21 January 2026

Weekly Summary: Cyberattacks January 15-21

VoidLink: Evidence That the Era of Advanced AI-Generated Malware Has Begun  

The first clearly documented case of a highly sophisticated malware framework developed predominantly through artificial intelligence was detected, tracked as VoidLink. Researchers state that VoidLink marks a turning point in the evolution of malicious development, demonstrating how AI can materially accelerate the creation of advanced offensive tooling when used by a capable individual rather than inexperienced actors or commodity malware authors. VoidLink initially drew attention due to its high engineering maturity, modular design, and flexible operational model, including support for technologies such as eBPF, Linux kernel module (LKM) rootkits, cloud enumeration capabilities, and post-exploitation modules for containerized environments.

In-Depth Analysis of the Evelyn Stealer Campaign Targeting Software Developers  

An in-depth analysis of an active malware campaign targeting software developers through weaponized Visual Studio Code (VSC) extensions was published, delivering a multistage information stealer known as Evelyn Stealer. The campaign abuses the trusted VSC extension ecosystem to gain initial execution on developer systems, where a malicious extension drops a first-stage DLL masquerading as a legitimate Lightshot component. This DLL is loaded by the genuine Lightshot executable and immediately executes a hidden PowerShell command to download and run a second-stage payload. The downloader implements mutex-based execution control and exports legitimate-looking functions to avoid suspicion. The second-stage payload acts as a process-hollowing injector: it decrypts the final Evelyn Stealer payload, which is protected with AES-256-CBC encryption, and injects it into a legitimate Windows process, grpconv.exe.

5 Malicious Chrome Extensions Enable Session Hijacking in Enterprise HR and ERP Systems  

Security researchers discovered a coordinated campaign involving five malicious Google Chrome extensions designed to enable session hijacking and suppress security controls across enterprise HR and ERP platforms. The extensions, collectively installed by more than 2,300 users, operate in a complementary manner to exfiltrate authentication cookies, block access to administrative and incident response interfaces, and directly hijack authenticated sessions. Four of the extensions are published under the same developer identity, databycloud1104, while a fifth uses separate branding under “Software Access,” yet all share identical infrastructure patterns, API paths, code structures, and security-tool detection logic, indicating a single coordinated operation rather than independent activity. 

Undocumented anti-analysis techniques in iOS spyware "Predator"  

Research into the Predator commercial spyware has revealed previously undocumented anti-analysis and error-reporting techniques built into its iOS implant. Predator, developed by Intellexa and observed in mobile spying campaigns, goes beyond basic stealth: when its deployment fails on a target device, it doesn’t simply stop. Instead, it sends detailed error codes back to a command-and-control (C2) infrastructure that describe exactly why the attempt aborted, such as the presence of security tools, HTTP proxies, or other hostile environmental conditions on the device. This taxonomy of error codes turns each unsuccessful intrusion into actionable intelligence for the operator, potentially increasing the success of future campaigns. The research, building on earlier analyses by organisations like Google’s Threat Intelligence Group and Citizen Lab, shows that these error codes are part of a broader anti-analysis system that helps Predator recognize when it is being observed or thwarted by defensive tools, including some security or debugging utilities.

Cyberattack Forces Belgian Hospital to Transfer Critical Care Patients  

A cyberattack affecting a major hospital group in Belgium caused a severe disruption to healthcare operations and forced the transfer of critically ill patients to other medical facilities. The incident, later described by authorities and local media as a ransomware attack, led the hospital to proactively shut down all IT systems and servers across its campuses as a precautionary measure to contain the threat and prevent potential compromise of patient data. As a direct consequence of the shutdown, all scheduled surgeries were canceled, the emergency department began operating at reduced capacity, and mobile emergency services were rendered temporarily non-operational.