Ankura CTIX FLASH Update – June 2, 2026

These articles highlight how attackers are increasingly blending into normal business and development workflows to steal sensitive information without being easily detected. In one case, researchers discovered a malicious NuGet package disguised as a legitimate banking integration tool. The package quietly collected developer credentials, encrypted certificates, and even transaction data, then sent it to an external server, creating the risk of unauthorized access to financial systems and fraudulent activity. At the same time, a separate campaign uses realistic purchase order phishing emails with attached RAR files to lure employees into triggering a fileless malware infection known as PureLogs. Once opened, the malware runs silently in memory using trusted Windows tools, making it difficult for traditional security systems to detect. It then hides inside legitimate processes to gather browser credentials, session data, cryptocurrency wallets, and other sensitive information. Together, these incidents demonstrate a clear shift toward more subtle and sophisticated attacks that rely on trust, social engineering, and supply chain weaknesses. CTIX analysts will continue to report on the latest malware strains and attack methodologies.


GREYVIBE is a newly documented, Russian-speaking threat actor conducting persistent attacks against Ukraine and Ukraine-related targets since at least August 2025, as reported by WithSecure researchers. Its activity aligns with Kremlin intelligence interests, focusing on military, government, civilian, and business organizations. The group uses multiple delivery vectors, including spear-phishing emails, fake CAPTCHA pages, and fraudulent Ukrainian adult club and charity websites, to deploy custom obfuscators, loaders, and malware. Key attack chains include PhantomMail (phishing leading to JavaScript loaders and the PhantomRelay PowerShell RAT), PhantomClick (ClickFix-style CAPTCHA lures triggering PhantomRelay), and PrincessClub (fake adult sites delivering FallSpy Android spyware and LegionRelay/PhantomRelayV1 PowerShell RATs). These tools support file and browser data theft, screenshots, Telegram/WhatsApp exfiltration, and RDP setup. GREYVIBE heavily leverages GenAI and LLMs (e.g., ChatGPT, Gemini, Ideogram) to generate images, code, obfuscation, and backend tooling, speeding development and complicating attribution, but also introducing design flaws. WithSecure assesses the group as low-to-moderately sophisticated, sitting in a “grey area” between state-aligned espionage and cybercrime, with likely participation by current or former Russian cybercriminals.


IBM has disclosed a critical remote code execution (RCE) vulnerability affecting Web Server Plug-ins used with WebSphere Application Server and WebSphere Liberty deployments. The flaw, tracked as (CVSS 9.8/10), stems from improper control of code generation (CWE-94), allowing remote, unauthenticated attackers to send maliciously crafted HTTP requests that can trigger arbitrary code execution and potentially lead to full system compromise. The vulnerability also introduces HTTP request smuggling risks, enabling attackers to manipulate backend communications and bypass security controls. Affected versions include WebSphere Application Server and Liberty 8.5 and 9.0 environments using the optional Web Server Plug-ins component. Given WebSphere’s widespread use across enterprise and government networks, exploitation could provide a direct path into critical backend systems. CTIX analysts recommend following the IBM guidance by upgrading to the latest supported fix packs, applying interim fixes associated with APAR PH71342, monitoring for anomalous HTTP traffic, restricting external access to plug-in endpoints, deploying web application firewall protections, and conducting threat hunting activities to identify potential compromise. This vulnerability highlights the continued focus of threat actors on middleware and application infrastructure as high-value targets.
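One concrete way to act on the "monitor for anomalous HTTP traffic" recommendation is to flag requests whose body framing is ambiguous, since that ambiguity is what request smuggling relies on. The check below is an added example, not Ankura's or IBM's code; the function names and the sample requests are constructed for illustration.

```python
# Added example (not Ankura's or IBM's code): flag HTTP requests whose body
# framing is ambiguous, the malformed traffic that smuggling attempts rely on.
# Names and sample requests are constructed for illustration.

def parse_headers(raw: bytes) -> list[tuple[str, str, str]]:
    """Return (raw_name, name_lower, value) per header line; raw_name keeps
    any odd whitespace so that name-mangling tricks stay visible."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        raw_name, value = line.split(":", 1)
        headers.append((raw_name, raw_name.strip().lower(), value.strip()))
    return headers

def smuggling_indicators(raw: bytes) -> list[str]:
    """Return reasons the request's framing is ambiguous; [] means clean."""
    headers = parse_headers(raw)
    cl = [v for _, n, v in headers if n == "content-length"]
    te = [v for _, n, v in headers if n == "transfer-encoding"]
    reasons = []
    if cl and te:
        reasons.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        reasons.append("conflicting duplicate Content-Length values")
    reasons += [f"non-numeric Content-Length {v!r}" for v in cl if not v.isdigit()]
    reasons += [f"non-standard Transfer-Encoding {v!r}" for v in te
                if v.lower() != "chunked"]
    reasons += [f"whitespace-mangled header name {r!r}" for r, n, _ in headers
                if r != r.strip() and n in ("content-length", "transfer-encoding")]
    return reasons

# Constructed samples: a well-formed request and two ambiguous ones.
CLEAN = (b"POST /app HTTP/1.1\r\nHost: ws.example.internal\r\n"
         b"Content-Length: 5\r\n\r\nhello")
CL_TE = (b"POST /app HTTP/1.1\r\nHost: ws.example.internal\r\n"
         b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
DUP_CL = (b"POST /app HTTP/1.1\r\nHost: ws.example.internal\r\n"
          b"Content-Length: 4\r\nContent-Length: 9\r\n\r\nabcd")

if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("cl_te", CL_TE), ("dup_cl", DUP_CL)):
        print(label, smuggling_indicators(req) or "ok")
```

Run it over request heads captured in front of the plug-in (a proxy log or a packet capture) and alert on any non-empty result; a well-behaved client never needs to send these combinations.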


© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
