Weekly Summary Cyberattacks 08-14
Convincing LinkedIn Comment-Reply Tactic Used in New Phishing
A new phishing campaign has been observed on LinkedIn, in which scammers flood public posts with fake reply comments that convincingly impersonate official LinkedIn communications. The fraudulent comments warn users of alleged policy violations or suspicious activity, claiming that access to their accounts has been “temporarily restricted” and urging them to click an external link to resolve the issue. The messages closely mimic LinkedIn branding, including the use of the LinkedIn logo, official-sounding language, and in some cases LinkedIn’s own lnkd.in URL shortener, making malicious links harder to distinguish from legitimate ones. The activity appears automated and is carried out by LinkedIn-themed profiles and fake company pages that use variations of LinkedIn’s name and branding. In documented cases, users who follow the links are taken first to phishing pages hosted on unrelated domains that elaborate on the false restriction notice, and are then redirected to secondary phishing sites where credential harvesting occurs.
deVixor: An Evolving Android Banking RAT with Ransomware Capabilities Targeting Iran
deVixor is an actively developed Android banking Remote Access Trojan (RAT) that has evolved into a multi-purpose criminal platform combining banking fraud, credential theft, ransomware, and persistent device surveillance, with a clear focus on Iranian users. The malware is distributed as malicious APK files through phishing websites impersonating legitimate automotive businesses, where victims are lured with discounted vehicle offers and tricked into installing the application. The malware has been active since October 2025, and analysis of more than 700 samples by Cyble Research and Intelligence Lab indicates a large-scale, ongoing campaign supported by centralized infrastructure and frequent feature updates.
“Boto Cor-de-Rosa”: Banking Malware Astaroth Pivots to WhatsApp in New Campaign
The Boto Cor-de-Rosa campaign represents a new phase in the evolution of the Astaroth (Guildma) banking malware, which primarily targets Brazilian retail banking users. In this campaign, the malware has adapted to leverage WhatsApp as a propagation vector, sending malicious messages that encourage users to download attachments containing a Visual Basic Script downloader. Once executed, the malware installs the Astaroth payload, capable of harvesting banking credentials and sensitive financial information through browser-based injections during online banking sessions. The campaign uses a multi-language modular architecture, including Delphi for the core Astaroth payload and Python modules for automating propagation through WhatsApp, demonstrating a shift toward social-platform-driven malware distribution.
GRU-Linked BlueDelta Evolves Credential Harvesting
Multiple credential-harvesting campaigns conducted between February and September 2025 were identified and attributed to BlueDelta, a Russian state-sponsored threat group associated with the GRU. Insikt Group assessed the activity as an expansion of BlueDelta's credential-theft operations and reported that the campaigns targeted a small, distinct set of victims, including individuals linked to a Turkish energy and nuclear research agency, staff affiliated with a European think tank, and organizations in North Macedonia and Uzbekistan. The phishing infrastructure impersonated legitimate webmail and VPN login services by replicating authentic login interfaces and then redirecting victims to legitimate sites after credential submission to reduce suspicion. The campaigns relied heavily on legitimate, low-cost, disposable services while also embedding legitimate PDF lure documents to increase credibility and help evade automated detection.
Inside GoBruteForcer: AI-Generated Server Defaults, Weak Passwords, and Crypto-Focused Campaigns
According to information dated January 7, 2026, Check Point Research reported on GoBruteforcer (also called GoBrut), a modular Go botnet that compromises Linux servers and turns them into scanning and password-brute-force nodes. The botnet targets internet-exposed services, including FTP, MySQL, PostgreSQL, and phpMyAdmin, and typically spreads through a chained workflow. The report attributes the current wave of activity to two main drivers: the mass reuse of AI-generated server deployment examples that encourage common operational usernames and weak defaults (e.g., usernames like appuser and myuser), and continued exposure of legacy web stacks such as XAMPP, which can ship with an FTP server and default/weak credentials if not hardened. The analysis highlights that large portions of the attack surface remain broadly reachable on default ports and cites Shodan figures indicating roughly 5.7 million FTP, 2.23 million MySQL, and ~560,000 PostgreSQL servers exposed to the internet, plus tens of thousands of phpMyAdmin panels.
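The pattern described above, a single source cycling through generic usernames against several exposed services, is visible in ordinary authentication logs. The following Python script is an added example, not code from the Check Point report or from this summary: it parses constructed failed-login lines in the formats written by vsftpd, MySQL and PostgreSQL, groups failures by source address, and flags sources that reach a failure threshold, recording which of the attempted usernames fall in a list of generic defaults. The list seeds with the appuser and myuser examples cited in the report; the additional names in it, the threshold, and the sample log lines are assumptions made for this example.

```python
"""Flag brute-force style authentication failures against FTP, MySQL and
PostgreSQL services from their log lines.

All log lines below are constructed for this example; they follow the
formats of vsftpd, MySQL and PostgreSQL, which is an assumption about the
operator's logging configuration (PostgreSQL needs the client host in its
log_line_prefix for the address to appear).
"""
import re
from collections import defaultdict

# Usernames the report associates with AI-generated deployment examples
# (appuser, myuser), extended with a few widely reused service defaults.
# The extension is an assumption for this example.
GENERIC_USERS = {"appuser", "myuser", "admin", "root", "postgres", "mysql", "ftpuser"}

# Constructed sample log lines: one source probing three services, one
# unrelated single failure, and one non-authentication line as noise.
SAMPLE_LOG = """\
Tue Jan  7 10:00:01 2026 [pid 1201] [appuser] FAIL LOGIN: Client "203.0.113.5"
Tue Jan  7 10:00:02 2026 [pid 1203] [myuser] FAIL LOGIN: Client "203.0.113.5"
Tue Jan  7 10:00:03 2026 [pid 1205] [ftpadmin] FAIL LOGIN: Client "203.0.113.5"
2026-01-07T10:00:10.000000Z 17 [Note] Access denied for user 'appuser'@'203.0.113.5' (using password: YES)
2026-01-07T10:00:11.000000Z 18 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2026-01-07 10:00:20 UTC [2201] 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2026-01-07 10:00:21 UTC [2202] 203.0.113.5 FATAL:  password authentication failed for user "myuser"
2026-01-07 10:05:00 UTC [2210] 198.51.100.7 FATAL:  password authentication failed for user "alice"
2026-01-07T10:05:30.000000Z 19 [Note] Got an error reading communication packets
"""

# One pattern per service, each capturing the attempted user and source IP.
LINE_PATTERNS = {
    "ftp": re.compile(r'\[(?P<user>[^\]]+)\] FAIL LOGIN: Client "(?P<ip>[\d.]+)"'),
    "mysql": re.compile(r"Access denied for user '(?P<user>[^']+)'@'(?P<ip>[\d.]+)'"),
    "postgresql": re.compile(
        r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) FATAL:\s+password authentication failed '
        r'for user "(?P<user>[^"]+)"'
    ),
}


def parse_failures(log_text):
    """Yield (service, user, ip) for every line that is a failed login."""
    for line in log_text.splitlines():
        for service, pattern in LINE_PATTERNS.items():
            match = pattern.search(line)
            if match:
                yield service, match.group("user"), match.group("ip")
                break  # a line belongs to exactly one service


def detect_bruteforce(log_text, threshold=5):
    """Return {ip: summary} for sources with at least `threshold` failures.

    Failures are counted across all services, since the report describes a
    chained workflow rather than one service being hammered in isolation.
    The summary lists the services touched and the generic usernames tried.
    """
    failures = defaultdict(list)
    for service, user, ip in parse_failures(log_text):
        failures[ip].append((service, user))

    report = {}
    for ip, attempts in failures.items():
        if len(attempts) < threshold:
            continue
        users_tried = {user for _, user in attempts}
        report[ip] = {
            "failures": len(attempts),
            "services": sorted({service for service, _ in attempts}),
            "generic_users_tried": sorted(users_tried & GENERIC_USERS),
        }
    return report


if __name__ == "__main__":
    for ip, summary in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, summary)
```

Run as a script, it prints one line for 203.0.113.5, which fails seven times across all three services using four of the generic usernames, while the single failure from 198.51.100.7 stays below the threshold. In practice the same grouping would be fed from the real log files or a SIEM, with the threshold tuned to the normal failure rate of the environment.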