The Raven File examines how AI chatbots perform in threat intelligence tasks, focusing on logical errors and failure. The goal was to classify common risks across LLMs and show where human validation is still essential. theravenfile.com/2026/02/05/l...
06.02.2026 10:26
LevelBlue SpiderLabs continues its LockBit 5.0 series, with Part 3 analysing the Windows build. The analysis covers a targeted kill list that systematically dismantles the services needed for backups, virtualization and critical business databases. www.levelblue.com/blogs/spider...
06.02.2026 10:24
Cisco Talos uncovers DKnife, a gateway-monitoring and adversary-in-the-middle framework that manipulates network traffic & can hijack binary downloads or Android app updates to deliver malware. Used since at least 2019, its C2 was still active in Jan 2026. blog.talosintelligence.com/knife-cuttin...
06.02.2026 10:19
LevelBlue SpiderLabs continues its LockBit 5.0 series with part two, analysing the Linux x64 variant. The report compares behaviour across samples to show what stays consistent and what changes when the ransomware targets Linux systems. www.levelblue.com/blogs/spider...
05.02.2026 11:19
Seqrite Labs tracks an RTO-themed Android malware campaign targeting Indian users via WhatsApp-distributed apps. The operation uses a multi-stage chain with anti-analysis and a structured backend for data collection and remote operations. www.seqrite.com/blog/inside-...
05.02.2026 11:17
Huntress details an intrusion in which attackers gained access via compromised SonicWall SSLVPN credentials, then deployed an EDR killer using a revoked EnCase forensic driver to terminate security tools from kernel mode, reinforcing the growing BYOVD trend. www.huntress.com/blog/encase-...
05.02.2026 11:11
SophosLabs investigates WantToCry remote ransomware cases in which attackers operated from virtual machines with auto-generated NetBIOS names derived from Windows templates provisioned by ISPsystem. www.sophos.com/en-us/blog/m...
05.02.2026 11:08
Acronis TRU tracks Transparent Tribe (APT36) expanding beyond its usual government and defence focus to India's startup ecosystem. The campaign uses startup-themed decoys and ISO files with malicious LNK shortcuts to deliver Crimson RAT. www.acronis.com/en/tru/posts...
05.02.2026 11:06
Recorded Future's Insikt Group profiles Rublevka Team, a Russian SOL wallet drainer operation that pushes a promotion or airdrop event and drains wallets after victims connect and sign a transaction. The group automates campaigns via Telegram bots. www.recordedfuture.com/research/rub...
05.02.2026 11:04
RedAsgard shows how a Lazarus-linked fake job interview operation tricked developers into opening a repo & running npm install or loading it in VS Code, leading to credential theft. The investigation found 241k+ stolen credentials tied to 857 victims across 90 countries. redasgard.com/blog/hunting...
04.02.2026 10:05
Robin Dost details how APT28 uses CVE-2026-21509 in practice, relying on crafted RTF files that trigger OLE parsing without macros. The blog post walks through efficient IOC extraction from weaponised documents. blog.synapticsystems.de/apt28-geofen...
04.02.2026 09:55
LevelBlue SpiderLabs analyses DragonForce's evolving playbook, combining advanced RaaS features with a franchise-style affiliate model. The tooling supports full, header and partial encryption across multiple platforms. www.levelblue.com/blogs/spider...
04.02.2026 09:52
Fake "Verify You Are Human" CAPTCHA page that can appear when viewing a page from a legitimate but compromised website.
Text from KongTuke's fake CAPTCHA page injected into the viewer's clipboard, and the CAPTCHA page contains instructions to run the text as a command in the Windows Run window.
Traffic from the KongTuke activity and resulting infection filtered in Wireshark.
Reposted with correct malware names:
2026-02-02 (Monday) #KongTuke #ClickFix activity leads to #MintsLoader and #GhostWeaver RAT
Today's ClickFix uses the "finger" command, a tactic seen in previous ClickFix activity.
Further details available at www.malware-traffic-analysis.net/2026/02/02/i...
03.02.2026 03:25
Screenshot showing Google search results for a cracked version of ArcGIS where I specify site:drive.google.com. The results shown here all lead to PDF files hosted on Google Drive, and these PDF files contain links that lead to malware.
Here's an example of one of these PDF files hosted on Google Drive with a link that leads to malware.
Here's the page that pushes a password-protected 7-zip archive that contains an inflated EXE padded with null bytes. This EXE is for Lumma Stealer malware.
Lumma Stealer traffic generated by the extracted malware. This is filtered in Wireshark to focus on the Lumma Stealer C2 traffic.
2026-02-01 (Sunday): It's easy enough to find #LummaStealer malware samples.
Just do a Google search for cracked versions of popular software and specify site:drive.google.com.
Details on today's haul at github.com/malware-traf...
02.02.2026 03:46
Rapid7 reports on the Lotus Blossom campaign, including a compromise of Notepad++ hosting infrastructure used to deliver the Chrysalis backdoor. The report also details custom loaders, including one using Microsoft Warbird to hide shellcode execution. www.rapid7.com/blog/post/tr...
03.02.2026 13:38
Operation Neusploit: APT28 Uses CVE-2026-21509 | ThreatLabz
ThreatLabz uncovers Operation Neusploit targeting Central and Eastern Europe, with APT28 exploiting CVE-2026-21509.
Zscaler ThreatLabz reports on Operation Neusploit, a January 2026 campaign targeting Central and Eastern Europe. Weaponised Microsoft RTF files exploit CVE-2026-21509 to deliver multi-stage backdoors. The campaign is attributed to APT28 with high confidence. www.zscaler.com/blogs/securi...
03.02.2026 13:35
Forcepoint X-Labs tracks a multi-stage PDF phishing chain that evades email scanning by leaning on trusted hosting and layered redirects. The PDF is served from legitimate cloud infrastructure and redirects victims to a Dropbox style page to harvest credentials. www.forcepoint.com/blog/x-labs/...
03.02.2026 13:33
Cyble CRIL uncovers ShadowHS, a fileless Linux post-exploitation framework where an obfuscated in-memory loader deploys a weaponised hackshell variant. The payload shows latent capability for credential access, privilege escalation, EDR/AV fingerprinting & data theft. cyble.com/blog/shadowh...
02.02.2026 10:04
In a three-part series, LevelBlue SpiderLabs analyses LockBit 5.0 across 19 samples, showing how the cross-platform malware operates on Windows, Linux and ESXi. Part 1 focuses on the ESXi variant and highlights shared components plus ESXi-specific behaviours. www.levelblue.com/blogs/spider...
02.02.2026 09:57
ESET Research updates its DynoWiper findings, sharing deeper technical details on a wiper used against an energy company in Poland. TTPs overlap with the ZOV wiper case in Ukraine, and the activity is attributed to Sandworm with medium confidence. www.welivesecurity.com/en/eset-rese...
02.02.2026 09:53
Digital Security Lab Ukraine warns Ukrainian organisations were targeted on 22 Jan 2026 with National Bank of Ukraine themed phishing. The multi-stage chain led to installation of remote admin malware and established persistent endpoint control. dslua.org/publications...
30.01.2026 09:55
Zimperium zLabs identifies Arsink, a cloud-native Android RAT that harvests sensitive data and enables remote device control. The malware leverages Google Apps Script and Drive for file uploads, and alternative builds use Firebase and Telegram for C2 and data theft. zimperium.com/blog/the-ris...
30.01.2026 09:54
Point Wild analyses a multistage Windows malware chain, using LOTL tooling & in-memory payload delivery. A hidden BAT persists via a Run registry key, launches PowerShell & injects Donut shellcode into trusted processes before data exfiltration via Discord & Telegram. www.pointwild.com/threat-intel...
30.01.2026 09:51
Sekoia details IClickFix, a ClickFix campaign rotating multi-stage JavaScript loaders across compromised WordPress sites. The loader serves a fake Cloudflare Turnstile CAPTCHA, then clipboard-driven PowerShell drops NetSupport RAT. blog.sekoia.io/meet-iclickf...
30.01.2026 09:46
HarfangLab reports RedKitten, a new campaign seen in early January 2026 targeting Iranian interests, including NGOs & people documenting abuses. It uses GitHub and Google Drive for config/modules and Telegram for C2, with signs of LLM-assisted development. harfanglab.io/insidethelab...
30.01.2026 09:45
FortiGuard Labs tracks Interlock's shifting toolkit across recent intrusions. A key addition is a process-killing tool that leverages a zero-day vulnerability in a gaming anti-cheat driver to try to disable EDR and AV. www.fortinet.com/blog/threat-...
30.01.2026 09:43
FortiGuard Labs analyses EncystPHP, a weaponized web shell delivering remote command execution, persistence and further web shell deployment. It spreads by exploiting FreePBX vulnerability CVE-2025-64328 and is linked to the INJ3CTOR3 actor. www.fortinet.com/blog/threat-...
29.01.2026 10:34
ESET Research uncovered GhostChat, an Android spyware campaign using romance-scam tactics to target individuals in Pakistan. The campaign uses fake profiles (likely operated via WhatsApp), while the spyware exfiltrates victim data. www.welivesecurity.com/en/eset-rese...
29.01.2026 10:33
Google's Threat Intelligence Group warns WinRAR CVE-2025-8088 is still being exploited for initial access and payload delivery by both state-backed and financially motivated actors. The exploitation method allows files to be dropped into the Windows Startup folder. cloud.google.com/blog/topics/...
28.01.2026 09:55
Watch out for AT&T rewards phishing text that wants your personal details
Recently, we uncovered a realistic, multi-layered data theft phishing campaign targeting AT&T customers.
We saw a convincing text posing as AT&T, warning users their reward points were expiring. Only it wasn't from AT&T.
It's a phishing campaign using realistic branding, social engineering, and data theft.
27.01.2026 23:31