Cybersec Sentinel

React2Shell exploited to deploy EtherRAT across cloud servers

React2Shell exploited to deploy EtherRAT across cloud servers

Threat Group – DPRK linked operators with overlaps to earlier blockchain focused campaigns and China nexus groups exploiting React2Shell in parallel for other payloads Threat Type – Remote access trojan deployed through a critical web application remote code execution vulnerability Exploited Vulnerabilities – CVE-2025-55182 React2Shell unsafe deserialisation in the React Server Components Flight

Arkanix Stealer Jumps from Discord to Browser Sessions and Corporate Logins

Arkanix Stealer Jumps from Discord to Browser Sessions and Corporate Logins

Threat Group – Financially motivated cyber crime cluster operating within a malware as a service ecosystem and using Discord communities, gaming groups and social platforms for distribution Threat Type – Cross platform information stealer family with native C plus plus and legacy Python variants that focus on credential, cookie and wallet theft

Browser Notification Hijack via Matrix Push C2

Browser Notification Hijack via Matrix Push C2

Threat Group – Crimeware cluster similar to UNC5142 access brokers and web compromise crews using Matrix Push C2 Threat Type – Browser based C2 platform, phishing delivery system and malware loader sold as a MaaS service Exploited Vulnerabilities – Abuse of W3C Push API, Service Workers, notification prompts, clipboard and Run dialog through

Xillen Stealer v5 Advanced Credential Theft and Loader Platform

Xillen Stealer v5 Advanced Credential Theft and Loader Platform

Threat Group – Xillen Killers Threat Type – Information stealer and loader operating under a Malware as a Service model Exploited Vulnerabilities – Social engineering and opportunistic scanning for unpatched versions of Cisco AnyConnect, OpenVPN, FortiClient and Pulse Secure in order to access cached credentials Malware Used – Xillen Stealer version five using a

GootLoader New Evasion Methods Target Search Driven Workflows

GootLoader New Evasion Methods Target Search Driven Workflows

Threat Group – UNC2565 (also tracked as Storm-0494) Threat Type – Malware Loader and Initial Access Platform Exploited Vulnerabilities – No specific CVE confirmed. Campaign relies on SEO poisoning, compromised WordPress sites, archive format inconsistencies, Windows Script Host execution, and legacy filename behaviour. Malware Used – GootLoader, GootBot, secondary payloads such as Cobalt Strike

Atroposia RAT Redefines Remote Access Malware-as-a-Service

Atroposia RAT Redefines Remote Access Malware-as-a-Service

Threat Group – Unknown actor likely a financially motivated Malware as a Service operator Threat Type – Remote Access Trojan and Malware as a Service Exploited Vulnerabilities – No specific CVEs publicly linked at time of writing. Built in UAC bypass and a Local Vulnerability Scanner enable dynamic post infection exploitation Malware Used

GlassWorm Self-Propagating Malware Compromises VS Code Extensions

GlassWorm Self-Propagating Malware Compromises VS Code Extensions

Threat Group – Unknown (no confirmed attribution) Threat Type – Self-propagating software supply chain malware targeting VS Code and OpenVSX ecosystems Exploited Vulnerabilities – Abuse of trusted publisher credentials and the automated extension update pipeline; no CVE assigned for the platform itself Malware Used – GlassWorm loader and final-stage ZOMBI module (RAT with SOCKS

F5 Security Breach – Elevated Risk to Customers

Vulnerabilities

F5 Security Breach – Elevated Risk to Customers

Threat Group – Highly sophisticated nation state actor Threat Type – Data breach and supply chain compromise Exploited Vulnerabilities – Initial access vector undisclosed. CVE 2025 54500 is a separate HTTP2 data plane denial of service flaw, not the entry point for the breach. Malware Used – Not publicly disclosed Threat Score – 🔴 7.5

BatShadow launches Vampire Bot in fake job campaigns

BatShadow launches Vampire Bot in fake job campaigns

Threat Group – BatShadow Group Threat Type – Multi-stage info-stealer and remote access bot Exploited Vulnerabilities – Social engineering, Windows default “hide known file extensions,” LNK-launched encoded PowerShell, abuse of legitimate remote access software for persistence Malware Used – Vampire Bot (Go-compiled) Threat Score – 7.6 🔴 High — Multi-stage chain with LNK→PowerShell execution, behaviour-evasive