In May 2026, ANY.RUN observed a surge in sophisticated phishing and malware campaigns utilizing fileless execution, browser-based credential theft, and legitimate workflow abuse. Key threats included Agent Tesla credential harvesting, ClickFix fileless malware, BlobPhish in-memory page generation, and phishing-to-RMM chains bypassing traditional MFA via real-time OTP interception.
Software Supply Chain and AI Exploitation Dominate Threat Landscape
The software supply chain has become the primary battlefield for attackers because compromising a single developer tool can cascade into thousands of enterprise networks. Campaigns like Mini Shai-Hulud and TrapDoor are stealing credentials and injecting backdoors across major code registries, while the Laravel Lang Compromise and the Coruna Exploit Kit show how malicious code can automatically execute to steal secrets or exploit end users. As a result, organizations must treat developer environments as high-value targets, because a single compromised package or malicious VS Code extension can lead to catastrophic breaches like the GitHub internal repository theft by TeamPCP.
In parallel, artificial intelligence is simultaneously accelerating attacks and creating dangerous new attack surfaces. Threat actors are using AI to automate influence campaigns like Patriot Bait and crack passwords, while also impersonating AI tools like Gemini CLI and Claude Code to deliver infostealers. Furthermore, attackers are directly targeting exposed AI infrastructure, such as Ollama AI endpoints, and manipulating AI coding assistants via hidden prompt injections in campaigns like TrapDoor, which means AI systems are both the weapon and the target.
These trends together suggest that traditional perimeter defenses are failing against supply chain and AI-driven threats. Managers should immediately enforce strict vetting of open-source packages, restrict developer access to unverified extensions, and ensure AI infrastructure is not exposed to the public internet.
Threat actors are leveraging image steganography hosted on legitimate file-sharing platforms to deliver remote access trojans and information stealers. The attack chain utilizes a JavaScript dropper to extract a Base64-encoded DotNET loader from a seemingly benign image, which then injects the final payload into memory to evade endpoint detection.
An 18-month Agent Tesla campaign is targeting LATAM enterprises, particularly in Chile, using procurement-themed phishing lures. The attack chain employs a multi-stage loader protected by .NET Reactor 6.x, utilizing process hollowing into aspnet_compiler.exe to execute the credential-stealing payload entirely in memory. Stolen data is exfiltrated via cleartext FTP to compromised legitimate infrastructure.
Threat actors are increasingly weaponizing the legitimate Telegram Bot API to establish Command and Control (C2) channels and exfiltrate stolen data. This technique is widely adopted across credential phishing campaigns and malware families like Agent Tesla and Pure Logs Stealer, allowing attackers to bypass traditional network defenses by blending malicious traffic with legitimate Telegram communications.