Sentinel One

MacOS Malware ReaderUpdate Adds New Variants Written in Crystal, Nim, Rust, and Go

The ReaderUpdate malware, which previously went relatively unnoticed, now includes variants written in Crystal, Nim, Rust, and most recently, Go, in addition to the original compiled Python binary.

New Ghostwriter APT Campaign Targets Ukrainian Government and Belarusian Opposition

The campaign has been in preparation since July-August 2024 and entered the active phase in November-December 2024. Recent malware samples and command-and-control (C2) infrastructure activity indicate that the operation remains active in recent days.

X Phishing Campaign Targets High-Profile Accounts to Promote Crypto Scams

This campaign has been observed targeting various accounts such as U.S. political figures, leading international journalists, an X employee, large technology organizations, cryptocurrency organizations, and owners of valuable, short usernames.

HellCat and Morpheus: Two Brands, One Payload as Ransomware Affiliates Drop Identical Code

HellCat emerged in mid-2024. The primary operators behind HellCat are high-ranking members of the BreachForums. Morpheus RaaS launched a data leaks site (DLS) in December 2024, though the group’s activity can be traced back to at least September.
December 11, 2024

Operation Digital Eye: Chinese APT Compromises Critical Digital Infrastructure via Visual Studio Code Tunnels

The threat actors used a lateral movement capability indicative of the presence of a shared vendor or digital quartermaster maintaining and provisioning tooling within the Chinese APT ecosystem.
November 27, 2024

CyberVolk: A Deep Dive into the Hacktivists, Tools, and Ransomware Fueling Pro-Russian Cyber Attacks

CyberVolk’s roots trace back to India, with its current form emerging in May 2024. Initially known by names such as GLORIAMIST India and Solntsevskaya Bratva, the group shifted to ransomware-as-a-service (RaaS) operations in June 2024.

North Korean APT BlueNoroff Targets Macs with Fake Crypto News and Novel Persistence

SentinelLabs found a new type of malware being used by North Korean hackers to target businesses that deal with cryptocurrency. This malware is similar to attacks previously linked to BlueNoroff.

Kryptina RaaS: From Unsellable Cast-Off to Enterprise Ransomware

Mallox, known for targeting Windows systems, has expanded its operations to Linux by using a modified version of the Kryptina ransomware, named "Mallox Linux 1.0." The ransomware utilizes the same encryption algorithm as Kryptina.

DPRK Crypto Theft | macOS RustBucket Droppers Pivot to Deliver KandyKorn Payloads

It begins with a Discord user downloading a malicious Python application, Cross-Platform Bridges.zip. Initially, links to the malware were sent to targets via direct message with the malware hosted on Google Drive.
September 22, 2023

Sandman APT Infiltrates Telecommunications Companies Using LuaDream Backdoor

The activities of Sandman suggest espionage motivations, with a focus on telecommunications providers and a potential connection to a private contractor or mercenary group.
