Cybersec Sentinel

MoonPeak and the Growing Sophistication of DPRK Intrusions

MoonPeak and the Growing Sophistication of DPRK Intrusions

Threat Group UAT-5394 with strong tactical overlap to Kimsuky Threat Type Remote Access Trojan derived from XenoRAT delivered via weaponised LNK files and PowerShell droppers Exploited Vulnerabilities Windows LNK execution trust abuse, PowerShell execution policy bypass, LOTS and LOLBins abuse, trusted cloud and code hosting platforms Malware Used MoonPeak RAT

PeckBirdy Exposes a New Living off the Land Threat

PeckBirdy Exposes a New Living off the Land Threat

Threat Group China aligned APT operators tracked as SHADOW VOID 044 and SHADOW EARTH 045 Threat Type JScript based command and control framework abusing trusted Windows utilities Exploited Vulnerabilities Abuse of Windows Script Host trust model, mshta.exe execution, ScriptControl ActiveX usage, browser watering hole injection, legacy Chrome V8 flaws

Evelyn Stealer and the rising risk of developer tool supply chain attacks

Evelyn Stealer and the rising risk of developer tool supply chain attacks

Threat Group: Unknown cybercriminal operators leveraging developer tooling supply chains Threat Type: Information stealer malware delivered via malicious development extensions Exploited Vulnerabilities: Abuse of the Visual Studio Code extension trust model, DLL side loading, PowerShell execution policy misuse, Windows process hollowing Malware Used: Evelyn Stealer, Lightshot.dll downloader, iknowyou.model

How SHADOW#REACTOR uses harmless looking text files to deliver Remcos RAT

How SHADOW#REACTOR uses harmless looking text files to deliver Remcos RAT

Threat Group – Unattributed, activity consistent with an initial access broker model Threat Type – Multi stage loader chain delivering remote access capability Exploited Vulnerabilities – None publicly confirmed, primary access relies on user execution and script based lures Malware Used – Remcos RAT delivered via SHADOW#REACTOR staging and loader framework Threat Score

VVS Stealer highlights the rising danger of Discord focused infostealers

VVS Stealer highlights the rising danger of Discord focused infostealers

Threat Group – Unknown Threat Type – Information Stealer Exploited Vulnerabilities – None publicly identified Malware Used – VVS Stealer Threat Score – 7.3 🔴 High Last Threat Observation – 6 January 2026 Overview The cybersecurity environment of late 2025 and early 2026 has been shaped by the rapid commoditisation of advanced evasion techniques. VVS Stealer

React2Shell exploited to deploy EtherRAT across cloud servers

React2Shell exploited to deploy EtherRAT across cloud servers

Threat Group – DPRK linked operators with overlaps to earlier blockchain focused campaigns and China nexus groups exploiting React2Shell in parallel for other payloads Threat Type – Remote access trojan deployed through a critical web application remote code execution vulnerability Exploited Vulnerabilities – CVE-2025-55182 React2Shell unsafe deserialisation in the React Server Components Flight

Arkanix Stealer Jumps from Discord to Browser Sessions and Corporate Logins

Arkanix Stealer Jumps from Discord to Browser Sessions and Corporate Logins

Threat Group – Financially motivated cyber crime cluster operating within a malware as a service ecosystem and using Discord communities, gaming groups and social platforms for distribution Threat Type – Cross platform information stealer family with native C plus plus and legacy Python variants that focus on credential, cookie and wallet theft

Browser Notification Hijack via Matrix Push C2

Browser Notification Hijack via Matrix Push C2

Threat Group – Crimeware cluster similar to UNC5142 access brokers and web compromise crews using Matrix Push C2 Threat Type – Browser based C2 platform, phishing delivery system and malware loader sold as a MaaS service Exploited Vulnerabilities – Abuse of W3C Push API, Service Workers, notification prompts, clipboard and Run dialog through

Xillen Stealer v5 Advanced Credential Theft and Loader Platform

Xillen Stealer v5 Advanced Credential Theft and Loader Platform

Threat Group – Xillen Killers Threat Type – Information stealer and loader operating under a Malware as a Service model Exploited Vulnerabilities – Social engineering and opportunistic scanning for unpatched versions of Cisco AnyConnect, OpenVPN, FortiClient and Pulse Secure in order to access cached credentials Malware Used – Xillen Stealer version five using a

GootLoader New Evasion Methods Target Search Driven Workflows

GootLoader New Evasion Methods Target Search Driven Workflows

Threat Group – UNC2565 (also tracked as Storm-0494) Threat Type – Malware Loader and Initial Access Platform Exploited Vulnerabilities – No specific CVE confirmed. Campaign relies on SEO poisoning, compromised WordPress sites, archive format inconsistencies, Windows Script Host execution, and legacy filename behaviour. Malware Used – GootLoader, GootBot, secondary payloads such as Cobalt Strike