Wormable Cryptojacking Campaign Combines BYOVD Exploits with Stealthy Propagation Techniques
A newly uncovered campaign demonstrates how modern cryptojacking operations are evolving through advanced evasion and persistence mechanisms. Centered around a customized XMRig miner, the attack spreads via pirated software bundles and USB devices, enabling worm-like propagation across systems. At its core is a multi-functional controller that manages different infection stages, supported by embedded payloads and a resilient watchdog structure. By leveraging a Bring Your Own Vulnerable Driver (BYOVD) technique, the malware gains kernel-level access to optimize mining performance, even modifying CPU behavior to increase efficiency. Additional stealth features include hidden file deployment, process manipulation, and a time-based kill switch that governs the campaign lifecycle. This combination of social engineering, kernel exploitation, and automated spread highlights how even non-ransomware threats are becoming increasingly sophisticated and difficult to detect.
Ransomware Evolves with Polymorphism and Stealthy Data Corruption Techniques
Recent research highlights a significant shift in ransomware tactics, with attackers increasingly adopting advanced methods designed to evade detection and complicate recovery. A growing number of variants now use polymorphic techniques, allowing them to alter their structure while maintaining functionality, making signature-based detection less effective. Additionally, shadow encryption has become more prevalent, enabling attackers to slowly and partially encrypt data to remain undetected for longer periods. Another emerging trend involves targeting entire directory structures instead of individual files, accelerating disruption across systems. Notably, some campaigns are beginning to resemble wiper attacks, prioritizing irreversible data destruction over financial gain. These developments demonstrate how ransomware is moving beyond traditional encryption models toward more stealthy and destructive approaches, reinforcing the need for advanced detection capabilities and resilient recovery strategies.
State-Backed Threat Actors Expand Ransomware Operations in Healthcare Sector
Recent threat intelligence indicates that North Korean-linked actors are increasingly leveraging Medusa ransomware to target organizations, particularly within the healthcare sector. Operating under a ransomware-as-a-service model, Medusa has seen growing adoption among affiliates, contributing to hundreds of reported incidents since its emergence. Analysts have linked recent activity to groups associated with Lazarus, highlighting a continued shift from traditional espionage toward financially motivated cybercrime. Campaigns involve a combination of backdoors, credential theft tools, and remote access utilities to establish persistence and facilitate data exfiltration before encryption. Notably, healthcare and non-profit organizations remain frequent targets, despite the heightened risks associated with such attacks. These developments underscore how state-aligned actors are increasingly blending cybercrime and espionage, reinforcing the need for robust defenses against advanced, multi-stage ransomware operations.
APT Campaign Deploys New Malware Families Targeting MENA Region
The Iranian threat group MuddyWater has launched a new operation targeting organizations across the Middle East and North Africa, leveraging phishing campaigns and newly developed malware. The attack chain begins with malicious Office documents that execute macros to deliver payloads, including tools such as GhostFetch and CHAR. These components enable further compromise through backdoor deployment, remote command execution, and file manipulation. Some variants also use legitimate remote access software to maintain persistence and expand control over infected systems. Researchers have identified signs of AI-assisted development within the malware, indicating a shift toward more efficient and adaptable tooling. Combined with the exploitation of known vulnerabilities on public-facing systems, the campaign highlights how advanced persistent threat groups continue to refine their techniques to achieve sustained access and operational flexibility in targeted environments.
Conclusion
Today's threat landscape continues to evolve across multiple fronts, from stealthy cryptojacking campaigns and advanced ransomware techniques to state-backed operations leveraging sophisticated malware. Attackers are increasingly combining persistence, evasion, and automation to maximize impact while minimizing detection, making both preventive measures and rapid response capabilities more critical than ever.
As experts in ransomware recovery and cybersecurity, we provide specialized support through our ransomware decryption service, Ransomware Negotiation Services, and a proactive Incident Response Retainer. If your organization needs assistance in recovering from an attack or strengthening its cyber resilience, contact us today.