<div id="weekly"> <div id="trending-threats" class="trending-threats-article"> <h2 id="article-1"><a href="https://www.trendmicro.com/en_us/research/26/a/analysis-of-the-evelyn-stealer-campaign.html" target="_blank" rel="noopener noreferrer">Evelyn Stealer Abuses Developer Tooling to Harvest Credentials</a></h2> <p>(published: January 19, 2026)</p> <p> Researchers have uncovered a sophisticated malware campaign dubbed Evelyn Stealer that weaponizes trusted developer tooling to compromise software engineers. The campaign starts with malicious Visual Studio Code extensions that masquerade as legitimate utilities. Once installed, these extensions deploy a trojanized DLL component alongside the real Lightshot.exe application, using DLL hijacking and hidden PowerShell commands to fetch and launch additional payloads. The final payload, Evelyn Stealer, executes quietly to harvest a wide range of sensitive information from infected machines, including browser credentials, session cookies, cryptographic wallet data, VPN profiles, Wi-Fi keys, and system artifacts, and then exfiltrates the stolen data to attacker-controlled infrastructure. <br> <br><b>Analyst Comment:</b> This campaign matters because it highlights the continued use of trusted developer workflows as an effective initial access path. Rather than relying exclusively on broad phishing, attackers embed themselves in familiar tools and extensions, allowing them to operate quietly and with less user suspicion. Developer machines often sit close to source repositories, cloud consoles, and production credentials, which means a single compromised endpoint can enable far wider access than a typical user device. For defenders, the key takeaway is that developer environments should be treated as privileged assets, with tighter control over extensions, better visibility into DLL loading and script execution, and an assumption that credential exposure is likely once compromise occurs. 
The greater risk lies in the follow-on access a compromised developer system can provide, rather than the immediate theft of credentials alone.<br> <br><b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/9611">T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain</a> | <a href="https://ui.threatstream.com/attackpattern/9597">T1036 - Masquerading</a> | <a href="https://ui.threatstream.com/attackpattern/9828">T1059.001 - Command and Scripting Interpreter: Powershell</a> | <a href="https://ui.threatstream.com/attackpattern/10105">T1574.001 - Hijack Execution Flow: Dll Search Order Hijacking</a> | <a href="https://ui.threatstream.com/attackpattern/10025">T1555.003 - Credentials from Password Stores: Credentials From Web Browsers</a> | <a href="https://ui.threatstream.com/attackpattern/10031">T1539 - Steal Web Session Cookie</a> | <a href="https://ui.threatstream.com/attackpattern/9617">T1041 - Exfiltration Over C2 Channel</a><br> <b>Target Industry:</b> Technology<br> </p> <h2 id="article-1"><a href="https://www.infosecurity-magazine.com/news/pdfsider-anti-vm-checks-hidden/" target="_blank" rel="noopener noreferrer">Stealthy Backdoor Abuse: PDFSider Malware Evades Detection and Enables Persistent Access </a></h2> <p>(published: January 19, 2026)</p> <p> Researchers have identified PDFSider, a stealthy backdoor malware leveraged in targeted intrusions and ransomware-related operations, designed to evade modern endpoint detection and response controls. The malware is delivered via spear-phishing emails containing a ZIP archive that bundles a legitimate PDF24 Creator executable alongside a malicious cryptbase.dll, which is executed through DLL sideloading. Once loaded, PDFSider operates largely in memory, establishes encrypted command-and-control communications using AES-256-GCM, and deploys extensive anti-virtualization and anti-debugging checks to avoid sandbox and analyst environments. 
Additional reporting indicates the malware supports a persistent remote shell, system reconnaissance, and follow-on payload delivery, making it well suited for pre-ransomware staging. The activity has been observed in attacks against large enterprise targets, including Fortune 100 organizations, and reflects a broader trend of attackers abusing trusted software and living-off-the-land techniques to remain covert for extended periods.<br> <br><b>Analyst Comment:</b> PDFSider highlights how modern intrusions increasingly prioritize stealth and longevity over noisy exploitation. This malware is engineered to defeat common defensive assumptions by avoiding execution in virtualized or monitored environments, blending into legitimate software, and quietly exfiltrating data over DNS traffic that often escapes close inspection. The absence of alerts or detonated samples should not be mistaken for safety, as this tradecraft is designed to remain dormant when observed and active only on real targets. 
For defenders, this means a greater focus on behavioral telemetry, DLL loading anomalies, and network-level visibility rather than reliance on signatures or sandbox-based detection alone.<br> <br><b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/10001">T1566.001 - Phishing: Spearphishing Attachment</a> | <a href="https://ui.threatstream.com/attackpattern/10104">T1574.002 - Hijack Execution Flow: Dll Side-Loading</a> | <a href="https://ui.threatstream.com/attackpattern/12893">T1622 - Debugger Evasion</a> | <a href="https://ui.threatstream.com/attackpattern/10089">T1497.001 - Virtualization/Sandbox Evasion: System Checks</a> | <a href="https://ui.threatstream.com/attackpattern/9891">T1071.004 - Application Layer Protocol: Dns</a> | <a href="https://ui.threatstream.com/attackpattern/10083">T1573.002 - Encrypted Channel: Asymmetric Cryptography</a> | <a href="https://ui.threatstream.com/attackpattern/9931">T1053.005 - Scheduled Task/Job: Scheduled Task</a> | <a href="https://ui.threatstream.com/attackpattern/9956">T1082 - System Information Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9585">T1059 - Command And Scripting Interpreter</a><br> <b>Target Region:</b> Americas<br> <b>Target Country:</b> United States<br> </p> <h2 id="article-1"><a href="https://thehackernews.com/2026/01/hackers-use-linkedin-messages-to-spread.html" target="_blank" rel="noopener noreferrer">Social Media Phishing Campaign Leverages Open-Source Tools to Deploy RAT</a></h2> <p>(published: January 20, 2026)</p> <p> A targeted phishing campaign uses LinkedIn private messages to deliver malicious payloads that ultimately deploy a Remote Access Trojan (RAT). The campaign begins with tailored LinkedIn messages designed to establish professional credibility and trust, eventually guiding targets to download a WinRAR self-extracting archive. 
When executed, the archive drops a legitimate PDF reader alongside a malicious DLL, a portable Python interpreter, and decoy files. DLL sideloading causes the malicious library to load within the trusted PDF reader process, allowing the malware to execute with reduced scrutiny. The Python component then runs in memory to establish persistent remote access and command-and-control, enabling follow-on activity such as data access and system control. <br> <br><b>Analyst Comment:</b> Email remains the dominant phishing vector, but attackers are increasingly supplementing it with professional and social platforms when targeting specific users or seeking to bypass well-established email protections. The technical tradecraft involved is intentionally simple and dependable, relying on trusted applications, DLL sideloading, and in-memory execution to blend into normal activity. The broader lesson is that malicious outreach can arrive through any channel that carries trust, making it important for individuals and organizations alike to stay alert to unexpected files, links, or requests regardless of where the interaction begins.<br> <br><b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/10028">T1566.002 - Phishing: Spearphishing Link</a> | <a href="https://ui.threatstream.com/attackpattern/9615">T1204.002 - User Execution: Malicious File</a> | <a href="https://ui.threatstream.com/attackpattern/10104">T1574.002 - Hijack Execution Flow: Dll Side-Loading</a> | <a href="https://ui.threatstream.com/attackpattern/9827">T1059.006 - Command and Scripting Interpreter: Python</a> | <a href="https://ui.threatstream.com/attackpattern/9819">T1218 - Signed Binary Proxy Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9638">T1105 - Ingress Tool Transfer</a> | <a href="https://ui.threatstream.com/attackpattern/9715">T1071.001 - Application Layer Protocol: Web Protocols</a><br> </p> <h2 id="article-1"><a 
href="https://www.darkreading.com/cyberattacks-data-breaches/crashfix-scam-crashes-browsers-delivers-malware" target="_blank" rel="noopener noreferrer">Malicious Browser Extension CrashFix Campaign Targets Enterprise via ModeloRAT</a></h2> <p>(published: January 20, 2026)</p> <p> A deceptive campaign attributed to the threat actor KongTuke uses a malicious browser extension called NexShield to deliver what researchers describe as the CrashFix attack chain. Victims are lured through malicious advertising and deceptive search results into installing the extension, which closely imitates legitimate ad-blocking tools and was briefly available through official browser extension stores. After remaining inactive for roughly an hour, the extension deliberately exhausts browser resources, causing Chrome or Edge to crash repeatedly. When users reopen the browser, a fake error message claims the application stopped unexpectedly and prompts them to copy and execute a repair command. That command triggers a PowerShell execution chain which, on domain-joined systems, retrieves and installs a Python-based remote access trojan known as ModeloRAT. The malware provides attackers with persistent access and system control, while non-enterprise systems currently receive only a test payload. The campaign highlights a calculated blend of social engineering, delayed activation, and environment-aware targeting designed to bypass trust and reach corporate endpoints.<br> <br><b>Analyst Comment:</b> This campaign illustrates how the classic abuse of user-assisted execution paths continues to evolve rather than disappear. What makes CrashFix’s social engineering more effective than earlier variants is the deliberate introduction of a real technical failure. By intentionally crashing the browser, the attacker increases the perceived legitimacy of the follow-up repair prompt and lowers user skepticism at the exact moment frustration is highest. 
The current use of a test payload on non-enterprise systems should be viewed as a temporary measure, with more capable follow-on payloads likely to be introduced as the technique matures. For defenders, the lesson is that extension governance and execution controls matter as much as malware detection. Organizations should assume users may follow plausible instructions under pressure and design controls to limit what those instructions can achieve when they do.<br> <br><b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/9784">T1189 - Drive-By Compromise</a> | <a href="https://ui.threatstream.com/attackpattern/10114">T1176 - Browser Extensions</a> | <a href="https://ui.threatstream.com/attackpattern/9828">T1059.001 - Command and Scripting Interpreter: Powershell</a> | <a href="https://ui.threatstream.com/attackpattern/9827">T1059.006 - Command and Scripting Interpreter: Python</a> | <a href="https://ui.threatstream.com/attackpattern/9588">T1547 - Boot Or Logon Autostart Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9612">T1204 - User Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9956">T1082 - System Information Discovery</a><br> </p> <h2 id="article-1"><a href="https://www.bleepingcomputer.com/news/security/gitlab-warns-of-high-severity-2fa-bypass-denial-of-service-flaws/" target="_blank" rel="noopener noreferrer">GitLab warns of high-severity 2FA bypass</a></h2> <p>(published: January 21, 2026)</p> <p> GitLab has issued urgent security updates for its self-managed Community Edition (CE) and Enterprise Edition (EE) to address multiple high-severity vulnerabilities affecting authentication and service availability. One of the most critical flaws, CVE-2026-0723, is caused by an unchecked return value in GitLab’s authentication services that can allow an attacker with knowledge of a valid credential ID to bypass two-factor authentication by submitting crafted device responses. 
While exploitation requires specific conditions, the issue directly undermines a core security control. GitLab also patched several denial-of-service vulnerabilities, including flaws in the Releases API authorization logic, Jira Connect integration handling, Wiki redirects, and SSH authentication paths. These issues can be triggered using malformed requests, with most exploitable without authentication. GitLab recommends immediate upgrades to versions 18.8.2, 18.7.2, or 18.6.4 to mitigate these risks.<br> <br><b>Analyst Comment:</b> This advisory is a reminder that two-factor authentication can be weakened by flaws in application logic rather than broken outright. The key risk is not advanced exploitation but the ability to abuse trusted authentication workflows when supporting identifiers, such as credential IDs, are exposed or predictable. For defenders, the priority is rapid patching, followed by treating externally accessible GitLab instances as identity-critical infrastructure rather than internal tooling. Monitoring for unusual authentication behavior and reducing public exposure where possible are practical steps that limit impact. 
The broader insight is that attackers increasingly favor paths that look legitimate, and weaknesses in identity handling can carry consequences that extend well beyond a single platform.<br> <br><b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/9870">T1078 - Valid Accounts</a> | <a href="https://ui.threatstream.com/attackpattern/18596">T1556.006 - Modify Authentication Process: Multi-Factor Authentication</a> | <a href="https://ui.threatstream.com/attackpattern/9861">T1499 - Endpoint Denial Of Service</a><br> </p> <h2 id="article-1"><a href="https://www.theregister.com/2026/01/21/lastpass_backup_phishing_campaign/" target="_blank" rel="noopener noreferrer">Phishing Emails Aim to Steal LastPass Master Passwords </a></h2> <p>(published: January 21, 2026)</p> <p> LastPass has issued an alert about an ongoing phishing campaign that began on or around January 19, 2026, targeting its users with fraudulent “scheduled maintenance” emails. These messages urge recipients to back up their vaults within 24 hours, a sense of urgency designed to bypass normal caution. Clicking the included “create backup” link first leads to an Amazon S3 hosted URL before redirecting to a counterfeit domain that mimics LastPass and attempts to harvest users’ master passwords. LastPass emphasized it will never request a master password or demand immediate backup actions, and warned that successful credential theft could expose an entire vault of sensitive data, including stored logins, payment details, and secure notes.<br> <br><b>Analyst Comment:</b> This campaign is a reminder that password managers are increasingly attractive identity targets because they sit at the center of a user’s digital life. Rather than attempting to defeat encryption or exploit the service itself, the attackers rely on credibility and urgency to pressure users into making a single mistake that can have wide downstream consequences. The timing around a U.S. 
holiday weekend and the use of legitimate cloud infrastructure suggest deliberate efforts to blend in and exploit reduced scrutiny. For defenders, the key lesson is that phishing impersonating trusted identity tools should be treated as a high-impact risk, not routine spam. Clear guidance on what password managers will never ask for, combined with strong reporting and rapid response processes, remains one of the most effective ways to blunt this class of attack.<br> <br><b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/10028">T1566.002 - Phishing: Spearphishing Link</a> | <a href="https://ui.threatstream.com/attackpattern/9675">T1056.003 - Input Capture: Web Portal Capture</a> | <a href="https://ui.threatstream.com/attackpattern/10043">T1583.003 - Acquire Infrastructure: Virtual Private Server</a> | <a href="https://ui.threatstream.com/attackpattern/9715">T1071.001 - Application Layer Protocol: Web Protocols</a><br> </p> <h2 id="article-1"><a href="https://www.security.com/threat-intelligence/new-ransomware-osiris" target="_blank" rel="noopener noreferrer">Osiris Ransomware Observed Using Driver Abuse and Pre-Encryption Data Theft </a></h2> <p>(published: January 22, 2026)</p> <p> Security researchers have identified a previously undocumented ransomware strain named Osiris following a late-2025 intrusion targeting a food service organization in Southeast Asia. This activity is unrelated to earlier Locky-era malware that used the same name. The attackers conducted data exfiltration prior to encryption, using Rclone to transfer files to a cloud storage bucket, indicating a deliberate double-extortion approach. Osiris includes functionality to terminate processes and services, remove system recovery artifacts, and selectively encrypt files, appending a “.Osiris” extension and deploying a ransom note for negotiation. 
Notably, the intrusion leveraged a vulnerable signed driver through a Bring-Your-Own-Vulnerable-Driver technique to disable endpoint security controls, alongside use of a modified RustDesk remote access tool. Encryption is implemented using a hybrid ECC and AES-128-CTR scheme with unique keys per file. While some tooling overlaps with activity associated with Inc ransomware operations, attribution remains unconfirmed.<br> <br><b>Analyst Comment:</b> This case highlights how some ransomware intrusions are increasingly shaped by what happens before encryption rather than by the encryption event itself. In this intrusion, the attackers focused first on weakening defenses and removing data quietly, which allowed them to establish leverage long before the ransom note appeared. The use of a vulnerable signed driver to disable security tooling shows intent to neutralize detection rather than evade it, while cloud-based exfiltration demonstrates how easily sensitive data can be removed without triggering traditional alerts. For defenders, the lesson is not that ransomware has fundamentally changed, but that relying on encryption-focused detection is no longer sufficient on its own. Early visibility into control loss, security tool tampering, and unexpected data movement is critical. 
The real opportunity to disrupt attacks like this lies in spotting those early indicators, when the intrusion is still reversible and leverage has not yet been established.<br> <br><b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/10079">T1562.001 - Impair Defenses: Disable Or Modify Tools</a> | <a href="https://ui.threatstream.com/attackpattern/9770">T1070.004 - Indicator Removal on Host: File Deletion</a> | <a href="https://ui.threatstream.com/attackpattern/10080">T1486 - Data Encrypted For Impact</a> | <a href="https://ui.threatstream.com/attackpattern/9748">T1567.002 - Exfiltration Over Web Service: Exfiltration To Cloud Storage</a> | <a href="https://ui.threatstream.com/attackpattern/9812">T1219 - Remote Access Software</a><br> </p> <h2 id="article-1"><a href="https://www.bleepingcomputer.com/news/security/inc-ransomware-opsec-fail-allowed-data-recovery-for-12-us-orgs/" target="_blank" rel="noopener noreferrer">INC Ransomware OpSec Failure Enables Recovery of Stolen Victim Data</a></h2>
<p>(published: January 22, 2026)</p> <p> An operational security lapse by the INC ransomware group allowed investigators to penetrate parts of the group’s data exfiltration infrastructure and recover stolen information belonging to at least 12 U.S. organizations across healthcare, legal services, manufacturing, and other sectors. Analysis revealed that the attackers abused the legitimate open-source backup tool Rustic, renaming it and deploying it to resemble routine IT backup activity while encrypting and transferring victim data to attacker-controlled cloud storage. Forensic examination of residual artifacts and metadata associated with this tooling enabled researchers to obtain access credentials, enumerate storage repositories, and retrieve victim datasets.<br> <br><b>Analyst Comment:</b> This incident shows how INC relied on trusted administrative tooling rather than custom malware to move and exfiltrate data while blending into normal IT activity. By renaming and misusing a legitimate backup utility, the attackers reduced their visibility but also created a clear operational dependency. Once investigators identified how the tool was configured and where data was being sent, that dependency became an entry point into the group’s infrastructure. For defenders, the lesson is that legitimate tools used outside expected workflows can be stronger indicators of compromise than unfamiliar binaries. 
Careful artifact preservation and behavioral analysis can expose attacker mistakes and, in rare cases, enable recovery without paying ransom.<br> <br><b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/9597">T1036 - Masquerading</a> | <a href="https://ui.threatstream.com/attackpattern/9585">T1059 - Command And Scripting Interpreter</a> | <a href="https://ui.threatstream.com/attackpattern/9746">T1567 - Exfiltration Over Web Service</a><br> <b>Target Industry:</b> Healthcare, Manufacturing, Legal services<br> <b>Target Region:</b> Americas<br> <b>Target Country:</b> United States<br> </p> <h2 id="article-1"><a href="https://www.bleepingcomputer.com/news/security/shinyhunters-claim-to-be-behind-sso-account-data-theft-attacks/" target="_blank" rel="noopener noreferrer">Hybrid Vishing Attacks Powered by Adaptive Phishing Kits Target SSO Identities</a></h2>
<p>(published: January 23, 2026)</p> <p> ShinyHunters and other threat actors are running a new generation of voice phishing (vishing) campaigns that combine live social engineering with dynamic phishing kits designed to orchestrate the victim’s browser session in real time. Custom phishing kits enable attackers to spoof IT support calls and present tailored fake login pages for Okta, Microsoft Entra, Google and other services. These kits synchronize with the caller’s script to capture credentials and navigate multi-factor authentication (MFA) challenges by updating the phishing pages on the fly, effectively bypassing non-phishing-resistant MFA protections. Okta’s Threat Intelligence team and corroborating reports confirm the rise of “as-a-service” vishing tooling and associated SSO credential theft, with ShinyHunters claiming responsibility for multiple corporate data thefts and extortion attempts. This trend reflects an evolution from static phishing to hybrid adversary-in-the-middle social engineering optimized for real-time interaction.<br> <br><b>Analyst Comment:</b> These campaigns are effective because they exploit how employees are conditioned to respond to authority, urgency, and familiar support workflows. A live caller who sounds credible and can react in real time removes the hesitation that often stops traditional phishing, while adaptive phishing pages reinforce the illusion that the interaction is legitimate. When MFA prompts appear during a guided support call, users are more likely to comply because the action aligns with the narrative they are being given. This makes the attack less about technical bypass and more about behavioral influence. 
The most reliable countermeasure is enforcing out-of-band verification, where employees are required to independently confirm unexpected IT or security requests through known internal channels. This breaks the attacker’s control of the interaction and reintroduces friction where it matters.<br> <br><b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/32052">T1566.004 - Phishing: Spearphishing Voice</a> | <a href="https://ui.threatstream.com/attackpattern/18596">T1556.006 - Modify Authentication Process: Multi-Factor Authentication</a> | <a href="https://ui.threatstream.com/attackpattern/12897">T1621 - Multi-Factor Authentication Request Generation</a> | <a href="https://ui.threatstream.com/attackpattern/9665">T1213.002 - Data from Information Repositories: Sharepoint</a><br> </p> <h2 id="article-1"><a href="https://www.darkreading.com/cyber-risk/contagious-interview-attack-delivers-backdoor" target="_blank" rel="noopener noreferrer">North Korean ‘Contagious Interview’ Malware Uses VS Code to Plant Backdoor </a></h2> <p>(published: January 21, 2026)</p> <p> North Korean threat actors associated with the long-running “Contagious Interview” campaign have expanded their tradecraft by abusing Microsoft Visual Studio Code’s trusted workspace features to deliver a stealthy JavaScript backdoor. Victims, often developers targeted through fake recruitment or coding challenges, are instructed to clone a malicious repository hosted on GitHub or GitLab. When the project is opened in VS Code and the user approves the workspace as trusted, embedded configuration files such as tasks.json or extension recommendations automatically trigger command execution through Node.js. According to researchers, this process enables silent payload retrieval and execution without additional prompts, user interaction, or visible artifacts. 
The backdoor operates persistently in the background, allowing reconnaissance and data exfiltration while blending into normal developer activity. This technique highlights a broader shift toward abusing legitimate development tools and trust decisions rather than exploiting software vulnerabilities, complicating detection for traditional security controls.<br> <br><b>Analyst Comment:</b> This activity underscores why the “Contagious Interview” technique has remained effective over several years. The attack does not rely on unexpected or random code delivery, but on carefully staged recruitment scenarios where developers are asked to clone and review repositories as part of a supposed job process. Its continued success reflects repeated adaptation of the same social engineering model to new tools and workflows rather than reliance on a single delivery mechanism. This context makes trust decisions feel routine and justified. The primary risk lies in approving workspace trust and allowing execution within development tools without closely inspecting embedded configuration files or execution paths. For defenders, the focus should be on awareness rather than anomaly alone. 
Development environments should be treated as a consistent attack surface, with clear guidance for engineers on interview-based coding requests and visibility into execution and network activity originating from developer tools.<br> <br><b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/10001">T1566.001 - Phishing: Spearphishing Attachment</a> | <a href="https://ui.threatstream.com/attackpattern/10112">T1059.007 - Command and Scripting Interpreter: Javascript</a> | <a href="https://ui.threatstream.com/attackpattern/9615">T1204.002 - User Execution: Malicious File</a> | <a href="https://ui.threatstream.com/attackpattern/9588">T1547 - Boot Or Logon Autostart Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9715">T1071.001 - Application Layer Protocol: Web Protocols</a> | <a href="https://ui.threatstream.com/attackpattern/9617">T1041 - Exfiltration Over C2 Channel</a><br> <b>Target Industry:</b> Technology<br> </p> </div>
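<p>Three of this week's items (Evelyn Stealer, PDFSider and the LinkedIn RAT campaign) share one loader trick: a legitimate, signed executable is dropped next to a malicious DLL and resolves it by name. The analyst comments ask for visibility into DLL loading; the Python below is an added example, not code from any of the reports or vendors above, of what that check can look like when run over image-load telemetry. The Sysmon Event ID 7 style field names, the starter list of hijackable DLL names (only cryptbase.dll comes from the PDFSider item), the user-writable path heuristic and every sample path are constructed assumptions for this example.</p>

```python
"""Flag DLL side-loading / search-order hijack indicators in image-load telemetry.

Added defensive example; not code from any of the reports above. Input is a
constructed, Sysmon Event ID 7 (Image loaded) style record set; field names,
the starter DLL list and the path heuristics are assumptions for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# DLLs that benign software resolves by name and that are therefore attractive
# hijack targets. cryptbase.dll is the one named in the PDFSider report; the
# rest are an illustrative starter list, not a complete one.
SYSTEM_DLL_NAMES = {"cryptbase.dll", "version.dll", "dwmapi.dll", "userenv.dll", "wtsapi32.dll"}
SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")
# Path fragments that mark locations an ordinary user can write to (assumed heuristic).
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass(frozen=True)
class ImageLoad:
    image: str          # hosting process executable (Sysmon "Image")
    image_loaded: str   # DLL that was mapped (Sysmon "ImageLoaded")
    process_signed: bool
    dll_signed: bool


def _norm(path: str) -> str:
    """Lower-case, backslash-normalized Windows path for comparison."""
    return str(PureWindowsPath(path)).lower()


def _in_system_dir(directory: str) -> bool:
    for root in SYSTEM_DIRS:
        root = _norm(root)
        if directory == root or directory.startswith(root + "\\"):
            return True
    return False


def classify(event: ImageLoad) -> list[str]:
    """Return the reasons an image-load event looks like side-loading (empty if none)."""
    dll = PureWindowsPath(event.image_loaded)
    dll_name = dll.name.lower()
    dll_dir = _norm(str(dll.parent))
    exe_dir = _norm(str(PureWindowsPath(event.image).parent))
    reasons = []

    # Rule 1: a well-known system DLL name resolved from outside the system
    # directories, i.e. the loader found a look-alike earlier in the search order.
    if dll_name in SYSTEM_DLL_NAMES and not _in_system_dir(dll_dir):
        reasons.append(f"system DLL name {dll_name} loaded from {dll.parent}")

    # Rule 2: a signed host loading an unsigned DLL from its own directory, where
    # that directory is user-writable (extracted archive, editor extension folder).
    user_writable = any(m in dll_dir for m in USER_WRITABLE_MARKERS)
    if event.process_signed and not event.dll_signed and dll_dir == exe_dir and user_writable:
        host = PureWindowsPath(event.image).name
        reasons.append(f"signed {host} loaded unsigned {dll.name} from its own user-writable directory")
    return reasons


def scan(events: list[ImageLoad]) -> dict[str, list[str]]:
    """Map each suspicious event's DLL path to the list of reasons it was flagged."""
    return {e.image_loaded: r for e in events if (r := classify(e))}


# Constructed sample telemetry (paths and file names are made up for the example).
SAMPLE_EVENTS = [
    # PDFSider pattern: PDF24 Creator run from an extracted archive picks up cryptbase.dll beside it.
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\Invoice\pdf24-Creator.exe",
              r"C:\Users\alice\AppData\Local\Temp\Invoice\cryptbase.dll", True, False),
    # Evelyn pattern: Lightshot.exe dropped by an editor extension loads a DLL from the same folder.
    ImageLoad(r"C:\Users\bob\.vscode\extensions\helper-1.0.0\bin\Lightshot.exe",
              r"C:\Users\bob\.vscode\extensions\helper-1.0.0\bin\version.dll", True, False),
    # Benign: the same system DLL resolved from System32 by an installed application.
    ImageLoad(r"C:\Program Files\PDF24\pdf24-Creator.exe",
              r"C:\Windows\System32\cryptbase.dll", True, True),
    # Benign: a signed helper DLL shipped in the application's own Program Files folder.
    ImageLoad(r"C:\Program Files\Notepad++\notepad++.exe",
              r"C:\Program Files\Notepad++\SciLexer.dll", True, True),
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_EVENTS).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

<p>Both rules fire on the two constructed malicious loads and neither fires on the two benign ones. Rule 1 is the high-confidence signal (a system DLL name that did not resolve to a system directory); rule 2 is noisier in practice, since legitimate portable applications also ship unsigned DLLs, so in a real pipeline it is better treated as a triage hint that is raised to an alert when the host process is a known sideload target or the directory was created by an archive extraction shortly before.</p>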
</div>
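<p>The Contagious Interview item rests on one VS Code behaviour: a task in <code>.vscode/tasks.json</code> whose <code>runOptions.runOn</code> is <code>"folderOpen"</code> starts as soon as the user marks the workspace as trusted. The Python below is an added example (not the researchers' code and not part of VS Code) of a pre-review check a developer or a repository-intake pipeline could run on a cloned project before opening it in the editor. The sample tasks.json, the task labels and the script path it references are constructed for this example.</p>

```python
"""Audit a repository's .vscode/tasks.json for tasks that VS Code runs on its own
once the workspace is trusted (runOptions.runOn == "folderOpen").

Added defensive example; not code from the report or from VS Code. The sample
tasks.json and the script name it references are constructed for this example.
"""
from __future__ import annotations

import json
from pathlib import Path

AUTO_RUN = "folderOpen"   # VS Code runOptions.runOn value: task starts when the folder opens


def strip_jsonc(text: str) -> str:
    """Turn VS Code's JSON-with-comments into strict JSON.

    Drops // and /* */ comments outside string literals and trailing commas,
    both of which json.loads would otherwise reject.
    """
    out: list[str] = []
    pending_comma = False
    i, n = 0, len(text)

    def emit(chunk: str) -> None:
        nonlocal pending_comma
        if pending_comma:
            if chunk[0] not in "}]":      # a comma only survives if a value follows it
                out.append(",")
            pending_comma = False
        out.append(chunk)

    while i < n:
        c = text[i]
        if c == '"':                      # copy a string literal verbatim, honouring escapes
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            emit(text[i:j + 1])
            i = j + 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j < 0 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j < 0 else j + 2
        elif c == ",":
            pending_comma = True
            i += 1
        elif c.isspace():
            out.append(c)                 # whitespace does not decide a pending comma
            i += 1
        else:
            emit(c)
            i += 1
    return "".join(out)


def audit_tasks(tasks_json_text: str) -> list[dict]:
    """Return every task that auto-runs on folder open, with its effective command."""
    doc = json.loads(strip_jsonc(tasks_json_text))
    findings = []
    for task in doc.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != AUTO_RUN:
            continue
        args = [a.get("value", "") if isinstance(a, dict) else str(a) for a in task.get("args", [])]
        findings.append({
            "label": task.get("label", "<unnamed>"),
            "type": task.get("type", "shell"),
            "command": " ".join([str(task.get("command", ""))] + args).strip(),
            # presentation.reveal == "never" keeps the terminal closed, so nothing is seen running
            "hidden": (task.get("presentation") or {}).get("reveal") == "never",
        })
    return findings


def audit_repo(repo: Path) -> list[dict]:
    """Audit a checked-out repository; an absent tasks.json yields no findings."""
    path = repo / ".vscode" / "tasks.json"
    return audit_tasks(path.read_text(encoding="utf-8")) if path.is_file() else []


# Constructed sample (not taken from any real repository).
SAMPLE_TASKS_JSON = r'''{
  // an ordinary build task plus one that starts itself
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build",
    },
    {
      "label": "prepare-env",
      "type": "shell",
      "command": "node",
      "args": ["scripts/setup.js"],
      "presentation": { "reveal": "never" },
      "runOptions": { "runOn": "folderOpen" } /* fires once the workspace is trusted */
    }
  ]
}'''

if __name__ == "__main__":
    for f in audit_tasks(SAMPLE_TASKS_JSON):
        print(f"auto-run task {f['label']!r} ({f['type']}): {f['command']}  hidden={f['hidden']}")
```

<p>Run <code>audit_repo(Path("path/to/clone"))</code> before opening a repository received through a recruitment or coding-challenge exchange; any finding is worth reading in full before trusting the workspace, and a hidden auto-run task that invokes an interpreter is exactly the shape the report describes. The JSONC stripper matters because tasks.json routinely carries comments and trailing commas that a strict parser would reject, which would otherwise turn the check into a silent skip.</p>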