Anomali Cyber Watch: Remcos RAT, BitB phishing, Linux Malware Framework, Supply Chain Intrusion and more

<div id="weekly"> <div id="trending-threats" class="trending-threats-article"> <h2 id="article-1"><a href="https://thehackernews.com/2026/01/new-malware-campaign-delivers-remcos.html" target="_blank" rel="noopener noreferrer">New Malware Campaign Delivers Remcos RAT Through Text-Only Staging and Living-Off-the-Land Execution </a></h2> <p>(published: January 13, 2026)</p> <p> Cybersecurity researchers have dissected a sophisticated Windows malware campaign tracked as SHADOW#REACTOR, which uses an intricate multi-stage infection chain to deploy the commercially available Remcos RAT. The intrusion begins with an obfuscated Visual Basic Script (VBS) launched via wscript.exe, which invokes a PowerShell stager to repeatedly download fragmented, text-only payload files from attacker infrastructure. These files are reassembled and decoded in memory by a .NET Reactor–protected assembly, effectively hiding malicious logic from static analysis. Later stages leverage legitimate tools like MSBuild.exe as trusted binaries to execute code and establish persistence. The campaign’s use of text artifacts, reflective loading, obfuscation, and living-off-the-land (LOLBin) abuse makes it difficult to detect with traditional signature-based defenses.<br> <br><b>Analyst Comment:</b> The real significance of this campaign is not the Remcos payload itself but the delivery strategy used to conceal it. By relying on text-only staging, in-memory reconstruction, and abuse of trusted Windows tools, SHADOW#REACTOR demonstrates how routine scripting activity can be weaponized to evade file-based and signature-driven defenses. None of the individual techniques are new, but their careful sequencing creates blind spots when security controls evaluate events in isolation. For defenders, this reinforces the importance of monitoring script execution chains, unexpected use of build utilities, and cross-process behavior rather than focusing solely on identifying known malware binaries.<br> <br><b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/9853">T1059.005 - Command and Scripting Interpreter: Visual Basic</a> | <a href="https://ui.threatstream.com/attackpattern/9828">T1059.001 - Command and Scripting Interpreter: Powershell</a> | <a href="https://ui.threatstream.com/attackpattern/9591">T1027 - Obfuscated Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/12881">T1620 - Reflective Code Loading</a> | <a href="https://ui.threatstream.com/attackpattern/9952">T1127.001 - Trusted Developer Utilities Proxy Execution: Msbuild</a> | <a href="https://ui.threatstream.com/attackpattern/9819">T1218 - Signed Binary Proxy Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9715">T1071.001 - Application Layer Protocol: Web Protocols</a><br> </p> <h2 id="article-1"><a href="https://www.helpnetsecurity.com/2026/01/13/browser-in-the-browser-bitb-phishing/" target="_blank" rel="noopener noreferrer">Browser-in-the-Browser Phishing Evolves into a High-Fidelity Credential Trap </a></h2> <p>(published: January 13, 2026)</p> <p> Browser-in-the-Browser (BitB) phishing has re-emerged as a highly effective credential theft technique, leveraging modern web technologies to convincingly imitate legitimate browser login windows within a malicious webpage. Instead of redirecting victims to a separate phishing site, attackers use HTML, CSS, and JavaScript to render a fake authentication pop-up that closely mirrors real single sign-on dialogs from services such as Microsoft, Google, and social media platforms. Victims are often funneled through fake CAPTCHA challenges to reduce automated detection before being presented with the spoofed login prompt. Because the interface appears authentic and operates within the browser context, users frequently submit credentials without suspicion. The growing availability of phishing-as-a-service kits has accelerated BitB adoption, making this technique accessible to a wider range of threat actors and increasing overall phishing success rates.<br> <br><b>Analyst Comment:</b> This technique deliberately removes the visual and URL-based cues that many security awareness programs emphasize, shifting the attack surface squarely onto user behavior. The practical risk is not limited to careless users; even security-aware individuals can be fooled when authentication prompts appear in familiar contexts and behave almost identically to legitimate ones. The intelligence signal here is the growing operational maturity of BitB, driven by phishing-as-a-service kits that package this capability at scale. Defenders should treat BitB as evidence that password-based authentication is increasingly fragile and that identity security controls and behavioral awareness, not cosmetic checks, are now central to phishing defense.<br> <br><b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10028">T1566.002 - Phishing: Spearphishing Link</a><br> </p> <h2 id="article-1"><a href="https://www.bleepingcomputer.com/news/security/new-voidlink-malware-framework-targets-linux-cloud-servers/" target="_blank" rel="noopener noreferrer">Cloud-Aware Linux Malware Framework Poised for Future Threats </a></h2> <p>(published: January 13, 2026)</p> <p> Security researchers have unveiled VoidLink, an advanced, cloud-native Linux malware framework designed to maintain stealthy, long-term access to cloud and containerized environments. VoidLink’s architecture is highly modular, incorporating custom loaders, implants, rootkits, and more than 30 plugins that cover reconnaissance, credential harvesting, persistence, lateral movement, container escape, and anti-forensic tasks. It detects when it runs in cloud platforms (AWS, Azure, GCP, Alibaba, Tencent) and container runtimes like Docker and Kubernetes and adapts behavior accordingly. Operational security features include runtime encryption, anti-analysis checks, and self-destruction upon tampering. Samples appear to originate from a Chinese-affiliated development environment and include debug artifacts, suggesting ongoing active development rather than widespread deployment. Though no confirmed real-world attacks exist yet, VoidLink signals a shift in adversary focus toward Linux-centric cloud infrastructure and persistent malware frameworks.<br> <br><b>Analyst Comment:</b> The framework’s value lies in its breadth: environment detection across major cloud providers, deep container awareness, and a plugin ecosystem that supports reconnaissance, persistence, and lateral movement without relying on noisy exploits. The inclusion of rootkit components and anti-forensic controls suggests an emphasis on durable access and stealth over speed. While there is no evidence of active deployment, the development artifacts point to a tool still being refined, not shelved. Defenders should read this as a prompt to reassess post-access assumptions in cloud environments by tightening IAM scope, improving Linux and container runtime monitoring, and prioritizing behavioral detection over static indicators. <br> <br><b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/9585">T1059 - Command And Scripting Interpreter</a> | <a href="https://ui.threatstream.com/attackpattern/9588">T1547 - Boot Or Logon Autostart Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9818">T1014 - Rootkit</a> | <a href="https://ui.threatstream.com/attackpattern/9593">T1552 - Unsecured Credentials</a> | <a href="https://ui.threatstream.com/attackpattern/9956">T1082 - System Information Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9604">T1021 - Remote Services</a> | <a href="https://ui.threatstream.com/attackpattern/9591">T1027 - Obfuscated Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/9767">T1070 - Indicator Removal On Host</a><br> </p> <h2 id="article-1"><a href="https://thehackernews.com/2026/01/n8n-supply-chain-attack-abuses.html " target="_blank" rel="noopener noreferrer">Weaponized n8n Community Nodes Expose OAuth Credentials in Supply Chain Intrusion </a></h2> <p>(published: January 13, 2026)</p> <p> Threat actors have launched a sophisticated supply chain attack against the n8n workflow automation ecosystem by publishing malicious npm packages disguised as legitimate community nodes. These rogue packages, such as n8n-nodes-hfgjf-irtuinvcm-lasdqewriit, appeared to be Google Ads integrations and tricked users into entering OAuth and API credentials. Once installed, the malicious code leveraged n8n’s trust model to decrypt stored credentials during workflow execution and exfiltrate them to attacker-controlled servers. Multiple such packages were available on the npm registry and have since been removed, but more may still be in circulation. The campaign takes advantage of n8n’s model where community nodes execute with full platform privileges, giving attackers a path into sensitive token stores for services like Google Ads, Stripe, and Salesforce. This incident underscores inherent risks in extensible automation platforms and the growing sophistication of supply chain threats. <br> <br><b>Analyst Comment:</b> This incident is a clear reminder that automation platforms are quietly becoming credential aggregation hubs, making them attractive targets even without exploitable vulnerabilities. The attackers did not bypass security controls; they operated within n8n’s intended trust model by abusing community extensions that users willingly installed. It means traditional dependency scanning and vulnerability management are not enough on their own. Organizations relying on workflow automation should reassess how much trust they grant third-party nodes, implement stricter governance around extensions, and monitor how and when credentials are accessed at runtime. From an intelligence perspective, this campaign reinforces a broader trend toward supply chain abuse at the operational layer, where legitimate functionality is repurposed to enable stealthy, high-impact credential theft.<br> <br><b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/9611">T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain</a> | <a href="https://ui.threatstream.com/attackpattern/10112">T1059.007 - Command and Scripting Interpreter: Javascript</a> | <a href="https://ui.threatstream.com/attackpattern/10014">T1552.001 - Unsecured Credentials: Credentials In Files</a> | <a href="https://ui.threatstream.com/attackpattern/9617">T1041 - Exfiltration Over C2 Channel</a><br> </p> <h2 id="article-1"><a href="https://www.theregister.com/2026/01/12/breachforums_breach/" target="_blank" rel="noopener noreferrer">Massive Dark Web Forum Database Leak Exposes Cybercrime Community</a></h2> <p>(published: January 12, 2026)</p> <p> On January 9, 2026, the complete user database of BreachForums, a prominent English-language cybercrime forum, was leaked online by an individual using the alias "James," and hosted on a site named after the ShinyHunters extortion gang. The archive, titled breachedforum.7z, contains approximately 323,986 records including usernames, registration dates, email addresses, Argon2-hashed passwords, metadata, and around 70,000 public IP addresses. Analysis suggests the exposure stemmed from an unsecured backup left accessible during a forum restoration rather than active exploitation of MyBB software vulnerabilities. The dataset potentially contains PGP keys and internal information linked to known underground personas and groups. While some fields (e.g., loopback IPs) offer little investigative value, the public IPs and associated metadata represent rare intelligence that could aid law enforcement in mapping dark-web identities to real actors. The incident underscores persistent operational security failures within illicit infrastructure and raises questions about BreachForums' credibility and future viability.<br> <br><b>Analyst Comment:</b> This incident is less about embarrassment and more about exposure at scale. BreachForums functioned as a trust hub for data brokers and threat actors, and this leak cuts directly into that trust model. The real intelligence value is not the account count, but the metadata that can be correlated over time to link aliases, infrastructure, and real-world activity. Analysts should expect short-term disruption in underground markets, with actors abandoning handles, rotating infrastructure, or shifting platforms. For defenders and law enforcement, this creates a narrow but valuable window to map relationships and identify repeat offenders. The key is restraint, treat the dataset as a starting point for correlation, not a source of ground truth, and focus on patterns rather than individual records.<br> </p> <h2 id="article-1"><a href="https://www.bleepingcomputer.com/news/security/gootloader-now-uses-1-000-part-zip-archives-for-stealthy-delivery/" target="_blank" rel="noopener noreferrer">Malformed ZIP Abuse Expands GootLoader’s Evasion Playbook</a></h2> <p>(published: January 15, 2026)</p> <p> GootLoader operators have refined their delivery chain by abusing malformed ZIP archives to bypass security tooling and increase execution reliability. Recent analysis shows attackers distributing archives that intentionally violate ZIP format specifications, including inconsistent file headers, malformed or truncated directory structures, and excessive fragmentation into hundreds or thousands of parts. While these archives may fail validation by security scanners and automated analysis tools, they are still successfully reconstructed by standard extraction utilities on victim systems. Delivered primarily through search engine poisoning, the campaign targets users seeking business or legal documents, prompting them to manually extract and execute embedded JavaScript payloads. This technique allows GootLoader to evade static inspection, sandboxing, and email gateway defenses that rely on strict archive parsing. As an initial access malware, GootLoader continues to enable downstream infections, reinforcing its role as a reliable entry point for financially motivated threat actors.<br> <br><b>Analyst Comment:</b> GootLoader is not relying on novel evasion, but on inconsistent handling of malformed ZIP archives across defensive tooling and operating systems. When scanners fail early on invalid headers or malformed directory structures, the file is effectively passed over, while Windows extraction utilities still reconstruct it successfully. This behavior creates a dependable delivery path for initial access malware without requiring exploit code or heavy obfuscation. Defenders should treat malformed or partially corrupted archives as higher risk indicators and prioritize detection of script execution originating from extracted content, particularly when the download originates from search engine results tied to business or legal document queries.<br> <br><b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10028">T1566.002 - Phishing: Spearphishing Link</a> | <a href="https://ui.threatstream.com/attackpattern/10112">T1059.007 - Command and Scripting Interpreter: Javascript</a> | <a href="https://ui.threatstream.com/attackpattern/9591">T1027 - Obfuscated Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/9819">T1218 - Signed Binary Proxy Execution</a><br> </p> <h2 id="article-1"><a href="https://www.bleepingcomputer.com/news/security/reprompt-attack-let-hackers-hijack-microsoft-copilot-sessions/ " target="_blank" rel="noopener noreferrer">Silent One-Click Microsoft Copilot Data Exfiltration Threat </a></h2> <p>(published: January 14, 2026)</p> <p> Researchers have uncovered a new exploitation technique, dubbed Reprompt, that allowed attackers to hijack Microsoft Copilot Personal sessions and silently extract sensitive data with a single click on a crafted link. The flaw abused how Copilot accepts pre-filled prompts via a URL parameter, enabling attackers to embed malicious instructions that execute automatically. By chaining follow-up requests, threat actors could maintain control of the victim’s session and siphon emails, files, and other personal information without further interaction or visible signs. Reprompt bypassed Copilot’s built-in safeguards and persisted even after users closed the session. Microsoft has issued a patch for the vulnerability and confirmed that enterprise Copilot variants with stronger controls are not impacted. Strong link filtering, session controls, and monitoring are recommended to mitigate similar AI-centric threats. <br> <br><b>Analyst Comment:</b> It is worth calling out that this issue was limited to Copilot Personal. Microsoft 365 Copilot, which runs inside enterprise tenants, was not affected due to controls such as Purview auditing, DLP enforcement, and admin-managed restrictions. That difference matters. AI assistants are being woven deeper into everyday work, and attackers are starting to treat them like any other trusted interface that can be manipulated. Personal AI tools rely heavily on session trust and user context, which makes them easier to abuse through social engineering. As AI adoption grows, this kind of logic-driven attack is likely to become more common, especially where AI operates outside managed environments.<br> <br><b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10028">T1566.002 - Phishing: Spearphishing Link</a> | <a href="https://ui.threatstream.com/attackpattern/9615">T1204.002 - User Execution: Malicious File</a> | <a href="https://ui.threatstream.com/attackpattern/9668">T1114 - Email Collection</a> | <a href="https://ui.threatstream.com/attackpattern/9664">T1213 - Data From Information Repositories</a> | <a href="https://ui.threatstream.com/attackpattern/9617">T1041 - Exfiltration Over C2 Channel</a><br> </p> <h2 id="article-1"><a href="https://www.bleepingcomputer.com/news/security/malicious-ghostposter-browser-extensions-found-with-840-000-installs/ " target="_blank" rel="noopener noreferrer">GhostPoster Campaign Abuses Trusted Browser Extensions to Monetize User Traffic at Scale</a></h2> <p>(published: January 17, 2026)</p> <p> Security researchers have uncovered a large-scale malicious browser extension campaign, tracked as GhostPoster, that amassed more than 840,000 installs across Google Chrome, Microsoft Edge, and Mozilla Firefox before removal. The extensions, distributed through official marketplaces operated by Google, Microsoft, and Mozilla, masqueraded as benign utilities while secretly executing ad fraud, redirecting traffic, and harvesting browsing-related data. Analysis published by BleepingComputer shows the extensions relied on excessive permissions, remote command updates, and delayed activation to evade detection. Additional reporting indicates the campaign aligns with a growing pattern of abuse targeting trusted extension ecosystems, where attackers exploit weak vetting and user trust rather than software vulnerabilities. All identified extensions have been taken down, but the incident highlights ongoing risks tied to browser add-ons sourced from official stores.<br> <br><b>Analyst Comment:</b> GhostPoster highlights how browser extensions are evolving from simple monetization tools into staged, modular execution platforms. The newer variants go beyond basic ad fraud by hiding executable logic inside benign-looking image files and only activating it at runtime, extending dormancy and complicating detection. This shift reflects a broader trend seen over the past year, where attackers favor resilience and longevity over speed, especially inside trusted ecosystems like extension stores. Even after removal, users who installed these add-ons may remain exposed, underscoring why extension hygiene matters. As the reporting shows, the real risk is not a single campaign but a repeatable model that blends in, persists quietly, and scales through trust rather than exploitation. For defenders, this means treating browser extensions as managed software: limit them by default, review permissions regularly, and monitor for unexpected network or runtime behavior.<br> <br><b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10114">T1176 - Browser Extensions</a> | <a href="https://ui.threatstream.com/attackpattern/10112">T1059.007 - Command and Scripting Interpreter: Javascript</a> | <a href="https://ui.threatstream.com/attackpattern/9591">T1027 - Obfuscated Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/12893">T1622 - Debugger Evasion</a> | <a href="https://ui.threatstream.com/attackpattern/9715">T1071.001 - Application Layer Protocol: Web Protocols</a> | <a href="https://ui.threatstream.com/attackpattern/12878">T1213.003 - Data from Information Repositories: Code Repositories</a><br> </p> <h2 id="article-1"><a href="https://www.darkreading.com/mobile-security/predator-spyware-sample-vendor-controlled-c2 " target="_blank" rel="noopener noreferrer">Advanced Mobile Spyware’s Vendor-Managed Infrastructure Uncovered </a></h2> <p>(published: January 15, 2026)</p> <p> Researchers analyzing a sample of Predator commercial spyware have revealed that the spyware’s command-and-control architecture likely remains tightly managed by its developer, Intellexa. Unlike traditional spyware, Predator’s sophisticated anti-analysis mechanisms send detailed error codes back to C2 servers whenever a deployment attempt fails, giving operators insight into why infections did not succeed. The presence of standardized error taxonomies and centralized reporting functions suggests a unified infrastructure rather than disparate customer-run systems. Previous investigations by Google Threat Analysis Group and Citizen Lab have shown Predator bundles multiple zero-day exploit chains to target Android and iOS devices, enabling covert access to microphones, cameras, messages, and location data. Amnesty International’s “Intellexa Leaks” further indicates that the vendor historically maintained deep access into customer environments. Continued global reporting highlights Predator’s use in targeting journalists, politicians, and civil society figures, raising serious concerns about misuse and privacy abuses.<br> <br><b>Analyst Comment:</b> This research is important because it challenges a blind spot many organizations still have. Mobile devices are often treated as secondary endpoints, yet Predator shows they are prime targets for high-end surveillance. When attackers use zero-day exploits, prevention is not always realistic. What is realistic is limiting how much access a compromised device actually provides. Phones routinely hold corporate email, messaging apps, VPN access, MFA approvals, and sensitive contacts, which makes them frontline assets, not accessories. Defenders should read this as a reminder that mobile security posture directly affects enterprise risk. Hardening mobile configurations, reducing implicit trust, and limiting access from mobile devices can significantly reduce blast radius even when advanced exploitation succeeds.<br> <br><b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/9752">T1203 - Exploitation For Client Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9585">T1059 - Command And Scripting Interpreter</a> | <a href="https://ui.threatstream.com/attackpattern/9588">T1547 - Boot Or Logon Autostart Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9714">T1071 - Application Layer Protocol</a> | <a href="https://ui.threatstream.com/attackpattern/12893">T1622 - Debugger Evasion</a> | <a href="https://ui.threatstream.com/attackpattern/17806">T1429 - Capture Audio</a> | <a href="https://ui.threatstream.com/attackpattern/17820">T1430 - Location Tracking</a> | <a href="https://ui.threatstream.com/attackpattern/17838">T1417 - Input Capture</a> | <a href="https://ui.threatstream.com/attackpattern/9617">T1041 - Exfiltration Over C2 Channel</a><br> </p> <h2 id="article-1"><a href="https://www.theregister.com/2026/01/14/deadlock_ransomware_smart_contracts/" target="_blank" rel="noopener noreferrer">Ransomware Group Conceals Infrastructure via Public Blockchain </a></h2> <p>(published: January 14, 2026)</p> <p> Researchers have identified a low-profile ransomware operation, dubbed DeadLock, that is leveraging public blockchain smart contracts to obscure its command-and-control (C2) infrastructure and evade traditional defenses. First observed in July 2025, DeadLock does not use a public data-leak site or an affiliate program, contributing to its under-reported profile. Instead, the malware embeds JavaScript in HTML files dropped on infected systems that query a smart contract deployed on the Polygon blockchain to retrieve rotating proxy server addresses. By storing these proxy endpoints on-chain and updating them via smart contract functions, attackers can rotate infrastructure without maintaining centralized servers that defenders can block or seize. This technique is similar to so-called “EtherHiding,” previously seen with other threat actors abusing Ethereum. Once executed, DeadLock encrypts files (appending a “.dlock” extension), modifies system icons, and presents ransom instructions; newer variants also signal exfiltration and potential data sale. <br> <br><b>Analyst Comment:</b> This piece matters because it shows how ransomware operators are quietly changing the rules, not by being louder or more destructive, but by being harder to pin down. Using a public blockchain to store live infrastructure details removes many of the pressure points defenders normally rely on, like blocking servers or working with providers to take systems offline. That should be a wake-up call. If this approach spreads, some forms of disruption simply will not work the way they used to. For defenders, the value here is understanding where to focus next: earlier detection, closer inspection of script-based execution, and attention to “legitimate” services being used in unexpected ways. <br> <br><b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10112">T1059.007 - Command and Scripting Interpreter: Javascript</a> | <a href="https://ui.threatstream.com/attackpattern/9724">T1102.003 - Web Service: One-Way Communication</a> | <a href="https://ui.threatstream.com/attackpattern/9735">T1568.003 - Dynamic Resolution: Dns Calculation</a> | <a href="https://ui.threatstream.com/attackpattern/10080">T1486 - Data Encrypted For Impact</a> | <a href="https://ui.threatstream.com/attackpattern/9617">T1041 - Exfiltration Over C2 Channel</a><br> </p> </div> </div>