News Week: February 2nd to February 8th, 2026

February 9, 2026

ShadowHS Signals a New Class of Fileless Linux Threats

Security researchers have uncovered ShadowHS, a stealth-focused Linux malware framework that runs entirely in memory and so leaves little for disk-based scanning to find. Instead of dropping executable files, it executes its payload from anonymous in-memory file descriptors (typically the memfd_create() pattern, where the kernel reports the running executable as a deleted memfd path rather than a file) and hides in process listings by spoofing the names of legitimate processes. The infection chain relies on a heavily obfuscated, multi-stage loader whose payload is stored AES-256-CBC encrypted and reconstructed only at runtime. Once active, ShadowHS emphasizes reconnaissance and environmental awareness, profiling installed security tools and system defenses before enabling further actions; analysts observed checks for common enterprise protection platforms, kernel safeguards, and signs of competing malware. For exfiltration the framework tunnels traffic through GSocket (Global Socket) relays, an outbound encrypted channel that is easy to miss in conventional network monitoring. On operator instruction, dormant modules can activate cryptocurrency mining, credential theft, and lateral movement utilities. The campaign illustrates how modern Linux threats increasingly prioritize evasion, persistence, and operator control over noisy, immediately destructive behavior.
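The two host-level tells described above, an executable with no backing file on disk and a process name that does not match the binary actually mapped, can both be checked from /proc. The following scanner is an added example written for this article; it is not ShadowHS code or anything from the researchers' report, and the fake /proc tree it builds (the PIDs, paths and names) is constructed sample data so the checks can be run offline.

```python
"""Detect processes executing from memory rather than from a file on disk.

Fileless Linux loaders typically create an anonymous in-memory file with
memfd_create() and execute it via fexecve()/execveat(); the kernel then reports
/proc/<pid>/exe as "/memfd:<name> (deleted)".  A binary that was unlinked after
exec shows a real path with the same " (deleted)" suffix.  A spoofed process
name shows up as a mismatch between /proc/<pid>/comm and the executable name,
or as a "kernel thread" that nevertheless has a userspace executable.
Only /proc is read, so the checks work unprivileged for the caller's own
processes and as root for everything.
"""
from __future__ import annotations

import os
import re
import tempfile

# exe link targets that are not files present on the filesystem
ANONYMOUS_EXE = re.compile(r"^/memfd:|\(deleted\)$")
# names only real kernel threads carry; real kernel threads have no readable exe at all
KERNEL_THREAD_NAME = re.compile(r"^(kworker|ksoftirqd|kthreadd|migration|rcu_|kswapd)")


def inspect_process(pid_dir: str) -> dict | None:
    """Return a finding for one /proc/<pid> directory, or None if it looks normal."""
    try:
        exe = os.readlink(os.path.join(pid_dir, "exe"))
        with open(os.path.join(pid_dir, "comm"), encoding="utf-8", errors="replace") as fh:
            comm = fh.read().strip()
    except OSError:
        return None  # kernel thread, process already gone, or no permission

    findings = []
    if ANONYMOUS_EXE.search(exe):
        findings.append("exe not backed by a file on disk")
    if KERNEL_THREAD_NAME.match(comm):
        findings.append("kernel-thread name with a userspace executable")
    # comm is capped at 15 bytes, so a legitimate name is a prefix of the basename.
    exe_base = os.path.basename(exe.removesuffix(" (deleted)"))
    if not exe_base.startswith(comm):
        # heuristic: software that renames itself with prctl(PR_SET_NAME) also trips this
        findings.append("comm does not match executable name")

    if not findings:
        return None
    return {"pid": os.path.basename(pid_dir), "exe": exe, "comm": comm, "findings": findings}


def scan(proc_root: str = "/proc") -> list[dict]:
    """Inspect every numeric entry under proc_root and return the suspicious ones."""
    hits = []
    for entry in os.listdir(proc_root):
        if entry.isdigit():
            hit = inspect_process(os.path.join(proc_root, entry))
            if hit:
                hits.append(hit)
    return sorted(hits, key=lambda h: int(h["pid"]))


def build_sample_proc() -> str:
    """Build a constructed, fake /proc tree so the scanner can be exercised offline."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    samples = {
        "101": ("/usr/bin/sleep", "sleep"),                               # benign
        "202": ("/memfd:kworker (deleted)", "kworker/u8:1"),              # memfd payload posing as a kernel thread
        "303": ("/tmp/.x/payload (deleted)", "sshd"),                     # unlinked after exec, posing as sshd
        "404": ("/usr/lib/systemd/systemd-journald", "systemd-journal"),  # benign: comm truncated to 15 bytes
    }
    for pid, (exe, comm) in samples.items():
        pid_dir = os.path.join(root, pid)
        os.makedirs(pid_dir)
        os.symlink(exe, os.path.join(pid_dir, "exe"))  # dangling link, exactly like a memfd target
        with open(os.path.join(pid_dir, "comm"), "w", encoding="utf-8") as fh:
            fh.write(comm + "\n")
    return root


if __name__ == "__main__":
    for hit in scan(build_sample_proc()):
        print(hit["pid"], hit["comm"], hit["exe"], "->", "; ".join(hit["findings"]))
```

Run `scan()` with the default root on a real host (as root, to see every process). The comm mismatch rule is the noisiest of the three; treat it as a reason to look, while a memfd-backed exe or a "kworker" with a userspace binary is worth an immediate triage.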

Vect RaaS Emerges with Speed-Focused Encryption and Strong OPSEC

Researchers have identified Vect, a newly surfaced ransomware-as-a-service operation already linked to attacks in Brazil and South Africa. Unlike many groups that recycle leaked builders, Vect claims its malware is custom-built in C++, using ChaCha20-Poly1305 AEAD encryption together with intermittent encryption (encrypting only portions of each file) so that locking finishes quickly while files are still left unusable. Analysts note signs of unusual maturity for a young campaign, including cross-platform targeting of Windows, Linux, and VMware ESXi, execution from Safe Mode, where many endpoint security agents do not load, and a structured affiliate program. The group's operational security reportedly relies on Monero payments, Tox-based communications, and Tor-only infrastructure, suggesting experienced operators or a rebrand. Initial access is believed to involve exposed RDP/VPN services, stolen credentials, phishing, or vulnerability exploitation. Defenders are advised to harden edge devices, segment critical networks, restrict administrative pathways, and monitor for Safe Mode abuse (boot configuration changes followed by an unscheduled reboot) and for rapid, selective encryption patterns indicative of ransomware activity.
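Intermittent encryption leaves a recognisable footprint in the files it touches: stripes of near-random bytes alternating with untouched plaintext. The classifier below, an added example for this article and not code from any Vect analysis, computes per-block Shannon entropy and labels a file body as plaintext, uniformly high-entropy, or striped. The block size and entropy threshold are assumptions for triage, and the three sample files are constructed in the block itself.

```python
"""Spot intermittent (partial) encryption from a file's per-block entropy profile.

Ransomware that encrypts only a stripe of every file leaves a tell-tale
signature: blocks near 8 bits/byte of Shannon entropy alternating with blocks
of ordinary plaintext.  Fully encrypted files are uniformly high, untouched
text files uniformly low, and legitimately compressed formats (zip, jpeg, most
office documents) are high throughout, so only the alternating profile is
reported as intermittent.  Thresholds below are assumptions for triage, not
values taken from any vendor analysis.
"""
from __future__ import annotations

import math
import os
from collections import Counter

BLOCK_SIZE = 4096   # assumed granularity; tune to the stripe size you observe
HIGH_ENTROPY = 7.5  # bits/byte; random or encrypted data sits at roughly 7.9-8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def entropy_profile(data: bytes, block_size: int = BLOCK_SIZE) -> list[bool]:
    """True for every block whose entropy looks encrypted, in file order."""
    return [shannon_entropy(data[i:i + block_size]) >= HIGH_ENTROPY
            for i in range(0, len(data), block_size)]


def classify(data: bytes) -> str:
    """Label a file body as plaintext, high-entropy, intermittent-encryption, or mixed."""
    profile = entropy_profile(data)
    if not profile:
        return "empty"
    high = sum(profile)
    if high == len(profile):
        return "high-entropy"  # encrypted in full, or simply compressed
    if high == 0:
        return "plaintext"
    transitions = sum(1 for a, b in zip(profile, profile[1:]) if a != b)
    # A stripe pattern flips many times; a document with one embedded image flips about twice.
    if transitions >= 4 and 0.2 <= high / len(profile) <= 0.8:
        return "intermittent-encryption"
    return "mixed"


def build_samples() -> dict[str, bytes]:
    """Constructed sample files: plain text, fully random, and a striped version of the text."""
    text = (b"Quarterly figures attached; please review before Friday's call.\n" * 1100)[:16 * BLOCK_SIZE]
    random_blob = os.urandom(16 * BLOCK_SIZE)
    striped = b"".join(
        os.urandom(BLOCK_SIZE) if i % 2 == 0 else text[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
        for i in range(16)
    )
    return {"report.txt": text, "report.txt.random": random_blob, "report.txt.striped": striped}


if __name__ == "__main__":
    for name, body in build_samples().items():
        print(f"{name}: {classify(body)}")
```

On a live system this check is most useful when paired with a rate: a single striped file may be a legitimate container format, while hundreds of files flipping from plaintext to striped within a minute is the "rapid, selective" pattern the advice above refers to.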

Lotus Blossom Exploits Notepad++ Update Channel to Deploy Chrysalis Backdoor

Recent investigations by Kaspersky and Rapid7 uncovered a highly selective supply chain campaign in which Lotus Blossom abused the Notepad++ updater to distribute malware. Rather than exploiting a flaw in the software, the attackers compromised the delivery infrastructure and served forged update manifests, so that the malicious payload reached only carefully chosen targets. Across multiple waves between mid-2025 and October of that year, victims received NSIS-based installers launched by the legitimate updater process, GUP.exe. Analysts documented evolving infection chains involving Metasploit loaders, Cobalt Strike Beacons, Lua components, and ultimately DLL sideloading through a renamed Bitdefender binary. The final stage introduced Chrysalis, a stealthy custom backdoor featuring reflective loading, encrypted configuration storage, API hashing, and HTTPS command-and-control traffic shaped to resemble normal browser activity. The campaign's rotating domains, staged shellcode, and disciplined targeting profile align with Lotus Blossom's long-standing espionage tradecraft. The incident is a reminder that a trusted update channel is only as trustworthy as the infrastructure behind it: attackers who control the manifest do not need to touch the code.
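Two of the chain's steps are visible in ordinary process-creation telemetry: an installer started by GUP.exe, and a vendor-signed executable running under a file name that is not its own (the PE version resource still records the original name, which Sysmon exposes as OriginalFileName). The triage function below is an added example for this article, not detection content from Kaspersky or Rapid7; the events are constructed samples that only borrow Sysmon Event ID 1 field names, the file names and company strings are hypothetical, and the list of user-writable directories is an assumption.

```python
"""Triage Sysmon process-creation events (Event ID 1) for two patterns seen in
update-channel abuse: a vendor binary executing under a different file name
(the usual host for DLL sideloading) and children of the Notepad++ updater.

The events below are constructed samples; only the field names (Image,
OriginalFileName, Company, ParentImage) follow Sysmon's Event ID 1 schema, and
the file names and vendor strings are hypothetical.
"""
from __future__ import annotations

import ntpath

# Paths an unprivileged user can write to (assumed list; extend per environment).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
UPDATER = "gup.exe"  # Notepad++ updater; its children deserve provenance checks


def triage(event: dict) -> tuple[str, list[str]]:
    """Return (severity, reasons) for one process-creation event."""
    image = event.get("Image", "")
    base = ntpath.basename(image).lower()
    orig = event.get("OriginalFileName", "-").lower()  # Sysmon logs "-" when the PE carries none
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    reasons: list[str] = []
    severity = "none"

    if orig not in ("-", "?", "") and orig != base:
        # The version resource still names the original file: a renamed vendor binary.
        reasons.append(f"renamed binary: on disk as {base!r}, PE OriginalFileName is {orig!r}")
        severity = "high"
    if image.lower().startswith(USER_WRITABLE) and event.get("Company"):
        reasons.append(f"{event['Company']!r} binary running from a user-writable path")
        severity = "high" if severity == "high" else "medium"
    if parent == UPDATER:
        reasons.append("spawned by Notepad++ updater GUP.exe: confirm the installer's signature and download origin")
        severity = severity if severity != "none" else "review"
    return severity, reasons


def triage_all(events: list[dict]) -> dict[int, tuple[str, list[str]]]:
    """Map ProcessId to its triage result for a batch of events."""
    return {event["ProcessId"]: triage(event) for event in events}


# Constructed sample events (hypothetical names; not from any real incident log).
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "Company": "Microsoft Corporation", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"ProcessId": 5280, "Image": r"C:\Users\alice\AppData\Local\Temp\npp.Installer.exe",
     "OriginalFileName": "npp.Installer.exe", "Company": "Notepad++",
     "ParentImage": r"C:\Program Files\Notepad++\updater\GUP.exe"},
    {"ProcessId": 6044, "Image": r"C:\ProgramData\Update\update.exe", "OriginalFileName": "avtool.exe",
     "Company": "ExampleAV SRL", "ParentImage": r"C:\Users\alice\AppData\Local\Temp\npp.Installer.exe"},
]


if __name__ == "__main__":
    for pid, (severity, reasons) in triage_all(SAMPLE_EVENTS).items():
        print(pid, severity, *reasons, sep=" | ")
```

A legitimate Notepad++ update also lands in the queue (the installer runs from %TEMP% under GUP.exe), which is intended: the point is to verify the installer's signature and where it was downloaded from, since in this campaign the updater itself behaved exactly as designed. The renamed-binary rule is the one that fires on the sideloading host and is independent of which vendor's executable was abused.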

Attackers Weaponize Trusted AI Infrastructure for Mobile Banking Theft

The Hugging Face abuse campaign demonstrates how threat actors increasingly exploit reputable platforms to distribute Android banking trojans while lowering the odds of detection. By hosting polymorphic malware variants on a well-known AI ecosystem, attackers capitalized on the implicit trust placed in legitimate domains and content delivery channels. Victims were first deceived into installing a fake security application, which then triggered a fraudulent update workflow designed to mimic Google Play. Instead of delivering payloads directly, the malware redirected devices to Hugging Face repositories, where thousands of rapidly changing samples defeated hash-based defenses through server-side polymorphism. Once deployed, the trojan abused Android's Accessibility Services to capture credentials, intercept SMS-based two-factor authentication codes, and display convincing phishing overlays targeting financial apps such as Alipay and WeChat. The incident underscores a critical defensive challenge: traffic to trusted services may still carry malicious payloads, which is why behavioral monitoring and permission-level anomaly detection (an app requesting Accessibility and SMS access it has no business needing) matter more than hash matching here.

SystemBC Resurgence Shows Scale, Stealth, and Linux Expansion

Silent Push researchers report that SystemBC infections now exceed 10,000 unique IP addresses worldwide, despite earlier disruption efforts under Operation Endgame. The malware continues to function as a multi-platform SOCKS5 proxy, enabling attackers to anonymize traffic, conceal lateral movement, and prepare networks for follow-on operations such as ransomware. A notable development is the discovery of a previously undocumented Perl-based variant targeting Linux systems, exhibiting zero detections across major antivirus engines. Delivered via a dropper that searches for writable directories, the variant deploys multiple embedded payloads, signaling active evolution and cross-platform ambitions. Analysts also identified infections tied to infrastructure hosting government websites, highlighting risks to sensitive environments. The findings emphasize that proxy malware like SystemBC often represents an early-stage intrusion component. Monitoring anomalous outbound connections, unusual proxy behavior, and known indicators of compromise remains essential for preventing deeper compromise and operational disruption.
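The "unusual proxy behavior" worth hunting for is an internal host completing a SOCKS5 handshake with anything other than a sanctioned proxy. The parser below is an added example written for this article rather than Silent Push's detection logic, and it makes no claim about SystemBC's own wire protocol; it decodes the standard SOCKS5 exchange (client greeting, server method selection, then a CONNECT/BIND/UDP ASSOCIATE request carrying the real destination) from captured TCP payloads. The flows it is run over are constructed samples using documentation address ranges, and the set of sanctioned proxies is an assumption.

```python
"""Recognise SOCKS5 handshakes in captured TCP payloads and report the ones
that are not with a sanctioned proxy.

A SOCKS5 session opens with a client greeting (version 5, method list), a
server method selection (version 5, chosen method, 0xFF = refused), and then a
client request (CONNECT/BIND/UDP ASSOCIATE with the real destination).  Seeing
that exchange between an internal host and anything other than your known
proxies is worth investigating.  The flows below are constructed samples
using documentation address ranges.
"""
from __future__ import annotations

import socket

CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}


def parse_socks5_client(stream: bytes) -> dict | None:
    """Parse client-to-server bytes: the greeting, plus the first request if present."""
    if len(stream) < 3 or stream[0] != 0x05:
        return None
    nmethods = stream[1]
    if nmethods == 0 or len(stream) < 2 + nmethods:
        return None
    info: dict = {"methods": list(stream[2:2 + nmethods]), "request": None}
    req = stream[2 + nmethods:]
    if len(req) >= 4 and req[0] == 0x05 and req[2] == 0x00 and req[1] in CMD_NAMES:
        atyp = req[3]
        if atyp == 0x01 and len(req) >= 10:                                   # IPv4
            addr, off = ".".join(str(b) for b in req[4:8]), 8
        elif atyp == 0x03 and len(req) >= 5 and len(req) >= 7 + req[4]:       # domain name
            length = req[4]
            addr, off = req[5:5 + length].decode("ascii", "replace"), 5 + length
        elif atyp == 0x04 and len(req) >= 22:                                 # IPv6
            addr, off = socket.inet_ntop(socket.AF_INET6, bytes(req[4:20])), 20
        else:
            return info  # truncated or malformed request; the greeting alone still counts
        info["request"] = {"cmd": CMD_NAMES[req[1]], "addr": addr,
                           "port": int.from_bytes(req[off:off + 2], "big")}
    return info


def server_accepted(stream: bytes) -> bool:
    """True if server-to-client bytes begin with a SOCKS5 method selection that is not a refusal."""
    return len(stream) >= 2 and stream[0] == 0x05 and stream[1] != 0xFF


def find_rogue_socks5(flows: list[dict], sanctioned: set[tuple[str, int]]) -> list[dict]:
    """Return flows that complete a SOCKS5 handshake with a non-sanctioned endpoint."""
    rogue = []
    for flow in flows:
        client = parse_socks5_client(flow["client"])
        # Requiring the server side too avoids matching random binary data that starts with 0x05.
        if client is None or not server_accepted(flow["server"]):
            continue
        if (flow["dst"], flow["dport"]) in sanctioned:
            continue
        rogue.append({"src": flow["src"], "dst": flow["dst"], "dport": flow["dport"],
                      "request": client["request"]})
    return rogue


def build_sample_flows() -> list[dict]:
    """Constructed payloads: SOCKS5 to an outside host, SOCKS5 to the corporate proxy, and plain HTTP."""
    greeting = b"\x05\x01\x00"  # version 5, one offered method: no authentication
    connect = (b"\x05\x01\x00\x03" + bytes([len(b"example.com")]) + b"example.com"
               + (443).to_bytes(2, "big"))  # CONNECT example.com:443 via domain-name ATYP
    accept = b"\x05\x00" + b"\x05\x00\x00\x01" + bytes(4) + bytes(2)  # method 0 chosen, then success reply
    return [
        {"src": "10.0.0.5", "dst": "203.0.113.7", "dport": 8443, "client": greeting + connect, "server": accept},
        {"src": "10.0.0.5", "dst": "10.0.0.10", "dport": 1080, "client": greeting + connect, "server": accept},
        {"src": "10.0.0.5", "dst": "203.0.113.9", "dport": 80,
         "client": b"GET / HTTP/1.1\r\nHost: x\r\n\r\n", "server": b"HTTP/1.1 200 OK\r\n\r\n"},
    ]


if __name__ == "__main__":
    for hit in find_rogue_socks5(build_sample_flows(), sanctioned={("10.0.0.10", 1080)}):
        print(hit)
```

Feed it reassembled TCP payloads (the first few hundred bytes of each direction are enough) and keep the sanctioned set short; a proxy handshake toward an arbitrary external address on a non-proxy port is exactly the early-stage foothold the findings above describe, and the decoded request tells you what the operator was trying to reach through the victim.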

Screensaver Files Abused to Deploy RMM-Based Remote Access

A recent spearphishing campaign highlights how attackers are repurposing Windows screensaver (.scr) files to establish stealthy persistence through legitimate remote monitoring and management (RMM) tools. Because .scr files are ordinary Windows PE executables under a different extension, they run arbitrary code while often escaping policies written only for .exe or .msi. In the observed attacks, victims were lured via business-themed emails linking to cloud-hosted payloads disguised as invoices or documents. Once executed, the screensaver silently installed an RMM agent, giving the attacker encrypted, reboot-surviving remote control that closely resembles authorized IT activity. This living-off-the-land technique reduces reliance on overt malware and delays detection by blending into normal administration workflows. Researchers warn that such tradecraft can quickly escalate into credential theft, lateral movement, data exfiltration, or ransomware deployment. Defenders are advised to treat .scr files as untrusted executables (block or allowlist them exactly as .exe), restrict execution from user-writable directories, and tightly govern RMM usage through allowlisting of approved agents and behavioral monitoring for unapproved ones.

Conclusion

Today's threat landscape continues to expand across platforms and attack vectors, from fileless Linux malware and proxy botnets to supply chain compromises and stealthy remote access techniques. These incidents reinforce a critical reality: prevention alone is not sufficient, and organizations must invest equally in detection, response, and recovery capabilities.

As experts in ransomware recovery and cybersecurity, we provide specialized support through Ransomware Recovery Services, including our advanced ransomware decryption service, alongside Ransomware Negotiation Services and a proactive Incident Response Retainer. If your organization needs expert guidance to recover from an attack or strengthen its cyber resilience, contact us today.