Threat Actors Use Infostealers to Turn Legitimate Businesses into Malware Hosts
This article details a sophisticated cybercrime operation, detected in early January 2026, in which infostealer malware infects legitimate businesses and turns their infrastructure into hosts for further malware distribution, creating a self-perpetuating cycle of compromise.
Overview of the Infostealer Feedback Loop
Cybercriminals deploy infostealer malware to harvest credentials from infected machines. These stolen credentials grant access to legitimate business environments, particularly those with public-facing web servers. Once inside, attackers upload secondary malware payloads, such as loaders or ransomware, transforming the compromised servers into distribution points for broader attacks. This loop amplifies the malware’s reach, as newly infected systems yield more credentials, fueling exponential growth.
Technical Mechanics of the Attack Chain
The initial vector often involves phishing emails or malvertising delivering infostealers like RedLine or Vidar. These tools extract browser-stored credentials, cookies, and API keys. Attackers prioritize RDP and SSH credentials for server access. Upon login, they exploit weak access controls to deploy web shells—PHP or ASPX scripts disguised as legitimate files. For instance, a web shell might be named “config.php.bak” to evade detection. The shell facilitates command execution, file uploads, and malware persistence via cron jobs or scheduled tasks.
Impact on Legitimate Businesses
Compromised businesses unwittingly host malware, facing reputational damage, legal liabilities, and operational disruptions. Attackers leverage high-uptime servers for command-and-control (C2) communications or drive-by downloads. Detection lags due to legitimate traffic masking malicious activity, with dwell times exceeding 90 days in many cases. Sectors like e-commerce and hosting providers are prime targets due to their internet exposure.
Mitigation Strategies and Detection Techniques
Organizations should implement credential hygiene, enforcing multi-factor authentication (MFA) and just-in-time access. Endpoint detection and response (EDR) tools tuned for infostealer behaviors—such as unusual data exfiltration to known C2 domains—prove effective. Server-side, web application firewalls (WAFs) with anomaly detection block web shell uploads. Regular credential rotation and anomaly-based network monitoring disrupt the feedback loop. Behavioral analytics identifying anomalous logins from infostealer IP clusters provide early warnings.
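The web-shell disguise described above (a PHP file renamed “config.php.bak”) is something a defender can hunt for on the server side. The following is an added example, not code from the article or from any vendor: it walks a web root and flags files that hide a script extension inside their name or that carry a PHP open tag together with a command-execution primitive. The sample tree it builds is constructed for the dry run and is not taken from any real incident.

```python
import os
import re
import tempfile

# Double-extension trick from the article: "config.php.bak" still carries an executable extension mid-name.
HIDDEN_SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|aspx?|jsp)\.", re.IGNORECASE)
# A PHP open tag plus a command-execution or code-eval primitive is the signature of a shell body.
PHP_OPEN = re.compile(rb"<\?php|<\?=")
DANGEROUS = re.compile(rb"\b(eval|system|shell_exec|passthru|exec|popen|proc_open)\s*\(")

def classify(path):
    """Return the reasons a file looks like a disguised web shell (empty if clean)."""
    reasons = []
    if HIDDEN_SCRIPT_EXT.search(os.path.basename(path)):
        reasons.append("double-extension")
    try:
        with open(path, "rb") as fh:
            body = fh.read(65536)  # the first 64 KiB is enough to spot a shell
    except OSError:
        return reasons
    if PHP_OPEN.search(body) and DANGEROUS.search(body):
        reasons.append("php-exec-body")
    return reasons

def hunt(webroot):
    """Walk the web root and map each suspicious relative path to its reasons."""
    hits = {}
    for dirpath, _, files in os.walk(webroot):
        for fn in files:
            full = os.path.join(dirpath, fn)
            reasons = classify(full)
            if reasons:
                hits[os.path.relpath(full, webroot)] = reasons
    return hits

def build_sample_webroot():
    """Constructed sample tree (not data from any real incident) for a dry run."""
    root = tempfile.mkdtemp(prefix="webroot-")
    samples = {
        "index.php": b"<?php echo 'hello'; ?>",
        "uploads/config.php.bak": b"<?php system($_POST['c']); ?>",
        "uploads/photo.jpg": b"\xff\xd8\xff" + b"<?php eval($_GET['c']); ?>",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return root
```

Run `hunt("/var/www/html")` against a real web root; the legitimate `index.php` in the sample is left alone because it contains no execution primitive.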
Telegram Account Compromise Used by Handala Hackers Against Israeli Officials
In December 2025, the Iranian-linked Handala hacking group compromised Telegram accounts of high-profile Israeli officials, including former Prime Minister Naftali Bennett, using advanced social engineering and session hijacking techniques to extract sensitive communications.
Attack Vector and Initial Access
Handala operatives targeted Telegram’s session management flaws. They initiated contact via impersonation on LinkedIn or email, posing as journalists or aides. Victims received malicious links leading to fake Telegram login pages that captured one-time passwords (OTPs) and session cookies. Alternatively, they exploited Telegram’s QR code login by tricking users into scanning compromised codes, granting persistent access without further authentication.
Post-Exploitation and Data Exfiltration
With account control, attackers accessed private chats, groups, and channels containing policy discussions and intelligence. They scraped message histories using Telegram’s API endpoints, exporting JSON-formatted data. Voice notes underwent speech-to-text conversion for keyword extraction on topics like military operations. Cloud backups synced to attackers’ infrastructure enabled offline analysis. Persistence relied on multiple device registrations to survive logouts.
Geopolitical Context and Attribution
Handala, tracked since mid-2024, focuses on Israeli targets with pro-Palestinian messaging. Tactics mirror state-sponsored groups like APT42, including supply chain compromises. Leaked data dumps on Telegram channels amplified propaganda efforts. Israeli defenses, including Unit 8200 monitoring, confirmed the breaches but limited public disclosure.
Defensive Measures for Secure Messaging
Users must verify contacts via voice calls and enable two-step verification with app-specific passwords. Avoid QR logins on untrusted devices, and use Telegram’s active sessions list to revoke unknown sessions. Enterprise deployments benefit from API rate limiting and device binding. Forensic review uses Telegram’s export tools to look for anomalies in chat metadata.
RondoDoX Botnet Actively Weaponizes Critical React2Shell Flaw for Malware Deployment
CloudSEK researchers identified a nine-month campaign in which the RondoDoX botnet exploited a critical React2Shell vulnerability in web applications and IoT devices, deploying loaders for ransomware and cryptominers as of early January 2026.
Vulnerability Analysis
React2Shell, a React-based remote access shell, suffers from CVE-2025-XXXX (CVSS 9.8), an unauthenticated command injection flaw. Attackers send crafted HTTP requests to /api/execute, injecting OS commands via unsanitized user inputs. In Node.js backends, this executes arbitrary shell commands, enabling reverse shell spawns or file writes.
Botnet Infrastructure and Propagation
RondoDoX, a Rust-based botnet, scans Shodan for exposed React2Shell instances using banners like “React2Shell v1.x”. Infection begins with payload delivery: a Go-based loader fetches secondary modules from C2 servers hosted on bulletproof providers. IoT targets, such as misconfigured routers, join the botnet via MIPS/ARM binaries. Propagation uses infected devices for horizontal scanning, achieving rapid expansion.
Payload Ecosystem
Deployed malware includes XMRig cryptominers configured for Monero pools and Cobalt Strike beacons for ransomware-as-a-service (RaaS). Packers like Themida obfuscate payloads, evading signature-based antivirus. C2 communication employs domain generation algorithms (DGAs) with Fluxety for resilience.
Remediation and Hunting Indicators
Patch React2Shell to v2.1 or later, which enforces authentication. Network defenders hunt for IOCs: the user-agent “RondoDoX/1.0”, URLs such as “/shell?cmd=id”, and callbacks to domains like rondodox[.]xyz. YARA rules detect loader artifacts, while EDR monitors for process hollowing in exploited processes.
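The hunting indicators listed above can be turned into a small log sweep. This is an added example, not CloudSEK’s tooling or the article’s own code: it checks Apache/nginx combined-format access-log lines for the RondoDoX user-agent, the “/shell?cmd=” URL and shell metacharacters sent to the /api/execute endpoint described in the vulnerability section, and checks proxy or DNS style lines for callbacks to rondodox[.]xyz. The sample lines are constructed with documentation addresses; the outbound-log layout (last field is the destination host) is an assumption.

```python
import re
# Indicators quoted in the CloudSEK write-up summarised above.
IOC_USER_AGENT = "RondoDoX/1.0"
IOC_PATH_PREFIX = "/shell?cmd="
IOC_DOMAIN = "rondodox.xyz"  # defanged as rondodox[.]xyz in the report
# Generic sign of injection against /api/execute (vulnerability section): shell metacharacters in the query.
INJECTION_PATH = re.compile(r"^/api/execute\?.*[;|&`$]", re.IGNORECASE)
# Apache/nginx "combined" access-log format; only the request path and user-agent are captured.
COMBINED = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def check_access_line(line):
    """Return the indicator names matched by one access-log line."""
    m = COMBINED.match(line)
    if not m:
        return ["unparsed"]  # worth a look: log tampering or a format change
    reasons = []
    if IOC_USER_AGENT in m.group("ua"):
        reasons.append("ua:RondoDoX")
    path = m.group("path")
    if path.startswith(IOC_PATH_PREFIX):
        reasons.append("path:/shell?cmd=")
    if INJECTION_PATH.match(path):
        reasons.append("path:/api/execute-injection")
    return reasons

def check_outbound_line(line):
    host = line.split()[-1].lower().rstrip(".")  # assumed layout: destination host is the last field
    if host == IOC_DOMAIN or host.endswith("." + IOC_DOMAIN):
        return ["callback:" + IOC_DOMAIN]
    return []

def hunt(access_lines, outbound_lines):
    hits = {}
    for src, lines, check in (("access", access_lines, check_access_line),
                              ("outbound", outbound_lines, check_outbound_line)):
        for n, line in enumerate(lines, 1):
            r = check(line)
            if r:
                hits[(src, n)] = r
    return hits

# Constructed sample lines (documentation addresses, not real traffic).
ACCESS_SAMPLE = [
    '203.0.113.7 - - [06/Jan/2026:10:01:02 +0000] "GET /shell?cmd=id HTTP/1.1" 200 14 "-" "RondoDoX/1.0"',
    '198.51.100.4 - - [06/Jan/2026:10:01:09 +0000] "POST /api/execute?cmd=id;uname HTTP/1.1" 500 0 "-" "curl/8.4.0"',
    '192.0.2.10 - - [06/Jan/2026:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
OUTBOUND_SAMPLE = ["2026-01-06T10:01:15Z proxy CONNECT 203.0.113.7 -> update.rondodox.xyz",
                   "2026-01-06T10:03:00Z proxy CONNECT 10.0.0.5 -> www.example.com"]
```

Feed `hunt()` the lines of a real access log and proxy log; the returned keys are (source, line number) so findings can be pulled straight back out of the original files.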
Hackers Abuse Google Tasks Notifications in Sophisticated Phishing Attacks
A December 2025 phishing campaign compromised over 3,000 organizations by abusing Google Tasks notifications, bypassing email filters through legitimate Google infrastructure to deliver credential harvesters.
Campaign Mechanics
Attackers phish Google Workspace admins for service account keys, granting Tasks API access. They create tasks with malicious “notes” containing phishing links or JavaScript droppers. Notifications appear as legitimate push alerts in Gmail or mobile apps, urging “task completion” with high-priority flags.
Bypassing Security Controls
DMARC, SPF and DKIM checks pass because the notifications originate from Google’s own domains. Links resolve to Google Apps Script URLs hosting obfuscated payloads that steal session tokens via overlay attacks. Victims enter credentials into fake OAuth prompts, enabling account takeovers. Mobile exploitation leverages intent URLs for deep links.
Target Profiling and Scale
SMBs in finance and healthcare dominated the target list, selected from breached directories. Automation scaled via headless browsers simulating task interactions. Success rates exceeded 20% due to the urgency conveyed by the notifications.
Protection Layers
Enable Google Workspace’s context-aware access and API logging. Train users on notification spoofing; deploy URL scanners for Apps Script domains. Conditional access policies block logins from anomalous geos. SIEM rules alert on mass task creations from service accounts.
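The last protection layer above, alerting on mass task creation from service accounts, can be expressed as a sliding-window rule. The following is an added example, not Google’s tooling or the article’s own code: it assumes audit events already flattened to `{"ts", "actor", "event", "notes"}` records, treats any actor ending in `.iam.gserviceaccount.com` as a service account, and additionally flags task notes that carry an Apps Script link (the `script.google.com` host is an assumption, as is the threshold of 20 creations in five minutes). The events it builds are constructed, not real Workspace log data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions (not from the article): a Workspace audit export flattened to
# {"ts", "actor", "event", "notes"} and Apps Script links living on script.google.com.
SERVICE_ACCOUNT_SUFFIX = ".iam.gserviceaccount.com"
APPS_SCRIPT_URL = re.compile(r"https?://script\.google\.com/\S+", re.IGNORECASE)
WINDOW = timedelta(minutes=5)
THRESHOLD = 20  # constructed tuning value; derive yours from a normal-traffic baseline

def is_service_account(actor):
    return actor.lower().endswith(SERVICE_ACCOUNT_SUFFIX)

def detect(events):
    """Return alerts: ("mass-create", actor, count) and ("apps-script-link", actor, url)."""
    alerts = []
    recent = defaultdict(deque)  # actor -> creation timestamps inside the sliding window
    fired = set()                # alert once per actor, not once per extra event
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "task.create":
            continue
        actor = ev["actor"]
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        # A task whose notes carry an Apps Script link is suspicious whoever created it.
        for url in APPS_SCRIPT_URL.findall(ev.get("notes", "")):
            alerts.append(("apps-script-link", actor, url))
        if not is_service_account(actor):
            continue
        window = recent[actor]
        window.append(ts)
        while ts - window[0] > WINDOW:
            window.popleft()
        if len(window) >= THRESHOLD and actor not in fired:
            fired.add(actor)
            alerts.append(("mass-create", actor, len(window)))
    return alerts

def build_sample_events():
    """Constructed audit events (not real Workspace log data)."""
    base = datetime(2025, 12, 3, 9, 0, 0)
    svc = "tasks-sync@example-proj.iam.gserviceaccount.com"
    lure = "Action required: https://script.google.com/macros/s/EXAMPLE_ID/exec"
    events = [{"ts": (base + timedelta(seconds=10 * i)).isoformat() + "Z", "actor": svc,
               "event": "task.create", "notes": lure if i == 0 else "sync item"}
              for i in range(25)]  # 25 creations in about four minutes: above THRESHOLD
    events.append({"ts": (base + timedelta(minutes=1)).isoformat() + "Z",
                   "actor": "alice@example.com", "event": "task.create", "notes": "Buy milk"})
    return events
```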