
F5 Labs

Weekly Threat Bulletin – January 21st, 2026

2026-01-21

ATT&CK techniques detected

19 predictions
T1555.003 Credentials from Web Browsers · 98%
“of malvertising, phishing, and downloading cracked software, and teaches them not to save passwords in web browsers. - Implement a corporate-approved password manager and create a policy requiring its use to discourage saving passwords in browsers and promote strong, unique pas…”

T1055.012 Process Hollowing · 97%
“code and CI/CD pipelines. Threat details and IOCs. Mitigation advice: - Scan all developer workstations for the Visual Studio Code extensions named 'Bitcoin Black' and 'Codo AI'. If found, isolate the affected machines and uninstall the extensions immediately. - Use your endp…”

T1176.001 Browser Extensions · 93%
“in Right Click" (522,398 installs), "Translate Selected Text with Google" (159,645 installs), and "Ads Block Ultimate" (48,078 installs), among others. Threat details and IOCs. Mitigation advice: - Audit all company workstations to identify and immediately remove the …”

T1055.001 Dynamic-link Library Injection · 93%
“and injecting it into the legitimate process to evade detection. Once active, Evelyn Stealer performs extensive environment checks, including virtual machine and debugger detection, before establishing a working directory in AppData. It focuses on browser-centric data theft and…”

T1176.001 Browser Extensions · 92%
“Detailed by browser security platform LayerX, these extensions hid malicious JavaScript code within their logo images, monitoring browser activity, hijacking affiliate links on e-commerce platforms, and injecting invisible iframes for ad and click fraud. The code fetched a heav…”

T1059.001 PowerShell · 88%
“Weekly Threat Bulletin – January 21st, 2026. Evelyn Stealer Abuses Visual Studio Code Extensions in Multistage Attacks. A sophisticated multistage malware campaign, dubbed "Evelyn Stealer," is exploiting the Visual Studio Code (VSC) extension ecosystem to compromise software de…”

T1190 Exploit Public-Facing Application · 86%
“…ositories, build servers, and cloud infrastructure. - Enable advanced PowerShell logging capabilities, including script block logging and module logging, across all workstations and servers, and ensure these logs are forwarded to a centralized SIEM for analysis and retention. -…”

T1176 Software Extensions · 74%
“- Contact your cloud service providers to inquire about their patching and mitigation status for the StackWarp vulnerability (CVE-2025-29943) on their AMD-based instances. Compliance best practices: - Incorporate the AMD microcode and AGESA firmware updates for CVE-2025…”

T1555.003 Credentials from Web Browsers · 73%
“paths, and behavioral analysis of processes exhibiting initial minimal data uploads followed by aggressive harvesting or suspicious child process creation. Associated MITRE ATT&CK techniques include T1071.001, T1555, and T1140. Effective mitigation strategies involve implement…”

T1176.001 Browser Extensions · 66%
“Create detection rules for anomalous browser process behavior, such as a browser extension reading and executing code hidden within image files. - Establish a continuous security awareness training program that specifically educates employees on the risks of browser extensions, h…”

T1176 Software Extensions · 61%
“in Right Click" (522,398 installs), "Translate Selected Text with Google" (159,645 installs), and "Ads Block Ultimate" (48,078 installs), among others. Threat details and IOCs. Mitigation advice: - Audit all company workstations to identify and immediately remove the …”

T1176 Software Extensions · 60%
“Detailed by browser security platform LayerX, these extensions hid malicious JavaScript code within their logo images, monitoring browser activity, hijacking affiliate links on e-commerce platforms, and injecting invisible iframes for ad and click fraud. The code fetched a heav…”

T1176.001 Browser Extensions · 58%
“- Contact your cloud service providers to inquire about their patching and mitigation status for the StackWarp vulnerability (CVE-2025-29943) on their AMD-based instances. Compliance best practices: - Incorporate the AMD microcode and AGESA firmware updates for CVE-2025…”

T1055.001 Dynamic-link Library Injection · 58%
“Weekly Threat Bulletin – January 21st, 2026. Evelyn Stealer Abuses Visual Studio Code Extensions in Multistage Attacks. A sophisticated multistage malware campaign, dubbed "Evelyn Stealer," is exploiting the Visual Studio Code (VSC) extension ecosystem to compromise software de…”

T1555.003 Credentials from Web Browsers · 54%
“and injecting it into the legitimate process to evade detection. Once active, Evelyn Stealer performs extensive environment checks, including virtual machine and debugger detection, before establishing a working directory in AppData. It focuses on browser-centric data theft and…”

T1204.002 Malicious File · 46%
“` has been executed, making the `storage/app/public` directory publicly accessible, the uploaded malicious file can then be executed via its URL under `/storage`. This allows for arbitrary code execution on the server with the web server's privileges, potentially leadi…”

T1176.002 IDE Extensions · 44%
“- Contact your cloud service providers to inquire about their patching and mitigation status for the StackWarp vulnerability (CVE-2025-29943) on their AMD-based instances. Compliance best practices: - Incorporate the AMD microcode and AGESA firmware updates for CVE-2025…”

T1176 Software Extensions · 37%
“Create detection rules for anomalous browser process behavior, such as a browser extension reading and executing code hidden within image files. - Establish a continuous security awareness training program that specifically educates employees on the risks of browser extensions, h…”

T1055.001 Dynamic-link Library Injection · 37%
“arguments that include '--headless=new' or '--no-sandbox'. - Review network logs for outbound FTP traffic from workstations. Configure the perimeter firewall to block all outbound FTP connections except to pre-approved, legitimate servers. Compliance best practices …”

Summary

These are the top threats you should know about this week.