Security News EN

Security Highlights Of The Day [20/01/26]

RansomHouse Claims Data Breach at Major Apple Contractor Luxshare
A ransomware and extortion group called RansomHouse claims to have breached Luxshare Precision Industry, a China-based key manufacturing partner and contractor of Apple Inc. The group published a victim profile on its dark web leak site, naming Luxshare and listing several of its major clients. The group’s post outlines Luxshare’s scale, revenue, and role across consumer electronics, communications, and automotive sectors. Apple is highlighted as a major client, alongside names like Nvidia, Meta, Qualcomm, and others. The post goes on to claim access to sensitive engineering data, including 3D CAD models, PCB design files, and internal documentation. The loss of such files would be serious for any hardware manufacturer.
Source: Hackread

From Extension to Infection: An In-Depth Analysis of the Evelyn Stealer Campaign Targeting Software Developers
On December 8, 2025, Koi.ai published their findings about a campaign specifically targeting software developers through weaponized Visual Studio Code extensions. Here, we’ll provide a more in-depth analysis of the multistage delivery of the Evelyn information stealer. Evelyn implements multiple anti-analysis techniques to evade detection in research and sandbox environments. It collects system information and harvests browser credentials through DLL injection, as well as files and information such as clipboard contents and Wi-Fi credentials. It can also capture screenshots and steal cryptocurrency wallets. The malware communicates with its command-and-control (C&C) server over FTP.
Source: Trend Micro

Weaponizing Calendar Invites: A Semantic Attack on Google Gemini
Our team recently discovered a vulnerability in Google’s ecosystem that allowed us to bypass Google Calendar’s privacy controls using a dormant payload hidden inside a standard calendar invite. This bypass enabled unauthorized access to private meeting data and the creation of deceptive calendar events without any direct user interaction. This is a powerful example of Indirect Prompt Injection leading to a critical Authorization Bypass. We responsibly disclosed the issue to Google’s security team, who confirmed the findings and mitigated the vulnerability. What makes this discovery notable isn’t simply the exploit itself. The vulnerability shows a structural limitation in how AI-integrated products reason about intent. Google has already deployed a separate language model to detect malicious prompts, and yet the path still existed, driven solely through natural language.
Source: Miggo

Pro-Russia Hacktivist Activity Continues to Target UK Organisations
Russian-aligned hacktivist groups continue to target the UK and global organisations by attempting to disrupt operations, take websites offline and disable services. In December 2025, the NCSC co-sealed an advisory highlighting that pro-Russian hacktivist groups have been conducting worldwide cyber operations against numerous organisations and critical infrastructure sectors. In particular, the group NoName057(16) has been active since March 2022 and has been conducting attacks against government and private sector entities in NATO member states and other European countries that are perceived as hostile to Russian geopolitical interests. These attacks have included frequent DDoS attempts against UK local government.
Source: UK NCSC

New StackWarp Hardware Flaw Breaks AMD SEV-SNP Protections on Zen 1–5 CPUs
A team of academics from the CISPA Helmholtz Center for Information Security in Germany has disclosed the details of a new hardware vulnerability affecting AMD processors. The security flaw, codenamed StackWarp, can allow bad actors with privileged control over a host server to run malicious code within confidential virtual machines (CVMs), undermining the integrity guarantees provided by AMD Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP). It impacts AMD Zen 1 through Zen 5 processors. AMD, which is tracking the vulnerability as CVE-2025-29943 (CVSS v4 score: 4.6), characterized it as a medium-severity, improper access control bug that could allow an admin-privileged attacker to alter the configuration of the CPU pipeline, causing the stack pointer to be corrupted inside an SEV-SNP guest.
Source: The Hacker News

Security Highlights Of The Day [16/01/26]

Hunting Lazarus: Inside the Contagious Interview C2 Infrastructure
In early January 2026, during routine vetting of a cryptocurrency project sourced via Upwork, Red Asgard’s threat research team discovered all three. The contractor—using a fake identity—had embedded malware in a legitimate-looking code repository. What followed was a five-day investigation into active Lazarus Group infrastructure. This article documents what we found.
Source: Red Asgard

ServiceNow Patches Critical AI Platform Flaw Allowing Unauthenticated User Impersonation
ServiceNow has disclosed details of a now-patched critical security flaw impacting its ServiceNow artificial intelligence (AI) Platform that could enable an unauthenticated user to impersonate another user and perform arbitrary actions as that user. The vulnerability, tracked as CVE-2025-12420, carries a CVSS score of 9.3 out of 10.0. It has been codenamed BodySnatcher by AppOmni. “This issue […] could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitled to perform,” the company said in an advisory released Monday.
Source: The Hacker News

Cisco Fixes AsyncOS Zero-Day Exploited since November
Cisco has finally patched a maximum-severity Cisco AsyncOS zero-day exploited in attacks against Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances since November 2025. As Cisco explained in December, when it disclosed the vulnerability (CVE-2025-20393), it affects only Cisco SEG and Cisco SEWM appliances with non-standard configurations when the Spam Quarantine feature is enabled and exposed on the Internet.
Source: BleepingComputer

LOTUSLITE Backdoor Targets U.S. Policy Entities Using Venezuela-Themed Spear Phishing
Security experts have disclosed details of a new campaign that has targeted U.S. government and policy entities using politically themed lures to deliver a backdoor known as LOTUSLITE. The targeted malware campaign leverages decoys related to the recent geopolitical developments between the U.S. and Venezuela to distribute a ZIP archive (“US now deciding what’s next for Venezuela.zip”) containing a malicious DLL that’s launched using DLL side-loading techniques. It’s not known if the campaign managed to successfully compromise any of the targets.
Source: The Hacker News

WhisperPair Attack Leaves Millions of Audio Accessories Open to Hijacking
A vulnerability in the Google Fast Pair implementation of Bluetooth audio accessories can be exploited to force connections to attacker-controlled devices, academic researchers warn. The critical-severity issue is tracked as CVE-2025-36911 and exists due to a logic error in the key-based pairing code, where devices fail to check if they are in pairing mode. Google Fast Pair enables fast pairing and account synchronization with Bluetooth accessories such as earbuds, headphones, and speakers, all with a single tap. The Fast Pair specification states that the pairing procedure should only be performed if the accessory is in pairing mode, but models from numerous brands do not check the pairing status of the device.
Source: SecurityWeek

Security Highlights Of The Day [15/01/26]

Inside China’s Hosting Ecosystem: 18,000+ Malware C2 Servers Mapped Across Major ISPs
Threat hunting often begins with a single indicator, such as a suspicious IP address, a beaconing domain, or a known malware family. Looking at those indicators individually makes the underlying infrastructure easy to miss. While analyzing malicious activity across Chinese hosting environments, we repeatedly observed the same networks and providers appearing across unrelated campaigns. Commodity malware, phishing operations, and state-linked tooling were often hosted side by side within the same infrastructure, even as individual IPs and domains changed.
Source: Hunt.io

Inside RedVDS: How a Single Virtual Desktop Provider Fueled Worldwide Cybercriminal Operations
Over the past year, Microsoft Threat Intelligence observed the proliferation of RedVDS, a virtual dedicated server (VDS) provider used by multiple financially motivated threat actors to commit business email compromise (BEC), mass phishing, account takeover, and financial fraud. Microsoft’s investigation into RedVDS services and infrastructure uncovered a global network of disparate cybercriminals purchasing and using them to target multiple sectors, including legal, construction, manufacturing, real estate, healthcare, and education in the United States, Canada, United Kingdom, France, Germany, Australia, and countries with substantial banking infrastructure targets that have a higher potential for financial gain. In collaboration with law enforcement agencies worldwide, Microsoft’s Digital Crimes Unit (DCU) recently facilitated a disruption of RedVDS infrastructure and related operations.
Source: Microsoft Security Blog

UAT-8837 Targets Critical Infrastructure Sectors in North America
Cisco Talos is closely tracking UAT-8837, a threat actor we assess with medium confidence is a China-nexus advanced persistent threat (APT) actor, based on overlaps in tactics, techniques, and procedures (TTPs) with those of other known China-nexus threat actors. Based on UAT-8837’s TTPs and post-compromise activity Talos has observed across multiple intrusions, we assess with medium confidence that this actor is primarily tasked with obtaining initial access to high-value organizations. Although UAT-8837’s targeting may appear sporadic, since at least 2025 the group has clearly focused on targets within critical infrastructure sectors in North America.
Source: Cisco Talos

Hackers Exploit c-ares DLL Side-Loading to Bypass Security and Deploy Malware
Security experts have disclosed details of an active malware campaign that’s exploiting a DLL side-loading vulnerability in a legitimate binary associated with the open-source c-ares library to bypass security controls and deliver a wide range of commodity trojans and stealers. “Attackers achieve evasion by pairing a malicious libcares-2.dll with any signed version of the legitimate ahost.exe (which they often rename) to execute their code,” Trellix said in a report shared with The Hacker News. “This DLL side-loading technique allows the malware to bypass traditional signature-based security defenses.” The campaign has been observed distributing a wide assortment of malware, such as Agent Tesla, CryptBot, Formbook, Lumma Stealer, Vidar Stealer, Remcos RAT, Quasar RAT, DCRat, and XWorm.
Source: The Hacker News

New ‘Reprompt’ Attack Silently Siphons Microsoft Copilot Data
Security researchers at Varonis have discovered a new attack that allowed them to exfiltrate user data from Microsoft Copilot using a single malicious link. Dubbed Reprompt, the attack bypassed the LLM’s data leak protections and allowed for persistent session exfiltration even after Copilot was closed, Varonis says. The attack leverages a Parameter 2 Prompt (P2P) injection, a double-request technique, and a chain-request technique to enable continuous, undetectable data exfiltration. The Reprompt Copilot attack starts with the exploitation of the ‘q’ parameter, which is used on AI platforms to deliver a user’s query or prompt via a URL. All it takes is for the user to click on the link.
Source: SecurityWeek

Security Highlights Of The Day [14/01/26]

Threat Brief: MongoDB Vulnerability (CVE-2025-14847)
On Dec. 19, 2025, MongoDB publicly disclosed MongoBleed, a security vulnerability (CVE-2025-14847) that allows unauthenticated attackers to leak sensitive heap memory by exploiting a trust issue in how MongoDB Server handles zlib-compressed network messages. This flaw occurs prior to authentication, meaning an attacker only needs network access to the database’s default port to trigger it.
Source: Palo Alto Networks Unit 42

Fortinet Fixes Critical FortiSIEM Flaw Allowing Unauthenticated Remote Code Execution
Fortinet has released updates to fix a critical security flaw impacting FortiSIEM that could allow an unauthenticated attacker to achieve code execution on susceptible instances. The operating system (OS) injection vulnerability, tracked as CVE-2025-64155, is rated 9.4 out of 10.0 on the CVSS scoring system. “An improper neutralization of special elements used in an OS command (‘OS command injection’) vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests,” the company said in a Tuesday bulletin.
Source: The Hacker News

Critical Node.js Vulnerability Can Cause Server Crashes via async_hooks Stack Overflow
Node.js has released updates to fix what it described as a critical security issue impacting “virtually every production Node.js app” that, if successfully exploited, could trigger a denial-of-service (DoS) condition. “Node.js/V8 makes a best-effort attempt to recover from stack space exhaustion with a catchable error, which frameworks have come to rely on for service availability,” Node.js’s Matteo Collina and Joyee Cheung said in a Tuesday bulletin.
Source: The Hacker News

Microsoft January 2026 Patch Tuesday: 115 Vulnerabilities Fixed
Microsoft has released its first Patch Tuesday of 2026, delivering a massive wave of security fixes to protect users from various digital threats. This month, the tech giant addressed 115 vulnerabilities, out of which eight are considered Critical, the highest risk level, while 106 are labelled Important. For those unfamiliar with the term, Patch Tuesday is the day Microsoft regularly releases updates to fix security holes. This January, the updates cover everything from Windows 11 and Microsoft Office to the Edge browser.
Source: Hackread

“Untrustworthy Fund”: Targeted UAC-0190 Cyberattacks Against SOU Using PLUGGYAPE
During October-December 2025, the National Cyber Incident Response Team, Cyber Attacks, and Cyber Threats CERT-UA, in cooperation with the Cyber Incident Response Team of the Armed Forces of Ukraine (military unit A0334), took measures to investigate a number of targeted cyber attacks against representatives of the Defense Forces of Ukraine, carried out under the guise of charitable foundation activities using the PLUGGYAPE software tool. Based on certain characteristics, the activity is associated with a medium level of confidence with the activities of a group known as Void Blizzard (Laundry Bear), which is tracked under the identifier UAC-0190. To implement the malicious plan, the target of the cyberattack is encouraged via instant messengers to visit a website that imitates the webpage of a supposedly charitable foundation, from which they are invited to download “documents” – executable files, which are usually located in a password-protected archive.
Source: CERT-UA

Security Highlights Of The Day [13/01/26]

Hidden Telegram Proxy Links Can Reveal Your IP Address in One Click
A single click on what may appear to be a Telegram username or harmless link is all it takes to expose your real IP address to attackers due to how proxy links are handled. Telegram tells BleepingComputer it will now add warnings to proxy links after researchers demonstrated that specially crafted links could be used to reveal a Telegram user’s real IP address without any further confirmation.
Source: BleepingComputer

Everest Ransomware Claims Breach at Nissan, Says 900GB of Data Stolen
The notorious Everest ransomware group claims to have breached Nissan Motor Corporation (Nissan Motor Co., Ltd.), the Japanese multinational automobile manufacturer. The group published its claims on its dark web leak site on January 10, 2026, sharing six screenshots allegedly taken from the stolen data. They also revealed a directory structure showing ZIP archives, text files, Excel sheets, and CSV documents. Based on the leaked screenshots published by the Everest ransomware group, the material appears to include directory structures and internal records allegedly linked to Nissan.
Source: Hackread

Target’s Dev Server Offline After Hackers Claim to Steal Source Code
Hackers are claiming to be selling internal source code belonging to Target Corporation, after publishing what appears to be a sample of stolen code repositories on a public software development platform. Last week, an unknown threat actor created multiple repositories on Gitea that appeared to contain portions of Target’s internal code and developer documentation. The repositories were presented as a preview of a much larger dataset allegedly being offered for sale to buyers on an underground forum or private channel.
Source: BleepingComputer

CISA Orders Feds to Patch Gogs RCE Flaw Exploited in Zero-Day Attacks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered government agencies to secure their systems against a high-severity Gogs vulnerability that was exploited in zero-day attacks. Designed as an alternative to GitLab or GitHub Enterprise and written in Go, Gogs is often exposed online for remote collaboration. Tracked as CVE-2025-8110, this remote code execution (RCE) security flaw stems from a path traversal weakness in the PutContents API and allows authenticated attackers to bypass protections implemented for a previously patched RCE bug (CVE-2024-55947) by overwriting files outside the repository via symbolic links.
Source: BleepingComputer

Unveiling VoidLink – A Stealthy, Cloud-Native Linux Malware Framework
In December 2025, Check Point Research identified a small cluster of previously unseen Linux malware samples that appear to originate from a Chinese-affiliated development environment. Many of the binaries included debug symbols and other development artifacts, suggesting we were looking at in-progress builds rather than a finished, widely deployed tool. The speed and variety of changes across the samples indicate a framework that is being iterated upon quickly to achieve broader, real-world use. The framework, internally referred to by its original developers as VoidLink, is a cloud-first implant written in Zig and designed to operate in modern infrastructure. It can recognize major cloud environments and detect when it is running inside Kubernetes or Docker, then tailor its behavior accordingly. VoidLink also harvests credentials associated with cloud environments and standard source code version control systems, such as Git, indicating that software engineers may be a potential target, either for espionage activities or possible future supply-chain-based attacks.
Source: Check Point Research

Security Highlights Of The Day [12/01/26]

Max Severity Ni8mare Flaw Impacts Nearly 60,000 n8n Instances
Nearly 60,000 n8n instances exposed online remain unpatched against a maximum-severity vulnerability dubbed “Ni8mare.” n8n is an open-source workflow automation platform that allows users to connect different applications and services via pre-built connectors and a visual, node-based interface to automate repetitive tasks without writing code. The automation platform is widely used in AI development to automate data ingestion and build AI agents and RAG pipelines. It has over 100 million pulls on Docker Hub and over 50,000 weekly downloads on npm. Since n8n serves as a central automation hub, it often stores API keys, OAuth tokens, database credentials, cloud storage access, CI/CD secrets, and business data, making it an attractive target for threat actors.
Source: BleepingComputer

In-Depth Analysis Report on LockBit 5.0: Operation and Countermeasures
Since its first appearance in September 2019, LockBit has been known as one of the most notorious and active Ransomware-as-a-Service (RaaS) groups worldwide. LockBit operates on the RaaS model and is characterized by sophisticated encryption technology and automated propagation capabilities. Initial access is typically gained through vulnerability exploits, brute force attacks, phishing, or leaked login credentials, and the attack follows a three-stage process: initial access, lateral movement and privilege escalation, and ransomware deployment. The group also uses the Stealbit tool to exfiltrate data. From August 2021 to August 2022, LockBit accounted for 30.25% of known ransomware attacks, and in 2023, it made up around 21% of the attacks. The group’s extortion demands and recovery costs have resulted in billions of dollars in losses. Despite the efforts of law enforcement agencies, LockBit continues to pose a serious threat to cybersecurity worldwide. The LockBit 5.0 ransomware group operates the DLS website, which lists the companies that have been successfully breached by the group. While no South Korean companies are included on the list, many foreign companies have been identified as victims. The group has launched ransomware attacks against companies in a wide range of industries, including IT, electronics, law firms, and churches.
Source: AhnLab ASEC

Threat Actors Actively Targeting LLMs
Our Ollama honeypot infrastructure captured 91,403 attack sessions between October 2025 and January 2026. Buried in that data: two distinct campaigns that reveal how threat actors are systematically mapping the expanding surface area of AI deployments. GreyNoise customers have received an Executive Situation Report (SITREP) including IOCs and other valuable intelligence from this investigation. Customers, please check your inbox. The first campaign exploited server-side request forgery vulnerabilities—tricks that force your server to make outbound connections to attacker-controlled infrastructure. The campaign ran from October 2025 through January 2026, with a dramatic spike over Christmas—1,688 sessions in 48 hours. Attackers used ProjectDiscovery’s OAST (Out-of-band Application Security Testing) infrastructure to confirm successful SSRF exploitation via callback validation.
Source: GreyNoise

Critical React Router Flaws: CVE-2025-61686 Exposes Server Files
Developers relying on the popular React Router library are being urged to patch their applications immediately following the disclosure of multiple high-severity vulnerabilities. The flaws, ranging from unauthorized file access to Cross-Site Scripting (XSS), threaten the integrity of web applications using both the react-router and @remix-run ecosystems. The most critical of the bunch, tracked as CVE-2025-61686, carries a devastating CVSS score of 9.1. This vulnerability strikes at the heart of session management, potentially allowing attackers to breach the server’s file system.
Source: SecurityOnline

Reborn in Rust: Muddy Water Evolves Tooling with RustyWater Implant
CloudSEK’s TRIAD recently identified a spearphishing campaign attributed to the Muddy Water APT group targeting multiple sectors across the Middle East, including diplomatic, maritime, financial, and telecom entities. The campaign uses icon spoofing and malicious Word documents to deliver Rust-based implants capable of asynchronous C2, anti-analysis, registry persistence, and modular post-compromise capability expansion. Historically, Muddy Water has relied on PowerShell and VBS loaders for initial access and post-compromise operations. The introduction of Rust-based implants represents a notable tooling evolution toward more structured, modular, and low-noise RAT capabilities.
Source: CloudSEK

Security Highlights Of The Day [29/12/25]

WebRAT Malware Spread via Fake Vulnerability Exploits on GitHub
The WebRAT malware is being distributed through GitHub repositories that falsely claim to host proof-of-concept exploits for recently disclosed vulnerabilities. Previously spread via pirated software and game cheats, WebRAT is a backdoor with information-stealing capabilities, including credential theft for messaging platforms and cryptocurrency wallets, webcam spying, and screenshot capture.
Source: BleepingComputer

Operation PCPcat: Hunting a Next.js Credential Stealer That’s Already Compromised 59K Servers
Researchers monitoring a Docker honeypot uncovered a large-scale attack campaign exploiting vulnerabilities in Next.js and React to achieve remote code execution, credential theft, and persistent command-and-control access. The campaign, attributed to a group identifying as “PCP,” has already compromised over 59,000 servers in less than 48 hours, demonstrating industrial-scale exploitation and data exfiltration.
Source: Beelzebub AI

APT36 LNK-Based Malware Campaign Leveraging MSI Payload Delivery
A targeted malware campaign attributed to APT36 uses social engineering and malicious shortcut files disguised as government advisory PDFs. The attack chain delivers a hidden MSI payload that deploys a .NET loader, malicious DLLs, and registry-based persistence while displaying a decoy document to evade detection and maintain long-term access.
Source: CYFIRMA

UNG0801: Tracking Threat Clusters Obsessed With AV Icon Spoofing Targeting Israel
SEQRITE Labs has been tracking a persistent threat cluster, UNG0801, primarily targeting Israeli organizations through phishing campaigns written in Hebrew. The attackers heavily rely on antivirus icon spoofing, abusing trusted security vendor branding in malicious documents to increase user trust and drive follow-on compromise.
Source: Seqrite

Operation Artemis: Analysis of HWP-Based DLL Side Loading Attacks
Researchers identified an APT37 campaign dubbed “Artemis” that embeds malicious OLE objects inside HWP documents. The multi-stage attack leverages masquerading techniques and DLL side-loading within legitimate processes to evade signature-based detection and execute malicious payloads.
Source: Genians

Security Highlights Of The Day [24/12/25]

Two Chrome Extensions Caught Secretly Stealing Credentials from Over 170 Sites
Cybersecurity researchers have discovered two malicious Google Chrome extensions with the same name and published by the same developer that come with capabilities to intercept traffic and capture user credentials. The extensions are advertised as a “multi-location network speed test plug-in” and, once users subscribe, route traffic from more than 170 domains through attacker-controlled infrastructure, enabling large-scale data exfiltration.
Source: The Hacker News

Microsoft Teams Strengthens Messaging Security by Default in January
Microsoft announced that Teams will automatically enable messaging safety features by default starting January 12, 2026, for tenants using default configurations. The update activates protections against weaponizable file types, malicious URLs, and introduces a system for reporting false positives, improving defenses against malicious content shared in chats.
Source: BleepingComputer

Ransomware Hits Romanian Water Authority, 1000 Systems Knocked Offline
Romania’s national water authority is recovering from a ransomware attack that began on December 20, 2025, impacting approximately 1,000 systems, including workstations, email services, and web servers. Authorities classify the incident as a national security concern due to the critical infrastructure role of water management.
Source: Hackread

Critical n8n Flaw (CVSS 9.9) Enables Arbitrary Code Execution Across Thousands of Instances
A critical vulnerability tracked as CVE-2025-68613 has been disclosed in the n8n workflow automation platform. Under specific conditions, expressions supplied during workflow configuration may be evaluated in an insufficiently isolated execution context, potentially leading to arbitrary code execution.
Source: The Hacker News

Zero-Day Alert: Linksys Auth Bypass Lets Hackers Hijack Routers Without Passwords
Researchers disclosed a zero-day vulnerability (CVE-2025-52692) in the Linksys E9450-SG router that allows attackers on the local network to bypass authentication and gain full control of the device. The flaw enables activation of a hidden Telnet service without requiring a password, highlighting ongoing risks in consumer router security.
Source: Security Online

Security Highlights Of The Day [23/12/25]

ATM Hackers Using ‘Ploutus’ Malware Charged in US
The US Department of Justice has charged 54 individuals for their involvement in a large-scale ATM jackpotting campaign using the Ploutus malware family. The suspects are linked to the Venezuelan crime syndicate Tren de Aragua and face severe penalties, including decades-long prison sentences, for bank fraud, computer hacking, and money laundering.
Source: SecurityWeek

Hackers Abuse Popular Monitoring Tool Nezha as a Stealth Trojan
Researchers discovered that the open-source monitoring tool Nezha is being repurposed as a Remote Access Trojan (RAT). Because Nezha is legitimate software widely used by administrators and shows zero antivirus detections, attackers are exploiting it to gain persistent, stealthy access to compromised systems.
Source: Hackread

MacSync macOS Malware Distributed via Signed Swift Application
Jamf reports that MacSync Stealer, a macOS information-stealing malware, is now being distributed through a signed Swift application, removing the need for terminal-based execution. The malware has evolved from the earlier Mac.c stealer and now includes full backdoor functionality via a Go-based agent.
Source: SecurityWeek

Critical RCE Flaw Impacts Over 115,000 WatchGuard Firewalls
More than 115,000 internet-exposed WatchGuard Firebox devices remain vulnerable to an actively exploited remote code execution flaw (CVE-2025-14733). Successful exploitation allows unauthenticated attackers to execute arbitrary code, particularly on devices configured with IKEv2 VPN services.
Source: BleepingComputer

ClickFix Used to Deploy Stealc and Qilin Ransomware
Sophos researchers detail how the ClickFix social-engineering technique is being used to deploy Stealc infostealers and facilitate Qilin ransomware attacks. Victims are tricked into following fake human-verification steps on compromised websites, leading to malware installation and later ransomware deployment.
Source: Sophos

Security Highlights Of The Day [22/12/25]

China-Aligned Threat Group Uses Windows Group Policy to Deploy Espionage Malware
A previously undocumented China-aligned threat cluster dubbed LongNosedGoblin has been linked to cyber espionage attacks noted in Southeast Asia and Japan. According to ESET, the group leverages Windows Group Policy to deploy malware across compromised networks and abuses cloud services such as Microsoft OneDrive and Google Drive for command-and-control operations.
Source: The Hacker News

Coordinated Credential-Based Campaign Targets Cisco and Palo Alto Networks VPN Gateways
GreyNoise is tracking a coordinated, automated credential-based campaign targeting enterprise VPN authentication infrastructure, including Cisco SSL VPN and Palo Alto Networks GlobalProtect. The activity consists of large-scale scripted login attempts rather than vulnerability exploitation and appears to be a single campaign pivoting across multiple VPN platforms.
Source: GreyNoise

Lazarus Group Embeds New BeaverTail Variant in Developer Tools
Darktrace research has identified a new variant of the JavaScript-based BeaverTail infostealer linked to North Korea’s Lazarus Group. The malware is distributed through fake job offers that lure developers into downloading tools supposedly required for technical interviews, which instead compromise victim systems.
Source: Hackread

Clop Ransomware Targets Gladinet CentreStack in Data Theft Attacks
The Clop ransomware gang is targeting internet-exposed Gladinet CentreStack file servers as part of a new data theft extortion campaign. Attackers are actively scanning for exposed servers, breaching them, and leaving ransom notes, despite previous security updates released by Gladinet to address exploited vulnerabilities.
Source: BleepingComputer

Rust’s First Breach: CVE-2025-68260 Marks the First Rust Vulnerability in the Linux Kernel
A vulnerability tracked as CVE-2025-68260 has been fixed in the Linux kernel, marking the first officially assigned CVE for Rust code in the mainline kernel. The issue affects the Rust-based Android Binder driver and could lead to system crashes due to unsafe concurrent manipulation of linked list elements.
Source: Security Online