TIGR Threat Watch

Threat Watch Feed

🚩 – IOCs Added

The red flag indicates that Indicators of Compromise (IOCs) have been added to SRA’s Threat Feed used by CyberSOC clients. Articles may not be flagged if IOCs are not available at the time or are not applicable to the article.

🚩 Evelyn Stealer abuses Visual Studio Code extensions to compromise developer environments and exfiltrate credentials and crypto data

Researchers at Trend Micro analyzed a multi-stage malware campaign delivering Evelyn Stealer, an information stealer that targets software developers through weaponized Visual Studio Code (VS Code) extensions. The activity follows earlier reporting on malicious VS Code extension abuse, with this analysis providing deeper visibility into the full delivery chain and payload behavior. The campaign focuses on developer systems that may hold access to source code, cloud environments, production credentials, or cryptocurrency assets. The infection begins when a developer installs a malicious VS Code extension that drops a disguised DLL loader masquerading as a legitimate Lightshot component. This loader executes a hidden PowerShell command to download a second-stage injector, which uses process hollowing to inject the final Evelyn Stealer payload into a legitimate Windows process. The stealer employs AES-256-CBC encryption, extensive anti-VM and anti-sandbox checks, and dynamic API resolution to evade detection. Once active, it injects a malicious DLL into browser processes to harvest credentials and data before exfiltrating the stolen information over FTP to attacker-controlled infrastructure.

Impact: Evelyn Stealer enables broad theft of sensitive developer data, including browser credentials, cloud and source control tokens, VPN and Wi-Fi credentials, clipboard contents, screenshots, and cryptocurrency wallets. Because developers often hold elevated access to internal systems and production environments, a successful compromise can extend beyond the individual endpoint and be leveraged for lateral movement, intellectual property theft, or follow-on intrusion activity. Using trusted developer tooling as the delivery mechanism increases the likelihood of successful execution and delays detection.

Recommendation: Organizations should review Trend Micro's findings and evaluate how developer tooling is governed in their environments. Critical recommendations include restricting and vetting third-party VS Code extensions through allowlists, monitoring for suspicious DLL sideloading and process hollowing into legitimate Windows binaries, and detecting abnormal browser launches with security-disabling flags. Development endpoints should be treated as high-value assets with enhanced monitoring, strong credential hygiene, and least-privilege access to production systems. Security teams should also monitor for outbound FTP connections from developer workstations and implement behavioral controls capable of detecting multi-stage loaders rather than relying solely on static indicators.
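The "abnormal browser launches with security-disabling flags" hunt above, as an added example that is not part of Trend Micro's report or tooling. Trend Micro does not enumerate the flags, so FLAGS is an assumed list of Chromium/Firefox switches commonly used to hand a browser's session and credential stores to a controlling process; the telemetry is constructed in a Sysmon Event ID 1 shape (Image, CommandLine, ParentImage), and dllhost.exe stands in for whichever hollowed Windows process the report describes.

```python
"""Hunt process-creation telemetry for browsers started with security-disabling switches.

Added example (not from the Trend Micro report). FLAGS and BENIGN_PARENTS are assumptions;
the sample events are constructed and contain no real indicators.
"""
from pathlib import PureWindowsPath

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe"}

# Assumed list: switches that weaken isolation or expose the session to another process.
FLAGS = {
    "--remote-debugging-port": "exposes the DevTools protocol (cookie/session theft)",
    "--remote-debugging-pipe": "exposes the DevTools protocol over a pipe",
    "--disable-web-security": "disables the same-origin policy",
    "--no-sandbox": "disables the renderer sandbox",
    "--allow-running-insecure-content": "allows mixed content",
    "--ignore-certificate-errors": "disables TLS certificate validation",
    "--load-extension": "loads an unpacked extension from disk",
}

# Assumed baseline: the shell is the only parent that normally starts a browser.
BENIGN_PARENTS = {"explorer.exe"}


def switches_in(cmdline):
    """Return the set of '--switch' names in a command line (values after '=' dropped)."""
    return {tok.split("=", 1)[0].lower() for tok in cmdline.split() if tok.startswith("--")}


def browser_flag_findings(events):
    findings = []
    for ev in events:
        image = PureWindowsPath(ev["Image"]).name.lower()
        if image not in BROWSERS:
            continue
        switches = switches_in(ev.get("CommandLine", ""))
        # Browser-internal helpers (renderer, gpu-process, utility) carry --type= and inherit
        # the parent's switches; skipping them avoids alerting several times per launch.
        if "--type" in switches:
            continue
        hits = sorted(switches & set(FLAGS))
        if not hits:
            continue
        parent = PureWindowsPath(ev.get("ParentImage", "")).name.lower()
        findings.append({
            "image": image,
            "parent": parent,
            "flags": hits,
            "reasons": [FLAGS[f] for f in hits],
            # A browser started by anything other than the shell with these switches is the
            # shape the stealer's browser-injection stage produces.
            "severity": "high" if parent not in BENIGN_PARENTS else "medium",
        })
    return findings


# Constructed sample telemetry (not real IOCs). dllhost.exe is a placeholder parent.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://example.com',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-sandbox',
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=new '
                    r'--remote-debugging-port=9222 --user-data-dir="C:\Users\dev\AppData\Local\Microsoft\Edge\User Data"',
     "ParentImage": r"C:\Windows\System32\dllhost.exe"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\Public\ext"',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in browser_flag_findings(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["image"], "from", f["parent"], f["flags"])
```

The `--type=` exclusion matters in practice: every Chromium renderer and GPU helper re-launches with the parent's full switch list, so without it one malicious launch yields a dozen alerts and a benign `--no-sandbox` in a developer's test harness becomes noise.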

🚩 Check Point says VoidLink shows credible evidence of an advanced malware framework developed predominantly with AI assistance

Check Point Research (CPR) reports on VoidLink, describing it as the first clearly evidenced case of an advanced malware framework that appears to have been authored largely through AI-driven development, likely directed by a single individual. CPR says earlier examples of AI-generated malware were mostly tied to low-sophistication actors or reused open-source functionality, while VoidLink shows higher engineering maturity. CPR attributes its visibility into the development process to operational security failures that exposed internal artifacts, including documentation, source code, and project materials. CPR describes the actor using a workflow it calls Spec Driven Development, where the model is used to generate a structured development plan, sprint schedules, specifications, and coding standards, and those artifacts are then used as an execution blueprint to build and test the framework end to end. CPR states the recovered materials suggest the framework reached a functional implant in under a week, and describes VoidLink as incorporating advanced components such as eBPF and Linux kernel module rootkits, plus modules for cloud enumeration and container-focused post-exploitation.

Impact: VoidLink highlights how AI tooling can reduce the time and effort required to produce complex malware, potentially enabling individuals or small teams to build frameworks that previously required larger, well-resourced groups. That shift increases pressure on defenders because malware development cycles can compress significantly, allowing faster iteration on evasion, modular capability expansion, and operational deployment readiness.

Recommendation: Organizations should review CPR's report as an early case study in how AI can change attacker development speed and operational scale. Recommendations include strengthening controls around Linux and cloud workloads, including tighter credential and secret management for cloud APIs, improved monitoring for unusual kernel-level behavior, and deeper visibility into container and host telemetry. Security teams should also recognize that visibility into this framework came only from the actor's exposed development artifacts and misconfigured infrastructure, and should prioritize detection approaches that focus on behavior and privilege boundaries rather than assuming long lead times between initial tool creation and operational use.

🚩 Cisco Talos tracks UAT-8837 targeting North American critical infrastructure and leveraging server exploits or stolen credentials for initial access

Cisco Talos reports it is tracking UAT-8837, a threat actor Talos assesses with medium confidence to be China-nexus, based on overlaps in observed tactics, techniques, and procedures with other China-aligned activity. Since at least 2025, Talos says the group has focused on critical infrastructure sectors in North America and is primarily tasked with obtaining initial access to high-value organizations. Talos observes UAT-8837 gaining access through exploitation of vulnerable servers or use of compromised credentials, then relying heavily on open-source tooling during hands-on-keyboard activity. Reported post-compromise behaviors include reconnaissance, staging tooling in common directories, credential and Active Directory discovery, and establishing multiple access channels. Talos highlights tooling such as Earthworm (tunneling), SharpHound and Certipy (Active Directory reconnaissance and certificate services abuse), DWAgent (remote administration), and token theft tooling, plus registry changes related to Remote Desktop configuration. Talos also notes overlaps with recent exploitation of CVE-2025-53690, a Sitecore ViewState deserialization zero-day, suggesting the actor may have access to zero-day exploits.

Impact: For organizations in critical infrastructure, this activity increases the risk of rapid credential exposure, Active Directory mapping, and persistence through multiple remote access paths. The combination of initial access via internet-facing systems or stolen credentials, followed by tunneling and AD-focused discovery, can enable escalation and longer-term footholds. Talos also notes signs of collection activity that could support future follow-on operations, including potential preparation for supply-chain-style impacts in at least one observed case.

Recommendation: Organizations should review Talos reporting and assess exposure, especially internet-facing servers and the identity controls supporting privileged access. Critical recommendations include prioritizing remediation for exposed systems implicated in initial access, including Sitecore deployments affected by CVE-2025-53690, and validating that ASP.NET machine keys are not sample or legacy values where applicable. Strengthen credential hygiene and access controls for privileged accounts, enforce MFA with robust reset procedures, and monitor for anomalous use of administrative tooling and remote management software. Hunt for the post-compromise patterns described by Talos, including Earthworm-style tunneling and reverse SOCKS activity, SharpHound and Certipy execution from temp or public directories, DWAgent installation, and registry modifications that weaken RDP protections. Ensure EDR and network telemetry can surface tool staging and hands-on-keyboard activity, and treat repeated tool swapping as a potential signal of an operator testing what your controls miss.
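Two of the hunts listed above, as an added example that is not Talos' code or published indicators: tool execution from staging directories (matched by binary name and, for renamed binaries, by the tools' documented command-line syntax) and registry changes that weaken RDP. Tool names, staging directories and argument patterns are assumptions about how these public tools are normally named and invoked; the events are constructed in Sysmon Event ID 1 (process create) and 13 (registry value set) shapes.

```python
"""Hunt for staged offensive tooling and RDP-weakening registry changes.

Added example (not from the Talos report). Indicator lists below are assumptions drawn
from the public tools' default names and documented usage; sample events are constructed.
"""
import re
from pathlib import PureWindowsPath

# Assumed staging locations: world-writable and rarely home to legitimate admin tooling.
STAGING_DIRS = (r"c:\users\public", r"c:\windows\temp", r"c:\programdata", r"c:\perflogs")
STAGING_PATTERNS = (re.compile(r"\\appdata\\local\\temp\\"),)

# Assumed default binary names for the tools Talos names.
TOOL_NAMES = {"sharphound.exe", "certipy.exe", "ew.exe", "ew_for_win.exe", "dwagent.exe", "dwagsvc.exe"}

# Argument signatures survive a rename of the binary (the "tool swapping" case).
TOOL_ARGS = {
    # Earthworm modes: ew -s rssocks -d <ip> -e <port> / ew -s rcsocks -l <port> -e <port>
    "earthworm": re.compile(r"(?<!\S)-s\s+(rssocks|rcsocks|ssocksd|lcx_tran|lcx_listen|lcx_slave)\b", re.I),
    # SharpHound collection switch: -c All / --CollectionMethods DCOnly
    "sharphound": re.compile(r"(?<!\S)(-c|--collectionmethods?)\s+\w*(all|dconly|session|acl|group)", re.I),
    # Certipy subcommand followed by impacket-style credential options
    "certipy": re.compile(r"\b(find|req|auth|shadow|relay|account|template)\b.*\s-(u|username|dc-ip)\b", re.I),
}


def in_staging_dir(path):
    p = path.lower()
    return p.startswith(STAGING_DIRS) or any(rx.search(p) for rx in STAGING_PATTERNS)


def staged_tool_findings(proc_events):
    findings = []
    for ev in proc_events:
        image = ev["Image"]
        name = PureWindowsPath(image).name.lower()
        args_hit = sorted(tool for tool, rx in TOOL_ARGS.items() if rx.search(ev.get("CommandLine", "")))
        name_hit = name in TOOL_NAMES
        if not (args_hit or name_hit):
            continue
        findings.append({"image": image, "by_name": name_hit, "by_args": args_hit,
                         "staged": in_staging_dir(image)})
    return findings


# Values under the Terminal Server key whose listed data weakens RDP.
TS = r"hklm\system\currentcontrolset\control\terminal server"
RDP_WEAKENING = {
    TS + r"\fdenytsconnections": 0,                      # RDP enabled
    TS + r"\winstations\rdp-tcp\userauthentication": 0,  # Network Level Authentication disabled
    TS + r"\winstations\rdp-tcp\securitylayer": 0,       # downgrade to legacy RDP security layer
    TS + r"\fsinglesessionperuser": 0,                   # concurrent sessions allowed
}
RDP_PORT = TS + r"\winstations\rdp-tcp\portnumber"       # any change to the listening port


def dword(details):
    """Parse Sysmon-style 'DWORD (0x00000000)' details into an int (None if not a DWORD)."""
    m = re.search(r"DWORD \((0x[0-9a-f]+)\)", details, re.I)
    return int(m.group(1), 16) if m else None


def rdp_weakening_findings(reg_events):
    findings = []
    for ev in reg_events:
        key = ev["TargetObject"].lower()
        val = dword(ev.get("Details", ""))
        if key == RDP_PORT or (key in RDP_WEAKENING and val == RDP_WEAKENING[key]):
            findings.append({"key": ev["TargetObject"], "value": val, "by": ev.get("Image", "")})
    return findings


# Constructed sample telemetry; IPs are documentation ranges, not real infrastructure.
PROC_EVENTS = [
    {"Image": r"C:\Users\Public\SharpHound.exe", "CommandLine": r"C:\Users\Public\SharpHound.exe -c All"},
    {"Image": r"C:\ProgramData\update.exe", "CommandLine": r"update.exe -s rssocks -d 203.0.113.10 -e 8888"},
    {"Image": r"C:\Program Files\Git\bin\git.exe", "CommandLine": r"git.exe clone https://git.corp.example/app.git"},
    {"Image": r"C:\Users\dev\AppData\Local\Temp\cp.exe",
     "CommandLine": r"cp.exe find -u svc@corp.example -p Passw0rd -dc-ip 10.0.0.1"},
]
REG_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe", "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication"},
    {"Image": r"C:\Windows\System32\svchost.exe", "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"},
    {"Image": r"C:\Windows\System32\reg.exe", "Details": "DWORD (0x00000D3E)",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber"},
]

if __name__ == "__main__":
    print(staged_tool_findings(PROC_EVENTS))
    print(rdp_weakening_findings(REG_EVENTS))
```

The argument-based matches are the part worth keeping when the operator renames a binary between attempts: a file called update.exe that is invoked with `-s rssocks -d <ip> -e <port>` is Earthworm regardless of its name.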

🚩 Infostealer campaign abuses spoofed software installers and DLL sideloading to deploy credential and crypto theft malware

Researchers at VirusTotal identified an active infostealer campaign observed between January 11 and January 15, 2026, distributing malicious ZIP archives that impersonate legitimate software installers, most commonly branded as Malwarebytes. The activity is part of VirusTotal’s new “Flash Hunting Findings” and is tracked using a consistent ZIP structure and a shared behavioral hash 4acaac53c8340a8c236c91e68244e6cb, which enabled clustering and identification of related samples.

The campaign relies on DLL sideloading, placing a malicious CoreMessaging.dll alongside a trusted executable within the ZIP archive. When the legitimate executable is launched, Windows loads the malicious DLL, which then drops and executes secondary stage payloads. Behavioral analysis shows that these follow-on payloads are primarily infostealers, designed to harvest credentials and cryptocurrency wallet data. Distinctive DLL metadata, unusual export names, and consistent secondary payload behavior provide reliable pivots for tracking additional variants.

Impact: This activity poses a risk to users who download software installers from untrusted or spoofed sources, as the malware leverages trusted executables to evade basic security controls. Successful execution can result in theft of credentials and crypto-related data, and may enable broader account compromise if harvested credentials are reused across systems or services. The use of widely recognized software branding increases the likelihood of user execution and delayed detection.

Recommendation: Recommendations include restricting execution of software installers from untrusted sources, monitoring for DLL sideloading behavior where nonstandard DLLs are loaded by trusted executables, and detecting execution chains where ZIP archives spawn legitimate EXEs that immediately load unsigned or suspicious DLLs. Security teams should also incorporate behavioral hashes and metadata-based hunting, rather than relying solely on filenames or static hashes, to identify related activity. User awareness efforts should reinforce downloading software only from official vendor sites and verifying installer authenticity before execution.

Mandiant releases Net-NTLMv1 rainbow tables to accelerate deprecation of insecure authentication protocol

Researchers from Mandiant announced the public release of a comprehensive set of Net-NTLMv1 rainbow tables on January 15, 2026, aiming to demonstrate the continued risk posed by this long-deprecated authentication protocol. Despite being considered cryptographically broken for decades, Mandiant reports that Net-NTLMv1 remains in active use across customer environments, often due to legacy configurations and a lack of perceived urgency to migrate.

The released dataset significantly lowers the barrier to exploiting Net-NTLMv1 by enabling defenders or attackers to recover credential material in under 12 hours using consumer-grade hardware. If an attacker captures a Net-NTLMv1 response that was negotiated without Extended Session Security, a known-plaintext attack against DES applies: the challenge is the plaintext, the response is the ciphertext, and the key material is derived from the account's NT hash, so the tables map a response to a known challenge straight back to the NT hash of the Active Directory user or computer account. In high-impact scenarios, attackers can coerce authentication from privileged systems such as domain controllers, recover the machine account hash, and use it to perform DCSync operations that compromise the broader domain.

Impact: Continued support for Net-NTLMv1 exposes organizations to trivial credential compromise and rapid privilege escalation, particularly in Active Directory environments. The availability of ready-to-use rainbow tables removes practical barriers that previously limited exploitation to specialized tooling or infrastructure. As a result, any environment that still permits Net-NTLMv1 authentication may be vulnerable to full domain compromise following hash capture, even without advanced attacker capabilities.

Recommendation: Organizations should review Mandiant's release and assess whether Net-NTLMv1 is permitted anywhere in their environment. Critical recommendations include disabling Net-NTLMv1 by setting the "Network security: LAN Manager authentication level" policy (LmCompatibilityLevel) to "Send NTLMv2 response only. Refuse LM & NTLM" via local or group policy, noting that only the "Refuse" level stops servers and domain controllers from accepting NTLMv1 from clients, and confirming the setting is enforced centrally so that an attacker with local administrative access cannot silently revert it. Teams should also monitor authentication logs for evidence of NTLMv1 or LAN Manager usage: in Event ID 4624 the Authentication Package field reads NTLM for every NTLM version, and the "Package Name (NTLM only)" field (LmPackageName) identifies the negotiated version as NTLM V1, NTLM V2 or LM. Where legacy dependencies exist, remediation plans should be prioritized, as the risk of credential compromise and domain escalation now carries a substantially lower barrier.
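The Event ID 4624 hunt described above, as an added example that is not part of Mandiant's release: a parser that pulls the fields relevant to NTLMv1 out of the standard 4624 message body and reports logons whose "Package Name (NTLM only)" is NTLM V1 or LM, plus a helper that states what a given LmCompatibilityLevel value still permits. The event text is constructed from the standard 4624 layout; account names, hosts and addresses are made up.

```python
"""Find LM/NTLMv1 logons in Security Event ID 4624 text and assess LmCompatibilityLevel.

Added example (not from Mandiant). The 4624 messages below are constructed from the
standard event layout; names and addresses are fictitious.
"""
import re

WEAK_PACKAGES = {"NTLM V1", "LM"}


def parse_4624(message):
    """Extract the fields an NTLMv1 hunt needs from a 4624 message body."""
    def field(label, section=None):
        # 4624 has two 'Account Name' fields (Subject and New Logon); scope to a section when asked.
        scope = message.split(section, 1)[1] if section and section in message else message
        m = re.search(re.escape(label) + r":\s*([^\r\n]*)", scope)
        return m.group(1).strip() if m else ""
    return {
        "account": field("Account Name", "New Logon:"),
        "domain": field("Account Domain", "New Logon:"),
        "logon_type": field("Logon Type"),
        "auth_package": field("Authentication Package"),        # 'NTLM' for every NTLM version
        "package_name": field("Package Name (NTLM only)"),      # 'NTLM V1' / 'NTLM V2' / 'LM' / '-'
        "workstation": field("Workstation Name"),
        "source_ip": field("Source Network Address"),
    }


def weak_ntlm_logons(messages):
    hits = []
    for msg in messages:
        ev = parse_4624(msg)
        if ev["auth_package"] == "NTLM" and ev["package_name"].upper() in WEAK_PACKAGES:
            hits.append(ev)
    return hits


def ntlmv1_exposure(level):
    """(client_may_send_ntlmv1, server_accepts_ntlmv1) for an LmCompatibilityLevel value 0-5.

    0-2 send LM/NTLM responses; 3-5 send NTLMv2 only. Only 4 refuses LM and only 5 refuses
    NTLMv1 inbound, which is the setting that matters on domain controllers and file servers."""
    if not 0 <= level <= 5:
        raise ValueError("LmCompatibilityLevel must be 0..5")
    return level <= 2, level <= 4


# Constructed 4624 bodies: an NTLMv1 network logon, an NTLMv2 logon, and a Kerberos logon.
SAMPLE_4624 = [
    "An account was successfully logged on.\n"
    "Subject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n"
    "Logon Type:\t\t\t3\n"
    "New Logon:\n\tSecurity ID:\t\tS-1-5-21-1-2-3-1105\n\tAccount Name:\t\tsvc_backup\n"
    "\tAccount Domain:\t\tCORP\n"
    "Network Information:\n\tWorkstation Name:\tLEGACY-APP01\n\tSource Network Address:\t10.10.20.15\n"
    "Detailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n"
    "\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V1\n\tKey Length:\t\t128\n",
    "New Logon:\n\tAccount Name:\t\tjdoe\n\tAccount Domain:\t\tCORP\n"
    "Detailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n"
    "\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n",
    "New Logon:\n\tAccount Name:\t\tjdoe\n\tAccount Domain:\t\tCORP\n"
    "Detailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n"
    "\tPackage Name (NTLM only):\t-\n",
]

if __name__ == "__main__":
    for hit in weak_ntlm_logons(SAMPLE_4624):
        print(hit["domain"], hit["account"], hit["package_name"], "from", hit["workstation"], hit["source_ip"])
    for lvl in range(6):
        print("LmCompatibilityLevel", lvl, "sends v1:", ntlmv1_exposure(lvl)[0], "accepts v1:", ntlmv1_exposure(lvl)[1])
```

Collect these hits on domain controllers and file servers before flipping the policy: the Workstation Name and Source Network Address fields identify the legacy clients that will break when NTLMv1 is refused.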

Unit 42 details payroll diversion attack driven by help desk social engineering and MFA reset abuse

Researchers at Unit 42 analyzed a real-world incident in which attackers redirected employee paychecks by manipulating identity recovery and payroll workflows through social engineering. The case shows how the attackers bypassed technical controls by impersonating employees and exploiting human-operated processes rather than deploying malware or exploiting software flaws.

The attacker initiated access via phone-based social engineering, repeatedly contacting payroll, IT, and HR help desks to learn verification procedures and successfully request password resets and MFA re-enrollment. Using publicly available information gathered from social platforms, the attacker authenticated to cloud identity services, including Azure Active Directory (now Microsoft Entra ID), established persistence by adding an external email address as an authentication method, and modified direct deposit details across multiple employee accounts. The activity blended into normal operations until employees reported missing paychecks.

Impact: This incident resulted in unauthorized changes to payroll data and financial loss risk for affected employees, with the potential for broader identity compromise had the activity gone undetected longer. Because valid credentials and MFA appeared legitimate, the attacker avoided triggering many traditional security alerts. The case highlights how identity and help desk workflows can become high impact attack paths even in environments with strong technical controls.

Recommendation: Organizations should review Unit 42's findings and evaluate identity recovery and help desk processes as critical security controls. Key recommendations include strengthening help desk verification procedures, limiting and auditing MFA reset and re-enrollment actions, and enforcing separation of duties for identity and payroll changes. Identity systems should log and alert on changes to authentication methods, especially the addition of external email addresses or devices, and forward these logs to centralized monitoring platforms. Regular testing of social engineering scenarios, combined with user and help desk training, can help reduce the likelihood of successful impersonation attacks.
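Two of the alerting rules above, as an added example that is not Unit 42's code: registrations of an external e-mail address as a security-info method, and one initiator resetting or re-registering credentials for several distinct users inside a window (one help desk operator talked into repeated resets, or one attacker working through many employee accounts). The records are constructed in a flattened Microsoft Graph directoryAudit-like shape; the activity names, the corporate domain list, the `initiator`/`target` keys and the assumption that the export carries the registered address in `newValue` are all assumptions to map onto your tenant's export.

```python
"""Alert on external e-mail MFA methods and bursts of help-desk credential resets.

Added example (not from the Unit 42 report). Activity names, field names and domains are
assumptions about the audit export; the sample records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

CORPORATE_DOMAINS = {"corp.example"}    # assumed: anything else counts as external
# Assumed activity names as they appear in an Entra ID audit export.
SECURITY_INFO_EVENTS = {"User registered security info", "Admin registered security info"}
RESET_EVENTS = SECURITY_INFO_EVENTS | {"Reset user password", "Admin deleted security info"}


def _ts(rec):
    return datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00"))


def external_email_methods(records):
    """Security-info registrations whose registered e-mail address is outside corporate domains."""
    out = []
    for rec in records:
        if rec["activityDisplayName"] not in SECURITY_INFO_EVENTS or "Email" not in rec.get("resultReason", ""):
            continue
        addr = rec.get("newValue", "")          # assumed: export carries the registered address here
        domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
        if domain and domain not in CORPORATE_DOMAINS:
            out.append({"target": rec["target"], "initiator": rec["initiator"], "address": addr,
                        "by_admin": rec["initiator"] != rec["target"]})
    return out


def reset_bursts(records, window=timedelta(hours=24), threshold=3):
    """Initiators who reset/re-registered credentials for >= threshold distinct other users in one window."""
    by_initiator = defaultdict(list)
    for rec in records:
        if rec["activityDisplayName"] in RESET_EVENTS and rec["initiator"] != rec["target"]:
            by_initiator[rec["initiator"]].append((_ts(rec), rec["target"]))
    bursts = []
    for who, events in by_initiator.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {tgt for t, tgt in events[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                bursts.append({"initiator": who, "targets": sorted(targets), "start": t0})
                break                             # one alert per initiator
    return bursts


def _rec(when, activity, initiator, target, reason="", new_value=""):
    return {"activityDateTime": when, "activityDisplayName": activity, "initiator": initiator,
            "target": target, "resultReason": reason, "newValue": new_value}


# Constructed sample audit trail: a help desk account resets three employees within a day,
# and one of them then registers an external recovery e-mail.
SAMPLE_RECORDS = [
    _rec("2026-01-12T09:00:00Z", "Reset user password", "helpdesk1@corp.example", "alice@corp.example"),
    _rec("2026-01-12T09:05:00Z", "Admin deleted security info", "helpdesk1@corp.example", "alice@corp.example"),
    _rec("2026-01-12T09:30:00Z", "User registered security info", "alice@corp.example", "alice@corp.example",
         "User registered Email", "alice.recovery@mail.example"),
    _rec("2026-01-12T13:00:00Z", "Reset user password", "helpdesk1@corp.example", "bob@corp.example"),
    _rec("2026-01-13T08:00:00Z", "Reset user password", "helpdesk1@corp.example", "carol@corp.example"),
    _rec("2026-01-13T10:00:00Z", "User registered security info", "dave@corp.example", "dave@corp.example",
         "User registered Email", "dave@corp.example"),
    _rec("2026-01-13T11:00:00Z", "Reset user password", "helpdesk2@corp.example", "erin@corp.example"),
]

if __name__ == "__main__":
    print(external_email_methods(SAMPLE_RECORDS))
    print(reset_bursts(SAMPLE_RECORDS))
```

Correlate each burst with the ticketing system: a genuine help desk shift can legitimately reset several accounts a day, so the signal is resets that have no matching verified ticket, and the external-address alert is the one that should page regardless of volume.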


Follow on Twitter

@SRA_ThreatWatch will keep you up to date with the most recent posts on your social media feed.

Subscribe to the RSS

Just copy and add this link to your RSS app and be notified immediately when new intel is posted.

How to use RSS

Following the RSS feed is easy. RSS can be added in your Outlook desktop app, and there are many free RSS readers available for your mobile device.

To follow using Outlook:

  • In Outlook, right-click the RSS Feeds folder and choose Add a New RSS Feed.
  • In the New RSS Feed dialog box, enter the URL of the RSS Feed: https://sra.io/category/tigr/feed

(click here for detailed instructions and additional options for Outlook)

Popular mobile RSS reader apps include:

  • Feedly
  • NewsBlur
  • RSS Reader
  • Inoreader

After installing your preferred RSS reader, you will be able to add this feed by entering the URL: https://sra.io/category/tigr/feed


About TIGR Threat Watch

Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc critical vulnerability notifications in case of critical and time-sensitive vulnerabilities or threats. These notifications include details and recommendations for mitigation/remediation.