2026-01-13 AI创业新闻

n8n Supply Chain Attack Abuses Community Nodes to Steal OAuth Tokens

Threat actors have been observed uploading a set of eight packages on the npm registry that masqueraded as integrations targeting the n8n workflow automation platform to steal developers’ OAuth credentials. One such package, named “n8n-nodes-hfgjf-irtuinvcm-lasdqewriit,” mimics a Google Ads integration, and prompts users to link their advertising account in a seemingly legitimate form and then siphon it to servers under the attackers’ control. “The attack represents a new escalation in supply chain threats,” Endor Labs said in a report published last week. “Unlike traditional npm malware, which often targets developer credentials, this campaign exploited workflow automation platforms that act as centralized credential vaults – holding OAuth tokens, API keys, and sensitive credentials for dozens of integrated services like Google Ads, Stripe, and Salesforce in a single location.” The complete list of identified packages, which have since been removed, is as follows - n8n-nodes-hfgjf-irtuinvcm-lasdqewriit (4,241 downloads, author: kakashi-hatake) n8n-nodes-ggdv-hdfvcnnje-uyrokvbkl (1,657 downloads, author: kakashi-hatake) n8n-nodes-vbmkajdsa-uehfitvv-ueqjhhhksdlkkmz (1,493 downloads, author: kakashi-hatake) n8n-nodes-performance-metrics (752 downloads, author: hezi109) n8n-nodes-gasdhgfuy-rejerw-ytjsadx (8,385 downloads, author: zabuza-momochi) n8n-nodes-danev (5,525 downloads, author: dan_even_segler) n8n-nodes-rooyai-model (1,731 downloads, author: haggags) n8n-nodes-zalo-vietts (4,241 downloads, authors: vietts_code and diendh) The users “zabuza-momochi,” “dan_even_segler,” and “diendh” have also been linked to other libraries that are still available for download as of writing - n8n-nodes-gg-udhasudsh-hgjkhg-official (2,863 downloads) n8n-nodes-danev-test-project (1,259 downloads) @diendh/n8n-nodes-tiktok-v2 (218 downloads) n8n-nodes-zl-vietts (6,357 downloads) It’s not clear if they harbor similar malicious functionality.

However, an assessment of the first three packages on ReversingLabs Spectra Assure has uncovered no security issues. In the case of “n8n-nodes-zl-vietts,” the analysis has flagged the library as containing a component with malware history. Interestingly, an updated version of the package “n8n-nodes-gg-udhasudsh-hgjkhg-official” was published to npm just three hours ago, suggesting that the campaign is possibly ongoing. The malicious package, once installed as a community node , behaves like any other n8n integration, displaying configuration screens and saving the Google Ads account OAuth tokens in encrypted format to the n8n credential store.

When the workflow is executed, it runs code to decrypt the stored tokens using n8n’s master key and exfiltrates them to a remote server. The development marks the first time a supply chain threat has explicitly targeted the n8n ecosystem, with bad actors weaponizing the trust in community integrations to achieve their goals. The findings highlight the security issues that come with integrating untrusted workflows, which can expand the attack surface. Developers are recommended to audit packages before installing them, scrutinize package metadata for any anomalies, and use official n8n integrations.

N8n has also warned about the security risk arising from the use of community nodes from npm, which it said can execute malicious actions on the machine that the service runs on. On self-hosted n8n instances, it’s advised to disable community nodes by setting N8N_COMMUNITY_PACKAGES_ENABLED to false. “Community nodes run with the same level of access as n8n itself. They can read environment variables, access the file system, make outbound network requests, and, most critically, receive decrypted API keys and OAuth tokens during workflow execution,” researchers Kiran Raj and Henrik Plate said.

“There is no sandboxing or isolation between node code and the n8n runtime.” “Because of this, a single malicious npm package is enough to gain deep visibility into workflows, steal credentials, and communicate externally without raising immediate suspicion. For attackers, the npm supply chain offers a quiet and highly effective entry point into n8n environments.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

⚡ Weekly Recap: AI Automation Exploits, Telecom Espionage, Prompt Poaching & More

This week made one thing clear: small oversights can spiral fast. Tools meant to save time and reduce friction turned into easy entry points once basic safeguards were ignored. Attackers didn’t need novel tricks. They used what was already exposed and moved in without resistance.

Scale amplified the damage. A single weak configuration rippled out to millions. A repeatable flaw worked again and again. Phishing crept into apps people rely on daily, while malware blended into routine system behavior.

Different victims, same playbook: look normal, move quickly, spread before alarms go off. For defenders, the pressure keeps rising. Vulnerabilities are exploited almost as soon as they surface. Claims and counterclaims appear before the facts settle.

Criminal groups adapt faster each cycle. The stories that follow show where things failed—and why those failures matter going forward. ⚡ Threat of the Week Maximum Severity Security Flaw Disclosed in n8n — A maximum-severity vulnerability in the n8n workflow automation platform permits unauthenticated remote code execution and potential full system compromise. The flaw, referred to as Ni8mare and tracked as CVE‑2026‑21858, affects locally deployed instances running versions prior to 1.121.0.

The issue stems from how n8n handles incoming data, offering a direct path from an external, unauthenticated request to compromise the automation environment. The disclosure of CVE‑2026‑21858 follows several other high‑impact vulnerabilities publicized over the past two weeks, including CVE‑2026‑21877, CVE‑2025‑68613, and CVE‑2025‑68668. The problem appears in Form-based workflows where file-handling functions are executed without first validating that the request was actually processed as “multipart/form-data.” This loophole allows an attacker to send a specially crafted request using a non-file content type while crafting the request body to mimic the internal structure expected for uploaded files. Because the parsing logic does not verify the format of the incoming data, it enables an attacker to access arbitrary file paths on the n8n host and even escalate it to code execution.

“The impact extends to any organization using n8n to automate workflows that interact with sensitive systems,” Field Effect said . “The worst‑case scenario involves full system compromise and unauthorized access to connected services.” However, Horizon3.ai noted that successful exploitation requires a combination of pre-requisites that are unlikely to be found in most real-world deployments: An n8n form component workflow that’s publicly accessible without authentication and a mechanism to retrieve the local files from the n8n server. As of January 11, 2026, there are about 59,500 internet-exposed hosts that are still vulnerable to CVE-2026-21858. More than 27,000 IP addresses are located in the U.S.

and over 21,200 in Europe. Protect Critical Data in AI Workflows Stop data breaches before they happen. Airia offers advanced solutions to ensure your AI models remain secure, reliable, and compliant in today’s fast-evolving landscape. Discover More ➝ 🔔 Top News Kimwolf Botnet Infects 2M Android Devices — The Kimwolf botnet, an Android variant of the Aisuru malware, has grown to more than two million hosts, most of them infected by exploiting vulnerabilities in residential proxy networks to target devices on internal networks.

Kimwolf’s rapid growth is largely fueled by its abuse of residential proxy networks to reach vulnerable Android devices. Specifically, the malware takes advantage of proxy providers that permit access to local network addresses and ports, allowing direct interaction with devices running on the same internal network as the proxy client. Starting on November 12, 2025, Synthient observed elevated activity scanning for unauthenticated ADB services exposed through proxy endpoints, targeting ports 5555, 5858, 12108, and 3222. The Android Debug Bridge (ADB) is a development and debugging interface that allows installing and removing apps, running shell commands, transferring files, and debugging Android devices.

When exposed over a network, ADB can allow unauthorized remote connections to modify or take control of Android devices. When reachable, botnet payloads were delivered via netcat or telnet, piping shell scripts directly into the exposed device for local execution. China-Linked Hackers Likely Developed Exploit for Trio of VMware Flaws in 2024 — Chinese-speaking threat actors are suspected to have leveraged a compromised SonicWall VPN appliance as an initial access vector to deploy a VMware ESXi exploit that may have been developed more than a year before a set of three flaws it relied on were made public. The attack is believed to have exploited three VMware vulnerabilities that were disclosed as zero-days by Broadcom in March 2025: CVE-2025-22224 (CVSS score: 9.3), CVE-2025-22225 (CVSS score: 8.2), and CVE-2025-22226 (CVSS score: 7.1).

Successful exploitation of the issue could permit a malicious actor with admin privileges to leak memory from the Virtual Machine Executable (VMX) process or execute code as the VMX process. The attackers disabled VMware’s own drivers, loaded unsigned kernel modules, and phoned home in ways designed to go unnoticed. The toolkit supported a wide range of ESXi versions, spanning over 150 builds, which would have allowed the attackers to hit a broad range of environments. Huntress, which observed the activity in December 2025, said there is no evidence to suggest that the toolkit was advertised or sold on dark web forums, adding that it was deployed in a targeted manner.

China-Linked UAT-7290 Targets Telecoms with Linux Malware — A long-running cyber-espionage campaign targeting high-value telecommunications infrastructure in South Asia has been attributed to a sophisticated threat actor tracked as UAT-7290. The activity cluster, which has been active since at least 2022, primarily focuses on extensive technical reconnaissance of target organizations before initiating attacks, ultimately leading to the deployment of malware families such as RushDrop, DriveSwitch, and SilentRaid. The campaign highlights the sustained focus on telecommunications networks in South Asia and underscores the strategic value of these environments to advanced threat actors. Two Malicious Chrome Extensions Caught Prompt Poaching — Two new malicious extensions on the Chrome Web Store, Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI, and AI Sidebar with DeepSeek, ChatGPT, Claude, and more, were found to exfiltrate OpenAI ChatGPT and DeepSeek conversations alongside browsing data to servers under the attackers’ control.

The technique of browser extensions to stealthily capture AI conversations has been codenamed Prompt Poaching. The extensions, which were collectively installed 900,000 times, have since been removed by Google. PHALT#BLYX Targets Hospitality Sector in Europe — A new multi-stage malware campaign targeting hospitality organizations in Europe using social engineering techniques such as fake CAPTCHA prompts and simulated Blue Screen of Death (BSoD) errors to trick users into manually executing malicious code under the guise of reservation-cancellation lures. Dubbed PHALT#BLYX, the campaign represents an evolution from earlier, less evasive techniques.

Previous versions relied on HTML Application files and mshta.exe. The latest iteration, detected in late December 2025, instead abuses MSBuild.exe, a trusted Microsoft utility, to compile and execute a malicious project file. This living-off-the-land (LotL) approach enables the malware to bypass many endpoint security controls and deliver a heavily obfuscated variant of DCRat. The activity is assessed to be the work of Russian-speaking threat actors.

The attacks leverage a social engineering tactic called ClickFix, where users are tricked into manually executing seemingly harmless commands that actually install malware. It operates by deceiving users into taking an action to “fix” a non-existent issue by either automatically or manually copying and pasting a malicious command into their terminal or Run dialog. ‎️‍🔥 Trending CVEs Hackers act fast. They can use new bugs within hours.

One missed update can cause a big breach. Here are this week’s most serious security flaws. Check them, fix what matters first, and stay protected. This week’s list includes — CVE-2026-21858 , CVE-2026-21877 , CVE-2025-68668 (n8n), CVE-2025-69258, CVE-2025-69259, CVE-2025-69260 (Trend Micro Apex Central), CVE-2026-20029 (Cisco Identity Services Engine), CVE-2025-66209, CVE-2025-66210, CVE-2025-66211, CVE-2025-66212, CVE-2025-66213, CVE-2025-64419, CVE-2025-64420, CVE-2025-64424, CVE-2025-59156, CVE-2025-59157, CVE-2025-59158 (Coolify), CVE-2025-59470 (Veeam Backup & Replication), CVE-2026-0625 (D-Link DSL gateway routers), CVE-2025-65606 (TOTOLINK EX200), CVE-2026-21440 (@adonisjs/bodyparser), CVE-2025-68428 (jsPDF), CVE-2025-69194 (GNU Wget2), CVE-2025-43530 (Apple macOS Tahoe), CVE-2025-54957 (Google Android), CVE-2025-14026 (Forcepoint One DLP Client), CVE-2025-66398 (Signal K Server), CVE-2026-21483 (listmonk), CVE-2025-34468 (libcoap), CVE-2026-0628 (Google Chrome), CVE-2025-67859 (Linux TLP), CVE-2025-9222, CVE-2025-13761, CVE-2025-13772 (GitLab CE/EE), CVE-2025-12543 (Undertow HTTP server core), CVE-2025-14598 (BeeS Examination Tool), CVE-2026-21876 (OWASP Core Rule Set), CVE-2026-22688 (Tencent WeKnora), CVE-2025-61686 (@react-router/node, @remix-run/node, and @remix-run/deno), and CVE-2025-54322 (Xspeeder SXZOS).

📰 Around the Cyber World India Denies it Plans to Demand Smartphone Source Code — India’s Press Information Bureau (PIB) has refuted a report from Reuters that said the Indian government has proposed rules requiring smartphone makers to share source code with the government and make several software changes as part of a raft of security measures to tackle online fraud and data breaches. Some of the key requirements mentioned in the report included preventing apps from accessing cameras, microphones or location services in the background when phones are inactive, periodically displaying warnings prompting users to review all app permissions, storing security audit logs, including app installations and login attempts, for 12 months, periodically scanning for malware and identify potentially harmful applications, making all pre-installed apps bundled with the phone operating system, except those essential for basic phone functions, deletable, notifying a government organization before releasing any major updates or security patches, detecting if a device has been rooted or jailbroken, and blocking installation of older software versions. The PIB said , “The Government of India has NOT proposed any measure to force smartphone manufacturers to share their source code,” adding, “The Ministry of Electronics and Information Technology has started the process of stakeholders’ consultations to devise the most appropriate regulatory framework for mobile security. This is a part of regular and routine consultations with the industry for any safety or security standards.

Once a stakeholder consultation is done, then various aspects of security standards are discussed with the industry.” It also said no final regulations have been framed, adding the government has been engaging with the industry to better understand technical and compliance burden and best international practices, which are adopted by the smartphone manufacturers. Meta Says There was No Instagram Breach — Meta said it fixed an issue that “let an external party request password reset emails for some people.” It said there is no breach of its system and user accounts are secure. The development comes after security software vendor Malwarebytes claimed , “Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more.” This data is available for free on numerous hacking forums, with the poster claiming it was gathered through an unconfirmed 2024 Instagram API leak. However, the cybersecurity community has shared evidence suggesting the scraped data may have been collected in 2022.

8.1M Attack Sessions Related to React2Shell — Threat intelligence firm GreyNoise said it recorded over 8.1 million attack sessions since the initial disclosure of React2Shell last month, with “daily volumes stabilizing in the 300,000–400,000 range after peaking above 430,000 in late December.” As many as 8,163 unique source IPs across 1,071 ASNs spanning 101 countries have participated in the efforts. “The geographic and network distribution confirms broad adoption of this exploit across diverse threat actor ecosystems,” it said. “The campaign has produced over 70,000 unique payloads, indicating continued experimentation and iteration by attackers.” Salt Typhoon Linked to New U.S. Hacks — Chinese hacking group Salt Typhoon is alleged to have hacked the email systems used by congressional staff on multiple committees in the U.S.

House of Representatives, according to a report from Financial Times. “Chinese intelligence accessed email systems used by some staffers on the House China committee in addition to aides on the foreign affairs committee, intelligence committee, and armed services committee, according to people familiar with the attack,” it said. “The intrusions were detected in December.” Russian Basketball Player Accused of Ransomware Ties Freed in Prisoner Swap — A Russian basketball player accused of being involved in a ransomware gang was freed in a prisoner exchange between Russia and France. Daniil Kasatkin, 26, was arrested in July 2025 shortly after arriving in France with his fiancée.

He is alleged to have been involved in a ransomware group that allegedly targeted nearly 900 entities between 2020 and 2022. While the name of the ransomware gang was not revealed, it’s believed to be the now-defunct Conti group. Kasatkin’s lawyer said he was not involved in ransomware attacks and claimed the accusations related to a second-hand computer he purchased. Illicit Crypto Activity Reaches Record $158B in 2025 — Illicit cryptocurrency activity reached an all-time high of $158 billion in 2025, up nearly 145% from 2024, according to TRM Labs.

Despite this surge, the activity has continued to decline as a share of overall cryptocurrency activity, declining from 1.3% in 2024 to 1.2% in 2025. “Inflows to sanctioned entities and jurisdictions rose sharply in 2025, led by USD 72 billion received by the A757 token , followed by an additional USD 39 billion sent to the A7 wallet cluster,” the blockchain intelligence firm said . “This growth was highly concentrated: more than 80% of sanctions-linked volume was connected to Russia-linked entities, including Garantex, Grinex, and A7.” A7 is assessed to operate as a hub connecting Russia-linked actors with counterparties across China, Southeast Asia, and Iran-linked networks. “The spike in illicit volume doesn’t reflect a failure of enforcement — it reflects a maturing ecosystem and better visibility,” said Ari Redbord, Global Head of Policy at TRM Labs.

“Crypto has moved from novelty to durable financial infrastructure, and illicit actors — including geopolitical actors – are operating within it the same way they do in traditional finance: persistently, at scale, and increasingly exposed.” In a related report, Chainalysis said illicit cryptocurrency addresses received at least $154 billion in 2025, a 162% increase year-over-year, with Chinese money laundering networks operated by criminal syndicates behind scam operations emerging as a prominent player in the illicit on-chain ecosystem. China Tightens Oversight of Personal Data Collection on Internet — China has issued draft regulations for the governance of personal information collection from the internet and its use, as part of its efforts to safeguard users’ rights and promote transparency. “The collection and use of personal information shall follow the principles of legality, legitimacy, necessity, and integrity, and shall not collect and use personal information through misleading, fraud, coercion, and other means,” the draft rules released by the Cyberspace Administration of China (CAC) on January 10, 2026, state. “The collection and use of personal information shall fully inform the subject of the collection and use of personal information and obtain the consent of the subject of the personal information; the collection and use of sensitive personal information shall obtain the separate consent of the subject of the personal information.” In addition, app developers are responsible for maintaining the security and compliance, and ensuring that camera and microphone permissions are accessed only when taking photos, or making video or audio recordings.

Security Flaw in Kiro GitLab Merge Request Helper — A high-severity vulnerability has been disclosed in Kiro’s GitLab Merge Request Helper (CVE-2026-0830, CVSS score: 8.4) that could result in arbitrary command injection when opening a maliciously crafted workspace in the agentic IDE. “This may occur if the workspace has specially crafted folder names within the workspace containing injected commands,” Amazon said . The issue has been addressed in version 0.6.18. Security researcher Dhiraj Mishra, who reported the flaw in October 2025, said it can be abused to run arbitrary commands on the developer’s machine by taking advantage of the fact that GitLab Merge Request Helper passes repository paths to a sub-process without enclosing them in quotes, enabling an attacker to incorporate shell meta-characters and achieve command execution.

Phishing Attacks Leverage WeChat in China-Linked Fraud Operations — KnowBe4 said it has observed a spike in phishing emails targeting the U.S. and EMEA that use WeChat “Add Contact” QR code lures, jumping from only 0.04% in 2024 to 5.1% by November 2025. “While the overall volume remains relatively low, this represents a 3,475% increase across these regions,” it said . “Additionally, 61.7% of these phishing emails were written in English, and a further 6.5% were in languages other than Chinese or English, indicating a growing and targeted diversification.” In these high-volume phishing schemes, emails centered around job opportunity themes urge recipients to scan an embedded QR code to add an HR representative on WeChat.

The emails are sent using a mass mailer toolkit that uses spoofed domains and Base64-encoding to evade spam filters. Should a victim fall for the bait and add them on WeChat, the threat actors build rapport with them before carrying out financially motivated scams. “These monetary transfers take place via WeChat Pay, which offers a fast payment service that’s difficult to trace and reverse,” KnowBe4 said. “The platform also provides a largely closed ecosystem.

Identity details and conversation histories exist inside Tencent’s environment, which can make cross-border investigation and recovery slow.” Phishing Campaign Delivers GuLoader — A new phishing campaign disguised as an employee performance report is being used to deliver a malware loader called GuLoader , which then deploys a known remote access trojan known as Remcos RAT . “It allows threat actors to perform malicious remote control behaviors such as keylogging, capturing screenshots, controlling webcams and microphones, as well as extracting browser histories and passwords from the installed system,” AhnLab said. The development comes as WebHards impersonating adult video games have been employed to propagate Quasar RAT (aka xRAT) in attacks targeting South Korea. Critical Vulnerability in zlib — A critical security flaw in zlib’s untgz utility ( CVE-2026-22184 , CVSS score: 9.3) could be exploited to achieve a buffer overflow, resulting in an out-of-bounds write that can lead to memory corruption, denial of service, and potentially code execution depending on compiler, architecture, build flags, and memory layout.

The issue affects zlib versions up to and including 1.3.1.2. “A global buffer overflow vulnerability exists in the TGZfname() function of the zlib untgz utility due to the use of an unbounded strcpy() call on attacker-controlled input,” researcher Ronald Edgerson said . “The utility copies a user-supplied archive name (argv[arg]) into a fixed-size static global buffer of 1024 bytes without performing any length validation. Supplying an archive name longer than 1024 bytes results in an out-of-bounds write past the end of the global buffer, leading to memory corruption.” BreachForums Database Leaked — The website “shinyhunte[.]rs”, named after the ShinyHunters extortion gang, has been updated to leak a database containing all records of users associated with BreachForums , which emerged in 2022 as a replacement for RaidForums, and has since cycled through different iterations.

In April 2025, ShinyHunters shut down BreachForums, citing an alleged zero-day vulnerability in MyBB . Subsequently, the threat actor also claimed the site had been turned into a honeypot. The database includes metadata of 323,986 users. “The database could be acquired as a result of a web application vulnerability in a CMS or through possible misconfiguration,” Resecurity said .

“This incident proved that data breaches are possible not only with legitimate businesses but also with cybercriminal resources generating damage and operating on the dark web, which can have a much greater positive impact.” Accompanying the database is a lengthy manifesto written by “James,” who names several individuals and their aliases: Dorian Dali (Kams), Ojeda Nahyl (N/A, Indra), Ali Aboussi, Rémy Benhacer, Nassim Benhaddou, Gabriel Bildstein, and MANA (Mustapha Usman). An analysis of the data has revealed that the majority of actors were identified as originating from the U.S., Germany, the Netherlands, France, Turkey, the U.K., as well as the Middle East and North Africa, including Morocco, Jordan, and Egypt. In a statement posted on BreachForums website (“breachforums[.]bf”), its current administrator N/A described James as a former ShinyHunters member and that the data originates from a leak dating back to August 2025 when the forum was being restored from the “.hn” domain. In another message shared on “shinyhunte[.]rs” in December 2025, James was outed as a “Frenchman” and a “former associate who operated in the shadows to organize ransomware attacks, particularly the one targeting Salesforce without the approval of the other members.” 🎥 Cybersecurity Webinars Stop Guessing Your SOC Strategy: Learn What to Build, Buy, or Automate — Modern SOC teams are overloaded with tools, noise, and promises that don’t translate into results, making it hard to know what to build, buy, or automate.

In this session, AirMDR CEO Kumar Saurabh and SACR CEO Francis Odum cut through the clutter with a practical, vendor-neutral look at SOC operating models, maturity, and real-world decision frameworks—leaving teams with a clear, actionable path to simplify their stack and make their SOC work more effectively. How Top MSSPs Are Using AI to Grow in 2026: Learn Their Formula — By 2026, MSSPs are under pressure to do more with less, and AI is becoming the edge that separates those who scale from those who stall. This session explores how automation reduces manual work, improves margins, and enables growth without adding headcount, with real-world insights from Cynomi founder David Primor and Secure Cyber Defense CISO Chad Robinson on turning expertise into repeatable, high-value services. 🔧 Cybersecurity Tools ProKZee — It is a cross-platform desktop tool for capturing, inspecting, and modifying HTTP/HTTPS traffic.

Built with Go and React, it’s fast, clean, and runs on Windows, macOS, and Linux. It includes a built-in fuzzer, request replay, Interactsh support for out-of-band testing, and AI-assisted analysis via ChatGPT. Full Docker support keeps setup and development simple for security researchers and developers. Portmaster — It is a free, open-source firewall and privacy tool for Windows and Linux that shows and controls all system network connections.

Built by Safing in Austria, it blocks trackers, malware, and unwanted traffic at the packet level, routes DNS securely via DoH/DoT, and offers per-app rules, privacy filtering, and an optional multi-hop Safing Privacy Network, without relying on third-party clouds. STRIDE GPT — It is an open-source AI-based threat modeling framework that automates the STRIDE method to identify risks and attack paths in modern systems. It supports GenAI and agent-based applications, aligns with the OWASP LLM and Agentic Top 10, detects RAG and multi-agent architectures, and produces clear attack trees with mitigation guidance—connecting traditional threat modeling with AI-era security risks. Disclaimer: These tools are for learning and research only.

They haven’t been fully tested for security. If used the wrong way, they could cause harm. Check the code first, test only in safe places, and follow all rules and laws. Conclusion Seen together, these updates show how quickly familiar systems turn risky when trust isn’t questioned.

Most of the damage didn’t begin with clever exploits. It began with ordinary tools quietly doing more than anyone expected. It rarely takes a dramatic failure. A missed patch.

An exposed service. A routine click that slips through. Multiply those small lapses, and the impact spreads faster than teams can contain it. The lesson is straightforward.

Today’s threats grow out of normal operations, moving at speed and scale. The advantage comes from spotting where that strain is building before it breaks. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

GoBruteforcer Botnet Targets Crypto Project Databases by Exploiting Weak Credentials

A new wave of GoBruteforcer attacks has targeted databases of cryptocurrency and blockchain projects to co-opt them into a botnet that’s capable of brute-forcing user passwords for services such as FTP, MySQL, PostgreSQL, and phpMyAdmin on Linux servers. “The current wave of campaigns is driven by two factors: the mass reuse of AI-generated server deployment examples that propagate common usernames and weak defaults, and the persistence of legacy web stacks such as XAMPP that expose FTP and admin interfaces with minimal hardening,” Check Point Research said in an analysis published last week. GoBruteforcer, also called GoBrut, was first documented by Palo Alto Networks Unit 42 in March 2023, documenting its ability to target Unix-like platforms running x86, x64, and ARM architectures to deploy an Internet Relay Chat (IRC) bot and a web shell for remote access, along with fetching a brute-force module to scan for vulnerable systems and expand the botnet’s reach. A subsequent report from the Black Lotus Labs team at Lumen Technologies in September 2025 found that a chunk of the infected bots under the control of another malware family known as SystemBC were also part of the GoBruteforcer botnet.

Check Point said it identified a more sophisticated version of the Golang malware in mid-2025, packing in a heavily obfuscated IRC bot that’s rewritten in the cross-platform programming language, improved persistence mechanisms, process-masking techniques, and dynamic credential lists. The list of credentials includes a combination of common usernames and passwords (e.g., myuser:Abcd@123 or appeaser:admin123456) that can accept remote logins. The choice of these names is not happenstance, as they have been used in database tutorials and vendor documentation, all of which have been used to train Large language models (LLMs), causing them to produce code snippets with the same default usernames. Some of the other usernames in the list are cryptocurrency-focused (e.g., cryptouser, appcrypto, crypto_app, and crypto) or target phpMyAdmin panels (e.g., root, wordpress, and wpuser).

“The attackers reuse a small, stable password pool for each campaign, refresh per-task lists from that pool, and rotate usernames and niche additions several times a week to pursue different targets,” Check Point said. “Unlike the other services, FTP brute-force uses a small, hardcoded set of credentials embedded in the bruteforcer binary. That built-in set points to web-hosting stacks and default service accounts.” In the activity observed by Check Point, an internet-exposed FTP service on servers running XAMPP is used as an initial access vector to upload a PHP web shell , which is then used to download and execute an updated version of the IRC bot using a shell script based on the system architecture. Once a host is successfully infected, it can serve three different uses - Run the brute-force component to attempt password logins for FTP, MySQL, Postgres, and phpMyAdmin across the internet Host and serve payloads to other compromised systems, or Host IRC-style control endpoints or act as a backup command-and-control (C2) for resilience Further analysis of the campaign has determined that one of the compromised hosts has been used to stage a module that iterates through a list of TRON blockchain addresses and queries balances using the tronscanapi[.]com service to identify accounts with non-zero funds.

This indicates a concerted effort to target blockchain projects. “GoBruteforcer exemplifies a broader and persistent problem: The combination of exposed infrastructure, weak credentials, and increasingly automated tools,” Check Point said. “While the botnet itself is technically straightforward, its operators benefit from the vast number of misconfigured services that remain online.” The disclosure comes as GreyNoise revealed that threat actors are systematically scanning the internet for misconfigured proxy servers that could provide access to commercial LLM services. Of the two campaigns, one has leveraged server-side request forgery (SSRF) vulnerabilities to target Ollama’s model pull functionality and Twilio SMS webhook integrations between October 2025 and January 2026.

Based on the use of ProjectDiscovery’s OAST infrastructure, it’s posited that the activity likely originates from security researchers or bug bounty hunters. The second set of activity, starting December 28, 2025, is assessed to be a high-volume enumeration effort to identify exposed or misconfigured LLM endpoints associated with Alibaba, Anthropic, DeepSeek, Google, Meta, Mistral, OpenAI, and xAI. The scanning originated from IP addresses 45.88.186[.]70 and 204.76.203[.]125. “Starting December 28, 2025, two IPs launched a methodical probe of 73+ LLM model endpoints,” the threat intelligence firm said .

“In eleven days, they generated 80,469 sessions – systematic reconnaissance hunting for misconfigured proxy servers that might leak access to commercial APIs.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Anthropic Launches Claude AI for Healthcare with Secure Health Record Access

Anthropic has become the latest Artificial intelligence (AI) company to announce a new suite of features that allows users of its Claude platform to better understand their health information. Under an initiative called Claude for Healthcare , the company said U.S. subscribers of Claude Pro and Max plans can opt to give Claude secure access to their lab results and health records by connecting to HealthEx and Function , with Apple Health and Android Health Connect integrations rolling out later this week via its iOS and Android apps. “When connected, Claude can summarize users’ medical history, explain test results in plain language, detect patterns across fitness and health metrics, and prepare questions for appointments,” Anthropic said .

“The aim is to make patients’ conversations with doctors more productive, and to help users stay well-informed about their health.” The development comes merely days after OpenAI unveiled ChatGPT Health as a dedicated experience for users to securely connect medical records and wellness apps and get personalized responses, lab insights, nutrition advice, and meal ideas. The company also pointed out that the integrations are private by design, and users can explicitly choose the kind of information they want to share with Claude and disconnect or edit Claude’s permissions at any time. As with OpenAI, the health data is not used to train its models. The expansion comes amid growing scrutiny over whether AI systems can avoid offering harmful or dangerous guidance.

Recently, Google stepped in to remove some of its AI summaries after they were found providing inaccurate health information. Both OpenAI and Anthropic have emphasized that their AI offerings can make mistakes and are not substitutes for professional healthcare advice. In the Acceptable Use Policy, Anthropic notes that a qualified professional in the field must review the generated outputs “prior to dissemination or finalization” in high-risk use cases related to healthcare decisions, medical diagnosis, patient care, therapy, mental health, or other medical guidance. “Claude is designed to include contextual disclaimers, acknowledge its uncertainty, and direct users to healthcare professionals for personalized guidance,” Anthropic said.

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Researchers Uncover Service Providers Fueling Industrial-Scale Pig Butchering Fraud

Cybersecurity researchers have shed light on two service providers that supply online criminal networks with the necessary tools and infrastructure to fuel the pig butchering-as-a-service (PBaaS) economy. At least since 2016, Chinese-speaking criminal groups have erected industrial-scale scam centers across Southeast Asia, creating special economic zones that are devoted to fraudulent investment and impersonation operations. These compounds are host to thousands of people who are lured with the promise of high-paying jobs, only to have their passports and be forced to conduct scams under the threat of violence. INTERPOL has characterized these networks as human trafficking-fuelled fraud on an industrial scale.

One of the crucial drivers of the pig butchering (aka romance baiting) scams is service providers who supply the networks with all the tools to run and manage social engineering operations, as well as swiftly launder stolen funds and cryptocurrencies and move ill-gotten proceeds to accounts that cannot be reached by law enforcement. “Large scam compounds such as the Golden Triangle Economic Zone (GTSEZ) are now using ready-made applications and templates from PBaaS providers,” Infoblox said in a report published last week. “Compounding the situation further, what once required technical expertise, or an outlay for physical infrastructure, can now be purchased as an off-the-shelf service offering everything from stolen identities and front companies to turnkey scam platforms and mobile apps, dramatically lowering the barrier to entry.” These services have been found to offer full packages and fraud kits that set the groundwork for launching scalable online scam operations without much effort. One such threat actor is Penguin Account Store, which also goes by the names Heavenly Alliance and Overseas Alliance.

Penguin operates under a crimeware-as-a-service (CaaS) model, advertising fraud kits, scam templates, and “shè gōng kù” datasets comprising stolen personal information belonging to Chinese citizens. The group also peddles account data from various popular so-called media platforms like Twitter, Tinder, YouTube, Snapchat, Facebook, Instagram, Apple Music, OpenAI ChatGPT, Spotify, and Netflix, among others. It’s believed that these credentials are likely obtained through information-stealing logs sold on the dark web. But it’s presently not known if they operate the stealers themselves or whether they are merely acting as a broker of stolen data for other threat actors.

Prices for pre-registered social media accounts start from just $0.10 and go up in value depending on the date of registration and authenticity. Also provided by Penguin are bulk pre-registered SIM cards, stolen social media accounts, 4G or 5G routers, IMSI catchers, and packages of stolen pictures (aka character sets) that are used to entrap victims. Besides these, the threat actor has developed a Social Customer Relationship Management (SCRM) platform dubbed SCRM AI to allow scam operators to facilitate automated victim engagement on social media. “The threat actor also advertises BCD Pay, a payment processing platform.

BCD Pay, which links directly to the Bochuang Guarantee (博创担保自), is an anonymous peer-to-peer (P2P) solution à la HuiOne , with deep roots in the illegal online gambling space.” A second service category that’s central to the PBaaS economy is customer relationship management (CRM) platforms, which provide centralized control over several individual agents. UWORK, a seller of content and agent management tools, provides pre-made templates for creating investment scam websites. Many a scam offering also claims to have integration with legitimate trading platforms like MetaTrader to lend the sites a veneer of trust by displaying real-time financial information. These websites also come fitted with a Know Your Customer (KYC) panel that requires victims to upload proof of their identity.

The websites’ settings are configured by an administrator through a dedicated panel, granting them a high-level view of the entire operation, along with the ability to create profiles for agents, who likely interface with the victims. Panel to add a new victim account and assign them a direct agent “The admin panel offers everything needed to run a pig butchering operation. Multiple email templates, user management, agent management, profitability metrics, as well as chat and email records,” Infoblox said. “The management of agents is very complex, and agents can even be affiliates of one another.” PBaaS suppliers have also been found to provide mobile applications for Android and iOS by distributing them in the form of APK files and enrolling a limited number of Apple devices into a testing program in order to bypass app store controls.

Some threat actors have taken it a step further, opting to release such apps directly on app marketplaces while concealing their functionality by masquerading as seemingly harmless news apps. The trading panel is displayed only when a user enters a specific password in the search bar. Website templates that include hosting can cost as little as $50. A complete pack, including a website with admin access, VPS hosting, mobile app, access to a trading platform, front company incorporation in a tax haven to mask their activities, and registration with the relevant local financial regulator, can start at around $2,500.

“Sophisticated Asian crime syndicates have created a global shadow economy from their safe havens in Southeast Asia,” researchers Maël Le Touz and John Wòjcik said. “PBaaS provides the mechanisms to scale an operation with relatively little effort and cost.” Parked Domains as a Conduit for Scams and Malware The disclosure comes against the backdrop of a new study from the DNS threat intelligence firm, finding that the vast majority of parked domains – domain names that are mostly expired or dormant, or common misspellings of popular websites (aka typosquatting) – are being used to redirect visitors to sites that serve scams and malware. Infoblox revealed that visitors to a typosquat of the legitimate domain belonging to a financial institution from a virtual private network (VPN) are shown a normal parking page, but are redirected to scam or malware sites if they are visiting from a residential IP address. The parked pages, for their part, send visitors through a redirect chain, while simultaneously profiling their system using IP geolocation, device fingerprinting, and cookies to determine where to redirect them.

“In large scale experiments, we found that over 90% of the time, visitors to a parked domain would be directed to illegal content, scams, scareware and anti-virus software subscriptions, or malware, as the ‘click’ was sold from the parking company to advertisers, who often resold that traffic to yet another party,” the company said . “None of this displayed content was related to the domain name we visited.” Malicious Evilginx AitM Infrastructure Drives Credential Harvesting In recent months, it has also emerged that threat actors are leveraging an adversary-in-the-middle (AitM) phishing toolkit named Evilginx in attacks targeting at least 18 universities and educational institutions across the U.S. since April 12, 2025, with an aim to steal login credentials and session cookies. As many as 67 domains have been identified as linked to the activity.

“The low detection rates across the cybersecurity community highlight how effective Evilginx’s evasion techniques have become,” Infoblox said . “Recent versions, such as Evilginx Pro, add features that make detection even harder.” “These include default use of wildcard TLS certificates, bot filtering through advanced fingerprinting like JA4, decoy web pages, improved integration with DNS providers (e.g., Cloudflare, DigitalOcean), multi-domain support for phishlets, and JavaScript obfuscation. As Evilginx continues to mature, identifying its phishing URLs will only become more challenging.” Fraudulent Gambling Network Shows Signs of APT Operation Last month, researchers from security firm Malanta disclosed details of a sprawling infrastructure spanning more than 328,000 domains and subdomains, including over 236,000 gambling-related domains, that has been active since at least 2011 and is likely a dual operation run by a nation-state-sponsored group targeting victims in the U.S., Europe, and Southeast Asia. The network, primarily used to target Indonesian-speaking visitors, is assessed to be part of a larger operation that includes thousands of gambling domains, malicious Android applications, hijacking of domains and subdomains hosted on cloud services, and stealth infrastructure embedded inside enterprise and government websites worldwide, researchers Yinon Azar, Noam Yitzhack, Tzur Leibovitz, and Assaf Morag said.

“Blending illegal gambling, SEO manipulation, malware distribution, and highly persistent takeover techniques, this campaign represents one of the largest and most complex Indonesian-speaking, well-funded, state-sponsored-level ecosystems observed to date,” Malanta said . The activity involves systematic exploitation of WordPress, PHP components, dangling DNS, and expired cloud assets to hijack and weaponize trusted domains. The infrastructure has also been found to power a massive Android malware ecosystem hosted on Amazon Web Services (AWS) S3 buckets to distribute APK droppers with command-and-control (C2) and data-theft capabilities. The threat actors behind the scheme rely on social media and instant messaging platforms to advertise the gambling sites and direct users to install the Android apps.

As many as 7,700 domains have been flagged containing links to at least 20 AWS S3 buckets staging the APK files (e.g., “jayaplay168.apk” or “1poker-32bit.apk”). Some aspects of the 14-year-old operation were previously highlighted by Imperva and Sucuri , with the latter tracking it as an online casino spam campaign dubbed Slot Gacor that was found hijacking existing pages on compromised WordPress websites by replacing them with casino spam pages. The longevity of the infrastructure, combined with the scale and sophistication, has raised the possibility that it’s maintained by an Advanced Persistent Threat (APT) that is deeply embedded in the Indonesian cybercrime ecosystem while actively exploiting governmental virtual assets worldwide. Found this article interesting?

MuddyWater Launches RustyWater RAT via Spear-Phishing Across Middle East Sectors

The Iranian threat actor known as MuddyWater has been attributed to a spear-phishing campaign targeting diplomatic, maritime, financial, and telecom entities in the Middle East with a Rust-based implant codenamed RustyWater . “The campaign uses icon spoofing and malicious Word documents to deliver Rust based implants capable of asynchronous C2, anti-analysis, registry persistence, and modular post-compromise capability expansion,” CloudSEK resetter Prajwal Awasthi said in a report published this week. The latest development reflects continued evolution of MuddyWater’s tradecraft, which has gradually-but-steadily reduced its reliance on legitimate remote access software as a post-exploitation tool in favor of a diverse custom malware arsenal comprising tools like Phoenix, UDPGangster , BugSleep (aka MuddyRot), and MuddyViper . Also tracked as Mango Sandstorm, Static Kitten, and TA450, the hacking group is assessed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS).

It’s been operational since at least 2017. Attack chains distributing RustyWater are fairly straightforward: spear-phishing emails masquerading as cybersecurity guidelines come attacked with a Microsoft Word document that, when opened, instructs the victim to “ Enable content “ so as to activate the execution of a malicious VBA macro that’s responsible for deploying the Rust implant binary. Also referred to as Archer RAT and RUSTRIC, RustyWater gathers victim machine information, detects installed security software, sets up persistence by means of a Windows Registry key, and establishes contact with a command-and-control (C2) server (“nomercys.it[.]com”) to facilitate file operations and command execution. It’s worth noting that use of RUSTRIC was flagged by Seqrite Labs late last month as part of attacks targeting Information Technology (IT), Managed Service Providers (MSPs), human resources, and software development companies in Israel.

The activity is being tracked by the cybersecurity company under the names UNG0801 and Operation IconCat. “Historically, MuddyWater has relied on PowerShell and VBS loaders for initial access and post-compromise operations,” CloudSEK said. “The introduction of Rust-based implants represents a notable tooling evolution toward more structured, modular, and low noise RAT capabilities.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Europol Arrests 34 Black Axe Members in Spain Over €5.9M Fraud and Organized Crime

Europol on Friday announced the arrest of 34 individuals in Spain who are alleged to be part of an international criminal organization called Black Axe . As part of an operation conducted by the Spanish National Police, in coordination with the Bavarian State Criminal Police Office and Europol, 28 arrests were made in Seville, along with three others in Madrid, two in Málaga, and one in Barcelona. “The criminal network is known for its involvement in a wide range of criminal activities, including cyber-enabled fraud, drug trafficking, human trafficking and prostitution, kidnapping, armed robbery and fraudulent spiritual practices,” Europol said in a statement. It’s estimated that the criminal network is responsible for fraud resulting in damages exceeding €5.93 million ($6.9 million).

In addition to the arrests, authorities have frozen €119,352 ($138,935) in bank accounts and seized €66,403 ($77,290) in cash during house searches. Black Axe is assessed to be a hierarchical criminal group that had its origins in Nigeria in 1977 before spreading to dozens of countries across the world. The organization is said to have about 30,000 registered members, and other affiliates such as money mules and facilitators. In a report published in late 2022, INTERPOL announced the arrests of 75 individuals associated with the syndicate for defrauding victims of millions as part of a law enforcement effort codenamed Operation Jackal.

The “violent mafia-style gang” has been attributed to a laundry list of cyber-enabled activities, including business email compromise schemes, romance scams, inheritance scams, credit card fraud, tax fraud, advance payment scams, and money laundering, that facilitate financial fraud. In July 2024, INTERPOL said it had confiscated more than $5 million in assets, cryptocurrencies, and luxury items in two subsequent operations . These efforts also led to over 400 arrests and the identification of thousands of additional suspects. “Black Axe is one of the most prominent West African transnational organized crime syndicates, with operations in cyber fraud, human trafficking, drug smuggling, and violent crimes both within Africa and globally,” the agency noted at the time.

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines

Chinese-speaking threat actors are suspected to have leveraged a compromised SonicWall VPN appliance as an initial access vector to deploy a VMware ESXi exploit that may have been developed as far back as February 2024. Cybersecurity firm Huntress, which observed the activity in December 2025 and stopped it before it could progress to the final stage, said it may have resulted in a ransomware attack. Most notably, the attack is believed to have exploited three VMware vulnerabilities that were disclosed as zero-days by Broadcom in March 2025: CVE-2025-22224 (CVSS score: 9.3), CVE-2025-22225 (CVSS score: 8.2), and CVE-2025-22226 (CVSS score: 7.1). Successful exploitation of the issue could permit a malicious actor with admin privileges to leak memory from the Virtual Machine Executable (VMX) process or execute code as the VMX process.

That same month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaws to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. “The toolkit analyzed […] also includes simplified Chinese strings in its development paths, including a folder named ‘全版本逃逸–交付’ (translated: ‘All version escape - delivery’), and evidence suggesting it was potentially built as a zero-day exploit over a year before VMware’s public disclosure, pointing to a well-resourced developer likely operating in a Chinese-speaking region,” researchers Anna Pham and Matt Anderson said. The assessment that the toolkit weaponizes the three VMware shortcomings is based on the exploit’s behavior, its use of Host-Guest File System (HGFS) for information leaking, Virtual Machine Communication Interface (VMCI) for memory corruption, and shellcode that escapes to the kernel, the company added.

The toolkit involves multiple components, chief among them being “exploit.exe” (aka MAESTRO), which acts as the orchestrator for the entire virtual machine (VM) escape by making use of the following embedded binaries - devcon.exe, to disable VMware’s guest-side VMCI drivers MyDriver.sys, an unsigned kernel driver containing the exploit that’s loaded into kernel memory using an open-source tool called Kernel Driver Utility ( KDU ), following which the exploit status is monitored and the VMCI drivers are re-enabled VM Escape exploitation flow The driver’s main responsibility is to identify the exact ESXi version running on the host and trigger an exploit for CVE-2025-22226 and CVE-2025-22224, ultimately allowing the attacker to write three payloads directly into VMX’s memory - Stage 1 shellcode, to prepare the environment for the VMX sandbox escape Stage 2 shellcode, to establish a foothold on the ESXi host VSOCKpuppet, a 64-bit ELF backdoor that provides persistent remote access to the ESXi host and communicates over VSOCK (Virtual Sockets) port 10000 “After writing the payloads, the exploit overwrites a function pointer inside VMX,” Huntress explained. “It first saves the original pointer value, then overwrites it with the address of the shellcode. The exploit then sends a VMCI message to the host to trigger VMX.” VSOCK communication protocol between client.exe and VSOCKpuppet “When VMX handles the message, it follows the corrupted pointer and jumps to the attacker’s shellcode instead of legitimate code. This final stage corresponds to CVE-2025-22225, which VMware describes as an ‘arbitrary write vulnerability’ that allows ‘escaping the sandbox.’” Because VSOCK offers a direct communication pathway between guest VMs and the hypervisor, the threat actors have been found to employ a “client.exe” (aka GetShell Plugin) that can be used from any guest Windows VM on the compromised host and send commands back up to the compromised ESXi and interact with the backdoor.

The PDB path embedded in the binary reveals it may have been developed in November 2023. The client supports the ability to download files from ESXi to the VM, upload files from the VM to ESXi, and execute shell commands on the hypervisor. Interestingly, the GetShell Plugin is dropped to the Windows VM in the form of a ZIP archive (“Binary.zip”), which also includes a README file with usage instructions, giving an insight into its file transfer and command execution features. It’s currently not clear who is behind the toolkit, but the use of simplified Chinese, coupled with the sophistication of the attack chain and the abuse of zero-day vulnerabilities months before public disclosure, likely points to a well-resourced developer operating in a Chinese-speaking region, theorized Huntress.

“This intrusion demonstrates a sophisticated, multi-stage attack chain designed to escape virtual machine isolation and compromise the underlying ESXi hypervisor,” the company added. “By chaining an information leak, memory corruption, and sandbox escape, the threat actor achieved what every VM administrator fears: full control of the hypervisor from within a guest VM.” “The use of VSOCK for backdoor communication is particularly concerning, as it bypasses traditional network monitoring entirely, making detection significantly harder. The toolkit also prioritizes stealth over persistence.” Pham, a senior tactical response analyst at Huntress, told The Hacker News that there is no evidence to suggest that the toolkit was advertised or sold on dark web forums, adding that it was deployed in a targeted manner. “However, given the presence of a README file with operational instructions, the toolkit was clearly designed for distribution beyond the original developer,” Pham said.

“We assess with high confidence that the toolkit is being sold privately by a Chinese-speaking developer, likely through private channels or closed groups rather than public underground markets.” “The targeted nature of observed deployments suggests the toolkit may be distributed selectively to vetted buyers rather than broadly commercialized, consistent with higher-end offensive tooling that operators prefer to keep out of widespread propagation to avoid detection signature development.” (The story was updated after publication to include additional commentary from Huntress.) Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Russian APT28 Runs Credential-Stealing Campaign Targeting Energy and Policy Organizations

Russian state-sponsored threat actors have been linked to a fresh set of credential harvesting attacks targeting individuals associated with a Turkish energy and nuclear research agency, as well as staff affiliated with a European think tank and organizations in North Macedonia and Uzbekistan. The activity has been attributed to APT28 (aka BlueDelta), which was tied to a “sustained” credential-harvesting campaign targeting users of UKR[.]net last month. APT28 is associated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). “The use of Turkish-language and regionally targeted lure material suggests that BlueDelta tailored its content to increase credibility among specific professional and geographic audiences,” Recorded Future’s Insikt Group said .

“These selections reflect a continued interest in organizations connected to energy research, defense cooperation, and government communication networks relevant to Russian intelligence priorities.” The cybersecurity company described the attacks as targeting a small but distinct set of victims in February and September 2025, with the campaign leveraging fake login pages that were styled to resemble popular services like Microsoft Outlook Web Access (OWA), Google, and Sophos VPN portals. The efforts are noteworthy for the fact that unsuspecting users are redirected to the legitimate sites after the credentials are entered on the bogus landing pages, thereby avoiding raising any red flags. The campaigns have also been found to lean heavily on services like Webhook[.]site, InfinityFree, Byet Internet Services, and ngrok to host the phishing pages, exfiltrate stolen data, and enable redirections. In a further attempt to lend them a veneer of legitimacy, the threat actors are said to have used legitimate PDF lure documents, including a publication from the Gulf Research Center related to the June 2025 Iran-Israel war and a July 2025 policy briefing calling for a new pact for the Mediterranean released by climate change think tank ECCO.

The attack chain starts with a phishing email containing a shortened link that, when clicked, redirects victims to another link hosted on webhook[.]site, which briefly displays the decoy document for about two seconds before redirecting to a second webhook[.]site that hosts a spoofed Microsoft OWA login page. Present within this page is a hidden HTML form element that stores the webhook[.]site URL and uses JavaScript to send a “page opened” beacon, transmit the submitted credentials to the webhook endpoint, and ultimately redirect back to the PDF hosted on the actual website. APT28 has also been observed conducting three other campaigns - A June 2025 campaign that deployed a credential-harvesting page mimicking a Sophos VPN password reset page hosted on infrastructure provided by InfinityFree to harvest credentials entered into the form and redirect victims to a legitimate Sophos VPN portal belonging to an unnamed E.U. think tank A September 2025 campaign that used credential-harvesting pages hosted on InfinityFree domains to falsely warn users of expired passwords to trick them into entering their credentials and redirect to a legitimate login page associated with a military organization in the Republic of North Macedonia and an IT integrator based in Uzbekistan An April 2025 campaign that used a fake Google password reset page hosted on Byet Internet Services to gather victims’ credentials and exfiltrate them to an ngrok URL “BlueDelta’s consistent abuse of legitimate internet service infrastructure demonstrates the group’s continued reliance on disposable services to host and relay credential data,” the Mastercard-owned company said.

“These campaigns underscore the GRU’s sustained commitment to credential harvesting as a low-cost, high-yield method of collecting information that supports Russian intelligence objectives.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Cybersecurity Predictions 2026: The Hype We Can Ignore (And the Risks We Can’t)

As organizations plan for 2026, cybersecurity predictions are everywhere. Yet many strategies are still shaped by headlines and speculation rather than evidence. The real challenge isn’t a lack of forecasts—it’s identifying which predictions reflect real, emerging risks and which can safely be ignored. An upcoming webinar hosted by Bitdefender aims to cut through the noise with a data-driven outlook on where organizations are already falling short, and what those failures signal for the year ahead.

Rather than speculative scenarios, the session focuses on threats that are actively reshaping the attack landscape today. The webinar examines the convergence of three major trends. First, ransomware is evolving beyond opportunistic attacks toward targeted disruptions designed to maximize operational and business impact. Second, the rapid and often uncontrolled adoption of AI within organizations is creating an internal security crisis, eroding traditional perimeter assumptions and expanding risk from within.

Third, the webinar covers a topic of significant concern and the focus of many media stories: are attackers using AI-orchestrated, adaptive attacks? Bitdefender experts will cover why there is still a good reason to be skeptical about this capability in the near-term. These developments highlight a growing gap between popular cybersecurity predictions and the risks that should genuinely influence security strategy. Backed by research and real-world data, the webinar helps security and IT leaders differentiate sensational headlines from actionable, evidence-based predictions .

Attendees will learn how informed predictions can justify security investment based on real risk, how to update defenses ahead of emerging attack techniques before they become widespread, and how to translate technical threat research into clear, business-relevant priorities. Register for the Bitdefender webinar to gain a practical, research-backed view of the cybersecurity predictions that should define your security strategy for 2026. Found this article interesting? This article is a contributed piece from one of our valued partners.

Trend Micro Apex Central RCE Flaw Scores 9.8 CVSS in On-Prem Windows Versions

Trend Micro has released security updates to address multiple security vulnerabilities impacting on-premise versions of Apex Central for Windows, including a critical bug that could result in arbitrary code execution. The vulnerability, tracked as CVE-2025-69258 , carries a CVSS score of 9.8 out of a maximum of 10.0. The vulnerability has been described as a case of remote code execution affecting LoadLibraryEX. “A LoadLibraryEX vulnerability in Trend Micro Apex Central could allow an unauthenticated remote attacker to load an attacker-controlled DLL into a key executable, leading to execution of attacker-supplied code under the context of SYSTEM on affected installations,” the cybersecurity company said.

Also patched by Trend Micro are two other flaws - CVE-2025-69259 (CVSS score: 7.5) - A message unchecked NULL return value vulnerability in Trend Micro Apex Central could allow a remote, unauthenticated attacker to create a denial-of-service condition on affected installations CVE-2025-69260 (CVSS score: 7.5) - A message out-of-bounds read vulnerability in Trend Micro Apex Central could allow a remote, unauthenticated attacker to create a denial-of-service condition on affected installations Tenable, which is credited with identifying and reporting all three flaws in August 2025, said an attacker can exploit CVE-2025-69258 by sending a message “0x0a8d” (“SC_INSTALL_HANDLER_REQUEST”) to the MsgReceiver.exe component, causing a DLL under their control to be loaded into the binary, resulting in code execution with elevated privileges. Similarly, CVE-2025-69259 and CVE-2025-69260 can also be triggered by sending a specially crafted message “0x1b5b” (“SC_CMD_CGI_LOG_REQUEST”) to the MsgReceiver.exe process, which listens on the default TCP port 20001. The issues impact Apex Central on-premise versions below Build 7190. Trend Micro noted that successful exploitation hinges on an attacker already having physical or remote access to a vulnerable endpoint.

“In addition to timely application of patches and updated solutions, customers are also advised to review remote access to critical systems and ensure policies and perimeter security are up-to-date,” it added. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

CISA Retires 10 Emergency Cybersecurity Directives Issued Between 2019 and 2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday said it’s retiring 10 emergency directives (Eds) that were issued between 2019 and 2024. The list of the directives now considered closed is as follows - ED 19-01: Mitigate DNS Infrastructure Tampering ED 20-02: Mitigate Windows Vulnerabilities from January 2020 Patch Tuesday ED 20-03: Mitigate Windows DNS Server Vulnerability from July 2020 Patch Tuesday ED 20-04: Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday ED 21-01: Mitigate SolarWinds Orion Code Compromise ED 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities ED 21-03: Mitigate Pulse Connect Secure Product Vulnerabilities ED 21-04: Mitigate Windows Print Spooler Service Vulnerability ED 22-03: Mitigate VMware Vulnerabilities ED 24-02: Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System Stating that these directives were issued with an intent to safeguard Federal Civilian Executive Branch (FCEB) agencies from potential risks, CISA said it worked closely with federal agencies to remediate them, incorporate best practices, and establish a more resilient digital infrastructure. CISA also said such directives are published to ensure that emerging threats are mitigated in a timely manner, adding required actions have been either successfully implemented or are now enforced through Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities .

“As the operational lead for federal cybersecurity, CISA leverages its authorities to strengthen federal systems and defend against unacceptable risks, especially those related to hostile nation-state actors,” said CISA Acting Director Madhu Gottumukkala. “The closure of these ten Emergency Directives reflects CISA’s commitment to operational collaboration across the federal enterprise. “Every day, CISA’s exceptional team works collaboratively with partners to eliminate persistent access, counter emerging threats, and deliver real-time mitigation guidance. Looking ahead, CISA continues to advance Secure by Design principles – prioritizing transparency, configurability, and interoperability - so every organization can better defend their diverse environments.” Found this article interesting?

FBI Warns North Korean Hackers Using Malicious QR Codes in Spear-Phishing

The U.S. Federal Bureau of Investigation (FBI) on Thursday released an advisory warning of North Korean state-sponsored threat actors leveraging malicious QR codes in spear-phishing campaigns targeting entities in the country. “As of 2025, Kimsuky actors have targeted think tanks, academic institutions, and both U.S. and foreign government entities with embedded malicious Quick Response (QR) codes in spear-phishing campaigns,” the FBI said in the flash alert.

“This type of spear-phishing attack is referred to as quishing.” The use of QR codes for phishing is a tactic that forces victims to shift from a machine that’s secured by enterprise policies to a mobile device that may not offer the same level of protection, effectively allowing threat actors to bypass traditional defenses. Kimsuky, also tracked as APT43, Black Banshee, Emerald Sleet, Springtail, TA427, and Velvet Chollima, is a threat group that’s assessed to be affiliated with North Korea’s Reconnaissance General Bureau (RGB). It has a long history of orchestrating spear-phishing campaigns that are specifically designed to subvert email authentication protocols. In a bulletin released in May 2024, the U.S.

government called out the hacking crew for exploiting improperly configured Domain-based Message Authentication, Reporting, and Conformance (DMARC) record policies to send emails that look like they’ve come from a legitimate domain. The FBI said it observed the Kimsuky actors utilizing malicious QR codes as part of targeted phishing efforts several times in May and June 2025 - Spoofing a foreign advisor in emails requesting insight from a think tank leader regarding recent developments on the Korean Peninsula by scanning a QR code to access a questionnaire Spoofing an embassy employee in emails requesting input from a senior fellow at a think tank about North Korean human rights issues, along with a QR code that claimed to provide access to a secure drive Spoofing a think tank employee in emails with a QR code that’s designed to take the victim to infrastructure under their control for follow-on activity Sending emails to a strategic advisory firm, inviting them to a non-existent conference by urging the recipients to scan a QR code to redirect them to a registration landing page that’s designed to harvest their Google account credentials by using a fake login page The disclosure comes less than a month after ENKI revealed details of a QR code campaign conducted by Kimsuky to distribute a new variant of Android malware called DocSwap in phishing emails mimicking a Seoul-based logistics firm. “Quishing operations frequently end with session token theft and replay, enabling attackers to bypass multi-factor authentication and hijack cloud identities without triggering typical ‘MFA failed’ alerts,” the FBI said. “Adversaries then establish persistence in the organization and propagate secondary spear-phishing from the compromised mailbox.” “Because the compromise path originates on unmanaged mobile devices outside normal Endpoint Detection and Response (EDR) and network inspection boundaries, quishing is now considered a high-confidence, MFA-resilient identity intrusion vector in enterprise environments.” Found this article interesting?

WhatsApp Worm Spreads Astaroth Banking Trojan Across Brazil via Contact Auto-Messaging

Cybersecurity researchers have disclosed details of a new campaign that uses WhatsApp as a distribution vector for a Windows banking trojan called Astaroth in attacks targeting Brazil. The campaign has been codenamed Boto Cor-de-Rosa by Acronis Threat Research Unit. “The malware retrieves the victim’s WhatsApp contact list and automatically sends malicious messages to each contact to further spread the infection,” the cybersecurity company said in a report shared with The Hacker News. “While the core Astaroth payload remains written in Delphi and its installer relies on Visual Basic script, the newly added WhatsApp-based worm module is implemented entirely in Python, highlighting the threat actors’ growing use of multi-language modular components.” Astaroth, also called Guildma, is a banking malware that has been detected in the wild since 2015, primarily targeting users in Latin America, notably Brazil, to facilitate data theft.

In 2024, two different threat clusters tracked as PINEAPPLE and Water Makara were observed leveraging phishing emails to propagate the malware. The use of WhatsApp as a delivery vehicle for banking trojans is a new tactic that has gained traction among threat actors targeting Brazilian users, a move fueled by the widespread use of the messaging platform in the country. Last month, Trend Micro detailed Water Saci’s reliance on WhatsApp to spread Maverick and a variant of Casbaneiro. Sophos, in a report published in November 2025, said it’s tracking a multi-stage malware distribution campaign codenamed STAC3150 targeting WhatsApp users in Brazil with Astaroth.

More than 95% of the impacted devices were located in Brazil, with the remaining infections scattered across the U.S. and Austria. The activity, active since at least September 24, 2025, delivers ZIP archives containing a downloader script that retrieves a PowerShell or Python script to collect WhatsApp user data for further propagation, along with an MSI installer that deploys the trojan. The latest findings from Acronis is a continuation of this trend, where ZIP files distributed through WhatsApp messages act as a jumping-off point for the malware infection.

“When the victim extracts and opens the archive, they encounter a Visual Basic Script disguised as a benign file,” the cybersecurity company said. “Executing this script triggers the download of the next-stage components and marks the beginning of the compromise.” This includes two modules - A Python-based propagation module that gathers the victim’s WhatsApp contacts and automatically forwards a malicious ZIP file to each of them, effectively leading to the spread of the malware in a worm-like manner A banking module that operates in the background and continuously monitors a victim’s web browsing activity, and activates when banking-related URLs are visited to harvest credentials and enable financial gain “The malware author also implemented a built-in mechanism to track and report propagation metrics in real time,” Acronis said. “The code periodically logs statistics such as the number of messages successfully delivered, the number of failed attempts, and the sending rate measured in messages per minute.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.