Security News EN

Security Highlights Of The Day [15/01/26]

Inside China’s Hosting Ecosystem: 18,000+ Malware C2 Servers Mapped Across Major ISPs
Threat hunting often begins with a single indicator, such as a suspicious IP address, a beaconing domain, or a known malware family. Looking at those indicators individually makes the underlying infrastructure easy to miss. While analyzing malicious activity across Chinese hosting environments, we repeatedly observed the same networks and providers appearing across unrelated campaigns. Commodity malware, phishing operations, and state-linked tooling were often hosted side by side within the same infrastructure, even as individual IPs and domains changed.
Source: Hunt.io

Inside RedVDS: How a Single Virtual Desktop Provider Fueled Worldwide Cybercriminal Operations
Over the past year, Microsoft Threat Intelligence observed the proliferation of RedVDS, a virtual dedicated server (VDS) provider used by multiple financially motivated threat actors to commit business email compromise (BEC), mass phishing, account takeover, and financial fraud. Microsoft’s investigation into RedVDS services and infrastructure uncovered a global network of disparate cybercriminals purchasing and using them to target multiple sectors, including legal, construction, manufacturing, real estate, healthcare, and education in the United States, Canada, the United Kingdom, France, Germany, Australia, and countries with substantial banking infrastructure, where the potential for financial gain is higher. In collaboration with law enforcement agencies worldwide, Microsoft’s Digital Crimes Unit (DCU) recently facilitated a disruption of RedVDS infrastructure and related operations.
Source: Microsoft Security Blog

UAT-8837 Targets Critical Infrastructure Sectors in North America
Cisco Talos is closely tracking UAT-8837, a threat actor we assess with medium confidence to be a China-nexus advanced persistent threat (APT) actor, based on overlaps in tactics, techniques, and procedures (TTPs) with those of other known China-nexus threat actors. Based on UAT-8837’s TTPs and the post-compromise activity Talos has observed across multiple intrusions, we assess with medium confidence that this actor is primarily tasked with obtaining initial access to high-value organizations. Although UAT-8837’s targeting may appear sporadic, since at least 2025 the group has clearly focused on targets within critical infrastructure sectors in North America.
Source: Cisco Talos

Hackers Exploit c-ares DLL Side-Loading to Bypass Security and Deploy Malware
Security experts have disclosed details of an active malware campaign that’s exploiting a DLL side-loading vulnerability in a legitimate binary associated with the open-source c-ares library to bypass security controls and deliver a wide range of commodity trojans and stealers. “Attackers achieve evasion by pairing a malicious libcares-2.dll with any signed version of the legitimate ahost.exe (which they often rename) to execute their code,” Trellix said in a report shared with The Hacker News. “This DLL side-loading technique allows the malware to bypass traditional signature-based security defenses.” The campaign has been observed distributing a wide assortment of malware, such as Agent Tesla, CryptBot, Formbook, Lumma Stealer, Vidar Stealer, Remcos RAT, Quasar RAT, DCRat, and XWorm.
Source: The Hacker News

New ‘Reprompt’ Attack Silently Siphons Microsoft Copilot Data
Security researchers at Varonis have discovered a new attack that allowed them to exfiltrate user data from Microsoft Copilot using a single malicious link. Dubbed Reprompt, the attack bypassed the LLM’s data leak protections and allowed for persistent session exfiltration even after Copilot was closed, Varonis says. The attack leverages a Parameter 2 Prompt (P2P) injection, a double-request technique, and a chain-request technique to enable continuous, undetectable data exfiltration. The Reprompt Copilot attack starts with the exploitation of the ‘q’ parameter, which is used on AI platforms to deliver a user’s query or prompt via a URL. All it takes is for the user to click on the link.
Source: SecurityWeek

Security Highlights Of The Day [14/01/26]

Threat Brief: MongoDB Vulnerability (CVE-2025-14847)
On Dec. 19, 2025, MongoDB publicly disclosed MongoBleed, a security vulnerability (CVE-2025-14847) that allows unauthenticated attackers to leak sensitive heap memory by exploiting a trust issue in how MongoDB Server handles zlib-compressed network messages. This flaw occurs prior to authentication, meaning an attacker only needs network access to the database’s default port to trigger it.
Source: Palo Alto Networks Unit 42

Fortinet Fixes Critical FortiSIEM Flaw Allowing Unauthenticated Remote Code Execution
Fortinet has released updates to fix a critical security flaw impacting FortiSIEM that could allow an unauthenticated attacker to achieve code execution on susceptible instances. The operating system (OS) injection vulnerability, tracked as CVE-2025-64155, is rated 9.4 out of 10.0 on the CVSS scoring system. “An improper neutralization of special elements used in an OS command (‘OS command injection’) vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests,” the company said in a Tuesday bulletin.
Source: The Hacker News

Critical Node.js Vulnerability Can Cause Server Crashes via async_hooks Stack Overflow
Node.js has released updates to fix what it described as a critical security issue impacting “virtually every production Node.js app” that, if successfully exploited, could trigger a denial-of-service (DoS) condition. “Node.js/V8 makes a best-effort attempt to recover from stack space exhaustion with a catchable error, which frameworks have come to rely on for service availability,” Node.js’s Matteo Collina and Joyee Cheung said in a Tuesday bulletin.
Source: The Hacker News

Microsoft January 2026 Patch Tuesday: 115 Vulnerabilities Fixed
Microsoft has released its first Patch Tuesday of 2026, delivering a massive wave of security fixes to protect users from various digital threats. This month, the tech giant addressed 115 vulnerabilities, out of which eight are considered Critical, the highest risk level, while 106 are labelled Important. For those unfamiliar with the term, Patch Tuesday is the day Microsoft regularly releases updates to fix security holes. This January, the updates cover everything from Windows 11 and Microsoft Office to the Edge browser.
Source: Hackread

“Untrustworthy Fund”: Targeted UAC-0190 Cyberattacks Against SOU Using PLUGGYAPE
During October–December 2025, the Government Computer Emergency Response Team of Ukraine (CERT-UA), in cooperation with the Cyber Incident Response Team of the Armed Forces of Ukraine (military unit A0334), took measures to investigate a number of targeted cyberattacks against representatives of the Defense Forces of Ukraine, carried out under the guise of charitable foundation activities using the PLUGGYAPE software tool. Based on certain characteristics, the activity is associated with medium confidence with the group known as Void Blizzard (Laundry Bear), which is tracked under the identifier UAC-0190. To carry out the malicious plan, the target of the cyberattack is encouraged via instant messengers to visit a website that imitates the webpage of a supposedly charitable foundation, from which they are invited to download “documents” – executable files, which are usually located in a password-protected archive.
Source: CERT-UA

Security Highlights Of The Day [13/01/26]

Hidden Telegram Proxy Links Can Reveal Your IP Address in One Click
A single click on what may appear to be a Telegram username or harmless link is all it takes to expose your real IP address to attackers due to how proxy links are handled. Telegram tells BleepingComputer it will now add warnings to proxy links after researchers demonstrated that specially crafted links could be used to reveal a Telegram user’s real IP address without any further confirmation.
Source: BleepingComputer

Everest Ransomware Claims Breach at Nissan, Says 900GB of Data Stolen
The notorious Everest ransomware group claims to have breached Nissan Motor Corporation (Nissan Motor Co., Ltd.), the Japanese multinational automobile manufacturer. The group published its claims on its dark web leak site on January 10, 2026, sharing six screenshots allegedly taken from the stolen data. They also revealed a directory structure showing ZIP archives, text files, Excel sheets, and CSV documents. Based on the leaked screenshots published by the Everest ransomware group, the material appears to include directory structures and internal records allegedly linked to Nissan.
Source: Hackread

Target’s Dev Server Offline After Hackers Claim to Steal Source Code
Hackers are claiming to be selling internal source code belonging to Target Corporation, after publishing what appears to be a sample of stolen code repositories on a public software development platform. Last week, an unknown threat actor created multiple repositories on Gitea that appeared to contain portions of Target’s internal code and developer documentation. The repositories were presented as a preview of a much larger dataset allegedly being offered for sale to buyers on an underground forum or private channel.
Source: BleepingComputer

CISA Orders Feds to Patch Gogs RCE Flaw Exploited in Zero-Day Attacks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered government agencies to secure their systems against a high-severity Gogs vulnerability that was exploited in zero-day attacks. Designed as an alternative to GitLab or GitHub Enterprise and written in Go, Gogs is often exposed online for remote collaboration. Tracked as CVE-2025-8110, this remote code execution (RCE) security flaw stems from a path traversal weakness in the PutContents API and allows authenticated attackers to bypass protections implemented for a previously patched RCE bug (CVE-2024-55947) by overwriting files outside the repository via symbolic links.
Source: BleepingComputer

Unveiling VoidLink – A Stealthy, Cloud-Native Linux Malware Framework
In December 2025, Check Point Research identified a small cluster of previously unseen Linux malware samples that appear to originate from a Chinese-affiliated development environment. Many of the binaries included debug symbols and other development artifacts, suggesting we were looking at in-progress builds rather than a finished, widely deployed tool. The speed and variety of changes across the samples indicate a framework that is being iterated upon quickly to achieve broader, real-world use. The framework, internally referred to by its original developers as VoidLink, is a cloud-first implant written in Zig and designed to operate in modern infrastructure. It can recognize major cloud environments and detect when it is running inside Kubernetes or Docker, then tailor its behavior accordingly. VoidLink also harvests credentials associated with cloud environments and standard source code version control systems, such as Git, indicating that software engineers may be a potential target, either for espionage activities or possible future supply-chain-based attacks.
Source: Check Point Research

Security Highlights Of The Day [12/01/26]

Max Severity Ni8mare Flaw Impacts Nearly 60,000 n8n Instances
Nearly 60,000 n8n instances exposed online remain unpatched against a maximum-severity vulnerability dubbed “Ni8mare.” n8n is an open-source workflow automation platform that allows users to connect different applications and services via pre-built connectors and a visual, node-based interface to automate repetitive tasks without writing code. The automation platform is widely used in AI development to automate data ingestion and build AI agents and RAG pipelines. It has over 100 million pulls on Docker Hub and over 50,000 weekly downloads on npm. Since n8n serves as a central automation hub, it often stores API keys, OAuth tokens, database credentials, cloud storage access, CI/CD secrets, and business data, making it an attractive target for threat actors.
Source: BleepingComputer

In-Depth Analysis Report on LockBit 5.0: Operation and Countermeasures
Since its first appearance in September 2019, LockBit has been known as one of the most notorious and active Ransomware-as-a-Service (RaaS) groups worldwide. LockBit operates on the RaaS model and is characterized by sophisticated encryption technology and automated propagation capabilities. Initial access is typically gained through vulnerability exploits, brute force attacks, phishing, or leaked login credentials, and the attack follows a three-stage process: initial access, lateral movement and privilege escalation, and ransomware deployment. The group also uses the Stealbit tool to exfiltrate data. From August 2021 to August 2022, LockBit accounted for 30.25% of known ransomware attacks, and in 2023, it made up around 21% of the attacks. The group’s extortion demands and recovery costs have resulted in billions of dollars in losses. Despite the efforts of law enforcement agencies, LockBit continues to pose a serious threat to cybersecurity worldwide. The LockBit 5.0 ransomware group operates the DLS website, which lists the companies that have been successfully breached by the group. While no South Korean companies are included on the list, many foreign companies have been identified as victims. The group has launched ransomware attacks against companies in a wide range of industries, including IT, electronics, law firms, and churches.
Source: AhnLab ASEC

Threat Actors Actively Targeting LLMs
Our Ollama honeypot infrastructure captured 91,403 attack sessions between October 2025 and January 2026. Buried in that data: two distinct campaigns that reveal how threat actors are systematically mapping the expanding surface area of AI deployments. GreyNoise customers have received an Executive Situation Report (SITREP) including IOCs and other valuable intelligence from this investigation. Customers, please check your inbox. The first campaign exploited server-side request forgery vulnerabilities—tricks that force your server to make outbound connections to attacker-controlled infrastructure. The campaign ran from October 2025 through January 2026, with a dramatic spike over Christmas—1,688 sessions in 48 hours. Attackers used ProjectDiscovery’s OAST (Out-of-band Application Security Testing) infrastructure to confirm successful SSRF exploitation via callback validation.
Source: GreyNoise

Critical React Router Flaws: CVE-2025-61686 Exposes Server Files
Developers relying on the popular React Router library are being urged to patch their applications immediately following the disclosure of multiple high-severity vulnerabilities. The flaws, ranging from unauthorized file access to Cross-Site Scripting (XSS), threaten the integrity of web applications using both the react-router and @remix-run ecosystems. The most critical of the bunch, tracked as CVE-2025-61686, carries a devastating CVSS score of 9.1. This vulnerability strikes at the heart of session management, potentially allowing attackers to breach the server’s file system.
Source: SecurityOnline

Reborn in Rust: Muddy Water Evolves Tooling with RustyWater Implant
CloudSEK’s TRIAD recently identified a spearphishing campaign attributed to the Muddy Water APT group targeting multiple sectors across the Middle East, including diplomatic, maritime, financial, and telecom entities. The campaign uses icon spoofing and malicious Word documents to deliver Rust-based implants capable of asynchronous C2, anti-analysis, registry persistence, and modular post-compromise capability expansion. Historically, Muddy Water has relied on PowerShell and VBS loaders for initial access and post-compromise operations. The introduction of Rust-based implants represents a notable tooling evolution toward more structured, modular, and low-noise RAT capabilities.
Source: CloudSEK

Security Highlights Of The Day [29/12/25]

WebRAT Malware Spread via Fake Vulnerability Exploits on GitHub
The WebRAT malware is being distributed through GitHub repositories that falsely claim to host proof-of-concept exploits for recently disclosed vulnerabilities. Previously spread via pirated software and game cheats, WebRAT is a backdoor with information-stealing capabilities, including credential theft for messaging platforms and cryptocurrency wallets, webcam spying, and screenshot capture.
Source: BleepingComputer

Operation PCPcat: Hunting a Next.js Credential Stealer That’s Already Compromised 59K Servers
Researchers monitoring a Docker honeypot uncovered a large-scale attack campaign exploiting vulnerabilities in Next.js and React to achieve remote code execution, credential theft, and persistent command-and-control access. The campaign, attributed to a group identifying as “PCP,” has already compromised over 59,000 servers in less than 48 hours, demonstrating industrial-scale exploitation and data exfiltration.
Source: Beelzebub AI

APT36 LNK-Based Malware Campaign Leveraging MSI Payload Delivery
A targeted malware campaign attributed to APT36 uses social engineering and malicious shortcut files disguised as government advisory PDFs. The attack chain delivers a hidden MSI payload that deploys a .NET loader, malicious DLLs, and registry-based persistence while displaying a decoy document to evade detection and maintain long-term access.
Source: CYFIRMA

UNG0801: Tracking Threat Clusters Obsessed With AV Icon Spoofing Targeting Israel
SEQRITE Labs has been tracking a persistent threat cluster, UNG0801, primarily targeting Israeli organizations through phishing campaigns written in Hebrew. The attackers heavily rely on antivirus icon spoofing, abusing trusted security vendor branding in malicious documents to increase user trust and drive follow-on compromise.
Source: Seqrite

Operation Artemis: Analysis of HWP-Based DLL Side Loading Attacks
Researchers identified an APT37 campaign dubbed “Artemis” that embeds malicious OLE objects inside HWP documents. The multi-stage attack leverages masquerading techniques and DLL side-loading within legitimate processes to evade signature-based detection and execute malicious payloads.
Source: Genians

Security Highlights Of The Day [24/12/25]

Two Chrome Extensions Caught Secretly Stealing Credentials from Over 170 Sites
Cybersecurity researchers have discovered two malicious Google Chrome extensions with the same name and published by the same developer that come with capabilities to intercept traffic and capture user credentials. The extensions are advertised as a “multi-location network speed test plug-in” and, once users subscribe, route traffic from more than 170 domains through attacker-controlled infrastructure, enabling large-scale data exfiltration.
Source: The Hacker News

Microsoft Teams Strengthens Messaging Security by Default in January
Microsoft announced that Teams will automatically enable messaging safety features by default starting January 12, 2026, for tenants using default configurations. The update activates protections against weaponizable file types, malicious URLs, and introduces a system for reporting false positives, improving defenses against malicious content shared in chats.
Source: BleepingComputer

Ransomware Hits Romanian Water Authority, 1000 Systems Knocked Offline
Romania’s national water authority is recovering from a ransomware attack that began on December 20, 2025, impacting approximately 1,000 systems, including workstations, email services, and web servers. Authorities classify the incident as a national security concern due to the critical infrastructure role of water management.
Source: Hackread

Critical n8n Flaw (CVSS 9.9) Enables Arbitrary Code Execution Across Thousands of Instances
A critical vulnerability tracked as CVE-2025-68613 has been disclosed in the n8n workflow automation platform. Under specific conditions, expressions supplied during workflow configuration may be evaluated in an insufficiently isolated execution context, potentially leading to arbitrary code execution.
Source: The Hacker News

Zero-Day Alert: Linksys Auth Bypass Lets Hackers Hijack Routers Without Passwords
Researchers disclosed a zero-day vulnerability (CVE-2025-52692) in the Linksys E9450-SG router that allows attackers on the local network to bypass authentication and gain full control of the device. The flaw enables activation of a hidden Telnet service without requiring a password, highlighting ongoing risks in consumer router security.
Source: Security Online

Security Highlights Of The Day [23/12/25]

ATM Hackers Using ‘Ploutus’ Malware Charged in US
The US Department of Justice has charged 54 individuals for their involvement in a large-scale ATM jackpotting campaign using the Ploutus malware family. The suspects are linked to the Venezuelan crime syndicate Tren de Aragua and face severe penalties, including decades-long prison sentences, for bank fraud, computer hacking, and money laundering.
Source: SecurityWeek

Hackers Abuse Popular Monitoring Tool Nezha as a Stealth Trojan
Researchers discovered that the open-source monitoring tool Nezha is being repurposed as a Remote Access Trojan (RAT). Because Nezha is legitimate software widely used by administrators and shows zero antivirus detections, attackers are exploiting it to gain persistent, stealthy access to compromised systems.
Source: Hackread

MacSync macOS Malware Distributed via Signed Swift Application
Jamf reports that MacSync Stealer, a macOS information-stealing malware, is now being distributed through a signed Swift application, removing the need for terminal-based execution. The malware has evolved from the earlier Mac.c stealer and now includes full backdoor functionality via a Go-based agent.
Source: SecurityWeek

Critical RCE Flaw Impacts Over 115,000 WatchGuard Firewalls
More than 115,000 internet-exposed WatchGuard Firebox devices remain vulnerable to an actively exploited remote code execution flaw (CVE-2025-14733). Successful exploitation allows unauthenticated attackers to execute arbitrary code, particularly on devices configured with IKEv2 VPN services.
Source: BleepingComputer

ClickFix Used to Deploy Stealc and Qilin Ransomware
Sophos researchers detail how the ClickFix social-engineering technique is being used to deploy Stealc infostealers and facilitate Qilin ransomware attacks. Victims are tricked into following fake human-verification steps on compromised websites, leading to malware installation and later ransomware deployment.
Source: Sophos

Security Highlights Of The Day [22/12/25]

China-Aligned Threat Group Uses Windows Group Policy to Deploy Espionage Malware
A previously undocumented China-aligned threat cluster dubbed LongNosedGoblin has been linked to cyber espionage attacks noted in Southeast Asia and Japan. According to ESET, the group leverages Windows Group Policy to deploy malware across compromised networks and abuses cloud services such as Microsoft OneDrive and Google Drive for command-and-control operations.
Source: The Hacker News

Coordinated Credential-Based Campaign Targets Cisco and Palo Alto Networks VPN Gateways
GreyNoise is tracking a coordinated, automated credential-based campaign targeting enterprise VPN authentication infrastructure, including Cisco SSL VPN and Palo Alto Networks GlobalProtect. The activity consists of large-scale scripted login attempts rather than vulnerability exploitation and appears to be a single campaign pivoting across multiple VPN platforms.
Source: GreyNoise

Lazarus Group Embeds New BeaverTail Variant in Developer Tools
Darktrace research has identified a new variant of the JavaScript-based BeaverTail infostealer linked to North Korea’s Lazarus Group. The malware is distributed through fake job offers that lure developers into downloading tools supposedly required for technical interviews, which instead compromise victim systems.
Source: Hackread

Clop Ransomware Targets Gladinet CentreStack in Data Theft Attacks
The Clop ransomware gang is targeting internet-exposed Gladinet CentreStack file servers as part of a new data theft extortion campaign. Attackers are actively scanning for exposed servers, breaching them, and leaving ransom notes, despite previous security updates released by Gladinet to address exploited vulnerabilities.
Source: BleepingComputer

Rust’s First Breach: CVE-2025-68260 Marks the First Rust Vulnerability in the Linux Kernel
A vulnerability tracked as CVE-2025-68260 has been fixed in the Linux kernel, marking the first officially assigned CVE for Rust code in the mainline kernel. The issue affects the Rust-based Android Binder driver and could lead to system crashes due to unsafe concurrent manipulation of linked list elements.
Source: Security Online

Security Highlights Of The Day [08/12/25]

New Wave of VPN Login Attempts Targets Palo Alto GlobalProtect Portals
A large campaign began on December 2, targeting Palo Alto GlobalProtect portals with brute-force attempts and later scanning SonicWall SonicOS API endpoints. The activity originated from over 7,000 IPs tied to hosting provider 3xK GmbH (AS200373), according to GreyNoise.
Source: BleepingComputer

AI-Automated Threat Hunting Brings GhostPenguin Out of the Shadows
Trend Micro uncovered GhostPenguin, a multithreaded Linux backdoor using RC5-encrypted UDP communications, discovered via AI-driven automated threat hunting. The backdoor supports remote shell access, file operations, and resilient command delivery through synchronized threads.
Source: Trend Micro

China-Linked Warp Panda Targets North American Firms in Espionage Campaign
CrowdStrike reports that Warp Panda is conducting advanced cyber espionage against North American legal, tech and manufacturing firms. The actor demonstrates strong OPSEC and cloud/VM expertise, with observed targeting of VMware vCenter environments in 2025.
Source: Infosecurity Magazine

Over 70 Domains Used in Months-Long Phishing Spree Against US Universities
Infoblox uncovered a months-long phishing operation targeting at least 18 U.S. universities. Attackers used more than 70 domains and bypassed MFA using the Evilginx adversary-in-the-middle toolkit to steal login credentials.
Source: Hackread

Inside Shanya, a Packer-As-A-Service Fueling Modern Attacks
Sophos analyzed Shanya, a new packer-as-a-service tool now favored by ransomware groups, partially replacing HeartCrypt. Shanya supports complex obfuscation and has been used in targeted attacks observed during incident response operations.
Source: Sophos

‘Broadside’ Mirai Variant Targets Maritime Logistics Sector
Cydome researchers identified “Broadside,” a Mirai variant exploiting CVE-2024-3721 in maritime digital recording devices. The flaw enables remote command injection and persistent monitoring via Netlink, threatening global logistics operations.
Source: Dark Reading

Researchers Uncover 30+ Flaws in AI Coding Tools Enabling Data Theft and RCE
Security researcher Ari Marzouk disclosed 30+ vulnerabilities in AI-powered IDEs like Cursor, Windsurf, GitHub Copilot, Roo Code, Zed.dev and others. The flaws, dubbed “IDEsaster,” combine prompt injection with legitimate features to enable data exfiltration and remote code execution.
Source: The Hacker News

Marquis Software Breach Affects Over 780,000 Nationwide
Marquis Software confirmed a breach affecting more than 780,000 individuals after attackers exploited a SonicWall vulnerability to access and exfiltrate sensitive files from its systems. The impacted data included financial and personal information from client institutions.
Source: Infosecurity Magazine

LockBit 5.0 Infrastructure Exposed in New Server, IP, and Domain Leak
Researchers identified LockBit 5.0 infrastructure hosted on 205.185.116.233 and the domain karma0.xyz, both tied to PONYNET. The exposure reveals operational details amid LockBit’s resurgence with upgraded malware capabilities.
Source: Cybersecurity News

AWS: China-Linked Threat Actors Weaponized React2Shell Hours After Disclosure
AWS warns that China-linked threat actors began exploiting the newly disclosed React2Shell vulnerability (CVE-2025-55182) within hours. Although AWS services are unaffected, the flaw impacts organizations running vulnerable React/Next.js deployments.
Source: Security Affairs

Security Highlights Of The Day [11/11/25]

Large-Scale ClickFix Phishing Attacks Target Hotel Systems with PureRAT Malware
Cybersecurity researchers uncovered a large-scale phishing campaign aimed at the hospitality sector, using ClickFix-style pages to trick hotel managers into deploying PureRAT malware. Attackers leveraged compromised email accounts to impersonate Booking.com and redirect victims to credential-stealing sites. The stolen credentials grant unauthorized access to booking platforms like Booking.com and Expedia, which are then monetized or used for further fraud.
Source: TheHackerNews

Microsoft Uncovers ‘Whisper Leak’ Attack That Identifies AI Chat Topics in Encrypted Traffic
Microsoft researchers discovered a side-channel attack named Whisper Leak, capable of revealing AI chat conversation topics from encrypted traffic. The attack targets streaming-mode language models, allowing adversaries monitoring network traffic—such as nation-state actors or local network observers—to infer user prompt subjects. The discovery raises significant concerns about the privacy of enterprise and user communications with AI systems.
Source: TheHackerNews

QNAP Patches Vulnerabilities Exploited at Pwn2Own Ireland
QNAP Systems released security updates for two dozen vulnerabilities, seven of which were exploited during the Pwn2Own Ireland 2025 hacking competition. Researchers from Team DDOS and DEVCORE demonstrated chained exploits affecting QNAP routers and NAS devices, earning over $140,000 in rewards. The company urges all users to update to HBS 3 Hybrid Backup Sync version 26.2.0.938 and reset passwords after patching.
Source: SecurityWeek

‘Ransomvibing’ Infests Visual Studio Extension Market
A new malicious extension on Visual Studio Marketplace introduces “ransomvibing” — ransomware code generated through AI “vibe coding.” The extension openly encrypts and exfiltrates data, marking a disturbing trend of threat actors leveraging AI tools to create malware via natural language prompts. Researchers warn that as AI-generated code becomes common in development environments, its misuse by cybercriminals will likely increase.
Source: DarkReading

GlassWorm Malware Returns on OpenVSX With 3 New VSCode Extensions
The GlassWorm malware campaign resurfaced on OpenVSX with three new VSCode extensions downloaded over 10,000 times. The malware uses hidden Unicode characters and Solana blockchain transactions to steal credentials and crypto wallet data. In response, OpenVSX revoked access tokens for compromised accounts and implemented stronger security controls to prevent further incidents.
Source: BleepingComputer
