Major Stories of the Month
The 6-Month Notepad++ Supply Chain Compromise (Lotus Blossom)
- In a sophisticated supply chain attack, the China-linked APT group Lotus Blossom (also tracked as Lotus Panda or Billbug) hijacked the shared hosting update infrastructure for the Notepad++ text editor.
- This compromise remained active for six months, from June to December 2025.
- Rather than altering the source code, the attackers intercepted the server-side WinGUp update mechanism to selectively redirect traffic and deliver the previously undocumented "Chrysalis" backdoor.
- The threat actors initially targeted government, telecommunications, and critical infrastructure in Southeast Asia before expanding to cloud hosting, energy, and financial sectors across the US, Europe, and South America.
UNC3886 Compromises Singapore's Telecommunications Backbone
- In a severe breach of national critical infrastructure, the Chinese state-sponsored threat group UNC3886 successfully compromised the telecommunications sector of Singapore.
- The attackers breached all four of Singapore's major telecommunications providers.
- Operating throughout 2025, the threat actors achieved deep infrastructure compromise by deploying rootkits, kernel-level implants, and zero-day exploits specifically designed to target core network equipment.
18-Month Undetected Zero-Day Campaign Targeting Dell
- Chinese APT UNC6201 executed a massive, prolonged espionage campaign by exploiting a maximum-severity zero-day vulnerability (CVE-2026-22769) in Dell RecoverPoint for Virtual Machines.
- The group exploited this CVSS 10.0 vulnerability undetected for 18 months, from mid-2024 until February 2026.
- To maintain stealth while targeting disaster recovery and backup infrastructure, UNC6201 created "Ghost NICs" and manipulated iptables for Single Packet Authorization to pivot laterally into VMware environments.
- The severity of this breach prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue a highly compressed 3-day emergency patching deadline for federal agencies.
Top Ransomware Groups
The following groups demonstrated the highest activity levels or operational innovation during the reporting period.
Note: The ecosystem experienced a record 5,246 victims in 2025 (a 30% YoY increase), with 711 attacks occurring in January 2026 alone (+8% month-over-month). However, ransomware encryption attacks dropped by 38% as threat actors increasingly pivot to a "silent residency" model, focusing purely on persistent access and data exfiltration to maximize extortion.
- Qilin - The highest-volume operator, executing 108 attacks in January 2026 alone. Heavily targets the education, legal, and healthcare sectors. Highly aggressive operations; claimed 7 new victims in a single week, including LaBaguette and Madison Services.
- LockBit 5.0 - Focuses heavily on cloud and virtualization layers with explicit cross-platform support. High infrastructure disruption potential via dedicated builds specifically tailored for Windows, Linux, ESXi, and Proxmox.
- Everest - A major player shifting heavily toward massive data theft and corporate disruption over traditional encryption. Claimed theft of 72.7 million customer accounts from Under Armour and 1.4TB of data from Nike, alongside breaches of Polycom and Hosokawa Micron Group.
- Black Basta - Highly technical operation incorporating advanced defense evasion mechanisms directly into payloads. Embeds a BYOVD (Bring Your Own Vulnerable Driver) technique via the NSecKrnl driver to disable EDR/AV at the kernel level.
- INC Ransom - Conducts high-volume global campaigns against healthcare, technology, legal, and construction sectors. Massive operational damage; attacks forced the University of Mississippi Medical Center to close 35 clinics statewide.
Linux / Cloud / Identity Attacks: Top Threats
These threats were selected based on their severity scores (CVSS) and their specific impact on cloud infrastructure and identity management systems.
1. BeyondTrust Pre-Auth RCE (CVE-2026-1731)
- Type: Identity & Access / Remote Management
- A critical pre-authentication remote code execution vulnerability affecting BeyondTrust Remote Support and Privileged Remote Access products, which are used by 75% of the Fortune 100.
- Approximately 8,500 on-premises instances were exposed to the internet.
- CVSS 9.9 (Active exploitation confirmed in ransomware campaigns). Attackers deployed VShell and SparkRAT within 24 hours of the Proof-of-Concept release to execute network reconnaissance and data theft across the finance, legal, technology, and healthcare sectors.
2. OpenClaw AI Agent Framework Vulnerabilities (CVE-2026-25253)
- Type: Cloud / AI Platform
- A cluster of six high-to-critical vulnerabilities discovered in the OpenClaw AI framework, including Server-Side Request Forgery (SSRF) and a one-click RCE via malicious WebSockets.
- Over 21,639 internet-exposed AI agent instances were identified as vulnerable.
- A supply chain attack via a compromised npm token in the Cline CLI pushed malicious OpenClaw installations to over 4,000 developers, enabling authentication bypass and path traversal attacks.
Insights from Rubrik Zero Labs LLM Powered Advanced Analysis Systems
Top Threats Inside Backups: Our advanced analysis systems identify top and trending threats seen in the wild and compare that data with backup telemetry to detect stealthy malware. The following are the most prevalent families seen in the backup data that are potentially successful in bypassing first-line defenses.
Category 1: Remote Access Trojans (RATs) & InfoStealers
These tools are primarily designed to spy on users, steal sensitive data, and maintain control over a victim's machine.
- AgentTesla: A popular .NET-based spyware and RAT that specializes in stealing credentials from browsers and email clients, capturing screenshots, and logging keystrokes.
- XWorm: A feature-rich, commodity RAT sold on underground forums that provides extensive capabilities, including data theft, DDoS attacks, and even a module to deploy ransomware.
- SparkRAT: A cross-platform RAT (often written in Go) that allows attackers to remotely manage and execute commands on Windows, Linux, and macOS systems through a web interface.
Category 2: Web Shells / Backdoors
These are scripts uploaded to a server to maintain persistent access and execute commands.
- VShell: A malicious webshell (often associated with the APT32/OceanLotus group) used to establish a hidden backdoor on compromised servers for persistent remote execution.
Category 3: Ransomware
Malware designed to encrypt files and demand payment for the decryption key.
- LockBit: One of the most prolific Ransomware-as-a-Service (RaaS) operations, known for its extremely fast encryption speed and "double extortion" tactic of leaking stolen victim data.
- Medusa: A sophisticated ransomware strain that targets corporate environments, forcing victims to pay by threatening to publish their sensitive files on the dedicated "Medusa Blog" leak site.
Top Threats Analysed / Flagged by our Advanced Malware Analysis Systems
SHA256: 810af315a2c159185c74c048d82366a17b3e9356fa6c56bbac537b1b990eecdb (Linux Persistence Framework / Post-Exploitation Toolkit)
Summary: PANIX is a highly sophisticated Linux persistence toolkit employing over 40 distinct mechanisms across bootloaders, init systems, and container escapes to maintain long-term access. It actively utilizes rootkits like Diamorphine and deploys LD_PRELOAD backdoors to deeply embed itself while evading detection.
First_Seen: 2025-05-14
SHA256: 1096e35b5757e4014d578bbbdea096b53c465aee2c16bafaf590c6f83c500b9c (Remote Access Trojan (RAT) / Backdoor)
Summary: This Linux backdoor relies on the UDP-based KCP protocol for reliable command and control communication while securing traffic with ARC4 encryption. It daemonizes upon execution to run silently in the background, offering operators full remote shell execution, anti-debugging defenses, and comprehensive file management access.
First_Seen: 2024-09-08
SHA256: 8471257186db7db30d74816409fa09a09898ee099e7e0d1ad015546975e53a8f (Cryptocurrency Miner with Advanced Rootkit)
Summary: This Monero miner uses an eBPF kernel rootkit for advanced stealth and anti-forensic capabilities. It functions as a self-propagating worm that aggressively scans for lateral movement opportunities via Redis, SSH, and SMB, while actively identifying and killing competitor mining processes.
First_Seen: 2026-02-11
SHA256: 9e8e1692daed7c0c564fbac15c73c8ea3aab43bba183b179f36dec69a4d47ea3 (Remote Access Trojan (RAT) / Backdoor)
Summary: This Linux backdoor performs extensive local network reconnaissance and targets sensitive system files and credentials for theft. It ingeniously masks its HTTP C2 communications using steganography within GIF headers and custom XOR encryption, maintaining host persistence through injected bashrc scripts and cron jobs.
First_Seen: 2026-02-13
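As an added triage example (not from this report or from any of the samples above), the following Python check looks for the three Linux persistence mechanisms named in the PANIX and GIF-steganography backdoor summaries: ld.so.preload entries (LD_PRELOAD backdoors), injected shell rc lines, and cron jobs. It is pointed at a root directory so it can run over a mounted backup image; the suspicious-line patterns and the sample filesystem it builds are constructed assumptions, not indicators from the samples.

```python
import os
import re
import tempfile

# Constructed heuristics: rc lines that pipe a download into a shell, decode a
# base64 payload, or daemonize a program on every interactive login.
SUSPICIOUS_RC = re.compile(r"(curl|wget)[^\n]*\|\s*(ba)?sh|base64\s+(-d|--decode)|nohup\s+\S+\s*&")
RC_FILES = ("root/.bashrc", "root/.profile", "etc/bash.bashrc", "etc/profile")
CRON_DIRS = ("etc/cron.d", "var/spool/cron/crontabs")

def scan_persistence(root):
    """Return (location, evidence) tuples found under the given filesystem root."""
    findings = []
    preload = os.path.join(root, "etc/ld.so.preload")
    if os.path.isfile(preload):  # any library here is injected into every process
        with open(preload) as f:
            for line in f:
                lib = line.strip()
                if lib and not lib.startswith("#"):
                    findings.append(("ld.so.preload", lib))
    for rel in RC_FILES:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            with open(path) as f:
                for line in f:
                    if SUSPICIOUS_RC.search(line):
                        findings.append((rel, line.strip()))
    for d in CRON_DIRS:  # every non-comment cron line is surfaced for review
        full = os.path.join(root, d)
        if os.path.isdir(full):
            for name in sorted(os.listdir(full)):
                with open(os.path.join(full, name)) as f:
                    for line in f:
                        line = line.strip()
                        if line and not line.startswith("#"):
                            findings.append((f"{d}/{name}", line))
    return findings

def build_sample_root():
    """Constructed fixture: a fake filesystem with one hit per mechanism."""
    root = tempfile.mkdtemp()
    def write(rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(text)
    write("etc/ld.so.preload", "/usr/lib/libhook.so\n")          # hypothetical path
    write("root/.bashrc", "alias ll='ls -l'\nnohup /tmp/.x/agent &\n")
    write("etc/cron.d/sync", "*/5 * * * * root /tmp/.x/agent\n")
    return root
```

Run `scan_persistence("/")` on a live host or `scan_persistence("/mnt/restore")` on a mounted restore point; the benign alias line in the fixture is deliberately not reported.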
SHA256: 312ff5a048a206808aa8d0958731e7758393efb4fa0ac1fd7faa708059baeb9f (Remote Access Trojan (RAT) with HVNC)
Summary: This RAT variant leverages Hidden VNC to target Brazilian banking customers with elaborate full-screen overlays mimicking Windows updates and banking portals. Most notably, it features a specialized QR code hijacking system that actively monitors the victim's screen and replaces Pix payment codes in real-time to steal funds.
First_Seen: 2026-02-03