UNC6201 Exploits Dell RecoverPoint for Virtual Machines Zero-Day
Mandiant and Google Threat Intelligence Group identified active zero-day exploitation of a critical vulnerability in Dell RecoverPoint for Virtual Machines, tracked as CVE-2026-22769 with a CVSS score of 10.0. The threat cluster UNC6201, assessed as PRC-linked, has exploited the flaw since at least mid-2024 to move laterally, maintain persistence, and deploy malware including SLAYSTYLE, BRICKSTORM, and a newly identified backdoor named GRIMBOLT.
Source: Google Cloud Blog

Spam Campaign Abuses Atlassian Jira Cloud to Target Government and Corporate Entities
Threat actors abused Atlassian Jira Cloud and its connected email system to conduct automated spam campaigns, bypassing traditional email security controls by leveraging the trusted domain reputation of Atlassian products. The campaign, active from late December 2025 through late January 2026, primarily targeted government and corporate entities and redirected victims to investment scams and online casino pages.
Source: Trend Micro

Vulnerabilities in Popular PDF Platforms Enabled Account Takeover and Data Exfiltration
Researchers uncovered more than a dozen vulnerabilities in PDF platforms developed by Foxit and Apryse that could have enabled account takeover, data exfiltration, and other attacks. The issues were responsibly disclosed, and both vendors have released patches addressing the reported flaws.
Source: SecurityWeek

Notepad++ Fixes Hijacked Update Mechanism Used to Deliver Targeted Malware
Notepad++ released version 8.9.2 to address abuse of its software update mechanism by an advanced threat actor. The updated release introduces additional verification controls for signed installers downloaded from GitHub and signed XML responses from the update server, strengthening the integrity of the update process.
Source: The Hacker News

Flaws in Popular VSCode Extensions Expose Developers to Attacks
High and critical severity vulnerabilities affecting widely used Visual Studio Code extensions, collectively downloaded more than 128 million times, could be exploited to steal local files and execute remote code. Affected extensions include Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview. Researchers report that prior disclosure attempts did not receive a response from maintainers.
Source: BleepingComputer

BeyondTrust Patches Critical RCE Vulnerability
BeyondTrust has released patches for a critical vulnerability in Remote Support (RS) and Privileged Remote Access (PRA) that could allow unauthenticated remote code execution. Tracked as CVE-2026-1731 (CVSS 9.9), the flaw can be exploited via specially crafted requests to execute OS commands as the site user. Successful exploitation requires no authentication or user interaction and may result in system compromise, unauthorized access, data exfiltration, and service disruption. The issue affects RS versions 25.3.1 and earlier and PRA versions 24.3.4 and earlier. Approximately 8,500 internet-exposed on-prem RS deployments are believed to be potentially affected.
Source: SecurityWeek

Fortinet Patches Critical SQL Injection Flaw Allowing Unauthenticated Code Execution
Fortinet has issued security updates addressing CVE-2026-21643 (CVSS 9.1), a critical SQL injection vulnerability in FortiClientEMS. The flaw allows unauthenticated attackers to execute arbitrary code or commands via specially crafted HTTP requests. Improper neutralization of special elements in SQL commands enables remote exploitation without authentication. Organizations using vulnerable FortiClientEMS versions are advised to apply patches immediately to prevent system compromise.
Source: The Hacker News

Warlock Ransomware Breaches SmarterTools via Unpatched SmarterMail Server
SmarterTools confirmed that the Warlock (Storm-2603) ransomware group breached its network by exploiting an unpatched SmarterMail instance. The compromised server had not been updated to the latest version and was reportedly set up outside standard patch management oversight. Although approximately 30 SmarterMail servers were deployed across the network, one unmaintained VM enabled initial access. SmarterTools stated that core business applications and customer account data were not affected.
Source: The Hacker News

Largest Multi-Agency Cyber Operation Targets APT UNC3886 in Singapore
Singapore authorities disclosed that Advanced Persistent Threat actor UNC3886 conducted a deliberate and targeted campaign against the country’s telecommunications sector. All four major telecom operators – M1, SIMBA Telecom, Singtel, and StarHub – were targeted. The campaign was identified in July 2025, with operational details withheld to preserve security. The coordinated response involved multiple agencies to contain and counter the threat posed to critical infrastructure.
Source: Cyber Security Agency of Singapore

New SSHStalker Linux Botnet Uses Legacy Exploits and IRC-Based Control
A newly identified Linux botnet dubbed SSHStalker relies on exploitation techniques dating back to 2009. The botnet uses IRC-based command and control, multiple Linux kernel exploits, cron-based persistence mechanisms, and watchdog relaunch models. It deploys scanners and additional malware across infected systems. While artifacts resemble Romanian-linked botnet campaigns such as Outlaw and Dota, researchers have not confirmed a direct link, suggesting a derivative or copycat operator may be responsible.
Source: SecurityWeek

UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering
North Korean threat actors continue to evolve their tradecraft to target the cryptocurrency and decentralized finance (DeFi) verticals. Mandiant recently investigated an intrusion targeting a FinTech entity within this sector, attributed to UNC1069, a financially motivated threat actor active since at least 2019. This investigation revealed a tailored intrusion resulting in the deployment of seven unique malware families, including a new set of tooling designed to capture host and victim data: SILENCELIFT, DEEPBREATH and CHROMEPUSH. The intrusion relied on a social engineering scheme involving a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported usage of AI-generated video to deceive the victim.
Source: Google Cloud

TeamPCP Worm Exploits Cloud Infrastructure to Build Criminal Infrastructure
Cybersecurity researchers have called attention to a massive campaign that has systematically targeted cloud native environments to set up malicious infrastructure for follow-on exploitation. The activity, observed around December 25, 2025, and described as worm-driven, leveraged exposed Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers, along with the recently disclosed React2Shell (CVE-2025-55182, CVSS score: 10.0) vulnerability. The campaign has been attributed to a threat cluster known as TeamPCP (aka DeadCatx3, PCPcat, PersyPCP, and ShellForce). TeamPCP is known to be active since at least November 2025, with the first instance of Telegram activity dating back to July 30, 2025. The TeamPCP Telegram channel currently has over 700 members, where the group publishes stolen data from diverse victims across Canada, Serbia, South Korea, the U.A.E., and the U.S. Details of the threat actor were first documented by Beelzebub in December 2025 under the name Operation PCPcat.
Source: The Hacker News

Recent SolarWinds Flaws Potentially Exploited as Zero-Days
Attacks targeting internet-accessible SolarWinds Web Help Desk (WHD) instances for initial access may have exploited recently patched vulnerabilities as zero-days, Microsoft says. As part of a multi-stage intrusion in December 2025, hackers compromised the vulnerable WHD deployments to spawn PowerShell and download and execute additional payloads. However, Microsoft says it could not confirm whether the hackers exploited new or older SolarWinds vulnerabilities known to be exploited in the wild. The tech giant says the compromised product was vulnerable to CVE-2025-40551 and CVE-2025-40536, both patched in January 2026, but also to CVE-2025-26399, which was fixed in September 2025.
Source: SecurityWeek

Fortinet Admits FortiGate SSO Bug Still Exploitable despite December Patch
Fortinet has confirmed that attackers are actively bypassing a December patch for a critical FortiCloud single sign-on (SSO) authentication flaw after customers reported suspicious logins on devices supposedly fully up to date. In a new advisory, Fortinet said it had identified a fresh attack path being used to abuse SAML-based SSO in FortiOS, even on systems that had already applied the vendor’s earlier fix. The disclosure follows reports earlier this week that FortiGate firewalls were quietly reconfigured via compromised SSO accounts, with attackers altering firewall settings, creating backdoor admin users, and exfiltrating configuration files.
Source: The Register

Germany Warns of Signal Account Hijacking Targeting Senior Figures
Germany’s domestic intelligence agency is warning of suspected state-sponsored threat actors targeting high-ranking individuals in phishing attacks via messaging apps like Signal. The attacks combine social engineering with legitimate features to steal data from politicians, military officers, diplomats, and investigative journalists in Germany and across Europe. The security advisory is based on intelligence collected by the Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI). A defining characteristic of this attack campaign is that no malware is used, nor are technical vulnerabilities in the messaging services exploited, the two agencies said.
Source: BleepingComputer

Hunting OpenClaw Exposures: CVE-2026-25253 in Internet-Facing AI Agent Gateways
In reaction to the recent CVE-2026-25253, the research team analyzed how this vulnerability appears in real-world deployments and what could be identified at internet scale using Hunt[.]io. The analysis focused on internet-exposed browser automation frameworks affected by CVE-2026-25253, including OpenClaw and its forks Clawdbot and Moltbot, which expose web-based control interfaces that store API credentials for multiple AI services. When deployed without proper access controls, these interfaces are directly reachable from the public internet.
Source: Hunt.io

New Clickfix Variant ‘CrashFix’ Deploying Python Remote Access Trojan
In January 2026, Microsoft Defender Experts identified a new evolution in the ongoing ClickFix campaign. This updated tactic deliberately crashes victims’ browsers and then attempts to lure users into executing malicious commands under the pretext of restoring normal functionality. This variant represents a notable escalation in ClickFix tradecraft, combining user disruption with social engineering to increase execution success while reducing reliance on traditional exploit techniques. The newly observed behavior has been designated CrashFix, reflecting a broader rise in browser-based social engineering combined with living-off-the-land binaries and Python-based payload delivery. Threat actors are increasingly abusing trusted user actions and native OS utilities to bypass traditional defences, making behaviour-based detection and user awareness critical.
Source: Microsoft Security Blog

Brew Hijack: Serving Malware Over Homebrew’s Core Tap
Most of the time, when software is installed, the download is assumed to be secure due to HTTPS and checksum verification. However, research revealed that within Homebrew’s core cask system, some packages are downloaded over plain HTTP without integrity verification. Twenty casks in the official tap were found vulnerable to trivial man-in-the-middle attacks, allowing attackers on the network path to replace legitimate payloads with malware.
Source: Koi.ai

React Server Components Exploitation Consolidates as Two IPs Generate Majority of Attack Traffic
Two months after CVE-2025-55182 was disclosed on December 3, 2025, exploitation activity targeting React Server Components has consolidated significantly. GreyNoise telemetry shows that two IP addresses now account for 56% of observed exploitation attempts, down from more than a thousand unique sources. One source deploys cryptomining payloads, while the other opens reverse shells directly to the scanner IP, highlighting distinct post-exploitation behaviours.
Source: GreyNoise

Flickr Security Incident Tied to Third-Party Email System
Flickr has notified users of a security incident involving a third-party email service provider that exposed personal information. The company stated that a vulnerability in the provider’s system may have allowed unauthorized access to member data. Exposed information includes names, email addresses, usernames, account types, IP addresses, general location data, and Flickr activity details. Access to the affected system was shut down within hours of discovery.
Source: SecurityWeek

Critical Sandbox Escape Flaw Found In Popular vm2 NodeJS Library
A critical-severity vulnerability in the vm2 Node.js sandbox library, tracked as CVE-2026-22709, allows escaping the sandbox and executing arbitrary code on the underlying host system. The open-source vm2 library creates a secure context to allow users to execute untrusted JavaScript code that does not have access to the filesystem. vm2 has historically been seen in SaaS platforms that support user script execution, online code runners, chatbots, and open-source projects, being used in more than 200,000 projects on GitHub. The project was discontinued in 2023, though, due to repeated sandbox-escape vulnerabilities, and considered unsafe for running untrusted code.
Source: BleepingComputer

Fortinet Blocks Exploited FortiCloud SSO Zero Day Until Patch Is Ready
Fortinet has confirmed a new, actively exploited critical FortiCloud single sign-on (SSO) authentication bypass vulnerability, tracked as CVE-2026-24858, and says it has mitigated the zero-day attacks by blocking FortiCloud SSO connections from devices running vulnerable firmware versions. The flaw allows attackers to abuse FortiCloud SSO to gain administrative access to FortiOS, FortiManager, and FortiAnalyzer devices registered to other customers, even when those devices were fully patched against a previously disclosed vulnerability.
Source: BleepingComputer

CISA Adds Five Known Exploited Vulnerabilities To Catalog
CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. The newly added flaws include vulnerabilities affecting the Linux kernel, Microsoft Office, GNU InetUtils, and SmarterTools SmarterMail, underscoring continued exploitation of long-known and recently disclosed weaknesses across widely deployed software.
Source: CISA

Investigation Into International “ATM Jackpotting” Scheme Results In Additional Indictments
A federal grand jury in the District of Nebraska returned an additional indictment charging 31 individuals for their roles in a large conspiracy to deploy malware and steal millions of dollars from ATMs in the United States, a crime commonly referred to as ATM jackpotting. Fifty-six others had already been charged. The case involves Venezuelan and Colombian nationals, including members of the Tren de Aragua group, and includes charges related to bank fraud, bank burglary, computer fraud, and damage to protected computers.
Source: U.S. Department of Justice

SoundCloud Data Breach Exposes Email Addresses Of Millions Of Users
In December 2025, SoundCloud disclosed unauthorized activity that allowed attackers to map publicly available profile information to email addresses for approximately 20% of its users. The exposed data included tens of millions of email addresses, usernames, and related profile metadata. Attackers later attempted extortion before publicly releasing the dataset the following month.
Source: BleepingComputer

Critical CERT-In Advisories – January 2026: SAP, Microsoft, and Atlassian Vulnerabilities
January 2026 was a wake-up month for enterprise security teams. In a single week, CERT-In released three high-severity advisories exposing critical flaws across SAP, Microsoft, and Atlassian, the very platforms that run finance systems, identity layers, developer pipelines, and collaboration tools inside most enterprises. These weren’t theoretical bugs. One Windows vulnerability was already being exploited in the wild. While others enabled remote code execution, privilege escalation, data theft, and full system takeover. If your organization runs SAP S/4HANA, Windows, Azure, Jira, Confluence, or Bitbucket, this wasn’t a patch cycle you could afford to ignore. This article breaks down what was affected, how attackers could abuse these flaws, and exactly what security teams must do to stay ahead before these vulnerabilities turn into breaches.
Source: Security Boulevard

Hackers Targeting Cisco Unified CM Zero-Day
Cisco on Wednesday announced patches for yet another zero-day vulnerability targeted by threat actors. The flaw, tracked as CVE-2026-20045 and classified as critical, affects several of Cisco’s unified communications products, including Cisco Unified Communications Manager (CM) and its Session Management Edition (SME), Unified CM IM & Presence Service, Unity Connection, and Webex Calling Dedicated Instance. According to Cisco, a remote, unauthenticated attacker can exploit CVE-2026-20045 to execute malicious commands on the underlying OS of the device.
Source: SecurityWeek

Fortinet Admits FortiGate SSO Bug Still Exploitable despite December Patch
Fortinet has confirmed that attackers are actively bypassing a December patch for a critical FortiCloud single sign-on (SSO) authentication flaw after customers reported suspicious logins on devices supposedly fully up to date. In a new advisory, Fortinet said it had identified a fresh attack path being used to abuse SAML-based SSO in FortiOS, even on systems that had already applied the vendor’s earlier fix. The disclosure follows reports earlier this week that FortiGate firewalls were quietly reconfigured via compromised SSO accounts, with attackers altering firewall settings, creating backdoor admin users, and exfiltrating configuration files.
Source: The Register

Nova Ransomware Claims Breach of KPMG Netherlands
KPMG Netherlands has allegedly become the latest target of the Nova ransomware group, following claims that sensitive data was accessed and exfiltrated. The incident was reported by ransomware monitoring services on 23 January 2026, with attackers claiming the breach occurred on the same day. Nova has reportedly issued a ten-day deadline for contact and ransom negotiations, a tactic commonly used by ransomware groups to pressure large organisations. The group has established a reputation for targeting professional services firms and financial sector entities that manage high-value and confidential client information.
Source: Dig.watch

Access System Flaws Enabled Hackers to Unlock Doors at Major European Firms
Vulnerabilities discovered by researchers in Dormakaba physical access control systems could have allowed hackers to remotely open doors at major organizations. The security holes were discovered by experts at SEC Consult, a cybersecurity consulting firm under Atos-owned Eviden, in Dormakaba’s Exos central management software, a hardware access manager, and registration units that enable entry via a keypad, fingerprint reader, or chip card. Several types of vulnerabilities were identified, including hardcoded credentials and encryption keys, weak passwords, lack of authentication, insecure password generation, local privilege escalation, data exposure, path traversal, and command injection issues.
Source: SecurityWeek

Microsoft zakrpa aktivno iskorištavanu zero-day ranjivost u Officeu
Microsoft je objavio hitne izvanredne sigurnosne zakrpe za ispravljanje zero-day ranjivosti visoke ozbiljnosti u Microsoft Officeu koja se aktivno iskorištava u napadima. Ranjivost zaobilaženja sigurnosne značajke, praćena pod oznakom CVE-2026-21509, pogađa više verzija Officea, uključujući Microsoft Office 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024 i Microsoft 365 Apps for Enterprise (cloud pretplatničku uslugu). Kako je navedeno u današnjem sigurnosnom upozorenju, zakrpe za Microsoft Office 2016 i 2019 još nisu dostupne te će biti objavljene čim to bude moguće.
Izvor: BleepingComputer

Gotovo 800.000 Telnet poslužitelja izloženo udaljenim napadima
Internet sigurnosna organizacija Shadowserver prati gotovo 800.000 IP adresa s Telnet otiscima uslijed aktivnih napada koji iskorištavaju kritičnu ranjivost zaobilaženja autentikacije u GNU InetUtils telnetd poslužitelju. Sigurnosni propust (CVE-2026-24061) pogađa GNU InetUtils verzije od 1.9.3 do 2.7, a zakrpan je u verziji 2.8 objavljenoj 20. siječnja. Ranjivost omogućuje udaljenim napadačima zaobilaženje autentikacije zloupotrebom načina na koji telnetd prosljeđuje korisnički kontrolirane varijable okruženja procesu prijave.
Izvor: BleepingComputer

Posebno upozorenje: zlonamjerni “supergrupni” SLSH cilja više od 100 organizacija putem interaktivnog phishinga
Trenutačno je aktivna masovna kampanja krađe identiteta koja cilja Okta Single Sign-On (SSO) i druge SSO platforme u više od 100 visokovrijednih organizacija. Silent Push identificirao je infrastrukturu koja odgovara SLSH-u, savezu skupina Scattered Spider, LAPSUS$ i ShinyHunters. Kampanja se oslanja na ručno vođene vishing napade i interaktivne phishing panele kako bi se zaobišle čak i snažno utvrđene MFA zaštite.
Izvor: Silent Push

Supply chain kompromitacija eScan antivirusa isporučila digitalno potpisani malware
Kritična supply chain kompromitacija koja pogađa eScan antivirus tvrtke MicroWorld Technologies identificirana je 20. siječnja 2026., nakon što su zlonamjerne nadogradnje distribuirane putem legitimne infrastrukture za ažuriranje proizvođača. Zlonamjerni paketi navodno su bili digitalno potpisani kompromitiranim eScan certifikatom, čime su zaobiđeni standardni mehanizmi povjerenja. Nakon instalacije, malware je uspostavio perzistenciju, omogućio udaljeni pristup i spriječio daljnja ažuriranja sustava.
Izvor: Infosecurity Magazine

Nova Fake CAPTCHA kampanja isporučuje Amatera Stealer
Blackpoint SOC identificirao je novu Fake CAPTCHA kampanju koja zloupotrebljava potpisanu Microsoft Application Virtualization (App-V) skriptu kao living-off-the-land binary (LOLBIN) za posredno izvršavanje koda putem legitimne Windows komponente. Napad pažljivo provjerava ponašanje korisnika i redoslijed izvršavanja, a u slučaju neispunjenih uvjeta proces se neprimjetno zaustavlja. Ovaj lanac isporuke pokazuje kako je sam tijek izvršavanja postao ključni dio suvremenog malware pristupa.
Izvor: Blackpoint Cyber

VoidLink: Evidence That the Era of Advanced AI-Generated Malware Has Begun
Check Point Research (CPR) believes a new era of AI-generated malware has begun. VoidLink stands as the first evidently documented case of this era, as a truly advanced malware framework authored almost entirely by artificial intelligence, likely under the direction of a single individual. Until now, solid evidence of AI-generated malware has primarily been linked to inexperienced threat actors, as in the case of FunkSec, or to malware that largely mirrored the functionality of existing open-source malware tools. VoidLink is the first evidence based case that shows how dangerous AI can become in the hands of more capable malware developers. Operational security (OPSEC) failures by the VoidLink developer exposed development artifacts. These materials provide clear evidence that the malware was produced predominantly through AI-driven development, reaching a first functional implant in under a week.
Source: Check Point Research

Dissecting and Exploiting CVE-2025-62507: Remote Code Execution in Redis
A recent stack buffer overflow vulnerability in Redis, assigned CVE-2025-62507, was fixed in version 8.3.2. The issue was published with a high severity rating and assigned a CVSS v3 score of 8.8. According to the official advisory, “a user can run the XACKDEL command with multiple IDs and trigger a stack buffer overflow, which may potentially lead to remote code execution”. Memory corruption vulnerabilities have become significantly harder to exploit due to the many security mitigations introduced over the years, but historically they easily led directly to remote code execution. Given that the vulnerability was rated as high severity but not classified as critical, the JFrog Security Research team decided to investigate the issue further and evaluate whether remote code execution is still easily achievable in 2026.
Source: JFrog

DNS OverDoS: Are Private Endpoints Too Private?
We discovered an aspect of Azure’s Private Endpoint architecture that could expose Azure resources to denial of service (DoS) attacks. In this article, we explore how both intentional and inadvertent acts could result in limited access to Azure resources through the Azure Private Link mechanism. We uncovered this issue while investigating irregular behavior in Azure test environments. Our research indicates that over 5% of Azure storage accounts currently operate with configurations that are subject to this DoS issue. This issue has the potential to affect organizations in multiple ways. For example, denying service to storage accounts could cause Azure Functions within FunctionApps and subsequent updates to these apps to fail. In another scenario, the risk could lead to DoS to Key Vaults, resulting in a ripple effect on processes that depend on secrets within the vault.
Source: Palo Alto Networks Unit 42

Everest Ransomware Claims McDonalds India Breach Involving Customer Data
The notorious Everest ransomware group is claiming to have breached McDonald’s India, the Indian subsidiary of the American fast-food giant. The claim was published on the group’s official dark web leak site earlier today, January 20, 2026, stating that they exfiltrated a massive 861 GB of customer data and internal company documents. As reviewed by Hackread.com, the group also published internal screenshots to support the authenticity of its claims. A closer look at these screenshots reveals financial reports from 2023 to 2026, audit trails, cost tracking sheets, ERP migration files, pricing data, and other sensitive internal communications.
Source: Hackread

ChainLeak: Critical AI Framework Vulnerabilities Expose Data, Enable Cloud Takeover
Zafran Labs identified two critical vulnerabilities in Chainlit, a widely used open source AI framework. These vulnerabilities affect internet-facing AI systems that are actively deployed across multiple industries, including large enterprises. The flaws allow attackers to leak cloud environment API keys and steal sensitive files (CVE-2026-22218), as well as perform Server-Side Request Forgery (SSRF) against servers hosting AI applications (CVE-2026-22219). These vulnerabilities can be triggered with no user interaction. Zafran confirmed the vulnerabilities in real world, internet-facing applications operated by major enterprises.
Source: Zafran Labs

RansomHouse Claims Data Breach at Major Apple Contractor Luxshare
A ransomware and extortion group called RansomHouse claims to have breached Luxshare Precision Industry, a China-based key manufacturing partner and contractor of Apple Inc. The group published a victim profile on its dark web leak site, naming Luxshare and listing several of its major clients. The group’s post outlines Luxshare’s scale, revenue, and role across consumer electronics, communications, and automotive sectors. Apple is highlighted as a major client, alongside names like Nvidia, Meta, Qualcomm, and others. The post goes on to claim access to sensitive engineering data, including 3D CAD models, PCB design files, and internal documentation. These kinds of files would be serious for any hardware manufacturer.
Source: Hackread

From Extension to Infection: An In-Depth Analysis of the Evelyn Stealer Campaign Targeting Software Developers
On December 8, 2025, Koi.ai published their findings about a campaign specifically targeting software developers through weaponized Visual Studio Code extensions. Here, we’ll provide a more in-depth analysis of the multistage delivery of the Evelyn information stealer. Evelyn implements multiple anti-analysis techniques to evade detection in research and sandbox environments. It collects system information and harvests browser credentials through DLL injection as well as files and information such as clipboard and Wi-Fi credentials . It can also capture screenshots and steal cryptocurrency wallet. The malware communicates with its command-and-control (C&C) server over FTP.
Source: Trend Micro

Weaponizing Calendar Invites: A Semantic Attack on Google Gemini
Our team recently discovered a vulnerability in Google’s ecosystem that allowed us to bypass Google Calendar’s privacy controls using a dormant payload hidden inside a standard calendar invite. This bypass enabled unauthorized access to private meeting data and the creation of deceptive calendar events without any direct user interaction. This is a powerful example of Indirect Prompt Injection leading to a critical Authorization Bypass. We responsibly disclosed the issue to Google’s security team, who confirmed the findings and mitigated the vulnerability. What makes this discovery notable isn’t simply the exploit itself. The vulnerability shows a structural limitation in how AI-integrated products reason about intent. Google has already deployed a separate language model to detect malicious prompts, and yet the path still existed, driven solely through natural language.
Source: Miggo

Pro-Russia Hacktivist Activity Continues to Target UK Organisations
Russian-aligned hacktivist groups continue to target the UK and global organisations by attempting to disrupt operations, take websites offline and disable services. In December 2025, the NCSC co-sealed an advisory highlighting that pro-Russian hacktivists groups have been conducting worldwide cyber operations against numerous organisations and critical infrastructure sectors. In particular, the group NoName057(16) has been active since March 2022, and have been conducting attacks against government and private sector entities in NATO member states and other European countries that are perceived as hostile to Russian geopolitical interests. These attacks have included frequent DDoS attempts against UK local government.
Source: UK NCSC

New StackWarp Hardware Flaw Breaks AMD SEV-SNP Protections on Zen 1–5 CPUs
A team of academics from the CISPA Helmholtz Center for Information Security in Germany has disclosed the details of a new hardware vulnerability affecting AMD processors. The security flaw, codenamed StackWarp, can allow bad actors with privileged control over a host server to run malicious code within confidential virtual machines (CVMs), undermining the integrity guarantees provided by AMD Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP). It impacts AMD Zen 1 through Zen 5 processors. AMD, which is tracking the vulnerability as CVE-2025-29943 (CVSS v4 score: 4.6), characterized it as a medium-severity, improper access control bug that could allow an admin-privileged attacker to alter the configuration of the CPU pipeline, causing the stack pointer to be corrupted inside an SEV-SNP guest.
Source: The Hacker News

Hunting Lazarus: Inside the Contagious Interview C2 Infrastructure
In early January 2026, during routine vetting of a cryptocurrency project sourced via Upwork, Red Asgard’s threat research team discovered all three. The contractor—using a fake identity—had embedded malware in a legitimate-looking code repository. What followed was a five-day investigation into active Lazarus Group infrastructure. This article documents what we found.
Source: Red Asgard

ServiceNow Patches Critical AI Platform Flaw Allowing Unauthenticated User Impersonation
ServiceNow has disclosed details of a now-patched critical security flaw impacting its ServiceNow artificial intelligence (AI) Platform that could enable an unauthenticated user to impersonate another user and perform arbitrary actions as that user. The vulnerability, tracked as CVE-2025-12420, carries a CVSS score of 9.3 out of 10.0. It has been codenamed BodySnatcher by AppOmni. “This issue […] could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitled to perform,” the company said in an advisory released Monday.
Source: The Hacker News

Cisco Fixes AsyncOS Zero-Day Exploited since November
Cisco has finally patched a maximum-severity Cisco AsyncOS zero-day exploited in attacks against Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances since November 2025. As Cisco explained in December, when it disclosed the vulnerability (CVE-2025-20393), it affects only Cisco SEG and Cisco SEWM appliances with non-standard configurations when the Spam Quarantine feature is enabled and exposed on the Internet.
Source: BleepingComputer

LOTUSLITE Backdoor Targets U.S. Policy Entities Using Venezuela-Themed Spear Phishing
Security experts have disclosed details of a new campaign that has targeted U.S. government and policy entities using politically themed lures to deliver a backdoor known as LOTUSLITE. The targeted malware campaign leverages decoys related to the recent geopolitical developments between the U.S. and Venezuela to distribute a ZIP archive (“US now deciding what’s next for Venezuela.zip”) containing a malicious DLL that’s launched using DLL side-loading techniques. It’s not known if the campaign managed to successfully compromise any of the targets.
Source: The Hacker News

WhisperPair Attack Leaves Millions of Audio Accessories Open to Hijacking
A vulnerability in the Google Fast Pair implementation of Bluetooth audio accessories can be exploited to force connections to attacker-controlled devices, academic researchers warn. The critical-severity issue is tracked as CVE-2025-36911 and exists due to a logic error in the key-based pairing code, where devices fail to check if they are in pairing mode. Google Fast Pair enables fast pairing and account synchronization with Bluetooth accessories such as earbuds, headphones, and speakers, all with a single tap. The Fast Pair specification states that the pairing procedure should only be performed if the accessory is in pairing mode, but models from numerous brands do not check the pairing status of the device.
Source: SecurityWeek