This will get you hacked: from early probing to trust abuse

From insider recruitment and AI-powered investment scams to LLM reconnaissance and QR code phishing, Cybernews’s new security research round-up 'This will get you hacked' offers a clearer view of how attackers operate and where defenders can respond.
Cybersecurity research is often published in isolation – one report, one vendor, one threat at a time. Our new weekly round-up exists to do the opposite, bringing together research from across the security industry in one space to give defenders the chance to step back and see patterns that aren’t always obvious when reports are read individually.
This week’s findings reveal a consistent shift in attacker behavior. Rather than relying on novel exploits, many of the most effective techniques focus on reconnaissance, trust-building, and bypassing assumptions, whether that means quietly mapping exposed LLMs, rendering QR codes in ways email scanners don’t expect, or recruiting insiders who already have legitimate access.
With that context in mind, here are this week’s research highlights.
Threat actors are quietly mapping exposed LLMs
GreyNoise researchers have reported a surge in activity targeting large language model (LLM) infrastructure, after their Ollama honeypot recorded more than 91,000 attack sessions between October 2025 and January 2026.
The data revealed two campaigns: one abusing server-side request forgery (SSRF) to force LLM servers to call attacker infrastructure, and a second, more concerning effort focused on systematic enumeration of exposed LLM APIs.
The reconnaissance targeted models from OpenAI, Anthropic, Meta, Google, Mistral, Alibaba, and xAI, using harmless prompts to fingerprint deployments. GreyNoise warns that the scale and automation suggest professional threat actors quietly building target lists for future exploitation.
The return of Scattered Lapsus$ hunters
A report from Cyfirma warns that loosely affiliated threat actors inspired by the Lapsus$ playbook are resurfacing, targeting organisations with opportunistic, high-impact attacks.
Rather than operating as a single group, these “scattered hunters” use social engineering, credential theft, SIM swapping, and insider access to breach companies quickly and publicly.
The report notes a continued focus on extortion over stealth, with attackers prioritising speed, visibility, and reputational damage. Cyfirma’s findings show how fragmented, copycat threat actors can still cause outsized disruption, especially where identity controls and employee awareness are weak.
Discord malware that hides in plain sight
A report from Unit 42 details VVS stealer, a Python-based infostealer built to quietly drain Discord accounts and browser data. First sold on Telegram in 2025, the malware uses PyInstaller and heavy Pyarmor obfuscation to evade detection and frustrate analysis.
Once active, it steals Discord tokens, hijacks live sessions via code injection, pulls payment and account data, and exfiltrates everything through Discord webhooks. It also harvests browser passwords and cookies, installs itself for persistence, and throws fake error messages to stay hidden.
Stealthy, cheap, and effective – exactly the kind of malware that thrives on distracted users.
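The exfiltration channel named above is also the most visible thing this stealer leaves on the wire. As an added example (not code from the Unit 42 report), the Python below aggregates POSTs to Discord webhook URLs from web-proxy logs per host, process and webhook id, which is the egress pattern worth alerting on because ordinary Discord use reads over GET and the desktop client talks to the regular API, not to webhooks. The log format, host names, process names and webhook id are all constructed for the example.

```python
"""Flag POSTs to Discord webhook URLs in web-proxy logs (added example, not code from
the Unit 42 report). The log format is constructed for this example:
"<time> <host> <process> <method> <url> <status> <bytes>"."""
import re
from collections import defaultdict

# A webhook URL is /api/webhooks/<id>/<token>; keep only the id for blocking and
# takedown requests, never the token.
WEBHOOK_RE = re.compile(
    r"^https?://(?:\w+\.)?discord(?:app)?\.com/api/(?:v\d+/)?webhooks/(\d+)/[\w-]+", re.I)

def parse_line(line):
    """Parse one constructed-format proxy line; None when it does not fit."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, host, proc, method, url, status, nbytes = parts
    try:
        return {"ts": ts, "host": host, "proc": proc, "method": method.upper(),
                "url": url, "status": int(status), "bytes": int(nbytes)}
    except ValueError:
        return None

def find_webhook_exfil(lines):
    """Aggregate webhook POSTs per (host, process, webhook id) so one alert covers a drip of uploads."""
    agg = defaultdict(lambda: {"posts": 0, "bytes": 0, "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue  # reading Discord over GET is normal user traffic
        m = WEBHOOK_RE.match(rec["url"])
        if m is None:
            continue
        a = agg[(rec["host"], rec["proc"], m.group(1))]
        a["posts"] += 1
        a["bytes"] += rec["bytes"]
        a["first"] = a["first"] or rec["ts"]
        a["last"] = rec["ts"]
    return [dict(host=h, process=p, webhook_id=w, **v) for (h, p, w), v in sorted(agg.items())]

# Constructed log: browsing Discord and the desktop client are benign; a process
# that only ever POSTs to a webhook is the pattern an infostealer leaves behind.
SAMPLE_LOG = """\
2026-01-12T10:02:11Z WS-014 chrome.exe GET https://discord.com/app 200 5120
2026-01-12T10:02:19Z WS-014 updater.exe POST https://discord.com/api/webhooks/123456789012345678/AbCdEf-ghIJ 204 18304
2026-01-12T10:03:01Z WS-022 Discord.exe GET https://discord.com/api/v9/users/@me 200 901
2026-01-12T10:03:40Z WS-014 updater.exe POST https://discord.com/api/webhooks/123456789012345678/AbCdEf-ghIJ 204 22100
2026-01-12T10:04:02Z WS-022 Discord.exe POST https://discord.com/api/v9/channels/1/messages 200 640
""".splitlines()

if __name__ == "__main__":
    for hit in find_webhook_exfil(SAMPLE_LOG):
        print(hit)  # one finding: WS-014 / updater.exe, 2 posts, 40404 bytes
```

The aggregation key deliberately includes the webhook id and drops the token: the id is enough to block the URL at the proxy and to report it, while the token is a secret you have no reason to copy into a ticket.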
The QR code your email scanner can’t see
Research by Jan Kopriva at the SANS Institute highlights a phishing technique designed specifically to evade modern email security tools.
While many defenses can now detect QR codes embedded as images, attackers have adapted by rendering QR codes using HTML tables instead.
To users, the emails look normal. To scanners, there’s no image to analyse. The campaign, observed in late December, demonstrates how attackers continue to exploit assumptions built into security controls and the limitations of purely technical defenses.
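The defender-side counterpart to that technique is a check that looks at table structure instead of images. As an added example (not code from the SANS research above), the Python below parses an HTML email body and flags a table that is at least 21 cells square, carries almost no text, uses exactly two background colours and shows QR finder patterns in at least two corners. It assumes the mail gateway has already extracted the HTML body as a string; both sample emails are constructed, and the generated grid is QR-shaped rather than a decodable code.

```python
"""Heuristic detector for QR codes rendered as HTML <table> grids (added example,
not code from the SANS research it illustrates). Input is the HTML body of an email;
the samples at the bottom are constructed, and the grid is QR-shaped, not decodable."""
import re
from html.parser import HTMLParser

MIN_MODULES = 21  # the smallest QR symbol (version 1) is 21x21 modules
_STYLE_BG = re.compile(r"background(?:-color)?\s*:\s*([^;]+)", re.I)

def _cell_color(attrs):
    """Background colour from bgcolor= or style=; None when the cell is unstyled."""
    if attrs.get("bgcolor"):
        return attrs["bgcolor"].strip().lower()
    m = _STYLE_BG.search(attrs.get("style") or "")
    return m.group(1).strip().lower() if m else None

class TableGridParser(HTMLParser):
    """Collect every <table> as rows of (colour, text) cells; nested tables get their own frame."""
    def __init__(self):
        super().__init__()
        self.tables, self._open = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "table":
            self._open.append({"rows": [], "row": None, "cell": None})
        elif self._open and tag == "tr":
            self._open[-1]["row"] = []
        elif self._open and tag in ("td", "th") and self._open[-1]["row"] is not None:
            try:
                span = max(1, int(a.get("colspan") or 1))
            except (TypeError, ValueError):
                span = 1
            self._open[-1]["cell"] = (_cell_color(a), span, [])

    def handle_data(self, data):
        if self._open and self._open[-1]["cell"] is not None:
            self._open[-1]["cell"][2].append(data)

    def handle_endtag(self, tag):
        if not self._open:
            return
        f = self._open[-1]
        if tag in ("td", "th") and f["cell"] is not None:
            colour, span, chunks = f["cell"]
            f["row"].extend([(colour, "".join(chunks).strip())] * span)  # colspan = repeated modules
            f["cell"] = None
        elif tag == "tr" and f["row"] is not None:
            f["rows"].append(f["row"])
            f["row"] = None
        elif tag == "table":
            self.tables.append(self._open.pop()["rows"])

def _finder_dark(i, j):
    """Dark modules of the 7x7 QR finder pattern: outer ring plus the 3x3 centre."""
    return i in (0, 6) or j in (0, 6) or (2 <= i <= 4 and 2 <= j <= 4)

def _finder_at(grid, r0, c0, dark):
    return all((grid[r0 + i][c0 + j] == dark) == _finder_dark(i, j)
               for i in range(7) for j in range(7))

def looks_like_table_qr(table, min_modules=MIN_MODULES):
    """Square, text-free, two-colour grid with QR finder patterns in at least two corners."""
    rows = [r for r in table if r]
    if len(rows) < min_modules:
        return False
    widths = {len(r) for r in rows}
    if len(widths) != 1 or widths.pop() < min_modules:
        return False  # ragged, or too small to be a symbol
    cells = [c for r in rows for c in r]
    if sum(1 for _, text in cells if text) > len(cells) * 0.05:
        return False  # layout tables carry text; QR modules do not
    if len({colour for colour, _ in cells}) != 2:
        return False  # exactly light and dark (an unstyled cell counts as one colour)
    grid = [[colour for colour, _ in r] for r in rows]
    h, w = len(grid), len(grid[0])
    dark = grid[0][0]  # the top-left module of a finder pattern is always dark
    hits = sum(_finder_at(grid, r, c, dark) for r, c in ((0, 0), (0, w - 7), (h - 7, 0)))
    return hits >= 2  # tolerate one mangled corner

def scan_html(html):
    """Number of table-rendered QR candidates in an HTML email body."""
    p = TableGridParser()
    p.feed(html)
    p.close()
    return sum(looks_like_table_qr(t) for t in p.tables)

def build_sample_table(size=21, seed=7):
    """Constructed sample: QR-shaped table with three finder patterns and LCG filler."""
    grid, state = [[False] * size for _ in range(size)], seed
    for r in range(size):
        for c in range(size):
            state = (1103515245 * state + 12345) % 2**31  # deterministic filler, not real data
            grid[r][c] = bool(state & 0x10000)
    for r0, c0 in ((0, 0), (0, size - 7), (size - 7, 0)):
        for i in range(7):
            for j in range(7):
                grid[r0 + i][c0 + j] = _finder_dark(i, j)
    cell = '<td style="background:%s;width:4px;height:4px"></td>'
    return '<table cellspacing="0" cellpadding="0">%s</table>' % "".join(
        "<tr>%s</tr>" % "".join(cell % ("#000" if d else "#fff") for d in row) for row in grid)

# Constructed inputs: a lure with a table-drawn code, and an ordinary text table.
SAMPLE_PHISH = "<html><body><p>Scan to hear your voicemail</p>%s</body></html>" % build_sample_table()
SAMPLE_INVOICE = "<table>%s</table>" % "".join(
    "<tr><td>Item %d</td><td>%d.00</td></tr>" % (i, i) for i in range(25))

if __name__ == "__main__":
    print("phish candidates:", scan_html(SAMPLE_PHISH))      # 1
    print("invoice candidates:", scan_html(SAMPLE_INVOICE))  # 0
```

The thresholds (21 modules, 5% text, two colours, two of three finder corners) are heuristics and belong in configuration; a hit is a reason to render the body and decode the resulting image, not a verdict on its own. The check complements rather than replaces image-based QR detection, which this code does not attempt.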
Malicious employees for hire
Cybercriminals are bypassing security controls by recruiting employees from the inside. New research from NordStellar reveals that dark web actors are actively seeking insiders from specific organizations, particularly those in social media and cryptocurrency firms.
Researchers identified at least 25 recruitment posts, and the threat is far from theoretical. One of the report’s authors, Mantas Sabeckis (who used to work as a researcher here at Cybernews), describes being approached directly on LinkedIn and later WhatsApp, in a scheme framed as a “bug bounty” role.
Real-world cases, including bribery incidents at Coinbase, demonstrate how easily insider access can lead to serious breaches.
The AI investment scam that builds a fake reality
Researchers at Check Point are warning about a new generation of investment fraud they call the “Truman Show” scam, where victims are slowly immersed in a fully synthetic financial world.
Using AI, scammers create fake experts, enthusiastic peers, apps, news articles, and even regulatory references to make the scheme feel legitimate. Victims are drawn into WhatsApp or Telegram groups where trust is built over weeks before money is requested. By then, risk assessment is gone, replaced by social proof and familiarity.
It’s a long-game scam that shows how AI is making fraud harder to spot and easier to scale.