A China-linked threat actor, TA4922, has expanded its phishing campaigns beyond its previous targets to now include organisations in the UK, Germany, Italy, and South Africa. The group is deploying known malware families including ValleyRAT and Atlas RAT, with a rapidly evolving toolkit suggesting well-resourced, sustained operations. This represents a significant escalation in geographic scope and poses a direct threat to European enterprises.

Architect’s Take: Review and tighten email gateway controls to block phishing lures associated with TA4922, and ensure endpoint detection rules cover ValleyRAT (Winos 4.0) and Atlas RAT indicators. Consider hunting for lateral movement or C2 beaconing patterns consistent with these RAT families across cloud-hosted workloads and on-premises infrastructure.

Original advisory: China-Linked TA4922 Expands Phishing Attacks to U.K., Germany, Italy, and South Africa

Attackers have built convincing fake websites impersonating popular open-source and freeware tools, engineering them to rank highly in Google search results. Visitors are silently routed through a Traffic Distribution System (TDS) that profiles them before delivering tailored malware, including credential stealers and session hijacking frameworks. The campaign is notable for its scale and the quality of the spoofed sites, making it easy for developers and engineers to be deceived.

Architect’s Take: Enforce approved software procurement channels and block unapproved download sources at the network or endpoint level. Mandate that developers and engineers source open-source tooling exclusively from verified repositories such as official GitHub pages or package managers, and consider deploying DNS filtering to flag newly registered or lookalike domains.

Original advisory: Fake Sites Mimicking Open-Source Tools Rank High on Google to Deliver Malware via TDS

Attackers have created convincing fake websites impersonating popular open-source tools, optimising them to rank highly on Google search results. Visitors are silently routed through a Traffic Distribution System (TDS) that delivers malware including credential stealers and session hijacking frameworks. This is a supply chain-adjacent threat targeting developers and technical users who search for and download software directly from the web.

Architect’s Take: Enforce organisational policies requiring software to be sourced only from verified package managers (npm, PyPI, etc.) or official repositories, and block direct binary downloads from unvetted sites via web proxy or CASB controls. Consider adding developer workstations to your threat model and ensure EDR coverage extends to engineering endpoints.

Original advisory: Fake Sites Mimicking Open-Source Tools Rank High on Google to Deliver Malware via TDS

A one-click attack targeting Microsoft VS Code’s GitHub.dev feature allows an attacker to steal a victim’s GitHub OAuth token simply by tricking them into clicking a crafted link. The stolen token grants read and write access to all repositories the victim can access, including private ones. This poses a significant supply chain risk, as compromised tokens could be used to inject malicious code into codebases.

Architect’s Take: Enforce short-lived, scoped OAuth tokens across your organisation and audit any GitHub Apps or integrations permitted in VS Code. Consider restricting or monitoring use of GitHub.dev in your developer environment policy, and enable GitHub token scanning and push protection to limit the blast radius of any token compromise.

Original advisory: One-Click GitHub Dev Attack Lets Attackers Steal Full GitHub OAuth Tokens

An unpatched vulnerability in Windows’ ‘search:’ URI handler can be exploited to leak a user’s NTLMv2 credential hash to an attacker, similar to a recently disclosed flaw in the Windows Snipping Tool (CVE-2026-33829). NTLMv2 hashes can be cracked offline or used in relay attacks to authenticate as the victim. The vulnerability remains unpatched, making it an active risk for any Windows environment, including cloud-connected hybrid setups.

Architect’s Take: Block or restrict outbound SMB traffic (TCP 445) at the network perimeter and enforce NTLM restrictions via Group Policy or Azure AD Conditional Access to reduce relay attack exposure. Additionally, consider deploying Defender for Endpoint or equivalent EDR rules to flag suspicious search: URI handler invocations until a patch is available.

Original advisory: Unpatched Windows Search URI Vulnerability Lets Attackers Steal NTLMv2 Hashes

A malware-as-a-service campaign dubbed Weedhack has been targeting Minecraft players since January 2026, distributing malicious software disguised as game clients and mods via YouTube. The operation has already compromised approximately 86,000 systems and includes components such as CountLoader and cryptocurrency miners. The campaign highlights how gaming communities remain a significant vector for delivering credential-stealing and system-control malware at scale.

Architect’s Take: If your organisation permits personal devices or BYOD access to cloud workloads, ensure endpoint detection controls can identify MaaS-delivered loaders such as CountLoader, and audit whether compromised personal credentials could pivot into corporate cloud environments via SSO or reused passwords.

Original advisory: Weedhack Attacks Minecraft Users, CountLoader Hits 86K, Miners Spread via Pirated Content