Cybersecurity researchers have discovered a new campaign in which a cluster of 108 Google Chrome extensions has been found to communicate with the same command-and-control (C2) infrastructure with the goal of collecting user data and enabling browser-level abuse by injecting ads and arbitrary JavaScript code into every web page visited.

According to Socket, the extensions (complete list here) are published under five distinct publisher identities – Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt – and have collectively amassed about 20,000 installs in the Chrome Web Store.

“All 108 route stolen credentials, user identities, and browsing data to servers controlled by the same operator,” security researcher Kush Pandya said in an analysis.

Microsoft has introduced new Windows protections to defend against phishing attacks that abuse Remote Desktop connection (.rdp) files, adding warnings and disabling risky shared resources by default.

RDP files are commonly used in enterprise environments to connect to remote systems because admins can preconfigure them to automatically redirect local resources to the remote host.

Threat actors have increasingly abused this functionality in phishing campaigns. The Russian state-sponsored APT29 hacking group has previously used rogue RDP files to remotely steal data and credentials from victims.

Rockstar Games has suffered a data breach linked to a recent security incident at Anodot, with the ShinyHunters extortion gang now leaking the stolen data on its data leak site.

The threat actors claim the data was taken from Snowflake environments using authentication tokens stolen during a recent Anodot security incident.

They have now published what they say is Rockstar Games data containing more than 78.6 million records.

A new Lua-based malware, called LucidRook, is being used in spear-phishing campaigns targeting non-governmental organizations and universities in Taiwan.

Cisco Talos researchers attribute the malware to a threat group tracked internally as UAT-10362, who they describe as a capable adversary “with mature operational tradecraft.”

LucidRook was observed in attacks in October 2025 that relied on phishing emails carrying password-protected archives.

Threat actors using a previously undocumented phishing-as-a-service (PhaaS) platform called “VENOM” are targeting credentials of C-suite executives across multiple industries.

The operation has been active since at least last November and appears to target specific individuals who serve as CEOs, CFOs, or VPs at their companies.

VENOM also seems to be closed access, as it has not been promoted on public channels and underground forums, thus reducing its exposure to researchers.