MSP cybersecurity news digest, January 5, 2026
https://www.acronis.com/en/tru/posts/msp-cybersecurity-news-digest-january-5-2026/
Publish Date: 2026-01-15 16:55:00
Source Domain: www.acronis.com
ToneShell backdoor delivered through signed kernel driver in Mustang Panda activity

Researchers observed activity linked to Mustang Panda delivering an updated ToneShell backdoor via a kernel-mode loader, targeting government organizations. The intrusion chain used a signed kernel driver / rootkit-style component to load or mask malicious activity, a technique that can reduce the effectiveness of signature-only controls. The broader implication is an ongoing trend toward blending malicious implants with trusted components (signed drivers, LOLBins, stealth loaders) to improve persistence and evasion.

Fake KMSAuto activators spread malware tied to large-scale crypto losses

Authorities linked a large-scale campaign to malware disguised as KMSAuto, with reporting citing 2.8 million distributed copies and theft via clipboard / crypto-address manipulation. The tactic centers on user-initiated execution of “utility” software that then performs credential / asset theft, behavior consistent with opportunistic, high-volume tradecraft. The broader implication is that pirated software ecosystems function as malware distribution infrastructure, impacting MSP environments through unmanaged endpoints and user-driven installs.

Trust Wallet browser extension breach fuels multi-million-dollar crypto theft

Trust Wallet reported a security incident affecting Chrome extension v2.68 and advised updating to a fixed version, with follow-on reporting tying the impact to 2,596 wallets and ~$7 million in losses. The compromise reflects malicious code introduced into a browser extension distribution path, enabling theft from users via extension-level access. The broader implication is that browser extensions are a high-trust execution layer where a single compromised release can scale quickly across both consumer and enterprise endpoints.

Zoom-themed browser extensions steal corporate meeting data at scale

Researchers described a campaign using 18 browser extensions across Chrome / Edge / Firefox to collect meeting-related data (including meeting URLs, IDs, topics, and embedded passwords). The extensions were positioned as legitimate productivity/meeting tools while performing background collection and exfiltration consistent with corporate intelligence gathering. The broader implication is an expansion of “steal-data-without-dropping-a-binary” tradecraft, where the browser becomes the collection platform and traditional malware controls may miss early signals.

GlassWorm campaign targets macOS users with trojanized crypto wallets

A new wave of GlassWorm malware is targeting macOS developers via malicious VS Code / OpenVSX extensions, marking a shift from prior Windows-focused campaigns and broadening the malware’s ecosystem impact. Researchers observed AES-256-CBC–encrypted payloads embedded in JavaScript within infected extensions, using AppleScript and LaunchAgents for persistence and attempting to steal credentials, developer tokens, browser data and cryptowallet information. This evolution highlights that self-propagating malware campaigns are expanding operational scope to include macOS and developer environments, emphasizing supply chain risks for code repositories and extension marketplaces.
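The LaunchAgent persistence described in the GlassWorm item is something an MSP can audit across a macOS fleet. The script below is an added defender-side example, not code from the Acronis digest or from the GlassWorm research; it parses constructed LaunchAgent plist fixtures (not real artifacts) and flags entries that use osascript as the launcher or that reach into editor extension directories, which are the indicators the item names.

```python
import plistlib

# Constructed fixtures standing in for files under ~/Library/LaunchAgents.
# They are illustrative, not real GlassWorm artifacts.
SAMPLE_PLISTS: dict[str, bytes] = {
    "com.example.sync.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.sync</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Sync.app/Contents/MacOS/sync</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "com.update.helper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.update.helper</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/osascript</string>
    <string>-e</string>
    <string>do shell script "node ~/.vscode/extensions/x.ext/out/run.js"</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
}

# Heuristics derived from the indicators in the digest: AppleScript as the
# launcher, and persistence that reaches into editor extension directories.
SUSPICIOUS_LAUNCHERS = {"/usr/bin/osascript", "osascript"}
EXTENSION_DIR_HINTS = (".vscode/extensions", "open-vsx", "openvsx")

def audit_launch_agent(raw: bytes) -> list[str]:
    """Return reasons a LaunchAgent plist looks suspicious; empty means clean."""
    data = plistlib.loads(raw)
    args = [str(a) for a in data.get("ProgramArguments", [])]
    reasons: list[str] = []
    if args and args[0] in SUSPICIOUS_LAUNCHERS:
        reasons.append("launched through osascript (AppleScript persistence)")
    if any(h in " ".join(args).lower() for h in EXTENSION_DIR_HINTS):
        reasons.append("command references an editor extension directory")
    if reasons and data.get("RunAtLoad") and data.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive makes it restart-resilient")
    return reasons

def audit_all(plists: dict[str, bytes]) -> dict[str, list[str]]:
    """Audit every plist and return only the flagged ones with their reasons."""
    flagged = {name: audit_launch_agent(raw) for name, raw in plists.items()}
    return {name: why for name, why in flagged.items() if why}
```

On a real host, feed audit_all the contents of each plist in ~/Library/LaunchAgents and /Library/LaunchAgents; treat hits as leads for triage rather than verdicts, since legitimate tools also use osascript.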