Tag: Cyber Threats

  • Apple Fixes Exploited Zero-Day Affecting iOS, macOS, and Apple Devices

    Ravie Lakshmanan | Feb 12, 2026 | Zero-Day / Vulnerability

    Apple on Wednesday released iOS, iPadOS, macOS Tahoe, tvOS, watchOS, and visionOS updates to address a zero-day flaw that it said has been exploited in sophisticated cyber attacks.

    The vulnerability, tracked as CVE-2026-20700 (CVSS score: N/A), has been described as a memory corruption issue in dyld, Apple’s Dynamic Link Editor. Successful exploitation of the vulnerability could allow an attacker with memory write capability to execute arbitrary code on susceptible devices. Google Threat Analysis Group (TAG) has been credited with discovering and reporting the bug.

    “Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26,” the company said in an advisory. “CVE-2025-14174 and CVE-2025-43529 were also issued in response to this report.”

    It’s worth noting that both CVE-2025-14174 and CVE-2025-43529 were addressed by Cupertino in December 2025, with the former first disclosed by Google as having been exploited in the wild. CVE-2025-14174 (CVSS score: 8.8) relates to an out-of-bounds memory access in ANGLE’s Metal renderer component. Metal is a high-performance hardware-accelerated graphics and compute API developed by Apple.

    CVE-2025-43529 (CVSS score: 8.8), on the other hand, is a use-after-free vulnerability in WebKit that may lead to arbitrary code execution when processing maliciously crafted web content.

    The updates are available for the following devices and operating systems –

    • iOS 26.3 and iPadOS 26.3 – iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
    • macOS Tahoe 26.3 – Macs running macOS Tahoe
    • tvOS 26.3 – Apple TV HD and Apple TV 4K (all models)
    • watchOS 26.3 – Apple Watch Series 6 and later
    • visionOS 26.3 – Apple Vision Pro (all models)

    In addition, Apple has also released updates to resolve various vulnerabilities in older versions of iOS, iPadOS, macOS, and Safari –

    With the latest development, Apple has moved to address its first actively exploited zero-day in 2026. Last year, the company patched nine zero-day vulnerabilities that were exploited in the wild.


    Source: thehackernews.com…

  • 83% of Ivanti EPMM Exploits Linked to Single IP on Bulletproof Hosting Infrastructure

    Ravie Lakshmanan | Feb 12, 2026 | Vulnerability / Network Security

    A significant chunk of the exploitation attempts targeting a newly disclosed security flaw in Ivanti Endpoint Manager Mobile (EPMM) can be traced back to a single IP address on bulletproof hosting infrastructure offered by PROSPERO.

    Threat intelligence firm GreyNoise said it recorded 417 exploitation sessions from 8 unique source IP addresses between February 1 and 9, 2026. An estimated 346 exploitation sessions have originated from 193.24.123[.]42, accounting for 83% of all attempts.

    The malicious activity is designed to exploit CVE-2026-1281 (CVSS score: 9.8), one of two critical security vulnerabilities in EPMM (the other being CVE-2026-1340) that an attacker could exploit to achieve unauthenticated remote code execution. Late last month, Ivanti acknowledged it’s aware of a “very limited number of customers” who were impacted following zero-day exploitation of the issues.

    Since then, multiple European agencies, including the Netherlands’ Dutch Data Protection Authority (AP), Council for the Judiciary, the European Commission, and Finland’s Valtori, have disclosed that they were targeted by unknown threat actors using the vulnerabilities.

    Further analysis has revealed that the same host has been simultaneously exploiting three other CVEs across unrelated software –

    “The IP rotates through 300+ unique user agent strings spanning Chrome, Firefox, Safari, and multiple operating system variants,” GreyNoise said. “This fingerprint diversity, combined with concurrent exploitation of four unrelated software products, is consistent with automated tooling.”

    It’s worth noting that PROSPERO is assessed to be linked to another autonomous system called Proton66, which has a history of distributing desktop and Android malware like GootLoader, Matanbuchus, SpyNote, Coper (aka Octo), and SocGholish.

    GreyNoise also pointed out that 85% of the exploitation sessions beaconed home via the domain name system (DNS) to confirm “this target is exploitable” without deploying any malware or exfiltrating data.

    The disclosure comes days after Defused Cyber reported a “sleeper shell” campaign that deployed a dormant in-memory Java class loader to compromised EPMM instances at the path “/mifs/403.jsp.” The cybersecurity company said the activity is indicative of initial access broker tradecraft, where threat actors establish a foothold to sell or hand off access later for financial gain.

    “That pattern is significant,” it noted. “OAST [out-of-band application security testing] callbacks indicate the campaign is cataloging which targets are vulnerable rather than deploying payloads immediately. This is consistent with initial access operations that verify exploitability first and deploy follow-on tooling later.”

    Ivanti EPMM users are recommended to apply the patches, audit internet-facing Mobile Device Management (MDM) infrastructure, review DNS logs for OAST-pattern callbacks, monitor for requests to the /mifs/403.jsp path on EPMM instances, and block PROSPERO’s autonomous system (AS200593) at the network perimeter.
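    The three log-side checks in that recommendation (the sleeper-shell path, the single source IP and its ASN, and OAST-style DNS callbacks) can be scripted. The following is an added example, not code from GreyNoise, Defused Cyber or Ivanti: it runs offline over constructed access-log and resolver-log lines and a constructed IP-to-ASN table; only the IP 193.24.123.42, the path /mifs/403.jsp and AS200593 come from the article, and the oast.example suffix is a placeholder for whichever OAST service a real callback uses.

```python
"""Offline triage of EPMM web and DNS logs against the indicators above.

Added example, not code from GreyNoise, Defused Cyber or The Hacker News.
The log lines, internal client IPs, ASN table and the oast.example domain
are constructed; only 193.24.123.42, /mifs/403.jsp and AS200593 are from
the article.
"""
import math
import re
from collections import Counter, defaultdict

KNOWN_BAD_IPS = {"193.24.123.42"}      # 83% of sessions in GreyNoise's data
SLEEPER_SHELL_PATH = "/mifs/403.jsp"    # Defused Cyber's sleeper-shell path
BLOCKED_ASNS = {"AS200593"}             # PROSPERO

# Well-known public OAST / interactsh / Collaborator suffixes, plus the
# constructed oast.example used by the sample log below.
OAST_SUFFIXES = ("oast.fun", "oast.pro", "oast.me", "oast.live", "oast.site",
                 "oast.online", "interact.sh", "oastify.com",
                 "burpcollaborator.net", "oast.example")

# Constructed Apache "combined" access log from an EPMM appliance.
WEB_LOG = """\
203.0.113.7 - - [08/Feb/2026:10:01:12 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/121.0"
193.24.123.42 - - [08/Feb/2026:10:02:44 +0000] "POST /mifs/403.jsp HTTP/1.1" 200 18 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/122.0"
193.24.123.42 - - [08/Feb/2026:10:02:45 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 18 "-" "Mozilla/5.0 (Macintosh) Safari/605.1.15"
193.24.123.42 - - [08/Feb/2026:10:02:46 +0000] "GET /mifs/admin/ HTTP/1.1" 403 0 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/99.0"
198.51.100.9 - - [08/Feb/2026:10:05:00 +0000] "GET /mifs/c/index.html HTTP/1.1" 200 900 "-" "Mozilla/5.0 (iPhone) Safari/604.1"
"""

# Constructed resolver log: timestamp, internal client, queried name.
DNS_LOG = """\
2026-02-08T10:02:44Z 10.10.5.20 a3f9c1e2.oast.example
2026-02-08T10:02:50Z 10.10.5.21 updates.ivanti.com
2026-02-08T10:03:10Z 10.10.5.20 7b2d-epmm01.callback.oast.example
2026-02-08T10:04:00Z 10.10.5.22 www.example.org
"""

# Stand-in for a real IP-to-ASN lookup (Team Cymru, MaxMind, pyasn, ...).
IP_TO_ASN = {"193.24.123.42": "AS200593", "203.0.113.7": "AS64496",
             "198.51.100.9": "AS64497"}

WEB_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_web_log(text):
    """Return one dict per well-formed access-log line."""
    return [m.groupdict() for m in map(WEB_RE.match, text.splitlines()) if m]


def triage_web(entries, ip_to_asn):
    """Apply the path, known-IP and ASN checks; also measure UA churn per IP."""
    findings = []
    uas = defaultdict(set)
    for e in entries:
        uas[e["ip"]].add(e["ua"])
        path = e["path"].split("?", 1)[0]
        if path == SLEEPER_SHELL_PATH:
            findings.append(("sleeper_shell_path", e["ip"], f'{e["method"]} {path} -> {e["status"]}'))
        if e["ip"] in KNOWN_BAD_IPS:
            findings.append(("known_bad_ip", e["ip"], path))
        if ip_to_asn.get(e["ip"]) in BLOCKED_ASNS:
            findings.append(("blocked_asn", e["ip"], ip_to_asn[e["ip"]]))
    # GreyNoise saw 300+ user agents from one IP: many distinct UAs from a
    # single source in a short window is the automation tell worth alerting on.
    ua_diversity = {ip: len(s) for ip, s in uas.items()}
    return findings, ua_diversity


def _entropy(label):
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())


def looks_like_oast(qname):
    """Known OAST suffix, or a long high-entropy leftmost label (noisy hunting heuristic)."""
    q = qname.lower().rstrip(".")
    if any(q == s or q.endswith("." + s) for s in OAST_SUFFIXES):
        return True
    label = q.split(".", 1)[0]
    return len(label) >= 12 and _entropy(label) > 3.2


def triage_dns(text):
    """Return (client, qname) for queries that look like OAST callbacks."""
    hits = []
    for line in text.splitlines():
        _ts, client, qname = line.split()
        if looks_like_oast(qname):
            hits.append((client, qname))
    return hits


def run():
    findings, ua_div = triage_web(parse_web_log(WEB_LOG), IP_TO_ASN)
    return {"web": findings, "ua_diversity": ua_div, "dns": triage_dns(DNS_LOG)}


if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```

    A DNS hit from the appliance's own address with no matching malware drop is exactly the "verify exploitability first" pattern Defused Cyber describes, so treat it as a compromise indicator rather than a scanner footprint.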

    “EPMM compromise provides access to device management infrastructure for entire organizations, creating a lateral movement platform that bypasses traditional network segmentation,” GreyNoise said. “Organizations with internet-facing MDM, VPN concentrators, or other remote access infrastructure should operate under the assumption that critical vulnerabilities face exploitation within hours of disclosure.”


    Source: thehackernews.com…

  • SSHStalker Botnet Uses IRC C2 to Control Linux Systems via Legacy Kernel Exploits

    Ravie Lakshmanan | Feb 11, 2026 | Linux / Botnet

    Cybersecurity researchers have disclosed details of a new botnet operation called SSHStalker that relies on the Internet Relay Chat (IRC) communication protocol for command-and-control (C2) purposes.

    “The toolset blends stealth helpers with legacy-era Linux exploitation: Alongside log cleaners (utmp/wtmp/lastlog tampering) and rootkit-class artifacts, the actor keeps a large back-catalog of Linux 2.6.x-era exploits (2009–2010 CVEs),” cybersecurity company Flare said. “These are low value against modern stacks, but remain effective against ‘forgotten’ infrastructure and long-tail legacy environments.”

    SSHStalker combines IRC botnet mechanics with an automated mass-compromise operation that uses an SSH scanner and other readily available scanners to co-opt susceptible systems into a network and enroll them in IRC channels.

    However, unlike other campaigns that typically leverage such botnets for opportunistic efforts like distributed denial-of-service (DDoS) attacks, proxyjacking, or cryptocurrency mining, SSHStalker has been found to maintain persistent access without any follow-on post-exploitation behavior.

    This dormant behavior sets it apart, raising the possibility that the compromised infrastructure is being used for staging, testing, or strategic access retention for future use.

    A core component of SSHStalker is a Golang scanner that probes port 22 for servers exposing SSH in order to extend its reach in a worm-like fashion. Also dropped are several payloads, including variants of an IRC-controlled bot and a Perl bot that connects to an UnrealIRCd server, joins a control channel, and waits for commands that allow it to carry out flood-style traffic attacks and commandeer the bots.

    The attacks are also characterized by the execution of C program files to clean SSH connection logs and erase traces of malicious activity from logs to reduce forensic visibility. Furthermore, the malware toolkit contains a “keep-alive” component that ensures the main malware process is relaunched within 60 seconds in the event it’s terminated by a security tool.
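    The utmp/wtmp cleaners mentioned above typically zero a record in place or rewrite the file without the offending entry, and both leave artifacts a responder can look for. The following is an added example, not code from Flare or from the SSHStalker toolkit: it parses the 384-byte glibc x86_64 struct utmp layout (32-bit and non-glibc layouts differ) and flags all-zero records, timestamps that run backwards, USER_PROCESS entries with an empty user field, and a ragged tail. The sample wtmp bytes are constructed inline.

```python
"""Spot utmp/wtmp tampering of the kind SSHStalker's log cleaners perform.

Added example, not code from Flare or the SSHStalker toolkit. Parses the
glibc x86_64 struct utmp layout (384 bytes); the sample file is constructed.
"""
import struct

# struct utmp (x86_64 glibc): type, pad, pid, line[32], id[4], user[32],
# host[256], exit (2 shorts), session, tv_sec, tv_usec, addr_v6[4], unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384
FIELDS = ("type", "pid", "line", "id", "user", "host", "e_term", "e_exit",
          "session", "tv_sec", "tv_usec", "a0", "a1", "a2", "a3")
EMPTY, BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 0, 2, 7, 8


def _cstr(b):
    return b.split(b"\0", 1)[0].decode("latin-1")


def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one record (used here only to construct the sample file)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def parse_wtmp(data):
    """Return (records, trailing_bytes); each record is a dict of decoded fields."""
    records = []
    n = len(data) // UTMP_SIZE
    for i in range(n):
        raw = data[i * UTMP_SIZE:(i + 1) * UTMP_SIZE]
        rec = dict(zip(FIELDS, struct.unpack(UTMP_FMT, raw)))
        for k in ("line", "id", "user", "host"):
            rec[k] = _cstr(rec[k])
        rec["zeroed"] = raw == b"\0" * UTMP_SIZE
        records.append(rec)
    return records, len(data) - n * UTMP_SIZE


def detect_tampering(data):
    """Flag zeroed records, backwards timestamps, user-less logins, ragged tail."""
    records, trailing = parse_wtmp(data)
    findings = []
    last_ts = None
    for i, r in enumerate(records):
        if r["zeroed"]:
            # wtmp is append-only; an all-zero record in the middle of the file
            # is what zero-in-place cleaners leave after wiping a login.
            findings.append(("zeroed_record", i))
            continue
        if last_ts is not None and r["tv_sec"] < last_ts:
            # Records are appended in time order; a regression means the file
            # was rewritten (e.g. an entry was cut out and the rest re-emitted).
            findings.append(("timestamp_regression", i))
        last_ts = max(last_ts or 0, r["tv_sec"])
        if r["type"] == USER_PROCESS and not r["user"]:
            findings.append(("login_without_user", i))
    if trailing:
        findings.append(("trailing_bytes", trailing))
    return findings


# Constructed sample: a boot, a login, a wiped record, a rewritten-out-of-order
# login, a logout, a login whose user field was blanked, and a partial tail.
SAMPLE_WTMP = b"".join([
    pack_record(BOOT_TIME, 0, "~", "reboot", "6.1.0", 1_700_000_000),
    pack_record(USER_PROCESS, 4242, "pts/0", "alice", "198.51.100.7", 1_700_000_100),
    b"\0" * UTMP_SIZE,
    pack_record(USER_PROCESS, 4300, "pts/1", "bob", "203.0.113.9", 1_700_000_050),
    pack_record(DEAD_PROCESS, 4242, "pts/0", "", "", 1_700_000_200),
    pack_record(USER_PROCESS, 4400, "pts/2", "", "203.0.113.9", 1_700_000_300),
]) + b"\0" * 10


def check_file(path="/var/log/wtmp"):
    """Run the checks against a real wtmp (or btmp/utmp) file."""
    with open(path, "rb") as fh:
        return detect_tampering(fh.read())


if __name__ == "__main__":
    print(detect_tampering(SAMPLE_WTMP))
```

    Compare the result with the SSH daemon's own journal or auth.log and with lastlog; a cleaner that edits wtmp but forgets the other two (or vice versa) leaves a gap that is easier to see than any single file's contents.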

    SSHStalker is notable for blending mass compromise automation with a catalog of 16 distinct vulnerabilities impacting the Linux kernel, some going all the way back to 2009. Some of the flaws used in the exploit module are CVE-2009-2692, CVE-2009-2698, CVE-2010-3849, CVE-2010-1173, CVE-2009-2267, CVE-2009-2908, CVE-2009-3547, CVE-2010-2959, and CVE-2010-3437.

    Flare’s investigation of the staging infrastructure associated with the threat actor has uncovered an extensive repository of open-source offensive tooling and previously published malware samples. These include – 

    • Rootkits to facilitate stealth and persistence
    • Cryptocurrency miners 
    • A Python script that executes a binary called “website grabber” to steal exposed Amazon Web Services (AWS) secrets from targeted websites
    • EnergyMech, an IRC bot that provides C2 and remote command execution capabilities

    It’s suspected that the threat actor behind the activity could be of Romanian origin, given the presence of “Romanian-style nicknames, slang patterns, and naming conventions inside IRC channels and configuration wordlists.” What’s more, the operational fingerprint exhibits strong overlaps with that of a hacking group known as Outlaw (aka Dota).

    “SSHStalker does not appear to focus on novel exploit development but instead demonstrates operational control through mature implementation and orchestration, by primarily using C for core bot and low-level components, shell for orchestration and persistence, and limited Python and Perl usage mainly for utility or supporting automation tasks inside the attack chain and running the IRCbot,” Flare said.

    “The threat actor is not developing zero-days or novel rootkits, but demonstrating strong operational discipline in mass compromise workflows, infrastructure recycling, and long-tail persistence across heterogeneous Linux environments.”


    Source: thehackernews.com…

  • Microsoft Patches 59 Vulnerabilities Including Six Actively Exploited Zero-Days

    Microsoft on Tuesday released security updates to address a set of 59 flaws across its software, including six vulnerabilities that it said have been exploited in the wild.

    Of the 59 flaws, five are rated Critical, 52 are rated Important, and two are rated Moderate in severity. Twenty-five of the patched vulnerabilities have been classified as privilege escalation, followed by remote code execution (12), spoofing (7), information disclosure (6), security feature bypass (5), denial-of-service (3), and cross-site scripting (1).

    It’s worth noting that the patches are in addition to three security flaws that Microsoft has addressed in its Edge browser since the release of the January 2026 Patch Tuesday update, including a Moderate vulnerability impacting the Edge browser for Android (CVE-2026-0391, CVSS score: 6.5) that could allow an unauthorized attacker to perform spoofing over a network by taking advantage of a “user interface misrepresentation of critical information.”

    Topping the list of this month’s updates are six vulnerabilities that have been flagged as actively exploited –

    • CVE-2026-21510 (CVSS score: 8.8) – A protection mechanism failure in Windows Shell that allows an unauthorized attacker to bypass a security feature over a network.
    • CVE-2026-21513 (CVSS score: 8.8) – A protection mechanism failure in MSHTML Framework that allows an unauthorized attacker to bypass a security feature over a network.
    • CVE-2026-21514 (CVSS score: 7.8) – A reliance on untrusted inputs in a security decision in Microsoft Office Word that allows an unauthorized attacker to bypass a security feature locally.
    • CVE-2026-21519 (CVSS score: 7.8) – An access of resource using incompatible type (‘type confusion’) in the Desktop Window Manager that allows an authorized attacker to elevate privileges locally.
    • CVE-2026-21525 (CVSS score: 6.2) – A null pointer dereference in Windows Remote Access Connection Manager that allows an unauthorized attacker to deny service locally.
    • CVE-2026-21533 (CVSS score: 7.8) – An improper privilege management in Windows Remote Desktop that allows an authorized attacker to elevate privileges locally.

    Microsoft’s own security teams and Google Threat Intelligence Group (GTIG) have been credited with discovering and reporting the first three flaws, which have been listed as publicly known at the time of release. There are currently no details on how the vulnerabilities are being exploited, and if they were weaponized as part of the same campaign.

    “CVE-2026-21513 is a security feature bypass vulnerability in the Microsoft MSHTML Framework, a core component used by Windows and multiple applications to render HTML content,” Jack Bicer, director of vulnerability research at Action1, said. “It is caused by a protection mechanism failure that allows attackers to bypass execution prompts when users interact with malicious files. A crafted file can silently bypass Windows security prompts and trigger dangerous actions with a single click.”

    Satnam Narang, senior staff research engineer at Tenable, said CVE-2026-21513 and CVE-2026-21514 bear a “lot of similarities” to CVE-2026-21510, the main difference being that CVE-2026-21513 can also be exploited using an HTML file, while CVE-2026-21514 can only be exploited using a Microsoft Office file.

    As for CVE-2026-21525, it’s linked to a zero-day that ACROS Security’s 0patch service said it discovered in December 2025 while investigating another related flaw in the same component (CVE-2025-59230).

    “These [CVE-2026-21519 and CVE-2026-21533] are local privilege escalation vulnerabilities, which means an attacker must have already gained access to a vulnerable host,” Kev Breen, senior director of cyber threat research at Immersive, told The Hacker News via email. “This could occur through a malicious attachment, a remote code execution vulnerability, or lateral movement from another compromised system.”

    “Once on the host, the attacker can use these escalation vulnerabilities to elevate privileges to SYSTEM. With this level of access, a threat actor could disable security tooling, deploy additional malware, or, in worst-case scenarios, access secrets or credentials that could lead to full domain compromise.”

    Cybersecurity vendor CrowdStrike, which has been acknowledged for reporting CVE-2026-21533, said it does not attribute the exploitation activity to a specific adversary, but noted that threat actors in possession of the exploit binaries will likely ramp up their efforts to use or sell them in the near term.

    “The CVE-2026-21533 exploit binary modifies a service configuration key, replacing it with an attacker-controlled key, which could enable adversaries to escalate privileges to add a new user to the Administrator group,” Adam Meyers, head of Counter Adversary Operations at CrowdStrike, told The Hacker News in an emailed statement. 

    The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add all six vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by March 3, 2026.

    The update also coincides with Microsoft rolling out updated Secure Boot certificates to replace the original 2011 certificates that will expire in late June 2026. The new certificates will be installed through the regular monthly Windows update process without any additional action.

    “If a device does not receive the new Secure Boot certificates before the 2011 certificates expire, the PC will continue to function normally, and existing software will keep running,” the tech giant said. “However, the device will enter a degraded security state that limits its ability to receive future boot-level protections.”

    “As new boot‑level vulnerabilities are discovered, affected systems become increasingly exposed because they can no longer install new mitigations. Over time, this may also lead to compatibility issues, as newer operating systems, firmware, hardware, or Secure Boot–dependent software may fail to load.”

    In tandem, the company said it’s also strengthening default protections in Windows through two security initiatives, Windows Baseline Security Mode and User Transparency and Consent. The updates come under the purview of the Secure Future Initiative and Windows Resiliency Initiative.

    “With Windows Baseline Security Mode, Windows will move toward operating with runtime integrity safeguards enabled by default,” it noted. “These safeguards ensure that only properly signed apps, services, and drivers are allowed to run, helping to protect the system from tampering or unauthorized changes.”

    User Transparency and Consent, analogous to Apple’s macOS Transparency, Consent, and Control (TCC) framework, aims to introduce a consistent approach to handling security decisions. The operating system will prompt users when apps try to access sensitive resources, such as files, the camera, or the microphone, or when they attempt to install other unintended software.

    “These prompts are designed to be clear and actionable, and you’ll always have the ability to review and change your choices later,” Logan Iyer, Distinguished Engineer at Microsoft, said. “Apps and AI agents will also be expected to meet higher transparency standards, giving both users and IT administrators better visibility into their behaviors.”


    Source: thehackernews.com…

  • Over 60 Software Vendors Issue Security Fixes Across OS, Cloud, and Network Platforms

    Ravie Lakshmanan | Feb 11, 2026 | Patch Tuesday / Vulnerability

    It’s Patch Tuesday, which means a number of software vendors have released patches for various security vulnerabilities impacting their products and services.

    Microsoft issued fixes for 59 flaws, including six actively exploited zero-days in various Windows components that could be abused to bypass security features, escalate privileges, and trigger a denial-of-service (DoS) condition.

    Elsewhere, Adobe released updates for Audition, After Effects, InDesign Desktop, Substance 3D, Bridge, Lightroom Classic, and DNG SDK. The company said it’s not aware of in-the-wild exploitation of any of the shortcomings.

    SAP shipped fixes for two critical-severity vulnerabilities, including a code injection bug in SAP CRM and SAP S/4HANA (CVE-2026-0488, CVSS score: 9.9) that an authenticated attacker could use to run an arbitrary SQL statement and lead to a full database compromise.

    The second critical vulnerability is a case of a missing authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform (CVE-2026-0509, CVSS score: 9.6) that could permit an authenticated, low-privileged user to perform certain background Remote Function Calls without the required S_RFC authorization.

    “To patch the vulnerability, customers must implement a kernel update and set a profile parameter,” Onapsis said. “Adjustments in user roles and UCON settings might be required to not interrupt business processes.”

    Rounding off the list, Intel and Google said they teamed up to examine the security of Intel Trust Domain Extensions (TDX) 1.5, uncovering five vulnerabilities in the module (CVE-2025-32007, CVE-2025-27940, CVE-2025-30513, CVE-2025-27572, and CVE-2025-32467), and nearly three dozen weaknesses, bugs, and improvement suggestions.

    “Intel TDX 1.5 introduces new features and functionality that bring confidential computing significantly closer to feature parity with traditional virtualization solutions,” Google said. “At the same time, these features have increased the complexity of a highly privileged software component in the TCB [Trusted Computing Base].”

    Software Patches from Other Vendors

    Security updates have also been released by other vendors in recent weeks to rectify several vulnerabilities, including —


    Source: thehackernews.com…

  • Exposed Training Apps Open the Door for Crypto-Mining in Fortune 500 Cloud Environments

    The Hacker News | Feb 11, 2026 | Identity Security / Threat Exposure

    Intentionally vulnerable training applications are widely used for security education, internal testing, and product demonstrations. Tools such as OWASP Juice Shop, DVWA, Hackazon, and bWAPP are designed to be insecure by default, making them useful for learning how common attack techniques work in controlled environments.

    The issue is not the applications themselves, but how they are often deployed and maintained in real-world cloud environments.

    Pentera Labs examined how training and demo applications are being used across cloud infrastructures and identified a recurring pattern: applications intended for isolated lab use were frequently found exposed to the public internet, running inside active cloud accounts, and connected to cloud identities with broader access than required.

    Deployment Patterns Observed in the Research

    Pentera Labs research found that these applications were often deployed with default configurations, minimal isolation, and overly permissive cloud roles. The investigation uncovered that many of these exposed training environments were directly connected to active cloud identities and privileged roles, enabling attackers to move far beyond the vulnerable applications themselves and potentially into the customer’s broader cloud infrastructure.

    In these scenarios, a single exposed training application can act as an initial foothold. Once attackers are able to leverage connected cloud identities and privileged roles, they are no longer constrained to the original application or host. Instead, they may gain the ability to interact with other resources within the same cloud environment, significantly increasing the scope and potential impact of the compromise.
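    The pivot described above only works because the instance role behind the lab application grants more than the application needs. The following is an added example, not Pentera Labs code, of auditing such a role's policy document for the over-permissioning pattern: an "Allow everything" quick-start statement, pivot-capable actions (iam:PassRole, sts:AssumeRole, ssm:SendCommand and the like) granted on Resource "*", service-wide wildcards, and NotAction/NotResource grants. Both policy documents and the bucket name are constructed; the second shows the same role cut down to one bucket.

```python
"""Audit an IAM policy attached to a lab/demo instance role for over-grants.

Added example, not Pentera Labs code. Both policies and the bucket name are
constructed; PIVOT_ACTIONS is this example's own list of actions an attacker
on a foothold host would use to move beyond it.
"""
import fnmatch
import json

PIVOT_ACTIONS = (
    "iam:PassRole", "iam:CreateAccessKey", "iam:AttachRolePolicy", "iam:PutRolePolicy",
    "iam:CreateUser", "sts:AssumeRole", "ec2:RunInstances", "lambda:UpdateFunctionCode",
    "lambda:CreateFunction", "ssm:SendCommand", "secretsmanager:GetSecretValue",
)

# The kind of role a "quick start" lab deployment often inherits.
LAB_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "LabQuickStart", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "DemoSecrets", "Effect": "Allow",
         "Action": ["secretsmanager:GetSecretValue", "iam:PassRole"], "Resource": "*"},
    ],
})

# The same role scoped to what the lab app actually touches.
LEAST_PRIV_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "LabArtifactsOnly", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::juice-shop-lab-artifacts/*"},
        {"Sid": "DenyPivot", "Effect": "Deny",
         "Action": ["iam:*", "sts:AssumeRole"], "Resource": "*"},
    ],
})


def _as_list(v):
    if isinstance(v, (str, dict)):
        return [v]
    return list(v or [])


def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def audit_policy(doc):
    """Return (sid, kind, detail) for Allow statements that grant a pivot path."""
    policy = json.loads(doc) if isinstance(doc, str) else doc
    findings = []
    for st in _as_list(policy.get("Statement")):
        sid = st.get("Sid", "<no sid>")
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st or "NotResource" in st:
            findings.append((sid, "negated_allow", "NotAction/NotResource allows everything not listed"))
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        all_resources = "*" in resources
        if "*" in actions:
            kind = "full_admin" if all_resources else "all_actions_on_resource"
            findings.append((sid, kind, ", ".join(resources)))
            continue
        for pat in actions:
            hit = [a for a in PIVOT_ACTIONS if _matches(pat, a)]
            if hit:
                kind = "pivot_action_on_all_resources" if all_resources else "pivot_action"
                findings.append((sid, kind, f"{pat} -> {', '.join(hit)}"))
            elif pat.endswith(":*") and all_resources:
                findings.append((sid, "service_wide_wildcard", pat))
    return findings


if __name__ == "__main__":
    for name, doc in (("lab", LAB_ROLE_POLICY), ("least-priv", LEAST_PRIV_POLICY)):
        print(name, audit_policy(doc) or "no findings")
```

    Feed it the output of `aws iam get-role-policy` or `aws iam get-policy-version` for every role attached to a host running one of these training images; a non-empty result on a box that is also internet-facing is the combination the research describes.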

    As part of the investigation, Pentera Labs verified nearly 2,000 live, exposed training application instances, with close to 60% hosted on customer-managed infrastructure running on AWS, Azure, or GCP.

    Evidence of Active Exploitation

    The exposed training environments identified during the research were not simply misconfigured. Pentera Labs observed clear evidence that attackers were actively exploiting this exposure in the wild.

    Across the broader dataset of exposed training applications, approximately 20% of instances were found to contain artifacts deployed by malicious actors, including crypto-mining activity, webshells, and persistence mechanisms. These artifacts indicated prior compromise and ongoing abuse of exposed systems.

    The presence of active crypto-mining and persistence tooling demonstrates that exposed training applications are not only discoverable but are already being exploited at scale.

    Scope of Impact

    The exposed and exploited environments identified during the research were not limited to small or isolated test systems. Pentera Labs observed this deployment pattern across cloud environments associated with Fortune 500 organizations and leading cybersecurity vendors, including Palo Alto, F5, and Cloudflare.

    While individual environments varied, the underlying pattern remained consistent: a training or demo application deployed without sufficient isolation, left publicly accessible, and connected to privileged cloud identities.

    Why This Matters

    Training and demo environments are frequently treated as low-risk or temporary assets. As a result, they are often excluded from standard security monitoring, access reviews, and lifecycle management processes. Over time, these environments may remain exposed long after their original purpose has passed.

    The research shows that exploitation does not require zero-day vulnerabilities or advanced attack techniques. Default credentials, known weaknesses, and public exposure were sufficient to turn training applications into an entry point for broader cloud access.

    Labeling an environment as “training” or “test” does not reduce its risk. When exposed to the internet and connected to privileged cloud identities, these systems become part of the organization’s effective attack surface.

    Refer to the full Pentera Labs research blog & join a live webinar on Feb 12th to learn more about the methodology, discovery process, and real-world exploitation observed during this research. 

    This article was written by Noam Yaffe, Senior Security Researcher at Pentera Labs. For questions or discussion, contact labs@pentera.io



    Source: thehackernews.com…

  • APT36 and SideCopy Launch Cross-Platform RAT Campaigns Against Indian Entities

    Ravie Lakshmanan | Feb 11, 2026 | Cyber Espionage / Threat Intelligence

    Indian defense sector and government-aligned organizations have been targeted by multiple campaigns that are designed to compromise Windows and Linux environments with remote access trojans capable of stealing sensitive data and ensuring continued access to infected machines.

    The campaigns are characterized by the use of malware families like Geta RAT, Ares RAT, and DeskRAT, which are often attributed to Pakistan-aligned threat clusters tracked as SideCopy and APT36 (aka Transparent Tribe). SideCopy, active since at least 2019, is assessed to operate as a subdivision of Transparent Tribe.

    “Taken together, these campaigns reinforce a familiar but evolving narrative,” Aditya K. Sood, vice president of Security Engineering and AI Strategy at Aryaka, said. “Transparent Tribe and SideCopy are not reinventing espionage – they are refining it.”

    “By expanding cross-platform coverage, leaning into memory-resident techniques, and experimenting with new delivery vectors, this ecosystem continues to operate below the noise floor while maintaining strategic focus.”

    Common to all the campaigns is the use of phishing emails containing malicious attachments or embedded download links that lead prospective targets to attacker-controlled infrastructure. These initial access mechanisms serve as a conduit for Windows shortcuts (LNK), ELF binaries, and PowerPoint Add-In files that, when opened, launch a multi-stage process to drop the trojans.

    The malware families are designed to provide persistent remote access, enable system reconnaissance, collect data, execute commands, and facilitate long-term post-compromise operations across both Windows and Linux environments.

    One of the attack chains is as follows: a malicious LNK file invokes “mshta.exe” to execute an HTML Application (HTA) file hosted on compromised legitimate domains. The HTA payload contains JavaScript to decrypt an embedded DLL payload, which, in turn, processes an embedded data blob to write a decoy PDF to disk, connects to a hard-coded command-and-control (C2) server, and displays the saved decoy file.

    After the lure document is displayed, the malware checks for installed security products and adapts its persistence method accordingly prior to deploying Geta RAT on the compromised host. It’s worth noting this attack chain was detailed by CYFIRMA and Seqrite Labs researcher Sathwik Ram Prakki in late December 2025.
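    The LNK to mshta.exe to remote HTA chain described above is visible in process-creation telemetry before any payload lands. The following is an added example, not code from Aryaka, CYFIRMA or Seqrite: it classifies constructed events shaped like Sysmon Event ID 1 records (Image, ParentImage, CommandLine) and flags mshta.exe launched with a URL, with inline javascript:/vbscript:, with an HTA under a user-writable path, or from an Office parent; the hostnames and paths in the sample are made up.

```python
"""Hunt for the LNK -> mshta.exe -> remote HTA pattern in process telemetry.

Added example, not from Aryaka, CYFIRMA or Seqrite. Events are constructed in
the shape of Sysmon Event ID 1 fields; hostnames and paths are made up.
"""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
URL_RE = re.compile(r"https?://\S+", re.I)
INLINE_SCRIPT_RE = re.compile(r"\b(?:javascript|vbscript):", re.I)
USER_WRITABLE_RE = re.compile(r"\\(?:users|temp|programdata|appdata)\\", re.I)

EVENTS = [  # constructed sample telemetry
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://docs.compromised-site.example/brief.hta'},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'mshta.exe "javascript:alert(1);close()"'},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Program Files\Vendor\Setup.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\ui\wizard.hta"'},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe C:\Users\ravi\AppData\Local\Temp\invite.hta"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\ravi\notes.txt"},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the list of reasons an mshta.exe launch looks like the HTA chain."""
    reasons = []
    if _basename(ev["Image"]) != "mshta.exe":
        return reasons
    cmd = ev["CommandLine"]
    parent = _basename(ev["ParentImage"])
    if URL_RE.search(cmd):
        reasons.append("remote_hta")                 # HTA fetched from a web host
    if INLINE_SCRIPT_RE.search(cmd):
        reasons.append("inline_script")              # no file on disk at all
    if USER_WRITABLE_RE.search(cmd):
        reasons.append("hta_from_user_writable_path")
    if parent in OFFICE_PARENTS:
        reasons.append("office_parent")
    if parent == "explorer.exe" and reasons:
        # explorer.exe as parent means the user double-clicked something,
        # which is how an LNK lure hands off to mshta.exe.
        reasons.append("likely_lnk_or_attachment")
    return reasons


def hunt(events):
    """Return (index, reasons) for every event that trips at least one rule."""
    out = []
    for i, ev in enumerate(events):
        reasons = classify(ev)
        if reasons:
            out.append((i, reasons))
    return out


if __name__ == "__main__":
    for idx, why in hunt(EVENTS):
        print(idx, EVENTS[idx]["CommandLine"], why)
```

    The vendor installer launching a local HTA under Program Files (event 2) is deliberately left unflagged so the rule does not fire on the small amount of legitimate mshta.exe use that still exists; tune USER_WRITABLE_RE and OFFICE_PARENTS to your estate.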

    Geta RAT supports various commands to collect system information, enumerate running processes, terminate a specified process, list installed apps, gather credentials, retrieve and replace clipboard contents with attacker-supplied data, capture screenshots, perform file operations, run arbitrary shell commands, and harvest data from connected USB devices.

    Running parallel to this Windows-focused campaign is a Linux variant that employs a Go binary as a starting point to drop a Python-based Ares RAT by means of a shell script downloaded from an external server. Like Geta RAT, Ares RAT can also run a wide range of commands to harvest sensitive data and run Python scripts or commands issued by the threat actor.

    Aryaka said it also observed another campaign where the Golang malware DeskRAT is delivered via a rogue PowerPoint Add-In file that runs an embedded macro to establish outbound communication with a remote server and fetch the malware. APT36’s use of DeskRAT was documented by Sekoia and QiAnXin XLab in October 2025.

    “These campaigns demonstrate a well-resourced, espionage-focused threat actor deliberately targeting Indian defense, government, and strategic sectors through defense-themed lures, impersonated official documents, and regionally trusted infrastructure,” the company said. “The activity extends beyond defense to policy, research, critical infrastructure, and defense-adjacent organizations operating within the same trusted ecosystem.”

    “The deployment of DeskRAT, alongside Geta RAT and Ares RAT, underscores an evolving toolkit optimized for stealth, persistence, and long-term access.”


    Source: thehackernews.com…

  • North Korea-Linked UNC1069 Uses AI Lures to Attack Cryptocurrency Organizations

    The North Korea-linked threat actor known as UNC1069 has been observed targeting the cryptocurrency sector to steal sensitive data from Windows and macOS systems with the ultimate goal of facilitating financial theft.

    “The intrusion relied on a social engineering scheme involving a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported usage of AI-generated video to deceive the victim,” Google Mandiant researchers Ross Inman and Adrian Hernandez said.

    UNC1069, assessed to be active since at least April 2018, has a history of conducting social engineering campaigns for financial gain using fake meeting invites and posing as investors from reputable companies on Telegram. It’s also tracked by the broader cybersecurity community under the monikers CryptoCore and MASAN.

    In a report published last November, Google Threat Intelligence Group (GTIG) pointed out the threat actor’s use of generative artificial intelligence (AI) tools like Gemini to produce lure material and other messaging related to cryptocurrency as part of efforts to support its social engineering campaigns.

    The group has also been observed attempting to misuse Gemini to develop code to steal cryptocurrency, as well as leveraging deepfake images and video lures mimicking individuals in the cryptocurrency industry in its campaigns to distribute a backdoor called BIGMACHO to victims by passing it off as a Zoom software development kit (SDK).

    “Since at least 2023, the group has shifted from spear-phishing techniques and traditional finance (TradFi) targeting towards the Web3 industry, such as centralized exchanges (CEX), software developers at financial institutions, high-technology companies, and individuals at venture capital funds,” Google said.

    In the latest intrusion documented by the tech giant’s threat intelligence division, UNC1069 is said to have deployed as many as seven unique malware families, including several new malware families, such as SILENCELIFT, DEEPBREATH, and CHROMEPUSH.

    It all starts when the threat actor approaches a victim via Telegram, impersonating venture capitalists and, in a few cases, even using compromised accounts of legitimate entrepreneurs and startup founders. Once contact is established, the threat actor uses Calendly to schedule a 30-minute meeting with them.

    The meeting link is designed to redirect the victim to a fake website masquerading as Zoom (“zoom.uswe05[.]us”). In certain cases, the meeting links are directly shared via messages on Telegram, often using Telegram’s hyperlink feature to hide the phishing URLs.

    Regardless of the method used, as soon as the victim clicks the link, they are presented with a fake video call interface that mirrors Zoom, urging them to enable their camera and enter their name. Once the target joins the meeting, they are shown a screen that resembles an actual Zoom meeting.

    However, it’s suspected that the videos are either deepfakes or real recordings stealthily captured from other victims who had previously fallen prey to the same scheme. It’s worth noting that Kaspersky is tracking the same campaign under the name GhostCall, which was documented in detail in October 2025.

    “Their webcam footage had been unknowingly recorded, then uploaded to attacker-controlled infrastructure, and reused to deceive other victims, making them believe they were participating in a genuine live call,” the Russian security vendor noted at the time. “When the video replay ended, the page smoothly transitioned to showing that user’s profile image, maintaining the illusion of a live call.”

    The attack proceeds to the next phase when the victim is shown a bogus error message about a purported audio issue, after which they are prompted to download and run a ClickFix-style troubleshooting command to address the problem. In the case of macOS, the commands lead to the delivery of an AppleScript that, in turn, drops a malicious Mach-O binary on the system.

    Called WAVESHAPER, the malicious C++ executable is designed to gather system information and distribute a Go-based downloader codenamed HYPERCALL, which is then used to serve additional payloads –

    • A follow-on Golang backdoor component known as HIDDENCALL, which provides hands-on keyboard access to the compromised system and deploys a Swift-based data miner called DEEPBREATH.
    • A second C++ downloader called SUGARLOADER, which is used to deploy CHROMEPUSH.
    • A minimalist C/C++ backdoor referred to as SILENCELIFT, which sends system information to a command-and-control (C2) server.

    DEEPBREATH is equipped to manipulate macOS’s Transparency, Consent, and Control (TCC) database to gain file system access, enabling it to steal iCloud Keychain credentials, as well as data from Google Chrome, Brave, Microsoft Edge, Telegram, and the Apple Notes application.
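    A defender-side check for the TCC tampering described above, added here as an example and not part of the article or of Mandiant’s report: it loads a simplified, assumed subset of the TCC.db “access” table with constructed rows and flags Full Disk Access grants to clients outside an allowlist. The column set, the auth_value meanings and every sample client are assumptions, not data from any real host.

```python
import sqlite3

# Assumed, simplified subset of the TCC.db "access" table (the real table has
# more columns). The system DB lives at
# /Library/Application Support/com.apple.TCC/TCC.db, the per-user one under
# ~/Library/Application Support/com.apple.TCC/TCC.db.
SCHEMA = """
CREATE TABLE access (
    service TEXT NOT NULL,
    client TEXT NOT NULL,
    client_type INTEGER NOT NULL,   -- 0 = bundle identifier, 1 = absolute path
    auth_value INTEGER NOT NULL,    -- 0 denied, 1 unknown, 2 allowed, 3 limited
    last_modified INTEGER NOT NULL  -- unix epoch seconds
);
"""

FULL_DISK = "kTCCServiceSystemPolicyAllFiles"  # the Full Disk Access service
NOW = 1_770_000_000  # fixed "current time" so the sample is reproducible

# Constructed sample rows, not taken from any real machine.
SAMPLE_ROWS = [
    (FULL_DISK, "com.apple.Terminal", 0, 2, NOW - 90 * 86400),
    (FULL_DISK, "com.example.backup-agent", 0, 2, NOW - 60 * 86400),
    (FULL_DISK, "/Users/Shared/.zoomsdk/updater", 1, 2, NOW - 600),
    ("kTCCServiceMicrophone", "us.zoom.xos", 0, 2, NOW - 30 * 86400),
    (FULL_DISK, "com.example.denied-tool", 0, 0, NOW - 300),
]


def load_sample_db() -> sqlite3.Connection:
    """Build an in-memory DB with the assumed schema and constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_unexpected_grants(conn, allowlist, recent_seconds=7 * 86400, now=NOW):
    """Return (client, reasons) for allowed Full Disk Access grants whose client
    is not in the allowlist; reasons note path-based clients and recent edits,
    both typical of a grant written directly into the DB rather than via the UI."""
    rows = conn.execute(
        "SELECT client, client_type, last_modified FROM access "
        "WHERE service = ? AND auth_value = 2", (FULL_DISK,))
    hits = []
    for client, client_type, modified in rows:
        if client in allowlist:
            continue
        reasons = ["not in allowlist"]
        if client_type == 1:
            reasons.append("path-based client")
        if now - modified < recent_seconds:
            reasons.append("modified in last %d days" % (recent_seconds // 86400))
        hits.append((client, reasons))
    return hits
```

    Denied entries (auth_value 0) and grants for other services are ignored, so the check reports only the grants that actually confer file system access.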

    Like DEEPBREATH, CHROMEPUSH also acts as a data stealer, only it’s written in C++ and is deployed as a browser extension to Google Chrome and Brave browsers by masquerading as a tool for editing Google Docs offline. It also comes with the ability to record keystrokes, observe username and password inputs, and extract browser cookies.

    “The volume of tooling deployed on a single host indicates a highly determined effort to harvest credentials, browser data, and session tokens to facilitate financial theft,” Mandiant said. “While UNC1069 typically targets cryptocurrency startups, software developers, and venture capital firms, the deployment of multiple new malware families alongside the known downloader SUGARLOADER marks a significant expansion in their capabilities.”


    Source: thehackernews.com…

  • Warlock Ransomware Breaches SmarterTools Through Unpatched SmarterMail Server

    SmarterTools confirmed last week that the Warlock (aka Storm-2603) ransomware gang breached its network by exploiting an unpatched SmarterMail instance.

    The incident took place on January 29, 2026, when a mail server that was not updated to the latest version was compromised, the company’s Chief Commercial Officer, Derek Curtis, said.

    “Prior to the breach, we had approximately 30 servers/VMs with SmarterMail installed throughout our network,” Curtis explained. “Unfortunately, we were unaware of one VM, set up by an employee, that was not being updated. As a result, that mail server was compromised, which led to the breach.”

    However, SmarterTools emphasized that the breach did not affect its website, shopping cart, My Account portal, and several other services, and that no business applications or account data were affected or compromised.

    About 12 Windows servers on the company’s office network, as well as a secondary data center used for quality control (QC) tests, are confirmed to be affected. According to its CEO, Tim Uzzanti, the “attempted ransomware attack” also impacted hosted customers using SmarterTrack.

    “Hosted customers using SmarterTrack were the most affected,” Uzzanti said in a different Community Portal thread. “This was not due to any issue within SmarterTrack itself, but rather because that environment was more easily accessible than others once they breached our network.”

    Furthermore, SmarterTools acknowledged that the Warlock group waited for a couple of days after gaining initial access to take control of the Active Directory server and create new users, followed by dropping additional payloads like Velociraptor and the locker to encrypt files.

    “Once these bad actors gain access, they typically install files and wait approximately 6–7 days before taking further action,” Curtis said. “This explains why some customers experienced a compromise even after updating — the initial breach occurred prior to the update, but malicious activity was triggered later.”

    It’s currently not clear which SmarterMail vulnerability was weaponized by attackers, but it’s worth noting that multiple flaws in the email software – CVE-2025-52691 (CVSS score: 10.0), CVE-2026-23760, and CVE-2026-24423 (CVSS scores: 9.3) – have come under active exploitation in the wild.

    CVE-2026-23760 is an authentication bypass flaw that could allow any user to reset the SmarterMail system administrator password by sending a specially crafted HTTP request. CVE-2026-24423, on the other hand, stems from a weakness in the ConnectToHub API method that can be exploited to achieve unauthenticated remote code execution (RCE).

    The vulnerabilities were addressed by SmarterTools in build 9511. Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed that CVE-2026-24423 was being exploited in ransomware attacks.

    In a report published Monday, cybersecurity company ReliaQuest said it identified activity likely linked to Warlock that involved the abuse of CVE-2026-23760 to bypass authentication and stage the ransomware payload on internet-facing systems. The attack also leverages the initial access to download a malicious MSI installer (“v4.msi”) from Supabase, a legitimate cloud-based backend platform, to install Velociraptor.

    “While this vulnerability allows attackers to bypass authentication and reset administrator passwords, Storm-2603 chains this access with the software’s built-in ‘Volume Mount’ feature to gain full system control,” security researcher Alexa Feminella said. “Upon entry, the group installs Velociraptor, a legitimate digital forensics tool it has used in previous campaigns, to maintain access and set the stage for ransomware.”

    The security outfit also noted that the two vulnerabilities have the same net result: while CVE-2026-23760 grants unauthenticated administrative access via the password reset API, which can then be combined with the mounting logic to attain code execution, CVE-2026-24423 offers a more direct path to code execution through an API path.

    The fact that the attackers are pursuing the former method is an indication that it likely allows the malicious activity to blend in with typical administrative workflows, helping them avoid detection.

    “By abusing legitimate features (password resets and drive mounting) instead of relying solely on a single ‘noisy’ exploit primitive, operators may reduce the effectiveness of detections tuned specifically for known RCE patterns,” Feminella added. “This pace of weaponization is consistent with ransomware operators rapidly analyzing vendor fixes and developing working tradecraft shortly after release.”

    When reached for comment about the Warlock ransomware activity targeting SmarterTools, ReliaQuest told The Hacker News that it observed the attackers exploiting CVE-2026-23760 on unpatched systems running versions prior to Build 9511 shortly after the patch was released.

    “We confirmed this specific vulnerability was used because we observed successful password reset requests containing specific input designed to take over the built-in system administrator account,” the company said in an emailed statement. “We also saw API calls consistent with probing for the second vulnerability, CVE-2026-24423, during the same window. However, the successful password reset activity confirms that CVE-2026-23760 was the method used to gain initial access.”

    Users of SmarterMail are advised to upgrade to the latest version (Build 9526) with immediate effect for optimal protection, and isolate mail servers to block lateral movement attempts used to deploy ransomware.

    (The story was updated after publication to include a response from ReliaQuest.)


    Source: thehackernews.com…

  • ZAST.AI Raises $6M Pre-A to Scale "Zero False Positive" AI-Powered Code Security

    The Hacker NewsFeb 10, 2026Application Security / Artificial Intelligence

    January 5, 2026, Seattle, USA — ZAST.AI announced the completion of a $6 million Pre-A funding round. This investment came from the well-known investment firm Hillhouse Capital, bringing ZAST.AI’s total funding close to $10 million. This marks a recognition from leading capital markets of a new solution: ending the era of high false positive rates in security tools and making every alert genuinely actionable.

    In 2025, ZAST.AI discovered hundreds of zero-day vulnerabilities across dozens of popular open-source projects. These findings were submitted through authoritative vulnerability platforms like VulDB, successfully resulting in 119 CVE assignments. These are not laboratory targets, but production-grade code supporting global businesses. Affected well-known projects include widely used components and frameworks such as Microsoft Azure SDK, Apache Struts XWork, Alibaba Nacos, Langfuse, Koa, node-formidable, and others.

    It was precisely within these widely adopted open-source projects that ZAST.AI discovered hundreds of real, exploitable vulnerabilities accompanied by executable Proof-of-Concept (PoC) evidence. Maintainers of these projects from top technology companies like Microsoft, Apache, and Alibaba have already patched their code based on the PoCs submitted by ZAST.AI.

    “In the traditional field of code security analysis, high false positive rates have long been a core pain point plaguing enterprise security teams. Security engineers often spend significant time manually verifying alerts generated by tools, resulting in extremely low efficiency,” said Geng Yang, Co-founder of ZAST.AI. “‘Report is cheap, show me the POC!’ This was the original intention behind founding ZAST.AI — we believe only verified vulnerabilities are worth reporting.”

    ZAST.AI’s core innovation lies in its “Automated POC Generation + Automated Validation” technical architecture. Unlike traditional static analysis tools, ZAST.AI leverages advanced AI technology to perform deep code analysis on applications. It can not only automatically generate Proof-of-Concept (PoC) code for exploiting vulnerabilities but also automatically execute and verify whether the PoC successfully triggers the vulnerability. The final report only presents real vulnerabilities that have been practically verified, achieving a breakthrough “zero false positive” effect.

    “This isn’t an optimization—it’s a reconstruction,” said a representative from Hillhouse Capital. “ZAST.AI has redefined the standard for vulnerability validation, shifting from ‘potential risk’ to ‘confirmed vulnerability, here is the PoC.’ This changes the game.”

    Regarding vulnerability coverage, ZAST.AI not only supports the detection of “syntax-level” vulnerabilities such as SQL Injection, XSS, Insecure Deserialization, and SSRF but also possesses the capability to identify semantic-level vulnerabilities. This includes complex business logic flaws like IDOR, privilege escalation, and payment logic vulnerabilities—areas long considered difficult for automated tools to reach. Imagine your security tool crying “wolf” every day, with a false positive rate above 60%. By the time the real “wolf” appears, the team might already be desensitized. This isn’t a people problem; it’s a tool defect—they can only speculate, not prove.

    Currently, ZAST.AI already serves multiple enterprise clients, including Fortune Global 500 companies. By automatically discovering unknown vulnerabilities and directly providing runnable PoC vulnerability reports, ZAST.AI helps clients significantly shorten vulnerability remediation cycles and markedly reduce security operation costs, and has gained high recognition from customers. This round of funding will primarily be used for core technology R&D, product feature expansion, and global market development. CEO Geng Yang stated: “Our vision is to build an end-to-end AI-driven security platform, enabling every development team to obtain the highest quality security assurance at the lowest cost. In the future, ZAST.AI will continue to deepen technological innovation in AI + Security, providing global customers with smarter, more precise, and more efficient code security solutions.”


    Source: thehackernews.com…