Microsoft zakrpa aktivno iskorištavanu zero-day ranjivost u Officeu
Microsoft je objavio hitne izvanredne sigurnosne zakrpe za ispravljanje zero-day ranjivosti visoke ozbiljnosti u Microsoft Officeu koja se aktivno iskorištava u napadima. Ranjivost zaobilaženja sigurnosne značajke, praćena pod oznakom CVE-2026-21509, pogađa više verzija Officea, uključujući Microsoft Office 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024 i Microsoft 365 Apps for Enterprise (cloud pretplatničku uslugu). Kako je navedeno u današnjem sigurnosnom upozorenju, zakrpe za Microsoft Office 2016 i 2019 još nisu dostupne te će biti objavljene čim to bude moguće.
Izvor: BleepingComputer

Gotovo 800.000 Telnet poslužitelja izloženo udaljenim napadima
Internet sigurnosna organizacija Shadowserver prati gotovo 800.000 IP adresa s Telnet otiscima uslijed aktivnih napada koji iskorištavaju kritičnu ranjivost zaobilaženja autentikacije u GNU InetUtils telnetd poslužitelju. Sigurnosni propust (CVE-2026-24061) pogađa GNU InetUtils verzije od 1.9.3 do 2.7, a zakrpan je u verziji 2.8 objavljenoj 20. siječnja. Ranjivost omogućuje udaljenim napadačima zaobilaženje autentikacije zloupotrebom načina na koji telnetd prosljeđuje korisnički kontrolirane varijable okruženja procesu prijave.
Izvor: BleepingComputer

Posebno upozorenje: zlonamjerni “supergrupni” SLSH cilja više od 100 organizacija putem interaktivnog phishinga
Trenutačno je aktivna masovna kampanja krađe identiteta koja cilja Okta Single Sign-On (SSO) i druge SSO platforme u više od 100 visokovrijednih organizacija. Silent Push identificirao je infrastrukturu koja odgovara SLSH-u, savezu skupina Scattered Spider, LAPSUS$ i ShinyHunters. Kampanja se oslanja na ručno vođene vishing napade i interaktivne phishing panele kako bi se zaobišle čak i snažno utvrđene MFA zaštite.
Izvor: Silent Push

Supply chain kompromitacija eScan antivirusa isporučila digitalno potpisani malware
Kritična supply chain kompromitacija koja pogađa eScan antivirus tvrtke MicroWorld Technologies identificirana je 20. siječnja 2026., nakon što su zlonamjerne nadogradnje distribuirane putem legitimne infrastrukture za ažuriranje proizvođača. Zlonamjerni paketi navodno su bili digitalno potpisani kompromitiranim eScan certifikatom, čime su zaobiđeni standardni mehanizmi povjerenja. Nakon instalacije, malware je uspostavio perzistenciju, omogućio udaljeni pristup i spriječio daljnja ažuriranja sustava.
Izvor: Infosecurity Magazine

Nova Fake CAPTCHA kampanja isporučuje Amatera Stealer
Blackpoint SOC identificirao je novu Fake CAPTCHA kampanju koja zloupotrebljava potpisanu Microsoft Application Virtualization (App-V) skriptu kao living-off-the-land binary (LOLBIN) za posredno izvršavanje koda putem legitimne Windows komponente. Napad pažljivo provjerava ponašanje korisnika i redoslijed izvršavanja, a u slučaju neispunjenih uvjeta proces se neprimjetno zaustavlja. Ovaj lanac isporuke pokazuje kako je sam tijek izvršavanja postao ključni dio suvremenog malware pristupa.
Izvor: Blackpoint Cyber

VoidLink: Evidence That the Era of Advanced AI-Generated Malware Has Begun
Check Point Research (CPR) believes a new era of AI-generated malware has begun. VoidLink stands as the first evidently documented case of this era, as a truly advanced malware framework authored almost entirely by artificial intelligence, likely under the direction of a single individual. Until now, solid evidence of AI-generated malware has primarily been linked to inexperienced threat actors, as in the case of FunkSec, or to malware that largely mirrored the functionality of existing open-source malware tools. VoidLink is the first evidence based case that shows how dangerous AI can become in the hands of more capable malware developers. Operational security (OPSEC) failures by the VoidLink developer exposed development artifacts. These materials provide clear evidence that the malware was produced predominantly through AI-driven development, reaching a first functional implant in under a week.
Source: Check Point Research

Dissecting and Exploiting CVE-2025-62507: Remote Code Execution in Redis
A recent stack buffer overflow vulnerability in Redis, assigned CVE-2025-62507, was fixed in version 8.3.2. The issue was published with a high severity rating and assigned a CVSS v3 score of 8.8. According to the official advisory, “a user can run the XACKDEL command with multiple IDs and trigger a stack buffer overflow, which may potentially lead to remote code execution”. Memory corruption vulnerabilities have become significantly harder to exploit due to the many security mitigations introduced over the years, but historically they easily led directly to remote code execution. Given that the vulnerability was rated as high severity but not classified as critical, the JFrog Security Research team decided to investigate the issue further and evaluate whether remote code execution is still easily achievable in 2026.
Source: JFrog

DNS OverDoS: Are Private Endpoints Too Private?
We discovered an aspect of Azure’s Private Endpoint architecture that could expose Azure resources to denial of service (DoS) attacks. In this article, we explore how both intentional and inadvertent acts could result in limited access to Azure resources through the Azure Private Link mechanism. We uncovered this issue while investigating irregular behavior in Azure test environments. Our research indicates that over 5% of Azure storage accounts currently operate with configurations that are subject to this DoS issue. This issue has the potential to affect organizations in multiple ways. For example, denying service to storage accounts could cause Azure Functions within FunctionApps and subsequent updates to these apps to fail. In another scenario, the risk could lead to DoS to Key Vaults, resulting in a ripple effect on processes that depend on secrets within the vault.
Source: Palo Alto Networks Unit 42

Everest Ransomware Claims McDonalds India Breach Involving Customer Data
The notorious Everest ransomware group is claiming to have breached McDonald’s India, the Indian subsidiary of the American fast-food giant. The claim was published on the group’s official dark web leak site earlier today, January 20, 2026, stating that they exfiltrated a massive 861 GB of customer data and internal company documents. As reviewed by Hackread.com, the group also published internal screenshots to support the authenticity of its claims. A closer look at these screenshots reveals financial reports from 2023 to 2026, audit trails, cost tracking sheets, ERP migration files, pricing data, and other sensitive internal communications.
Source: Hackread

ChainLeak: Critical AI Framework Vulnerabilities Expose Data, Enable Cloud Takeover
Zafran Labs identified two critical vulnerabilities in Chainlit, a widely used open source AI framework. These vulnerabilities affect internet-facing AI systems that are actively deployed across multiple industries, including large enterprises. The flaws allow attackers to leak cloud environment API keys and steal sensitive files (CVE-2026-22218), as well as perform Server-Side Request Forgery (SSRF) against servers hosting AI applications (CVE-2026-22219). These vulnerabilities can be triggered with no user interaction. Zafran confirmed the vulnerabilities in real world, internet-facing applications operated by major enterprises.
Source: Zafran Labs

RansomHouse Claims Data Breach at Major Apple Contractor Luxshare
A ransomware and extortion group called RansomHouse claims to have breached Luxshare Precision Industry, a China-based key manufacturing partner and contractor of Apple Inc. The group published a victim profile on its dark web leak site, naming Luxshare and listing several of its major clients. The group’s post outlines Luxshare’s scale, revenue, and role across consumer electronics, communications, and automotive sectors. Apple is highlighted as a major client, alongside names like Nvidia, Meta, Qualcomm, and others. The post goes on to claim access to sensitive engineering data, including 3D CAD models, PCB design files, and internal documentation. These kinds of files would be serious for any hardware manufacturer.
Source: Hackread

From Extension to Infection: An In-Depth Analysis of the Evelyn Stealer Campaign Targeting Software Developers
On December 8, 2025, Koi.ai published their findings about a campaign specifically targeting software developers through weaponized Visual Studio Code extensions. Here, we’ll provide a more in-depth analysis of the multistage delivery of the Evelyn information stealer. Evelyn implements multiple anti-analysis techniques to evade detection in research and sandbox environments. It collects system information and harvests browser credentials through DLL injection as well as files and information such as clipboard and Wi-Fi credentials . It can also capture screenshots and steal cryptocurrency wallet. The malware communicates with its command-and-control (C&C) server over FTP.
Source: Trend Micro

Weaponizing Calendar Invites: A Semantic Attack on Google Gemini
Our team recently discovered a vulnerability in Google’s ecosystem that allowed us to bypass Google Calendar’s privacy controls using a dormant payload hidden inside a standard calendar invite. This bypass enabled unauthorized access to private meeting data and the creation of deceptive calendar events without any direct user interaction. This is a powerful example of Indirect Prompt Injection leading to a critical Authorization Bypass. We responsibly disclosed the issue to Google’s security team, who confirmed the findings and mitigated the vulnerability. What makes this discovery notable isn’t simply the exploit itself. The vulnerability shows a structural limitation in how AI-integrated products reason about intent. Google has already deployed a separate language model to detect malicious prompts, and yet the path still existed, driven solely through natural language.
Source: Miggo

Pro-Russia Hacktivist Activity Continues to Target UK Organisations
Russian-aligned hacktivist groups continue to target the UK and global organisations by attempting to disrupt operations, take websites offline and disable services. In December 2025, the NCSC co-sealed an advisory highlighting that pro-Russian hacktivists groups have been conducting worldwide cyber operations against numerous organisations and critical infrastructure sectors. In particular, the group NoName057(16) has been active since March 2022, and have been conducting attacks against government and private sector entities in NATO member states and other European countries that are perceived as hostile to Russian geopolitical interests. These attacks have included frequent DDoS attempts against UK local government.
Source: UK NCSC

New StackWarp Hardware Flaw Breaks AMD SEV-SNP Protections on Zen 1–5 CPUs
A team of academics from the CISPA Helmholtz Center for Information Security in Germany has disclosed the details of a new hardware vulnerability affecting AMD processors. The security flaw, codenamed StackWarp, can allow bad actors with privileged control over a host server to run malicious code within confidential virtual machines (CVMs), undermining the integrity guarantees provided by AMD Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP). It impacts AMD Zen 1 through Zen 5 processors. AMD, which is tracking the vulnerability as CVE-2025-29943 (CVSS v4 score: 4.6), characterized it as a medium-severity, improper access control bug that could allow an admin-privileged attacker to alter the configuration of the CPU pipeline, causing the stack pointer to be corrupted inside an SEV-SNP guest.
Source: The Hacker News

Hunting Lazarus: Inside the Contagious Interview C2 Infrastructure
In early January 2026, during routine vetting of a cryptocurrency project sourced via Upwork, Red Asgard’s threat research team discovered all three. The contractor—using a fake identity—had embedded malware in a legitimate-looking code repository. What followed was a five-day investigation into active Lazarus Group infrastructure. This article documents what we found.
Source: Red Asgard

ServiceNow Patches Critical AI Platform Flaw Allowing Unauthenticated User Impersonation
ServiceNow has disclosed details of a now-patched critical security flaw impacting its ServiceNow artificial intelligence (AI) Platform that could enable an unauthenticated user to impersonate another user and perform arbitrary actions as that user. The vulnerability, tracked as CVE-2025-12420, carries a CVSS score of 9.3 out of 10.0. It has been codenamed BodySnatcher by AppOmni. “This issue […] could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitled to perform,” the company said in an advisory released Monday.
Source: The Hacker News

Cisco Fixes AsyncOS Zero-Day Exploited since November
Cisco has finally patched a maximum-severity Cisco AsyncOS zero-day exploited in attacks against Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances since November 2025. As Cisco explained in December, when it disclosed the vulnerability (CVE-2025-20393), it affects only Cisco SEG and Cisco SEWM appliances with non-standard configurations when the Spam Quarantine feature is enabled and exposed on the Internet.
Source: BleepingComputer

LOTUSLITE Backdoor Targets U.S. Policy Entities Using Venezuela-Themed Spear Phishing
Security experts have disclosed details of a new campaign that has targeted U.S. government and policy entities using politically themed lures to deliver a backdoor known as LOTUSLITE. The targeted malware campaign leverages decoys related to the recent geopolitical developments between the U.S. and Venezuela to distribute a ZIP archive (“US now deciding what’s next for Venezuela.zip”) containing a malicious DLL that’s launched using DLL side-loading techniques. It’s not known if the campaign managed to successfully compromise any of the targets.
Source: The Hacker News

WhisperPair Attack Leaves Millions of Audio Accessories Open to Hijacking
A vulnerability in the Google Fast Pair implementation of Bluetooth audio accessories can be exploited to force connections to attacker-controlled devices, academic researchers warn. The critical-severity issue is tracked as CVE-2025-36911 and exists due to a logic error in the key-based pairing code, where devices fail to check if they are in pairing mode. Google Fast Pair enables fast pairing and account synchronization with Bluetooth accessories such as earbuds, headphones, and speakers, all with a single tap. The Fast Pair specification states that the pairing procedure should only be performed if the accessory is in pairing mode, but models from numerous brands do not check the pairing status of the device.
Source: SecurityWeek

Inside China’s Hosting Ecosystem: 18,000+ Malware C2 Servers Mapped Across Major ISPs
Threat hunting often begins with a single indicator, such as a suspicious IP address, a beaconing domain, or a known malware family. Looking at those indicators individually makes the underlying infrastructure easy to miss. While analyzing malicious activity across Chinese hosting environments, we repeatedly observed the same networks and providers appearing across unrelated campaigns. Commodity malware, phishing operations, and state-linked tooling were often hosted side by side within the same infrastructure, even as individual IPs and domains changed.
Source: Hunt.io

Inside RedVDS: How a Single Virtual Desktop Provider Fueled Worldwide Cybercriminal Operations
Over the past year, Microsoft Threat Intelligence observed the proliferation of RedVDS, a virtual dedicated server (VDS) provider used by multiple financially motivated threat actors to commit business email compromise (BEC), mass phishing, account takeover, and financial fraud. Microsoft’s investigation into RedVDS services and infrastructure uncovered a global network of disparate cybercriminals purchasing and using to target multiple sectors, including legal, construction, manufacturing, real estate, healthcare, and education in the United States, Canada, United Kingdom, France, Germany, Australia, and countries with substantial banking infrastructure targets that have a higher potential for financial gain. In collaboration with law enforcement agencies worldwide, Microsoft’s Digital Crimes Unit (DCU) recently facilitated a disruption of RedVDS infrastructure and related operations.
Source: Microsoft Security Blog

UAT-8837 Targets Critical Infrastructure Sectors in North America
Cisco Talos is closely tracking UAT-8837, a threat actor we assess with medium confidence is a China-nexus advanced persistent threat (APT) actor based on overlaps in tactics, techniques, and procedures (TTPs) with those of other known China-nexus threat actors. Based on UAT-8837’s TTPs and post-compromise activity Talos has observed across multiple intrusions, we assess with medium confidence that this actor is primarily tasked with obtaining initial access to high-value organizations. Although UAT-8837’s targeting may appear sporadic, since at least 2025, the group has clearly focused on targets within critical Infrastructure sectors in North America.
Source: Cisco Talos

Hackers Exploit c-ares DLL Side-Loading to Bypass Security and Deploy Malware
Security experts have disclosed details of an active malware campaign that’s exploiting a DLL side-loading vulnerability in a legitimate binary associated with the open-source c-ares library to bypass security controls and deliver a wide range of commodity trojans and stealers. “Attackers achieve evasion by pairing a malicious libcares-2.dll with any signed version of the legitimate ahost.exe (which they often rename) to execute their code,” Trellix said in a report shared with The Hacker News. “This DLL side-loading technique allows the malware to bypass traditional signature-based security defenses.” The campaign has been observed distributing a wide assortment of malware, such as Agent Tesla, CryptBot, Formbook, Lumma Stealer, Vidar Stealer, Remcos RAT, Quasar RAT, DCRat, and XWorm.
Source: The Hacker News

New ‘Reprompt’ Attack Silently Siphons Microsoft Copilot Data
Security researchers at Varonis have discovered a new attack that allowed them to exfiltrate user data from Microsoft Copilot using a single malicious link. Dubbed Reprompt, the attack bypassed the LLMs data leak protections and allowed for persistent session exfiltration even after the Copilot was closed, Varonis says. The attack leverages a Parameter 2 Prompt (P2P) injection, a double-request technique, and a chain-request technique to enable continuous, undetectable data exfiltration. The Reprompt Copilot attack starts with the exploitation of the ‘q’ parameter, which is used on AI platforms to deliver a user’s query or prompt via a URL. All it takes is for the user to click on the link.
Source: SecurityWeek

Threat Brief: MongoDB Vulnerability (CVE-2025-14847)
On Dec. 19, 2025, MongoDB publicly disclosed MongoBleed, a security vulnerability (CVE-2025-14847) that allows unauthenticated attackers to leak sensitive heap memory by exploiting a trust issue in how MongoDB Server handles zlib-compressed network messages. This flaw occurs prior to authentication, meaning an attacker only needs network access to the database’s default port to trigger it.
Source: Palo Alto Networks Unit 42

Fortinet Fixes Critical FortiSIEM Flaw Allowing Unauthenticated Remote Code Execution
Fortinet has released updates to fix a critical security flaw impacting FortiSIEM that could allow an unauthenticated attacker to achieve code execution on susceptible instances. The operating system (OS) injection vulnerability, tracked as CVE-2025-64155, is rated 9.4 out of 10.0 on the CVSS scoring system. “An improper neutralization of special elements used in an OS command (‘OS command injection’) vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests,” the company said in a Tuesday bulletin.
Source: The Hacker News

Critical Node.js Vulnerability Can Cause Server Crashes via async_hooks Stack Overflow
Node.js has released updates to fix what it described as a critical security issue impacting “virtually every production Node.js app” that, if successfully exploited, could trigger a denial-of-service (DoS) condition. “Node.js/V8 makes a best-effort attempt to recover from stack space exhaustion with a catchable error, which frameworks have come to rely on for service availability,” Node.js’s Matteo Collina and Joyee Cheung said in a Tuesday bulletin.
Source: The Hacker News

Microsoft January 2026 Patch Tuesday: 115 Vulnerabilities Fixed
Microsoft has released its first Patch Tuesday of 2026, delivering a massive wave of security fixes to protect users from various digital threats. This month, the tech giant addressed 115 vulnerabilities, out of which eight are considered Critical, the highest risk level, while 106 are labelled Important. For those unfamiliar with the term, Patch Tuesday is the day Microsoft regularly releases updates to fix security holes. This January, the updates cover everything from Windows 11 and Microsoft Office to the Edge browser.
Source: Hackread

“Untrustworthy Fund”: Targeted UAC-0190 Cyberattacks Against SOU Using PLUGGYAPE
During October-December 2025, the National Cyber Incident Response Team, Cyber Attacks, and Cyber Threats CERT-UA, in cooperation with the Cyber Incident Response Team of the Armed Forces of Ukraine (military unit A0334), took measures to investigate a number of targeted cyber attacks against representatives of the Defense Forces of Ukraine, carried out under the guise of charitable foundation activities using the PLUGGYAPE software tool. Based on certain characteristics, the activity is associated with a medium level of confidence with the activities of a group known as Void Blizzard (Laundry Bear), for tracking which the identifier UAC-0190 is used. To implement the malicious plan, the target of the cyberattack is encouraged via instant messengers to visit a website that imitates the webpage of a supposedly charitable foundation, from which it is proposed to download “documents” – executable files, which are usually located in a password-protected archive.
Source: CERT-UA

Hidden Telegram Proxy Links Can Reveal Your IP Address in One Click
A single click on what may appear to be a Telegram username or harmless link is all it takes to expose your real IP address to attackers due to how proxy links are handled. Telegram tells BleepingComputer it will now add warnings to proxy links after researchers demonstrated that specially crafted links could be used to reveal a Telegram user’s real IP address without any further confirmation.
Source: BleepingComputer

Everest Ransomware Claims Breach at Nissan, Says 900GB of Data Stolen
The notorious Everest ransomware group claims to have breached Nissan Motor Corporation (Nissan Motor Co., Ltd.), the Japanese multinational automobile manufacturer. The group published its claims on its dark web leak site on January 10, 2026, sharing six screenshots allegedly taken from the stolen data. They also revealed a directory structure showing ZIP archives, text files, Excel sheets, and CSV documents. Based on the leaked screenshots published by the Everest ransomware group, the material appears to include directory structures and internal records allegedly linked to Nissan.
Source: Hackread

Target’s Dev Server Offline After Hackers Claim to Steal Source Code
Hackers are claiming to be selling internal source code belonging to Target Corporation, after publishing what appears to be a sample of stolen code repositories on a public software development platform. Last week, an unknown threat actor created multiple repositories on Gitea that appeared to contain portions of Target’s internal code and developer documentation. The repositories were presented as a preview of a much larger dataset allegedly being offered for sale to buyers on an underground forum or private channel.
Source: BleepingComputer

CISA Orders Feds to Patch Gogs RCE Flaw Exploited in Zero-Day Attacks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered government agencies to secure their systems against a high-severity Gogs vulnerability that was exploited in zero-day attacks. Designed as an alternative to GitLab or GitHub Enterprise and written in Go, Gogs is often exposed online for remote collaboration. Tracked as CVE-2025-8110, this remote code execution (RCE) security flaw stems from a path traversal weakness in the PutContents API and allows authenticated attackers to bypass protections implemented for a previously patched RCE bug (CVE-2024-55947) by overwriting files outside the repository via symbolic links.
Source: BleepingComputer

Unveiling VoidLink – A Stealthy, Cloud-Native Linux Malware Framework
In December 2025, Check Point Research identified a small cluster of previously unseen Linux malware samples that appear to originate from a Chinese-affiliated development environment. Many of the binaries included debug symbols and other development artifacts, suggesting we were looking at in-progress builds rather than a finished, widely deployed tool. The speed and variety of changes across the samples indicate a framework that is being iterated upon quickly to achieve broader, real-world use. The framework, internally referred to by its original developers as VoidLink, is a cloud-first implant written in Zig and designed to operate in modern infrastructure. It can recognize major cloud environments and detect when it is running inside Kubernetes or Docker, then tailor its behavior accordingly. VoidLink also harvests credentials associated with cloud environments and standard source code version control systems, such as Git, indicating that software engineers may be a potential target, either for espionage activities or possible future supply-chain-based attacks.
Source: Check Point Research

Max Severity Ni8mare Flaw Impacts Nearly 60,000 n8n Instances
Nearly 60,000 n8n instances exposed online remain unpatched against a maximum-severity vulnerability dubbed “Ni8mare.” n8n is an open-source workflow automation platform that allows users to connect different applications and services via pre-built connectors and a visual, node-based interface to automate repetitive tasks without writing code. The automation platform is widely used in AI development to automate data ingestion and build AI agents and RAG pipelines. It has over 100 million pulls on Docker Hub and over 50,000 weekly downloads on npm. Since n8n serves as a central automation hub, it often stores API keys, OAuth tokens, database credentials, cloud storage access, CI/CD secrets, and business data, making it an attractive target for threat actors.
Source: BleepingComputer

In-Depth Analysis Report on LockBit 5.0: Operation and Countermeasures
Since its first appearance in September 2019, LockBit has been known as one of the most notorious and active Ransomware-as-a-Service (RaaS) groups worldwide. LockBit operates on the RaaS model and is characterized by sophisticated encryption technology and automated propagation capabilities. Initial access is typically gained through vulnerability exploits, brute force attacks, phishing, or leaked login credentials, and the attack follows a three-stage process: initial access, lateral movement and privilege escalation, and ransomware deployment. The group also uses the Stealbit tool to exfiltrate data. From August 2021 to August 2022, LockBit accounted for 30.25% of known ransomware attacks, and in 2023, it made up around 21% of the attacks. The group’s extortion demands and recovery costs have resulted in billions of dollars in losses. Despite the efforts of law enforcement agencies, LockBit continues to pose a serious threat to cybersecurity worldwide. The LockBit 5.0 ransomware group operates the DLS website, which lists the companies that have been successfully breached by the group. While no South Korean companies are included on the list, many foreign companies have been identified as victims. The group has launched ransomware attacks against companies in a wide range of industries, including IT, electronics, law firms, and churches.
Source: AhnLab ASEC

Threat Actors Actively Targeting LLMs
Our Ollama honeypot infrastructure captured 91,403 attack sessions between October 2025 and January 2026. Buried in that data: two distinct campaigns that reveal how threat actors are systematically mapping the expanding surface area of AI deployments. GreyNoise customers have received an Executive Situation Report (SITREP) including IOCs and other valuable intelligence from this investigation. Customers, please check your inbox. The first campaign exploited server-side request forgery vulnerabilities—tricks that force your server to make outbound connections to attacker-controlled infrastructure. The campaign ran from October 2025 through January 2026, with a dramatic spike over Christmas—1,688 sessions in 48 hours. Attackers used ProjectDiscovery’s OAST (Out-of-band Application Security Testing) infrastructure to confirm successful SSRF exploitation via callback validation.
Source: GreyNoise

Critical React Router Flaws: CVE-2025-61686 Exposes Server Files
Developers relying on the popular React Router library are being urged to patch their applications immediately following the disclosure of multiple high-severity vulnerabilities. The flaws, ranging from unauthorized file access to Cross-Site Scripting (XSS), threaten the integrity of web applications using both the react-router and @remix-run ecosystems. The most critical of the bunch, tracked as CVE-2025-61686, carries a devastating CVSS score of 9.1. This vulnerability strikes at the heart of session management, potentially allowing attackers to breach the server’s file system.
Source: SecurityOnline

Reborn in Rust: Muddy Water Evolves Tooling with RustyWater Implant
CloudSEK’s TRIAD recently identified a spearphishing campaign attributed to the Muddy Water APT group targeting multiple sectors across the Middle East, including diplomatic, maritime, financial, and telecom entities. The campaign uses icon spoofing and malicious Word documents to deliver Rust based implants capable of asynchronous C2, anti-analysis, registry persistence, and modular post-compromise capability expansion. Historically, Muddy Water has relied on PowerShell and VBS loaders for initial access and post-compromise operations. The introduction of Rust-based implants represents a notable tooling evolution toward more structured, modular, and low noise RAT capabilities.
Source: CloudSEK

WebRAT Malware Spread via Fake Vulnerability Exploits on GitHub
The WebRAT malware is being distributed through GitHub repositories that falsely claim to host proof-of-concept exploits for recently disclosed vulnerabilities. Previously spread via pirated software and game cheats, WebRAT is a backdoor with information-stealing capabilities, including credential theft for messaging platforms and cryptocurrency wallets, webcam spying, and screenshot capture.
Source: BleepingComputer

Operation PCPcat: Hunting a Next.js Credential Stealer That’s Already Compromised 59K Servers
Researchers monitoring a Docker honeypot uncovered a large-scale attack campaign exploiting vulnerabilities in Next.js and React to achieve remote code execution, credential theft, and persistent command-and-control access. The campaign, attributed to a group identifying as “PCP,” has already compromised over 59,000 servers in less than 48 hours, demonstrating industrial-scale exploitation and data exfiltration.
Source: Beelzebub AI

APT36 LNK-Based Malware Campaign Leveraging MSI Payload Delivery
A targeted malware campaign attributed to APT36 uses social engineering and malicious shortcut files disguised as government advisory PDFs. The attack chain delivers a hidden MSI payload that deploys a .NET loader, malicious DLLs, and registry-based persistence while displaying a decoy document to evade detection and maintain long-term access.
Source: CYFIRMA

UNG0801: Tracking Threat Clusters Obsessed With AV Icon Spoofing Targeting Israel
SEQRITE Labs has been tracking a persistent threat cluster, UNG0801, primarily targeting Israeli organizations through phishing campaigns written in Hebrew. The attackers heavily rely on antivirus icon spoofing, abusing trusted security vendor branding in malicious documents to increase user trust and drive follow-on compromise.
Source: Seqrite

Operation Artemis: Analysis of HWP-Based DLL Side Loading Attacks
Researchers identified an APT37 campaign dubbed “Artemis” that embeds malicious OLE objects inside HWP documents. The multi-stage attack leverages masquerading techniques and DLL side-loading within legitimate processes to evade signature-based detection and execute malicious payloads.
Source: Genians