The threat actor, identified as the Brazilian cybercrime group Augmented Marauder and Water Saci, employs a unique delivery mechanism involving WhatsApp, ClickFix techniques, and email-based phishing.
Attacks involving the .NET-based Phantom Stealer, which has been bundled with a crypter and a remote access tool under the Phantom Project cybercrime kit, targeted manufacturing, technology, and logistics organizations in Europe in a multi-wave phishing operation between November 2025 and January 2026, reports Infosecurity Magazine.
Windows environments are at risk of significant compromise with the new, advanced CrySome remote access trojan, which integrates antivirus-killing and hidden virtual desktop control capabilities with post-exploitation tooling, GBHackers News reports.
Enterprise business IT environments have been targeted by the DeepLoad credential-stealing malware campaign, which stayed stealthy through AI abuse and ClickFix attack techniques, according to CyberScoop.