Cyber Security Weekly Briefing, 24-30 January
KONNI uses AI-generated PowerShell malware to attack blockchain developers
Check Point Research has revealed a new phishing campaign led by the North Korean group KONNI that specifically targets developers and engineering teams, especially in environments associated with blockchain and cryptocurrencies. The attackers send malicious links via Discord that download a ZIP file containing a malicious shortcut (LNK) and a decoy PDF.
When executed, the shortcut launches a highly obfuscated PowerShell backdoor, along with scripts and an executable to bypass user account controls, establishing persistence through scheduled tasks and continuous communication with a command and control server.
The centrepiece of the malware shows signs of having been generated with the help of artificial intelligence, with integrated documentation and a modular structure that are uncommon in traditional malware. KONNI is expanding its traditional focus beyond geopolitical targets to digital technical and financial assets.
The SLSH super alliance exploits Okta SSO and carries out attacks against more than 100 large companies
Silent Push warns of an ongoing campaign led by the criminal group known as SLSH, an alliance between Scattered Spider, LAPSUS$ and ShinyHunters.
This threat is attacking Okta SSO accounts at more than 100 large international organisations, including technology companies such as Atlassian and ZoomInfo, healthcare companies such as Moderna, financial companies such as Blackstone, telecommunications companies such as Telstra, retailers such as Carvana and energy companies such as Halliburton.
The attackers use live phishing panels and vishing (voice phishing) tactics to intercept credentials and multi-factor authentication tokens in real time, allowing them to bypass even advanced MFA protections and take complete control of business environments. The consequences include data exfiltration, lateral movement within internal networks, and possible data encryption for extortion.
It is recommended to audit SSO logs, alert employees, and use phishing-resistant MFA, such as FIDO2.
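As an added example (not part of the original briefing or of any vendor tooling), the following Python heuristic shows one way to audit SSO sign-in logs for the real-time credential and MFA relay described above. It walks a set of constructed records shaped like Okta System Log events, flags a successful session from an address the user has never used before, and raises the severity when an MFA factor is activated or reset for that user shortly afterwards. The event type names and field layout are assumptions; check them against your own tenant's log export.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the shape of Okta System Log events, reduced to
# the fields this heuristic reads. The eventType names are assumed; confirm them
# against your own tenant's log before relying on them.
def _ev(ts, event_type, user, ip, result="SUCCESS"):
    return {
        "published": ts,
        "eventType": event_type,
        "outcome": {"result": result},
        "actor": {"alternateId": user},
        "client": {"ipAddress": ip},
    }

SAMPLE_EVENTS = [
    _ev("2025-01-24T08:00:00.000Z", "user.session.start", "alice@example.com", "198.51.100.10"),
    _ev("2025-01-25T08:01:00.000Z", "user.session.start", "alice@example.com", "198.51.100.10"),
    _ev("2025-01-24T09:00:00.000Z", "user.session.start", "bob@example.com", "192.0.2.5"),
    _ev("2025-01-27T10:00:00.000Z", "user.session.start", "bob@example.com", "192.0.2.5"),
    # alice signs in from an address never seen for her; a new MFA factor is
    # activated four minutes later
    _ev("2025-01-27T14:02:00.000Z", "user.session.start", "alice@example.com", "203.0.113.77"),
    _ev("2025-01-27T14:06:00.000Z", "user.mfa.factor.activate", "alice@example.com", "203.0.113.77"),
    # carol's first ever sign-in: no baseline exists, so it is not flagged
    _ev("2025-01-27T11:00:00.000Z", "user.session.start", "carol@example.com", "198.51.100.44"),
    # a failed sign-in from a new address did not create a session and is ignored
    _ev("2025-01-27T12:00:00.000Z", "user.session.start", "bob@example.com", "203.0.113.99", "FAILURE"),
]

# Assumed event types that indicate an MFA factor was added or reset.
FACTOR_CHANGE_EVENTS = {"user.mfa.factor.activate", "user.mfa.factor.reset_all"}


def _ts(event):
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def audit_sessions(events, window_minutes=15):
    """Flag successful sessions from an IP the user has never used before.

    Severity is 'high' when an MFA factor is activated or reset for the same
    user within `window_minutes` of that sign-in: a pattern consistent with an
    attacker who relayed the victim's credentials and MFA code in real time and
    is now enrolling a factor of their own. Otherwise it is 'medium'.
    """
    window = timedelta(minutes=window_minutes)
    events = sorted(events, key=_ts)
    known_ips = defaultdict(set)  # per-user baseline built from earlier sessions
    findings = []
    for i, e in enumerate(events):
        if e["eventType"] != "user.session.start" or e["outcome"]["result"] != "SUCCESS":
            continue
        user, ip, t0 = e["actor"]["alternateId"], e["client"]["ipAddress"], _ts(e)
        if known_ips[user] and ip not in known_ips[user]:
            factor_change = any(
                f["eventType"] in FACTOR_CHANGE_EVENTS
                and f["actor"]["alternateId"] == user
                and timedelta(0) <= _ts(f) - t0 <= window
                for f in events[i + 1:]
            )
            findings.append({
                "user": user,
                "ip": ip,
                "time": e["published"],
                "severity": "high" if factor_change else "medium",
                "reason": "session from new IP"
                          + (" followed by MFA factor change" if factor_change else ""),
            })
        known_ips[user].add(ip)
    return findings


if __name__ == "__main__":
    for finding in audit_sessions(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

The new-IP baseline is deliberately simple; in production you would seed it from weeks of history and key on ASN or geolocation rather than exact address, and treat a factor change after the sign-in as the strongest signal, since a relayed one-time code gives the attacker a session but not a durable factor.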
Mustang Panda updates CoolClient backdoor with browser credential theft modules
A report by Kaspersky warns that the Mustang Panda threat group has updated its CoolClient backdoor with expanded capabilities for browser credential theft, clipboard monitoring, HTTP proxy credential sniffing, and file and service management operations using specialised plugins. CoolClient maintains persistence through modifications to the Registry, Windows services and scheduled tasks, and uses DLL sideloading with legitimate binaries to evade detection.
Kaspersky identified three variants: one targeting Chrome, another targeting Edge, and a general variant for Chromium-based browsers, capable of extracting and decrypting stored login data. In addition, collection and exfiltration scripts were observed gathering system information, recent documents, and credentials before uploading them to public services such as Pixeldrain and Google Drive.
These tools have been deployed against government entities in Asia and Russia, indicating an espionage campaign focused on sensitive data exfiltration and persistent surveillance.
State actors and cybercriminals exploit CVE-2025-8088 vulnerability in WinRAR six months after patch
Google Threat Intelligence has detailed the active exploitation of the WinRAR vulnerability CVE-2025-8088 (CVSSv4 8.4 according to ESET), a path traversal flaw that allows an attacker to place and execute files outside the intended extraction directory by abusing alternate data streams in specially crafted RAR files. Google confirms active exploitation since at least 18 July 2025 (the vulnerability was patched on 30 July), by both state actors linked to Russia and China and by cybercriminals, to establish initial access and deliver various payloads.
According to the report, the Russian groups UNC4895 (also known as RomCom or Cigar), APT44 (Frozenbarents), TEMP.Armageddon (Carpathian) and Turla (Summit) have exploited the flaw to distribute malware such as Stockstay, among others; an unidentified Chinese state-sponsored group managed to infect a victim with PoisonIvy, and various financially motivated cybercriminals installed RAT malware (XWorm or AsyncRAT) at business organisations.
It is recommended to update to the latest available version of WinRAR.
Operation Bizarre Bazaar: first attributed LLMjacking campaign with monetisation
Pillar Security has identified a massive campaign called Operation Bizarre Bazaar, which represents the first systematic "LLMjacking" operation run for commercial monetisation. It consists of hijacking artificial intelligence infrastructure by means of distributed network scanning for exposed development environments and large language model (LLM) endpoints that lack authentication or run with default configurations.
The threat actors, operating through a coordinated supply chain that includes the criminal marketplace "silver.inc", use these resources to run inference for free, exfiltrate data from conversation histories, or move laterally into internal systems through the Model Context Protocol (MCP). The campaign's impact has been global, affecting multiple sectors, with more than 35,000 detected attack sessions aimed at reselling access to the stolen computing capacity.
It is strongly recommended to enable authentication on all AI endpoints, perform MCP server exposure audits, block known malicious infrastructure subnets, and implement rate limits and behaviour monitoring to detect enumeration patterns from multiple vendors.
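As an added example (not part of the original briefing or of Pillar Security's research), the Python below shows the "behaviour monitoring" and "rate limits" recommendations against a handful of constructed access-log lines from an assumed reverse proxy placed in front of an LLM serving endpoint. A client that touches several different discovery or inference routes within a short window is reported as an enumeration candidate, while a client that repeatedly calls a single route is not; a small sliding-window limiter then shows which of those requests a per-client cap would have refused. The log format, paths and thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in combined access-log format, as an assumed reverse
# proxy in front of an LLM endpoint might write them. One client probes several
# routes in twelve seconds; one internal app calls a single route repeatedly;
# one client touches two routes five minutes apart.
SAMPLE_LOG = """\
203.0.113.9 - - [27/Jan/2025:10:00:01 +0000] "GET /v1/models HTTP/1.1" 401 0 "-" "python-requests/2.31"
203.0.113.9 - - [27/Jan/2025:10:00:03 +0000] "GET /api/tags HTTP/1.1" 404 0 "-" "python-requests/2.31"
203.0.113.9 - - [27/Jan/2025:10:00:07 +0000] "GET /models HTTP/1.1" 404 0 "-" "python-requests/2.31"
203.0.113.9 - - [27/Jan/2025:10:00:12 +0000] "POST /v1/chat/completions HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.7 - - [27/Jan/2025:10:00:05 +0000] "POST /v1/chat/completions HTTP/1.1" 200 812 "-" "internal-app/1.0"
198.51.100.7 - - [27/Jan/2025:10:00:45 +0000] "POST /v1/chat/completions HTTP/1.1" 200 640 "-" "internal-app/1.0"
198.51.100.7 - - [27/Jan/2025:10:01:20 +0000] "POST /v1/chat/completions HTTP/1.1" 200 990 "-" "internal-app/1.0"
192.0.2.30 - - [27/Jan/2025:10:00:10 +0000] "GET /v1/models HTTP/1.1" 401 0 "-" "curl/8.4.0"
192.0.2.30 - - [27/Jan/2025:10:05:30 +0000] "GET /api/tags HTTP/1.1" 404 0 "-" "curl/8.4.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"].split("?")[0], "status": int(m["status"])}


def _records(log_text):
    return [r for r in (parse_line(l) for l in log_text.splitlines()) if r]


def detect_enumeration(log_text, window_s=60, min_distinct=3):
    """Return {ip: sorted distinct paths} for clients that requested at least
    `min_distinct` different paths inside any `window_s`-second window.
    Touching several discovery/inference routes in quick succession is the
    enumeration shape described in the text; hammering one route is not."""
    per_ip = defaultdict(list)
    for r in _records(log_text):
        per_ip[r["ip"]].append(r)
    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        window = deque()
        for r in recs:
            window.append(r)
            while (r["ts"] - window[0]["ts"]).total_seconds() > window_s:
                window.popleft()
            distinct = {w["path"] for w in window}
            if len(distinct) >= min_distinct:
                flagged[ip] = sorted(distinct)
    return flagged


class RateLimiter:
    """Sliding-window per-client cap: at most `limit` requests in `window_s` seconds.
    An assumed policy for illustration, not any product's implementation."""

    def __init__(self, limit, window_s):
        self.limit, self.window_s = limit, window_s
        self.hits = defaultdict(deque)

    def allow(self, ip, ts):
        q = self.hits[ip]
        while q and (ts - q[0]).total_seconds() >= self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def rate_limit_decisions(log_text, limit=3, window_s=60):
    """Replay the log through the limiter; return {ip: number of refused requests}."""
    limiter = RateLimiter(limit, window_s)
    denied = {}
    for r in sorted(_records(log_text), key=lambda r: r["ts"]):
        denied.setdefault(r["ip"], 0)
        if not limiter.allow(r["ip"], r["ts"]):
            denied[r["ip"]] += 1
    return denied


if __name__ == "__main__":
    print("enumeration candidates:", detect_enumeration(SAMPLE_LOG))
    print("requests refused at 3/min:", rate_limit_decisions(SAMPLE_LOG))
```

The 401 and 404 statuses in the sample are the healthy outcome: the routes demand a credential or do not exist. A 200 on a discovery route from an unknown client is the exposure the briefing warns about, and the distinct-path counter above is the signal to alert on before that happens.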