4 minute read

Ankura CTIX FLASH Update – February 2, 2026

Malware Activity

How Hacking Groups Are Evolving to Steal Data and Evade Detection

Recent reports show that cybercriminal groups such as TA584 and Mustang Panda are becoming more capable and more targeted in their operations. TA584 has expanded its activity since 2020, using compromised email accounts and malicious links to deliver malware such as Tsundere Bot and XWorm, which can surveil systems, move laterally within networks, and stage follow-on ransomware. Tsundere Bot is especially troublesome because it uses the Ethereum blockchain as part of its command-and-control channel, which is far harder to detect and to take down than a conventional C2 server. Meanwhile, Mustang Panda, a cyber-espionage group that multiple cybersecurity firms attribute to China, has upgraded its toolset, in particular its CoolClient backdoor, to steal credentials, capture screens, and covertly control infected devices. The group routinely hides its malware alongside legitimate software and uses cloud services to exfiltrate data, both of which make detection harder. Overall, these groups keep refining their tradecraft to spy on governments and steal sensitive information, showing growing sophistication and determination to stay ahead of defenders. CTIX analysts will continue to report on the latest malware strains and attack methodologies.


Threat Actor Activity

FBI Seizes RAMP Cybercrime Forum, Disrupting Ransomware Operations

The RAMP cybercrime forum's domains now display a seizure notice attributing the action to the FBI, the US Attorney's Office for the Southern District of Florida, and the Department of Justice's Computer Crime and Intellectual Property Section. The domains' DNS records confirm that the FBI controls them, which implies access to user data that could lead to arrests of threat actors with weak operational security. Launched in July 2021 by a threat actor known as Orange, RAMP served as a marketplace for ransomware gangs after Russian-speaking forums banned ransomware promotion. Orange, identified as Russian national Mikhail Matveev, repurposed Babuk's infrastructure to create RAMP, and despite constant DDoS attacks and a lack of profit the forum became popular. Matveev was later indicted by the US Department of Justice for involvement in ransomware operations targeting critical infrastructure. The seizure disrupts a key hub for cybercriminals and forces them to migrate to other platforms such as Rehub; such migrations are chaotic and expose users to operational mistakes and law enforcement infiltration. Seizures like this give network defenders insight into criminal networks and the operational failures that led to the takedown. Even so, cybercrime forums are expected to reemerge elsewhere as users scatter to new platforms. CTIX analysts will continue to provide the most recent news related to threat actor activities and operations.


Vulnerabilities

Persistent Exploitation of WinRAR Vulnerability by State-Sponsored and Criminal Threat Actors

Google’s Threat Intelligence Group (GTIG) has documented sustained and widespread exploitation of a high-severity WinRAR path traversal vulnerability months after it was patched in WinRAR 7.13 in July 2025, underscoring the enduring risk posed by widely weaponized n-day flaws. The vulnerability, tracked as

(CVSS 8.8), allows arbitrary code execution. It is triggered by specially crafted RAR archives that abuse NTFS Alternate Data Streams (ADS) to conceal malicious files and write them to attacker-chosen locations outside the extraction directory, most commonly the Windows Startup folder, so that the payload runs automatically at the next user login. The flaw was first exploited as a zero-day by the Russia-linked dual-use espionage and cybercrime group RomCom and has since been adopted across disparate operations by multiple Russian state-aligned APTs, including Sandworm, Gamaredon, and Turla, primarily against Ukrainian government, military, and technology organizations using tailored geopolitical lures. GTIG has also observed a China-based state-sponsored actor using the same technique to deploy the Poison Ivy RAT, while financially motivated cybercriminals worldwide have rapidly operationalized the exploit to distribute commodity RATs and information stealers such as AsyncRAT and XWorm, targeting hospitality, travel, online banking, and other commercial enterprises in Latin America (Brazil in particular) and Southeast Asia. The scale, longevity, and diversity of exploitation are attributed to a mature underground exploit economy: sellers such as "zeroplayer" marketed ready-to-use WinRAR exploits alongside high-priced Office, Windows, VPN, and AV-bypass zero-days, lowering the technical barrier and allowing both espionage-driven and financially motivated actors to keep abusing the flaw long after a patch was available. CTIX analysts urge administrators to confirm that every WinRAR installation is at version 7.13 or later; WinRAR does not update itself, so the fixed build has to be deployed manually, and the per-user Startup folder should be checked for unexpected files on any host that has opened untrusted archives.
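The archive pattern described above can be screened for before an archive ever reaches WinRAR. The following detector is an added example, not code from GTIG, from Ankura, or from the original page: it walks the block headers of a RAR5 archive without decompressing anything, extracts each stored entry name, and flags names that carry an NTFS stream separator, a `..` traversal component, an absolute path, or a Startup-folder destination. The header layout follows the published RAR 5.0 format; the sample archive, its entry name `invoice.pdf:..\..\..\AppData\...\Startup\update.exe`, and the payload bytes are constructed here for illustration and are not taken from any real sample.

```python
import struct
import zlib
# RAR 5.0 container constants (from the published RAR5 format description)
RAR5_SIGNATURE = b"Rar!\x1a\x07\x01\x00"
HEAD_MAIN, HEAD_FILE, HEAD_SERVICE, HEAD_ENDARC = 1, 2, 3, 5
HFL_EXTRA, HFL_DATA = 0x0001, 0x0002        # generic header flags
FHFL_MTIME, FHFL_CRC32 = 0x0002, 0x0004     # file header flags

def read_vint(buf, pos):
    """Decode a RAR5 vint: 7 data bits per byte, little-endian, high bit = more."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated vint")
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos

def iter_entry_names(data):
    """Yield (header_type, stored_name) for each file/service header; data areas are skipped."""
    if not data.startswith(RAR5_SIGNATURE):
        raise ValueError("not a RAR5 archive")
    pos = len(RAR5_SIGNATURE)
    while pos < len(data):
        pos += 4                                 # header CRC32 (not verified here)
        hdr_size, pos = read_vint(data, pos)
        hdr_end = pos + hdr_size                 # size is counted from the type field
        hdr_type, pos = read_vint(data, pos)
        hdr_flags, pos = read_vint(data, pos)
        if hdr_flags & HFL_EXTRA:
            _, pos = read_vint(data, pos)        # extra area size
        data_size, pos = read_vint(data, pos) if hdr_flags & HFL_DATA else (0, pos)
        if hdr_type == HEAD_ENDARC:
            return
        if hdr_type in (HEAD_FILE, HEAD_SERVICE):
            file_flags, pos = read_vint(data, pos)
            _, pos = read_vint(data, pos)        # unpacked size
            _, pos = read_vint(data, pos)        # attributes
            pos += 4 * bool(file_flags & FHFL_MTIME) + 4 * bool(file_flags & FHFL_CRC32)
            _, pos = read_vint(data, pos)        # compression info
            _, pos = read_vint(data, pos)        # host OS
            name_len, pos = read_vint(data, pos)
            yield hdr_type, data[pos:pos + name_len].decode("utf-8", "replace")
        pos = hdr_end + data_size                # skip extra area and data area

def classify_name(name):
    """Risk traits of a stored name, in the order ads, traversal, absolute, startup."""
    norm = name.replace("/", "\\")
    has_drive = len(norm) >= 2 and norm[0].isalpha() and norm[1] == ":"
    traits = []
    if ":" in (norm[2:] if has_drive else norm):  # NTFS "file:stream" syntax
        traits.append("ads")
    if ".." in norm.split("\\"):
        traits.append("traversal")
    if has_drive or norm.startswith("\\"):
        traits.append("absolute")
    if "start menu\\programs\\startup" in norm.lower():
        traits.append("startup")
    return traits

def scan_archive(data):
    """Return [(name, traits)] for every entry whose stored name is suspicious."""
    return [(n, t) for _, n in iter_entry_names(data) if (t := classify_name(n))]

# Constructed sample archive: illustrative bytes, not a real malicious file.
def _vint(n):
    out = b""
    while n > 0x7F:
        out, n = out + bytes([(n & 0x7F) | 0x80]), n >> 7
    return out + bytes([n])

def _block(hdr_type, body, payload=b""):
    """One block: CRC32 + size vint + [type, flags, (data size), body] + data area."""
    flags = HFL_DATA if payload else 0
    fields = _vint(hdr_type) + _vint(flags) + (_vint(len(payload)) if payload else b"") + body
    hdr = _vint(len(fields)) + fields
    return struct.pack("<I", zlib.crc32(hdr)) + hdr + payload

def _file_block(name, payload):
    raw = name.encode("utf-8")
    body = (_vint(0) + _vint(len(payload)) + _vint(0x20)  # file flags, unpacked size, attrs
            + _vint(0) + _vint(0) + _vint(len(raw)) + raw)  # method 0 (stored), host OS Windows, name
    return _block(HEAD_FILE, body, payload)

def build_sample_archive():
    """Benign decoy entry plus one entry whose (hypothetical) name uses ADS syntax and
    ".." traversal to land a payload in the user's Startup folder."""
    evil = ("invoice.pdf:..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows"
            "\\Start Menu\\Programs\\Startup\\update.exe")
    return (RAR5_SIGNATURE
            + _block(HEAD_MAIN, _vint(0))                      # archive flags
            + _file_block("invoice.pdf", b"%PDF-1.4 constructed decoy")
            + _file_block(evil, b"MZ constructed payload")
            + _block(HEAD_ENDARC, _vint(0)))                   # end-of-archive flags

if __name__ == "__main__":
    print(scan_archive(build_sample_archive()))
```

The scanner only reads names, so it is cheap enough to run on every archive at a mail gateway or in a sandbox pre-filter, and it does not depend on the WinRAR version in use. It covers the RAR5 container only (RAR4 and self-extracting stubs need their own header walkers), and a clean result says nothing about the contents of the entries, so it complements rather than replaces patching to WinRAR 7.13 or later.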

© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.