InfoSec Briefing - January 15, 2026

🎧 Audio Briefing

Playback Speed:

Good morning. Yesterday's security developments from Wednesday, January 14, 2026, covering 5 articles. All attribution is by the article authors. All article analysis is automated.

Reuters reports that Beijing has ordered Chinese domestic companies to stop using cybersecurity software from over a dozen U.S. and Israeli firms including Palo Alto Networks, CrowdStrike, Fortinet, Check Point, and Mandiant. The directive cites national security concerns about potential data collection and transmission abroad, reflecting escalating geopolitical tensions and China's push to replace Western technology with domestic alternatives.

According to r136a1.dev, the Turla APT group has deployed Kazuar v3 loader, a sophisticated multi-stage malware using DLL sideloading, hardware breakpoint hooking, and COM subsystem abuse to evade detection. The loader bypasses ETW and AMSI, masquerades as legitimate Windows processes like explorer.exe and svchost.exe, and delivers final payloads for persistent infections through control flow redirection and COM-visible .NET assembly execution.

Microsoft reports the disruption of RedVDS, a virtual desktop provider operated by threat actor Storm-2470 that enabled widespread cybercriminal operations including business email compromise, phishing, and financial fraud. The cybercrime-as-a-service platform provided disposable virtual machines for $24 per month, facilitating anonymous criminal operations integrated with generative AI tools for sophisticated impersonations including deepfakes and voice cloning. RedVDS resulted in approximately $40 million in fraud losses in the United States and compromised over 191,000 organizations globally.

The UK's National Cyber Security Centre has published new guidance on secure connectivity principles for operational technology environments. The guidance provides eight core principles for designing secure OT connectivity, addressing risks from increased attack surfaces, legacy devices, and remote access requirements, targeting OT organizations, essential service operators, and system vendors.

That concludes today's briefing.

📰 Articles Covered

Exclusive: Beijing tells Chinese firms to stop using US and Israeli cybersecurity software, sources say - Reuters

Beijing has instructed Chinese domestic companies to stop using cybersecurity software from over a dozen U.S. and Israeli firms, citing national security concerns and a broader effort to replace Western technology with domestic alternatives. This directive is part of escalating trade and diplomatic tensions between China and Western nations.

**Who is affected:**
The ban impacts companies including **Palo Alto Networks, CrowdStrike, VMware, Fortinet, Check Point Software Technologies, Alphabet's Mandiant, Wiz, SentinelOne, Rapid7, Recorded Future, McAfee, Claroty, CyberArk, Orca Security, Cato Networks, and Imperva**. While some of these vendors have minimal or no business in China, others have a significant operational presence there.

**Security implications:**
China's primary stated concern is that this software could be used to **collect and transmit confidential information abroad**. This action is viewed within the context of a geopolitical struggle for technological supremacy, with underlying fears of Western equipment being compromised by foreign powers. Notably, some of the banned U.S. and Israeli firms have previously accused China of hacking operations.

**Technical details:**
The article does not delve into extensive technical specifics. However, the core issue is the **access that cybersecurity vendors have to sensitive data** within corporate networks and devices. The concern is that this deep access could theoretically be exploited for espionage or sabotage, particularly during periods of high geopolitical tension.

**What defenders should know:**
This situation highlights the critical importance of understanding the **geopolitical context of technology supply chains**. It signals a trend towards the nationalization of critical technologies and underscores the risks associated with relying on foreign-made cybersecurity solutions in an environment characterized by mistrust. Defenders should prioritize robust due diligence and maintain awareness of potential vulnerabilities, especially concerning technologies deemed vital for national security.
🇷🇺 COMmand & Evade: Turla's Kazuar v3 Loader - r136a1.dev

The cybersecurity article details **Turla's Kazuar v3 loader**, a sophisticated, multi-stage malware designed for stealthy and persistent infections.

**What Happened:**
The infection process begins with a VBScript that establishes directories and downloads necessary files, including a legitimate Hewlett-Packard printer driver installer (`hpbprndi.exe`) and a native loader (`hpbprndiLOC.dll`). The VBScript then executes the printer driver installer, which, in turn, sideloads the native loader. This loader employs advanced techniques to bypass security measures like ETW (Event Tracing for Windows) and AMSI (Antimalware Scan Interface) using hardware breakpoint hooking and vectored exception handlers. It also utilizes control flow redirection to execute a COM-visible .NET assembly (`jtjdypzmb.yqg`). This assembly is responsible for decrypting and loading the final Kazuar v3 payloads, identified as KERNEL, WORKER, and BRIDGE. The malware leverages the Windows COM subsystem to disguise its activities as legitimate system processes, such as `explorer.exe` and `svchost.exe` (via `dllhost.exe`), making it highly stealthy and resilient. Persistence is achieved through a registry Run key, and the malware collects system information to send to its operators.

**Who is Affected:**
While the article does not specify exact targets, it indicates that organizations or individuals targeted by **Turla**, a known advanced persistent threat (APT) group, are affected. The use of seemingly legitimate files and advanced evasion techniques suggests a broad targeting capability, likely focusing on environments where sophisticated stealth is required.

**Security Implications:**
The primary security implication is the malware's **high level of stealth and resilience**. Its deep integration with the Windows COM subsystem, allowing it to masquerade as legitimate processes, makes detection by traditional security tools and behavioral monitors extremely challenging. The multi-stage infection chain, complex bypass techniques, and in-memory execution of payloads further hinder analysis and increase the difficulty of detection.

**Technical Details:**
* **Initial Stage:** A VBScript (`8RWRLT.vbs`) downloads files from `185.126.255[.]132` to a specific directory and executes `hpbprndi.exe` for persistence.
* **Native Loader (`hpbprndiLOC.dll`):** This DLL is sideloaded using the MFC satellite DLL technique. It implements patchless ETW and AMSI bypasses, uses control flow redirection, suspends other threads to avoid detection, and creates a log file.
* **COM Integration:** The malware replicates `ADODB.Stream` COM object registration for stealthy file operations, uses WMI to interact with the 64-bit registry, and employs COM Shell Automation to hide its actions. It registers three COM objects to expose the .NET assembly to COM clients.
* **COM-Visible .NET Assembly (`jtjdypzmb.yqg`):** This acts as a bridge, implementing its own ETW/AMSI bypasses, decrypting final payloads using AES-CBC, and executing them within a `dllhost.exe` process.
* **Kazuar v3 Payloads (KERNEL, WORKER, BRIDGE):** These are obfuscated .NET assemblies with distinct roles: KERNEL for orchestration and keylogging, WORKER for surveillance and anti-defensive product tracking, and BRIDGE for communication and exfiltration. The agent label used is `AGN-RR-01`.

**What Defenders Should Know:**
Defenders should be aware of the **Indicators of Compromise (IOCs)**, including specific file hashes, IP addresses (`185.126.255[.]132`), DNS addresses (`esetcloud.com`), C2 URLs, and Windows directory/file paths associated with the malware. Detection strategies should focus on:
* Monitoring for the creation of specific directory structures and files.
* Analyzing network traffic for connections to known C2 servers.
* Detecting the execution of `hpbprndi.exe` and the subsequent loading of `hpbprndiLOC.dll`.
* Identifying COM registration activities in the registry.
* Utilizing Yara rules for detecting the various malware components.
* Being vigilant for anomalies in system calls or exception handling that might indicate bypass techniques.
* Monitoring for the unusual use of `dllhost.exe` as a COM surrogate for unexpected .NET assemblies.
Inside RedVDS: How a single virtual desktop provider fueled worldwide cybercriminal operations - Microsoft

A virtual dedicated server (VDS) provider named **RedVDS** has been identified as a significant enabler of worldwide cybercriminal operations, including business email compromise (BEC), mass phishing, account takeovers, and financial fraud. Microsoft's investigation, in collaboration with law enforcement, has led to the disruption of RedVDS infrastructure. The threat actor behind RedVDS is tracked as **Storm-2470** 【1】.

**What Happened:**
RedVDS operated as a marketplace selling illegal software and services, offering inexpensive Windows-based Remote Desktop Protocol (RDP) servers with full administrator control and no usage limits. This infrastructure was utilized by multiple financially motivated threat actors to conduct various cybercrimes 【1】.

**Who is Affected:**
RedVDS services targeted multiple sectors globally, including **legal, construction, manufacturing, real estate, healthcare, and education**. Geographically, attacks facilitated by RedVDS have impacted the **United States, Canada, United Kingdom, France, Germany, Australia**, and countries with significant banking infrastructure. While specific sectors are at higher risk, the attacks enabled by RedVDS are common and could affect any business or consumers, particularly those with high transaction volumes 【1】.

**Security Implications:**
RedVDS facilitated cybercrime on a massive scale, contributing to approximately **$40 million in reported fraud losses in the United States alone since March 2025**. The implications include widespread credential theft, account takeovers, mass phishing campaigns, and sophisticated business email compromise operations. The ease of access and scalability provided by RedVDS allowed cybercriminals to operate with minimal friction, resulting in substantial financial losses and data theft 【1】.

**Technical Details:**
RedVDS provided virtual Windows cloud servers generated from a single Windows Server 2022 image. A key technical indicator was the **reuse of a single cloned Windows host image** across the service, characterized by a consistent computer name (`_WIN-BUNS25TD77J_`) and identical OS installation IDs and product keys. The provisioning was automated using Quick Emulator (QEMU) and VirtIO drivers, enabling rapid cloning of the master VM image. To evade detection, servers were rented from third-party hosting providers across multiple countries, and customers paid using **cryptocurrency** (primarily Bitcoin and Litecoin) for anonymity. Common tools found on RedVDS hosts included mass mailer utilities, email address harvesters, privacy and VPN clients, remote access tools like AnyDesk, and scripting environments. **AI tools like ChatGPT** were also employed to overcome language barriers in crafting phishing lures 【1】.

**What Defenders Should Know:**
Defenders should recognize that RedVDS is an infrastructure provider, not malware itself, and its operations rely on social engineering and phishing. Key recommendations for defense include:
- **Preventing phishing attacks:** Implementing robust email and communication platform defenses (e.g., Exchange Online Protection, Microsoft Defender for Office 365), conducting user awareness training and phishing simulations, utilizing passwordless solutions, and enforcing Multi-Factor Authentication (MFA) with conditional access policies 【1】.
- **Preventing BEC:** Providing comprehensive social engineering training, increasing awareness of phishing tactics, securing device services, enabling MFA, promoting strong password protection, and using secure payment platforms 【1】.
- **Technical Measures:** Ensuring distinct admin and user accounts, avoiding suspicious emails, verifying sender identities, enforcing strong email security settings (like DMARC, Spoof intelligence), and using secure browsers. Microsoft Defender XDR offers detections for activities related to RedVDS, and tools like Microsoft Security Copilot can assist in investigations and response 【1】.
Microsoft disrupts global cybercrime subscription service responsible for millions in fraud losses - Microsoft

Microsoft, in collaboration with international law enforcement agencies, has successfully disrupted **RedVDS**, a global cybercrime subscription service. This operation involved seizing critical malicious infrastructure and taking the RedVDS marketplace offline, thereby hindering its operations. RedVDS provided cybercriminals with access to disposable virtual computers for a low monthly fee, which significantly contributed to the rise in cyber-enabled crimes.

**Who is affected:**
The activities facilitated by RedVDS have resulted in millions of dollars in fraud losses. Notable victims include **H2-Pharma**, an Alabama-based pharmaceutical company that lost over $7.3 million, and the **Gatehouse Dock Condominium Association** in Florida, which suffered a loss of nearly $500,000. The service impacts individuals, businesses, and communities globally, with reported fraud losses in the United States alone reaching approximately $40 million since March 2025. Worldwide, RedVDS-enabled attacks have compromised or provided fraudulent access to over 191,000 organizations since September 2025.

**Security implications:**
RedVDS is a component of the broader **cybercrime-as-a-service ecosystem**, enabling criminals to conduct attacks anonymously and affordably on a large scale. It fuels AI-driven fraud, including real estate scams, and is utilized for widespread phishing campaigns, hosting scam infrastructure, and executing sophisticated Business Email Compromise (BEC) schemes. The service is often combined with generative AI tools for identifying targets and creating realistic impersonations, such as face-swapping, video manipulation, and voice cloning, making deception more effective and harder to detect. The extensive volume of attacks enabled by RedVDS amplifies the scale and reach of cyber threats.

**Technical details:**
RedVDS offers disposable virtual computers running unlicensed software, including Windows, for a monthly fee as low as $24. These virtual machines allow criminals to operate anonymously and across international borders. The service is used to send millions of phishing messages daily and to host scam infrastructure. It is frequently integrated with generative AI tools to enhance phishing campaigns and impersonations. Common attack methods include payment diversion fraud (BEC), where attackers monitor email communications, impersonate trusted entities, and redirect funds, as well as real estate payment diversion scams targeting closing funds.

**What defenders should know:**
Defenders and organizations should be aware that cybercrime relies on shared infrastructure like RedVDS, and disruptions to these services are ongoing. Implementing simple security measures can significantly reduce risk. These include:
- **Slowing down and questioning urgency** in communications.
- **Verifying requests** by calling back using known contact information.
- **Enabling multifactor authentication**.
- **Watching for subtle changes** in email addresses.
- **Keeping software updated**.
- **Reporting suspicious activity** to law enforcement.
These actions contribute to dismantling criminal networks and protecting against sophisticated scams that exploit trust and timing.
Designing safer links: secure connectivity for operational technology - The National Cyber Security Centre (NCSC) controls the content posted at the provided URL. The NCSC is the UK's National technical authority for cyber threats and Information Assurance, and it is part of the UK Government.

The National Cyber Security Centre (NCSC) has released new guidance titled "Secure connectivity principles for operational technology" (OT) to help organizations design, review, and secure connectivity within their OT systems. This guidance builds upon previous advice regarding OT architecture.

**What happened:** The NCSC published new guidance on secure connectivity for OT environments.

**Who is affected:** This guidance is intended for **all individuals and organizations involved in operational technology**, including OT organizations, operators of essential services, and owners, operators, integrators, and vendors of OT systems.

**Security implications:** While connectivity in OT systems offers advantages such as remote monitoring and predictive maintenance, it also **increases the potential attack surface**. Risks are amplified by the presence of legacy devices, complex supply chains, and the necessity of remote access. These vulnerabilities can lead to significant disruptions, including operational downtime, safety incidents, and environmental damage. The guidance aims to ensure that future connectivity decisions are security-focused and risk-aware, incorporating resilience and encouraging improvements to existing setups.

**Technical details:** The guidance presents **eight core principles for designing secure OT connectivity**. These principles address key areas such as:
- Evaluating risks and opportunities before establishing connections.
- Minimizing exposure.
- Strengthening network boundaries.
- Implementing robust logging and monitoring.
The NCSC also references a practical example demonstrating safe data sharing from an OT environment, which is particularly useful for managing cybersecurity risks when exchanging data with external parties like Original Equipment Manufacturers (OEMs).

**What defenders should know:** Defenders in OT environments need to recognize that **secure connectivity is crucial for maintaining safety, resilience, and defense against cyber threats**. By consistently applying the outlined principles to all connections—whether new, modified, or existing—they can effectively reduce their attack surface, enhance their ability to respond to incidents, and safeguard the trust and safety of their operations. A well-designed connectivity infrastructure makes it more challenging for adversaries to disrupt data, processes, or critical services.