Daily Cybersecurity Roundup, January 27, 2026

Attackers don’t always break in: they log in, blend in, and let trusted tools do the dirty work. From China-linked APTs leveraging the PeckBirdy JScript-based C2 framework to deliver malicious payloads, to phishing campaigns abusing trusted Vercel-hosted links to distribute remote access tools with financial urgency lures, adversaries are increasingly capitalizing on familiarity and trust. In parallel, a tax-themed phishing operation deploying the Blackmoon banking trojan has been observed weaponizing the legitimate SyncFuture TSM enterprise tool, reinforcing how modern campaigns blur the line between benign infrastructure and covert espionage. Read on for the details.

01. China-linked APTs have been using a JScript-based flexible C2 framework dubbed PeckBirdy since 2023 to deliver malicious scripts that download and execute payloads across multiple victim types, including Asian government and private sector targets.

02. A phishing campaign is abusing Vercel-hosted links to deliver RATs, exploiting trust in legitimate domains and using financial urgency lures to trick victims into clicking malicious links.

03. North Korean state-sponsored Lazarus Group is targeting software engineers in a supply chain attack dubbed “Fake Font,” abusing malicious VS Code task configuration files to execute JavaScript malware disguised as web font assets.

04. A novel Amatera Stealer infection chain is delivered via fake CAPTCHA web flows, using deceptive validation pages to trick users into downloading the stealer, which harvests credentials and system data.

05. A new class of phishing kits dynamically adapts to real-time voice-based social engineering (“vishing”) to control authentication flows and defeat traditional MFA protections.

06. The Stanley malware toolkit, sold on Russian-language forums for roughly $2,000 to $6,000, embeds phishing and URL hijacking capabilities into Chrome extensions that can bypass store moderation and hijack sessions.

07. A sophisticated tax-themed phishing campaign deploying the Blackmoon banking trojan was found installing the legitimate SyncFuture TSM enterprise tool, repurposed as an espionage framework.

08. As part of urgent January 2026 updates, Microsoft patched a recently discovered Office zero-day tracked as CVE-2026-21509, which has been exploited in the wild to bypass security features on Office documents.

09. Nearly 800,000 Telnet servers running GNU InetUtils telnetd are exposed to remote exploitation via a critical authentication bypass (CVE-2026-24061) that allows unauthorized root access and is under active attack.

10. Two critical 0-day vulnerabilities in NetSupport Manager (CVE-2025-34164 and CVE-2025-34165) enable unauthenticated RCE in OT environments, allowing attackers to take control of systems before patching.