Cybersec Sentinel - Cybersec Sentinel

Cybersec Sentinel

Cybersec Sentinel: 30+ years of IT expertise, delivering clear, actionable cyber security insights.

Evelyn Stealer and the rising risk of developer tool supply chain attacks

Evelyn Stealer and the rising risk of developer tool supply chain attacks

Threat Group: Unknown cybercriminal operators leveraging developer tooling supply chains Threat Type: Information stealer malware delivered via malicious development extensions Exploited Vulnerabilities: Abuse of the Visual Studio Code extension trust model, DLL side loading, PowerShell execution policy misuse, Windows process hollowing Malware Used: Evelyn Stealer, Lightshot.dll downloader, iknowyou.model

How SHADOW#REACTOR uses harmless looking text files to deliver Remcos RAT

How SHADOW#REACTOR uses harmless looking text files to deliver Remcos RAT

Threat Group – Unattributed, activity consistent with an initial access broker model Threat Type – Multi stage loader chain delivering remote access capability Exploited Vulnerabilities – None publicly confirmed, primary access relies on user execution and script based lures Malware Used – Remcos RAT delivered via SHADOW#REACTOR staging and loader framework Threat Score

VVS Stealer highlights the rising danger of Discord focused infostealers

VVS Stealer highlights the rising danger of Discord focused infostealers

Threat Group – Unknown Threat Type – Information Stealer Exploited Vulnerabilities – None publicly identified Malware Used – VVS Stealer Threat Score – 7.3 🔴 High Last Threat Observation – 6 January 2026 Overview The cybersecurity environment of late 2025 and early 2026 has been shaped by the rapid commoditisation of advanced evasion techniques. VVS Stealer

React2Shell exploited to deploy EtherRAT across cloud servers

React2Shell exploited to deploy EtherRAT across cloud servers

Threat Group – DPRK linked operators with overlaps to earlier blockchain focused campaigns and China nexus groups exploiting React2Shell in parallel for other payloads Threat Type – Remote access trojan deployed through a critical web application remote code execution vulnerability Exploited Vulnerabilities – CVE-2025-55182 React2Shell unsafe deserialisation in the React Server Components Flight

Arkanix Stealer Jumps from Discord to Browser Sessions and Corporate Logins

Arkanix Stealer Jumps from Discord to Browser Sessions and Corporate Logins

Threat Group – Financially motivated cyber crime cluster operating within a malware as a service ecosystem and using Discord communities, gaming groups and social platforms for distribution Threat Type – Cross platform information stealer family with native C plus plus and legacy Python variants that focus on credential, cookie and wallet theft

Browser Notification Hijack via Matrix Push C2

Browser Notification Hijack via Matrix Push C2

Threat Group – Crimeware cluster similar to UNC5142 access brokers and web compromise crews using Matrix Push C2 Threat Type – Browser based C2 platform, phishing delivery system and malware loader sold as a MaaS service Exploited Vulnerabilities – Abuse of W3C Push API, Service Workers, notification prompts, clipboard and Run dialog through

Xillen Stealer v5 Advanced Credential Theft and Loader Platform

Xillen Stealer v5 Advanced Credential Theft and Loader Platform

Threat Group – Xillen Killers Threat Type – Information stealer and loader operating under a Malware as a Service model Exploited Vulnerabilities – Social engineering and opportunistic scanning for unpatched versions of Cisco AnyConnect, OpenVPN, FortiClient and Pulse Secure in order to access cached credentials Malware Used – Xillen Stealer version five using a

GootLoader New Evasion Methods Target Search Driven Workflows

GootLoader New Evasion Methods Target Search Driven Workflows

Threat Group – UNC2565 (also tracked as Storm-0494) Threat Type – Malware Loader and Initial Access Platform Exploited Vulnerabilities – No specific CVE confirmed. Campaign relies on SEO poisoning, compromised WordPress sites, archive format inconsistencies, Windows Script Host execution, and legacy filename behaviour. Malware Used – GootLoader, GootBot, secondary payloads such as Cobalt Strike

Atroposia RAT Redefines Remote Access Malware-as-a-Service

Atroposia RAT Redefines Remote Access Malware-as-a-Service

Threat Group – Unknown actor likely a financially motivated Malware as a Service operator Threat Type – Remote Access Trojan and Malware as a Service Exploited Vulnerabilities – No specific CVEs publicly linked at time of writing. Built in UAC bypass and a Local Vulnerability Scanner enable dynamic post infection exploitation Malware Used

GlassWorm Self-Propagating Malware Compromises VS Code Extensions

GlassWorm Self-Propagating Malware Compromises VS Code Extensions

Threat Group – Unknown (no confirmed attribution) Threat Type – Self-propagating software supply chain malware targeting VS Code and OpenVSX ecosystems Exploited Vulnerabilities – Abuse of trusted publisher credentials and the automated extension update pipeline; no CVE assigned for the platform itself Malware Used – GlassWorm loader and final-stage ZOMBI module (RAT with SOCKS