Malware Activity
Cloud and AI Security Threats Highlight the Need for Vigilance
Recent security research has revealed new threats targeting cloud systems and AI tools. The discovery of VoidLink, a sophisticated Linux malware framework, shows how cybercriminals are developing advanced tools to covertly control cloud environments such as AWS, Azure, and Google Cloud. The malware is modular and stealthy, and it is capable of stealing credentials, moving laterally, and hiding its presence using rootkits and anti-debugging techniques. Although it has not yet been observed in active attacks, experts warn it could be used for long-term espionage or commercial cyber operations. Separately, researchers uncovered a method called Reprompt that tricks Microsoft's AI assistant, Copilot, into revealing sensitive user data through malicious links. While Microsoft has since fixed this flaw, these incidents highlight the increasing sophistication of cyber threats targeting critical digital infrastructure and emphasize the importance of proactive security measures to safeguard cloud and AI environments from covert and persistent attacks. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- BleepingComputer: New VoidLink Malware Framework Targets Linux Cloud Servers
- TheRegister: VoidLink Linux Malware
- SecurityWeek: VoidLink Linux Malware Framework Targets Cloud Environments
- SecurityWeek: New Reprompt Attack Silently Siphons Microsoft Copilot Data
Threat Actor Activity
DeadLock Ransomware Group Using Blockchain Smart Contracts to Evade Detection
The DeadLock ransomware group, identified in July 2025, employs blockchain-based methods to evade detection, distinguishing it from typical ransomware operations. Unlike the common double extortion approach, DeadLock does not have a data leak site to threaten victims with public exposure. Instead, it claims to sell stolen data on underground markets if ransoms aren’t paid, a tactic some experts consider dubious. The group’s notable innovation is using Polygon smart contracts to obscure its command-and-control (C2) infrastructure. This method allows frequent rotation of proxy server URLs, making it challenging for defenders to block the infrastructure permanently. After encrypting a victim’s systems, DeadLock provides an HTML file as a wrapper for the decentralized messenger Session, guiding victims to communicate via this platform. This technique of using smart contracts is gaining traction, with North Korean state-sponsored attackers employing similar methods, described as “EtherHiding,” to conceal malware, according to Google’s Threat Intelligence Group (GTIG). These methods represent a new evolution in cybercriminal tradecraft, offering a kind of bulletproof hosting. While DeadLock’s smart contract usage is well-documented, details about its initial access methods remain unclear. However, it is suspected to use techniques like bring your own vulnerable driver (BYOVD) and exploiting vulnerabilities to disable endpoint detection and response (EDR) systems, as noted by Cisco Talos.
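The detection value of the smart-contract C2 pattern described above is that the proxy URL rotates but the contract read that fetches it does not. The following Python is an added illustration written for this briefing, not code from DeadLock, Cisco Talos, or GTIG: it scans constructed outbound proxy log lines for hosts that issue EVM JSON-RPC contract reads (`eth_call` and related methods) without a known business reason. The log format, the allowlist, and the contract address are all assumptions of the example.

```python
import json

# JSON-RPC methods a loader would use to read configuration (e.g. a current
# proxy URL) out of an EVM smart contract.  Assumption of this example.
CONTRACT_READ_METHODS = {"eth_call", "eth_getStorageAt", "eth_getCode"}
# Hosts with a legitimate reason to query chain RPC endpoints (assumption).
ALLOWED_SOURCES = {"blockchain-indexer-01"}

# Constructed sample proxy log lines; format: ts source http_method url body
SAMPLE_LOG = [
    '2026-02-01T10:00:01Z web-01 POST https://rpc.example.invalid/ '
    '{"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0xCONTRACT_PLACEHOLDER","data":"0x"},"latest"],"id":1}',
    '2026-02-01T10:00:02Z web-01 GET https://updates.example.invalid/pkg.tgz -',
    '2026-02-01T10:00:03Z blockchain-indexer-01 POST https://rpc.example.invalid/ '
    '{"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0xLEGIT","data":"0x"},"latest"],"id":2}',
    '2026-02-01T10:00:04Z db-02 POST https://api.example.invalid/v1 {"event":"ok"}',
]


def parse_line(line):
    """Return (ts, source, url, json_payload) for a POST line, else None."""
    parts = line.split(" ", 4)
    if len(parts) != 5 or parts[2] != "POST":
        return None
    try:
        payload = json.loads(parts[4])
    except json.JSONDecodeError:
        return None
    return parts[0], parts[1], parts[3], payload


def detect_contract_reads(lines):
    """Flag non-allowlisted hosts that read state from a smart contract."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, url, payload = parsed
        method = payload.get("method") if isinstance(payload, dict) else None
        if method not in CONTRACT_READ_METHODS or src in ALLOWED_SOURCES:
            continue
        params = payload.get("params") or []
        first = params[0] if params else {}
        # eth_call carries {"to": address}; eth_getStorageAt/eth_getCode carry a bare address
        contract = first.get("to", "unknown") if isinstance(first, dict) else str(first)
        rpc_host = url.split("/")[2] if "://" in url else url
        findings.append({"ts": ts, "source": src, "rpc_host": rpc_host,
                         "method": method, "contract": contract})
    return findings
```

The contract address in each finding is the pivot point: blocking individual proxy URLs is futile when they rotate, but the contract and the RPC endpoint used to read it are stable enough to hunt on across the fleet.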
Vulnerabilities
Palo Alto Networks Patches Vulnerability as GlobalProtect Exposure and Scanning Activity Persist
Palo Alto Networks has released security updates for a high-severity denial-of-service (DoS) vulnerability, CVE-2026-0227 (CVSS 7.7/10), affecting PAN-OS firewalls and Prisma Access deployments when a GlobalProtect gateway or portal is enabled. The flaw stems from an improper check for exceptional conditions (CWE-754) and allows unauthenticated attackers to repeatedly trigger maintenance mode, disrupting firewall protections. The company confirmed that a proof-of-concept exploit exists but reported no evidence of in-the-wild exploitation to date, noting that Cloud NGFW is not impacted and that there are no viable workarounds beyond patching. Most cloud-hosted Prisma Access instances have already been upgraded, with remaining customers scheduled through standard maintenance windows, while on-premises administrators are urged to update across affected PAN-OS branches. Risk remains elevated given sustained reconnaissance and attack interest in GlobalProtect infrastructure: Shadowserver tracks nearly 6,000 Palo Alto Networks firewalls exposed online, and GreyNoise has recently warned of large-scale automated activity targeting GlobalProtect portals. Set against a backdrop of multiple PAN-OS zero-day and DoS incidents in recent years, CTIX analysts emphasize immediate patching to mitigate disruption risks to widely deployed environments across government, service providers, and large enterprises.

© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
