2026-01-23 AI创业新闻

New Osiris Ransomware Emerges as New Strain Using POORTRY Driver in BYOVD Attack

Cybersecurity researchers have disclosed details of a new ransomware family called Osiris that targeted a major food service franchisee operator in Southeast Asia in November 2025. The attack leveraged a malicious driver called POORTRY as part of a known technique referred to as bring your own vulnerable driver (BYOVD) to disarm security software, the Symantec and Carbon Black Threat Hunter Team said. It’s worth noting that Osiris is assessed to be a brand-new ransomware strain, sharing no similarities with another variant of the same name that emerged in December 2016 as an iteration of the Locky ransomware. It’s currently not known who the developers of the locker are, or if it’s advertised as a ransomware-as-a-service (RaaS).

However, the Broadcom-owned cybersecurity division said it identified clues that suggest the threat actors who deployed the ransomware may have been previously associated with INC ransomware (aka Warble). “A wide range of living off the land and dual-use tools were used in this attack, as was a malicious POORTRY driver, which was likely used as part of a bring your own vulnerable driver (BYOVD) attack to disable security software,” the company said in a report shared with The Hacker News. “The exfiltration of data by the attackers to Wasabi buckets, and the use of a version of Mimikatz that was previously used, with the same filename (kaz.exe), by attackers deploying the INC ransomware, point to potential links between this attack and some attacks involving INC.” Described as an “effective encryption payload” that’s likely wielded by experienced attackers, Osiris makes use of a hybrid encryption scheme and a unique encryption key for each file. It’s also flexible in that it can stop services, specify which folders and extensions need to be encrypted, terminate processes, and drop a ransom note.

By default, it’s designed to kill a long list of processes and services related to Microsoft Office, Exchange, Mozilla Firefox, WordPad, Notepad, Volume Shadow Copy, and Veeam, among others. First signs of malicious activity on the target’s network involved the exfiltration of sensitive data using Rclone to a Wasabi cloud storage bucket prior to the ransomware deployment. Also utilized in the attack were a number of dual-use tools like Netscan, Netexec, and MeshAgent, as well as a custom version of the Rustdesk remote desktop software. POORTRY is a little different from traditional BYOVD attacks in that it uses a bespoke driver expressly designed for elevating privileges and terminating security tools, as opposed to deploying a legitimate-but-vulnerable driver to the target network.

“KillAV, which is a tool used to deploy vulnerable drivers for terminating security processes, was also deployed on the target’s network,” the Symantec and Carbon Black Threat Hunter Team noted. “RDP was also enabled on the network, likely to provide the attackers with remote access.” The development comes as ransomware remains a significant enterprise threat, with the landscape constantly shifting as some groups close their doors and others quickly rise from their ashes or move in to take their place. According to an analysis of data leak sites by Symantec and Carbon Black, ransomware actors claimed a total of 4,737 attacks during 2025, up from 4,701 in 2024, a 0.8% increase. The most active players during the past year were Akira (aka Darter or Howling Scorpius), Qilin (aka Stinkbug or Water Galura), Play (aka Balloonfly), INC, SafePay, RansomHub (aka Greenbottle), DragonForce (aka Hackledorb), Sinobi, Rhysida, and CACTUS.

Some of the other notable developments in the space are listed below - Threat actors using the Akira ransomware have leveraged a vulnerable Throttlestop driver , along with the Windows CardSpace User Interface Agent and Microsoft Media Foundation Protected Pipeline, to sideload the Bumblebee loader in attacks observed in mid-to-late 2025. Akira ransomware campaigns have also exploited SonicWall SSL VPNs to breach small- to medium-sized business environments during mergers and acquisitions and ultimately obtain access to the bigger, acquiring enterprises. Another Akira attack has been found to leverage ClickFix -style CAPTCHA verification lures to drop a .NET remote access trojan called SectopRAT , which serves as a conduit for remote control and ransomware delivery. LockBit (aka Syrphid), which partnered with DragonForce and Qilin in October 2025, has continued to maintain its infrastructure despite a law enforcement operation to shut down its operations in early 2024.

It has also released variants of LockBit 5.0 targeting multiple operating systems and virtualization platforms. A significant update to LockBit 5.0 is the introduction of a two-stage ransomware deployment model that separates the loader from the main payload, while simultaneously maximizing evasion, modularity, and destructive impact. A new RaaS operation dubbed Sicarii has claimed only one victim since it first surfaced in late 2025. While the group explicitly identifies itself as Israeli/Jewish, analysis has uncovered that underground online activity is primarily carried out in Russian and that the Hebrew content shared by the threat actor contains grammatical and semantic errors.

This has raised the possibility of a false flag operation. Sicarii’s primary Sicarii operator uses the Telegram account “@Skibcum.” The threat actor known as Storm-2603 (aka CL-CRI-1040 or Gold Salem) has been observed leveraging the legitimate Velociraptor digital forensics and incident response (DFIR) tool as part of precursor activity leading to the deployment of Warlock, LockBit, and Babuk ransomware. The attacks have also utilized two drivers (“rsndispot.sys” and “kl.sys”) along with “vmtools.exe” to disable security solutions using a BYOVD attack. Entities in India, Brazil, and Germany have been targeted by Makop ransomware attacks that exploit exposed and insecure RDP systems to stage tools for network scanning, privilege escalation, disabling security software, credential dumping, and ransomware deployment.

The attacks, besides using “hlpdrv.sys” and “ThrottleStop.sys” drivers for BYOVD attacks, also deploy GuLoader to deliver the ransomware payload. This is the first documented case of Makop being distributed via a loader. Ransomware attacks have also obtained initial access using already-compromised RDP credentials to perform reconnaissance, privilege escalation, lateral movement via RDP, followed by exfiltrating data to temp[.]sh on day six of the intrusion and deploying Lynx ransomware three days later. A security flaw in the encryption process associated with the Obscura ransomware has been found to render large files unrecoverable.

“When it encrypts large files, it fails to write the encrypted temporary key to the file’s footer,” Coveware said. “For files over 1GB, that footer is never created at all — which means the key needed for decryption is lost. These files are permanently unrecoverable.” A new ransomware family named 01flip has targeted a limited set of victims in the Asia-Pacific region. Written in Rust, the ransomware can target both Windows and Linux systems.

Attack chains involve the exploitation of known security vulnerabilities (e.g., CVE-2019-11580) to obtain a foothold into target networks. It has been attributed to a financially motivated threat actor known as CL-CRI-1036. To protect against targeted attacks, organizations are advised to monitor the use of dual-use tools, restrict access to RDP services, enforce multi-factor authentication (2FA), use application allowlisting where applicable, and implement off-site storage of backup copies. “While attacks involving encrypting ransomware remain as prevalent as ever and still pose a threat, the advent of new types of encryptionless attacks adds another degree of risk, creating a wider extortion ecosystem of which ransomware may become just one component,” Symantec and Carbon Black said .

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

A critical security flaw has been disclosed in the GNU InetUtils telnet daemon ( telnetd ) that went unnoticed for nearly 11 years. The vulnerability, tracked as CVE-2026-24061 , is rated 9.8 out of 10.0 on the CVSS scoring system. It affects all versions of GNU InetUtils from version 1.9.3 up to and including version 2.7. “Telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a ‘-f root’ value for the USER environment variable,” according to a description of the flaw in the NIST National Vulnerability Database (NVD).

In a post on the oss-security mailing list, GNU contributor Simon Josefsson said the vulnerability can be exploited to gain root access to a target system - The telnetd server invokes /usr/bin/login (normally running as root) passing the value of the USER environment variable received from the client as the last parameter. If the client supply [sic] a carefully crafted USER environment value being the string “-f root”, and passes the telnet(1) -a or –login parameter to send this USER environment to the server, the client will be automatically logged in as root bypassing normal authentication processes. This happens because the telnetd server do [sic] not sanitize the USER environment variable before passing it on to login(1), and login(1) uses the -f parameter to by-pass normal authentication. Josefsson also noted that the vulnerability was introduced as part of a source code commit made on March 19, 2015, which eventually made it to version 1.9.3 release on May 12, 2015.

Security researcher Kyu Neushwaistein (aka Carlos Cortes Alvarez) has been credited with discovering and reporting the flaw on January 19, 2026. As mitigations, it’s advised to apply the latest patches and restrict network access to the telnet port to trusted clients. As temporary workarounds, users can disable telnetd server, or make the InetUtils telnetd use a custom login(1) tool that does not permit use of the ‘-f’ parameter, Josefsson added. Data gathered by threat intelligence firm GreyNoise shows that 21 unique IP addresses have been observed attempting to execute a remote authentication bypass attack by leveraging the flaw over the past 24 hours.

All the IP addresses, which originate from Hong Kong, the U.S., Japan, the Netherlands, China, Germany, Singapore, and Thailand, have been flagged as malicious. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

ThreatsDay Bulletin: Pixel Zero-Click, Redis RCE, China C2s, RAT Ads, Crypto Scams & 15+ Stories

Most of this week’s threats didn’t rely on new tricks. They relied on familiar systems behaving exactly as designed, just in the wrong hands. Ordinary files, routine services, and trusted workflows were enough to open doors without forcing them. What stands out is how little friction attackers now need.

Some activity focused on quiet reach and coverage, others on timing and reuse. The emphasis wasn’t speed or spectacle, but control gained through scale, patience, and misplaced trust. The stories below trace where that trust bent, not how it broke. Each item is a small signal of a larger shift, best seen when viewed together.

Spear-phishing delivers custom backdoor Operation Nomad Leopard Targets Afghanistan Government entities in Afghanistan have been at the receiving end of a spear-phishing campaign dubbed Operation Nomad Leopard that employs bogus administrative documents as decoys to distribute a backdoor named FALSECUB by means of a GitHub-hosted ISO image file. The campaign was first detected in late December 2025. “The ISO file contains three files,” Seqrite Lab said . “The LNK file, Doc.pdf.lnk, is responsible for displaying the PDF to the victim and executing the payload.

The PDF file, doc.pdf, contains the government-themed lure.” The final payload is a C++ executable that’s capable of receiving commands from an external server. The activity has not been attributed to any specific country or known hacker group. “The campaign appears to be conducted by a regionally focused threat actor with a low-to-moderate sophistication level,” the Indian cybersecurity company added. DoS attacks hit UK services U.K.

Warns of Malicious Activity from Russia-Aligned Hacktivists The U.K. government is warning of continued malicious activity from Russian-aligned hacktivist groups like NoName057(16) targeting critical infrastructure and local government organizations in the country with denial-of-service (DoS) attacks. The end goal of these attacks is to take websites offline and disable access to essential services. “Although DoS attacks are typically low in sophistication, a successful attack can disrupt entire systems, costing organisations significant time, money, and operational resilience by having to analyse, defend against, and recover from them,” the U.K.

National Cyber Security Centre (NCSC) said . Trusted apps load malicious DLLs New Stealer Campaign Uses DLL Side-Loading Trick Google-owned VirusTotal has disclosed details of an information stealer campaign that relies on a trusted executable to trick the operating system into loading a malicious DLL (“CoreMessaging.dll”) payload – a technique called DLL side-loading – leading to the execution of secondary-stage infostealers designed to exfiltrate sensitive data. Both the executable and the DLL are distributed via ZIP archives that mimic installers for legitimate applications like Malwarebytes (e.g., “malwarebytes-windows-github-io-6.98.5.zip”) and other programs. WSL abused without process spawn Windows Subsystem for Linux Beacon Object File Released SpecterOps researcher Daniel Mayer has released a beacon object file ( BOF ) – a compiled C program designed to run within the memory of a post-exploitation agent like Cobalt Strike Beacon – that interacts with the Windows Subsystem for Linux (WSL) by directly invoking the WSL COM service, avoiding process creation for “wsl.exe” entirely and allowing operators to list all installed WSL distributions and execute arbitrary commands on any WSL distribution that the BOF finds.

Ads push covert RAT installers Malicious Ads for File Converters Lead to RATs Cybersecurity researchers have disclosed an active malicious campaign that uses advertisements placed on legitimate websites to lure users into downloading “converter” tools for converting images or documents. These services share a similar website template and go by names like Easy2Convert, ConvertyFile, Infinite Docs, and PowerDoc. Should a user end up attempt to download the program, they are redirected to another domain that actually hosts the C# dropper files. “In the foreground, these tools usually work as promised, so users do not become suspicious,” Nextron Systems said .

“In the background, however, they behave almost identically: they install persistent remote access trojans (RATs) that give the threat actor continuous access to the victim system.” Specifically, the executable is designed to establish persistence using a scheduled task, which points to the main payload, a .NET application that initiates communication with a remote server, executes .NET assemblies received from the server, and sends the results back via an HTTP POST request. Short-lived TLS certs roll out Let’s Encrypt Makes 6-Day Certificates Available Let’s Encrypt said its short-lived TLS certificates with a 6-day lifetime are now generally available. Each certificate is valid for a period of 160 hours from the time it is issued. “Short-lived certificates are opt-in and we have no plan to make them the default at this time.

Subscribers that have fully automated their renewal process should be able to switch to short-lived certificates easily if they wish, but we understand that not everyone is in that position and generally comfortable with this significantly shorter lifetime,” Let’s Encrypt said . To request one, operators must select the “shortlived” profile in their ACME client. Short-lived certificates are opt-in and there are no plans to make them the default at this time, the non-profit certificate authority added. Support tickets abused for spam Zendesk Warns of Spam Campaigns Abusing Support Systems Zendesk has revealed that unsecured support systems are being used to send spam emails .

The attacks take advantage of Zendesk’s ability to allow unverified users to submit support tickets, which then automatically generate confirmation emails that are sent to the email address entered by the attacker. This automated response system is being weaponized to turn the support platform into a delivery vehicle for spam by creating fake tickets. “These emails look like legitimate contacts from companies that use Zendesk to communicate with their customers, and are a spam tactic known as relay spam,” the customer relationship management (CRM) vendor said in an advisory. The company described it as a “potential side effect” that arises when Zendesk is set to allow unverified users to submit requests, adding that it’s actively working to reduce spam and prevent new spam campaigns.

It has also urged customers to remove specific placeholders from first-reply triggers and permit only added users to submit tickets. EU targets high-risk suppliers E.U. Proposes Cybersecurity Rules to Secure Tech Supply Chain The European Commission has proposed new cybersecurity legislation mandating the removal of high-risk suppliers to secure telecommunications networks and strengthen defenses against state-backed and cybercrime groups targeting critical infrastructure. “The new Cybersecurity Act aims to reduce risks in the EU’s ICT supply chain from third-country suppliers with cybersecurity concerns,” the Commission said .

“It sets out a trusted ICT supply chain security framework based on a harmonised, proportionate and risk-based approach. This will enable the E.U. and Member States to jointly identify and mitigate risks across the EU’s 18 critical sectors, considering also economic impacts and market supply.” The revised Cybersecurity Act is also expected to ensure that products and services reaching E.S. consumers are tested for security in a more efficient way through a renewed European Cybersecurity Certification Framework (ECCF).

The amended act will take effect immediately upon approval by the European Parliament and the Council of the E.U. Once adopted, member states have one year to implement the directive into national law. Mass scans probe plugin exposure Large-Scale WordPress Plugin Reconnaissance Activity Spotted Threat intelligence firm GreyNoise has uncovered a large-scale WordPress plugin reconnaissance activity aimed at enumerating potentially vulnerable sites. The mass scanning, observed between October 20, 2025, and January 19, 2026, involved 994 unique IP addresses across 145 ASNs targeting 706 distinct WordPress plugins in over 40,000 unique enumeration events.

The most targeted plugins are Post SMTP, Loginizer, LiteSpeed Cache, SEO by Rank Math, Elementor, and Duplicator. The activity touched a new high on December 7, 2025, when 6,550 unique sessions were recorded. More than 95% of the spike was driven by a single IP address: 112.134.208[.]214. Users of the aforementioned plugins are advised to keep them up-to-date.

Crate vulnerabilities surface early Rust Adds “Security” Tab to Crates.io The Rust project has updated Crates.io to include a “Security” tab on individual crate pages. The tab displays security advisories drawn from the RustSec database and lists which versions of a crate may have known vulnerabilities. This change gives developers an easy way to view relevant security information before adding the crate as a dependency. “The tab shows known vulnerabilities for the crate along with the affected version ranges,” the maintainers said .

Other improvements include expanded Trusted Publishing support, which now works with GitLab CI/CD in addition to GitHub Actions, and a new Trusted Publishing mode that, when enabled, turns off traditional API token-based publishing so as to reduce the risk of unauthorized publishes from leaked API tokens. Trusted Publishing has also been updated to block pull_request_target and workflow_run GitHub Actions triggers. “These triggers have been responsible for multiple security incidents in the GitHub Actions ecosystem and are not worth the risk,” the Crates.io team said. China hosts vast C2 footprint Chinese Internet Space Hosts Over 18K C2 Servers A new analysis from Hunt.io has revealed that the Chinese internet space is hosting more than 18,000 active command-and-control (C2 or C&C) servers across 48 different providers in the last three months.

China Unicom hosts nearly half of all observed servers, with Alibaba Cloud and Tencent following suit. More than half of the C2 servers (about 9,427 unique C2 IPs) are used to control an IoT botnet known as Mozi . A chunk of the remaining C2 servers is used for activity related to Cobalt Strike (1,204), Vshell (830), and Mirai (703). “Across Chinese hosting environments, a small number of large telecom and cloud providers account for the majority of observed command-and-control activity, supporting everything from commodity malware and IoT botnets to phishing operations and state-linked tooling,” Hunt.io said.

Military-linked espionage probe Ex-Military IT Consultant Detained in Sweden for Allegedly Spying for Russia A 33-year-old former IT consultant for Sweden’s Armed Forces has been detained on suspicion of passing information to Russia’s intelligence service, according to the Swedish Prosecution Authority. The suspected criminal activity took place throughout 2025 and until January 4, 2026, but Swedish authorities suspect the espionage may have been ongoing since 2022, when Russia launched its full-scale invasion of Ukraine. The suspect, who has denied any wrongdoing, worked as an IT consultant for the Swedish military from 2018 to 2022, per the AFP . The investigation is said to be still in early stages.

In February 2021, a 47-year-old Swedish tech consultant was charged with espionage for allegedly selling information about truckmaker Scania and Volvo Cars to a Russian diplomat for several years. He was sentenced to three years in prison later that September. Supply-chain platform fully exposed Security Flaws in Bluvoyix Critical vulnerabilities (from CVE-2026-22236 through CVE-2026-22240) have been disclosed in the Bluvoyix platform of Bluspark Global, a cloud-based solution that’s used to help shippers manage their supply chain data, which could have allowed a bad actor to gain full control of the platform and access customer and shipment data. They could have enabled access to customer accounts and track freight and component shipments, as well as enabled complete access to the platform’s API without the need for authentication.

This loophole could have been weaponized to create administrator accounts for follow-on exploitation. The vulnerabilities have since been patched, but not before a protracted disclosure process . Security researcher Eaton Zveare, who has previously uncovered security holes in platforms used by automotive firms, said the “admin access made it possible to view, modify, and even cancel customer shipments going back to 2007.” Crypto scams hit record scale $17B Estimated Stolen in Crypto Scams and Fraud in 2025 Cryptocurrency scams received at least $14 billion worth of cryptocurrency in 2025, a jump from $12 billion reported in the year prior. The average scam payment extracted from victims also increased from $782 to $2,764.

High-yield investment and pig butchering remained the most dominant categories by volume, even as impersonation scams – which involve fraudsters posing as legitimate organizations such as E-ZPass to manipulate victims into transferring funds – surged 1,400%. Based on historical trends, the 2025 figure is projected to exceed $17 billion as more illicit wallet addresses are identified in the coming months, Chainalysis said. Scammers have been found increasingly leveraging deepfake technology and AI-generated content to create convincing impersonations in romance and investment scams. “Major scam operations became increasingly industrialized, with sophisticated infrastructure, including phishing-as-a-service tools, AI-generated deepfakes, and professional money laundering networks,” the company said.

“Pig-butchering networks across Southeast Asia, drawing heavily on CMLNs [Chinese money laundering networks], generate billions of dollars annually and rely on layered wallet structures, exchanges, shell companies, and informal banking channels to launder funds and convert crypto into real-world assets, including real estate and luxury goods.” ATM malware ring dismantled 5 Venezuelan Nationals Plead Guilty to ATM Jackpotting Attacks A group of five Venezuelan nationals has pleaded guilty or been sentenced for their involvement in a multi-state ATM jackpotting thefts between September 14 and 16, 2024, that used sophisticated malware to steal thousands of dollars across Georgia, Florida, and Kentucky. The group, Hector Alejandro Alvarado Alvarez (20), Cesar Augusto Gil Sanchez (22), Javier Alejandro Suarez-Godoy (20), David Josfrangel Suarez-Sanchez (24), and Giobriel Alexander Valera-Astudillo (26), targeted various financial institutions by deploying malware or accessing the ATM’s supervisor mode to trigger cash withdrawals. Members of the group were caught on camera carrying out the attacks and were identified based on fingerprints left behind on the ATM machines. They face up to 30 years in prison, followed by immediate deportation.

Zero-click chain hits Pixel Google Details Pixel 9 Zero-Click Exploit Google Project Zero has released a zero-click exploit ( Part 1 , Part 2 , and Part 3 ) that can compromise Android smartphones via the Dolby audio decoder. The exploit is made possible because the Google Messages application automatically processes incoming audio attachments in the background for transcription purposes and decodes them without requiring user interaction. The exploit leverages CVE-2025-54957 to gain arbitrary code execution in the mediacodec context of a Google Pixel 9, and then makes use of CVE-2025-36934 , a use-after-free in the BigWave driver, to escalate privileges from mediacodec to kernel on the device. “The time investment required to find the necessary vulnerabilities was small compared to the impact of this exploit, especially for the privilege escalation stage,” researcher Natalie Silvanovich said.

“The time needed to find the bugs for a 0-click exploit chain on Android can almost certainly be measured in person-weeks for a well-resourced attacker.” While Dolby patched the flaw in October 2025, Samsung was the first mobile vendor to patch the vulnerability the next month. Pixel devices did not get the patch until January 5, 2026. A patch for the BigWave driver flaw was shipped to Pixel devices on January 6, 2026. Malicious ads seed infostealer Malvertising Used to Drop TamperedChef Infostealer A malvertising campaign detected by Sophos in September 2025 used Google Ads to redirect victims to deceptive sites that promoted a trojanized PDF editing application called AppSuite PDF Editor.

The application, once installed, appeared legitimate to users, but stealthily delivered an information stealer dubbed TamperedChef targeting Windows devices. The actively evolving threat cluster is known to employ tactics like delayed execution, staying dormant for about 56 days before activating the infostealer behavior to ensure persistence. The time period aligns with the typical 30-60-day cycle of paid advertising campaigns. TamperedChef is assessed to be a part of a wider campaign known as EvilAI.

According to telemetry data gathered by the cybersecurity company, over 100 systems were affected by the campaign, with the majority of the victims located in Germany (~15%), the U.K. (~14%), and France (~9%). “Victims of this campaign span a variety of industries, particularly those where operations rely heavily on specialized technical equipment – possibly because users in those industries frequently search online for product manuals, a behavior that the TamperedChef campaign exploits to distribute malicious software,” the company said. PNG files hide JS stealer Fake Pharma Invoices Distribute PureLogs Stealer A new phishing campaign has been observed using phony pharmaceutical invoices to trick recipients into opening ZIP archives containing JavaScript that, upon execution, uses PowerShell to download a malicious PNG image hosted on the Internet Archive.

“But this isn’t actually a standard PNG. Well, it is, but with extras,” Swiss Post Cybersecurity said . “The attackers embedded a Base64-encoded payload after the IEND chunk of the PNG, which marks the official end of the image data. The file still renders as a valid image in any viewer.

The actual malware sits between two custom markers, BaseStart- and -BaseEnd.” The extracted payload between these markers is used to launch a malware loader known as VMDetectLoader, which is responsible for persistence, environment checks, and launching PureLogs Stealer , a commodity stealer developed by a threat actor known as PureCoder. It’s worth noting that VMDetectLoader has been previously used to deliver DCRat in attacks targeting Colombia. Loan lures harvest bank data Fake Loan Scams in Peru A large-scale loan phishing operation in Peru has been discovered abusing fake loan offers to harvest sensitive personal and banking information (bank card details, online banking password, and a 6-digit PIN code) from unsuspecting users. The campaign is propagated via social media advertisements.

The threat actors behind the operation have created approximately 370 unique domains impersonating banks in Peru, Colombia, El Salvador, Chile, and Ecuador since 2024. “This particular phishing targets individuals through a seemingly legitimate loan application process, designed to harvest valid card credentials and corresponding PIN codes,” Group-IB said. “These credentials are then either sold on the black market or used in further phishing activities.” As soon as the details are entered on the fake sites, a script running in the background on the web page validates the information using the Luhn algorithm to ensure that the entered credit card details and government identification number are genuine. Fake installer sells bandwidth Proxyware Mimics Notepad++ A threat actor tracked as Larva-25012 is making use of a fake Notepad++ installer as a lure to distribute proxyware in attacks targeting South Korea.

The installers, written in C++ and hosted on GitHub, are promoted through advertisement pages on websites posing as download portals for cracked or otherwise illegal software. “These installers drop the downloader malware DPLoader. Once registered in the Windows Task Scheduler, DPLoader executes persistently and retrieves commands from its C&C server. All PowerShell scripts observed to date have included logic to install various Proxyware tools,” AhnLab said .

“In addition, the attacker is actively changing techniques to evade detection – such as injecting Proxyware into the Windows Explorer process or leveraging Python-based loaders.” The objective of these attacks is to install proxyware on the victim’s machine without their knowledge, and monetize their unused internet bandwidth by selling it to third parties. Larva-25012 is assessed to be active since at least 2024, distributing multiple types of proxyware, including DigitalPulse, Honeygain, and Infatica. Taken together, these incidents show how quickly the “background layer” of technology has become the front line. The weakest points weren’t exotic exploits, but the spaces people stop watching once systems feel stable.

The takeaway isn’t a single threat or fix. It’s the pattern: exposure accumulates quietly, then surfaces all at once. The full list makes that pattern hard to ignore. Found this article interesting?

Filling the Most Common Gaps in Google Workspace Security

Security teams at agile, fast-growing companies often have the same mandate: secure the business without slowing it down. Most teams inherit a tech stack optimized for breakneck growth, not resilience. In these environments, the security team is the helpdesk, the compliance expert, and the incident response team all rolled into one. Securing the cloud office in this scenario is all about finding leverage: identifying the strategic control points that drive the most resilience without adding operational overhead.

Google Workspace provides an excellent security foundation, but its native tooling has inherent limitations, and relying on the default configurations can cause headaches. To build a truly resilient program, there are some common-sense first steps teams can take to secure Workspace natively, before intelligently augmenting the platform where its capabilities fall short. Secure email, the primary attack vector and largest archive Email remains the most reliable target for attackers, as an initial attack method, as a vector to other connected apps and systems, and as a target for sensitive data. While Gmail’s default security is solid at catching some threats, it often struggles with targeted threats and sophisticated social engineering and payload-less attacks.

The gaps in native protection
BEC and Targeted spear phishing:
business email compromise (BEC) attacks often contain no malicious links or attachments, instead relying on social engineering that bypasses traditional defenses. Environmental context: Google doesn’t know who your VIPs are, which partners you work with, or how frequently you receive invoices from vendors, making it difficult to flag subtle anomalies worth scrutinizing. Data archive at rest: for most companies, email is the largest repository of sensitive data. If an account is compromised, the attacker has access to years of confidential conversations, attachments, contracts, and more.

How to improve Gmail’s security today While Google can’t provide all the capabilities of a modern email security platform, there are steps you can take to ensure your core Gmail configurations are as secure as possible. Turn on advanced scanning: enable Google’s enhanced pre-delivery message scanning and malware protection to ensure you’re making the most of Google’s capabilities. Implement basic email hygiene: configure SPF, DKIM, and DMARC. These protocols prove your emails are actually from you, and are critical for preventing domain spoofing.

Automate future settings: ensure the “Apply future recommended settings automatically” option is checked to stay current as Google rolls out more security updates. Move beyond authentication to manage access Multi-factor authentication (MFA) is the single most important control you can implement today, but it’s not a magic bullet. Your access control can’t stop at the login page. Too many windows and side doors Malicious OAuth access: compromised tokens, illicit consent grants, man-in-the-middle attacks, or simple misconfigurations can allow attackers access that appears perfectly legitimate to security tooling.

Legacy access: protocols like IMAP and POP don’t natively support MFA, and App Passwords can be circumvented. Detection gaps: Google can alert on suspicious sign-ins, but connecting that signal to other suspicious activity across the environment is a manual, time-consuming process. Harden your access control immediately Enforce strong MFA: not all MFA is created equal. At the very least, disable SMS or phone calls as MFA authentication methods.

Ideally, adopt phishing-resistant methods like physical security keys or Yubikeys. Disable legacy protocols: turn off POP and IMAP access for all users within the Gmail settings. Deny by default for OAuth: require users to request access to unconfigured third-party apps rather than granting access by default. The next steps to proactive, modern security A properly-configured Google Workspace offers a solid foundation for securing a fast-growing company.

But as your company grows, your attack surface grows with it. For lean security teams who need to maximize their efficiency and their effectiveness, the end goal isn’t just to have the right settings; it’s to have visibility across all of Google Workspace, with detection and response capabilities to detect subtle signs of compromise if an account is breached. Material Security builds on Google’s foundation, providing visibility and context that Workspace lacks natively across the emails, files, and accounts within your environment. Advanced email protection Material’s inbound protection combines threat research with AI, user report automation, and custom detection rules to provide multi-layered coverage to catch and remediate sophisticated threats.

Granular automated remediations protect the entire organization from the first detection or user report, and automatically triage and respond to user-reported phishing. Material is also the only platform on the market that protects sensitive email content, automatically detecting, classifying, and securing sensitive emails and attachments behind an MFA prompt, protecting critical information even in a breach. Context-aware account security A richer set of signals across the entire cloud office enables Material to detect and stop account takeovers early. Material monitors all activity across the cloud office, including suspicious logins, unusual data retrieval patterns and file-sharing behavior, password resets, out-of-policy forwarding rules, and much more.

This enables organizations to understand their risks and threats holistically and take action faster than with native tools alone. Data discovery and protection Material fills in the gaps in Google’s native data protection capabilities. Material automatically detects and classifies sensitive and confidential data in Google Drive, and enforces file-sharing and data access policies without slowing down collaboration. Risky sharing of sensitive files is flagged, and the system works with each user to self-heal or justify potentially risky sharing before revoking risky access and, when needed, updating labels.

How secure is your Workspace? Google Workspace security spans so many domains that it can be difficult to maintain a complete picture of your posture, and this only gets harder as your organization scales and your Workspace evolves. That’s why Material built our free Google Workspace Security Scorecard. Whether you’re a security engineer on a small security team scrambling to manage the day-to-day security of your organization, a CISO looking to better understand and report on your posture, or an IT leader responsible for Workspace administration, our quick, 5-minute assessment will not only provide a solid baseline but also actionable recommendations to improve your posture.

Check out the Google Workspace self-assessment now to find out where your gaps are. Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Malicious PyPI Package Impersonates SymPy, Deploys XMRig Miner on Linux Hosts

A new malicious package discovered in the Python Package Index (PyPI) has been found to impersonate a popular library for symbolic mathematics to deploy malicious payloads, including a cryptocurrency miner, on Linux hosts. The package, named sympy-dev , mimics SymPy , replicating the latter’s project description verbatim in an attempt to deceive unsuspecting users into thinking that they are downloading a “development version” of the library. It has been downloaded over 1,100 times since it was first published on January 17, 2026. Although the download count is not a reliable yardstick for measuring the number of infections, the figure likely suggests some developers may have fallen victim to the malicious campaign.

The package remains available for download as of writing. According to Socket , the original library has been modified to act as a downloader for an XMRig cryptocurrency miner on compromised systems. The malicious behavior is designed to trigger only when specific polynomial routines are called so as to fly under the radar. “When invoked, the backdoored functions retrieve a remote JSON configuration, download a threat actor-controlled ELF payload, then execute it from an anonymous memory-backed file descriptor using Linux memfd_create and /proc/self/fd, which reduces on-disk artifacts,” security researcher Kirill Boychenko said in a Wednesday analysis.

The altered functions are used to execute a downloader, which fetches a remote JSON configuration and an ELF payload from “63.250.56[.]54,” and then launches the ELF binary along with the configuration as input directly in memory to avoid leaving artifacts on disk. This technique has been previously adopted by cryptojacking campaigns orchestrated by FritzFrog and Mimo . The end goal of the attack is to download two Linux ELF binaries that are designed to mine cryptocurrency using XMRig on Linux hosts. “Both retrieved configurations use an XMRig compatible schema that enables CPU mining, disables GPU backends, and directs the miner to Stratum over TLS endpoints on port 3333 hosted on the same threat actor-controlled IP addresses,” Socket said.

“Although we observed cryptomining in this campaign, the Python implant functions as a general purpose loader that can fetch and execute arbitrary second stage code under the privileges of the Python process.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Most AI Risk Isn’t in Models, It’s in Your SaaS Stack

SmarterMail Auth Bypass Exploited in the Wild Two Days After Patch Release

A new security flaw in SmarterTools SmarterMail email software has come under active exploitation in the wild, two days after the release of a patch. The vulnerability, which currently does not have a CVE identifier, is tracked by watchTowr Labs as WT-2026-0001 . It was patched by SmarterTools on January 15, 2026, with Build 9511 , following responsible disclosure by the exposure management platform on January 8, 2026. It has been described as an authentication bypass flaw that could allow any user to reset the SmarterMail system administrator password by means of a specially crafted HTTP request to the “/api/v1/auth/force-reset-password” endpoint.

“The kicker of course being that said user is able to use RCE-as-a-feature functions to directly execute OS [operating system] commands,” watchTowr Labs researchers Piotr Bazydlo and Sina Kheirkhah said. The problem is rooted in the function “SmarterMail.Web.Api.AuthenticationController.ForceResetPassword,” which not only allows the endpoint to be reached without authentication, but also leverages the fact that the reset request is accompanied by a boolean flag named “IsSysAdmin” to handle the incoming request depending on whether the user is a system administrator or not. In case the flag is set to “true” (i.e., indicating that the user is an administrator), the underlying logic performs the following sequence of actions - Obtain the configuration corresponding to the username passed as input in the HTTP request Create a new system administrator item with the new password Update the administrator account with the new password In other words, the privileged path is configured such that it can trivially update an administrator user’s password by sending an HTTP request with the username of an administrator account and a password of their choice. This complete lack of security control could be abused by an attacker to obtain elevated access, provided they have knowledge of an existing administrator username.

It doesn’t end there, for the authentication bypass provides a direct path to remote code execution through a built-in functionality that allows a system administrator to execute operating system commands on the underlying operating system and obtain a SYSTEM-level shell. This can be accomplished by navigating to the Settings page, creating a new volume , and supplying an arbitrary command in the Volume Mount Command field that gets subsequently executed by the host’s operating system. The cybersecurity company said it chose to make the finding public following a post on the SmarterTools Community Portal, where a user claimed that they lost access to their admin account, with the logs indicating the use of the same “force-reset-password” endpoint to change the password on January 17, 2026, two days after the release of the patch. This likely indicates that the attackers managed to reverse engineer the patches and reconstruct the flaw.

To make matters worse, it doesn’t help that SmarterMail’s release notes are vague and do not explicitly mention what issues were addressed. One item in the bulleted list for Build 9511 simply mentions “IMPORTANT: Critical security fixes.” In response, SmarterTools CEO Tim Uzzanti hinted that this is done so to avoid giving threat actors more ammunition, but noted they plan to send an email every time a new CVE is discovered and again when a build has been released to resolve the issue. “In our 23+ years, we have had only a few CVEs, which were primarily communicated through release notes and critical fix references,” Uzzanti said in response to transparency concerns raised by its customers. “We appreciate the feedback that encouraged this change in policy moving forward.” It’s currently not clear whether such an email was sent to SmarterMail administrators this time around.

The Hacker News has reached out to SmarterTools for comment, and we will update the story if we hear back. The development comes less than a month after the Cyber Security Agency of Singapore (CSA) disclosed details of a maximum-severity security flaw in SmarterMail (CVE-2025-52691, CVSS score: 10.0) that could be exploited to achieve remote code execution. Update The vulnerability has been assigned the CVE identifier CVE-2026-23760 (CVSS score: N/A), with Huntress noting that it has observed in-the-wild exploitation of the privileged account takeover vulnerability that could result in remote code execution. The cybersecurity company also said CVE-2025-52691 has come under mass exploitation, making it essential that users of SmarterMail update to the latest version as soon as possible.

“Given the severity of this vulnerability, active exploitation, and exploitation of the additional CVE-2025-52691 being observed in the wild, businesses should prioritize the deployment of SmarterMail updates and review any outdated systems for signs of infection,” it added . (The story was updated after publication to include details of the CVE and insights from Huntress.) Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Automated FortiGate Attacks Exploit FortiCloud SSO to Alter Firewall Configurations

Cybersecurity company Arctic Wolf has warned of a “new cluster of automated malicious activity” that involves unauthorized firewall configuration changes on Fortinet FortiGate devices. The activity, it said, commenced on January 15, 2026, adding it shares similarities with a December 2025 campaign in which malicious SSO logins on FortiGate appliances were recorded against the admin account from different hosting providers by exploiting CVE-2025-59718 and CVE-2025-59719. Both vulnerabilities allow for unauthenticated bypass of SSO login authentication via crafted SAML messages when the FortiCloud single sign-on (SSO) feature is enabled on affected Devices. The shortcomings impact FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.

“This activity involved the creation of generic accounts intended for persistence, configuration changes granting VPN access to those accounts, as well as exfiltration of firewall configurations,” Arctic Wolf said of the developing threat cluster. Specifically, this entails carrying out malicious SSO logins against a malicious account “cloud-init@mail.io” from four different IP addresses, following which the firewall configuration files are exported to the same IP addresses via the GUI interface. The list of source IP addresses is below - 104.28.244[.]115 104.28.212[.]114 217.119.139[.]50 37.1.209[.]19 In addition, the threat actors have been observed creating secondary accounts, such as “secadmin,” “itadmin,” “support,” “backup,” “remoteadmin,” and “audit,” for persistence. “All of the above events took place within seconds of each other, indicating the possibility of automated activity,” Arctic Wolf added.

The disclosure coincides with a post on Reddit in which multiple users reported seeing malicious SSO logins on fully-patched FortiOS devices, with one user stating the “Fortinet developer team has confirmed the vulnerability persists or is not fixed in version 7.4.10.” The Hacker News has reached out to Fortinet for comment, and we will update the story if we hear back. In the interim, it’s advised to disable the “admin-forticloud-sso-login” setting. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Cisco Fixes Actively Exploited Zero-Day CVE-2026-20045 in Unified CM and Webex

Cisco has released fresh patches to address what it described as a “critical” security vulnerability impacting multiple Unified Communications (CM) products and Webex Calling Dedicated Instance that it has been actively exploited as a zero-day in the wild. The vulnerability, CVE-2026-20045 (CVSS score: 8.2), could permit an unauthenticated remote attacker to execute arbitrary commands on the underlying operating system of a susceptible device. “This vulnerability is due to improper validation of user-supplied input in HTTP requests,” Cisco said in an advisory. “An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device.

A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root.” The critical rating for the flaw is due to the fact that its exploitation could allow for privilege escalation to root, it added. The vulnerability impacts the following products - Unified CM Unified CM Session Management Edition (SME) Unified CM IM & Presence Service (IM&P) Unity Connection Webex Calling Dedicated Instance It has been addressed in the following versions - Cisco Unified CM, CM SME, CM IM&P, and Webex Calling Dedicated Instance - Release 12.5 - Migrate to a fixed release Release 14 - 14SU5 or apply patch file: ciscocm.V14SU4a_CSCwr21851_remote_code_v1.cop.sha512 Release 15 - 15SU4 (Mar 2026) or apply patch file: ciscocm.V15SU2_CSCwr21851_remote_code_v1.cop.sha512 or ciscocm.V15SU3_CSCwr21851_remote_code_v1.cop.sha512 Cisco Unity Connection Release 12.5 - Migrate to a fixed release Release 14 - 14SU5 or apply patch file: ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512 Release 15 - 15SU4 (Mar 2026) or apply patch file: ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512 The networking equipment major also said it’s “aware of attempted exploitation of this vulnerability in the wild,” urging customers to upgrade to a fixed software release to address the issue. There are currently no workarounds. An anonymous external researcher has been credited with discovering and reporting the bug.

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2026-20045 to its Known Exploited Vulnerabilities ( KEV ) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by February 11, 2026. The discovery of CVE-2026-20045 comes less than a week after Cisco released updates for another actively exploited critical security vulnerability affecting AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager ( CVE-2025-20393 , CVSS score: 10.0) that could permit an attacker to execute arbitrary commands with root privileges. Found this article interesting?

North Korean PurpleBravo Campaign Targeted 3,136 IP Addresses via Fake Job Interviews

As many as 3,136 individual IP addresses linked to likely targets of the Contagious Interview activity have been identified, with the campaign claiming 20 potential victim organizations spanning artificial intelligence (AI), cryptocurrency, financial services, IT services, marketing, and software development sectors in Europe, South Asia, the Middle East, and Central America. The new findings come from Recorded Future’s Insikt Group, which is tracking the North Korean threat activity cluster under the moniker PurpleBravo . First documented in late 2023, the campaign is also known as CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, Gwisin Gang, Tenacious Pungsan, UNC5342, Void Dokkaebi, and WaterPlum. The 3,136 individual IP addresses, primarily concentrated around South Asia and North America, are assessed to have been targeted by the adversary from August 2024 to September 2025.

The 20 victim companies are said to be based in Belgium, Bulgaria, Costa Rica, India, Italy, the Netherlands, Pakistan, Romania, the United Arab Emirates (U.A.E.), and Vietnam. “In several cases, it is likely that job-seeking candidates executed malicious code on corporate devices, creating organizational exposure beyond the individual target,” the threat intelligence firm said in a new report shared with The Hacker News. The disclosure comes a day after Jamf Threat Labs detailed a significant iteration of the Contagious Interview campaign wherein the attackers abuse malicious Microsoft Visual Studio Code (VS Code) projects as an attack vector to distribute a backdoor, underscoring continued exploitation of trusted developer workflows to achieve their twin goals of cyber espionage and financial theft. The Mastercard-owned company said it detected four LinkedIn personas potentially associated with PurpleBravo that masqueraded as developers and recruiters and claimed to be from the Ukrainian city of Odesa, along with several malicious GitHub repositories that are designed to deliver known malware families like BeaverTail.

PurpleBravo has also been observed managing two distinct sets of command-and-control (C2) servers for BeaverTail, a JavaScript infostealer and loader, and a Go-based backdoor known as GolangGhost (aka FlexibleFerret or WeaselStore) that is based on the HackBrowserData open-source tool. The C2 servers, hosted across 17 different providers, are administered via Astrill VPN and from IP ranges in China. North Korean threat actors’ use of Astrill VPN in cyber attacks has been well-documented over the years. It’s worth pointing out that Contagious Interview complements a second, separate campaign referred to as Wagemole (aka PurpleDelta), where IT workers from the Hermit Kingdom actors seek unauthorized employment under fraudulent or stolen identities with organizations based in the U.S.

and other parts of the world for both financial gain and espionage. While the two clusters are treated as disparate sets of activities, there are significant tactical and infrastructure overlaps between them despite the fact that the IT worker threat has been ongoing since 2017. “This includes a likely PurpleBravo operator displaying activity consistent with North Korean IT worker behavior, IP addresses in Russia linked to North Korean IT workers communicating with PurpleBravo C2 servers, and administration traffic from the same Astrill VPN IP address associated with PurpleDelta activity,” Recorded Future said. To make matters worse, candidates who are approached by PurpleBravo with fictitious job offers have been found to take the coding assessment on company-issued devices, effectively compromising their employers in the process.

This highlights that the IT software supply chain is “just as vulnerable” to infiltration from North Korean adversaries other than the IT workers. “Many of these [potential victim] organizations advertise large customer bases, presenting an acute supply-chain risk to companies outsourcing work in these regions,” the company noted. “While the North Korean IT worker employment threat has been widely publicized, the PurpleBravo supply-chain risk deserves equal attention so organizations can prepare, defend, and prevent sensitive data leakage to North Korean threat actors.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Zoom and GitLab Release Security Updates Fixing RCE, DoS, and 2FA Bypass Flaws

Zoom and GitLab have released security updates to resolve a number of security vulnerabilities that could result in denial-of-service (DoS) and remote code execution. The most severe of the lot is a critical security flaw impacting Zoom Node Multimedia Routers (MMRs) that could permit a meeting participant to conduct remote code execution attacks. The vulnerability, tracked as CVE-2026-22844 and discovered internally by its Offensive Security team, carries a CVSS score of 9.9 out of 10.0. “A command injection vulnerability in Zoom Node Multimedia Routers (MMRs) before version 5.2.1716.0 may allow a meeting participant to conduct remote code execution of the MMR via network access,” the company noted in a Tuesday alert.

Zoom is recommending that customers using Zoom Node Meetings, Hybrid, or Meeting Connector deployments update to the latest available MMR version to safeguard against any potential threat. There is no evidence that the security flaw has been exploited in the wild. The vulnerability affects the following versions - Zoom Node Meetings Hybrid (ZMH) MMR module versions prior to 5.2.1716.0 Zoom Node Meeting Connector (MC) MMR module versions prior to 5.2.1716.0 GitLab Releases Patches for Severe Flaws The disclosure comes as GitLab released fixes for multiple high-severity flaws affecting its Community Edition (CE) and Enterprise Edition (EE) that could result in DoS and a bypass of two-factor authentication (2FA) protections. The shortcomings are listed below - CVE-2025-13927 (CVSS score: 7.5) - A vulnerability that could allow an unauthenticated user to create a DoS condition by sending crafted requests with malformed authentication data (Affects all versions from 11.9 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2) CVE-2025-13928 (CVSS score: 7.5) - An incorrect authorization vulnerability in the Releases API that could allow an unauthenticated user to cause a DoS condition (Affects all versions from 17.7 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2) CVE-2026-0723 (CVSS score: 7.4) - A vulnerability that could allow an individual with existing knowledge of a victim’s credential ID to bypass 2FA by submitting forged device responses (Affects all versions from 18.6 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 ) Also remediated by GitLab are two other medium-severity bugs that could also trigger a DoS condition (CVE-2025-13335, CVSS score: 6.5, and CVE-2026-1102, CVSS score: 5.3) by configuring malformed Wiki documents that bypass cycle detection and sending repeated malformed SSH authentication requests, respectively.

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Webinar: How Smart MSSPs Using AI to Boost Margins with Half the Staff

Every managed security provider is chasing the same problem in 2026 — too many alerts, too few analysts, and clients demanding “CISO-level protection” at SMB budgets. The truth? Most MSSPs are running harder, not smarter. And it’s breaking their margins.

That’s where the quiet revolution is happening: AI isn’t just writing reports or surfacing risks — it’s rebuilding how security services are delivered . The Shift Until now, MSSPs scaled by adding people. Each new client meant another analyst, another spreadsheet, another late-night ticket queue. AI automation flips that model.

It handles assessments, benchmarking, and reporting in minutes — freeing your team to focus on strategy, not data entry. Early adopters are already seeing double-digit margin gains and faster onboarding cycles — without increasing headcount. Real Proof — Not Theory When Chad Robinson , CISO at Secure Cyber Defense, applied Cynomi’s AI platform, his team stopped drowning in manual checklists. He didn’t just automate reports; he turned junior analysts into “virtual CISOs,” expanding coverage and growing revenue from advisory services — all by standardizing delivery through AI.

Secure your spot for the live session ➜ What You’ll Learn In this session, Cynomi CEO David Primor and Chad Robinson unpack the real operating blueprint: How AI eliminates the grunt work that eats profit How to tier and package cybersecurity services for steady MRR What actually moved the needle for a growing MSSP — and how you can copy it How AI enables consistent, CISO-grade service at scale If you’re still hiring your way out of the workload crisis, you’re already behind. The MSSPs winning 2026 aren’t bigger — they’re smarter . Join the live session to see how AI can scale your security business without scaling your payroll. Register for the Webinar ➜ Found this article interesting?

This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Exposure Assessment Platforms Signal a Shift in Focus

Gartner® doesn’t create new categories lightly. Generally speaking, a new acronym only emerges when the industry’s collective “to-do list” has become mathematically impossible to complete. And so it seems that the introduction of the Exposure Assessment Platforms (EAP) category is a formal admission that traditional Vulnerability Management (VM) is no longer a viable way to secure a modern enterprise. The shift from the traditional Market Guide for Vulnerability Assessment to the new Magic Quadrant for EAPs represents a move away from the “vulnerability hose”, i.e., the endless stream of CVEs, and toward a model of Continuous Threat Exposure Management (CTEM) .

To us, this is more than just a change in terminology; it is an attempt to solve the “Dead End” paradox that has plagued security teams for a decade. In the inaugural Magic Quadrant report of this category, Gartner evaluated 20 vendors for their ability to support continuous discovery, risk-informed prioritization, and integrated visibility across cloud, on-prem, and identity layers. In this article, we’ll take a deep dive into the key findings of the report, the drivers behind the new category, the features that define it, and what we see as the takeaways for security teams. Why Exposure Assessment Is Gaining Ground Security tools have always promised risk reduction, but they’ve mostly delivered noise.

One product would reveal a misconfiguration. Another would log a privilege drift. A third would flag vulnerable external-facing assets. The result is a crisis of volume that has led to chronic alert fatigue in the SOC.

Each tool provided a piece of the puzzle, yet none were able to put all the pieces together and explain how exposure forms…or what to fix first to avoid it. The skepticism toward legacy VM tools is well-earned. Data from over 15,000 environments shows that 74% of identified exposures are “dead ends”, existing on assets that have no viable path to a critical system. In the old model, a security team might spend 90% of its remediation effort fixing these dead ends, yielding effectively zero reduction in risk to business processes.

This is what EAPs are designed to address. They pull all those pieces into a unified view that tracks how systems, identities, and vulnerabilities interact in real environments and show how an attacker could actually use it to move from a low-risk dev environment to critical assets. This model is gaining traction because it reflects how attackers operate. Threat actors don’t limit themselves to a single flaw.

They have weak controls, misaligned privileges, and blind spots in detection. The EAP model tracks how exposures accumulate across environments and lead attackers to reachable assets. Platforms in this category are built to show where risk originates, how it spreads, and which conditions support attacker movement. Gartner projects that organizations using this approach will reduce unplanned downtime by 30% by 2027 .

That kind of dramatic outcome is based on an equally dramatic change in how exposure is defined, modeled, and operationalized across environments. The shift touches every layer of the security workflow - from how signals are connected to how teams decide what to fix first. Drill Down: From Static Lists to Exposure in Motion That shift in workflow begins with how EAPs detect and connect the conditions that lead to risk. Exposure assessment platforms take a different approach than traditional vulnerability tools.

They’re built around a distinct set of capabilities: They consolidate discovery across environments. EAPs continuously scan internal networks, cloud workloads, and user-facing systems to identify both known and untracked assets, alongside unmanaged identities, misconfigured roles, and legacy systems that may not appear in standard inventories. They prioritize based on context, not just severity. Exposure is ranked using multiple parameters - asset importance, access paths, exploitability, and control coverage.

This allows teams to see which issues are reachable, which are isolated, and which enable lateral movement. They integrate exposure data into operational workflows. EAP output is designed to support action. Platforms connect with IT and security tools so findings can be assigned, tracked, and resolved through existing systems - without waiting for a quarterly audit or manual review.

They support lifecycle tracking. Once exposures are identified, EAPs monitor them across remediation steps, configuration changes, and policy updates. That visibility helps teams understand what’s been fixed, what remains, and how each adjustment affects risk posture. What the Quadrant Reveals About Market Maturity The new Magic Quadrant highlights a split in the market.

On one side, you have legacy incumbents attempting to “bolt on” exposure features to their existing scanning engines. On the other, you have native Exposure Management players who have been modeling attacker behavior for years. The maturity of the category is evidenced by a shift in the “definition of done.” Success is no longer measured by how many vulnerabilities were patched, but by how many critical attack paths were eliminated. Platforms like XM Cyber, which were built on attack graph-based modeling, are now leading the way for this approach.

What Security Teams Should Be Watching Exposure assessment now stands as its own category, with defined capabilities, evaluation criteria, and a growing role in enterprise workflows. The platforms in the Magic Quadrant are identifying connected exposures, mapping which assets can be reached, and guiding remediation based on attacker movement. For the practitioner, the immediate value is efficiency. These platforms are making decisions about what to fix first, how to assign ownership, and where risk reduction will have the most impact.

Exposure assessment is now positioned as a core layer in how environments are secured, maintained, and understood. If you can mathematically prove that 74% of your alerts can be safely ignored, you aren’t just “improving security” – you’re returning time and resources to a team that is likely already at its breaking point. The EAP category is finally aligning security metrics with business reality. The question is no longer “How many vulnerabilities do we have?” but “Are we safe from the attack paths that matter?” To learn more about why XM Cyber was named a challenger in the 2025 Magic Quadrant for exposure assessment platforms, grab your copy of the report here .

Note : This article was expertly written and contributed by Maya Malevich, Head of Product Marketing at XM Cyber. Gartner Disclaimer: Gartner, Magic Quadrant for Exposure Assessment Platforms, By Mitchell Schneider, Dhivya Poole, and Jonathan Nunez, November 10, 2025. GARTNER is a registered trademark and service mark of Gartner, and Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates in the U.S.

and internationally, and are used herein with permission. All rights reserved. Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact.

Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.