Cyber: ThreatsDay Bulletin: Codespaces RCE, AsyncRAT C2, BYOVD Abuse, AI...
This week didn’t produce one big headline. It produced many small signals — the kind that quietly shape what attacks will look like next.
Researchers tracked intrusions that start in ordinary places: developer workflows, remote tools, cloud access, identity paths, and even routine user actions. Nothing looked dramatic on the surface. That’s the point. Entry is becoming less visible while impact scales later.
Several findings also show how attackers are industrializing their work — shared infrastructure, repeatable playbooks, rented access, and affiliate-style ecosystems. Operations are no longer isolated campaigns. They run more like services.
This edition pulls those fragments together — short, precise updates that show where techniques are maturing, where exposure is widening, and what patterns are forming behind the noise.
In a sign that it has moved beyond government targets, the Pakistan-aligned APT36 (also tracked as Transparent Tribe) has been observed targeting India's startup ecosystem, using ISO files and malicious LNK shortcuts with startup-themed lures to deliver Crimson RAT, enabling comprehensive surveillance, data exfiltration, and system reconnaissance. The initial access vector is a spear-phishing email carrying an ISO image. Once mounted, the ISO presents a malicious shortcut file and a folder holding three files: a decoy document, a batch script that acts as the persistence mechanism, and the final Crimson RAT payload, disguised as an executable named Excel. "Despite this expansion, the campaign remains closely aligned with Transparent Tribe's historical focus on Indian government and defense-adjacent intelligence collection, with overlap suggesting that startup-linked individuals may be targeted for their proximity to government, law enforcement, or security operations," Acronis said.
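The chain described above (mounted ISO, LNK shortcut, batch script, payload named Excel) leaves a recognisable shape in endpoint telemetry. What follows is an added example, not code from Acronis or The Hacker News: it runs two heuristics over constructed process-creation records that use Sysmon Event ID 1 field names, then correlates hits by parent PID. The folder and file names in the sample records are invented for illustration, not indicators from the campaign.

```python
"""Detect the ISO -> LNK -> batch -> fake "Excel" chain in process telemetry.

Added example (not Acronis' or THN's code). Two signals are checked on
constructed Sysmon-style process-creation records:
  * an executable named like an Office binary running outside the Office
    install directories (payload masquerading as Excel), and
  * cmd.exe launched by explorer.exe to run a .bat from a drive that is not
    the system drive (what a user double-clicking an LNK inside a mounted
    ISO looks like, since the ISO mounts as a new volume).
A masquerading binary whose parent is a flagged cmd.exe is reported as the
full chain.
"""
import re

OFFICE_NAMES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Both Click-to-Run and MSI installs live under these roots (assumption:
# default install locations; adjust for non-standard deployments).
OFFICE_DIRS = (
    "c:\\program files\\microsoft office\\",
    "c:\\program files (x86)\\microsoft office\\",
)
SYSTEM_DRIVE = "c:"
BAT_PATH = re.compile(r'([a-zA-Z]:\\[^"\s]+?\.bat)', re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _drive(path):
    m = re.match(r"([a-zA-Z]:)\\", path)
    return m.group(1).lower() if m else None


def office_masquerade(ev):
    """True if Image is named like an Office binary but lives elsewhere."""
    image = ev["Image"].lower()
    if _basename(image) not in OFFICE_NAMES:
        return False
    return not image.startswith(OFFICE_DIRS)


def batch_from_mounted_iso(ev):
    """True if explorer.exe spawned cmd.exe to run a .bat off a non-system drive."""
    if _basename(ev["Image"]) != "cmd.exe":
        return False
    if _basename(ev["ParentImage"]) != "explorer.exe":
        return False
    m = BAT_PATH.search(ev["CommandLine"])
    return bool(m) and _drive(m.group(1)) != SYSTEM_DRIVE


def detect(events):
    """Return one alert per suspicious event, in input order. A masquerading
    binary is linked to its parent when that parent was itself flagged."""
    iso_cmd_pids = {ev["ProcessId"] for ev in events if batch_from_mounted_iso(ev)}
    alerts = []
    for ev in events:
        reasons = []
        if ev["ProcessId"] in iso_cmd_pids:
            reasons.append("explorer.exe -> cmd.exe running .bat from non-system drive")
        if office_masquerade(ev):
            reasons.append("Office-named binary outside the Office install directory")
            if ev["ParentProcessId"] in iso_cmd_pids:
                reasons.append("spawned by flagged cmd.exe (ISO -> batch -> payload chain)")
        if reasons:
            alerts.append({"ProcessId": ev["ProcessId"], "Image": ev["Image"], "reasons": reasons})
    return alerts


# Constructed sample telemetry (not real events). Two benign launches, then
# the malicious chain: explorer.exe runs cmd.exe on a .bat from the mounted
# ISO (E:), which in turn starts a payload named Excel.exe from the ISO.
SAMPLE_EVENTS = [
    {"ProcessId": 4100, "ParentProcessId": 3000,
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "CommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE\" C:\\Users\\a\\budget.xlsx"},
    {"ProcessId": 4200, "ParentProcessId": 3000,
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c C:\\tools\\build.bat"},
    {"ProcessId": 4300, "ParentProcessId": 3000,
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "\"C:\\Windows\\System32\\cmd.exe\" /c \"E:\\Startup_Funding\\setup.bat\""},
    {"ProcessId": 4301, "ParentProcessId": 4300,
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "E:\\Startup_Funding\\Excel.exe",
     "CommandLine": "E:\\Startup_Funding\\Excel.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["ProcessId"], alert["Image"], "|", "; ".join(alert["reasons"]))
```

The drive-letter check carries most of the weight: a mounted ISO shows up as a new volume, so a batch file run from anywhere but the system drive, with explorer.exe as the parent, is a cheap signal that survives renaming of the payload. Expect noise from portable tools on USB media and tune OFFICE_DIRS to where Office is actually installed in the estate.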
The threat activity cluster known as ShadowSyndicate has been linked to two additional SSH markers that connect dozens of servers to the same cybercrime operator. These hosts are used for a wide range of malicious activities by various threat clusters linked to Cl0p, BlackCat, Ryuk, Malsmoke, and Black Basta. A notable finding is that the threat actor tends to transfer servers between its SSH clusters. ShadowSyndicate continues to be associated with toolkits including Cobalt Strike, Metasploit, Havoc, Mythic, Sliver, AsyncRAT, MeshAgent, and Brute Ratel. "The threat actor tends to reuse previously employed infrastructure, sometimes rotating
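Linking servers through SSH markers, as described above, comes down to comparing host-key fingerprints across scan results and watching them change over time. The following is an added example, not code from the researchers behind the ShadowSyndicate finding or from The Hacker News: it computes OpenSSH-style SHA256 fingerprints from wire-format ssh-ed25519 key blobs, clusters IPs by fingerprint, and lists hosts that moved from one key to another. The key material, dates and IP addresses are constructed (documentation ranges), standing in for what a tool such as ssh-keyscan would collect.

```python
"""Cluster servers by SSH host-key fingerprint and spot hosts that moved
between clusters. Added example, not the researchers' or THN's code.

A fingerprint here is what `ssh-keygen -lf` prints: "SHA256:" followed by the
unpadded base64 of SHA-256 over the wire-format public key blob. Operators
who clone a server image or reuse a template ship the same host key to many
boxes, which is what the fingerprint match exposes.
"""
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_string(b):
    """RFC 4251 string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ed25519_blob(pub32):
    """Wire-format ssh-ed25519 public key blob for 32 bytes of public key."""
    if len(pub32) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(pub32)


def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a public key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Constructed key material: three distinct "host keys". The byte patterns are
# placeholders, not real keys; only their distinctness matters here.
KEY_A = ed25519_blob(bytes(range(32)))
KEY_B = ed25519_blob(bytes(range(32, 64)))
KEY_C = ed25519_blob(bytes(range(64, 96)))

# Constructed scan records: (date, ip, host key blob), as a scanner would
# record them on successive sweeps. One host changes key between sweeps.
SCANS = [
    ("2025-01-10", "192.0.2.10", KEY_A),
    ("2025-01-10", "192.0.2.11", KEY_A),
    ("2025-01-10", "198.51.100.5", KEY_B),
    ("2025-01-10", "203.0.113.7", KEY_C),
    ("2025-03-02", "192.0.2.10", KEY_A),
    ("2025-03-02", "198.51.100.5", KEY_A),   # moved from cluster B to cluster A
    ("2025-03-02", "198.51.100.9", KEY_B),
]


def cluster(scans):
    """Map fingerprint -> sorted IPs ever seen presenting that host key."""
    groups = defaultdict(set)
    for _, ip, blob in scans:
        groups[fingerprint(blob)].add(ip)
    return {fp: sorted(ips) for fp, ips in groups.items()}


def shared_key_clusters(scans, min_hosts=2):
    """Fingerprints seen on at least min_hosts distinct IPs: the SSH markers
    worth pivoting on, since a key unique to one host links nothing."""
    return {fp: ips for fp, ips in cluster(scans).items() if len(ips) >= min_hosts}


def transfers(scans):
    """IPs that presented more than one host key over time, with the ordered
    (date, fingerprint) changes: a server moving between SSH clusters."""
    history = defaultdict(list)
    for date, ip, blob in sorted(scans):
        fp = fingerprint(blob)
        if not history[ip] or history[ip][-1][1] != fp:
            history[ip].append((date, fp))
    return {ip: h for ip, h in history.items() if len(h) > 1}


if __name__ == "__main__":
    for fp, ips in shared_key_clusters(SCANS).items():
        print(fp, ips)
    for ip, hist in transfers(SCANS).items():
        print(ip, "->", hist)
```

In practice the fingerprint is the pivot, not the IP: IPs in a cluster churn, and a host that changes key is either re-imaged or handed to a different cluster of the same operator, which is the transfer behaviour the paragraph notes. Confirm any cluster with a second marker (TLS certificate, banner, hosting provider) before treating it as one actor, since shared default keys on a cheap VPS image can produce the same pattern without a shared operator.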
Source: The Hacker News