Overview
January 2026 reinforced a clear reality: attackers are gaining leverage by abusing trust and identity far more often than by inventing new exploits. This month featured sustained identity-driven intrusions (vishing, adversary-in-the-middle, OAuth abuse, Browser-in-the-Browser phishing), aggressive compromise of developer tooling and supply chains (VS Code extensions, PyPI/npm abuse, CI/CD misconfigurations), and expanding use of trusted platforms and legitimate services to deliver payloads and maintain access (Google workflows, Cloudflare tunnels, Vercel-hosted pages, GitHub forks, Hugging Face repositories, Telegram channels, Google Calendar configuration staging). In parallel, exploitation of high-impact perimeter and infrastructure weaknesses remained a consistent accelerator (email servers, firewalls, hypervisors), while botnets and mobile fraud ecosystems continued scaling through low-friction access paths and operationalized monetization.
Key Trends Identified
- Identity-first compromise is now the dominant intrusion path: Human-operated vishing against Okta, Microsoft Entra, and Google SSO; SharePoint-themed adversary-in-the-middle phishing enabling business email compromise; Browser-in-the-Browser credential harvesting; DocuSign and LastPass impersonation campaigns; and OAuth abuse through ConsentFix/ConsentFix-style flows that steal authorization codes and mint tokens without taking passwords.
- Trusted platforms are being used as delivery infrastructure, not merely impersonated: Hugging Face repos hosting Android RAT payloads at scale; Cloudflare TryCloudflare tunnels backing WebDAV staging; Vercel-hosted phishing chains distributing legitimate remote support tooling; Google cloud automation and notification services sending fully authenticated phishing emails; GitHub forks manipulating “official” documentation-linked installers; and Google Calendar/ICS files serving live configurations for multi-stage malware.
- Developer ecosystems remain a prime attack surface: Trojanized VS Code extensions (Solana-transaction command retrieval, encrypted loaders, credential and wallet theft, ScreenConnect deployment); mass-surveillance IDE extensions exfiltrating source code; npm and PyPI lookalike packages delivering RATs or cryptominers; “PackageGate” weaknesses undermining dependency controls; and targeted recruiter-driven repo lures abusing VS Code task automation to execute malware on folder open.
- Cloud and AI infrastructure is being targeted for compute theft, access resale, and pivot opportunities: Large-scale LLM endpoint abuse (“LLMjacking”); prompt-driven session takeover techniques (Reprompt against Copilot Personal, prior to mitigation); Azure Private DNS/Private Endpoint behavior that can produce outage conditions through configuration changes; and cloud-aware Linux post-exploitation tooling built for containers and Kubernetes (VoidLink).
- Remote administration tooling abuse is a persistent, high-confidence pattern: ScreenConnect delivered via malicious VS Code extensions; GoTo Resolve and LogMeIn Resolve installed silently via phishing chains and trojanized wallet installers; RustDesk implants used as operator-controlled footholds; and “legitimate tool” deployment used to lower detection rates and accelerate time-to-control.
- Perimeter and core infrastructure weaknesses remain a force multiplier: active exploitation against SmarterMail (admin takeover to SYSTEM-level code execution), FortiGate SSO bypass behavior with rapid config export, VMware guest-to-host escape chains enabling hypervisor compromise, Office security feature bypass requiring user interaction, and disruptive conditions tied to firewall maintenance-mode triggers.
- Stealer and loader tradecraft continues shifting toward memory-resident execution and layered evasion: Multi-stage delivery via PNG steganography, fileless Remcos chains via remote templates, ClickFix-assisted loaders, cryptbase DLL sideloading into signed apps for memory-only backdoors, and staged payload decryption/injection into trusted Windows processes.
- Botnets are evolving beyond simple scanning: Residential-proxy pivoting to reach devices behind NAT; aggressive multi-architecture botnet operations rapidly weaponizing newly disclosed web framework weaknesses; and brute-force botnets operationalizing credential reuse against exposed services at scale.
- Geopolitically aligned operations continue prioritizing endurance and selective access: China-nexus access operations against critical infrastructure and telecom; North Korea targeting developers through recruiter lures and QR-code workflows; Iran-aligned espionage continuity with long-running tool ecosystems; and Russian-aligned emphasis on misconfigured edge devices and critical infrastructure positioning.
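The folder-open task abuse listed above (and in the Lazarus Group entry further down) rides on a legitimate VS Code feature: a task in .vscode/tasks.json whose runOptions.runOn is set to "folderOpen" starts as soon as the workspace is opened. The following Python is an added defender-side check, not code from this report or from any vendor, that flags such tasks in a checkout before it is opened in the IDE; the sample tasks.json is constructed for illustration.

```python
import json
from pathlib import Path

def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments (tasks.json is JSONC) while leaving
    comment-like text inside string literals untouched."""
    out, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c == '"':                                  # copy a string literal verbatim
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1      # skip escaped characters
            out.append(text[i:j + 1]); i = j + 1
        elif text.startswith("//", i):                # line comment: drop to end of line
            j = text.find("\n", i); i = n if j < 0 else j
        elif text.startswith("/*", i):                # block comment: drop to closing */
            j = text.find("*/", i + 2); i = n if j < 0 else j + 2
        else:
            out.append(c); i += 1
    return "".join(out)

def auto_run_tasks(tasks_json: str) -> list[dict]:
    """Return every task configured to run automatically on folder open."""
    doc = json.loads(strip_jsonc(tasks_json))
    hits = []
    for task in doc.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
            hits.append({"label": task.get("label", "<unnamed>"),
                         "type": task.get("type", "shell"),
                         "command": " ".join(parts).strip()})
    return hits

def scan_workspace(root: Path) -> list[tuple[str, dict]]:
    """Walk a checkout and report folderOpen tasks in any .vscode/tasks.json."""
    findings = []
    for path in root.rglob("tasks.json"):
        if path.parent.name != ".vscode":
            continue
        rel = str(path.relative_to(root))
        try:
            findings += [(rel, hit) for hit in auto_run_tasks(path.read_text(encoding="utf-8"))]
        except (json.JSONDecodeError, OSError):
            findings.append((rel, {"label": "<unparseable>", "type": "", "command": ""}))
    return findings

# Constructed sample (not taken from any real repository) showing the trigger.
SAMPLE_TASKS_JSON = """{
  // this task fires as soon as the folder is opened in VS Code
  "version": "2.0.0",
  "tasks": [
    {"label": "install deps", "type": "shell", "command": "npm", "args": ["install"],
     "runOptions": {"runOn": "folderOpen"}},
    {"label": "lint", "type": "shell", "command": "npm run lint"}
  ]
}"""

if __name__ == "__main__":
    for hit in auto_run_tasks(SAMPLE_TASKS_JSON):
        print(f"[auto-run on folderOpen] {hit['label']}: {hit['command']}")
```

Run scan_workspace(Path("path/to/clone")) against a freshly cloned repository and review any reported command before trusting the workspace; VS Code's Workspace Trust prompt blocks these tasks only while the folder is still marked untrusted.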
Threat Landscape Overview
Criminal operations in January leaned heavily into identity compromise, trust abuse, and developer-supply-chain reach. Multiple campaigns demonstrated that a single successful interaction can now translate into broad SaaS access, durable token persistence, and rapid downstream data harvesting—without malware. At the same time, where malware was used, delivery increasingly blended into normal workflows: cloud-hosted archives, signed installers, trusted remote support products, and in-memory-only chains that leave minimal disk artifacts. The practical effect is a compressed intrusion lifecycle: faster initial access, faster privilege escalation, and faster data theft, with fewer of the classic indicators that defenders traditionally relied on.
Nation-state and state-aligned activity reinforced the same structural theme: low-noise access and long-term positioning beat noisy exploitation. Developer targeting remained prominent, both for direct credential and wallet theft and for potential supply-chain downstream impact. Cloud-first Linux frameworks and edge-device tradecraft reflected a strategic focus on where modern organizations actually run critical workloads: virtualization stacks, container platforms, telecom infrastructure, and identity layers. Separately, real-world infrastructure risk remained visible through operational disruptions and sabotage concerns, underscoring that availability and continuity are now inseparable from cyber risk management.
Industries Targeted
- Developer, CI/CD, and software supply chain: VS Code marketplace abuse, GitHub documentation-link installer manipulation, AWS CI pipeline takeover exposure via webhook misconfiguration, PyPI/npm lookalike packages, and dependency-manager control gaps that can bypass “ignore scripts” and lockfile assumptions.
- Cloud, SaaS, and AI infrastructure: LLM endpoint compromise for compute theft and access resale; Copilot session takeover technique prior to mitigation; Azure Private Endpoint DNS behaviors enabling unintended outage conditions; and cloud-tunneling services used for payload staging.
- Government, defense, policy, and NGOs: Targeted spear-phishing with DLL sideloading; U.S. policy-adjacent targeting; quishing campaigns mapped to North Korea-aligned operations; and sustained access models tied to critical infrastructure intelligence priorities.
- Telecommunications and internet infrastructure: China-nexus intrusions against telecom providers; Linux-based tooling tailored to network infrastructure; and heightened scrutiny around undersea cable damage events tied to critical communications routes.
- Manufacturing, industrial, and critical infrastructure: Access-oriented campaigns against critical infrastructure-defined organizations; hypervisor and perimeter targeting that can rapidly expand blast radius across segmented environments; and botnet exploitation of widely deployed web platforms.
Most Active Threat Actors
- GlassWorm (financially motivated, developer ecosystem): VS Code extension compromise waves using blockchain-based instruction retrieval and evolving macOS targeting, with escalation toward wallet replacement capability.
- GRU-aligned activity and Sandworm-linked risk (Russia-aligned): Low-noise compromise models abusing misconfigured network edge devices for credential interception, plus continued critical infrastructure targeting pressure.
- Infy / “Prince of Persia” (Iran-aligned): Long-running espionage continuity, with persistent, iterative tooling and infrastructure discipline sustained from late 2025 into current operations.
- Kimsuky (North Korea-aligned): Quishing operations using QR codes to move victims onto mobile devices for credential and token theft against policy-focused organizations.
- Lazarus Group (North Korea-aligned): Developer targeting through recruiter lures and malicious repositories; VS Code task automation abuse enabling near-zero-friction execution on trusted workspaces.
- Mustang Panda (China-aligned): Continued backdoor ecosystem evolution with expanded credential theft and deeper host control, paired with delivery via trusted software channels.
- ShinyHunters / Scattered Spider / “Scattered LAPSUS$ Hunters (SLH)” (financially motivated): Identity-driven intrusions using vishing and real-time social engineering to compromise SSO and pivot into downstream SaaS platforms for bulk data theft and extortion.
- TA584 (initial access broker): High-churn ClickFix adoption, rapid infrastructure rotation, and delivery of remote access tooling that can enable ransomware outcomes.
- UAT-8099 (criminal, web infrastructure abuse): IIS compromise for SEO fraud with region-scoped BadIIS variants and extended post-exploitation tradecraft for dwell time and evasion.
- UAT-7290 (China-nexus): Long-term espionage against telecom providers with edge-device exploitation, SSH targeting, modular Linux implant suites, and operational relay box infrastructure.
- UAT-8837 and UAT-8837-style access operations (China-nexus): Initial access focused on critical infrastructure organizations via vulnerability exploitation and credential abuse, followed by hands-on-keyboard activity and AD reconnaissance.
Hunter Insights
Attack activity over the next 6–12 months is likely to sharpen around identity-centric access paths and trusted service abuse rather than novel exploit chains, further compressing the intrusion lifecycle from first contact to data theft and extortion. Expect continued growth in vishing, adversary-in-the-middle, OAuth consent abuse, and Browser-in-the-Browser techniques that harvest session tokens and authorization codes to “log in, not break in,” with ShinyHunters/SLH-style groups and initial access brokers operationalizing playbooks that pivot from a single SaaS identity into broad cloud and AI estates without dropping traditional malware. As defenders raise friction around passwords and MFA, attackers will lean harder on low-noise consent flows, device enrollment fraud, QR-code and mobile workflows, and social engineering of help desks and identity administrators to reissue trust at scale.
In parallel, infrastructure-focused campaigns will likely expand around three axes: weaponized developer ecosystems, cloud/AI compute abuse, and quiet edge-device footholds. Trojanized VS Code extensions, poisoned PyPI/npm packages, and GitHub/Hugging Face repositories that blend legitimate AI artifacts with polymorphic loaders will continue to offer both criminal and state-aligned actors efficient supply-chain reach into CI/CD and wallet-rich development environments. Cloud-aware malware and “LLMjacking” of exposed AI endpoints will grow into a durable underground market that resells stolen compute and model access, while botnets and nation-state units refine Linux and edge-device tradecraft to sit on firewalls, hypervisors, and telecom gear as long-term relay and disruption platforms.