SmarterTools was breached by hackers exploiting a vulnerability in its own SmarterMail software through an unknown virtual machine set up by an employee that wasn’t being updated. “Prior to the breach, we had approximately 30 servers/VMs with SmarterMail installed throughout our network,” SmarterTools COO Derek Curtis noted in a Feb. 3 post. “Unfortunately, we were unaware of one VM, set up by an employee, that was not being updated. As a result, that mail server was compromised, which led to the breach.” Network segmentation helped limit the breach, Curtis said, so the company website, shopping cart, account portal, and other services “remained online while we mitigated the issue. None of our business applications or account data were affected or compromised.”

SmarterTools Breach Comes Amid SmarterMail Vulnerability Warnings

Curtis said SmarterTools was compromised by the Warlock ransomware group, “and we have observed similar activity on customer machines.” In a blog post today, ReliaQuest researchers said they’ve observed SmarterMail vulnerability CVE-2026-23760 exploited in attacks “attributed with moderate-to-high confidence to ‘Storm-2603.’ This appears to be the first observed exploitation linking the China-based actor to the vulnerability as an entry point for its ‘Warlock’ ransomware operations.” ReliaQuest said other ransomware actors may be targeting a second SmarterMail vulnerability. “This activity coincides with a February 5, 2026 CISA warning that ransomware actors are exploiting a second SmarterMail vulnerability (CVE-2026-24423),” ReliaQuest said. “We observed probes for this second vulnerability alongside the Storm-2603 activity. However, because these attempts originated from different infrastructure, it remains unclear whether Storm-2603 is rotating IP addresses or a separate group is capitalizing on the same window. “Specific attribution matters less than the operational reality: Internet-facing servers are being targeted by multiple vectors simultaneously,” ReliQuest added. “Patching one entry point is insufficient if the adversary is actively pivoting to another or—worse—has already established persistence using legitimate tools.” Curtis said that once Warlock actors gain access, “they typically install files and wait approximately 6–7 days before taking further action. This explains why some customers experienced a compromise even after updating—the initial breach occurred prior to the update, but malicious activity was triggered later.”

SmarterTools Breach Limited by Linux Use

Curtis said the SmarterTools breach affected networks at the company office and a data center “which primarily had various labs where we do much of our QC work, etc.” “Because we are primarily a Linux company now, only about 12 Windows servers looked to be compromised and on those servers, our virus scanners blocked most efforts,” he wrote. “None of the Linux servers were affected.” He said Sentinel One “did a really good job detecting vulnerabilities and preventing servers from being encrypted.” He said that SmarterMail Build 9518 (January 15) contains fixes for the vulnerabilities, while Build 9526 (January 22) “complements those fixes with additional improvements and resolves lesser issues that have been brought to our attention and/or discovered during our internal security audits.” He said based on the company’s own breach and observations of customer incidents, Warlock actors “often attempt to take control of the Active Directory server and create new users. From there, they distribute files across Windows machines and attempt to execute files that encrypt data.” Common file names and programs abused by the threat actors have included:

• Velociraptor
• JWRapper
• Remote Access
• SimpleHelp
• WinRAR (older, vulnerable versions)
• exe
• dll
• exe
• Short, random filenames such as e0f8rM_0.ps1 or abc...
• Random .aspx files

“We hope this provides a fuller summary of what we have seen and what customers can look for in their own environments,” Curtis said. “We also hope it demonstrates that we are taking every possible step to prevent issues like this from occurring again and making every effort to consolidate what we’re seeing and sharing with our customers.”

With the Milan-Cortina Winter Olympics just hours from opening, Russian cyberattacks have forced Italian authorities into a full-scale security response that blends digital defence with boots on the ground. Italy confirmed this week that it successfully thwarted a coordinated wave of cyber incidents targeting government infrastructure and Olympic-linked sites, exposing how global sporting events are now frontline targets in geopolitical conflict. Italian Foreign Minister Antonio Tajani revealed that the Russian cyberattacks hit around 120 websites, including Italy’s foreign ministry offices abroad and several Winter Olympics-related locations, such as hotels in Cortina d’Ampezzo. While officials insist the attacks were “effectively neutralised,” the timing sends a clear message: cyber operations are now as much a part of Olympic security planning as physical threats.

Russian Cyberattacks and the Olympics: A Political Signal

According to Tajani, the attacks began with foreign ministry offices, including Italy’s embassy in Washington, before spreading to Olympic-linked infrastructure. A Russian hacker group known as Noname057 claimed responsibility, framing the Russian cyberattacks as retaliation for Italy’s political support for Ukraine. In a statement shared on Telegram, the group warned that Italy’s “pro-Ukrainian course” would be met with DDoS attacks—described provocatively as “missiles”—against Italian websites. While AFP could not independently verify the group’s identity, cybersecurity analysts noted that the tactics and messaging align with previous operations attributed to the same network. DDoS attacks may seem unsophisticated compared to advanced espionage campaigns, but their impact during high-profile events like the Olympics is strategic. Disrupting hotel websites, travel systems, or government portals creates confusion, undermines confidence, and grabs headlines—all without crossing into kinetic conflict.

Digital Threats Meet Physical Security Lockdown

Italy’s response to the Russian cyberattacks has been layered and aggressive. More than 6,000 police officers and nearly 2,000 military personnel have been deployed across Olympic venues stretching from Milan to the Dolomites. Snipers, bomb disposal units, counterterrorism teams, and even skiing police are now part of the security landscape. The defence ministry has added drones, radars, aircraft, and over 170 vehicles, underlining how cyber threats are now treated as triggers for broader security escalation. Milan, hosting the opening ceremony at San Siro stadium, is under particular scrutiny, with global leaders—including US Vice President JD Vance—expected to attend. The International Olympic Committee, however, stuck to its long-standing position. “We don’t comment on security,” IOC communications director Mark Adams said, a response that feels increasingly outdated in an era where Russian cyberattacks are openly claimed and politically framed.

ICE Controversy Adds Fuel to a Tense Atmosphere

Cybersecurity is not the only issue complicating Winter Olympic 2026 preparations. The presence of US Immigration and Customs Enforcement (ICE) officials in Italy has sparked political backlash and public protests. Milan Mayor Giuseppe Sala went as far as to say ICE agents were “not welcome,” calling the agency “a militia that kills.” Italy’s interior minister Matteo Piantedosi pushed back hard, clarifying that ICE’s Homeland Security Investigations unit would operate strictly within US diplomatic missions and have no enforcement powers. Still, the optics matter—especially as Russian cyberattacks amplify fears of foreign interference and sovereignty breaches. Even symbolic gestures have changed. A US hospitality venue originally called “Ice House” was quietly renamed “Winter House,” highlighting how sensitive the political climate has become.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has been “silently” updating its Known Exploited Vulnerabilities (KEV) catalog when it concludes that vulnerabilities have been exploited by ransomware groups, according to a security researcher. CISA adds a “known” or “unknown” field next to the “Known To Be Used in Ransomware Campaigns?” entry in its KEV catalog. The problem, according to a blog post by Glenn Thorpe of GreyNoise, is the agency doesn’t send out advisories when a vulnerability changes from “unknown” to “known” vulnerabilities exploited by ransomware groups. Thorpe downloaded daily CISA KEV snapshots for all of 2025 and found that the agency had flipped 59 vulnerabilities in 2025 from “unknown” to “known” evidence of exploitation by ransomware groups. “When that field flips from ‘Unknown’ to ‘Known,’ CISA is saying: ‘We have evidence that ransomware operators are now using this vulnerability in their campaigns,’" Thorpe wrote. “That's a material change in your risk posture. Your prioritization calculus should shift. But there's no alert, no announcement. Just a field change in a JSON file. This has always frustrated me.” In a statement shared with The Cyber Express, CISA Executive Assistant Director for Cybersecurity Nick Andersen suggested that the agency is considering Thorpe’s input. “We continue to streamline processes and enrich vulnerability data through initiatives like the KEV catalog, the Common Vulnerabilities and Exposures (CVE) Program, and Vulnrichment,” Andersen said. “Feedback from the cybersecurity community is essential as CISA works to enhance the KEV catalog and advance vulnerability prioritization across the ecosystem.”

Microsoft Leads in Vulnerabilities Exploited by Ransomware Groups

Of the 59 CVEs that flipped to “known” exploitation by ransomware groups last year, 27% were Microsoft vulnerabilities, Thorpe said. Just over a third (34%) involved edge and network CVEs, and 39% were for CVEs before 2023. And 41% of the flipped vulnerabilities occurred in a single month, May 2025. The “Fastest time-to-ransomware flip” was one day, while the longest lag between CISA KEV addition and the change to “known” ransomware exploitation status was 1,353 days. The “Most flipped vulnerability type” was Authentication Bypass at 14% of occurrences.

Ransomware Groups Target Edge Devices

Edge devices accounted for a high number of the flipped vulnerabiities, Thorpe said. Fortinet, Ivanti, Palo Alto and Check Point Security edge devices were among the flipped CVEs. “Ransomware operators are building playbooks around your perimeter,” he said. Thorpe said that 19 of the 59 flipped vulnerabilities “target network security appliances, the very devices deployed to protect organizations.” But he added: “Legacy bugs show up too; Adobe Reader vulnerabilities from years ago suddenly became ransomware-relevant.” Authentication bypasses and RCE vulnerabilities were the most common, “as ransomware operators prioritize ‘get in and go’ attack chains.” The breakdown by vendor of the 59 vulnerabilities “shouldn't surprise anyone,” he said. Microsoft was responsible for 16 of the flipped CVEs, affecting SharePoint, Print Spooler, Group Policy, Mark-of-the-Web bypasses, and more. Ivanti products were affected by 6 of the flipped CVEs, Fortinet by 5 (with FortiOS SSL-VPN heap overflows standing out), and Palo Alto Networks and Zimbra were each affected by 3 of the CVEs. “Ransomware operators are economic actors after all,” Thorpe said. “They invest in exploit development for platforms with high deployment and high-value access. Firewalls, VPN concentrators, and email servers fit that profile perfectly.” He also noted that the pace of vulnerability exploitation by ransomware groups accelerated in 2025. “Today, ransomware operators are integrating fresh exploits into their playbooks faster than defenders are patching,” he said. Thorpe created an RSS feed to track the flipped vulnerabilities; it’s updated hourly.

Ransomware attacks have soared 30% since late last year, and they’ve continued that trend so far in 2026, with many of the attacks affecting software and manufacturing supply chains. Those are some of the takeaways of new research published by Cyble today, which also looked at the top ransomware groups, significant ransomware attacks, new ransomware groups, and recommended cyber defenses. Ransomware groups claimed 2,018 attacks in the last three months of 2025, averaging just under 673 a month to end a record-setting year. The elevated attack levels continued in January 2026, as the threat groups claimed 679 ransomware victims. In the first nine months of 2025, ransomware groups claimed an average of 512 victims a month, so the recent trend has been more than 30% above that, Cyble noted. Below is Cyble’s chart of ransomware attacks by month since 2021, which shows a sustained uptrend since mid-2025.

Qilin Remains Top Ransomware Group as CL0P Returns

Qilin was once again the top ransomware group, claiming 115 victims in January. CL0P was second with 93 victims after claiming “scores of victims” in recent weeks in an as-yet unspecified campaign. Akira remained among the leaders with 76 attacks, and newcomers Sinobi and The Gentlemen rounded out the top five (chart below). [caption id="attachment_109255" align="aligncenter" width="845"] Top ransomware groups January 2026 (Cyble)[/caption] “As CL0P tends to claim victims in clusters, such as its exploitation of Oracle E-Business Suite flaws that helped drive supply chain attacks to records in October, new campaigns by the group are noteworthy,” Cyble said. Victims in the latest campaign have included 11 Australia-based companies spanning a range of sectors such as IT, banking and financial services (BFSI), construction, hospitality, professional services, and healthcare. Other recent CL0P victims have included “a U.S.-based IT services and staffing company, a global hotel company, a major media firm, a UK payment processing company, and a Canada-based mining company engaged in platinum group metals production,” Cyble said. The U.S. once again led all countries in ransomware attacks (chart below), while the UK and Australia faced a higher-than-normal attack volume. “CL0P’s recent campaign was a factor in both of those increases,” Cyble said. [caption id="attachment_109256" align="aligncenter" width="831"] Ransomware attacks by country January 2026 (Cyble)[/caption] Construction, professional services and manufacturing remain opportunistic targets for threat actors, while the IT industry also remains a favorite target of ransomware groups, “likely due to the rich target the sector represents and the potential to pivot into downstream customer environments,” Cyble said (chart below). [caption id="attachment_109258" align="aligncenter" width="819"] Ransomware attacks by industry January 2026 (Cyble)[/caption]

Ransomware Attacks Hit the Supply Chain

Cyble documented 10 significant ransomware attacks from January in its blog post, many of which had supply chain implications. One was an Everest ransomware group compromise of “a major U.S. manufacturer of telecommunications networking equipment ... Everest claims the data includes PDF documents containing sensitive engineering materials, such as electrical schematics, block diagrams, and service subsystem documentation.” Sinobi claimed a breach of an India-based IT services company. “Samples shared by the attackers indicate access to internal infrastructure, including Microsoft Hyper-V servers, multiple virtual machines, backups, and storage volumes,” Cyble said. A Rhysida ransomware group attack on a U.S. life sciences and biotechnology instrumentation company allegedly exposed sensitive information such as engineering blueprints and project documentation. A RansomHouse attack on a China-based electronics manufacturing for the technology and automotive manufacturers nay have exposed “extensive proprietary engineering and production-related data,” and “data associated with multiple major technology and automotive companies.” An INC Ransom attack on a Hong Kong–based components manufacturer for the global electronics and automotive industries may have exposed “client-related information associated with more than a dozen major global brands, plus confidential contracts and project documentation for at least three major IT companies.” Cyble also documented the rise of three new ransomware groups: Green Blood, DataKeeper and MonoLock, with DataKeeper and MonoLock releasing details on technical and payment features aimed at attracting ransomware affiliates to their operations.  

A cyberattack by Russian state-sponsored threat actors that targeted at least 30 wind and solar farms in Poland relied on default credentials, lack of multi-factor authentication (MFA) and outdated and misconfigured devices, according to a new report on the December 2025 incident by CERT Polska, the Polish computer emergency response team. The new report underscores the difficulty of securing critical infrastructure systems, which frequently rely on outdated devices that are difficult to update. In the Polish energy grid attack, credential and configuration errors compounded the vulnerabilities. CERT Polska attributed the campaign to Static Tundra, a group linked to Russia’s Federal Security Service (FSB) Center 16 unit, but a Dragos report on one of the Polish energy grid incidents attributed the activity to the ELECTRUM subgroup of Sandworm, a threat group linked to the GRU, Russia's military intelligence service, that was implicated in destructive attacks on the Ukraine power grid a decade ago. The Polish report notes that the DynoWiper malware used in the latest attacks “contains certain similarities to wiper-type tools3 associated with the activity cluster publicly known as ‘Sandworm’ and ‘SeashellBlizzard,’” but the report adds, “Despite identifying commonalities in behavioral characteristics and overall architecture, the level of similarity is too low to attribute DynoWiper to previously used wiper families.” The attackers’ activities began between March and May 2025, months before the December 29 attack.

Polish Energy Grid Attack Could Have Been Worse

The CERT Polska report said the December attack “resulted in a loss of communication between the facilities and distribution system operators (DSOs), but it did not affect ongoing electricity generation” or impact the stability of the Polish power system. “It should be noted, however, that given the level of access obtained by the attacker, there was a risk of causing a disruption in electricity generation at the affected facilities,” the report said. “Even if such a disruption had occurred, analyses indicate that the combined loss of capacity across all 30 facilities would not have affected the stability of the Polish power system during the period in question.” Dragos noted that in its incident response case, the attackers “gained access to operational technology systems critical to grid operations and disabled key equipment beyond repair at the site,” an attack the company called “very alarming.” “This is the first major cyber attack targeting distributed energy resources (DERs), the smaller wind, solar, and CHP facilities being added to grids worldwide,” Dragos said. “Unlike the centralized systems impacted in electric grid attacks in 2015 and 2016 in Ukraine, these distributed systems are more numerous, require extensive remote connectivity, and often receive less cybersecurity investment. This attack demonstrates they are now a valid target for sophisticated adversaries.” “An attack on a power grid at any time is irresponsible, but to carry it out in the depths of winter is potentially lethal to the civilian population dependent on it,” Dragos added. “It is unfortunate that those who attack these systems appear to deliberately choose timing that maximizes impact on civilian populations.”

Credential and Configuration Mistakes Exploited in Polish Energy Grid Attack

In the Polish energy grid attack, the attackers exploited a long list of outdated and misconfigured devices and default and static credentials that weren’t secured with MFA. The Polish report noted that in each affected facility, a FortiGate device served as both a VPN concentrator and a firewall. “In every case, the VPN interface was exposed to the Internet and allowed authentication to accounts defined in the configuration without multi‑factor authentication,” the report said. The report noted that it’s a common practice in the industry to reuse the same accounts and passwords across multiple facilities. “In such a scenario, the compromise of even a single account could have enabled the threat actor to identify and access other devices where the same credentials were used,” CERT Polska said. The networks of the targeted facilities often contained segregated VLAN subnets, but as the attackers had administrative privileges on the device, “These privileges were likely used to obtain credentials for a VPN account with access to all subnets,” the report said. “Even if no such account had existed, the attacker, having administrator-level access, could have modified the device configuration to enable equivalent access.” In one incident, the attacker gained access to the SSL‑VPN portal service of a FortiGate device located at the organization’s network perimeter by using “multiple accounts that were statically defined in the device configuration and did not have two‑factor authentication enabled.” After gaining access, the attackers used bookmarks defined in the configuration file to access jump hosts via RDP, the report said. Analysis of a FortiGate device configuration file indicated that some users had statically configured target user credentials, which enabled connections to the jump host from the SSL‑VPN portal without the need for additional local or domain user credentials. The attacker also made configuration changes that included a new rule that allowed connections using any protocol and IP address to a specified device and disabling network traffic logging. Using the Fortinet scripting mechanism, the attacker also created scripts for further credential exfiltration and to modify security settings, which were executed weekly. The report also detailed numerous out-of-date or misconfigured operational technology (OT) devices, many with default credentials, such as Hitachi and Mikronika controllers, and secure update features that weren’t enabled. In the case of Hitachi Relion 650 v1.1 IEDs, the default FTP account hadn’t been disabled in accordance with the manufacturer’s recommendations. In cases where an HMI used unique credentials for the local administrator account, “unsuccessful password‑breaking attempts were observed. In those cases, the HMI was not damaged.” The attackers also pivoted to cloud services, the report said.

As January 2026 comes to a close, The Cyber Express takes a comprehensive look at the events defining the global cybersecurity landscape. Over the past week, organizations worldwide faced high-profile cyberattacks, emerging threats in AI and ad fraud, critical software vulnerabilities, and intensifying regulatory scrutiny affecting both public and private sectors. This week’s coverage highlights significant attacks on Russian and U.S. companies, the discovery of advanced post-exploitation frameworks, trends in EU data breach reporting, and actionable guidance for brands to enhance privacy, security, and compliance in an increasingly complex digital ecosystem.

The Cyber Express Weekly Roundup 

Cyberattack Hits Russian Security Firm Delta 

On January 26, 2026, Delta, a Russian alarm and vehicle security provider, suffered a major cyberattack, disrupting alarms, vehicle systems, and company communications for tens of thousands of customers. While no confirmed customer data breach occurred, an unverified leak circulated online. Read more... 

Ad Fraud and Data Privacy: Brands Must Act Now 

Ad fraud is escalating, costing the digital advertising industry billions and eroding consumer trust. Experts like Dhiraj Gupta of mFilterIt emphasize that brands can no longer rely on platform-reported metrics alone. Independent verification, real-time audits, and continuous monitoring of data flows are now essential to ensure privacy, enforce purpose limitations, and maintain accountability across complex advertising ecosystems. Read more… 

Ivanti Patches Critical Mobile Manager Zero-Days 

Ivanti released emergency fixes for two critical zero-day code injection vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Endpoint Manager Mobile. These flaws allow attackers to execute arbitrary code, access sensitive device and user data, and track locations. CISA added CVE-2026-1281 to its KEV catalog with a two-day remediation deadline for federal agencies. Read more... 

Cyble Discovers ShadowHS, a Stealthy Linux Post-Exploitation Framework 

Cyble Research & Intelligence Labs uncovered ShadowHS, a fileless, in-memory Linux framework providing attackers with long-term, operator-controlled access. ShadowHS uses AES-encrypted payloads and stealthy memory execution to evade traditional antivirus software, enabling credential theft, lateral movement, privilege escalation, cryptomining, and covert data exfiltration. Read more... 

EU Data Breach Notifications Rise Amid GDPR Reform Talks 

Data breach notifications in the EU surged 22% over the past year, averaging over 400 per day. GDPR fines remained high at approximately €1.2 billion in 2025. Discussions on the Digital Omnibus legislation highlight a need to balance efficiency in reporting with protecting fundamental privacy rights amid NIS2, DORA, and ongoing cybersecurity threats. Read more... 

New Cyberattacks Target U.S. Companies 

Several U.S. companies, including Bumble, Panera, Match Group, and CrunchBase, faced phishing and vishing attacks against employees. Bumble reported brief unauthorized access to a small portion of its network, while other firms experienced limited exposure. The ShinyHunters hacking group claims responsibility and has issued extortion demands, emphasizing social engineering as a growing threat to high-profile organizations. Read more... 

Weekly Takeaway 

The last week of January 2026 stresses that cybersecurity is no longer just a technical concern. From attacks on critical infrastructure in Russia to post-exploitation Linux frameworks, ad fraud, and regulatory scrutiny in the EU, organizations must combine technology, governance, and proactive monitoring to protect data, trust, and operations.  

A new wave of cyberattacks has recently struck several prominent U.S. companies, including Bumble Inc., Panera Bread Co., Match Group Inc., and CrunchBase. Bumble Inc., the parent company of dating apps Bumble, Badoo, and BFF, reported that one of its contractor accounts was compromised in a phishing incident.   Similarly, it has been reported that Bumble confirmed a similar intrusion, stating that the breach allowed the hacker “brief unauthorized access to a small portion of our network.” However, the company noted that member databases, Bumble accounts, direct messages, profiles, and the Bumble application itself were not accessed. Bumble has engaged law enforcement to investigate the incident. 

Bumble, Panera Bread, Match Group, and CrunchBase Reports Cyberattacks 

Panera Bread also reported a cybersecurity incident affecting one of its software applications used to store data. A company spokesperson confirmed that law enforcement had been notified and that steps were taken to secure the system. The affected data primarily included contact information, although Panera did not provide additional specifics about the scope of the breach.  Similarly, Match Group reported on Wednesday that it had experienced a cybersecurity incident impacting a “limited amount of user data.” According to Bloomberg, a spokesperson for Match reassured users that there was no evidence of compromised login credentials, financial information, or private communications. The match’s system was breached on January 16, although the exact timing of the other incidents affecting Bumble, Panera Bread, and CrunchBase remains unclear.  CrunchBase, the business information platform, confirmed that documents on its corporate network were affected by cyberattacks but stated that the company had successfully contained the incident. No details were provided about whether any sensitive user or company data was accessed. 

Limited Data Exposure but Extortion Demands Reported 

A hacking group known as ShinyHunters has claimed responsibility for the attacks on Bumble, Panera Bread, Match, and CrunchBase. While these claims could not be independently verified at this time, their posts noted that they are using innovative vishing techniques. Voice phishing aimed at tricking employees into revealing credentials for single sign-on systems.   Additionally, it has been reported that hackers associated with the ShinyHunters group have reached out to some of the victims requesting payment. Despite these reports, none of the affected companies, including Bumble, Panera Bread, Match, or CrunchBase, have publicly commented on the extortion claims. 

Experts Warn of Rising Social Engineering Threats 

The recent incidents underline the growing threat of cyberattacks targeting U.S. businesses, particularly those handling large volumes of user data and corporate information. In most of these attacks, social engineering campaigns target unsuspecting victims, combining phishing, vishing, and exploitation of cloud-based systems to gain access.  The Cyber Express has reached out to Bumble, Panera Bread, CrunchBase, and Match Group for further comments. As of now, no additional information or updates on the extortion demands have been provided. Cybersecurity analysts and industry observers are closely monitoring the situation, noting that this series of attacks could signal a broader trend in high-profile cyber threats affecting both technology and consumer-facing companies.  This story is ongoing, and The Cyber Express will continue to provide updates as more details emerge about the scope of the cyberattacks and any responses from the affected organizations. 

Malicious open source software packages have become a critical problem threatening the software supply chain. That’s one of the major takeaways of a new report titled “State of the Software Supply Chain” by open source software security company Sonatype. Sonatype said its researchers identified more than 454,600 new malicious packages last year across npm, PyPI, Maven Central, NuGet, and Hugging Face, repositories which together combined for 9.8 trillion downloads. Open source malware has evolved “from spam and stunts into sustained, industrialized campaigns against the people and tooling that build software,” the researchers said. “What stands out most about 2025 is not just the scale of the threat, but also the sophistication,” the report said. “Where 2024’s XZ Utils incident was groundbreaking, demonstrating how a single compromised maintainer could imperil global infrastructure, 2025 saw software supply chain risk evolve dramatically.”

npm Leads in Malicious Open Source Software Packages

More than 99% of open source malware last year occurred on npm, the researchers said, and the kinds of threats evolved dramatically. Nation-state threat groups such as the Lazarus Group “advanced from simple droppers and crypto miners to five-stage payload chains that combined droppers, credential theft, and persistent remote access inside developer environments,” the report said, and the first self-replicating npm malware (Shai-Hulud and Sha1-Hulud) further escalated the threat to the open source software supply chain. IndonesianFoods created more than 150,000 malicious packages in a matter of days, and hijackings of major packages like chalk and debug showed that “established maintainers of high-profile packages are being targeted as entry points for mass distribution.” “Taken together, these developments mark 2025 as a grim year for open source malware: the moment when isolated incidents became an integrated campaign, and bad actors proved software supply chain attacks are now their most reliable weapon,” the researchers said.

Open Source Malware Exploits Developer Processes

Open source malware exploits the pressures developers face and the rapid decision-making involved in CI/CD pipelines. “Software supply chain attackers are perfecting social and technical mimicry to target and exploit developers making development decisions fast and with incomplete information,” the researchers said. “Attackers increasingly rely less on individual mistakes and more on scale, momentum, and volume. They know developers under deadline pressure are unlikely to pay detailed attention on every dependency. If a package ‘looks right’ with mostly comprehensible code, a legitimate seeming README.MD, and a reasonable amount of downloads, it is likely to get installed.” The number of open source package vulnerabilities adds to the problem. In 2025, npm recorded 838,778 releases associated with CVSS 9.0+ vulnerabilities, the report said, adding: “This scale is what enabled watershed incidents like React2Shell ... and Shai-Hulud to have ecosystem-wide impact.” “The takeaway isn’t that open source is unsafe or that teams should slow down,” the researchers concluded. “It is that the ecosystem has matured into critical infrastructure and we need to operate it like one. That means responsible consumption, security controls that match modern development, and transparency that is produced by the build, not assembled after the fact. “Open source will keep powering innovation,” they said. “The question is whether we build the practices and infrastructure to sustain it at the scale we now depend on, or whether we keep acting like the bill is someone else’s problem.” Going forward, the increasing convergence of AI and open source software will exacerbate the problem, they predicted. “AI model hubs and autonomous agents are converging with open source into a single, fluid software supply chain — a mesh of interdependent ecosystems without uniform security standards,” the report said. “Malware authors already understand this convergence. They are embedding persistence inside containers, pickled model files, and precompiled binaries that flow between data scientists, CI/CD systems, and runtime environments.”

The DOJ indicted 31 people accused of participating in an ATM jackpotting scheme in which the venerable Ploutus malware was used to help steal more than $5 million from machines around the United States. In total, 87 people have been charged, with many connected to the Tren de Aragua Venezuelan crime syndicate.

The post 31 More Charged in Massive ATM Jackpotting Scheme Linked to Tren de Aragua Gang appeared first on Security Boulevard.

Healthcare organizations in the United States face threats, ranging from public health emergencies to cyberattacks. To support hospitals and health systems in enhancing their preparedness and resilience, the American Hospital Association (AHA) has released two comprehensive resources for cyber preparedness in healthcare. The two guides, includes, Strategies for Medical Surge Management During Public Emergencies and Strategies for Cyber Preparedness in Health Care.   These guides are part of the AHA’s Convening Leaders for Emergency and Response initiative and are intended to increase cyber preparedness in healthcare, support staff, and sustain care delivery during crises.  The medical surge management guide is structured around the “four S’s”: staffing, supply, space, and systems. This framework provides hospitals with a methodical approach to anticipating and managing sudden increases in patient demand during pandemics, natural disasters, or other public health emergencies. 

Staffing: Building a Flexible, Resilient Workforce 

Staffing is critical for hospitals to respond effectively to medical surges. Adequate personnel, prepared for high-pressure scenarios, are necessary to safely expand capacity and maintain quality care. Public health crises often place prolonged stress on healthcare workers, highlighting the importance of workforce resilience and flexibility.  The AHA recommends tiered staffing models, which allow experienced clinicians, such as ICU nurses or physicians, to lead teams composed of redeployed personnel or float staff. This approach maintains high-acuity supervision while maximizing workforce capacity and reducing burnout.  A competency matrix is another key tool. By mapping staff skills, certifications, and cross-training, leaders can make rapid, informed staffing decisions during emergencies. When integrated into digital staffing platforms, these matrices enable real-time redeployment and highlight areas requiring pre-event training. Dedicated float pools also contribute to surge readiness. Cross-trained personnel can be deployed to high-demand areas without overburdening core teams, guided by activation protocols and experienced float leaders. Centralized capacity command centers further support staffing decisions, using real-time data on patient volume, acuity, and bed availability to coordinate response efforts. 

Supply: Maintaining Access to Critical Resources 

Reliable access to medical supplies, equipment, and medications is vital during surge events. Sudden spikes in demand can strain supply chains, making proactive inventory management and planning essential.  Hospitals are encouraged to use digital tracking systems such as barcode scanners, RFID technology, and real-time dashboards to monitor supply use and prevent shortages. Emergency stockpiles organized into modular kits, based on functions like infection control or airway management, can streamline deployment during high-pressure scenarios.   Predictive tools, including the CDC’s PPE Burn Rate Calculator and the DASH model, allow healthcare organizations to forecast needs and stay ahead of demand. Strategic stockpiles and multisource vendor contracts further strengthen supply resilience. 

Space: Expanding and Adapting Care Environments 

Managing a medical surge also requires adaptable physical space. Hospitals must be able to expand or repurpose care areas while maintaining infection control, safety, and operational efficiency.  Predesignating surge zones, including inpatient units, recovery areas, or off-site facilities, ensures rapid activation. Infrastructure readiness, such as Wi-Fi connectivity, electronic health record access, and medical gas availability, must be assessed in advance. Regulatory considerations, including emergency waivers and accessibility standards, should also be addressed. Regular drills and simulations familiarize staff with alternate care setups and help identify operational gaps. 

Systems: Coordination, Communication, and Cybersecurity 

Strong organizational systems underpin effective surge response, enabling clear governance, communication, and resource management. The companion AHA guide on cybersecurity highlights that resilient systems are equally critical for protecting healthcare organizations from increasing cyber threats. Cyber incidents, much like public health emergencies, can disrupt operations and require coordinated response plans to maintain patient safety and continuity of care. 

Cyber Preparedness in Healthcare

The AHA emphasizes that cyber preparedness in healthcare must be treated as an enterprise-wide priority rather than a purely technical challenge. Hospitals and health systems should embed cyber risk into governance frameworks, cultivate a cyber-aware workforce, and plan for clinical continuity during incidents. This includes cross-functional incident response plans, realistic drills, and robust backup and communication systems.  Third-party risk management is a critical component, requiring ongoing assessment of vendors and subcontractors. Additionally, hospitals are encouraged to collaborate regionally with healthcare coalitions and public health agencies to align cyber response efforts and strengthen collective resilience.  By adopting structured approaches across staffing, supply, space, and systems, and by integrating cybersecurity readiness into core operations, healthcare organizations can better anticipate challenges, respond effectively to emergencies, and recover quickly from disruptions. 

The ShinyHunters and CL0P threat groups have returned with new claimed victims. ShinyHunters has resurfaced with a new onion-based data leak site, with the group publishing data allegedly stolen from three victims, with two apparently linked to recent vishing attacks targeting single sign-on (SSO) accounts at Okta, Microsoft and Google, which can lead to compromises of connected enterprise applications and services. In an email to The Cyber Express, a ShinyHunters spokesperson said “a lot more victims are to come from the new vishing campaign.” The CL0P ransomware group, meanwhile, has claimed 43 victims in recent days, its first victims since its exploitation of Oracle E-Business Suite vulnerabilities last year netted more than 100 victims. The group reportedly was targeting internet-facing Gladinet CentreStack file servers in its latest extortion campaign, but the threat group has posted no technical details to support the new claims.

ShinyHunters Returns

ShinyHunters has resurfaced following 2025 campaigns that saw breaches of PornHub and Salesforce environments and a “suspicious insider” at CrowdStrike. The group, which has also gone by Scattered LAPSUS$ Hunters, has claimed three new victims, all of whom have had confirmed breaches in recent weeks. One of the claimed victims is SoundCloud, which confirmed a breach in mid-December that the company said “consisted only of email addresses and information already visible on public SoundCloud profiles and affected approximately 20% of SoundCloud users.” Investment firm Betterment is another claimed victim with a recent confirmed breach. While it’s not clear if the incident is related to the ShinyHunters claims, the company reported a January 9 incident in which “an unauthorized individual gained access to certain Betterment systems through social engineering. This means the individual used identity impersonation and deception to gain access, rather than compromising our technical infrastructure. The unauthorized access involved third-party software platforms that Betterment uses to support our marketing and operations.” The third claimed victim is financial data firm Crunchbase, which confirmed a data exfiltration incident in a statement to SecurityWeek. ShinyHunters told The Cyber Express that only Crunchbase and Betterment are from the SSO vishing campaign. “We are releasing victims from many of our previous campaigns and ongoing campaigns onto our data leak site, not exclusively the SSO vishing campaign data thefts,” the spokesperson said. Meanwhile, a threat actor who goes by “LAPSUS-GROUP” has emerged recently on the BreachForums 5.0 cybercrime forum claiming data stolen from a Canadian retail SaaS company, but ShinyHunters told The Cyber Express that the actor is an “impersonator group” and has no connection to ShinyHunters.

CL0P Claims 43 New Victims

The Cl0p ransomware group appears to have launched a new extortion campaign, although it is not clear what vulnerabilities or services the group is targeting. The group listed 21 new victims last week, and then another 22 over the weekend. Alleged victims include a major hotel chain, an IT services company, a UK payment processing firm, a workforce management company, and a Canada-based mining company. In a note to clients today, threat intelligence company Cyble wrote, “At the time of reporting, Cl0p has not disclosed technical details, the volume or type of data allegedly exfiltrated, nor announced any ransom deadlines for these victims. No proof-of-compromise samples have been published. We continue to monitor the situation for further disclosures, validation of the victim listings, or escalation by the group.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added five enterprise software flaws to its Known Exploited Vulnerabilities (KEV) Catalog in an 18-hour span. On January 22, CISA added vulnerabilities from Versa and Zimbra to the KEV catalog, along with flaws affecting Vite and Prettier developer tools. Today, CISA added a VMware vCenter Server vulnerability to the KEV catalog, the tenth exploited vulnerability added to the catalog this year. Per typical practice, CISA didn’t name the threat actors exploiting the vulnerabilities or say how the flaws are being exploited, noting only that “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” None of the vulnerabilities were marked as known to be exploited by ransomware groups.

Versa, Zimbra and VMware Enterprise Software Flaws

The Versa Concerto vulnerability is CVE-2025-34026, a 9.2-severity Improper Authentication vulnerability in the SD-WAN orchestration platform’s Traefik reverse proxy configuration that could allow an attacker to access administrative endpoints, including the internal Actuator endpoint, for access to heap dumps and trace logs. The issue affects Concerto from 12.1.2 through 12.2.0, although the National Vulnerability Database (NVD) notes that “Additional versions may be vulnerable.” Project Discovery revealed the vulnerability and two others last year. CVE-2024-37079 is a 9.8-rated Broadcom VMware vCenter Server out-of-bounds write/heap-overflow vulnerability in the implementation of the DCERPC protocol. “A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution,” the NVD entry says. The Cyber Express noted in a June 2024 article on CVE-2024-37079 and two other vCenter vulnerabilities, “With the global usage of the impacted product and the history of leveraging flaws impacting vCenter, there is strong potential for threat actors to leverage these critical vulnerabilities also.” CVE-2025-68645 is an 8.8-rated Local File Inclusion (LFI) vulnerability in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 that allows improper handling of user-supplied request parameters in the RestFilter servlet. “An unauthenticated remote attacker can craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory,” says the NVD database.

Vite and Prettier Code Tool Vulnerabilities

CVE-2025-54313 is a high-severity embedded malicious code vulnerability affecting the eslint-config-prettier package for the Prettier code formatting tool that stems from a supply chain attack last July. The embedded malicious code in eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 can execute an install.js file that launches the node-gyp.dll malware on Windows, NVD notes. CVE-2025-31125 is a medium-to-high severity Improper Access Control vulnerability affecting Vite ViteJS, a frontend tooling framework for JavaScript. The vulnerability can expose the content of non-allowed files when apps explicitly expose the Vite dev server to the network. Th vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.

Hacktivists became significantly more dangerous in 2025, moving beyond their traditional DDoS attacks and website defacements to target critical infrastructure and ransomware attacks. That’s one of the conclusions of a new blog post from Cyble adapted from the threat intelligence company’s 2025 Threat Landscape report. The trend began in earnest with Z-Pentest’s targeting of industrial control systems (ICS) in late 2024, and grew from there. Cyble said it expects those attacks to continue to grow in 2026, along with growing use of custom tools by hacktivists and “deepening alignment between nation-state interests and hacktivists.”

Hacktivist Attacks on Critical Infrastructure Soar

Z-Pentest was the most active of the hacktivist groups targeting ICS, operational technology (OT) and Human Machine Interface (HMI) environments. Dark Engine (Infrastructure Destruction Squad) and Sector 16 also persistently targeted ICS environments, while Golden Falcon Team, NoName057(16), TwoNet, RipperSec, and Inteid also claimed multiple ICS attacks. HMI and web-based Supervisory Control and Data Acquisition (SCADA) interfaces were the systems most frequently targeted by hacktivists. Virtual Network Computing (VNC) environments were targeted less frequently, but “posed the greatest operational risks to several industries,” Cyble said. Building Management Systems (BMS) and Internet of Things (IoT) or edge-layer controllers were also targeted by the groups, reflecting a wider trend toward exploiting poorly secured IoT interfaces. Europe was the primary region targeted by pro-Russian hacktivist groups, with Spain, Italy, the Czech Republic, France, Poland, and Ukraine the most frequent targets of those groups.

State Interests and Hacktivism Align

Cyble also noted increasing alignment between hacktivist groups and state-aligned interests. When Operation Eastwood disrupted NoName057(16)’s DDoS infrastructure in July 2025, the group rapidly rebuilt its capacity and resumed operations against Ukraine, the EU, and NATO, “underscoring the resilience of state-directed ecosystems,” Cyble said. U.S. indictments “further exposed alleged structured cooperation between Russian intelligence services and pro-Kremlin hacktivist fronts,” the blog post said. The Justice Department revealed GRU-backed financing and direction of the Cyber Army of Russia Reborn (CARR) and state-sanctioned development of NoName057(16)’s DDoSia platform. Z-Pentest has also been identified as part of the CARR ecosystem and linked to GRU. Pro-Ukrainian hacktivist groups are less formally connected to state interests, but groups like the BO Team and the Ukrainian Cyber Alliance launched data destruction, encryption and wiper attacks targeting “key Russian businesses and state machinery,” and Ukrainian actors also claimed to pass exfiltrated datasets to national intelligence services. Hacktivist groups Cyber Partisans BY (Belarus) and Silent Crow significantly compromised Aeroflot’s IT environment in a long-term breach, claiming to exfiltrate more than 20TB of data, sabotaging thousands of servers, and disrupting airline systems, a breach that was confirmed by Russia’s General Prosecutor. Other hacktivists aligned with state interests include BQT.Lock (BaqiyatLock, aligned with Hezbollah) and Cyb3r Av3ngers/Mr. Soul Team, which has been linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) and has also targeted critical infrastructure.

Hacktivist Sightings Surge 51%

Cyble said hacktivist sightings surged 51% in 2025, from 700,000 in 2024 to 1.06 million in 2025, “with the bulk of activity focused on Asia and Europe.” “Pro-Russian state-aligned hacktivists and pro-Palestinian, anti-Israel collectives continued to be the primary drivers of hacktivist activity throughout 2025, shaping the operational tempo and geopolitical focus of the threat landscape,” the researchers said. India, Ukraine and Israel were the countries most targeted by hacktivist activity in 2025 (chart below). [caption id="attachment_108842" align="aligncenter" width="825"] Hacktivist attacks by country in 2025 (Cyble)[/caption] Government & Law Enforcement, Energy & Utilities, Education, IT, Transportation & Logistics, and Manufacturing saw the most growth in hacktivist attacks, while the Agriculture & Livestock, Food & Beverages, Hospitality, Construction, Automotive, and Real Estate also saw increasing attack numbers. “Hacktivism has evolved into a geopolitically charged, ICS-focused threat, continuing to exploit exposed OT environments and increasingly weaponizing ransomware as a protest mechanism,” Cyble said. “In 2026, hacktivists and cybercriminals will increasingly target exposed HMI/SCADA systems and VNC takeovers, aided by public PoCs and automated scanning templates, creating ripple effects across the energy, water, transportation, and healthcare sectors,” the researchers predicted.

Ransomware and supply chain attacks set records in 2025, with ransomware attacks up more than 50% and supply chain attacks nearly doubling – trends that suggest further trouble ahead in 2026. Those are some of the data points from a new blog and annual threat landscape report from threat intelligence company Cyble. There were 6,604 ransomware attacks in 2025, 52% higher than the 4,346 attacks claimed by ransomware groups in 2024, according to Cyble data. And the year ended on an upswing for threat groups, with a near-record 731 ransomware attacks in December, behind only February 2025’s record totals (chart below). [caption id="attachment_108784" align="aligncenter" width="729"] Ransomware attacks by month 2021-2025 (Cyble)[/caption] Ransomware groups remained resilient and decentralized in 2025, and ransomware affiliates were quick to gravitate toward new leaders like Qilin in the wake of law enforcement disruptions.

Supply Chain Attacks Soared in 2025

Supply chain attacks soared by 93% in 2025, according to Cyble dark web researchers, as supply chain attacks claimed by threat groups surged from 154 incidents in 2024 to 297 in 2025 (chart below). [caption id="attachment_108785" align="aligncenter" width="717"] Supply chain attacks by month 2024-2025 (Cyble)[/caption] “As ransomware groups are consistently behind more than half of supply chain attacks, the two attack types have become increasingly linked,” Cyble noted. Supply chain attacks have declined since setting a record in October, but Cyble noted that “they remain above even the elevated trend that began in April 2025.” Every industry and sector tracked by Cyble was hit by a software supply chain attack in 2025, but the IT and Technology sectors were by far the most frequently hit because of the potential for expanding attacks into downstream customer environments. The sophistication of those attacks also grew. Supply chain attacks in 2025 “expanded far beyond traditional package poisoning, targeting cloud integrations, SaaS trust relationships, and vendor distribution pipelines,” Cyble said. “Adversaries are increasingly abusing upstream services—such as identity providers, package registries, and software delivery channels—to compromise downstream environments on a large scale.” Attacks on Salesforce through third-party integrations is one such example, as attackers “weaponized trust between SaaS platforms, illustrating how OAuth-based integrations can become high-impact supply chain vulnerabilities when third-party tokens have been compromised.”

Qilin Dominated Following RansomHub’s Decline

Qilin emerged as the leading ransomware group in April after RansomHub was hit by a possible act of sabotage by rival Dragonforce. Qilin claimed another 190 victims in December, besting a resurgent Lockbit and other leaders such as newcomer Sinobi. Qilin claimed 17% of all ransomware victims in 2025, well ahead of Akira, CL0P, Play and SafePay (chart below). Cyble noted that of the top five ransomware groups in 2025, only Akira and Play also made the list in 2024, as RansomHub and Lockbit declined and Hunters apparently rebranded as World Leaks. [caption id="attachment_108788" align="aligncenter" width="936"] 2025's top ransomware groups (Cyble)[/caption] Cyble documented 57 new ransomware groups, 27 new extortion groups and more than 350 new ransomware strains in 2025. Those new strains were “largely based on the MedusaLocker, Chaos, and Makop ransomware families,” Cyble said. Among new groups, Devman, Sinobi, Warlock and Gunra have targeted critical infrastructure, particularly in Government & Law Enforcement and Energy & Utilities, at an above-average rate. RALord/Nova, Warlock, Sinobi, The Gentlemen and BlackNevas have focused on the IT, Technology, and Transportation & Logistics sectors. The U.S. was by far the most attacked country, suffering 55% of all ransomware attacks in 2025. Canada, Germany, the UK, Italy and France rounded out the top six (chart below). [caption id="attachment_108789" align="aligncenter" width="936"] 2025 ransomware attacks by country (Cyble)[/caption] Construction, professional services and manufacturing were the industries most targeted by ransomware groups, followed by healthcare and IT (chart below). [caption id="attachment_108791" align="aligncenter" width="936"] 2025 ransomware attacks by sector (Cyble)[/caption] “The significant supply chain and ransomware threats facing security teams as we enter 2026 require a renewed focus on cybersecurity best practices that can help protect against a wide range of cyber threats,” Cyble concluded, listing best practices such as segmentation and strong access control and vulnerability management.

Microsoft’s Patch Tuesday January 2026 update includes fixes for one actively-exploited zero day vulnerability and eight additional high-risk flaws. In all, the Patch Tuesday January 2026 update includes fixes for 112 Microsoft CVEs and three non-Microsoft CVEs, doubling December’s 57 vulnerabilities. The actively exploited zero day is CVE-2026-20805, a 5.5-rated Information Disclosure vulnerability affecting Desktop Window Manager (DWM). The vulnerability find is credited to Microsoft’s own Threat Intelligence Center and Security Response Center (MSRC). Microsoft says of the vulnerability, “Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager allows an authorized attacker to disclose information locally.” CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog shortly after Microsoft’s announcement. Other vendors issuing updates this week include Fortinet, SAP, ServiceNow, and Adobe, among others.

Patch Tuesday January 2026 High-Risk Vulnerabilities

Microsoft judged eight vulnerabilities as “exploitation more likely.” They include: CVE-2026-20816, a 7.8-rated Windows Installer Elevation of Privilege vulnerability credited to a DCIT security researcher. The time-of-check time-of-use (toctou) race condition in Windows Installer could allow an authorized attacker to elevate privileges locally, potentially gaining SYSTEM privileges. CVE-2026-20817, a 7.8-severity Windows Error Reporting Service Elevation of Privilege vulnerability. Microsoft notes that “Improper handling of insufficient permissions or privileges in Windows Error Reporting allows an authorized attacker to elevate privileges locally,” potentially leading to SYSTEM privileges. GMO Cybersecurity was credited with the find. CVE-2026-20820 is a 7.8-rated Windows Common Log File System (CLFS) Driver Elevation of Privilege vulnerability. The heap-based buffer overflow in Windows Common Log File System Driver could allow an authorized attacker to elevate privileges locally and attain SYSTEM privileges. CVE-2026-20840 is 7.8-severity Windows NTFS Remote Code Execution vulnerability credited to Sergey Tarasov of Positive Technologies. The heap-based buffer overflow vulnerability in Windows NTFS could allow an authorized attacker to execute code locally. CVE-2026-20843 is another 7.8-rated flaw, a Windows Routing and Remote Access Service (RRAS) Elevation of Privilege vulnerability. Improper access control in Windows Routing and Remote Access Service (RRAS) could allow an authorized attacker to elevate privileges locally, potentially gaining SYSTEM privileges. CVE-2026-20860 is also rated 7.8, a Windows Ancillary Function Driver for WinSock Elevation of Privilege vulnerability credited to DEVCORE. The type confusion vulnerability in Windows Ancillary Function Driver for WinSock could allow an authorized attacker to elevate privileges locally. CVE-2026-20871, a Desktop Windows Manager Elevation of Privilege vulnerability, is also rated 7.8 and is credited to the Trend Zero Day Initiative. The use after free vulnerability in Desktop Windows Manager could allow an authorized attacker to elevate privileges locally. CVE-2026-20922 is also rated 7.8, a Windows NTFS Remote Code Execution vulnerability also credited to Tarasov. The heap-based buffer overflow vulnerability in Windows NTFS could allow an authorized attacker to execute code locally.

Highest-Rated Vulnerabilities in the Patch Tuesday Update

The highest-rated vulnerabilities in the report – three 8.8-severity flaws – were judged to be at lower risk of attack by Microsoft. They include:

• CVE-2026-20947, a Microsoft SharePoint Server Remote Code Execution/SQL Injection vulnerability
• CVE-2026-20963, a Microsoft SharePoint Remote Code Execution/Deserialization of Untrusted Data vulnerability
• CVE-2026-20868, a Windows Routing and Remote Access Service (RRAS) Remote Code Execution/Heap-based Buffer Overflow vulnerability

 

A new Android banking malware can launch ransomware attacks in addition to more typical activities like credential theft and user surveillance. The “deVixor” remote access trojan (RAT) was detailed by Cyble researchers in a new blog post. While focused on Iranian banking users for now, the malware developer’s active Telegram channel suggests that the malware could eventually find wider use. As Cyble noted, “The channel’s growing subscriber base further supports the assessment that deVixor is being maintained and distributed as an ongoing criminal service rather than a short-lived operation.” “DeVixor demonstrates how modern Android banking malware has evolved into a scalable, service-driven criminal platform capable of compromising devices over the long term and facilitating financial abuse,” the researchers added.

Android Banking Malware DeVixor’s Many Capabilities

The deVixor campaign has been active since October, targeting Iranian users through phishing websites that masquerade as legitimate automotive businesses promising deep discounts to lure users into downloading malicious APK files. Cyble said its analysis of more than 700 samples “indicates with high confidence that the threat actor has been conducting a mass infection campaign leveraging Telegram-based infrastructure, enabling centralized control, rapid updates, and sustained campaign evolution.” DeVixor has evolved from basic SMS harvesting into a full-featured RAT that offers bank fraud, credential theft, ransomware, and device surveillance from a single platform. The Android banking malware uses Firebase for command delivery and a Telegram-based bot infrastructure for administration, “allowing attackers to manage infections at scale and evade traditional detection mechanisms.” Evolving from early versions that primarily focused on collecting PII and harvesting banking-related SMS messages, the malware has evolved rapidly, adding banking-related overlay attacks, keylogging, ransomware attacks, Google Play Protect bypass techniques, and exploitation of Android’s Accessibility Service. The RAT uses a Telegram bot–based admin panel for issuing commands, and each APK deployed is assigned a unique Bot ID stored in a local port.json file, allowing the operator to monitor and control individual devices. Cyble listed nearly 50 commands that the malware can execute. DeVixor can harvest OTPs, account balances, card numbers, and messages from banks and cryptocurrency exchanges. It captures banking credentials by loading legitimate banking pages inside a WebView-based JavaScript injection. The malware can also collect all device notifications, capture keystrokes, prevent uninstallation, hide its presence, harvest contacts, and take screenshots. “Android banking malware has progressed well beyond basic credential-harvesting threats, evolving into sophisticated remote access toolkits maintained as persistent, service-driven criminal operations,” the researchers said. “The modular command architecture, persistent configuration mechanisms, and an active development cycle all indicate that deVixor is not an isolated campaign, but a maintained and extensible criminal service,” Cyble said.

Android Ransomware

The Android banking malware also includes “a remotely triggered ransomware module capable of locking devices and demanding cryptocurrency payments,” the researchers said. After the RANSOMWARE command is issued, the malware receives the attacker-supplied parameters, including the ransom note, a TRON cryptocurrency wallet address, and the ransom demand. Details are stored locally in a file called LockTouch.json, which retains the ransomware infection across device reboots. Based on screenshots posted on the threat actor’s Telegram channel, deVixor locks the victim’s device and displays the ransom message “Your device is locked. Deposit to unlock,” along with the attacker’s TRON wallet address. The malware also sends device identifiers and ransom-related details to the command and control (C&C) server to track victim status and compliance with demands.

Threat actors are targeting LLMs in a widespread reconnaissance campaign that could be the first step in cyberattacks on exposed AI models, according to security researchers. The attackers scanned for every major large language model (LLM) family, including OpenAI-compatible and Google Gemini API formats, looking for “misconfigured proxy servers that might leak access to commercial APIs,” according to research from GreyNoise, whose honeypots picked up 80,000 of the enumeration requests from the threat actors. “Threat actors don't map infrastructure at this scale without plans to use that map,” the researchers said. “If you're running exposed LLM endpoints, you're likely already on someone's list.”

LLM Reconnaissance Targets ‘Every Major Model Family’

The researchers said the threat actors were probing “every major model family,” including:

• OpenAI (GPT-4o and variants)
• Anthropic (Claude Sonnet, Opus, Haiku)
• Meta (Llama 3.x)
• DeepSeek (DeepSeek-R1)
• Google (Gemini)
• Mistral
• Alibaba (Qwen)
• xAI (Grok)

The campaign began on December 28, when two IPs “launched a methodical probe of 73+ LLM model endpoints,” the researchers said. In a span of 11 days, they generated 80,469 sessions, “systematic reconnaissance hunting for misconfigured proxy servers that might leak access to commercial APIs.” Test queries were “deliberately innocuous with the likely goal to fingerprint which model actually responds without triggering security alerts” (image below). [caption id="attachment_108529" align="aligncenter" width="908"] Test queries used by attackers targeting LLMs (GreyNoise)[/caption] The two IPs behind the reconnaissance campaign were: 45.88.186.70 (AS210558, 1337 Services GmbH) and 204.76.203.125 (AS51396, Pfcloud UG). GreyNoise said both IPs have “histories of CVE exploitation,” including attacks on the “React2Shell” vulnerability CVE-2025-55182, TP-Link Archer vulnerability CVE-2023-1389, and more than 200 other vulnerabilities. The researchers concluded that the campaign was a professional threat actor conducting reconnaissance operations to discover cyberattack targets. “The infrastructure overlap with established CVE scanning operations suggests this enumeration feeds into a larger exploitation pipeline,” the researchers said. “They're building target lists.”

Second LLM Campaign Targets SSRF Vulnerabilities

The researchers also detected a second campaign targeting server-side request forgery (SSRF) vulnerabilities, which “force your server to make outbound connections to attacker-controlled infrastructure.” The attackers targeted the honeypot infrastructure’s model pull functionality by injecting malicious registry URLs to force servers to make HTTP requests to the attacker’s infrastructure, and they also targeted Twilio SMS webhook integrations by manipulating MediaUrl parameters to trigger outbound connections. The attackers used ProjectDiscovery's Out-of-band Application Security Testing (OAST) infrastructure to confirm successful SSRF exploitation through callback validation. A single JA4H signature appeared in almost all of the attacks, “pointing to shared automation tooling—likely Nuclei.” 62 source IPs were spread across 27 countries, “but consistent fingerprints indicate VPS-based infrastructure, not a botnet.” The researchers concluded that the second campaign was likely security researchers or bug bounty hunters, but they added that “the scale and Christmas timing suggest grey-hat operations pushing boundaries.” The researchers noted that the two campaigns “reveal how threat actors are systematically mapping the expanding surface area of AI deployments.”

LLM Security Recommendations

The researchers recommended that organizations “Lock down model pulls ... to accept models only from trusted registries. Egress filtering prevents SSRF callbacks from reaching attacker infrastructure.” Organizations should also detect enumeration patterns and “alert on rapid-fire requests hitting multiple model endpoints,” watching for fingerprinting queries such as "How many states are there in the United States?" and "How many letter r..." They should also block OAST at DNS to “cut off the callback channel that confirms successful exploitation.” Organizations should also rate-limit suspicious ASNs, noting that AS152194, AS210558 and AS51396 “all appeared prominently in attack traffic,” and they should also monitor JA4 fingerprints. ‍

The FBI is warning that that the North Korean threat group Kimsuky is targeting organizations with spearphishing campaigns using malicious QR codes, a tactic known as “Quishing.” The Quishing campaigns appear to be primarily directed at organizations in the U.S. and elsewhere that are involved in foreign policy linked to North Korea, or as the FBI advisory put it, “NGOs, think tanks, academia, and other foreign policy experts with a nexus to North Korea.” Since last year, Kimsuky threat actors have targeted “think tanks, academic institutions, and both U.S. and foreign government entities with embedded malicious Quick Response (QR) codes in spearphishing campaigns,” the FBI said.

FBI Details Kimsuky QR Spearphishing Incidents

The FBI cited four incidents in May and June 2025 where Kimsuky actors used malicious QR codes in targeted spearphishing campaigns. In one May 2025 incident, Kimsuky threat actors impersonated “a foreign advisor” in an email “requesting insight from a think tank leader regarding recent developments on the Korean Peninsula.” The email contained a malicious QR code for the recipient to scan to access a questionnaire. Later that month, Kimsuky actors spoofed an embassy employee in an email seeking input “from a senior fellow at a think tank regarding North Korean human rights issues.” That email contained a QR code that claimed to offer access to a secure drive. Also that month, the North Korean threat actors impersonated a think tank employee in an email with a QR code “that, when scanned, would take the targeted individual to Kimsuky infrastructure designed to conduct malicious activity.” In June 2025, Kimsuky threat actors “sent a strategic advisory firm a spearphishing email inviting recipients to a non-existent conference.” The email included a QR code that took recipients to a registration landing page that included a registration button. That button “took visitors to a fake Google account login page, where users could input their login credentials for harvesting.” It’s not the first time the FBI and other agencies have warned of Kimsuky and other North Korean threat actors targeting organizations involved in foreign policy; a similar warning was issued in 2023 of a spearphishing campaign that targeted think tanks, academic institutions and news organizations.

FBI Defines Quishing Tactics and Procedures

The FBI said Quishing attacks use QR codes “to force victims to pivot from their corporate endpoint to a mobile device, bypassing traditional email security controls.” QR images are typically sent as email attachments or embedded graphics to evade URL inspection and sandboxing, the agency said. Victims are typically re-routed by the attacks to collect “device and identity attributes such as user-agent, OS, IP address, locale, and screen size in order to selectively present mobile-optimized credential harvesting pages impersonating Microsoft 365, Okta, or VPN portals.” Quishing attacks “frequently end with session token theft and replay, enabling attackers to bypass multi-factor authentication and hijack cloud identities without triggering typical ‘MFA failed’ alerts,” the FBI said. The compromised mailbox can then be used for additional spearphishing attacks.

Protecting Against QR and Quishing Attacks

The FBI recommends “a multi-layered security strategy to address the unique risks posed by QR code-based spearphishing.” The agency’s recommendations include:

• Employees should be educated on the risks of scanning unsolicited QR codes regardless of where they came from, and organizations should implement training programs to help users recognize social engineering tactics involving QR codes, “including urgent calls to action and impersonation of trusted entities.”
• Organizations should also have clear processes for reporting suspicious QR codes and other phishing attempts.
• QR code sources should first be verified by contacting the sender directly, “especially before entering login credentials or downloading files.”
• Organizations should deploy mobile device management (MDM) or endpoint security solutions that can analyze QR-linked URLs before permitting access to web resources.
• Phishing-resistant MFA should be required for all remote access and sensitive systems, and a strong password policy should be implemented.
• All credential entry and network activity following QR code scans should be logged and monitored for possible compromises.
• Access privileges should be reviewed according to zero trust principles, and regular audits should be conducted for unused or excessive account permissions.

The FBI encouraged organizations to establish a liaison relationship with the FBI Field Office in their region and to report malicious activity at fbi.gov/contact-us/field-offices.

A 16-year-old Microsoft PowerPoint flaw and a new maximum-severity HPE vulnerability are the latest additions to CISA’s Known Exploited Vulnerabilities (KEV) catalog. CVE-2025-37164 is a 10.0-rated Code Injection vulnerability in Hewlett Packard Enterprise’s OneView IT infrastructure management software, while CVE-2009-0556 is a 9.3-severity Code Injection vulnerability present in Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3, and PowerPoint in Microsoft Office 2004 for Mac. Per standard practice, CISA didn’t provide any details on how the PowerPoint and HPE vulnerabilities are being exploited, but it’s not unusual for the agency to add older vulnerabilities to the CISA KEV catalog. CISA added a 2007 Microsoft Excel vulnerability to the KEV catalog last year, while the oldest vulnerability in the catalog remains CVE-2002-0367, a privilege escalation vulnerability in the Windows NT and Windows 2000 smss.exe debugging subsystem that has been known to be used by ransomware groups. The PowerPoint and HPE vulnerabilities are the first to be added to the KEV catalog in 2026, following 245 vulnerabilities added in 2025.

CISA KEV Addition Follows CVE-2025-37164 PoC

CISA’s addition of CVE-2025-37164 to the KEV catalog follows a Proof of Concept (PoC) exploit published by Rapid7 on Dec. 19. HPE notes that CVE-2025-37164 could allow a remote unauthenticated user to perform remote code execution. The company acknowledged Nguyen Quoc Khanh for reporting the issue. HPE has released a security hotfix for any version of HPE OneView from 5.20 through version 10.20, which must be reapplied after an appliance upgrade from HPE OneView version 6.60.xx to 7.00.00, including any HPE Synergy Composer reimage. While the HPE advisory says all versions through v10.20 are affected, the Rapid7 PoC notes that “Based on our analysis, we suspect that only ‘HPE OneView for VMs’ version 6.x is vulnerable to CVE-2025-37164, whereas all unpatched versions of ‘HPE OneView for HPE Synergy’ are vulnerable to CVE-2025-37164. More clarification is needed from the vendor to confirm or deny this hypothesis.” Rapid7 also released a Metasploit module for CVE-2025-37164.

CVE-2009-0556 PowerPoint Flaw First Attacked in 2009

The Microsoft PowerPoint flaw could allow remote attackers to execute arbitrary code via a PowerPoint file with an OutlineTextRefAtom containing an invalid index value that triggers memory corruption. The National Vulnerability Database (NVD) notes that CVE-2009-0556 was initially exploited in the wild in April 2009 by Exploit:Win32/Apptom.gen. Microsoft’s May 2009 security bulletin notes that an attacker who successfully exploited the remote code execution vulnerability “could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” The vulnerability triggers memory corruption when PowerPoint reads an invalid index value in a maliciously crafted PowerPoint file, which could allow an attacker to execute arbitrary code. Microsoft notes that “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”  

Infostealer infections compounded by a lack of multi-factor authentication (MFA) have resulted in dozens of breaches at major global companies and calls for greater MFA use. The issue came to light in a Hudson Rock post that detailed the activity of a threat actor operating under the aliases “Zestix” and “Sentap.” The threat actor has auctioned data stolen from the corporate file-sharing portals of roughly 50 major global enterprises, targeting ShareFile, OwnCloud, and Nextcloud instances “belonging to critical entities across the aviation, robotics, housing, and government infrastructure sectors,” the report said, taking pains to note that lack of MFA was the primary cause. “... these catastrophic security failures were not the result of zero-day exploits in the platform architecture, but rather the downstream effect of malware infections on employee devices combined with a critical failure to enforce Multi-Factor Authentication (MFA),” the report said. Cyble’s threat intelligence database contains 56 dark web reports and client advisories on Zestix and Sentap going back to mid-2024, and the threat actor appears be connected to a significantly older X/Twitter account, according to a May 2025 Cyble profile. DarkSignal recently did an extensive profile of the threat actor.

Infostealers and No MFA Make Attacks Easy

The Hudson Rock report looked at 15 data breaches claimed by Zestix/Sentap and noted a common attack flow:

• Infection: “An employee inadvertently downloads a malicious file. The infostealer executes and harvests all saved credentials and browser history.”
• Aggregation: “These logs are aggregated in massive databases on the dark web. Zestix parses these logs specifically looking for corporate cloud URLs (ShareFile, Nextcloud).”
• Access: “Zestix simply uses the valid username and password extracted from the logs. Because the organizations listed below did not enforce MFA, the attacker walks right in through the front door. No exploits, no cookies – just a password.”

“The era where brute-force attacks reigned supreme is waning,” the report said. “In its place, the Infostealer ecosystem has risen to become the primary engine of modern cybercrime. “Contrary to attacks involving sophisticated cookie hijacking or session bypasses, the Zestix campaign highlights a far more pedestrian – yet equally devastating – oversight: The absence of Multi-Factor Authentication (2FA).” Zestix relies on Infostealer malware such as RedLine, Lumma, or Vidar to infect personal or professional devices – and sometimes the gap between malware infection and exploitation is a long one, as old infostealer logs have led to new cyberattacks in some cases. “A critical finding in this investigation is the latency of the threat,” Hudson Rock said. “While some credentials were harvested from recently infected machines, others had been sitting in logs for years, waiting for an actor like Zestix to exploit them. This highlights a pervasive failure in credential hygiene; passwords were not rotated, and sessions were never invalidated, turning a years-old infection into a present-day catastrophe.”

ownCloud Calls for Greater MFA Use

ownCloud responded to the report with a call for greater MFA use by clients. In a security advisory, the company said, “The ownCloud platform was not hacked or breached. The Hudson Rock report explicitly confirms that no zero-day exploits or platform vulnerabilities were involved.” Stolen credentials from infostealer logs were "used to log in to ownCloud accounts that did not have Multi-Factor Authentication (MFA) enabled. As the report notes: ‘No exploits, no cookies—just a password.’” ownCloud said clients should immediately enable MFA on their ownCloud instances if they haven’t done so already. “MFA adds a critical second layer of verification that prevents unauthorized access even when credentials are compromised,” the company said. Recommended steps include:

• Enabling MFA on all user accounts using ownCloud’s two-factor authentication apps
• Resetting passwords for all users and requiring “strong, unique credentials”
• Reviewing access logs for suspicious activity
• Invalidating active sessions to force re-authentication with MFA

 

Taiwan faced a surge in Chinese cyberattacks in 2025, with government data showing that the island’s critical infrastructure was targeted an average of 2.6 million times per day. According to Taiwan’s National Security Bureau, the scale, frequency, and coordination of these Taiwan cyberattacks suggest a sustained and deliberate campaign that intensified alongside military and political pressure from Beijing.  The bureau reported that Chinese cyberattacks against Taiwan’s key infrastructure rose 6% compared with the previous year. Sectors experiencing the most severe impact included energy systems, hospitals, banks, emergency rescue services, and telecommunications networks. The agency said the average number of daily attacks reached approximately 2.63 million in 2025, marking an 113% increase from 2023, when the bureau first began publishing such figures.  “These attacks indicate a deliberate attempt by China to compromise Taiwan’s crucial infrastructure comprehensively and to disrupt or paralyze Taiwanese government and social functions,” the report stated. 

Chinese Cyberattacks Timed With Military Drills and Political Events 

Taiwanese authorities said many of the Chinese cyberattacks were closely synchronized with Chinese military exercises and politically sensitive moments, reinforcing concerns over what Taipei describes as “hybrid warfare.” The bureau documented that China conducted 40 “joint combat readiness patrols” in 2025, involving military aircraft and naval vessels operating near Taiwan. Cyber activity escalated during 23 of those patrols.  The report cited specific incidents in which Taiwan cyberattacks intensified during major political events. In May, cyber activity spiked when President Lai Ching-te delivered a speech marking his first year in office. Another escalation occurred in November when Vice President Hsiao Bi-khim spoke at a meeting with lawmakers at the European Parliament.  “China’s moves align with its strategic need to employ hybrid threats against Taiwan during both peacetime and wartime,” the report said.  Taiwan has repeatedly accused China of using a combination of daily military drills, disinformation campaigns, and cyber operations to weaken the island’s defenses and morale. Beijing claims Taiwan as its own territory and has not ruled out the use of force to bring the island under its control. Taipei rejects China’s sovereignty claims, stating that only Taiwan’s people can decide the island’s future, reported The Japan Times.

Hospitals, Energy Systems, and Banks Among Primary Targets 

The National Security Bureau said the Chinese cyberattacks employed a wide range of techniques designed to disrupt daily life and undermine public trust. These included distributed denial-of-service (DDoS) attacks aimed at overwhelming networks and halting services, as well as man-in-the-middle attacks used to intercept communications, steal sensitive data, and penetrate telecommunications infrastructure.  Hospitals, emergency services, and energy providers experienced some of the sharpest year-on-year increases in attack volume. Banks and financial systems were also repeatedly targeted, raising concerns about broader economic disruption.  Science parks anchoring Taiwan’s semiconductor industry were identified as another major focus. Facilities linked to advanced chip manufacturing, including firms such as TSMC, were subjected to repeated cyber intrusions. According to the report, attackers used various methods to steal advanced technologies and proprietary information. 

Technology Competition and Beijing’s Strategic Goals 

The bureau linked the cyber campaign to China’s broader economic and technological ambitions. The report said the attacks were “an attempt to support China’s self-reliance in technology and economic development and prevent China from being put in a disadvantaged position in the U.S.-China technology competition.”  Despite the detailed findings, China has consistently denied involvement. The Chinese government routinely rejects accusations related to hacking or cyber espionage. China’s Taiwan Affairs Office did not respond to a request for comment on the report.  Taiwanese officials argue that the sheer scale, timing, and coordination of the attacks point to an organized effort rather than isolated incidents. With Chinese cyberattacks and Taiwan cyberattacks continuing to rise in volume, the bureau warned that protecting digital infrastructure has become as critical as traditional military defense. 

The hacking group Crimson Collective claims to have obtained the personal data of more than a million residential customers of U.S. fiber broadband provider Brightspeed. In a January 4 Telegram post, the group behind a Red Hat GitLab breach last year claimed to possess “over 1m+ residential user PII's,” or personally identifiable information. Crimson Collective said it would release a data sample on January 5 to give Brightspeed “some time first to answer to us.” It is not known what if any communications occurred between the company and the hacker group, but Crimson Collective made good on that threat and released the data sample today.

Crimson Collective Details Brightspeed Claims

Crimson Collective claims to possess a wide range of data on Brightspeed customers, including:

• Customer account master records containing names, email addresses, phone numbers, billing and service addresses, and account status
• Network type, consent flags, billing system, service instance, network assignment, and site IDs
• Address qualification responses with address IDs, full postal addresses, latitude and longitude coordinates, qualification status (fiber/copper/4G), maximum bandwidth, drop length, wire center, marketing profile codes, and eligibility flags
• User-level account details keyed by session/user IDs, “overlapping with PII including names, emails, phones, service addresses, account numbers, status, communication preferences, and suspend reasons”
• Payment history, including payment IDs, dates, amounts, invoice numbers, card types and masked payment card numbers (last 4 digits), gateways, and status
• Payment methods per account, including default payment method IDs, gateways, masked credit card numbers, expiry dates, bank identification numbers (BINs), holder names and addresses, status flags (Active/Declined), and created/updated timestamps
• Appointment and order records by billing account, including order numbers, status, appointment windows, dispatch and technician information, and install types.

Potential Risk for Brightspeed Users

In an email exchange with The Cyber Express, a Crimson Collective spokesperson noted that while the data doesn’t include password or credit card data that could put users at imminent risk of breach or theft, the group said that “Every PII is important, with all this data people can easily start big sophisticated phishing campaigns or even get access to specific people's infrastructure.” Asked if the group has established persistent access to Brightspeed’s environment, the spokesperson replied, “Cannot disclose this.” The Cyber Express also reached out to Brightspeed for comment and will update this article with any response. However, the company reportedly told Security Week that it is “currently investigating reports of a cybersecurity event. As we learn more, we will keep our customers, employees and authorities informed. We take the security of our networks and protection of our customers’ and employees’ information seriously and are rigorous in securing our networks and monitoring threats.”

Trust Wallet users had $8.5 million in crypto assets stolen in a cyberattack linked to the second wave of the Shai-Hulud npm supply chain attack. In a lengthy analysis of the attack, Trust Wallet said attackers used the Shai-Hulud attack to access Trust Wallet’s browser extension source code and Chrome Web Store API key. “Using that access, they were able to prepare a tampered version of the extension with a backdoor designed to collect users’ sensitive wallet data [and] releasing the malicious version to the Chrome Web Store using the leaked (CWS) API key,” the crypto wallet company said. So far Trust Wallet has identified 2,520 wallet addresses affected by the incident and drained by the attackers, totaling approximately $8.5 million in assets. The company said it “has decided to voluntarily reimburse the affected users.” News of the successful attack comes amid reports that threat actors are actively preparing for a third wave of Shai-Hulud attacks.

Trust Wallet Shai-Hulud Attack Detailed

Trust Wallet said “an unauthorized and malicious version” of its Browser Extension (version 2.68) was published to the Chrome Web Store on December 24, “outside of our standard release process (without mandatory review). This version contained malicious code that, when loaded, allowed the attacker to access sensitive wallet data and execute transactions without authorization.” The $8.5 million in assets were associated with 17 wallet addresses controlled by the attacker, but Trust Wallet said the attacker addresses “also drained wallet addresses NOT associated with Trust Wallet and this incident. We are actively tracking other wallet addresses that may have been impacted and will release updated numbers once we have confirmation.” The incident affects only Trust Wallet Browser Extension version 2.68 users who opened the extension and logged in during the affected period of December 24-26. It does not affect mobile app users, users of other Browser Extension versions, or Browser Extension v2.68 users who opened and logged in after December 26 at 11:00 UTC. “If you have received an app push via the Trust Wallet mobile app or you see a security incident banner on your Trust Wallet Browser Extension, you may still be using the compromised wallets,” the company said. Browser Extension v2.68 users who logged into their wallets during the affected period were advised to transfer their funds from any at-risk wallets to a newly created wallet following the company’s instructions and to submit reimbursement claims at https://be-support.trustwallet.com.

White Hat Researchers Limited Damage with DDoS Attacks

The dramatic Trust Wallet attack was met by an equally dramatic response from white hat security researchers, who launched DDoS attacks on the attacker to limit damage, as detailed in the company’s update. Trust Wallet’s Developer GitHub secrets were exposed in the November second-wave attack, which gave the attacker access to the browser extension source code and the API key, allowing builds to be uploaded directly without Trust Wallet's internal approval and manual review. The attacker registered the domain metrics-trustwallet.com “with the intention of hosting malicious code and embedding a reference to that code in their malicious deployment of the Trust Wallet Browser Extension,” the company said. The attacker prepared and uploaded a tampered version of the browser extension using the codebase of an earlier version that they had accessed through the exposed developer GitHub secrets. The attacker published version 2.68 on the Chrome Web Store for review using the leaked CWS key, “and the malicious version was released automatically upon passing Chrome Web Store review approval,” Trust Wallet said. On December 25, the first wallet-draining activity was publicly reported, when 0xAkinator and ZachXBT flagged the issues and identified the attacker's wallet addresses, and partner Hashdit and internal systems “notified us with multiple suspicious alerts.” “White-hat researchers initiated DDoS attacks in an attempt to temporarily disable the attacker's malicious domain, api.metrics-trustwallet.com, helping to minimize further victims,” Trust Wallet said. The company rolled back to a verified clean version (2.67, released as 2.69) and issued urgent upgrade instructions.

Two cybersecurity experts charged with deploying ALPHV BlackCat ransomware against five companies have pleaded guilty to federal charges in the case, the U.S. Department of Justice announced today. Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas, were indicted in the BlackCat ransomware case in October. Together with an unnamed co-conspirator, they “successfully deployed the ransomware known as ALPHV BlackCat between April 2023 and December 2023 against multiple victims located throughout the United States,” the Justice Department said today. The two face sentencing in March for conspiring to obstruct commerce through extortion.

Misusing ‘Trusted Access and Technical Skill’

Martin and the co-conspirator worked as ransomware negotiators for DigitalMint, a Chicago-based company that specializes in mitigating cyberattacks, while Goldberg was an incident response manager at Sygnia Cybersecurity Services. DigitalMint and Sygnia have publicly stated they were not targets of the investigation and have cooperated fully with law enforcement. “These defendants used their sophisticated cybersecurity training and experience to commit ransomware attacks — the very type of crime that they should have been working to stop,” stated Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division. “Goldberg and Martin used trusted access and technical skill to extort American victims and profit from digital coercion,” added U.S. Attorney Jason A. Reding Quiñones for the Southern District of Florida. “Their guilty pleas make clear that cybercriminals operating from within the United States will be found, prosecuted, and held to account.”

BlackCat Ransomware Case Netted More Than $1 million

According to the Justice Department, the three men agreed to pay the ALPHV BlackCat administrators a 20% share of any ransom payments they received in exchange for the ransomware and access to ALPHV BlackCat’s extortion platform. “After successfully extorting one victim for approximately $1.2 million in Bitcoin, the men split their 80% share of this ransom three ways and laundered the funds through various means,” the Justice Department said. The five unnamed victim companies targeted by the co-conspirators included:

• A medical device company based in Tampa, Florida
• A pharmaceutical company based in Maryland
• A doctor’s office based in California
• An engineering company based in California
• A drone manufacturer based in Virginia

The Tampa medical device company paid a $1.27 million ransom; it is not clear if other ransom payments were made. The Justice Department placed the guilty pleas in the context of priori law enforcement actions aimed at disrupting ALPHV BlackCat, including the development of a decryption tool that that the U.S. says saved global victims nearly $100 million in ransom payments. The Justice Department said Goldberg and Martin each pleaded guilty to one count of “conspiracy to obstruct, delay or affect commerce or the movement of any article or commodity in commerce by extortion in violation of 18 U.S.C. § 1951(a).” The defendants are scheduled to be sentenced on March 12, 2026, and face a maximum penalty of 20 years in prison. The cybersecurity industry has faced a number of insider incidents in recent months, including a “suspicious insider” at CrowdStrike and a former cybersecurity company official who pled guilty to stealing trade secrets to sell them to a Russian buyer. In the Goldberg and Martin case, corporate assets do not appear to have been misused.

Victims of the CL0P ransomware group’s August campaign targeting Oracle E-Business Suite vulnerabilities are still coping with the aftermath of the cyberattacks, as Korean Air and the University of Phoenix have become the latest to reveal details of the breach. The University of Phoenix reported earlier this month in an SEC filing that it was among the Oracle EBS victims, after the company was named as a victim by CL0P on the threat group’s dark web data leak site. In a new filing with the Maine Attorney General’s office, the University of Phoenix revealed the extent of the breach – nearly 3.5 million people may have had their personal data compromised, including names, dates of birth, Social Security numbers, and bank account and routing numbers. The sample notification letter provided by the university offered victims complimentary identity protection services. including a year of credit monitoring, dark web monitoring, a $1 million identity fraud loss reimbursement policy, and identity theft recovery services. Oracle EBS victims continue to grapple with the aftermath of the attacks even as CL0P has reportedly moved on to a new extortion campaign targeting internet-facing Gladinet CentreStack file servers.

Korean Air Among Oracle EBS Victims

Korean Air also reported a cyberattack that appears linked to the Oracle EBS campaign. According to news reports, KC&D Service – the former in-flight catering subsidiary of the airline that’s now owned by a private equity firm – informed Korean Air of a leak that involved personal data belonging to the airline’s employees. The compromised data involved 30,000 records and included names and bank account numbers. The breach was revealed in an “internal notice,” according to the reports. The airline said no customer data appears to have been compromised by the breach. According to Korea JoongAng Daily, Woo Kee-hong, vice chairman of Korean Air, said in a message to employees, “Korean Air takes this incident very seriously, especially since it involves employee data, even if it originated from a third-party vendor that was sold off. We are currently focusing all our efforts on identifying the full scope of the breach and who was affected.” While the reports didn’t specifically mention the Oracle EBS campaign, “Korean Air Catering” was one of more than 100 victims listed by CL0P on its data leak site. Other confirmed victims in the Oracle campaign have included The Washington Post, Harvard University, Dartmouth College, the University of Pennsylvania, American Airlines’ Envoy Air, Logitech, Cox, Mazda, Canon, and Hitachi’s GlobalLogic.

CL0P’s File Services Exploits

CL0P’s ability to exploit file sharing and transfer services at scale has made it a top five ransomware group over its six-year history, with more than 1,000 known victims to date, according to Cyble threat intelligence data. Other CL0P campaigns have targeted Cleo MFT, MOVEit, CrushFTP, SolarWinds Serv-U, PaperCut, and GoAnywhere, among others. CL0P’s exploitation of Cleo MFT vulnerabilities led to a record number of ransomware attacks earlier this year, and CL0P has also successfully exploited Accellion FTA vulnerabilities. Some reports have linked the Oracle EBS campaign to the FIN11 threat group, with CL0P acting as the public face of the campaign.

The former employee behind the recent Coupang data breach tried to cover his tracks by smashing his MacBook Air and throwing it into a river, the company revealed in a recent update on the incident. The alleged perpetrator panicked when news outlets reported on the Coupang breach, the December 25 update said. “Among other things, the perpetrator stated that he physically smashed his MacBook Air laptop, placed it in a canvas Coupang bag, loaded the bag with bricks, and threw the bag into a nearby river,” the update said. Using maps and descriptions from the former employee, divers were able to recover the laptop from the river. “It was exactly as the perpetrator claimed—in a canvas Coupang bag loaded with bricks—and its serial number matched the serial number in the perpetrator’s iCloud account,” Coupang said. Coupang has since updated the post twice, once to reassure customers that the company was cooperating fully with the government in its investigation, and the second time to announce a “customer compensation plan to restore customer trust” with vouchers worth about USD $35 (50,000 won) per customer.

Coupang Breach Smaller than Feared

Much of the update sought to reassure customers of the Korean online retailer that the breach was smaller than initially feared. While initial reports said the breach – which led to the CEO’s resignation – might have compromised the data of more than 33 million, Coupang said its investigation indicates that while the perpetrator may have accessed 33 million accounts, he “retained limited user data from only 3,000 accounts and subsequently deleted the user data.” The user data included 2,609 building entrance codes, but no payment, log-in data or individual customs numbers were accessed, and the perpetrator never transferred any of the data to third parties, the company said. Coupang said it conducted its investigation with Mandiant, Palo Alto Networks and Ernst & Young.

Perpetrator ‘Confessed Everything’

Coupang said it used “digital fingerprints” and other forensic evidence to identify the former employee allegedly responsible for the breach. “The perpetrator confessed everything and revealed precise details about how he accessed user data,” the company said. The former employee used “an internal security key that he took while still working at the company” to access “basic user data” from more than 33 million customer accounts. He retained user data (name, email, phone number, address and partial order histories) from about 3,000 accounts, plus 2,609 building entrance access codes. The Coupang statement notes repeatedly that the alleged perpetrator’s story is supported by the available forensic evidence, likely to reassure customers that the breach wasn’t as bad as initially feared. The statement frequently uses phrases such as “exactly as the perpetrator described” to underscore that the forensic evidence supports the former employee’s claims. “The investigative findings to date are consistent with the perpetrator’s sworn statements and found no evidence that contradicts these statements,” the company says in another section. “The perpetrator stated that he used a personal desktop PC and a MacBook Air laptop to provision access and to store a limited amount of user data,” the Coupang statement said. “Independent forensic investigation confirmed that Coupang systems were accessed using one PC system and one Apple system as the primary hardware interfaces, exactly as the perpetrator described.” The perpetrator also turned over the PC system and four hard drives from the system, “on which analysts found the script used to carry out the attack,” the company said.

Cyble researchers have identified a sophisticated attack campaign that uses obfuscation, a unique User Account Control (UAC) bypass and other stealthy techniques to deliver a unified commodity loader and infect systems with Remote Access Trojans (RATs) and infostealers. The malware campaign targets the Manufacturing and Government sectors in Europe and the Middle East, with a specific focus on Italy, Finland, and Saudi Arabia, but shares common features with other attack campaigns, suggesting a shared malware delivery framework used by multiple “high-capability” threat actors. “The primary objective is the exfiltration of sensitive industrial data and the compromise of high-value administrative credentials,” Cyble Research and Intelligence Labs (CRIL) said in a blog post published today.

Sophisticated Attack Campaign Uses Loader Shared by ‘High-capability’ Threat Actors

The sophisticated commodity loader at the heart of the campaign is “utilized by multiple high-capability threat actors,” Cyble said. “Our research confirms that identical loader artifacts and execution patterns link this campaign to a broader infrastructure shared across multiple threat actors,” the researchers said. The CRIL researchers describe “a striking uniformity of tradecraft, uncovering a persistent architectural blueprint that serves as a common thread. Despite the deployment of diverse malware payloads, the delivery mechanism remains constant.” Standardized methodology includes the use of steganography to conceal payloads within image files, the use of string reversal and Base64 encoding for obfuscation, and delivering encoded payload URLs directly to the loader. The threat actors also “consistently abuse legitimate .NET framework executables to facilitate advanced process hollowing techniques.” Cyble said researchers from Seqrite, Nextron Systems, and Zscaler, have documented similar findings in other campaigns, including “identical class naming conventions and execution patterns across a variety of malware families and operations.” The researchers shared code samples of the shared loader architecture and noted, “This consistency suggests that the loader might be part of a shared delivery framework used by multiple threat actors.” The loaders have been observed delivering a variety of RATs and infostealers, such as PureLog Stealer, Katz Stealer, DC Rat, Async Rat, and Remcos. “This indicates the loader is likely shared or sold across different threat actor groups,” Cyble said. “The fact that multiple malware families leverage these class naming conventions as well as execution patterns ... is further testament to how potent this threat is to the target nations and sectors,” Cyble added.

Campaign Uses Obfuscation, UAC Bypass

The campaign documented by Cyble uses “a diverse array of infection vectors,” such as Office documents that weaponize CVE-2017-11882, malicious SVG files, ZIP archives containing LNK shortcuts, and a unique User Account Control (UAC) bypass. One sample used an LNK file and PowerShell to download a VBS loader, along with the UAC bypass method. The UAC bypass technique appears in later stages of the attack, where the malware monitors process creation events and triggers a UAC prompt when a new process is launched, “tricking the system or user into granting elevated privileges under the guise of a routine operation” and “enabling the execution of a PowerShell process with elevated privileges after user approval.” “The discovery of a novel UAC bypass confirms that this is not a static threat, but an evolving operation with a dedicated development cycle,” the researchers added. “Organizations, especially in the targeted regions, should treat ‘benign’ image files and email attachments with heightened scrutiny.” The campaign starts as a phishing campaign masquerading as standard Purchase Order communications. Image files are hosted on legitimate delivery platforms and contain steganographically embedded payloads, “allowing the malicious code to slip past file-based detection systems by masquerading as benign traffic.” The threat actors use a sophisticated “hybrid assembly” technique to “trojanize” open-source libraries. “By appending malicious functions to trusted open-source libraries and recompiling them, the resulting files retain their authentic appearance and functionality, making signature-based detection extremely difficult,” the researchers said. The infection chain is also engineered “to minimize forensic footprint,” including script obfuscation, steganographic extraction, reflective loading to run code directly in memory, and process injection to hide malicious activity within legitimate system processes. The full Cyble blog takes an in-depth technical look at one sample and also includes recommendations, MITRE tactics, techniques and procedures (TTPs), and Indicators of Compromise (IoCs).

The University of Sydney has confirmed a major cybersecurity incident that resulted in the exposure of personal information belonging to thousands of current and former staff members, as well as smaller groups of students, alumni, and supporters. The University of Sydney cyberattack was formally disclosed to the university community on December 18, 2025, after the institution detected unauthorized access to an internal online IT code library.  University officials said the suspicious activity was identified last week during monitoring of the platform, which is primarily used for software development and code storage. While the system was never intended to house personal records, investigators found that historical data files had been stored within the library, largely for testing purposes. These files were accessed and downloaded by an unauthorized party before the university intervened.  Upon discovering the University of Sydney cyberattack, the university immediately blocked unauthorized access and secured the affected environment. Officials also clarified that the cyberattack on University of Sydney was unrelated to a separate incident involving student results reported earlier. 

Decoding the University of Sydney Cyberattack

According to the university’s investigation to date, the data breach at the University of Sydney affected a wide range of individuals. The compromised files included a historical dataset from a retired system containing personal information about staff employed at the university as of September 4, 2018. Exposed details included names, dates of birth, phone numbers, home addresses, and basic employment information such as job titles and dates of employment.  In total, personal information belonging to around 10,000 current staff and affiliates and approximately 12,500 former staff and affiliates from that period was accessed. In addition, a collection of historical datasets, primarily from 2010 to 2019, contained personal information relating to about 5,000 students and alumni, along with data belonging to six supporters.  Vice President for Operations Nicole Gower addressed staff in a written message confirming the scope of the University of Sydney cyberattack and offering an apology. “We understand this news may cause concern, and we sincerely apologise for any distress this may cause,” Gower wrote. “While the data has been accessed and downloaded, there is currently no evidence that it has been used or published.” 

Investigation, Notifications, and Official Response

The University of Sydney has reported the incident to multiple government authorities, including the NSW Privacy Commissioner, the Australian Cyber Security Centre, the Tertiary Education Quality and Standards Agency, the National Student Ombudsman, and ID Support NSW. The university is also working with external cybersecurity partners to assess whether any of the accessed data has been disclosed online.  At this stage, the university believes the unauthorized access was confined to a single platform and did not compromise other university systems. However, the investigation remains ongoing and is expected to continue into the new year due to its complexity.  Notifications to affected individuals began on December 18, 2025. The university expects to complete this process by January 2026, once file reviews are finalized, and contact details for all impacted individuals are confirmed. Updates and responses to frequently asked questions are being published on the university’s website as the situation evolves. 

Support Services and Advice for Affected Individuals

In response to the University of Sydney data breach, a range of support services has been made available to staff, students, alumni, and affiliates. A dedicated cyber incident support service has been established to handle inquiries and will remain operational during the university’s closedown period from December 20, 2025, to January 5, 2026, excluding public holidays.  Staff members have access to counseling and wellbeing services through Converge International, while students can seek free and confidential support through Student Wellbeing services, which are available 24/7. Additional assistance is available through external organizations such as ID Support NSW, IDCARE, Beyond Blue, and Lifeline.  The university has also issued guidance urging affected individuals to remain vigilant by monitoring accounts for unusual activity, changing passwords, enabling multi-factor authentication, and being cautious of phishing attempts. Officials advised sharing details of the incident on social media to reduce the risk of scams.  University leadership reiterated that cybersecurity remains a priority and noted that an extensive program to strengthen data management practices has been underway for the past three years. Further updates will be provided as the investigation into the cyberattack on University of Sydney progresses and additional findings become available. 

Japan is set to hold its first public-private sector tabletop exercise to prepare for large-scale cyberattacks, particularly targeting critical infrastructure. The drill, scheduled for December 18th, will involve the central government, the Tokyo metropolitan government, and major infrastructure operators across the capital region.  The exercise comes during multiple cyberattacks in Japan, which have increasingly targeted sectors essential to daily life and economic activity. By simulating infrastructure disruptions, officials aim to identify vulnerabilities and establish a coordinated public-private response framework.  The exercise is designed around a scenario in which a sudden, large-scale power outage of unknown origin hits the Tokyo metropolitan area. Participants will simulate cascading disruptions affecting water supply, telecommunications, internet services, traffic networks, and railway operations. The goal is to replicate the chain reactions that could occur if Japan's cyberattacks multiple systems simultaneously.  If power outages are prolonged, healthcare facilities could face urgent challenges, including the care of patients dependent on ventilators or dialysis machines. Similarly, persistent traffic congestion could delay fuel deliveries, including gasoline and diesel, with serious repercussions for everyday life and commercial activity. 

Collaboration Between Public and Private Sectors 

The cybersecurity drill will involve key infrastructure sectors in Tokyo, including electricity, gas, telecommunications, healthcare, and finance. The National Security Secretariat and the Tokyo metropolitan government are leading the exercise, with participation from major private-sector operators. Officials hope the exercise will clarify existing coordination challenges and strengthen preparedness for real-world incidents.  By conducting its first public-private cyber drill, Japan seeks not only to test operational readiness but also to reinforce collaboration between government agencies and private infrastructure operators. The simulation emphasizes the need for real-time communication, rapid decision-making, and coordinated measures to mitigate the impact of cyber incidents. 

Strengthening Japan’s Cyber Resilience 

This marks an important step in Japan’s response to cyberattacks, particularly as the country has faced a series of incidents targeting critical infrastructure in recent years. Experts note that Japan, with its highly interconnected urban infrastructure, is particularly vulnerable to cyberattacks that can trigger cascading failures.   Disruptions in one sector, such as electricity, can quickly affect water distribution, transportation networks, healthcare facilities, and financial services. The Tokyo metropolitan area, as the nation’s economic and political center, is especially critical in this context.  As Japan faces new cyber threats from highly skilled cyber actors, exercises such as this one in Tokyo are expected to become a regular component of national cybersecurity strategy. Officials believe that repeated drills will help identify gaps, improve response protocols, and enhance resilience against future cyberattacks on Japan’s essential infrastructure. 

A new Android malware locks device screens and demands that users pay a ransom to keep their data from being deleted. Dubbed “DroidLock” by Zimperium researchers, the Android ransomware-like malware can also “wipe devices, change PINs, intercept OTPs, and remotely control the user interface, turning an infected phone into a hostile endpoint.” The malware detected by the researchers targeted Spanish Android users via phishing sites. Based on the examples provided, the French telecommunications company Orange S.A. was one of the companies impersonated in the campaign.

Android Malware DroidLock Uses ‘Ransomware-like Overlay’

The researchers detailed the new Android malware in a blog post this week, noting that the malware “has the ability to lock device screens with a ransomware-like overlay and illegally acquire app lock credentials, leading to a total takeover of the compromised device.” The malware uses fake system update screens to trick victims and can stream and remotely control devices via virtual network computing (VNC). The malware can also exploit device administrator privileges to “lock or erase data, capture the victim's image with the front camera, and silence the device.” The infection chain starts with a dropper that appears to require the user to change settings to allow unknown apps to be installed from the source (image below), which leads to the secondary payload that contains the malware. [caption id="attachment_107722" align="aligncenter" width="300"] The Android malware DroidLock prompts users for installation permissions (Zimperium)[/caption] Once the user grants accessibility permission, “the malware automatically approves additional permissions, such as those for accessing SMS, call logs, contacts, and audio,” the researchers said. The malware requests Device Admin Permission and Accessibility Services Permission at the start of the installation. Those permissions allow the malware to perform malicious actions such as:

• Wiping data from the device, “effectively performing a factory reset.”
• Locking the device.
• Changing the PIN, password or biometric information to prevent user access to the device.

Based on commands received from the threat actor’s command and control (C2) server, “the attacker can compromise the device indefinitely and lock the user out from accessing the device.”

DroidLock Malware Overlays

The DroidLock malware uses Accessibility Services to launch overlays on targeted applications, prompted by an AccessibilityEvent originating from a package on the attacker's target list. The Android malware uses two primary overlay methods:

• A Lock Pattern overlay that displays a pattern-drawing user interface (UI) to capture device unlock patterns.
• A WebView overlay that loads attacker-controlled HTML content stored locally in a database; when an application is opened, the malware queries the database for the specific package name, and if a match is found it launches a full-screen WebView overlay that displays the stored HTML.

The malware also uses a deceptive Android update screen that instructs users not to power off or restart their devices. “This technique is commonly used by attackers to prevent user interaction while malicious activities are carried out in the background,” the researchers said. The malware can also capture all screen activity and transmit it to a remote server by operating as a persistent foreground service and using MediaProjection and VirtualDisplay to capture screen images, which are then converted to a base64-encoded JPEG format and transmitted to the C2 server. “This highly dangerous functionality could facilitate the theft of any sensitive information shown on the device’s display, including credentials, MFA codes, etc.,” the researchers said. Zimperium has shared its findings with Google, so up-to-date Android devices are protected against the malware, and the company has also published DroidLock Indicators of Compromise (IoCs).

U.S. companies made more than $2 billion in ransomware payments between 2022 and 2024, nearly equaling the total ransoms paid in the previous nine years, according to a new report from the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN). The report, which looked at threat pattern and trend information identified in Bank Secrecy Act (BSA) filings, said that between Jan. 1, 2022 and Dec. 31, 2024, FinCEN received 7,395 BSA reports related to 4,194 ransomware incidents and totaling more than $2.1 billion in ransomware payments. In the previous nine years, from 2013 to 2021, FinCEN received 3,075 BSA reports totaling approximately $2.4 billion in ransomware payments, the report said. FinCEN notes that because its data is based on BSA filings, it is by nature incomplete, and indeed, the 4,194 ransomware incidents recorded by FinCEN between 2022 and 2024 is less than 40% of the nearly 11,000 ransomware attacks recorded in Cyble’s threat intelligence data over the same period.

ALPHV/BlackCat and LockBit Enforcement Actions Lowered Ransomware Payments

Ransomware incidents and payments reported to FinCEN reached an all-time high in 2023 of 1,512 incidents totaling approximately $1.1 billion in payments, an increase of 77 percent in payments from 2022. In 2024, incidents decreased slightly to 1,476 while total payments dropped to approximately $734 million. FinCEN attributed the decline in ransomware payments in 2024 to law enforcement disruption of the ALPHV/BlackCat and LockBit ransomware groups. However, LockBit is in the midst of its most significant comeback since the law enforcement actions disrupted the group, with 21 new victims claimed so far this month. Of the 267 ransomware variants identified during the reporting period, the most common variants were Akira, ALPHV/BlackCat, LockBit, Phobos, and Black Basta. However, Qilin has emerged as the top ransomware group in 2025 by a wide margin, so FinCEN’s 2025 BSA data will almost certainly change. Despite the decline in payments, the value of reported ransomware payments in 2024 was still the third-highest yearly total since the reports began in 2013. The median ransomware payment was $124,097 in 2022, $175,000 in 2023, and $155,257 in 2024. Between January 2022 and December 2024, the most common payment range was below $250,000.

Financial Services, Manufacturing and Healthcare Most Targeted Sectors

Measuring both the number of ransomware incidents and the amount of aggregate payments, the financial services, manufacturing and healthcare industries were the most affected during the report period. Between January 2022 and December 2024, the most commonly targeted industries by number of incidents identified in ransomware-related BSA reports were manufacturing (456 incidents), financial services (432 incidents), healthcare (389 incidents), retail (337 incidents), and legal services (334 incidents). Industries that paid the most in ransoms during the three-year period were financial services (approximately $365.6 million), healthcare (about $305.4 million), manufacturing (approximately $284.6 million), science and technology (about $186.7 million), and retail ($181.3 million). The Onion router (TOR) was the most common communication method used by ransomware groups. About 42 percent of BSA reports indicated the method that ransomware threat actors used to communicate with their targets. Among those reports, 67 percent indicated that ransomware actors used TOR, while 28 percent indicated that ransomware actors used email to communicate with their victims. Bitcoin (BTC) was the most common ransomware-related payment method, accounting for 97 percent of reported payments. Monero (XMR) was cited in two percent of BSA reports involving ransomware. FinCEN also identified several common money laundering typologies used by ransomware groups. Threat actors overwhelmingly collected payments in unhosted convertible virtual currency (CVC) wallets and “continued to exploit CVC exchanges for money laundering purposes after receiving payment,” the report said. Ransomware groups also used “several common preferred malicious cyber facilitators, such as shared initial access vendors,” FinCEN said.

U.S. and Canadian cybersecurity agencies are warning that China-sponsored threat actors are using BRICKSTORM malware to compromise VMware vSphere environments. “Once compromised, the cyber actors can use their access to the vCenter management console to steal cloned virtual machine (VM) snapshots for credential extraction and create hidden, rogue VMs,” CISA, the NSA and the Canadian Centre for Cyber Security warned in the advisory. Attacks have so far primarily targeted the government and IT sectors, the agencies said.

One PRC BRICKSTORM Malware Attack Lasted More Than a Year

CISA – the U.S. Cybersecurity and Infrastructure Security Agency – said it analyzed eight BRICKSTORM samples obtained from victim organizations, including one where CISA conducted an incident response engagement. While the analyzed samples were for VMware vSphere environments, there are also Windows versions of the malware, the agency said. In the incident response case, CISA said threat actors sponsored by the People’s Republic of China (PRC) gained “long-term persistent access” to the organization’s network in April 2024 and uploaded BRICKSTORM malware to a VMware vCenter server. The threat actors also accessed two domain controllers and an Active Directory Federation Services (ADFS) server, successfully compromising the ADFS server and exporting cryptographic keys. The threat actors used BRICKSTORM malware for persistent access “through at least Sept. 3, 2025,” the agency said. BRICKSTORM is an Executable and Linkable Format (ELF) Go-based backdoor. While samples may differ in function, “all enable cyber actors to maintain stealthy access and provide capabilities for initiation, persistence, and secure command and control (C2),” the agencies said. BRICKSTORM can automatically reinstall or restart if disrupted. It uses DNS-over-HTTPS (DoH) and mimics web server functionality “to blend its communications with legitimate traffic." The malware gives threat actors interactive shell access on the system and allows them to “browse, upload, download, create, delete, and manipulate files.” Some of the malware samples act as a SOCKS proxy to facilitate lateral movement and compromise additional systems.

PRC Hackers Got Access via a Web Server

CISA said that in its incident response engagement, the PRC hackers accessed a web server inside the organization’s demilitarized zone (DMZ) on April 11, 2024. The threat actors accessed it through a web shell present on the server. “Incident data does not indicate how they obtained initial access to the web server or when the web shell was implanted,” CISA said. On the same day, the hackers used service account credentials to move laterally using Remote Desktop Protocol (RDP) to a domain controller in the DMZ, where they copied the Active Directory (AD) database (ntds.dit). The following day, the hackers moved laterally from the web server to a domain controller within the internal network using RDP and credentials from a second service account. “It is unknown how they obtained the credentials,” CISA said. The hackers copied the AD database and obtained credentials for a managed service provider (MSP) account. Using the MSP credentials, the hackers moved from the internal domain controller to the VMware vCenter server. From the web server, the PRC hackers also moved laterally using Server Message Block (SMB) to two jump servers and an ADFS server, from which they stole cryptographic keys. After gaining access to vCenter, the hackers elevated privileges using the sudo command, dropped BRICKSTORM malware into the server’s /etc/sysconfig/ directory, and modified the system’s init file in /etc/sysconfig/ to run the malware. The modified init file controls the bootup process on VMware vSphere systems and executes BRICKSTORM, CISA said. The file is typically used to define visual variables for the bootup process. The hackers added an additional line to the script to execute BRICKSTORM from the hard-coded file path /etc/sysconfig/. CISA, NSA, and the Canadian Cyber Centre urged organizations to use the indicators of compromise (IOCs) and detection signatures in their lengthy report to detect BRICKSTORM malware samples. CISA also recommended that organizations block unauthorized DNS-over-HTTPS (DoH) providers and external DoH network traffic; inventory all network edge devices and monitor for suspicious network connectivity, and use network segmentation to restrict network traffic from the DMZ to the internal network.

A new Shai-Hulud supply chain attack has hit nearly 500 npm packages with a total of 132 million monthly downloads. The latest campaign follows one in September that infected nearly 200 npm packages with more than 2 billion weekly downloads. The new campaign targeting the packages used to run JavaScript outside of a browser was reported by Aikido and other security firms. Aikido noted that a total of 492 packages have been affected by the self-replicating worm, and more than 25,000 compromised repositories labeled “Sha1-Hulud: The Second Coming” have been created containing sensitive information like passwords, API keys, cloud tokens, and GitHub or npm credentials. “The timing is notable, given npm’s recent announcement that it will revoke classic tokens on December 9 after the wave of supply-chain attacks,” Aikido’s Charlie Eriksen said. “With many users still not migrated to trusted publishing, the attacker seized the moment for one more hit before npm’s deadline.”

Shai-Hulud Attack Affects Packages from Zapier, AsyncAPI and Others

Shai-Hulud, named after the giant sandworms from Dune, is a self-replicating npm worm built to spread quickly through compromised developer environments. The latest attack has hit major npm packages from the likes of Zapier, ENS, AsyncAPI, PostHog, Browserbase, and Postman. “Once it infects a system, it searches for exposed secrets such as API keys and tokens using TruffleHog and publishes anything it finds to a public GitHub repository,” Eriksen said. “It then attempts to push new copies of itself to npm, helping it propagate across the ecosystem, while exfiltrating data back to the attacker.” If a developer installs one of these malcicious packages, the malware runs quietly during installation before anything even finishes installing, giving the malware access to the developer’s machine, build systems, or cloud environment, he said. If stolen secrets include access to code repositories or package registries, attackers can use those secrets to break into additional accounts and publish more malicious packages, spreading the attack even further. “Because trusted ecosystems were involved and millions of downloads are affected, any team using NPM should immediately check whether they were impacted and rotate any credentials that may have leaked,” Eriksen said.

Shai-Hulud Worm Details

Ashish Kurmi of Step Security noted that the latest evolution of the malware “disguises the entire payload as a helpful Bun installer.” The core payload - bun_environment.js - is 10MB and uses “extreme obfuscation techniques,” Kurmi added. These include “a massive hex-encoded string array containing thousands of entries,” an anti-analysis loop “that performs millions of arithmetic operations,” and every string in the code is retrieved through an obfuscated function. The malware delays full execution on developer machines by “forking itself into the background,” Kurmi said. “The user’s terminal returns instantly, giving the illusion of a normal install, while seconds later a completely detached process begins exfiltration.” “It executes a sophisticated, multi-stage pre-install attack that targets both CI/CD runners and developer workstations with equal effectiveness,” Kurmi said. Wiz noted that the malware targets AWS, Azure and Google Cloud Platform (GCP) by “bundling official SDKs to operate independently of host tools.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added an Oracle Identity Manager vulnerability to its Known Exploited Vulnerabilities database after the SANS Internet Storm Center reported attack attempts on the flaw. CVE-2025-61757 is a 9.8-severity Missing Authentication for Critical Function vulnerability in the Identity Manager product of Oracle Fusion Middleware that was patched as part of Oracle’s October update and detailed in a blog post last week by Searchlight Cyber, which had discovered the vulnerability and reported it to Oracle. Following the Searchlight post, the SANS Internet Storm Center looked for exploitation attempts on the vulnerability and found evidence as far back as August 30. “Given the complexity of some previous Oracle Access Manager vulnerabilities, this one is somewhat trivial and easily exploitable by threat actors,” Searchlight Cyber said in its post. Cyble threat intelligence researchers had flagged the vulnerability as important following Oracle’s October update.

Oracle Identity Manager Vulnerability CVE-2025-61757 Explained

CVE-2025-61757 affects the REST WebServices component of Identity Manager in Oracle Fusion Middleware versions 12.2.1.4.0 and 14.1.2.1.0. The easily exploitable pre-authentication remote code execution (RCE) vulnerability could allow an unauthenticated attacker with network access via HTTP to compromise Identity Manager. Successful attacks of the vulnerability can result in takeover of Identity Manager. The Searchlight researchers began looking for vulnerabilities after an Oracle Cloud breach earlier this year exploited a host that Oracle had failed to patch for CVE-2021-35587. In the source code for the Oracle Identity Governance Suite, the researchers found that that the application compiles Groovy script but doesn’t execute it. Taking inspiration from a previous Java capture the flag (CTF) event, they noted that Java annotations are executed at compile time, not at run time, so they are free from the constraints of the Java security manager and can call system functions and read files just like regular Java code. “Since Groovy is built on top of Java, we felt we should be able to write a Groovy annotation that executes at compile time, even though the compiled code is not actually run,” they said. After experimenting with the code, they achieved RCE. “The vulnerability our team discovered follows a familiar pattern in Java: filters designed to restrict authentication often contain easy-to-exploit authentication bypass flaws,” the Searchlight researchers said. “Logical flaws in how Java interprets request URIs are a gift that continues giving when paired with matrix parameters. “Participating in CTFs, or even staying up to date with research in the CTF space, continues to pay dividends, giving us unique insights into how we can often turn a seemingly unexploitable bug into an exploitable one.”

Oracle EBS Victims Climb Past 100

Meanwhile, the number of victims from the CL0P ransomware group’s exploitation of Oracle E-Business Suite vulnerabilities has now climbed past 100 after the threat group claimed additional victims late last week. Mazda and Cox Enterprises are the latest to confirm being breached, bringing the confirmed total to seven so far. Mazda said it was able to contain the breach without system or data impact, but Cox said the personal data of more than 9,000 was exposed.

Two alleged members of the Scattered Spider threat group pled not guilty today to charges related to a cyberattack on Transport for London in August 2024. Thalha Jubair, 19, of east London, and Owen Flowers, 18, from Walsall in the West Midlands, were arrested in the UK in September. They appeared before Southwark Crown Court today and entered not guilty pleas to charges of conspiring to commit unauthorized acts against computer systems belonging to Transport for London (TfL), according to news reports. Sky News reported that the two “stood in the dock together and spoke only to confirm their names and enter not guilty pleas.” The charge states in part that the two are accused of "causing, or creating a significant risk of, serious damage to human welfare and intending to cause such damage or being reckless as to whether such damage was caused. Flowers is also accused of unauthorized acts against computer systems belonging to SSM Health, and attempting to commit unauthorized acts against computer systems belonging to Sutter Health. Jubair is also accused of failing to disclose the pin or passwords for devices seized from him in March 2025, and Jubair also faces substantial charges in the U.S. Both men continue to be held on remand, the BBC reported.

Scattered Spider Trial Date Set

A provisional trial date has been set for June 8, 2026, at Southwark Crown Court, with a pre-trial hearing scheduled for February 13. The cyberattack allegedly caused £39m of damage and disrupted TfL services for three months. While transport itself was unaffected, many TfL online services and information boards were knocked offline as part of the attack. Traffic cameras and "dial a ride" bookings were some of the affected services, and some payment systems were also affected. Personal data including names, emails and home addresses were accessed, and TfL was forced to inform thousands of customers that there may have been unauthorized access to personal information that may have included bank account numbers and sort codes.

Jubair Faces U.S. Charges Too

Jubair has also been charged by the U.S. Department of Justice (DoJ) for conspiracies to commit computer fraud, wire fraud, and money laundering in relation to at least 120 computer network intrusions and extortion involving 47 U.S. entities. The unsealed U.S. complaint alleged that Jubair’s victims paid at least $115 million in ransom payments. The U.S. claims Jubair could face up to 95 years in prison on the charges. Scattered Spider recently joined with ShinyHunters and LAPSUS$ to form the Scattered LAPSUS$ Hunters threat collective, which remains active, that Recent attacks by the group have targeted Salesforce data, including one involving the Gainsight customer success platform this week. Scattered LAPSUS$ Hunters also claims to have been behind an insider attack at security vendor CrowdStrike, according to Bleeping Computer, although CrowdStrike says its systems and customer data were not affected by the incident.

Compromised VPN credentials are the most common initial access vector for ransomware attacks, according to a new report. Nearly half of ransomware attacks in the third quarter abused compromised VPN credentials as the initial access point, according to research from Beazley Security, the cybersecurity arm of Beazley Insurance. Nearly a quarter of initial access attacks came from external service exploitation, while remote desktop service (RDS) credential compromises, supply chain attacks and social engineering accounted for 6% each (chart below). [caption id="attachment_106993" align="aligncenter" width="480"] Initial access vectors in ransomware attacks (Beazley Security)[/caption] “This trend underscores the importance of ensuring that multifactor authentication (MFA) is configured and protecting remote access solutions and that security teams maintain awareness and compensating controls for any accounts where MFA exceptions have been put in place,” the report said. In addition to the critical need for MFA, the report also underscores the importance of dark web monitoring for leaked credentials, which are often a precursor to much bigger cyberattacks.

SonicWall Compromises Led Attacks on VPN Credentials

A “prolonged campaign” targeting SonicWall devices by the Akira ransomware group was responsible for some of the 10-point increase in the percentage of VPN attacks. “Adding to SonicWall’s misery this quarter was a significant breach of their cloud service, including sensitive configuration backups of client SonicWall devices,” the report added. Akira, Qilin and INC were by far the most active ransomware groups in the third quarter, Beazley said – and all three exploit VPN and remote desktop credentials. Akira “typically gains initial access by exploiting weaknesses in VPN appliances and remote services,” the report said. In the third quarter, they used credential stuffing and brute force attacks to target unpatched systems and weak credentials. Akira accounted for 39% of Beazley Security incident response cases in the third quarter. Akira “consistently gained access by using valid credentials in credential stuffing attacks against SonicWall SSLVPN services, exploiting weak access controls such as absent MFA and insufficient lockout policies on the device,” the report said. Qilin’s initial access techniques include phishing emails, malicious attachments, and brute forcing weak credentials or stolen credentials in remote desktop protocol (RDP) and VPN services. INC Ransomware uses a combination of phishing, credential theft, and exploitation of exposed enterprise appliances for initial access. “Beazley Security responders observed the group leverage valid, compromised credentials to access victim environments via VPN and Remote Desktop,” the report said.

Cisco, Citrix Vulnerabilities, SEO Poisoning Also Exploited

Critical vulnerabilities in Cisco and Citrix NetScaler were also targeted by attackers in the third quarter. In one campaign, a sophisticated threat actor leveraged CVE-2025-20333 and CVE-2025-20363 in Cisco ASA VPN components to gain unauthorized access into environments, Beazley said. Another campaign targeted a critical SNMP flaw (CVE-2025-20352) in Cisco IOS.‍ Threat actors also targeted Citrix NetScaler vulnerabilities CVE-2025-7775 and CVE-2025-5777. The latter has been dubbed “Citrix Bleed 2” because of similarities to 2023’s “Citrix Bleed” vulnerability (CVE-2023-4966). A “smaller yet noteworthy subset” of ransomware attacks gained access via search engine optimization (SEO) poisoning attacks and malicious advertisements, used for initial access in some Rhysida ransomware attacks. “This technique places threat actor-controlled websites at the top of otherwise trusted search results, tricking users into downloading fake productivity and administrative tools such as PDF editors,” the report said. “These tools can be trojanized with various malware payloads, depending on threat actor objectives, and can potentially give threat actors a foothold directly on the endpoint in a network. The attack is effective because it bypasses other traditional social engineering protections like email filters that prevent phishing attacks.”