Ankura
Subscribe

Social Media Links

Insights

 | 4 minute read

Ankura CTIX FLASH Update – January 27, 2026

Malware Activity

Phishing Campaigns and Stealthy Remote Access Attacks

Recent cybersecurity investigations reveal sophisticated attacks targeting users in Russia, where hackers use social engineering to trick individuals into opening malicious documents that appear legitimate. These campaigns deliver ransomware and powerful remote access tools like Amnesia RAT, allowing attackers to take control of infected systems, steal sensitive data, and manipulate files or even cryptocurrency transactions. Notably, the hackers exploit legitimate Windows features to disable security defenses, making detection harder. Additionally, cybercriminals are increasingly using trusted remote management software, like LogMeIn and RMM tools, by stealing credentials through fake emails to install hidden remote-control programs without raising suspicion. These tactics highlight the need for organizations to strengthen their defenses by monitoring unusual remote activity and enabling security features such as Tamper Protection to prevent full system compromises. Overall, these methods demonstrate how modern attackers leverage legitimate tools and social engineering to maintain long-term access and cause significant harm. CTIX analysts will continue to report on the latest malware strains and attack methodologies.

Threat Actor Activity

North Korean Konni Hacker Group’s Malware Code Appears to be Built with AI Assistance

The North Korean hacker group Konni, also known as Opal Sleet or TA406, has been observed by researchers deploying AI-generated PowerShell malware to target developers and engineers in the blockchain sector. Associated with APT37 and Kimsuky, Konni has been active since at least 2014, targeting regions such as South Korea, Russia, Ukraine, and Europe. Currently, their focus is on the Asia-Pacific region, with malware submissions coming from Japan, Australia, and India. The attack begins with victims receiving a Discord-hosted link that delivers a ZIP archive containing a PDF lure and a malicious LNK shortcut file. This shortcut runs a PowerShell loader, extracting a DOCX document and a CAB archive that includes a backdoor and other malicious files. The DOCX document aims to compromise development environments, potentially providing access to sensitive assets like infrastructure and cryptocurrency holdings. The PowerShell backdoor is heavily obfuscated and appears to be AI-assisted. Indicators of AI-generated code include structured documentation at the top of the script, a modular and clean layout, and specific comments like “# <– your permanent project UUID,” which suggests the use of large language models (LLMs) for generating code. These characteristics are typical of AI-produced scripts, where the model guides and instructs human customization of placeholder values. Before executing, the malware checks for analysis environments and generates a unique host ID. Once operational, it contacts a command-and-control (C2) server to send metadata and execute code asynchronously if instructed. Check Point researchers attribute these attacks to Konni due to similarities with previous campaigns, including launcher formats and execution chains. Indicators of compromise (IoCs) have been published to assist defenders in safeguarding their systems against this threat, which can be found in the Check Point report linked below.

Vulnerabilities

CISA Flags Actively Exploited VMware vCenter Vulnerability Amid Broader Exploit Chain Concerns

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Broadcom VMware vCenter Server vulnerability, to its Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild, mandating rapid remediation under Binding Operational Directive 22-01. The flaw, tracked as

CVE-2024-37079
(CVSS 9.8, patched in June 2024), is a heap overflow in the DCE/RPC protocol implementation that allows unauthenticated remote code execution (RCE) via specially crafted network packets when an attacker has network access to vCenter Server, with no user interaction or privileges required. Broadcom has confirmed in-the-wild exploitation and warned that no workarounds or mitigations exist beyond patching to the latest vCenter Server and Cloud Foundation releases. Research by QiAnXin LegendSec, later presented at Black Hat Asia, revealed that the vulnerability is part of a broader set of DCE/RPC vulnerabilities, including additional heap overflows and a privilege escalation flaw (
CVE-2024-38813
) that could be chained to gain remote root access and ultimately compromise ESXi hosts. While the threat actors behind current exploitation and the scale of attacks remain unknown, CISA emphasized that these types of vulnerabilities are a frequent and high-risk attack vector, mandating that all Federal Civilian Executive Branch (FCEB) agencies patch affected systems by no later than February 13, 2026, and underscoring a broader pattern of sustained exploitation targeting VMware enterprise infrastructure. CTIX analysts urge all administrators to ensure that they are running the latest vCenter Server and Cloud Foundation to prevent exploitation.

📧 Never Miss a Briefing

Stay informed and secure. Subscribe to Ankura’s Cyber Flash Update, a bi-weekly briefing curated by our top cybersecurity experts. Receive timely insights on emerging threats, vulnerabilities and malicious actors to keep your systems secure. 

Join the Cyber Flash Update community today.

© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.

Let’s Connect

We solve problems by operating as one firm to deliver for our clients. Where others advise, we solve. Where others consult, we partner.

I’m interested in
I need help with