
InfraShield Vendor Cyber Rating & Cyber Score

infrashield.com

InfraShield is a U.S.-based cyber-physical security company specializing in the protection of critical infrastructure systems across OT and IT environments. We design and implement tailored solutions, technologies, and strategies to defend high-value assets—such as those in energy, transportation, mining and metals, water, and government sectors—against evolving cyber threats. Built by former regulators, industry practitioners, and subject matter experts, InfraShield bridges the gap between policy and operational resilience. Our approach integrates compliance, defense-in-depth engineering, and incident response to help organizations safeguard mission-critical operations from nation-state actors, ransomware groups, and supply chain


InfraShield A.I CyberSecurity Scoring

InfraShield
Company Information
Website: https://infrashield.com/
Number of employees: 21
Number of followers: 223
NAICS: 541514
Industry type: Computer and Network Security
Homepage: infrashield.com
InfraShield Risk Score (AI oriented): between 600 and 649
InfraShield, Computer and Network Security
Updated: 08/04/2026
Score: 617/1000, rated Caa (Poor)
Rating scale: Aaa, Aa, A, Baa, Ba, B, Caa, Ca, C
Powered by our proprietary A.I cyber incident model
Insurance prefers TPRM score to calculate premium

InfraShield (Poor)
Current score: 617, Caa (Poor), on a 0 to 1000 scale
3 incidents
-115 average impact per incident
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
June 2026: 644 (before incident)
May 2026: 641 (before incident)
April 2026: 637 (before incident)
March 2026: 635 (before incident)
February 2026: 635 (before incident)
January 2026: 631 (before incident)
December 2025: 630 (before incident)
November 2025: 627 (before incident)
October 2025: 624 (before incident)
September 2025: 734 (before incident)
Ransomware
01 Sep 2025, InfraShield
Unnamed Victims: Yurei Ransomware Uses Common Tools, Adds Stranger Things References

New Yurei Ransomware Campaign Leverages Stranger Things-Themed Tools in Aggressive Extortion Attacks

Score after incident: 619
Severity: CRITICAL, impact -115
Incident ID: INF1775140237
Researchers at Team Cymru have uncovered a sophisticated extortion campaign tied to the Yurei ransomware toolkit, operated by a threat group first observed in September 2025. The attackers stand out for their use of pop-culture references, naming malicious tools after characters and themes from Stranger Things, including a PowerShell script dubbed Vecna.ps1 and the ransomware payload StrangerThings.exe. Unlike traditional ransomware groups that develop custom malware, the Yurei operators assemble modular toolkits from readily available resources, lowering the barrier to entry for cybercrime. Their attack chain begins with stolen credentials purchased from criminal marketplaces, followed by network reconnaissance using tools such as SoftPerfect NetScan and NetExec. To escalate privileges, they deploy Rubeus, a tool that exploits Windows authentication systems to gain administrator-level access. Once inside, the group maintains persistence by installing AnyDesk, a legitimate remote-desktop application often overlooked by security software. The Vecna.ps1 script then lies dormant until a user login triggers execution of StrangerThings.exe, the ransomware payload. Notably, Yurei is not an original creation but a repurposed version of Prince Ransomware, an open-source strain written in Go, which lets the attackers operate without advanced development skills. Before encrypting files, the group disables security defenses using FixingIssues2.ps1, which neutralizes Windows Defender and other protections. They also use SDelete to permanently erase evidence and delete shadow copies, eliminating recovery options for victims. Between December 2025 and January 2026, Team Cymru tracked the group's activity via NetFlow analysis, observing lateral movement through networks using tools such as PsExec.
While their public leak site currently lists only three confirmed victims, the ease of deploying these attacks has raised concerns among experts about the growing accessibility of ransomware operations. The campaign highlights how low-skill threat actors can now launch high-impact attacks with minimal effort.
Incident details
Type: Ransomware
Motivation: Extortion
Data breach: Data Encryption: Yes
August 2025: 734 (before incident)
July 2025: 750 (before incident)
June 2025: 750 (before incident)
Cyber Attack
16 Jun 2025, InfraShield
Unnamed IT Sector Organizations and React Server Components: Attackers Exploiting React2Shell Vulnerability to Attack IT Sectors

React2Shell Exploits Target Insurance, E-Commerce, and IT Sectors

Score after incident: 733
Severity: CRITICAL, impact -17
Incident ID: INFREA1769533068
React2Shell Exploits Target Insurance, E-Commerce, and IT Sectors in Rapid Cyberattacks

Threat actors are actively exploiting CVE-2025-55182 (React2Shell), a critical vulnerability in React Server Components, to compromise organizations in the insurance, e-commerce, and IT sectors. The flaw stems from insecure deserialization in the Flight protocol, enabling attackers to execute unauthorized code on vulnerable servers. Exploitation campaigns have moved swiftly, with adversaries weaponizing the vulnerability within hours of disclosure. While many critical flaws never see real-world use, React2Shell has become a prime target, delivering XMRig cryptocurrency miners, botnets, and remote access tools.

### Attack Scope and Malware Payloads
- Russian entities faced attacks deploying RustoBot and Kaiji botnets, which conduct DDoS attacks and establish persistence via systemd services, crontab tasks, and modified system utilities.
- Global campaigns distributed a broader range of malware, including:
  - CrossC2 implants (Cobalt Strike payloads with AES-128-CBC encryption)
  - Tactical RMM (remote management tool abuse)
  - VShell backdoors
  - EtherRAT (JavaScript-based malware retrieving C2 addresses from Ethereum smart contracts)

### Affected Systems and Patches
React2Shell impacts multiple React Server Component packages, including:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
(versions 19.0, 19.1.0, 19.1.1, 19.2.0)

Patches are available in versions 19.0.1, 19.1.2, and 19.2.1, but security experts warn that patching alone is insufficient. Organizations must also scan for post-exploitation activity, as attackers often deploy multiple malicious tools in a single breach.

### Infection Mechanism
1. Initial Access: Attackers exploit React2Shell to execute commands in compromised containers.
2. Malware Deployment: Bash scripts (e.g., wocaosinm.sh, setup2.sh) download architecture-specific payloads, including:
   - Kaiji botnet (DDoS attacks, persistence via systemd/crontab)
   - XMRig miner (version 6.24.0, with CPU throttling to evade detection)
3. Data Exfiltration: Attackers use DNS tunneling (nslookup) to encode and transmit stolen data via subdomain queries.
4. Persistence Techniques:
   - CrossC2 payloads disguise themselves as "Rsyslo AV Agent Service" via systemd.
   - EtherRAT employs five persistence methods, including XDG Autostart, .bashrc, and .profile modifications.

### Mitigation Recommendations
Beyond patching, organizations should:
- Verify Next.js versions and dependencies
- Rebuild projects after updates
- Check lock files to ensure vulnerable packages are removed
- Restrict experimental React Server Components in production unless fully patched

The attacks highlight the speed and sophistication of modern cyber threats, with adversaries rapidly adapting to newly disclosed vulnerabilities.
Incident details
Type: Vulnerability Exploitation
Motivation: Financial gain (cryptocurrency mining); botnet deployment; remote access
Impact:
- Data compromised: Potential data exfiltration via DNS tunneling
- Systems affected: Servers running vulnerable React Server Components (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack)
- Operational impact: DDoS attacks, unauthorized remote access, system resource consumption (cryptocurrency mining)
Data breach: Data Exfiltration: Possible via DNS tunneling (nslookup)
June 2016: 751 (before incident)
Cyber Attack
16 Jun 2016, InfraShield
Venezuela's Power Grid: New Reports Reinforce Cyberattack's Role in Maduro Capture Blackout

US Cyberattacks in Operation to Extract Venezuelan President Maduro

Score after incident: 734
Severity: CRITICAL, impact -17
Incident ID: INF1768877763
US Leveraged Cyberattacks in Operation to Extract Venezuelan President Maduro

In January, the US reportedly used cyberattacks as part of a covert operation to extract Venezuelan President Nicolás Maduro, according to The New York Times. Officials briefed on the mission, dubbed Operation Absolute Resolve, confirmed that US hackers disabled power grids and air defense radars in Caracas. President Donald Trump later hinted at the involvement of US cyber capabilities, stating that "the lights of Caracas were largely turned off due to a certain expertise that we have." While Trump did not explicitly confirm a cyberattack, experts like Robert Lee, CEO of industrial cybersecurity firm Dragos, suggested that such an operation was technically feasible, citing past incidents like the 2016–2017 Ukraine power grid attacks. Initial reports speculated that a "blackout bomb" (a graphite bomb causing short circuits) or physical sabotage may have caused the outages, as Venezuela's Energy Minister shared footage of damaged power infrastructure. However, The New York Times later reported that cyber weapons were indeed used, allowing US operatives to cut power in targeted areas, including near the military base where Maduro was captured, and restore it within minutes. Some neighborhoods experienced outages lasting up to 36 hours. The operation also involved cyberattacks to disrupt Venezuela's air defense radar systems. A recent analysis by the Royal United Services Institute (RUSI) suggested that the mission relied on a "layered effects" strategy, combining cyber tools with kinetic attacks like jamming and graphite bombs. Venezuela's deteriorating power grid, weakened by years of neglect, was identified as a key vulnerability. While cyberattacks played a role, RUSI concluded that the operation's success depended on a multi-domain approach, with kinetic methods providing more reliable results than hacking alone.
Incident details
Type: Cyberattack; State-Sponsored Operation
Motivation: Regime change / Extraction of Venezuelan President
Impact:
- Systems affected: Power grids; air defense radar systems
- Downtime: Up to 36 hours in some neighborhoods
- Operational impact: Disruption of military and civilian infrastructure

Frequently Asked Questions

- What is the current A.I Rankiteo Cyber Score for InfraShield?
- What was InfraShield's A.I Rankiteo Cyber Score in May 2026?
- What was InfraShield's A.I Rankiteo Cyber Score in April 2026?
- What was InfraShield's A.I Rankiteo Cyber Score in March 2026?
- What was InfraShield's A.I Rankiteo Cyber Score in February 2026?
- What was InfraShield's A.I Rankiteo Cyber Score in January 2026?
- What was InfraShield's A.I Rankiteo Cyber Score in December 2025?
- What was InfraShield's A.I Rankiteo Cyber Score in November 2025?
- What was InfraShield's A.I Rankiteo Cyber Score in October 2025?
- What was InfraShield's A.I Rankiteo Cyber Score in September 2025?
- What was InfraShield's A.I Rankiteo Cyber Score in August 2025?
- What was InfraShield's A.I Rankiteo Cyber Score in July 2025?
- What is the average per-incident point impact on InfraShield's A.I Rankiteo Cyber Score over the past 12 months?
- Where can I access detailed records of all cyber incidents associated with InfraShield?
- Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
- Where can I view InfraShield's profile page on Rankiteo?
- How accurate is the A.I Rankiteo Risk Scoring methodology?