
Ankura CTIX FLASH Update – March 10, 2026

Malware Activity

Exploiting Internet Infrastructure and Advanced Hacking Techniques

Cybercriminals are increasingly exploiting core internet functions, such as the “.arpa” domain and IPv6 reverse DNS features, to conduct stealthy and sophisticated phishing attacks. These attackers hijack DNS zones by controlling large IPv6 address blocks and creating fake but convincing hostnames that appear legitimate, often using trusted providers to mask their activities. This tactic leverages the inherent trust in reverse DNS lookups to bypass security filters, making it harder for traditional defenses to detect malicious links, which are often designed to be temporary. Meanwhile, a notorious hacking group known as Velvet Tempest is employing advanced social engineering methods, such as the ClickFix technique, to infiltrate organizations. They trick users into executing malicious commands via online ads, then use these to establish backdoors, steal credentials, and deploy malware like DonutLoader and CastleRAT. While they usually carry out ransomware attacks, in recent simulated scenarios, their focus has been on creating persistent access points for future intrusions. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
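Reverse-DNS names are meant to appear in PTR lookups, not in links a user clicks, so a simple defensive check is to flag any URL whose hostname sits under ip6.arpa or in-addr.arpa and decode it back to the address it encodes for triage. The following is an added example, not code from Ankura or the report above; the sample URLs are constructed, and the /48 block size used for grouping IPv6 findings is an assumption.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Reverse-DNS zones: a hostname here encodes an IP address, not a service name.
REVERSE_ZONES = ("ip6.arpa", "in-addr.arpa")


def is_reverse_zone(host):
    """True if the host's last two labels are a reverse-DNS zone."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) in REVERSE_ZONES


def arpa_name_to_ip(hostname):
    """Decode an ip6.arpa / in-addr.arpa name back to the IP it represents,
    or return None if the labels do not form a valid reverse name."""
    labels = hostname.lower().rstrip(".").split(".")
    body = labels[:-2][::-1]  # reverse-DNS names list the address least-significant first
    if labels[-2:] == ["ip6", "arpa"]:
        if len(body) != 32 or not all(re.fullmatch(r"[0-9a-f]", n) for n in body):
            return None
        hexstr = "".join(body)
        return ipaddress.IPv6Address(":".join(hexstr[i:i + 4] for i in range(0, 32, 4)))
    if labels[-2:] == ["in-addr", "arpa"]:
        if len(body) != 4 or not all(o.isdigit() and int(o) <= 255 for o in body):
            return None
        return ipaddress.IPv4Address(".".join(body))
    return None


def triage_url(url):
    """Return a finding for a URL hosted under a reverse-DNS zone, else None."""
    host = urlsplit(url).hostname
    if not host or not is_reverse_zone(host):
        return None
    ip = arpa_name_to_ip(host)
    # Assumed /48 grouping: the size of block an actor would control to mint such names.
    block = str(ipaddress.ip_network(f"{ip}/48", strict=False)) if ip and ip.version == 6 else None
    return {"url": url, "host": host, "decoded_ip": str(ip) if ip else None, "block": block,
            "reason": "hostname is a reverse-DNS (.arpa) name; unexpected in a clickable link"}


# Constructed sample URLs (not real indicators), as they might appear in a proxy or mail log.
SAMPLE_URLS = [
    "https://login.example.com/account",
    "https://" + "1." + "0." * 23 + "8.b.d.0.1.0.0.2.ip6.arpa/verify",  # encodes 2001:db8::1
    "http://4.3.2.1.in-addr.arpa/reset",                                  # encodes 1.2.3.4
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(triage_url(u) or f"ok  {u}")
```

Feeding proxy or mail-gateway URL logs through `triage_url` surfaces .arpa-hosted links for review and groups IPv6 findings by the block they were minted from.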


Threat Actor Activity

Microsoft Reports AI’s Role is Becoming Amplified in Cyberattacks

A recent report by Microsoft Threat Intelligence highlights the increasing use of artificial intelligence (AI) by threat actors to enhance and scale cyberattacks. Attackers leverage generative AI tools for tasks like reconnaissance, phishing, infrastructure development, malware creation, and post-compromise activities. AI aids in drafting phishing emails, translating content, summarizing data, debugging malware, and configuring infrastructure, acting as a force multiplier that reduces technical barriers and accelerates attacks. Specific groups like North Korean actors Jasper Sleet and Coral Sleet use AI to develop realistic identities and resumes for gaining employment at Western companies, maintaining access post-hire. Jasper Sleet uses AI to create fraudulent digital personas, while Coral Sleet generates fake company sites and infrastructure. Threat actors also use AI for malware development, generating and refining malicious code, and employing AI-enabled malware that dynamically adjusts its behavior. Despite AI safeguards, actors use jailbreaking techniques to circumvent restrictions and generate malicious content. Microsoft notes that AI is currently used more for decision-making than for autonomous attacks. CTIX analysts advise organizations to treat these AI-driven schemes as insider risks and focus on detecting abnormal credential use, securing identity systems, and protecting AI systems. Microsoft’s observations align with reports from Google and Amazon, indicating a broader trend of AI being used to lower entry barriers for cybercriminals and enhance attack capabilities. Microsoft Defender detection rules for these activities can be found in the Microsoft report listed below.


Vulnerabilities

OpenAI Launches Codex Security AI Agent to Detect and Remediate Software Vulnerabilities

OpenAI introduced Codex Security, an AI-powered security agent designed to automatically identify, validate, and propose fixes for vulnerabilities in software codebases. Released in a research preview to ChatGPT Pro, Enterprise, Business, and Edu users via the Codex web interface, the tool builds deep contextual understanding of a project to uncover complex security issues that traditional automated scanners may miss, while reducing noise from insignificant findings. Codex Security evolved from OpenAI’s earlier Aardvark project, introduced in private beta in October 2025, and combines advanced model reasoning with automated validation workflows. During the past month of beta testing, the system analyzed over 1.2 million commits across external repositories, identifying 792 critical and 10,561 high-severity vulnerabilities in widely used open-source projects such as OpenSSH, GnuTLS, GOGS, Thorium, libssh, PHP, and Chromium, including issues tracked as CVE-2026-24881, CVE-2026-24882, and CVE-2025-32988. The platform operates through a three-stage process. First, it analyzes repository structure to generate a security-focused threat model; it then detects and classifies vulnerabilities based on real-world impact; and finally it validates them in a sandboxed environment to reduce false positives and potentially generate proof-of-concept exploits. Once verified, the agent proposes fixes aligned with system behavior to minimize regressions and streamline remediation. OpenAI reports that repeated scans have improved precision significantly, cutting false positives by more than half, positioning Codex Security as part of the emerging class of AI-driven application security tools alongside offerings like Anthropic’s Claude Code Security. CTIX analysts will continue to report on novel vulnerabilities and the ways in which they can be defended against.


© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
