TRENDING TOPICS JAN 14, 2026

Reprompt: One-Click Copilot Session Hijack Enables Stealth Data Exfiltration

Security researchers at Varonis disclosed an attack method dubbed “Reprompt” that could let an attacker take over a user’s Microsoft Copilot Personal session and drive actions that expose sensitive data. The concept is simple and high-impact: a malicious prompt is hidden within a legitimate Copilot URL via the q parameter, and Copilot can automatically execute it when the page loads after a single click. From that initial interaction, the attacker can exploit the victim’s already-authenticated Copilot session and continue operating even after the Copilot tab is closed, turning a one-time click into ongoing access. The risk stems from Copilot’s ability to work with user prompts, conversation history, and certain Microsoft account data, depending on permissions, which creates a pathway for quiet data extraction. Varonis reports the method does not rely on plugins, extensions, or local malware, which lowers friction and reduces traditional detection opportunities. The net effect is that the user sees a normal link, while Copilot is being steered in the background.

Reprompt combines three techniques to bypass safeguards and sustain exfiltration over time: injecting instructions via the URL parameter, abusing a “double request” pattern in which protections apply to the first request but can be weakened in follow-on actions, and chaining instructions, where Copilot repeatedly pulls the next steps from the attacker's infrastructure. Because the real instructions arrive after the first prompt, defenders cannot reliably determine what data is being taken by inspecting only the initial link, and client-side tools have limited visibility into what Copilot is being told to do next.

Varonis disclosed the issue to Microsoft on August 31 and reported that it was fixed in the January 2026 Patch Tuesday, with no confirmed public exploitation prior to the fix. Researchers also clarified that the issue impacted Copilot Personal, not Microsoft 365 Copilot, which benefits from stronger enterprise controls and oversight. Organizations should prioritize applying the January 2026 Windows security updates, reinforce user guidance on avoiding unsolicited Copilot links, and review access policies that influence what Copilot can reach within personal Microsoft accounts.
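For triaging links found in mail or web-proxy logs, the following added example (not code from Varonis or Microsoft) flags Copilot URLs that arrive with a prompt already placed in the q parameter. The host name copilot.microsoft.com, the 200-character threshold, and the heuristics are assumptions for illustration, and the sample links are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: the host serving Copilot Personal links; extend for your environment.
COPILOT_HOSTS = {"copilot.microsoft.com"}
# Assumption: illustrative length threshold, tune against your own benign traffic.
MAX_Q_LEN = 200
EMBEDDED_URL = re.compile(r"https?://|www\.", re.IGNORECASE)


def decode_fully(value, rounds=3):
    """Undo nested percent-encoding so a double-encoded prompt is still inspected."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def triage_copilot_link(url):
    """Return the reasons a link deserves review; an empty list means nothing was flagged."""
    parts = urlsplit(url.strip())
    if (parts.hostname or "") not in COPILOT_HOSTS:
        return []
    prompts = [decode_fully(p) for p in parse_qs(parts.query).get("q", [])]
    if not prompts:
        return []
    reasons = ["prefilled prompt in q parameter"]
    if len(prompts) > 1:
        reasons.append("q parameter repeated")
    if any(EMBEDDED_URL.search(p) for p in prompts):
        reasons.append("prompt references an external URL")
    if any(len(p) > MAX_Q_LEN for p in prompts):
        reasons.append("prompt exceeds %d characters" % MAX_Q_LEN)
    return reasons


# Constructed sample links (not taken from the Varonis report).
SAMPLES = [
    "https://copilot.microsoft.com/",
    "https://copilot.microsoft.com/?q=weather%20in%20Seattle",
    "https://copilot.microsoft.com/?q=Open%20https%3A%2F%2Fexample.invalid%2Fnext",
    "https://copilot.microsoft.com/?q=Open%2520https%253A%252F%252Fexample.invalid",
    "https://example.com/?q=https%3A%2F%2Fexample.invalid",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", triage_copilot_link(link) or "no findings")
```

A finding marks the link for review only; because follow-on instructions arrive after the first prompt, the link alone does not show what data a session was steered toward.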

Update: LLMs Are Accelerating Ransomware, Not Reinventing It

Recent research from SentinelOne shows that large language models are not changing what ransomware actors do, but they are dramatically increasing how fast, broadly, and efficiently they operate. Threat groups are using LLMs across the full attack lifecycle, including reconnaissance, phishing, data review, and ransom negotiations, resulting in higher attack volume and improved precision. These tools help actors write convincing messages in a victim’s native language and rapidly identify sensitive data across regions and industries that previously posed language barriers. Rather than introducing new attack methods, LLMs are speeding up existing ones by automating routine work that once required time and expertise. This has lowered the barrier to entry for less skilled actors while allowing experienced groups to scale operations with fewer resources.

At the same time, the ransomware ecosystem is fragmenting into smaller crews and overlapping with state-aligned activity, increasing noise and complicating attribution. More advanced groups are increasingly shifting toward self-hosted, open-source models to avoid provider safeguards and monitoring, signaling a future in which defenders have less visibility into attacker tooling. Real-world incidents already show LLMs being used to automate extortion workflows, tailor ransom demands, and assist malware in identifying valuable files on compromised systems.

The primary risk is not intelligent malware making independent decisions, but industrialized extortion driven by faster execution and broader reach. Organizations should prepare for a more aggressive threat tempo by strengthening detection focused on behavior rather than signatures, accelerating incident response readiness, and improving resilience around phishing and credential exposure. Leadership teams should also plan for multilingual extortion attempts and more polished attacker communications during incidents.

For additional insights on the latest LLM-driven attack methods, including prompt injection and AI abuse trends, visit our blog page for ongoing updates and analysis.

Update: CastleLoader Stealth Malware Loader Driving High-Impact Intrusions

Any.Run security researchers are warning about CastleLoader, a stealthy first-stage malware loader now tied to campaigns targeting US government entities and multiple high-value industries. Researchers observed activity consistent with targeting public-sector environments, including systems associated with government operations, though no specific U.S. agencies have been publicly identified. Additionally, reporting indicates activity across public sector networks, IT providers, logistics and travel firms, and critical infrastructure organizations in Europe, with one tracked wave affecting at least 469 devices. CastleLoader’s role is to establish an initial foothold and quietly deliver follow-on malware, most often information stealers and remote access tools that enable credential theft, data access, and longer-term control of victim environments.

The loader has been active since early 2025 and is gaining traction because it reliably compromises systems and adapts to different intrusion chains. In several cases, it is introduced through “ClickFix” social engineering, where victims are tricked into running attacker-provided commands during fake troubleshooting or update steps. From there, CastleLoader works as the next stage and prepares the environment for the main payload to run without leaving an obvious file trail.

CastleLoader is built to evade common defenses by using a multi-step execution flow where each piece appears ordinary when viewed on its own, while the real malicious code runs inside a legitimate Windows process. Analysts observed an installer-based delivery that drops helper components, then starts a legitimate Windows program in suspended state and injects the malicious module into it, allowing the final payload to reside primarily in memory. This approach can reduce the effectiveness of signature-based tools and basic monitoring because defenders may only see a normal installer and a standard Windows component running.

Deep analysis recovered the loader’s configuration details, including network behavior and a command-and-control endpoint at 94[.]159[.]113[.]32, indicating structured remote control for tasking and status reporting. The broader takeaway is that modern loaders are increasingly engineered to blend into routine-looking process chains and minimize disk artifacts, which pushes defenders toward higher-quality telemetry and timely threat intelligence. Organizations should prioritize controls that detect in-memory threats, review unusual process chains involving older system tools, harden user workflows against ClickFix-style deception, and integrate fresh threat intelligence and validated detections from real executions.

Check Point researchers have identified VoidLink, a highly advanced Linux post-exploitation framework built specifically for modern cloud and container environments. The framework is modular, actively developed, and unusually well-documented, suggesting it may be intended for structured, possibly commercial use rather than opportunistic attacks. VoidLink is designed to understand where it runs, detecting Docker, Kubernetes, and major cloud platforms, then adapting its behavior based on the environment. It collects detailed system and security information and assigns a risk score that influences how aggressively it operates, favoring stealth in monitored environments. Communication is flexible and deliberately camouflaged to resemble normal web or API traffic, reducing the chance of detection. Although no confirmed infections have been observed, the framework's maturity indicates it is ready for real-world deployment.

What makes VoidLink particularly concerning is its breadth of capabilities and its focus on remaining hidden for long periods. It supports dozens of in-memory plugins covering reconnaissance, credential theft, lateral movement, persistence, and evidence cleanup, allowing operators to expand functionality without redeploying the core implant. The framework includes multiple rootkit techniques that vary based on kernel version, enabling it to hide processes, files, and network activity across a wide range of Linux systems. Advanced anti-analysis features detect debugging or tampering and trigger self-removal and cleanup to limit forensic visibility. This design reflects a broader shift toward cloud-native threats that target Linux workloads, containers, and developer-accessible systems rather than traditional desktops.

Organizations should strengthen cloud and container security baselines, tightly control access to instance metadata and credentials, monitor for abnormal outbound traffic patterns and in-memory activity, and prioritize behavioral detection and runtime visibility over reliance on static signatures.

Patch Tuesday January 13th 2026

Patch Tuesday – Microsoft has released its latest Patch Tuesday updates addressing multiple security vulnerabilities across Windows, Microsoft Office, and other supported products. These updates include fixes for both critical and important severity issues that could allow remote code execution, privilege escalation, or information disclosure if left unpatched. This Patch Tuesday also includes two zero-day vulnerabilities, one of which Microsoft reports is actively exploited, increasing the urgency to prioritize deployment of these updates.

Microsoft CVE Security Dashboard

| CVE | Severity | Component | Impact | Flags | Description |
|---|---|---|---|---|---|
| CVE-2026-20822 | Critical | Windows Graphics Component | Privilege Escalation | | Windows Graphics Component Elevation of Privilege Vulnerability enabling local attackers to gain SYSTEM-level privileges. |
| CVE-2026-20854 | Critical | Windows LSASS | Remote Code Execution | | Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability allowing network-based exploitation. |
| CVE-2026-20876 | Critical | Windows VBS Enclave | Privilege Escalation | | Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability compromising hypervisor isolation. |
| CVE-2026-20944 | Critical | Microsoft Word | Remote Code Execution | | Microsoft Word Remote Code Execution Vulnerability triggered by malicious documents. |
| CVE-2026-20952 | Critical | Microsoft Office | Remote Code Execution | | Microsoft Office Remote Code Execution Vulnerability exploitable through crafted Office files. |
| CVE-2026-20953 | Critical | Microsoft Office | Remote Code Execution | | Microsoft Office Remote Code Execution Vulnerability via malicious document processing. |
| CVE-2026-20955 | Critical | Microsoft Excel | Remote Code Execution | | Microsoft Excel Remote Code Execution Vulnerability triggered through crafted spreadsheets. |
| CVE-2026-20957 | Critical | Microsoft Excel | Remote Code Execution | | Microsoft Excel Remote Code Execution Vulnerability via malicious Excel file processing. |
| CVE-2026-20805 | High | Desktop Window Manager | Info Disclosure | Exploited in wild, Zero-day | Desktop Window Manager Information Disclosure Vulnerability actively exploited as a zero-day threat. |
| CVE-2026-21265 | High | Secure Boot | Security Feature Bypass | Zero-day | Secure Boot Certificate Expiration Security Feature Bypass Vulnerability discovered as a zero-day. |

Total CVEs: 10
Critical Severity: 8
Office RCE: 6
Zero-Days: 2
Actively Exploited: 1
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.