for extensive data theft and a ransomware variant that encrypts files and manipulates cryptocurrency transactions.

New Threats

Cybercriminals are turning the reputable Hugging Face platform into an unwitting accomplice by hosting over 6,000 variants of financial malware. The campaign lures victims with a deceptive "security" app that uses alarming notifications to pressure them into a fake update. The cybercriminal group TA584 has hit a high-speed stride, deploying a relentless attack chain that pairs the new Tsundere Bot with the versatile XWorm RAT. Russian businesses are facing a dual-threat assault that combines espionage with extortion. A new campaign uses deceptive documents to distract users while silently installing Amnesia RAT and ransomware.

  • A new Android malware campaign has exploited the Hugging Face platform to distribute over 6,000 variants of malicious APKs designed to steal credentials from financial services. The attack begins with victims installing a dropper app called TrustBastion, which falsely claims to enhance device security. After installation, the app prompts users to update, redirecting them to a Hugging Face dataset repository to download the actual malware. This malware acts as a remote access tool, leveraging Android’s Accessibility Services to capture user activity, display fake login interfaces for services like Alipay and WeChat, and exfiltrate sensitive data to its operators.

  • A prolific initial access broker known as TA584 has recently adopted the Tsundere Bot alongside the XWorm RAT to facilitate ransomware attacks. Active since 2020, TA584 has significantly increased its operations, employing a sophisticated attack chain that evades static detection methods. The Tsundere Bot, attributed to a Russian-speaking operator and linked to the 123 Stealer malware, can gather information, exfiltrate data, and install additional payloads. This attack chain begins with emails from compromised accounts, leading targets through a series of redirects and CAPTCHA pages to execute a PowerShell command that loads the malware. TA584's activity has expanded beyond North America and the U.K. to include Germany and Australia, indicating a broader targeting strategy. The malware operates as a service, utilizing the Ethereum blockchain for C2 communication and featuring capabilities to profile infected systems and execute arbitrary code.

  • A new MaaS named Stanley has emerged, enabling the creation of malicious Chrome extensions that can bypass Google's review process and be published on the Chrome Web Store. Advertised by a seller using the alias Stanley, this service facilitates phishing attacks by overlaying full-screen iframes with deceptive content while keeping the browser's address bar unchanged to maintain the illusion of legitimacy. Stanley offers silent auto-installation for browsers like Chrome, Edge, and Brave, along with various subscription tiers, including a Luxe Plan that provides a web panel for managing the malicious extensions. Additionally, the service allows operators to enable hijacking rules and send notifications to victims, enhancing the phishing process.

  • A new malicious campaign utilizes the ClickFix method alongside fake CAPTCHA prompts and signed Microsoft App-V scripts to distribute the Amatera info-stealer. The attack begins with a fake CAPTCHA that instructs victims to manually execute a command through the Windows Run dialog, exploiting the legitimate SyncAppvPublishingServer.vbs script to launch PowerShell. This execution verifies user interaction and thwarts automated analysis by stalling in sandbox environments. Subsequently, the malware retrieves configuration data from a public Google Calendar file and uses steganography to conceal payloads within PNG images hosted on public CDNs. The final stage involves decrypting and executing native shellcode to activate the Amatera infostealer, which connects to a hardcoded IP address to collect browser data and credentials from infected systems, operating as MaaS.
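The ClickFix step in this chain (and in the ClickFix activity noted in the GhostChat item above) leaves a recognisable trace in process-creation telemetry: a signed Windows script that normally runs from a service or scheduled task with no argument is instead launched from an interactive shell with an argument containing a URL or command separators. The rule below is an added detection example written for this briefing, not Cyware's code or a vendor rule. The three Sysmon-style events are constructed, the attacker argument is a labelled placeholder rather than the real command, and the token and parent lists are assumptions to tune for your environment.

```python
import json

# Constructed Sysmon-style process-creation events (one JSON object per line),
# not real telemetry: a routine App-V sync, a ClickFix-shaped launch from the
# Run dialog, and an unrelated PowerShell run. The stage is a placeholder.
SAMPLE_EVENTS = r"""
{"EventId": 1, "ProcessId": 3120, "Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "wscript.exe C:\\Windows\\System32\\SyncAppvPublishingServer.vbs"}
{"EventId": 1, "ProcessId": 4412, "Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Windows\\System32\\wscript.exe\" \"C:\\Windows\\System32\\SyncAppvPublishingServer.vbs\" \"n;REDACTED_STAGE http://captcha-verify.invalid/PLACEHOLDER\""}
{"EventId": 1, "ProcessId": 5001, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1"}
"""

LOLBIN_SCRIPT = "syncappvpublishingserver.vbs"
# Substrings that have no place in a legitimate App-V publishing-sync argument
# but are typical of a PowerShell stage smuggled through it (assumed list).
SUSPICIOUS_TOKENS = (";", "http", "iex", "invoke-", "downloadstring", "frombase64")
# Parents that mean a person typed the command (Run dialog or a shell) rather
# than the scheduled task or service that normally drives the sync (assumed).
INTERACTIVE_PARENTS = ("explorer.exe", "cmd.exe", "powershell.exe")


def parse_events(text: str) -> list[dict]:
    """One dict per non-empty JSON line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def clickfix_appv_reasons(event: dict) -> list[str]:
    """Return why this event looks like App-V script abuse; empty list if it does not."""
    cmd = event.get("CommandLine", "").lower()
    if LOLBIN_SCRIPT not in cmd:
        return []
    # Only the text after the script name is the caller-controlled argument.
    argument = cmd.split(LOLBIN_SCRIPT, 1)[1]
    token_hits = [f"argument contains {t!r}" for t in SUSPICIOUS_TOKENS if t in argument]
    if not token_hits:
        return []  # an argument-free sync is the normal case; do not alert on it
    reasons = []
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    if parent in INTERACTIVE_PARENTS:
        reasons.append(f"interactive parent {parent}")
    return reasons + token_hits


def detect(text: str) -> list[dict]:
    """Run the rule over a log and return flagged events with their reasons."""
    flagged = []
    for event in parse_events(text):
        reasons = clickfix_appv_reasons(event)
        if reasons:
            flagged.append({"ProcessId": event["ProcessId"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"PID {hit['ProcessId']}: " + "; ".join(hit["reasons"]))
```

The rule keys on the argument rather than on the script itself, because the script is signed and legitimately present on every Windows host; the interactive parent is recorded as supporting context, and a matching event should be followed by the child PowerShell process and its outbound connection, which is where the Google Calendar fetch and PNG downloads described above would appear.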
