This month focuses on the Malware-as-a-Service toolkit “Stanley”, Meta’s new lockdown-style security feature for WhatsApp, Europol’s clampdown on Black Axe, and Google’s disruption of IPIDEA’s massive proxy network.
“Stanley” Malware-as-a-Service
Researchers disclosed “Stanley,” a malware-as-a-service toolkit sold on Russian cybercrime forums for $2,000–$6,000, enabling browser-based credential theft.
Summary
- The toolkit allows attackers to create malicious Chrome extensions that overlay phishing pages on legitimate websites while keeping the real URL visible in the address bar.
- Buyers receive a command-and-control (C2) panel to manage victims, configure redirects, and push fake browser notifications.
- Higher-tier versions guarantee Chrome Web Store approval, allowing malicious extensions to bypass Google’s review process.
- Stanley is packaged as a legitimate-looking note-taking and bookmarking extension (“Notely”), encouraging users to grant broad permissions.
- Once installed, the extension hijacks navigation to targeted sites (banks, crypto platforms, SaaS apps) and displays full-screen spoofed pages to harvest credentials.
- While the underlying techniques are not novel, the guaranteed store approval and ease of use make Stanley especially dangerous and accessible to low-skill attackers.
- The toolkit highlights a growing reality that the browser has become the new enterprise endpoint, especially in SaaS-first, BYOD, and remote-work environments.
- Malicious extensions create a defensive blind spot, as traditional endpoint and network controls assume the browser faithfully renders legitimate content.
- Experts recommend restricting and allow-listing browser extensions, closely reviewing permissions, and regularly auditing installed extensions, as URL checks and phishing-resistant authentication alone are no longer sufficient.
- Read more about it here
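The extension allow-listing and permission review recommended above can be scripted. The following is an added example and is not code from the article or from the Stanley research: it walks a Chrome profile's `Extensions/<id>/<version>/manifest.json` layout, reports any extension that is not on an organisational allowlist, and flags permissions broad enough to observe or overlay arbitrary sites. The set of "broad" permissions, the allowlist, the extension ids and the two sample manifests are assumptions constructed for this example.

```python
"""Audit installed Chrome extensions against an allowlist and flag broad permissions.

Added example, not code from the article or from the Stanley research. It reads
manifest.json for every extension in a Chrome profile, reports extensions that
are not on an organisational allowlist, and flags permissions broad enough to
observe or overlay pages on any site (the capability an overlay-phishing
extension needs).
"""
import json
import os
import sys
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Permissions that let an extension read, rewrite or overlay pages on any site.
# The selection is an assumption for this example; all are documented Chrome
# extension permissions or host-permission patterns.
BROAD_PERMISSIONS = {"tabs", "webNavigation", "webRequest", "declarativeNetRequest",
                     "scripting", "notifications", "cookies"}
ALL_SITES_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


@dataclass
class Finding:
    ext_id: str
    name: str
    allowlisted: bool
    broad: list = field(default_factory=list)
    all_sites_content_script: bool = False

    @property
    def risky(self) -> bool:
        """Anything not allow-listed, or anything that can touch every site, needs review."""
        return (not self.allowlisted) or bool(self.broad) or self.all_sites_content_script


def audit_manifest(ext_id: str, manifest: dict, allowlist: set) -> Finding:
    """Classify one extension from its parsed manifest.json (MV2 or MV3 keys)."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    broad = sorted(p for p in perms if p in BROAD_PERMISSIONS or p in ALL_SITES_PATTERNS)
    all_sites_cs = any(m in ALL_SITES_PATTERNS
                       for cs in manifest.get("content_scripts", [])
                       for m in cs.get("matches", []))
    return Finding(ext_id=ext_id, name=manifest.get("name", "?"),
                   allowlisted=ext_id in allowlist, broad=broad,
                   all_sites_content_script=all_sites_cs)


def audit_profile(extensions_dir: Path, allowlist: set) -> list:
    """Scan <profile>/Extensions/<id>/<version>/manifest.json for each installed extension."""
    findings = []
    if not extensions_dir.is_dir():
        return findings
    for ext_dir in sorted(p for p in extensions_dir.iterdir() if p.is_dir()):
        for manifest_path in sorted(ext_dir.glob("*/manifest.json")):
            with open(manifest_path, encoding="utf-8") as fh:
                findings.append(audit_manifest(ext_dir.name, json.load(fh), allowlist))
    return findings


def default_extensions_dirs() -> list:
    """Default-profile extension folders for Chrome on the three desktop platforms."""
    home = Path.home()
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
        return [base / "Google" / "Chrome" / "User Data" / "Default" / "Extensions"]
    if sys.platform == "darwin":
        return [home / "Library" / "Application Support" / "Google" / "Chrome" / "Default" / "Extensions"]
    return [home / ".config" / "google-chrome" / "Default" / "Extensions"]


# Constructed sample manifests (not real extension data). The first mimics a
# "note-taking" extension that asks for access to every site; the second is benign.
SAMPLE_NOTETAKER_MANIFEST = {
    "manifest_version": 3, "name": "Sample Notes (constructed)", "version": "1.0",
    "permissions": ["storage", "tabs", "webNavigation", "notifications"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["overlay.js"]}],
}
SAMPLE_BENIGN_MANIFEST = {
    "manifest_version": 3, "name": "Sample Dictionary (constructed)", "version": "2.1",
    "permissions": ["storage"],
    "content_scripts": [{"matches": ["https://dictionary.example/*"], "js": ["lookup.js"]}],
}
# Hypothetical 32-character extension ids; a real allowlist holds the ids approved by IT.
SAMPLE_ALLOWLIST = {"benignbenignbenignbenignbenignbe"}


def demo() -> list:
    """Build a throwaway profile containing the sample manifests and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        ext_root = Path(tmp) / "Extensions"
        for ext_id, manifest in (("notelynotelynotelynotelynotelyno", SAMPLE_NOTETAKER_MANIFEST),
                                 ("benignbenignbenignbenignbenignbe", SAMPLE_BENIGN_MANIFEST)):
            vdir = ext_root / ext_id / (manifest["version"] + "_0")  # Chrome names folders "<version>_0"
            vdir.mkdir(parents=True)
            (vdir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        return audit_profile(ext_root, SAMPLE_ALLOWLIST)


if __name__ == "__main__":
    dirs = [d for d in default_extensions_dirs() if d.is_dir()]
    findings = demo() if not dirs else [f for d in dirs for f in audit_profile(d, SAMPLE_ALLOWLIST)]
    for f in findings:
        print(f"{'REVIEW' if f.risky else 'ok':6} {f.ext_id} {f.name!r} allowlisted={f.allowlisted} "
              f"broad={f.broad} all_sites_content_script={f.all_sites_content_script}")
```

Run against a real profile, the script prints one line per installed extension; anything marked REVIEW is either outside the allowlist or can inject content on every site, which is exactly the capability a store-approved overlay extension abuses. In a managed fleet the allowlist itself is enforced through Chrome's `ExtensionInstallAllowlist`/`ExtensionInstallBlocklist` policies; this audit is the check that the policy actually holds on endpoints.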
WhatsApp’s New Lockdown-Style Mode
Meta introduced Strict Account Settings on WhatsApp to better protect high-risk users from advanced cyber and spyware attacks.
Summary
- The feature is aimed at journalists, public figures, and other sensitive targets, similar to Apple’s Lockdown Mode and Android’s Advanced Protection.
- Enabling the mode locks accounts to the most restrictive security settings, trading some functionality for stronger protection.
- It blocks attachments and media from unknown senders, silences calls from non-contacts, and restricts other potentially risky features.
- Users can activate it via Settings → Privacy → Advanced, with a gradual global rollout underway.
- Alongside this, Meta announced a major shift to using the Rust programming language in WhatsApp’s media-sharing systems.
- Rust enables a secure, high-performance, cross-platform media library (“wamedia”), reducing risks from memory-safety vulnerabilities.
- Meta described this as part of a defense-in-depth strategy, combining reduced attack surface, hardened legacy code, and default use of memory-safe languages.
- Read more about it on the WhatsApp blog site.
Europol Goes After Black Axe
Europol announced the arrest of 34 suspected members of the Black Axe criminal network in Spain as part of a coordinated international operation.
Summary
- The arrests were led by the Spanish National Police, with support from Europol and the Bavarian State Criminal Police Office.
- Most arrests occurred in Seville (28 suspects), with others detained in Madrid, Málaga, and Barcelona.
- Europol described Black Axe as a violent, mafia-style organization involved in both cybercrime and traditional organized crime.
- The group is linked to cyber-enabled fraud, drug trafficking, human trafficking, prostitution, kidnapping, armed robbery, and fraudulent spiritual practices.
- Authorities estimate the syndicate caused over €5.93 million in fraud-related losses, alongside freezing bank accounts and seizing significant cash.
- Black Axe originated in Nigeria in 1977 and has since expanded globally, with an estimated 30,000 registered members and numerous facilitators.
- The group has been tied to business email compromise, romance scams, inheritance fraud, credit card and tax fraud, advance-fee scams, and money laundering.
- Previous INTERPOL operations have led to hundreds of arrests and millions of dollars in seized assets, highlighting the syndicate’s global scale and persistence.
- Read more about it on the Europol website
Google Disrupts Massive IPIDEA Proxy Network
Google’s Threat Intelligence Group (GTIG), alongside several of its partners, disrupted IPIDEA, believed to be one of the largest residential proxy networks globally, widely abused by cybercriminals and espionage actors.
Summary
- Actions included legal takedowns of command-and-control (C2) domains, sharing intelligence with law enforcement and industry, and blocking IPIDEA SDK–based apps via Google Play Protect.
- IPIDEA operates by enrolling millions of consumer devices as proxy “exit nodes”, often without user awareness, allowing attackers to mask malicious activity behind residential IP addresses.
- Residential proxies are heavily misused for botnets, espionage, fraud, password spraying, SaaS intrusion, and infrastructure attacks, making detection and attribution difficult.
- In just one week (January 2026), Google observed 550+ tracked threat groups—including actors linked to China, Russia, Iran, and DPRK—using IPIDEA exit nodes.
- IPIDEA is tied to multiple botnets (BadBox 2.0, Aisuru, Kimwolf) and overlaps extensively with other proxy brands due to reseller and shared infrastructure agreements.
- The same operators control numerous proxy and VPN brands (e.g., IPIDEA, Luna Proxy, PIA S5, Cherry Proxy, Galleon VPN, Radish VPN) and monetization SDKs (PacketSDK, HexSDK, EarnSDK, CastarSDK).
- These SDKs are marketed to developers as monetization tools but silently turn devices into proxy nodes, often without clear disclosure or informed consent.
- IPIDEA uses a two-tier C2 architecture, with Tier One domains assigning Tier Two IP nodes that handle tasking and proxy traffic at scale.
- Analysis identified about 7,400 active Tier Two proxy servers worldwide, dynamically scaled based on demand and shared across all IPIDEA-branded services.
- IPIDEA expanded through trojanized Windows binaries, Android apps, free VPNs, and embedded SDKs, including fake OneDrive, Windows Update, and utility apps.
- Consumers whose devices become exit nodes face privacy, security, and legal risks, as attackers can route malicious traffic through their networks or access local devices.
- Google’s disruption significantly reduced IPIDEA’s device pool by millions, with likely downstream impact on affiliated proxy resellers.
- Google coordinated with partners like Cloudflare, Spur, and Lumen Black Lotus Labs to disrupt domain resolution and improve ecosystem-wide enforcement.
- Google called for greater accountability, transparent consent, stronger platform policies, industry collaboration, and consumer caution, warning that the residential proxy market has become a deceptive gray market fueling global cybercrime.
- Read more on Google’s blog here
Sources
- https://www.darkreading.com/remote-workforce/stanley-toolkit-chrome-undetectable-phishing
- https://blog.whatsapp.com/whatsapps-latest-privacy-protection-strict-account-settings
- https://www.europol.europa.eu/media-press/newsroom/news/34-arrests-in-spain-during-action-against-black-axe-criminal-organisation
- https://cloud.google.com/blog/topics/threat-intelligence/disrupting-largest-residential-proxy-network
- https://www.gadgets360.com/mobiles/news/google-disrupts-ipidea-proxy-network-sdk-android-smartphones-windows-pcs-control-cyberattack-cybersecurity-10935797