Threat actors are leveraging image steganography hosted on legitimate file-sharing platforms to deliver remote access trojans and information stealers. The attack chain utilizes a JavaScript dropper to extract a Base64-encoded DotNET loader from a seemingly benign image, which then injects the final payload into memory to evade endpoint detection.
Threat actors are exploiting the OpenClaw AI agent framework by publishing a deceptive 'DeepSeek-Claw' skill that distributes malware. The campaign utilizes malicious installation instructions to deploy Remcos RAT on Windows via DLL sideloading and GhostLoader on macOS/Linux via obfuscated Node.js scripts, enabling persistent access and data exfiltration.
A sophisticated phishing campaign is abusing Google Cloud Storage to host fake Google Drive login pages, harvesting credentials before delivering the Remcos RAT. The attack employs a complex, multi-stage execution chain using JavaScript, VBScript, and PowerShell to perform process hollowing on the legitimate RegSvcs.exe binary, allowing the malware to operate stealthily in memory.
Threat actors are increasingly abusing legitimate Git repository platforms like GitHub and GitLab to host malware and credential phishing pages. By leveraging the inherent trust organizations place in these domains, attackers successfully bypass secure email gateways (SEGs) to deliver dual-threat campaigns involving remote access trojans (RATs), infostealers, and credential harvesting.
Cybercriminals are increasingly abusing the Keitaro adtech platform to optimize the distribution of malware, phishing, and scams. By leveraging Keitaro's built-in tracking, cloaking, and traffic distribution capabilities, actors can efficiently target victims, evade detection, and scale operations across multiple threat types including wallet drainers and infostealers.
In 2025, Insikt Group observed the continued dominance of Cobalt Strike, AsyncRAT, and infostealers like Vidar, alongside the rise of new offensive tools such as RedGuard, Ligolo, and CastleLoader. The report highlights the critical role of Threat Activity Enablers (TAEs) and the abuse of legitimate infrastructure services, such as CDNs, in sustaining cybercriminal and APT operations.
AI Rush Opens New Attack Paths as Trusted Cloud Services Fuel Phishing
The rush to adopt artificial intelligence is giving attackers two new advantages: convincing lures to trick users and poorly secured infrastructure to exploit. This week, multiple campaigns used fake websites for the Claude AI assistant to infect victims with password-stealing malware, while researchers revealed that commercial robots and AI connection protocols contain critical flaws that let hackers hijack them. Because organizations are deploying AI tools faster than they can secure them, attackers are finding easy entry points into corporate networks.
In parallel, phishing campaigns are increasingly hijacking trusted cloud services like Amazon's email platform and Vercel's AI-powered website builder to send messages that bypass security filters entirely. A massive campaign targeting US employees used fake HR reviews to steal login sessions even when multi-factor authentication was enabled, and the breach of the Canvas learning platform exposed data on 275 million people that can now be used for highly convincing follow-up scams. These trends together suggest that traditional defenses are losing effectiveness because attackers are hiding inside the systems we already trust.
Organizations should immediately patch the actively exploited Palo Alto Networks and Ivanti vulnerabilities flagged by CISA this week, require phishing-resistant authentication methods, and treat every AI tool and robot connected to their network as a high-risk device that needs strict monitoring.