Category: Cybersecurity

Ravie LakshmananJan 27, 2026Mobile Security / Spyware

Meta on Tuesday announced it’s adding Strict Account Settings on WhatsApp to secure certain users against advanced cyber attacks because of who they are and what they do.

The feature, similar to Lockdown Mode in Apple iOS and Advanced Protection in Android, aims to protect individuals, such as journalists or public-facing figures, from sophisticated spyware by trading some functionality for enhanced security.

Once this security mode is enabled, some of the account settings will be locked to the most restrictive options, while simultaneously blocking attachments and media from people not in a user’s contacts.

“This lockdown-style feature bolsters your security on WhatsApp even further with just a few taps by locking your account to the most restrictive settings like automatically blocking attachments and media from unknown senders, silencing calls from people you don’t know, and restricting other settings that may limit how the app works,” Meta said.

The feature can be enabled by navigating to Settings > Privacy > Advanced. Meta said the feature is rolling out gradually over the coming weeks.

In tandem, the social media giant said it’s adopting the use of the Rust programming language in its media sharing functionality to help keep users’ photos, videos, and messages safe from spyware attacks. It described the development as the “largest rollout globally of any library written in Rust.”

The company also said the use of Rust made it possible to develop a secure, high-performance, cross-platform library (“wamedia”) for media sharing in WhatsApp across devices, adding it’s investing in a three-pronged approach to combat memory safety issues –

• Design the product to minimize unnecessary attack surface exposure
• Invest in security assurance for the remaining C and C++ code
• By default, the choice of memory-safe languages for new code

“WhatsApp has added protections like CFI, hardened memory allocators, safer buffer handling APIs, and more,” the company said. “This is an important step forward in adding additional security behind the scenes for users and part of our ongoing defense-in-depth approach.”

Ravie LakshmananJan 27, 2026Web Security / Malware

Cybersecurity researchers have discovered a JScript-based command-and-control (C2) framework called PeckBirdy that has been put to use by China-aligned APT actors since 2023 to target multiple environments.

The flexible framework has been put to use against Chinese gambling industries and malicious activities targeting Asian government entities and private organizations, according to Trend Micro.

“PeckBirdy is a script-based framework which, while possessing advanced capabilities, is implemented using JScript, an old script language,” researchers Ted Lee and Joseph C Chen said. “This is to ensure that the framework could be launched across different execution environments via LOLBins (living-off-the-land binaries).”

The cybersecurity company said it identified the PeckBirdy script framework in 2023 after it observed multiple Chinese gambling websites being injected with malicious scripts, which are designed to download and execute the primary payload in order to facilitate the remote delivery and execution of JavaScript.

The end goal of this routine is to serve fake software update web pages for Google Chrome so as to trick users into downloading and running bogus update files, thereby infecting the machines with malware in the process. This activity cluster is being tracked as SHADOW-VOID-044.

SHADOW-VOID-044 is one of the two temporary intrusion sets detected using PeckBirdy. The second campaign, observed first in July 2024 and referred to as SHADOW-EARTH-045, involves targeting Asian government entities and private organizations — including a Philippine educational institution — injecting PeckBirdy links into government websites to likely serve scripts for credential harvesting on the website.

“In one case, the injection was on a login page of a government system, while in another incident, we noticed the attacker using MSHTA to execute PeckBirdy as a remote access channel for lateral movement in a private organization,” Trend Micro said. “The threat actor behind the attacks also developed a .NET executable to launch PeckBirdy with ScriptControl. These findings demonstrate the versatility of PeckBirdy’s design, which enables it to serve multiple purposes.”

After a connection has been initiated with the remote server, passing along the ATTACK ID and victim ID values, the server responds with a second-stage script, one of which is capable of stealing website cookies. One of PeckBirdy’s servers associated with the SHADOW-VOID-044 campaign has been found to host additional scripts –

• An exploitation script for a Google Chrome flaw in the V8 engine (CVE-2020-16040, CVSS score: 6.5) that was patched in December 2020
• Scripts for social engineering pop-ups that are designed to trick victims into downloading and executing malicious files
• Scripts for delivering backdoors that are executed via Electron JS
• Scripts to establish reverse shells via TCP sockets

Further infrastructure analysis has led to the identification of two backdoors dubbed HOLODONUT and MKDOOR –

• HOLODONUT, a .NET-based modular backdoor that’s launched using a simple downloader named NEXLOAD and is capable of loading, running, or removing different plugins received from the server
• MKDOOR, a modular backdoor that’s capable of loading, running, or uninstalling different modules received from the server

It’s suspected that SHADOW-VOID-044 and SHADOW-EARTH-045 could be linked to different China-aligned nation-state actors. This assessment is based on the following clues –

• The presence of GRAYRABBIT, a backdoor previously deployed by UNC3569 alongside DRAFTGRAPH and Crosswalk following the exploitation of N-day security flaws, on a server operated by SHADOW-VOID-044
• HOLODONUT is said to share links to another backdoor, WizardNet, which is attributed to TheWizards
• A Cobalt Strike artifact hosted on the SHADOW-VOID-044 server that’s signed using a certificate that was also used in a 2021 BIOPASS RAT campaign aimed at online gambling companies in China via a watering hole attack
• Similarities between BIOPASS RAT and MKDOOR, both of which open an HTTP server on a high-numbered port on the local host to listen (The BIOPASS RAT is attributed to a threat actor known as Earth Lusca, aka Aquatic Panda or RedHotel)
• SHADOW-EARTH-045’s use of 47.238.184[.]9 – an IP address previously linked to Earth Baxia and APT41 – to downloaded files

“These campaigns make use of a dynamic JavaScript framework, PickBirdy, to abuse living-off-the-land binaries and deliver modular backdoors such as MKDOOR and HOLODONUT,” Trend Micro concluded. “Detecting malicious JavaScript frameworks remains a significant challenge due to their use of dynamically generated, runtime-injected code and the absence of persistent file artifacts, enabling them to evade traditional endpoint security controls.”

Ravie LakshmananJan 27, 2026Vulnerability / Cloud Security

A critical security flaw has been disclosed in Grist‑Core, an open-source, self-hosted version of the Grist relational spreadsheet-database, that could result in remote code execution.

The vulnerability, tracked as CVE-2026-24002 (CVSS score: 9.1), has been codenamed Cellbreak by Cyera Research Labs.

“One malicious formula can turn a spreadsheet into a Remote Code Execution (RCE) beachhead,” security researcher Vladimir Tokarev, who discovered the flaw, said. “This sandbox escape lets a formula author execute OS commands or run host‑runtime JavaScript, collapsing the boundary between ‘cell logic’ and host execution.”

Cellbreak is categorized as a case of Pyodide sandbox escape, the same kind of vulnerability that also recently impacted n8n (CVE-2025-68668, CVSS score: 9.9, aka N8scape). The vulnerability has been addressed in version 1.7.9, released on January 9, 2026.

“A security review identified a vulnerability in the ‘pyodide’ sandboxing method that is available in Grist,” the project maintainers said. “You can check if you are affected in the sandboxing section of the Admin Panel of your instance. If you see ‘gvisor’ there, then you are not affected. If you see ‘pyodide,’ then it is important to update to this version of Grist or later.”

In a nutshell, the problem is rooted in Grist’s Python formula execution, which allows untrusted formulas to be run inside Pyodide, a Python distribution that enables regular Python code to be executed directly in a web browser within the confines of a WebAssembly (WASM) sandbox.

While the idea behind this thought process is to ensure that Python formula code is run in an isolated environment, the fact that Grist uses a blocklist-style approach makes it possible to escape the sandbox and ultimately achieve command execution on the underlying host.

“The sandbox’s design allows traversal through Python’s class hierarchy and leaves ctypes available, which together open access to Emscripten runtime functions that should never be reachable from a formula cell,” Tokarev explained. “That combination enables host command execution and JavaScript execution in the host runtime, with practical outcomes like filesystem access and secret exposure.”

According to Grist, when a user has set GRIST_SANDBOX_FLAVOR to Pyodide and opens a malicious document, that document could be used to run arbitrary processes on the server hosting Grist. Armed with this capability to execute commands or JavaScript via a formula, an attacker can leverage this behavior to access database credentials and API keys, read sensitive files, and present lateral movement opportunities.

Grist has addressed the problem by moving Pyodide formula execution under the Deno JavaScript runtime by default. However, it’s worth noting that the risk rears its head once again if an operator explicitly chooses to set GRIST_PYODIDE_SKIP_DENO to the value “1.” The setting should be avoided in scenarios where untrusted or semi‑trusted formulas are likely to be run.

Users are recommended to update to the latest version as soon as possible to mitigate potential risks. To temporarily mitigate the issue, it’s advised to set the GRIST_SANDBOX_FLAVOR environment variable to “gvisor.”

“This mirrors the systemic risk found in other automation platforms: a single execution surface with privileged access can collapse organizational trust boundaries when its sandbox fails,” Tokarev said.

“When formula execution relies on a permissive sandbox, a single escape can turn ‘data logic’ into ‘host execution.’ The Grist-Core findings show why sandboxing needs to be capability-based and defense-in-depth, not a fragile blocklist. The cost of failure is not just a bug – it is a data-plane breach.”

The Hacker NewsJan 27, 2026Attack Surface Management / Cyber Risk

Cybersecurity teams increasingly want to move beyond looking at threats and vulnerabilities in isolation. It’s not only about what could go wrong (vulnerabilities) or who might attack (threats), but where they intersect in your actual environment to create real, exploitable exposure.

Which exposures truly matter? Can attackers exploit them? Are our defenses effective?

Continuous Threat Exposure Management (CTEM) can provide a useful approach to the cybersecurity teams in their journey towards unified threat/vulnerability or exposure management.

What CTEM Really Means

CTEM, as defined by Gartner, emphasizes a ‘continuous’ cycle of identifying, prioritizing, and remediating exploitable exposures across your attack surface, which improves your overall security posture as an outcome. It’s not a one-off scan and a result delivered via a tool; it’s an operational model built on five steps:

1. Scoping – assess your threats and vulnerabilities and identify what’s most important: assets, processes, and adversaries.
2. Discovery – Map exposures and attack paths across your environment to anticipate an adversary’s actions.
3. Prioritization – Focus on what attackers can realistically exploit, and what you need to fix.
4. Validation – Test assumptions with safe, controlled attack simulations.
5. Mobilization – Drive remediation and process improvements based on evidence

What is the Real Benefit of CTEM

CTEM shifts the focus to risk-based exposure management, integrating lots of sub-processes and tools like vulnerability assessment, vulnerability management, attack surface management, testing, and simulation. CTEM unifies exposure assessment and exposure validation, with the ultimate objective for security teams to be able to record and report potential impact to cyber risk reduction. Technology or tools have never been an issue; in fact, we have a problem of plenty in the cybersecurity space. At the same time, with more tools, we have created more siloes, and this is exactly what CTEM sets out to challenge – can we unify our view into threats/vulnerabilities/attack surfaces and take action against truly exploitable exposure to reduce overall cyber risk?

For more resources on exposure management, threat intelligence, and validation practices, visit Filigran.

Ravie LakshmananJan 27, 2026Zero-Day / Vulnerability

Microsoft on Monday issued out-of-band security patches for a high-severity Microsoft Office zero-day vulnerability exploited in attacks.

The vulnerability, tracked as CVE-2026-21509, carries a CVSS score of 7.8 out of 10.0. It has been described as a security feature bypass in Microsoft Office.

“Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally,” the tech giant said in an advisory.

“This update addresses a vulnerability that bypasses OLE mitigations in Microsoft 365 and Microsoft Office, which protect users from vulnerable COM/OLE controls.”

Successful exploitation of the flaw relies on an attacker sending a specially crafted Office file and convincing recipients to open it. It also noted that the Preview Pane is not an attack vector.

The Windows maker said customers running Office 2021 and later will be automatically protected via a service-side change, but will be required to restart their Office applications for this to take effect. For those running Office 2016 and 2019, it’s required to install the following updates –

• Microsoft Office 2019 (32-bit edition) – 16.0.10417.20095
• Microsoft Office 2019 (64-bit edition) – 16.0.10417.20095
• Microsoft Office 2016 (32-bit edition) – 16.0.5539.1001
• Microsoft Office 2016 (64-bit edition) – 16.0.5539.1001

As mitigation, the company is urging that customers make a Windows Registry change by following the steps outlined below –

• Take a backup of the Registry
• Exit all Microsoft Office applications
• Start the Registry Editor
• Locate the proper registry subkey –
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftOffice16.0CommonCOM Compatibility for 64-bit MSI Office or 32-bit MSI Office on 32-bit Windows
  • HKEY_LOCAL_MACHINESOFTWAREWOW6432NodeMicrosoftOffice16.0CommonCOM Compatibility for 32-bit MSI Office on 64-bit Windows
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftOfficeClickToRunREGISTRYMACHINESoftwareMicrosoftOffice16.0CommonCOM Compatibility for 64-bit Click2Run Office or 32-bit Click2Run Office on 32-bit Windows
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftOfficeClickToRunREGISTRYMACHINESoftwareWOW6432NodeMicrosoftOffice16.0CommonCOM Compatibility for 32-bit Click2Run Office on 64-bit Windows
• Add a new subkey named {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} by right-clicking the COM Compatibility node and choosing Add Key.
  • Within that subkey, add new value by right-clicking the new subkey and choosing New > DWORD (32-bit) Value
  • Add a REG_DWORD hexadecimal value called ”Compatibility Flags” with a value of 400
• Exit Registry Editor and start the Office application

Microsoft has not shared any details about the nature and the scope of attacks exploiting CVE-2026-21509. It credited the Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), and Office Product Group Security Team for discovering the issue.

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the patches by February 16, 2026.

Ravie LakshmananJan 26, 2026AI Security / Vulnerability

Cybersecurity researchers have discovered two malicious Microsoft Visual Studio Code (VS Code) extensions that are advertised as artificial intelligence (AI)-powered coding assistants, but also harbor covert functionality to siphon developer data to China-based servers.

The extensions, which have 1.5 million combined installs and are still available for download from the official Visual Studio Marketplace, are listed below –

• ChatGPT – 中文版 (ID: whensunset.chatgpt-china) – 1,340,869 installs
• ChatGPT – ChatMoss（CodeMoss）(ID: zhukunpeng.chat-moss) – 151,751 installs

Koi Security said the extensions are functional and work as expected, but they also capture every file being opened and every source code modification to servers located in China without users’ knowledge or consent. The campaign has been codenamed MaliciousCorgi.

“Both contain identical malicious code — the same spyware infrastructure running under different publisher names,” security researcher Tuval Admoni said.

What makes the activity particularly dangerous is that the extensions work exactly as advertised, providing autocomplete suggestions and explaining coding errors, thereby avoiding raising any red flags and lowering the users’ suspicion.

At the same time, the embedded malicious code is designed to read all of the contents of every file being opened, encode it in Base64 format, and send it to a server located in China (“aihao123[.]cn”). The process is triggered for every edit.

The extensions also incorporate a real-time monitoring feature that can be remotely triggered by the server, causing up to 50 files in the workspace to be exfiltrated. Also present in the extension’s web view is a hidden zero-pixel iframe that loads four commercial analytics software development kits (SDKs) to fingerprint the devices and create extensive user profiles.

The four SDKs used are Zhuge.io, GrowingIO, TalkingData, and Baidu Analytics, all of which are major data analytics platforms based in China.

PackageGate Flaws Affect JavaScript Package Managers

The disclosure comes as the supply chain security company said it identified six zero-day vulnerabilities in JavaScript package managers like npm, pnpm, vlt, and Bun that could be exploited to defeat security controls put in place to skip the automatic execution of lifecycle scripts during package installation. The flaws have been collectively named PackageGate.

Defenses such as disabling lifecycle scripts (“–ignore-scripts”) and committing lockfiles (“package-lock.json”) have become crucial mechanisms to confronting supply chain attacks, especially in the aftermath of Shai-Hulud, which leverages postinstall scripts to spread in a worm-like manner to hijack npm tokens and publish malicious versions of the packages to the registry.

However, Koi found that it’s possible to bypass script execution and lockfile integrity checks in the four package managers. Following responsible disclosure, the issues have been addressed in pnpm (version 10.26.0), vlt (version 1.0.0-rc.10), and Bun (version 1.3.5). Pnpm is tracking the two vulnerabilities as CVE-2025-69264 (CVSS score: 8.8) and CVE-2025-69263 (CVSS score: 7.5).

Npm, however, has opted not to fix the vulnerability, stating “users are responsible for vetting the content of packages that they choose to install.” When reached for comment, a GitHub spokesperson told The Hacker News that’s working actively to address the new issue as npm actively scans for malware in the registry.

“If a package being installed through git contains a prepare script, its dependencies and devDependencies will be installed. As we shared when the ticket was filed, this is an intentional design and works as expected,” the company said. “When users install a git dependency, they are trusting the entire contents of that repository, including its configuration files.”

The Microsoft-owned subsidiary has also urged projects to adopt trusted publishing and granular access tokens with enforced two-factor authentication (2FA) to secure the software supply chain. As of September 2025, GitHub has deprecated legacy classic tokens, limited granular tokens with publishing permissions to a shorter expiration, and removed the option to bypass 2FA for local package publishing.

“The standard advice, disable scripts and commit your lockfiles, is still worth following,” security researcher Oren Yomtov said. “But it’s not the complete picture. Until PackageGate is fully addressed, organizations need to make their own informed choices about risk.”

(The story was updated after publication to include a response from GitHub.)

Ravie LakshmananJan 26, 2026Cyber Espionage / Malware

Cybersecurity researchers have discovered an ongoing campaign that’s targeting Indian users with a multi-stage backdoor as part of a suspected cyber espionage campaign.

The activity, per the eSentire Threat Response Unit (TRU), involves using phishing emails impersonating the Income Tax Department of India to trick victims into downloading a malicious archive, ultimately granting the threat actors persistent access to their machines for continuous monitoring and data exfiltration.

The end goal of the sophisticated attack is to deploy a variant of a known banking trojan called Blackmoon (aka KRBanker) and a legitimate enterprise tool called SyncFuture TSM (Terminal Security Management) that’s developed by Nanjing Zhongke Huasai Technology Co., Ltd, a Chinese company. The campaign has not been attributed to any known threat actor or group.

“While marketed as a legitimate enterprise tool, it is repurposed in this campaign as a powerful, all-in-one espionage framework,” eSentire said. “By deploying this system as their final payload, the threat actors establish resilient persistence and gain a rich feature set to monitor victim activity and centrally manage the theft of sensitive information.”

The downloaded shellcode then uses a COM-based technique to bypass the User Account Control (UAC) prompt to gain administrative privileges. It also modifies its own Process Environment Block (PEB) to masquerade as the legitimate Windows “explorer.exe” process to fly under the radar.

On top of that, it retrieves the next stage “180.exe” from the “eaxwwyr[.]cn” domain, a 32-bit Inno Setup installer that adjusts its behavior based on whether the Avast Free Antivirus process (“AvastUI.exe”) is running on the compromised host.

If the security program is detected, the malware uses automated mouse simulation to navigate Avast’s interface and add malicious files to its exclusion list without disabling the antivirus engine to bypass detection. This is achieved by means of a DLL that’s assessed to be a variant of the Blackmoon malware family, which is known for targeting businesses in South Korea, the U.S., and Canada. It first surfaced in September 2015.

The file added to the exclusion list is an executable named “Setup.exe,” which is a utility from SyncFutureTec Company Limited and is designed to write “mysetup.exe” to disk. The latter is assessed to be SyncFuture TSM, a commercial tool with remote monitoring and management (RMM) capabilities.

In abusing a legitimate offering, the threat actors behind the campaign gain the ability to remotely control infected endpoints, record user activities, and exfiltrate data of interest. Also deployed following the execution of the executable are other files –

• Batch scripts that create custom directories and modify their Access Control Lists (ACLs) to grant permissions to all users
• Batch scripts that manipulate user permissions on Desktop folders
• A batch script performs cleanup and restoration operations
• An executable called “MANC.exe” that orchestrates different services and enables extensive logging

“It provides them with the tools to not only steal data but to maintain granular control over the compromised environment, monitor user activity in real-time, and ensure their own persistence,” eSentire said. “By blending anti‑analysis, privilege escalation, DLL sideloading, commercial‑tool repurposing, and security‑software evasion, the threat actor demonstrates both capability and intent.”

Ravie LakshmananJan 26, 2026Malware / Endpoint Security

The North Korean threat actor known as Konni has been observed using PowerShell malware generated using artificial intelligence (AI) tools to target developers and engineering teams in the blockchain sector.

The phishing campaign has targeted Japan, Australia, and India, highlighting the adversary’s expansion of the targeting scope beyond South Korea, Russia, Ukraine, and European nations, Check Point Research said in a technical report published last week.

Active since at least 2014, Konni is primarily known for its targeting of organizations and individuals in South Korea. It’s also tracked as Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia.

In November 2025, the Genians Security Center (GSC) detailed the hacking group’s targeting of Android devices by exploiting Google’s asset tracking service, Find Hub, to remotely reset victim devices and erase personal data from them, signaling a new escalation of their tradecraft.

As recently as this month, Konni has been observed distributing spear-phishing emails containing malicious links that are disguised as harmless advertising URLs associated with Google and Naver’s advertising platforms to bypass security filters and deliver a remote access trojan codenamed EndRAT.

The campaign has been codenamed Operation Poseidon by the GSC, with the attacks impersonating North Korean human rights organizations and financial institutions in South Korea. The attacks are also characterized by the use of improperly secured WordPress websites to distribute malware and for command-and-control (C2) infrastructure.

The email messages have been found to masquerade as financial notices, such as transaction confirmations or wire transfer requests, to trick recipients into downloading ZIP archives hosted on WordPress sites. The ZIP file comes with a Windows shortcut (LNK) that’s designed to execute an AutoIt script disguised as a PDF document. The AutoIt script is a known Konni malware called EndRAT (aka EndClient RAT).

“This attack is analyzed as a case that effectively bypassed email security filtering and user vigilance through a spear-phishing attack vector that exploited the ad click redirection mechanism used within the Google advertising ecosystem,” the South Korean security outfit said.

The latest campaign documented by Check Point leverages ZIP files mimicking project requirements-themed documents and hosted on Discord’s content delivery network (CDN) to unleash a multi-stage attack chain that performs the following sequence of actions. The exact initial access vector used in the attacks is unknown.

• The ZIP archive contains a PDF decoy and an LNK file
• The shortcut file launches an embedded PowerShell loader which extracts two additional files, a Microsoft Word lure document and a CAB archive, and displays as the Word document as a distraction mechanism
• The shortcut file extracts the contents of the CAB archive, which contains a PowerShell Backdoor, two batch scripts, and an executable used for User Account Control (UAC) bypass
• The first batch script is used to prepare the environment, establish persistence using a scheduled task, stage the backdoor and execute it, following which it deletes itself from disk to reduce forensic visibility
• The PowerShell backdoor carries out a string of anti-analysis and sandbox-evasion checks, and then proceeds to profile the system and attempts to elevate privileges using the FodHelper UAC bypass technique
• The backdoor performs cleanup of the previously dropped UAC bypass executable, configures Microsoft Defender exclusion for “C:ProgramData,” and runs the second batch script to replace the previously created scheduled task with a new one that’s capable of running with elevated privileges
• The backdoor proceeds to drop SimpleHelp, a legitimate Remote Monitoring and Management (RMM) tool for persistent remote access, and communicates with a C2 server that’s safeguarded by an encryption gate intended to block non-browser traffic to periodically send host metadata and execute PowerShell code returned by the server

The cybersecurity company said there are indications that the PowerShell backdoor was created with the assistance of an AI tool, citing its modular structure, human-readable documentation, and the presence of source code comments like “# <– your permanent project UUID.”

“Instead of focusing on individual end-users, the campaign goal seems to be to establish a foothold in development environments, where compromise can provide broader downstream access across multiple projects and services,” Check Point said. “The introduction of AI-assisted tooling suggests an effort to accelerate development and standardize code while continuing to rely on proven delivery methods and social engineering.”

The findings coincide with the discovery of multiple North Korea-led campaigns that facilitate remote control and data theft –

• A spear-phishing campaign that uses JavaScript Encoded (JSE) scripts mimicking Hangul Word Processor (HWPX) documents and government-themed decoy files to deploy a Visual Studio Code (VS Code) tunnel to establish remote access
• A phishing campaign that distributes LNK files masquerading as PDF documents to launch a PowerShell script that detects virtual and malware analysis environments and delivers a remote access trojan called MoonPeak
• A set of two cyber attacks, assessed to be conducted by Andariel in 2025, that targeted an unnamed European entity belonging to the legal sector to deliver TigerRAT, as well as compromised a South Korean Enterprise Resource Planning (ERP) software vendor’s update mechanism to distribute three new trojans to downstream victims, including StarshellRAT, JelusRAT, and GopherRAT

According to Finnish cybersecurity company WithSecure, the ERP vendor’s software has been the target of similar supply chain compromises twice in the past – in 2017 and again in 2024 – to deploy malware families like HotCroissant and Xctdoor.

While JelusRAT is written in C++ and supports capabilities to retrieve plugins from the C2 server, StarshellRAT is developed in C# and supports command execution, file upload/download, and screenshot capture. GopherRAT, on the other hand, is based on Golang and features the ability to run commands or binaries, exfiltrate files, and enumerate the file system.

“Their targeting and objectives have varied over time; some campaigns have pursued financial gain, while others have focused on stealing information aligned with the regime’s priority intelligence needs,” WithSecure researcher Mohammad Kazem Hassan Nejad said. “This variability underscores the group’s flexibility and its ability to support broader strategic goals as those priorities change over time.”

The Hacker NewsJan 26, 2026Endpoint Security / Artificial Intelligence

If there’s a constant in cybersecurity, it’s that adversaries are always innovating. The rise of offensive AI is transforming attack strategies and making them harder to detect. Google’s Threat Intelligence Group, recently reported on adversaries using Large Language Models (LLMs) to both conceal code and generate malicious scripts on the fly, letting malware shape-shift in real-time to evade conventional defenses. A deeper look at these novel attacks reveals both unprecedented sophistication and deception.

In November 2025, Anthropic reported on what it described as the first known “AI-orchestrated cyber espionage campaign.” This operation featured AI integrated throughout the stages of attack, from initial access to exfiltration, which was executed largely autonomously by the AI itself.

Another recent trend concerns ClickFix-related attacks using steganography techniques (hiding malware within image files) that slipped past signature-based scans. Skillfully disguised as legitimate software update screens or CAPTCHAs, these attacks deceived users into deploying remote access trojans (RATs), info-stealers, and other malware payloads on their own devices.

Adversaries are also exploiting ways to trigger and then compromise anti-virus (AV) exclusion rules by using a combination of social engineering, attack-in-the-middle, and SIM swapping techniques. Based on research from Microsoft’s threat team from October 2025, the threat actor they call Octo Tempest convinced its victims to disable various security products and automatically delete email notifications. These steps allowed their malware to spread across an enterprise network without tripping endpoint alerts. Actors are also easily deploying dynamic and adaptive tools that specialize in detecting and disabling AV software on endpoints.

All these techniques share a common thread: the ability to evade legacy defenses such as endpoint detection and response (EDR), exposing the limitations of relying solely on EDR. Their success illustrates where EDR, acting alone and without additional defensive measures, can be vulnerable. These are new attacks in every sense of the word, using AI automation and intelligence to subvert digital defenses. This moment signals a fundamental shift in the cyber threat landscape, and it’s rapidly driving a change in defensive strategy.

Network detection and response (NDR) and EDR both bring different protective benefits. EDR, by its nature, is focused on what is happening inside each specific endpoint, whereas NDR continuously monitors the network environment, detecting threats as they traverse the organization. It excels at picking up what EDR does not, identifying behavioral anomalies and deviations from typical network patterns.

In the age of AI-based threats, there is a need for both kinds of systems to work together, especially as these attacks can operate at higher speeds and greater scale. Some EDR systems weren’t designed for the speed and scale of AI-fueled attacks. NDR can pick up these network anomalies and strengthen defenses and gain deeper insights from this network data, leveraging the additional protection this complementary technology can provide.

Compounding the challenge is that today’s attack surface is expanding and growing more complex. Sophisticated threat actors now combine threats that move across a variety of domains, compromising identity, endpoint, cloud and on-premises infrastructure in a lethal mix. This means the corresponding security systems in each of these focus areas need to work together, sharing metadata and other signals, to find and stop these threats. The bad actors hide behind this complexity so as to maximize their reach, increase their blast radius, and provide cover while they use different hacking tools to assume various roles and focus on different intermediate targets.

Blockade Spider, a group active since April 2024, uses these mixed domains for ransomware attacks. After gaining access through finding unmanaged systems, they move laterally across a network, searching for a file collection to encrypt to try to extract a ransom. The full breadth of their approach was discovered by using NDR to obtain visibility into the virtual systems and cloud properties, and then using EDR as soon as the attack moved across the network into managed endpoints.

One of the more infamous variants is what was used in the Volt Typhoon attack observed by Microsoft in 2023. It’s attributed to Chinese state-sponsored actors using living off the land (LoTL) techniques that helped them avoid endpoint detection. Its targets were unmanaged network edge devices, such as SOHO routers and other Internet of Things (IoT) hardware. The actors were able to alter the originating packets to appear to be coming from a cable modem in Texas, rather than a direct link to a Chinese IP address. What gave the game away was the network traffic. While they were successful in avoiding EDR, variations in network traffic volume detected by NDR indicated the originating cable modem traffic was actually hiding something far more nefarious. In this case, NDR served as a security safety net by detecting malicious activity that slipped past EDR systems.

Rising remote work also adds vulnerability. As VPNs have become more widely used to support remote workforces, they pose new opportunities for exploitation. A lack of visibility on remote networks means a compromised endpoint on a trusted connection can introduce damage to the organization’s environment. If an EDR doesn’t detect that a local machine running the VPN is already infected with malware, it can easily spread across an enterprise once the machine connects to the corporate network. Compromised VPNs can also hide lateral network movement that disguises itself amongst typical network operations and management tools. For example, two recent breaches of Salesforce supply chains were accomplished by using AI to harvest OAuth credentials to gain unauthorized access to various customer accounts. NDR can identify weak entry and transit points, helping identify the riskiest areas to fix first, and EDR can share the evidence of a compromised account being used as a pivot point.

These and other exploits highlight the benefits of continuous monitoring with EDR and NDR working in tandem, enabling defenders to spot innovative adversary techniques and respond quickly and decisively to emerging threats. Adversaries will grow more capable as AI evolves, making this combined approach essential for reducing risk and improving your organization’s ability to respond quickly and decisively.

Corelight’s Open NDR Platform enables SOCs to detect novel attack types, including those leveraging AI techniques. Its multi-layered detection approach includes behavioral and anomaly detections that can identify a range of unique and unusual network activity. As adversaries develop new methods of evading EDR systems, security teams that deploy NDR can strengthen their enterprise’s defensive game. Visit corelight.com/elitedefense to learn more.

Ravie LakshmananJan 26, 2026Hacking News / Cybersecurity

Security failures rarely arrive loudly. They slip in through trusted tools, half-fixed problems, and habits people stop questioning. This week’s recap shows that pattern clearly.

Attackers are moving faster than defenses, mixing old tricks with new paths. “Patched” no longer means safe, and every day, software keeps becoming the entry point.

What follows is a set of small but telling signals. Short updates that, together, show how quickly risk is shifting and why details can’t be ignored.

⚡ Threat of the Week

Improperly Patched Flaw Exploited Again in Fortinet Firewalls — Fortinet confirmed that it’s working to completely plug a FortiCloud SSO authentication bypass vulnerability following reports of fresh exploitation activity on fully-patched firewalls. “We have identified a number of cases where the exploit was to a device that had been fully upgraded to the latest release at the time of the attack, which suggested a new attack path,” the company said. The activity has been found to exploit an incomplete patch for CVE-2025-59718 and CVE-2025-59719, which could allow unauthenticated bypass of SSO login authentication via crafted SAML messages if the FortiCloud SSO feature is enabled on affected devices. In the absence of a fix, users are advised to restrict administrative access of edge network devices and turn off FortiCloud SSO logins by disabling the “admin-forticloud-sso-login” setting.

• TikTok Forms New U.S. Entity to Avoid Federal Ban — TikTok officially announced that it formed a joint venture that will allow the hugely popular video-sharing application to continue operating in the U.S. The new venture, named TikTok USDS Joint Venture LLC, has been established in compliance with the Executive Order signed by U.S. President Donald Trump in September 2025, the platform said. The new deal will see TikTok’s Chinese parent company, ByteDance, selling the majority of its stake to a group of majority-American investors, while it will retain a 19.9% stake in the business. The Chinese government hasn’t commented publicly on the agreement. The deal ends years of regulatory uncertainty that began in August 2020, when President Trump announced plans to ban the app, citing national security concerns.
• VoidLink Generated Almost Entirely Using AI — VoidLink, the recently discovered Linux malware which targets Linux-based cloud servers, was likely generated almost entirely by artificial intelligence (AI), signaling a significant evolution in the use of the technology to develop advanced malware. What was significant in alerting researchers to AI involvement in building VoidLink was a development plan that accompanied the project and was accidentally left exposed by its author. The developer also utilized regular checkpoints to ensure that the model was developing as instructed and that the code worked. The result was a malware which the researchers who first detailed VoidLink described as “sophisticated, modern and feature-rich.” The discovery is a watershed moment for malware development, underscoring a shift in how AI can be used to design advanced malicious programs. “The security community has long anticipated that AI would be a force multiplier for malicious actors. Until now, however, the clearest evidence of AI-driven activity has largely surfaced in lower-sophistication operations, often tied to less experienced threat actors, and has not meaningfully raised the risk beyond regular attacks,” Check Point said. “VoidLink shifts that baseline: its level of sophistication shows that when AI is in the hands of capable developers, it can materially amplify both the speed and the scale at which serious offensive capability can be produced.” From a defensive point of view, the use of AI also complicates attribution, as the generated code removes a lot of usual clues and makes it harder to determine who’s really behind an attack.
• Critical GNU InetUtils telnetd Flaw Detailed — A critical security flaw has been disclosed in the GNU InetUtils telnet daemon (telnetd) that went unnoticed for nearly 11 years. The vulnerability, tracked as CVE-2026-24061 (CVSS score: 9.8), affects all versions of GNU InetUtils from version 1.9.3 up to and including version 2.7. The vulnerability was introduced as part of a code change in March 2015. The flaw allows an attacker to establish a Telnet session without providing valid credentials, granting unauthorized access to the target system. SafeBreach Labs, in a root cause analysis of CVE-2026-24061, described it as easy to exploit and that an attacker can supply a “-f” flag for the “/usr/bin/login” executable, effectively skipping the interactive authentication and giving them a root shell. It has also released a public proof-of-concept (PoC) exploit for the flaw.
• Vishing Attacks Target Identity Providers — Threat actors who specialize in voice phishing (aka vishing) have started using bespoke phishing kits that can intercept targets’ login credentials while also allowing attackers to control the authentication flow in a targeted user’s browser in real-time. “Where threat actors could once pay for access to a kit with basic features that targeted all popular Identity Providers (Google, Microsoft Entra, Okta, etc.) and cryptocurrency platforms, a new generation of fraudsters are attempting to sell access to bespoke panels for each targeted service,” Okta said. The ShinyHunters extortion gang has claimed responsibility for some of the attacks, Bleeping Computer reported.
• CrashFix Crashes Browsers to Deliver Malware — A malvertising campaign is using a fake ad-blocking Chrome and Edge extension named NexShield that intentionally crashes the browser as a precursor to ClickFix attacks. Unlike typical ClickFix schemes that use non-existent security alerts or CAPTCHAs to lure users into executing malicious commands, the new CrashFix variant leverages a malicious extension that first intentionally crashes the victim’s browser and then delivers a fraudulent fix. When the browser is restarted, the extension displays a deceptive pop-up that shows a fake warning and suggests scanning the system to identify the problem. Doing so opens a new window with a bogus warning about detected security issues, along with instructions on how to fix the problem, which involve executing malicious commands in the Windows Run prompt, in a typical ClickFix fashion. While the extension has since been removed, the attacks are designed to deliver a new Python-based remote access tool called ModeloRAT. The findings show that browser extensions are a high-risk attack vector for enterprises, allowing threat actors to bypass traditional security controls and gain a foothold on corporate endpoints.
• Contagious Interview Evolves to Deliver Backdoor via VS Code — The North Korean threat actors behind the Contagious Interview campaign are employing a new mechanism that uses Microsoft Visual Studio Code (VS Code) to deliver a previously unseen backdoor that enables remote code execution on developer systems. The attack chain starts when targets are asked to clone and open malicious repositories hosted on GitHub, GitLab, or Bitbucket, typically framed as part of a technical assignment or code review exercise related to the hiring process. “The most important facilitator for this attack vector is the configuration’s runOptions property, which supports a runOn value of folderOpen, causing the defined task to execute automatically when a workspace is opened,” Abstract Security said. “Contagious Interview actors exploit this by including malicious shell commands in tasks.json files. When a victim clones a repository to their local machine and opens it in VS Code, the malicious task executes and kicks off the infection chain leading to malware installation.” The malicious payloads are mostly hosted on Vercel domains, but other domains like vscodeconfig[.]com and vscode-load.onrender[.]com have also been identified. In at least one case, the “tasks.json” file is used to install a malicious npm package named “jsonwebauth.” Contagious Interview has been active since 2022, primarily targeting software developers and IT professionals, especially in the blockchain and cryptocurrency sectors. As many as 3,136 individual IP addresses linked to likely targets of the Contagious Interview activity have been identified between August 2024 and September 2025, most of which are concentrated around South Asia and North America.

‎️‍🔥 Trending CVEs

Hackers act fast. They can use new bugs within hours. One missed update can cause a big breach. Here are this week’s most serious security flaws. Check them, fix what matters first, and stay protected.

This week’s list includes — CVE-2026-24061 (GNU InetUtils telnetd), CVE-2026-23760 (SmarterMail), CVE-2026-20045 (Cisco Unified Communications and Webex Calling Dedicated Instance), CVE-2026-22218, CVE-2026-22219 (Chainlit), CVE-2026-1245 (binary-parser), CVE-2025-68143, CVE-2025-68144, CVE-2025-68145 (Anthropic mcp-server-git), CVE-2026-22844 (Zoom), CVE-2025-13927, CVE-2025-13928, CVE-2026-0723 (GitLab CE/EE), CVE-2026-0629 (TP-Link), CVE-2025-49758 (Microsoft SQL Server), CVE-2025-47179 (Microsoft Configuration Manager), CVE-2025-60021 (Apache bRPC), CVE-2025-61937, CVE-2025-64691, CVE-2025-61943, CVE-2025-65118 (AVEVA Process Optimization), CVE-2025-14369 (dr_flac), CVE-2026-0828 (Safetica ProcessMonitorDriver.sys), CVE-2026-0685 (Genshi template engine), CVE-2025-68675 (Apache Airflow), CVE-2025-14533 (Advanced Custom Fields: Extended plugin), CVE-2025-13151 (GNU libtasn1), CVE-2026-0622 (Open5GS WebUI component), CVE-2025-65586 (libheif), CVE-2025-33206 (NVIDIA NSIGHT Graphics for Linux), CVE-2026-1220 (Google Chrome), CVE-2025-66516, CVE-2026-21962, CVE-2025-66516, CVE-2025-54988, CVE-2025-4949, CVE-2025-54874, CVE-2025-49796, CVE-2025-23048 (Oracle), CVE-2026-23744 (@mcpjam/inspector), CVE-2025-13878 (ISC BIND 9), CVE-2025-12383 (Atlassian Bamboo Data Center and Server), CVE-2025-66516 (Atlassian Confluence Data Center and Server), CVE-2026-22755 (Vivotek legacy camera models), CVE-2026-22794 (AppSmith), CVE-2025-67968 (RealHomes CRM plugin), CVE-2026-23594 (HPE Alletra 6000, Alletra 5000 and Nimble Storage), CVE-2026-0920 (LA-Studio Element Kit for Elementor plugin), and CVE-2026-22200 (osTicket).

📰 Around the Cyber World

• 1Password Adds Warnings for Phishing Sites — Password manager 1Password has added a new security feature that warns users when they’re on a phishing or spoofed site, and they’re prompted to enter their credentials. “When a 1Password user clicks a link where the URL doesn’t match their saved login, 1Password won’t autofill their credentials,” it said. “When a user attempts to paste their credentials, the 1Password browser extension displays a pop-up warning, prompting them to pause and exercise caution before proceeding.”
• Malicious Chrome Extensions Steal OpenAI API Keys and User Prompts — A malicious Google Chrome extension named H-Chat Assistant (ID: dcbcnpnaccfjoikaofjgcipcfbmfkpmj) with over 10,000 users has been found to steal users’ OpenAI API keys at scale. It’s estimated to have exfiltrated at least 459 unique API keys to an attacker-controlled Telegram channel. “Once the extension is installed, users are prompted to add an OpenAI API key to interface with the chatbot,” Obsidian Security said. “The API key exfiltration occurs once a user deletes a chat or chooses to log out of the application.” While the extension works as advertised, compromised keys could enable unauthorized access to affected users’ OpenAI instances. The extension is still available for download as of writing. Obsidian Security said it has since uncovered dozens of Chrome extensions that are sending user prompts and other data to third-party/external servers. “Several of the extensions impersonate ChatGPT, creating a false sense of trust that conversations and data are only being transmitted to OpenAI,” it added.
• PasteReady Extension Pushes Malware After Purchase — In more extension-related news, the PasteReady browser extension has been used to push malware after it was put up for sale. Secure Annex’s John Tuckner said the PasteReady was made available for sale on extensionhub[.]io May 7, 2025, and the ownership transfer happened on December 27, 2025. “Version 3.4 with malware was pushed December 30, 2025,” Tuckner said in a post on X. “It was removed from the Chrome Web Store for malware January 14, 2026.”
• Microsoft Complies with Court Order to Hand Over a BitLocker Encryption Key in Fraud Case — Microsoft gave the U.S. Federal Bureau of Investigation (FBI) BitLocker keys to unlock encrypted data stored on three laptops of Windows users charged in a fraud indictment, Forbes reported. The development marks the first publicly known instance of Microsoft providing BitLocker keys. Microsoft backs up BitLocker keys to its servers when the service is set up from an active Microsoft account. While Microsoft does offer the ability to stash the keys elsewhere, such as a file or to a USB flash drive, customers are encouraged to store it on its cloud for easy key recovery. The company has since confirmed that it provides BitLocker recovery keys for encrypted data if it receives a valid legal order and the user has stored the keys on its servers, and that it’s legally required to produce the keys stored on its servers. Apple also provides a similar service, but with two tiers: Standard data protection and Advanced Data Protection for iCloud. According to Microsoft’s most recent Government Requests for Customer Data Report, covering July 2024 through December 2024, the company received a total of 128 requests from law enforcement organizations around the world. Of these, only four of them, three in Brazil and one in Canada, led to the disclosure of content.
• Ilya Lichtenstein Wants a Cybersecurity Job — Ilya Lichtenstein, who was behind the massive hack of cryptocurrency exchange Bitfinex in 2016, said he has changed his ways. “Ten years ago, I decided that I would hack the largest cryptocurrency exchange in the world,” Lichtenstein wrote on LinkedIn. “This was a terrible idea. It was the worst thing I had ever done,” he added. “It upended my life, the lives of people close to me, and affected thousands of users of the exchange. I know I disappointed a lot of people who believed in me and grossly misused my talents.” Lichtenstein was arrested in 2022 for the hack, and was released to home confinement earlier this month after serving nearly four years in prison. In the post, Lichtenstein said he has “always been motivated by technical challenges rather than material wealth” and that mathematics became his “escape from the hard realities of the prison world.” Lichtenstein concluded by saying he wants to work in cybersecurity. “I think like an adversary,” he said. “I’ve been an adversary. Now I can use those same skills to stop the next billion-dollar hack.”
• Anthropic Details Assistant Axis — AI company Anthropic has detailed what it describes as the “Assistant Axis,” a pattern of neural activity in large language models that governs their default identity and helpful behavior. The axis is believed to be created during post-training, when models are taught to play the role of an “Assistant,” or it’s likely that it already exists in pre-trained models. “By monitoring models’ activity along this axis, we can detect when they begin to drift away from the Assistant and toward another character,” Anthropic said. “And by constraining their neural activity (‘activation capping’) to prevent this drift, we can stabilize model behavior in situations that would otherwise lead to harmful outputs.”
• China Blames Taiwan for 1000s of Cyber Attacks — The Chinese government said it investigated nearly 4,000 cyber attacks in 2025 that originated from Taiwan. The figure represents a 25% increase year-over-year. The attacks sought to steal classified information from critical mainland sectors, including transportation, finance, science and technology, and energy. Some of the operations were allegedly carried out by the Taiwanese military.
• Romania Dismantles Murder-for-Hire Operation — Romanian authorities dismantled an organized criminal group that operated a murder-for-hire operation. The group ran a website that allowed anonymous users to pay for assassinations using cryptocurrencies through an escrow system. Authorities executed three search warrants in the municipalities of Bucharest and Râmnicu Vâlcea and questioned two individuals behind the scheme. They also seized more than $750,000 in digital assets and cash worth 292,890 lei, $650,000, and €48,600 from their homes.
• Ireland Proposes New Law Allowing Police to Use Spyware — The Irish government plans to draft legislation that would make it legal for law enforcement to use spyware. The Minister for Justice, Home Affairs and Migration, Jim O’Callaghan, said the government has approved proposals for an “updated and comprehensive legal framework for lawful interception” that will also “include robust legal safeguards to provide continued assurance that the use of such powers is necessary and proportionate.” The ministry also noted there is an urgent need for a new legal framework for lawful interception to counter serious crime and security threats.
• Microsoft Emerges as the Most Impersonated Brand in Q4 2025 — Microsoft has emerged as the most commonly impersonated brand in phishing attacks during the fourth quarter of 2025. Microsoft was followed by Facebook, Roblox, McAfee, Steam, AT&T, Amazon, Google, Yahoo, and Coinbase. “Scammers ramped up brand impersonation attacks throughout Q4 2025, timing their campaigns around when people are busiest online, shopping for deals, renewing subscriptions, or looking for jobs,” Guardio said. “Attackers weaponize brand recognition, betting that a Microsoft billing alert or Facebook security notification will bypass skepticism when it arrives during year-end account reviews, holiday coordination chaos, or gift card purchase rushes.”
• Germany Expels Russian Diplomat Accused of Spying — Germany expelled a Russian diplomat accused of spying, further escalating geopolitical tensions between Berlin and Moscow over intelligence activity linked to the war in Ukraine. “We do not accept espionage in Germany – and particularly not under the cover of diplomatic status. We summoned the Russian Ambassador to the Federal Foreign Office today and informed him that the individual who spied on behalf of Russia is to be expelled,” the German Foreign Office said. German outlet Der Spiegel and Russian independent media organization The Insider identified the expelled diplomat as Andrei Mayorov, Russia’s deputy military attache in Germany. Mayorov reportedly holds the rank of colonel in Russia’s military intelligence agency, the GRU. He is alleged to have acted as the handler for Ilona Kopylova, a dual Ukrainian-German citizen who was arrested in Berlin on suspicion of spying for Russia.
• Bad Actors Hijack Snap Publisher Domains for Malware Delivery — Scammers are hijacking legitimate Canonical Snap Store publisher accounts by registering expired domains associated with those accounts to trigger password resets. Once in control, these attackers push malicious updates to established, trustworthy applications to deploy cryptocurrency wallet-draining malware. The domain resurrection attack has hijacked accounts associated with two Linux packages storewise.tech and vagueentertainment.com. The threat actors behind this campaign are believed to be located in Croatia.
• Handala Group Uses Starlink For Attacks — The Iranian hacktivist group known as Handala has been observed carrying out attacks via Starlink connections. According to Check Point, activity from the group ceased when the Iranian regime cut off the internet across the country, but has since resumed as of January 17, 2026, from Starlink IP ranges and hitting targets across the Middle East.

• 884 Flaw Exploited for the First Time in 2025 — As many as 884 vulnerabilities were exploited for the first time in 2025, up from 768 CVEs in 2024. According to vulnerability management company VulnCheck, 28.96% of Known Exploited Vulnerabilities (KEVs) were weaponized on or before the day their CVE was published, an increase from the 23.6% observed in 2024. Network edge devices, including firewalls, VPNs, and proxies, were the most frequently targeted technologies, followed by content management systems and open source software. “This reinforces the urgency for organizations to act quickly on newly disclosed vulnerabilities while continuing to reduce long-standing vulnerability backlogs,” VulnCheck said.
• 2 Venezuelans Convicted in U.S. for Using Malware to Hack ATMs — Two Venezuelan nationals, Luz Granados, 34, and Johan Gonzalez-Jimenez, 40, are set to be deported after being convicted of conspiracy and computer crimes in an ATM jackpotting scheme. “Jimenez and Granados targeted older model Automated Teller Machines (ATM) throughout the southeastern United States to steal money after business hours,” the U.S. Justice Department said. “The defendants would approach an ATM at nighttime and remove the outer casing of the machine and then connect a laptop computer to install malware that overcame the ATM’s security protocols. Once installed, the ATMs dispersed cash to the perpetrators until the ATM’s funds are exhausted.” Granados has been sentenced to time served and has been ordered to pay $126,340 in restitution. Gonzalez-Jimenez was sentenced to 18 months in federal prison and was ordered to pay $285,100 in restitution.
• Russian National Pleads Guilty to Ransomware Spree — A Russian national has pleaded guilty to leading the Zeppelin ransomware group that targeted at least 50 victims during a four-year period ending between May 2018 and August 2022. Ianis Aleksandrovich Antropenko faces up to 25 years in jail and fines up to $750,000, CyberScoop reported. He has also been ordered to pay restitution to his victims and forfeit property, CyberScoop reported. In August 2025, the U.S. Justice Department unsealed six warrants authorizing the seizure of over $2.8 million in cryptocurrency, $70,000 in cash, and a luxury vehicle. The cryptocurrency was seized from a wallet controlled by Antropenko.
• Critical Security Flaws in OpenKM — Multiple zero-day vulnerabilities have been disclosed in OpenKM that could result in remote code execution, unrestricted SQL execution, and file disclosure. The flaws remain unpatched, according to Terra System Labs. “The discovered issues allow a single authenticated administrator to fully compromise the OpenKM server, backend database, and sensitive stored documents,” the Indian cybersecurity company said. “The findings highlight systemic security design weaknesses in trusted administrative interfaces and demonstrate how these flaws can be chained to achieve complete system takeover.”
• Command Injection Flaw in Vivotek Legacy Firmware — Akamai has disclosed details of a new vulnerability within Vivotek legacy firmware that allows remote users to inject arbitrary code into the filename supplied to upload_map.cgi. The security issue has been assigned the CVE identifier CVE-2026-22755 (CVSS score: 9.3). “This exploit affects a wide range of legacy older camera models, allowing attackers to execute malicious commands as the root user without requiring authentication,” security researcher Larry Cashdollar said. “It enables attackers to upload files with filenames that, when processed by the server, execute system commands and result in root access.”
• Mamba PhaaS Kit Detailed — Cybersecurity researchers have shed light on a phishing-as-a-service (PhaaS) kit named Mamba that first emerged in 2023 coinciding with the emergency of adversary-in-the-middle (AiTM) phishing. “Campaigns associated with Mamba phishing operations are most commonly delivered through email-based lures designed to drive the victim directly to the phishing URL,” CYFIRMA said. “These lures typically impersonate routine business or security-related communications to create urgency and legitimacy. Mamba’s design reflects a growing reliance on service-based phishing tooling, where operational efficiency and repeatability are prioritized over bespoke attack development.”
• New Stanley Kit Guarantees Chrome Web Store Approval — A threat actor is selling access to a toolkit dubbed Stanley that can build malicious Chrome extensions that pass the Web Store verification process. “For $2,000 to $6,000, Stanley provides a turnkey website-spoofing operation disguised as a Chrome extension, with its premium tier promising guaranteed publication on the Chrome Web Store,” Varonis researcher Daniel Kelley said. The toolkit is being sold on a Russian-speaking hacking forum for prices ranging from $2,000 to $6,000. It comes with a C2 panel that allows customers to target individual infections for specific actions. “Once a target is selected, attackers configure URL hijacking rules specific to that user,” Varonis said. “Beyond passive hijacking, operators can actively lure users to targeted pages through real-time notification delivery. The notifications come from Chrome itself, not a website, so they carry more implicit trust.”
• EmEditor Supply Chain Compromise Analyzed — The December 2025 supply chain attack targeting EmEditor allowed unknown threat actors to distribute a multi-stage malware capable of credential theft, data exfiltration, and follow-on intrusion through lateral movement, while also taking steps to evade detection by disabling event tracing for Windows. “EmEditor has longstanding recognition within Japanese developer communities as a recommended Windows-based editor,” Trend Micro said. “This suggests that the attackers are targeting this specific user base, or that they have a particular target among EmEditor users and used the compromised download page as a delivery mechanism.” The malware has been found to exclude systems located in Armenia, Belarus, Georgia, Kazakhstan, and Kyrgyzstan, suggesting that they could be of Russian origin or from the Commonwealth of Independent States (CIS).
• Abusing Azure Private Link to Access Azure Resources — New research has found that certain configurations of Microsoft Azure’s Private Endpoint architecture could be exploited to stage denial-of-service (DoS) attacks against Azure resources. Palo Alto Networks Unit 42 said over 5% of Azure storage accounts currently operate with configurations that are subject to this DoS issue. “For example, denying service to storage accounts could cause Azure Functions within FunctionApps and subsequent updates to these apps to fail,” the cybersecurity company said. “In another scenario, the risk could lead to DoS to Key Vaults, resulting in a ripple effect on processes that depend on secrets within the vault.” To counter the attacks, it’s advised to enable fallback to public DNS resolution and manually add DNS records for affected resources.

🎥 Cybersecurity Webinars

• Cloud Forensics Is Broken. This Is What Works Now → Cloud attacks move fast and often leave little evidence behind. This webinar explains how modern cloud forensics uses host-level data and AI to help security teams understand what happened, how it happened, and respond faster in today’s cloud environments.
• How to Build a Smarter SOC Without Adding More Tools → Security teams are stretched thin, with too many tools and too little clarity. This webinar breaks down how modern SOCs really work, focusing on practical choices around what to build, buy, and automate—without hype. It’s for teams looking to make smarter decisions with the tools and resources they already have.
• When Today’s Encryption Won’t Be Enough Tomorrow → Quantum computing is moving from theory to reality, and it will change how data security works. Information that is encrypted today may be broken in the future using more powerful systems. This webinar helps security leaders understand what that risk means in practical terms and how to start preparing now, using clear, real-world approaches that protect data without disrupting existing systems.

🔧 Cybersecurity Tools

• NetAlertX – It is a simple tool that helps you see what devices are connected to your network. It keeps a live list of computers, phones, servers, and other hardware, and shows when something new appears or changes. This makes it useful for spotting unknown devices, tracking assets, and staying aware of what’s happening across your network without using heavy or complex security tools.
• RzWeb – It is a simple way to look inside software files without installing any tools. It runs fully in your web browser, so you can open a file and start examining how it works right away. Everything happens on your own machine, which makes it useful for quick checks, learning, or analysis when you don’t want to set up a full reverse-engineering environment.

Disclaimer: These tools are for learning and research only and have not been fully security-tested. Review the code carefully, use it only in safe environments, and follow all applicable rules and laws.

Conclusion

This edition makes one thing clear: risk now sits in everyday tools and normal choices. Small gaps are all it takes.

None of these stories stands alone. They point to a wider pattern where speed matters and delays cost real damage. Treat this list as a snapshot. The details will change. The pressure will not.