The Cyber Byte - 2 February 2026
Sophisticated social engineering campaigns are actively targeting corporate environments through voice phishing (vishing) to steal SSO credentials and exfiltrate data from SaaS applications for extortion [7]. State-aligned actors are leveraging AI to accelerate the development of multi-stage malware for politically motivated attacks, as seen in a new campaign targeting Iranian interests [6]. Furthermore, threat actors are increasingly abusing legitimate cloud and development platforms—including Hugging Face, Google Drive, Firebase, and Telegram—for payload delivery, command-and-control, and data exfiltration, complicating detection efforts across desktop and mobile platforms [1, 3, 5, 6].
Significant Cyber Incidents and Articles of Interest
ShinyHunters-Branded Vishing Campaign Expands to More SaaS Platforms: Financially motivated threat clusters, tracked as UNC6661 and UNC6671, are conducting sophisticated voice phishing (vishing) campaigns to steal single sign-on (SSO) credentials and multi-factor authentication (MFA) codes from employees [7]. The actors impersonate IT staff and direct targets to credential harvesting sites to gain initial access, subsequently targeting a growing list of SaaS platforms including SharePoint, Salesforce, and DocuSign for data exfiltration [7]. Following the data theft, the UNC6240 cluster, associated with the ShinyHunters brand, engages in aggressive extortion, including harassing victim personnel and launching DDoS attacks [7]. This activity, which has targeted Okta customers among others, demonstrates the effectiveness of social engineering against weaker forms of MFA and the actors' intent to maximize extortion leverage by stealing sensitive data from multiple cloud sources [7].
RedKitten Campaign Uses AI-Generated Malware to Target Iranian Interests: A new campaign dubbed RedKitten is targeting Iranian interests, likely including NGOs and individuals documenting human rights abuses related to the Dey 1404 protests [6]. The infection begins with weaponized Excel (XLSM) files containing forged lists of casualties, designed as a high-shock lure to entice victims into enabling macros [6]. The macro deploys a C# implant called SloppyMIO, which uses GitHub as a dead-drop resolver, retrieves its configuration from images using LSB steganography, and uses Telegram for command-and-control [6]. Researchers assess with medium confidence that the campaign originates from a Farsi-speaking actor aligned with Iranian state interests, noting that the malware and VBA dropper code show signs of being at least partially generated by AI, allowing for rapid development and deployment [6].
"ClawdBot Agent" VS Code Extension Deploys ScreenConnect RAT: A malicious Visual Studio Code extension named "ClawdBot Agent" was discovered masquerading as a popular AI coding assistant to deploy a Remote Access Trojan (RAT) on developers' machines [2]. The extension is fully functional, providing the advertised AI features to avoid suspicion, while silently installing a weaponized version of the legitimate ConnectWise ScreenConnect remote access tool [2]. This technique, known as "Bring Your Own ScreenConnect," abuses trusted IT software to evade security tools [2]. The malware establishes persistence and uses multiple layers of redundancy for payload delivery, including a Rust-based DLL loader that can fetch the payload from a Dropbox URL disguised as a Zoom update if the primary C2 server fails [2].
Arsink Android RAT Campaign Reaches Global Scale: A large-scale Android RAT campaign, named Arsink, has been observed distributing malware that impersonates over 50 popular brands like Google, WhatsApp, and TikTok [5]. The malware is spread via social-engineered links on platforms such as Telegram, Discord, and MediaFire [5]. With over 1,200 unique APK samples and 45,000 victim IPs identified across 143 countries, the campaign demonstrates significant global reach [5]. Arsink variants use a combination of Firebase Realtime Database, Firebase Storage, Google Apps Script, Google Drive, and Telegram for command-and-control and data exfiltration, highlighting a trend of abusing legitimate cloud infrastructure to conduct surveillance and steal data, including SMS messages, call logs, contacts, and media files [5].
TrustBastion Android Trojan Abuses Hugging Face for Payload Delivery: A new Android RAT campaign is leveraging the Hugging Face platform, a popular online service for hosting machine learning models, to distribute malicious payloads [1]. The infection starts with a dropper application called TrustBastion, which uses deceptive update prompts to trick users into installing a second-stage RAT [1]. The dropper contacts a C2 server which redirects it to a Hugging Face repository to download the final APK, thereby abusing the reputation of a legitimate service to evade detection [1]. The threat actors use server-side polymorphism, generating new, slightly varied payloads approximately every 15 minutes to evade hash-based detection [1]. Once installed, the RAT abuses Android's Accessibility Services to gain persistent control, capture screen content, and steal credentials using fake financial interfaces [1].
Pulsar RAT and Infostealer Campaign Leverages In-Memory Execution: A multi-stage Windows malware campaign is using living-off-the-land techniques to deliver the Pulsar RAT and a comprehensive infostealer module named Stealerv37 [3]. The attack begins with an obfuscated batch file that uses a registry Run key for persistence and extracts a PowerShell loader [3]. This loader decrypts and injects shellcode generated by the Donut tool directly into legitimate processes like explorer.exe to achieve in-memory execution and evade disk-based antivirus [3]. The final .NET payload is heavily obfuscated and includes numerous anti-analysis features, extensive credential harvesting capabilities for dozens of applications (including VPNs, FTP clients, messaging apps, and crypto wallets), and uses Discord webhooks and Telegram bots for data exfiltration [3].
Malicious Chrome Extension Network Performs Affiliate Hijacking: A Chrome extension named Amazon Ads Blocker, along with at least 28 others in a network operated under the "10xprofit" brand, was found to be conducting hidden affiliate hijacking [8]. While the extension provides its advertised ad-blocking functionality, it secretly rewrites Amazon product links to replace any existing affiliate tags with the developer's own tag (10xprofit-20), thereby stealing commissions from content creators [8]. The extension uses a misleading affiliate disclosure that violates Chrome Web Store policies updated in June 2025 and operates automatically without user interaction [8]. The broader network targets multiple e-commerce platforms, including Amazon, AliExpress, and Shopify, with some extensions also scraping product data or using deceptive UI elements to create fake urgency for purchases [8].
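The link rewriting described above, as an added detection example that is not part of the newsletter or the cited report [8]: a Python check that compares the affiliate link a page served with the link the browser actually requested and classifies what happened to the tag. The sample URLs and the creator tag creator-21 are constructed; only the 10xprofit-20 tag comes from the page.

```python
# Added example, not from the cited report: detect affiliate-tag
# substitution of the kind described above, where an extension rewrites
# Amazon product links so the "tag" query parameter becomes 10xprofit-20.
# The sample URLs and the creator tag are constructed placeholders.
from typing import Optional
from urllib.parse import parse_qs, urlparse

HIJACK_TAGS = {"10xprofit-20"}  # the only tag named on the page; extend as needed


def affiliate_tag(url: str) -> Optional[str]:
    """Return the Amazon affiliate tag (the 'tag' query parameter), if any."""
    values = parse_qs(urlparse(url).query).get("tag")
    return values[0] if values else None


def check_rewrite(original: str, observed: str) -> dict:
    """Compare the link a page served with the link the browser actually
    requested and classify what happened to the affiliate tag."""
    before, after = affiliate_tag(original), affiliate_tag(observed)
    if before == after:
        verdict = "unchanged"
    elif after in HIJACK_TAGS:
        verdict = "hijacked"      # known fraudulent tag injected
    elif after is None:
        verdict = "tag_removed"   # creator tag stripped entirely
    elif before is None:
        verdict = "tag_added"     # link had no tag; an unknown one was appended
    else:
        verdict = "replaced"      # creator tag swapped for an unknown tag
    return {"before": before, "after": after, "verdict": verdict}


# Constructed samples: (link as served, link as requested after the extension ran)
SAMPLES = [
    ("https://www.amazon.com/dp/B000000000?tag=creator-21",
     "https://www.amazon.com/dp/B000000000?tag=10xprofit-20"),
    ("https://www.amazon.com/dp/B000000000?tag=creator-21",
     "https://www.amazon.com/dp/B000000000?tag=creator-21"),
    ("https://www.amazon.com/dp/B000000000",
     "https://www.amazon.com/dp/B000000000?tag=10xprofit-20"),
    ("https://www.amazon.com/dp/B000000000?tag=creator-21",
     "https://www.amazon.com/dp/B000000000?tag=someone-else-20"),
]


def scan(samples=SAMPLES) -> list:
    """Verdict per (served, requested) pair, in order."""
    return [check_rewrite(served, req)["verdict"] for served, req in samples]


if __name__ == "__main__":
    for (_, requested), verdict in zip(SAMPLES, scan()):
        print(f"{verdict:12} {requested}")
```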
Former Google Engineer Convicted of Stealing AI Trade Secrets for China: A former Google software engineer, Linwei "Leon" Ding, was convicted of economic espionage and theft of trade secrets for stealing over 2,000 pages of confidential data related to Google's AI infrastructure [4]. Between May 2022 and April 2023, Ding exfiltrated sensitive information about Google's custom Tensor Processing Units (TPUs) and supercomputing data centers while secretly acting as the CEO of his own AI company in China [4]. The conviction highlights the significant national security and economic risks posed by insider threats, particularly in the highly competitive field of artificial intelligence [4].
Threat Actor Activity
Tactics, Techniques, and Procedures (TTPs):
Social Engineering: Voice phishing (vishing) used to impersonate IT staff and convince employees to divulge SSO credentials and MFA codes [7]. Crisis-driven lures related to political protests are used to trick users into opening malicious documents [6]. Brand impersonation is used on a massive scale to distribute mobile malware [5].
Abuse of Legitimate Services: Threat actors are heavily relying on public cloud and development platforms to evade detection. This includes using Hugging Face to host RATs [1], GitHub as a dead-drop resolver [6], Google Drive for module hosting [6], Firebase for C2 and storage [5], Dropbox for redundant payload delivery [2], and Telegram/Discord for C2 and data exfiltration [3, 5, 6].
Initial Access: Malicious documents (XLSM) with VBA droppers [6], trojanized applications in third-party marketplaces (VS Code, Chrome Web Store) [2, 8], and direct links to malicious APKs on file-hosting sites [5].
Execution & Evasion: Multi-stage infection chains using living-off-the-land binaries (PowerShell) [3], AppDomainManager injection to load .NET implants [6], Donut-obfuscated shellcode to evade static analysis [3], server-side polymorphism to change payload hashes frequently [1], and abuse of legitimate remote access software (ScreenConnect) to bypass security controls [2].
Persistence & Defense Evasion: Use of registry Run keys and scheduled tasks for persistence [3, 6], hiding launcher icons on mobile devices [5], and implementing extensive anti-VM, anti-debugging, and anti-sandbox checks [3].
Affiliations:
ShinyHunters-branded (UNC6661, UNC6671, UNC6240): Financially motivated extortion groups conducting sophisticated vishing and data theft operations [7].
RedKitten: A Farsi-speaking threat actor assessed with medium confidence to be aligned with Iranian state interests, focused on surveillance of dissidents and NGOs [6].
Pulsar RAT / Stealerv37 Operators: A sophisticated, financially motivated group using the handles @aesxor and "dead artis" [3].
10xprofit: A financially motivated actor or group operating a large network of malicious browser extensions for affiliate fraud [8].
Targets of Interest:
Corporate employees at large organizations for SSO credential theft [7].
SaaS platforms, including Okta, Salesforce, SharePoint, M365, and DocuSign [7].
Iranian dissidents, human rights organizations, and NGOs [6].
Android users worldwide through mass distribution campaigns [1, 5].
Software developers using VS Code [2].
Google (via insider threat for economic espionage) [4].
Geographic Focus & Campaign Expansion:
The Arsink RAT campaign has a global footprint, with major victim concentrations in Egypt, Indonesia, Iraq, Yemen, and Türkiye [5].
The RedKitten campaign is focused on Iranian interests [6].
The ShinyHunters-branded activity appears to target organizations globally [7].
Indicators to Watch
New Malware Variants:
SloppyMIO: A modular C# implant using Telegram for C2 and steganography for configuration [6].
Pulsar RAT / Stealerv37: A .NET-based RAT and infostealer combination delivered via a Donut loader for in-memory execution [3].
Arsink RAT: A widespread Android RAT that abuses Firebase, Google Apps Script, and Telegram for C2 and data exfiltration [5].
TrustBastion: An Android dropper that uses Hugging Face repositories to deliver a second-stage RAT [1].
Suspicious Campaigns and Phishing Trends:
Be alert for vishing attempts where callers claiming to be from IT support direct users to external websites to "update" MFA settings or SSO credentials [7]. Phishing domains often follow patterns like <companyname>sso.com or <companyname>internal.com [7].
Monitor the VS Code Marketplace and other developer extension repositories for tools that impersonate popular brands, especially those that are new or have few reviews [2].
Watch for malicious Excel documents related to the Iranian Dey 1404 protests, which serve as lures for the RedKitten campaign [6].
Scrutinize Chrome extensions that bundle ad-blocking or utility features with affiliate link monetization, especially if their disclosures do not match their behavior [8].
Suspicious Infrastructure and Behavior Patterns:
Network traffic to Hugging Face, Firebase, or Google Apps Script from non-standard Android applications could indicate an Arsink or TrustBastion infection [1, 5].
Outbound connections to meeting.bulletmailer[.]net:8041, the C2 for the weaponized ScreenConnect RAT [2].
PowerShell processes with a User-Agent of WindowsPowerShell accessing or downloading a high volume of files from SharePoint [7].
The creation of scheduled tasks named MediaSyncTask[100-999] or Enterprise Workstation Health Monitoring on Windows systems [6].
The installation of the ToogleBox Recall add-on in Google Workspace, which may be used to hide malicious activity by deleting notification emails [7].
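Three of the patterns listed above (lookalike SSO domains of the form companyname-sso / companyname-internal, bulk SharePoint downloads by a PowerShell user agent, and the named scheduled tasks), as an added detection example that is not part of the newsletter or the cited reports [6, 7]. It assumes a defended organisation named acme, a threshold of 50 downloads per source, and constructed sample events; the task-name and domain patterns themselves come from the page.

```python
# Added example, not from the cited reports: a small rule set applying
# three behaviour patterns from the "Indicators to Watch" section to
# constructed sample events. ORG, the threshold and the event field names
# (src, user_agent, url) are assumptions.
import re
from collections import Counter

ORG = "acme"  # assumption: the defended organisation's name
# Vishing domains following <companyname>sso.com / <companyname>internal.com,
# with or without a hyphen and an optional leading subdomain.
LOOKALIKE_RE = re.compile(
    rf"^(?:[\w-]+\.)?{re.escape(ORG)}(?:-?sso|-?internal)\.[a-z]+$")
# Scheduled task names reported for the RedKitten campaign
TASK_RE = re.compile(
    r"^(?:MediaSyncTask[1-9]\d\d|Enterprise Workstation Health Monitoring)$")
SHAREPOINT_THRESHOLD = 50  # assumption: downloads per source in the window


def lookalike_domain(domain: str) -> bool:
    return bool(LOOKALIKE_RE.match(domain.strip().lower()))


def suspicious_task(name: str) -> bool:
    return bool(TASK_RE.match(name.strip()))


def sharepoint_bulk_download(events, threshold=SHAREPOINT_THRESHOLD):
    """events: dicts with 'src', 'user_agent', 'url'. Returns the sources whose
    PowerShell user agent fetched more than `threshold` SharePoint files."""
    counts = Counter(
        e["src"] for e in events
        if "WindowsPowerShell" in e.get("user_agent", "")
        and ".sharepoint.com" in e.get("url", ""))
    return sorted(src for src, n in counts.items() if n > threshold)


# Constructed samples: two lookalikes, the real domain and its legitimate SSO host
DOMAINS = ["acmesso.com", "login.acme-internal.com", "acme.com", "sso.acme.com"]
TASKS = ["MediaSyncTask437", "MediaSyncTask42",
         "Enterprise Workstation Health Monitoring", "GoogleUpdateTask"]
WEB_EVENTS = [{"src": "10.0.0.8", "user_agent": "WindowsPowerShell/5.1",
               "url": f"https://acme.sharepoint.com/docs/f{i}.docx"}
              for i in range(60)]
WEB_EVENTS += [{"src": "10.0.0.9", "user_agent": "Mozilla/5.0",
                "url": "https://acme.sharepoint.com/docs/a.docx"}
               for _ in range(60)]


def run_rules() -> dict:
    return {"lookalike_domains": [d for d in DOMAINS if lookalike_domain(d)],
            "suspicious_tasks": [t for t in TASKS if suspicious_task(t)],
            "bulk_sharepoint_sources": sharepoint_bulk_download(WEB_EVENTS)}


if __name__ == "__main__":
    for rule, hits in run_rules().items():
        print(f"{rule}: {hits}")
```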
Key Indicators of Compromise (IOCs):
Domains: trustbastion[.]com, clawdbot.getintwopc[.]site, darkgptprivate[.]com, meeting.bulletmailer[.]net, au-club[.]top, 10xprofit[.]io [1, 2, 8].
IP Addresses: 154.198.48.57 (TrustBastion C2), 178.16.54[.]253 (Clawdbot C2), 185[.]132[.]53[.]17:7800 (Pulsar RAT C2), 76.64.54[.]159 (UNC6671 IP) [1, 2, 3, 7].
File Hashes (SHA256):
e20b920c7af988aa215c95bbaa365d005dd673544ab7e3577b60fecf11dcdea2 (Weaponized ScreenConnect / Code.exe) [2].
d1e0c26774cb8beabaf64f119652719f673fb530368d5b2166178191ad5fcbea (Rust-based loader / DWrite.dll) [2].
d3bb28307d11214867c570fe594f773ba90195ed22b834bad038b62bf75a4192 (RedKitten XLSM Dropper) [6].
Affiliate Tag: 10xprofit-20 injected into Amazon URLs [8].