2026-01-24 AI Startup News

CISA Updates KEV Catalog with Four Actively Exploited Software Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The list of vulnerabilities is as follows:

- CVE-2025-68645 (CVSS score: 8.8) - A PHP remote file inclusion vulnerability in Synacor Zimbra Collaboration Suite (ZCS) that could allow a remote attacker to craft requests to the “/h/rest” endpoint and include arbitrary files from the WebRoot directory without any authentication (fixed in November 2025 with version 10.1.13)
- CVE-2025-34026 (CVSS score: 9.2) - An authentication bypass in the Versa Concerto SD-WAN orchestration platform that could allow an attacker to access administrative endpoints (fixed in April 2025 with version 12.2.1 GA)
- CVE-2025-31125 (CVSS score: 5.3) - An improper access control vulnerability in Vite Vitejs that could allow the contents of arbitrary files to be returned to the browser using ?inline&import or ?raw?import (fixed in March 2025 with versions 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11)
- CVE-2025-54313 (CVSS score: 7.5) - An embedded malicious code vulnerability in eslint-config-prettier that could allow for execution of a malicious DLL dubbed Scavenger Loader that’s designed to deliver an information stealer

It’s worth noting that CVE-2025-54313 refers to a supply chain attack targeting eslint-config-prettier and six other npm packages (eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall, got-fetch, and is) that came to light in July 2025. The phishing campaign targeted the package maintainers with bogus links that harvested their credentials under the pretext of verifying their email address as part of regular account maintenance, allowing the threat actors to publish trojanized versions.

According to CrowdSec, exploitation efforts targeting CVE-2025-68645 have been ongoing since January 14, 2026. There are currently no details on how the other vulnerabilities are being exploited in the wild. Pursuant to Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by February 12, 2026, to secure their networks against active threats.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Fortinet Confirms Active FortiCloud SSO Bypass on Fully Patched FortiGate Firewalls

Fortinet has officially confirmed that it’s working to completely plug a FortiCloud SSO authentication bypass vulnerability following reports of fresh exploitation activity on fully patched firewalls. “In the last 24 hours, we have identified a number of cases where the exploit was to a device that had been fully upgraded to the latest release at the time of the attack, which suggested a new attack path,” Fortinet Chief Information Security Officer (CISO) Carl Windsor said in a Thursday post. The activity essentially amounts to a bypass of the patches put in place by the network security vendor to address CVE-2025-59718 and CVE-2025-59719, which could allow unauthenticated bypass of SSO login authentication via crafted SAML messages if the FortiCloud SSO feature is enabled on affected devices. The issues were originally addressed by Fortinet last month.

However, earlier this week, reports emerged of renewed activity in which malicious SSO logins on FortiGate appliances were recorded against the admin account on devices that had been patched against the twin vulnerabilities. The activity is similar to incidents observed in December, shortly after the disclosure of CVE-2025-59718 and CVE-2025-59719. The activity involves the creation of generic accounts for persistence, making configuration changes granting VPN access to those accounts, and the exfiltration of firewall configurations to different IP addresses. The threat actor has been observed logging in with accounts named “cloud-noc@mail.io” and “cloud-init@mail.io.” As mitigations, the company is urging the following actions:

- Restrict administrative access to edge network devices via the internet by applying a local-in policy
- Disable FortiCloud SSO logins by disabling “admin-forticloud-sso-login”

“It is important to note that while, at this time, only exploitation of FortiCloud SSO has been observed, this issue is applicable to all SAML SSO implementations,” Fortinet said.


TikTok Forms U.S. Joint Venture to Continue Operations Under 2025 Executive Order

TikTok on Friday officially announced that it formed a joint venture that will allow the hugely popular video-sharing application to continue operating in the U.S. The new venture, named TikTok USDS Joint Venture LLC, has been established in compliance with the Executive Order signed by U.S. President Donald Trump in September 2025, the platform said. The new deal will see TikTok’s Chinese parent company, ByteDance, selling the majority of its stake to a group of majority-American investors, while it will retain a 19.9% stake in the business.

The Chinese government hasn’t commented publicly on the agreement. “The majority American owned Joint Venture will operate under defined safeguards that protect national security through comprehensive data protections, algorithm security, content moderation, and software assurances for U.S. users,” TikTok added. “It will safeguard the U.S. content ecosystem through robust trust and safety policies and content moderation while ensuring continuous accountability through transparency reporting and third-party certifications.” To that end, U.S. users’ data will be protected in Oracle’s secure U.S. cloud environment, while TikTok’s content recommendation algorithm will be retrained and updated specifically based on users in the country. The recommendation algorithm will be secured using Oracle’s cloud infrastructure as well.

In addition, the independent entity is expected to operate a comprehensive data privacy and cybersecurity program that it said will be audited and certified by third-party cybersecurity experts. “The program will adhere to major industry standards, including the National Institute of Standards and Technology (NIST) CSF and 800-53 and ISO 27001, as well as the Cybersecurity and Infrastructure Security Agency (CISA) Security Requirements for Restricted Transactions,” the company said. The safeguards rolled out by the joint venture will also extend to CapCut, Lemon8, and TikTok’s other apps and websites in the U.S. TikTok is used by over 200 million Americans and 7.5 million businesses.

President Trump hailed the deal in a Truth Social post, stating that the company would now be owned by a “group of Great American Patriots and Investors, the Biggest in the World.” He also thanked Chinese President Xi Jinping for working with his administration, and “ultimately, approving the Deal.” The development comes a month after reports emerged that TikTok had signed an agreement to create a new U.S. joint venture. Under President Trump’s September 2025 executive order, the attorney general was blocked from enforcing the national security law for a 120-day period in order to “permit the contemplated divestiture to be completed,” allowing the deal to be finalized by January 23, 2026. TikTok was briefly banned a year ago after a federal law, signed by former President Joe Biden, went into effect.

The legislation, passed in April 2024, mandated that the service be made available either under American ownership or another entity, citing national security concerns over its Chinese owner, ByteDance. Lawmakers have argued that Beijing could force the firm to hand over U.S. users’ data, a claim that both TikTok and ByteDance have consistently denied. These fears have also led to an outright ban of TikTok in India in June 2020.

In late 2024, the Canadian government ordered TikTok to dissolve its operations in the country.

Phishing Attack Uses Stolen Credentials to Install LogMeIn RMM for Persistent Access

Cybersecurity researchers have disclosed details of a new dual-vector campaign that leverages stolen credentials to deploy legitimate Remote Monitoring and Management (RMM) software for persistent remote access to compromised hosts. “Instead of deploying custom viruses, attackers are bypassing security perimeters by weaponizing the necessary IT tools that administrators trust,” KnowBe4 Threat Labs researchers Jeewan Singh Jalal, Prabhakaran Ravichandhiran, and Anand Bodke said. “By stealing a ‘skeleton key’ to the system, they turn legitimate Remote Monitoring and Management (RMM) software into a persistent backdoor.” The attack unfolds in two distinct waves, where the threat actors leverage fake invitation notifications to steal victim credentials, and then leverage those pilfered credentials to deploy RMM tools to establish persistent access. The bogus emails are disguised as an invitation from a legitimate platform called Greenvelope, and aim to trick recipients into clicking on a phishing URL that’s designed to harvest their Microsoft Outlook, Yahoo!, and AOL.com login information.

Once this information is obtained, the attack moves to the next phase. Specifically, this involves the threat actor registering with LogMeIn using the compromised email to generate RMM access tokens, which are then deployed in a follow-on attack through an executable named “GreenVelopeCard.exe” to establish persistent remote access to victim systems. The binary, signed with a valid certificate, contains a JSON configuration that acts as a conduit to silently install LogMeIn Resolve (formerly GoTo Resolve) and connect to an attacker-controlled URL without the victim’s knowledge. With the RMM tool now deployed, the threat actors weaponize the remote access to alter its service settings so that it runs with unrestricted access on Windows.

The attack also establishes hidden scheduled tasks to automatically launch the RMM program even if it’s manually terminated by the user. To counter the threat, it’s advised that organizations monitor for unauthorized RMM installations and usage patterns.

Microsoft Flags Multi-Stage AitM Phishing and BEC Attacks Targeting Energy Firms

Microsoft has warned of a multi‑stage adversary‑in‑the‑middle (AitM) phishing and business email compromise (BEC) campaign targeting multiple organizations in the energy sector. “The campaign abused SharePoint file‑sharing services to deliver phishing payloads and relied on inbox rule creation to maintain persistence and evade user awareness,” the Microsoft Defender Security Research Team said. “The attack transitioned into a series of AitM attacks and follow-on BEC activity spanning multiple organizations.” As part of post-exploitation activity following initial compromise, the unknown attackers have been found to leverage trusted internal identities from the victim to carry out large‑scale intra‑organizational and external phishing in an effort to cast a wide net and widen the scope of the campaign. The starting point of the attack is a phishing email likely sent from an email address belonging to a trusted organization, which was compromised beforehand.

Abusing this legitimate channel, the threat actors sent out messages masquerading as SharePoint document‑sharing workflows to give them a veneer of credibility and trick recipients into clicking on phishing URLs. Because services like SharePoint and OneDrive are widely used in enterprise environments and the emails originate from a legitimate address, they are unlikely to raise suspicion, allowing adversaries to deliver phishing links or stage malicious payloads. This approach is also called living-off-trusted-sites (LOTS), as it weaponizes the familiarity and ubiquity of such platforms to subvert email‑centric detection mechanisms. The URL, for its part, redirects users to a fake credential prompt to view the purported document.

Armed with access to the account using the stolen credentials and the session cookie, the attackers create inbox rules to delete all incoming emails and mark all emails as read. With this foundation in place, the compromised inbox is used to send phishing messages containing a fake URL designed to conduct credential theft using an AitM attack. In one case, Microsoft said the attacker initiated a large-scale phishing campaign involving more than 600 emails that were sent to the compromised user’s contacts, both within and outside of the organization. The threat actors have also been observed taking steps to delete undelivered and out-of-office emails, and to assure message recipients of the email’s authenticity if they raised any concerns.

The correspondence is then deleted from the mailbox. “These techniques are common in any BEC attacks and are intended to keep the victim unaware of the attacker’s operations, thus helping in persistence,” the Windows maker noted. Microsoft said the attack highlights the “operational complexity” of AitM, stating password resets alone cannot remediate the threat, as impacted organizations must ensure that they have revoked active session cookies and removed attacker-created inbox rules used to evade detection. To that end, the company noted that it worked with customers to revoke multi-factor authentication (MFA) changes made by the attacker on the compromised user’s accounts and delete suspicious rules created on those accounts.

It’s currently not known how many organizations were compromised and if it’s the work of any known cybercrime group. Organizations are advised to work with their identity provider to make sure security controls like phishing-resistant MFA are in place, enable conditional access policies, implement continuous access evaluation, and use anti-phishing solutions that monitor and scan incoming emails and visited websites. The attack outlined by Microsoft highlights the ongoing trend among threat actors to abuse trusted services such as Google Drive, Amazon Web Services (AWS), and Atlassian’s Confluence wiki to redirect to credential harvesting sites and stage malware. This eliminates the need for attackers to build out their own infrastructure as well as makes malicious activity appear legitimate.
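Hunting for the inbox rules described above, as an added example that is not Microsoft's code: it reads constructed audit records shaped like Exchange Online unified audit log entries (an Operation field plus a Parameters list of Name/Value pairs, an assumption about the log layout) and flags rules that hide every incoming message without any narrowing condition. It also treats MoveToFolder as a hiding action, one step beyond the two actions (delete, mark as read) the article names.

```python
"""Flag inbox rules that delete or mark-as-read every incoming message with
no condition narrowing them, the persistence trick the campaign relies on.

Added example for this article, not Microsoft's code. The record shape (an
"Operation" field and a "Parameters" list of Name/Value pairs) follows the
layout of Exchange Online unified audit log entries; the log lines below are
constructed for illustration.
"""
import json

# Parameters that restrict a rule to a subset of mail. A rule built to hide
# all incoming mail from its owner carries none of them.
CONDITION_PARAMS = {
    "From", "SentTo", "SubjectContainsWords", "BodyContainsWords",
    "SubjectOrBodyContainsWords", "FromAddressContainsWords",
    "RecipientAddressContainsWords", "HeaderContainsWords", "HasAttachment",
}

# Constructed audit records, one JSON object per line.
SAMPLE_AUDIT_LOG = """\
{"CreationTime": "2026-01-20T09:12:41", "Operation": "New-InboxRule", "UserId": "alice@example.test", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "DeleteMessage", "Value": "True"}, {"Name": "MarkAsRead", "Value": "True"}, {"Name": "StopProcessingRules", "Value": "True"}]}
{"CreationTime": "2026-01-20T09:30:02", "Operation": "New-InboxRule", "UserId": "bob@example.test", "Parameters": [{"Name": "Name", "Value": "Vendor news"}, {"Name": "From", "Value": "news@vendor.example"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]}
{"CreationTime": "2026-01-20T09:31:17", "Operation": "MailItemsAccessed", "UserId": "alice@example.test", "Parameters": []}
{"CreationTime": "2026-01-20T09:45:55", "Operation": "Set-InboxRule", "UserId": "carol@example.test", "Parameters": [{"Name": "Identity", "Value": "Archive"}, {"Name": "MoveToFolder", "Value": "RSS Feeds"}]}
"""


def parse_audit_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def rule_params(record):
    """Flatten the Name/Value parameter list into a plain dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def hiding_actions(params):
    """Return the actions in a rule that keep mail out of the owner's sight."""
    actions = [flag for flag in ("DeleteMessage", "MarkAsRead")
               if str(params.get(flag, "")).lower() == "true"]
    if "MoveToFolder" in params:  # same effect as delete: the owner never sees it
        actions.append("MoveToFolder")
    return actions


def is_catch_all_hiding_rule(record):
    """True for a created or changed rule that hides mail and has no condition."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return False
    params = rule_params(record)
    if not hiding_actions(params):
        return False
    return not any(cond in params for cond in CONDITION_PARAMS)


def find_hiding_rules(records):
    """Return (user, rule name, actions) for every catch-all hiding rule."""
    hits = []
    for record in records:
        if is_catch_all_hiding_rule(record):
            params = rule_params(record)
            name = params.get("Name") or params.get("Identity") or "<unnamed>"
            hits.append((record.get("UserId"), name, hiding_actions(params)))
    return hits


if __name__ == "__main__":
    for user, name, actions in find_hiding_rules(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"{user}: rule {name!r} hides mail via {', '.join(actions)}")
```

Bob's rule is left alone because its From condition scopes it to one sender; a rule that hides everything, however innocuous its name, is the signal worth reviewing alongside session and MFA changes.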

The disclosure comes as identity services provider Okta said it detected custom phishing kits that are designed specifically for use in voice phishing (aka vishing) campaigns targeting Google, Microsoft, Okta, and a wide range of cryptocurrency platforms. In these campaigns, the adversary, posing as tech support personnel, calls prospective targets using a spoofed support hotline or company phone number. The attacks aim to trick users into visiting a malicious URL and handing over their credentials, which are subsequently relayed to the threat actors in real time via a Telegram channel, granting them unauthorized access to the accounts. The social engineering efforts are well planned, with the attackers conducting reconnaissance on the targets and crafting customized phishing pages.

The kits, sold on an as-a-service basis, come fitted with client-side scripts that make it possible for threat actors to control the authentication flow in the browser of a targeted user in real time, as they provide verbal instructions and convince them to take actions (e.g., approve push notifications or enter one-time passwords) that would lead to an MFA bypass. “Using these kits, an attacker on the phone to a targeted user can control the authentication flow as that user interacts with credential phishing pages,” said Moussa Diallo, threat researcher at Okta Threat Intelligence. “They can control what pages the target sees in their browser in perfect synchronization with the instructions they are providing on the call. The threat actor can use this synchronization to defeat any form of MFA that is not phishing-resistant.” In recent weeks, phishing campaigns have exploited Basic Authentication URLs (i.e., “username:password@domain[.]com”) by placing a trusted domain in the username field, followed by an @ symbol and the actual malicious domain, to visually mislead the victim.

“When a user sees a URL that begins with a familiar and trusted domain, they may assume the link is legitimate and safe to click,” Netcraft said. “However, the browser interprets everything before the @ symbol as authentication credentials, not as part of the destination. The real domain, or the one that the browser connects to, is included after the @ symbol.” Other campaigns have resorted to simple visual deception tricks like using “rn” in place of “m” to conceal malicious domains and deceive victims into thinking they are visiting a legitimate domain associated with companies like Microsoft (“rnicrosoft[.]com”), Mastercard (“rnastercard[.]de”), Marriott (“rnarriotthotels[.]com”), and Mitsubishi (“rnitsubishielectric[.]com”). This is called a homoglyph attack.

“While attackers often aim at brands that start with the letter M for this technique, some of the most convincing domains come from swapping an internal ‘m’ with ‘rn’ inside words,” Netcraft’s Ivan Khamenka said. “This technique becomes even more dangerous when it appears in words that organizations commonly use as part of their brand, subdomains, or service identifiers. Terms like email, message, member, confirmation, and communication all contain mid-word m’s that users barely process.”
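Both URL tricks just described, the userinfo decoy before the @ symbol and the “rn”-for-“m” homoglyph, can be checked mechanically; the following is an added example, not Netcraft's code. The protected-domain list holds the four legitimate domains the article's lookalikes imitate, the sample URLs are constructed, and hosts ending in .example are placeholders.

```python
"""Reveal the host a browser actually connects to and flag "rn"-for-"m"
homoglyph lookalikes of known brands.

Added example for this article, not Netcraft's code. PROTECTED_DOMAINS holds
the legitimate domains the article's lookalikes imitate; sample URLs are
constructed and ".example" hosts are placeholders.
"""
from urllib.parse import urlsplit

PROTECTED_DOMAINS = {
    "microsoft.com", "mastercard.de", "marriotthotels.com", "mitsubishielectric.com",
}


def refang(url):
    """Undo common IoC defanging ('[.]', 'hxxp') so report text can be pasted in."""
    return (url.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def connected_host(url):
    """Host the browser resolves. urlsplit treats text before '@' as userinfo."""
    host = urlsplit(url).hostname
    return host.rstrip(".") if host else None


def userinfo_decoy(url):
    """Return the credentials-shaped text before '@', or None if there is none."""
    parts = urlsplit(url)
    if parts.username is None:
        return None
    if parts.password is None:
        return parts.username
    return f"{parts.username}:{parts.password}"


def registrable(host):
    """Last two labels. Crude (ignores multi-part suffixes) but enough here."""
    return ".".join(host.lower().split(".")[-2:])


def homoglyph_target(host):
    """Protected domain that host imitates by writing 'rn' for 'm', else None.

    A blind rn->m rewrite would also mangle legitimate words (modern -> modem),
    so a host is flagged only when its registrable domain is not protected but
    the rewritten form is.
    """
    base = registrable(host)
    if base in PROTECTED_DOMAINS:
        return None
    rewritten = base.replace("rn", "m")
    return rewritten if rewritten in PROTECTED_DOMAINS else None


def assess(url):
    """Run both checks on one URL and return the real host plus findings."""
    url = refang(url)
    host = connected_host(url)
    findings = []
    decoy = userinfo_decoy(url)
    if decoy is not None:
        findings.append(f"text before '@' ({decoy}) is userinfo; real host is {host}")
    target = homoglyph_target(host) if host else None
    if target:
        findings.append(f"{host} is an rn-for-m lookalike of {target}")
    return {"host": host, "findings": findings}


if __name__ == "__main__":
    for sample in (
        "https://microsoft.com@rnicrosoft[.]com/login",  # both tricks at once
        "https://rnastercard[.]de/secure",               # homoglyph only
        "https://login.microsoft.com/",                  # legitimate
        "https://modern.example/",                       # 'rn' inside a real word
    ):
        verdict = assess(sample)
        print(sample, "->", verdict["host"], verdict["findings"] or "no findings")
```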


New Osiris Ransomware Emerges as New Strain Using POORTRY Driver in BYOVD Attack

Cybersecurity researchers have disclosed details of a new ransomware family called Osiris that targeted a major food service franchisee operator in Southeast Asia in November 2025. The attack leveraged a malicious driver called POORTRY as part of a known technique referred to as bring your own vulnerable driver (BYOVD) to disarm security software, the Symantec and Carbon Black Threat Hunter Team said. It’s worth noting that Osiris is assessed to be a brand-new ransomware strain, sharing no similarities with another variant of the same name that emerged in December 2016 as an iteration of the Locky ransomware. It’s currently not known who the developers of the locker are, or if it’s advertised as a ransomware-as-a-service (RaaS).

However, the Broadcom-owned cybersecurity division said it identified clues that suggest the threat actors who deployed the ransomware may have been previously associated with INC ransomware (aka Warble). “A wide range of living off the land and dual-use tools were used in this attack, as was a malicious POORTRY driver, which was likely used as part of a bring your own vulnerable driver (BYOVD) attack to disable security software,” the company said in a report shared with The Hacker News. “The exfiltration of data by the attackers to Wasabi buckets, and the use of a version of Mimikatz that was previously used, with the same filename (kaz.exe), by attackers deploying the INC ransomware, point to potential links between this attack and some attacks involving INC.” Described as an “effective encryption payload” that’s likely wielded by experienced attackers, Osiris makes use of a hybrid encryption scheme and a unique encryption key for each file. It’s also flexible in that it can stop services, specify which folders and extensions need to be encrypted, terminate processes, and drop a ransom note.

By default, it’s designed to kill a long list of processes and services related to Microsoft Office, Exchange, Mozilla Firefox, WordPad, Notepad, Volume Shadow Copy, and Veeam, among others. First signs of malicious activity on the target’s network involved the exfiltration of sensitive data using Rclone to a Wasabi cloud storage bucket prior to the ransomware deployment. Also utilized in the attack were a number of dual-use tools like Netscan, Netexec, and MeshAgent, as well as a custom version of the Rustdesk remote desktop software. POORTRY is a little different from traditional BYOVD attacks in that it uses a bespoke driver expressly designed for elevating privileges and terminating security tools, as opposed to deploying a legitimate-but-vulnerable driver to the target network.

“KillAV, which is a tool used to deploy vulnerable drivers for terminating security processes, was also deployed on the target’s network,” the Symantec and Carbon Black Threat Hunter Team noted. “RDP was also enabled on the network, likely to provide the attackers with remote access.” The development comes as ransomware remains a significant enterprise threat, with the landscape constantly shifting as some groups close their doors and others quickly rise from their ashes or move in to take their place. According to an analysis of data leak sites by Symantec and Carbon Black, ransomware actors claimed a total of 4,737 attacks during 2025, up from 4,701 in 2024, a 0.8% increase. The most active players during the past year were Akira (aka Darter or Howling Scorpius), Qilin (aka Stinkbug or Water Galura), Play (aka Balloonfly), INC, SafePay, RansomHub (aka Greenbottle), DragonForce (aka Hackledorb), Sinobi, Rhysida, and CACTUS.

Some of the other notable developments in the space are listed below:

- Threat actors using the Akira ransomware have leveraged a vulnerable Throttlestop driver, along with the Windows CardSpace User Interface Agent and Microsoft Media Foundation Protected Pipeline, to sideload the Bumblebee loader in attacks observed in mid-to-late 2025.
- Akira ransomware campaigns have also exploited SonicWall SSL VPNs to breach small- to medium-sized business environments during mergers and acquisitions and ultimately obtain access to the bigger, acquiring enterprises.
- Another Akira attack has been found to leverage ClickFix-style CAPTCHA verification lures to drop a .NET remote access trojan called SectopRAT, which serves as a conduit for remote control and ransomware delivery.
- LockBit (aka Syrphid), which partnered with DragonForce and Qilin in October 2025, has continued to maintain its infrastructure despite a law enforcement operation to shut down its operations in early 2024. It has also released variants of LockBit 5.0 targeting multiple operating systems and virtualization platforms. A significant update to LockBit 5.0 is the introduction of a two-stage ransomware deployment model that separates the loader from the main payload, while simultaneously maximizing evasion, modularity, and destructive impact.
- A new RaaS operation dubbed Sicarii has claimed only one victim since it first surfaced in late 2025. While the group explicitly identifies itself as Israeli/Jewish, analysis has uncovered that its underground online activity is primarily carried out in Russian and that the Hebrew content shared by the threat actor contains grammatical and semantic errors. This has raised the possibility of a false flag operation. Sicarii’s primary operator uses the Telegram account “@Skibcum.”
- The threat actor known as Storm-2603 (aka CL-CRI-1040 or Gold Salem) has been observed leveraging the legitimate Velociraptor digital forensics and incident response (DFIR) tool as part of precursor activity leading to the deployment of Warlock, LockBit, and Babuk ransomware. The attacks have also utilized two drivers (“rsndispot.sys” and “kl.sys”) along with “vmtools.exe” to disable security solutions using a BYOVD attack.
- Entities in India, Brazil, and Germany have been targeted by Makop ransomware attacks that exploit exposed and insecure RDP systems to stage tools for network scanning, privilege escalation, disabling security software, credential dumping, and ransomware deployment. The attacks, besides using “hlpdrv.sys” and “ThrottleStop.sys” drivers for BYOVD attacks, also deploy GuLoader to deliver the ransomware payload. This is the first documented case of Makop being distributed via a loader.
- Ransomware attacks have also obtained initial access using already-compromised RDP credentials to perform reconnaissance, privilege escalation, and lateral movement via RDP, followed by exfiltrating data to temp[.]sh on day six of the intrusion and deploying Lynx ransomware three days later.
- A security flaw in the encryption process associated with the Obscura ransomware has been found to render large files unrecoverable. “When it encrypts large files, it fails to write the encrypted temporary key to the file’s footer,” Coveware said. “For files over 1GB, that footer is never created at all — which means the key needed for decryption is lost. These files are permanently unrecoverable.”
- A new ransomware family named 01flip has targeted a limited set of victims in the Asia-Pacific region. Written in Rust, the ransomware can target both Windows and Linux systems. Attack chains involve the exploitation of known security vulnerabilities (e.g., CVE-2019-11580) to obtain a foothold into target networks. It has been attributed to a financially motivated threat actor known as CL-CRI-1036.

To protect against targeted attacks, organizations are advised to monitor the use of dual-use tools, restrict access to RDP services, enforce multi-factor authentication (2FA), use application allowlisting where applicable, and implement off-site storage of backup copies. “While attacks involving encrypting ransomware remain as prevalent as ever and still pose a threat, the advent of new types of encryptionless attacks adds another degree of risk, creating a wider extortion ecosystem of which ransomware may become just one component,” Symantec and Carbon Black said.


Critical GNU InetUtils telnetd Flaw Lets Attackers Bypass Login and Gain Root Access

A critical security flaw has been disclosed in the GNU InetUtils telnet daemon (telnetd) that went unnoticed for nearly 11 years. The vulnerability, tracked as CVE-2026-24061, is rated 9.8 out of 10.0 on the CVSS scoring system. It affects all versions of GNU InetUtils from version 1.9.3 up to and including version 2.7. “Telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a ‘-f root’ value for the USER environment variable,” according to a description of the flaw in the NIST National Vulnerability Database (NVD).

In a post on the oss-security mailing list, GNU contributor Simon Josefsson said the vulnerability can be exploited to gain root access to a target system:

“The telnetd server invokes /usr/bin/login (normally running as root) passing the value of the USER environment variable received from the client as the last parameter. If the client supply [sic] a carefully crafted USER environment value being the string “-f root”, and passes the telnet(1) -a or --login parameter to send this USER environment to the server, the client will be automatically logged in as root bypassing normal authentication processes. This happens because the telnetd server do [sic] not sanitize the USER environment variable before passing it on to login(1), and login(1) uses the -f parameter to by-pass normal authentication.”

Josefsson also noted that the vulnerability was introduced as part of a source code commit made on March 19, 2015, which eventually made it into the version 1.9.3 release on May 12, 2015.

Security researcher Kyu Neushwaistein (aka Carlos Cortes Alvarez) has been credited with discovering and reporting the flaw on January 19, 2026. As mitigations, it’s advised to apply the latest patches and restrict network access to the telnet port to trusted clients. As temporary workarounds, users can disable the telnetd server, or make the InetUtils telnetd use a custom login(1) tool that does not permit use of the ‘-f’ parameter, Josefsson added. Data gathered by threat intelligence firm GreyNoise shows that 21 unique IP addresses have been observed attempting to execute a remote authentication bypass attack by leveraging the flaw over the past 24 hours.

All the IP addresses, which originate from Hong Kong, the U.S., Japan, the Netherlands, China, Germany, Singapore, and Thailand, have been flagged as malicious.
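The hand-off Josefsson describes is an argument-injection problem: a client-controlled string lands in a position where login(1) parses options. As an added example that is not GNU InetUtils code, the block below models that hand-off and the validation a patched telnetd or a replacement login wrapper needs; modelling the hand-off as a substituted-then-split command template is an assumption about the implementation, and the host value and the options other than the trailing USER are illustrative.

```python
"""Model the login(1) hand-off behind CVE-2026-24061 and the check that a
patched telnetd or a replacement login wrapper must apply to USER first.

Added example for this article, not GNU InetUtils code. The hand-off is
modelled as a command-line template that is filled in and then re-split into
argv (an assumption about the implementation); the host and the options other
than the client-supplied USER, placed last as the advisory describes, are
illustrative.
"""
import re
import shlex

LOGIN_TEMPLATE = "/usr/bin/login -p -h {host} {user}"

# Portable POSIX username: letters, digits, '_' and '-', never starting with '-'.
SAFE_USER = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def login_argv_unsafe(host, user):
    """The vulnerable shape: USER is substituted verbatim and then tokenised,
    so a value containing a space becomes extra argv entries that login(1)
    reads as its own options."""
    return shlex.split(LOGIN_TEMPLATE.format(host=host, user=user))


def validate_user(user):
    """Reject anything login(1) could read as an option, or that is not a
    plain username. Returns the value unchanged when it is acceptable."""
    if not user:
        raise ValueError("empty USER")
    if user.startswith("-"):
        raise ValueError(f"USER looks like an option: {user!r}")
    if not SAFE_USER.fullmatch(user):
        raise ValueError(f"USER is not a portable username: {user!r}")
    return user


def login_argv_hardened(host, user):
    """Validate first, then build argv as a list with no re-tokenising step,
    so the username can only ever occupy one argument slot."""
    return ["/usr/bin/login", "-p", "-h", host, validate_user(user)]


def is_affected_version(version):
    """GNU InetUtils 1.9.3 through 2.7 inclusive, per the advisory."""
    parts = tuple(int(x) for x in version.split("."))
    return (1, 9, 3) <= parts <= (2, 7)


if __name__ == "__main__":
    print(login_argv_unsafe("client.example", "-f root"))
    print(login_argv_hardened("client.example", "alice"))
    for candidate in ("-f root", "", "ro ot"):
        try:
            login_argv_hardened("client.example", candidate)
        except ValueError as err:
            print("rejected:", err)
    print("2.7 affected:", is_affected_version("2.7"))
```

The first print shows the crafted USER value arriving as two separate argv entries, which is exactly why a leading-dash check alone is not enough and the whole value must match a username grammar before it is placed anywhere near an option parser.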

ThreatsDay Bulletin: Pixel Zero-Click, Redis RCE, China C2s, RAT Ads, Crypto Scams & 15+ Stories

Most of this week’s threats didn’t rely on new tricks. They relied on familiar systems behaving exactly as designed, just in the wrong hands. Ordinary files, routine services, and trusted workflows were enough to open doors without forcing them. What stands out is how little friction attackers now need.

Some activity focused on quiet reach and coverage, others on timing and reuse. The emphasis wasn’t speed or spectacle, but control gained through scale, patience, and misplaced trust. The stories below trace where that trust bent, not how it broke. Each item is a small signal of a larger shift, best seen when viewed together.

Spear-phishing delivers custom backdoor Operation Nomad Leopard Targets Afghanistan Government entities in Afghanistan have been at the receiving end of a spear-phishing campaign dubbed Operation Nomad Leopard that employs bogus administrative documents as decoys to distribute a backdoor named FALSECUB by means of a GitHub-hosted ISO image file. The campaign was first detected in late December 2025. “The ISO file contains three files,” Seqrite Lab said . “The LNK file, Doc.pdf.lnk, is responsible for displaying the PDF to the victim and executing the payload.

The PDF file, doc.pdf, contains the government-themed lure.” The final payload is a C++ executable that’s capable of receiving commands from an external server. The activity has not been attributed to any specific country or known hacker group. “The campaign appears to be conducted by a regionally focused threat actor with a low-to-moderate sophistication level,” the Indian cybersecurity company added. DoS attacks hit UK services U.K.

Warns of Malicious Activity from Russia-Aligned Hacktivists The U.K. government is warning of continued malicious activity from Russian-aligned hacktivist groups like NoName057(16) targeting critical infrastructure and local government organizations in the country with denial-of-service (DoS) attacks. The end goal of these attacks is to take websites offline and disable access to essential services. “Although DoS attacks are typically low in sophistication, a successful attack can disrupt entire systems, costing organisations significant time, money, and operational resilience by having to analyse, defend against, and recover from them,” the U.K.

National Cyber Security Centre (NCSC) said . Trusted apps load malicious DLLs New Stealer Campaign Uses DLL Side-Loading Trick Google-owned VirusTotal has disclosed details of an information stealer campaign that relies on a trusted executable to trick the operating system into loading a malicious DLL (“CoreMessaging.dll”) payload – a technique called DLL side-loading – leading to the execution of secondary-stage infostealers designed to exfiltrate sensitive data. Both the executable and the DLL are distributed via ZIP archives that mimic installers for legitimate applications like Malwarebytes (e.g., “malwarebytes-windows-github-io-6.98.5.zip”) and other programs. WSL abused without process spawn Windows Subsystem for Linux Beacon Object File Released SpecterOps researcher Daniel Mayer has released a beacon object file ( BOF ) – a compiled C program designed to run within the memory of a post-exploitation agent like Cobalt Strike Beacon – that interacts with the Windows Subsystem for Linux (WSL) by directly invoking the WSL COM service, avoiding process creation for “wsl.exe” entirely and allowing operators to list all installed WSL distributions and execute arbitrary commands on any WSL distribution that the BOF finds.

Ads push covert RAT installers: Malicious Ads for File Converters Lead to RATs

Cybersecurity researchers have disclosed an active malicious campaign that uses advertisements placed on legitimate websites to lure users into downloading “converter” tools for converting images or documents. These services share a similar website template and go by names like Easy2Convert, ConvertyFile, Infinite Docs, and PowerDoc. Should a user attempt to download the program, they are redirected to another domain that actually hosts the C# dropper files. “In the foreground, these tools usually work as promised, so users do not become suspicious,” Nextron Systems said. “In the background, however, they behave almost identically: they install persistent remote access trojans (RATs) that give the threat actor continuous access to the victim system.” Specifically, the executable establishes persistence using a scheduled task that points to the main payload, a .NET application that initiates communication with a remote server, executes .NET assemblies received from the server, and sends the results back via an HTTP POST request.

Short-lived TLS certs roll out: Let’s Encrypt Makes 6-Day Certificates Available

Let’s Encrypt said its short-lived TLS certificates with a 6-day lifetime are now generally available. Each certificate is valid for a period of 160 hours from the time it is issued. “Short-lived certificates are opt-in and we have no plan to make them the default at this time. Subscribers that have fully automated their renewal process should be able to switch to short-lived certificates easily if they wish, but we understand that not everyone is in that position and generally comfortable with this significantly shorter lifetime,” Let’s Encrypt said. To request one, operators must select the “shortlived” profile in their ACME client.

Support tickets abused for spam: Zendesk Warns of Spam Campaigns Abusing Support Systems

Zendesk has revealed that unsecured support systems are being used to send spam emails.

The attacks take advantage of Zendesk’s ability to allow unverified users to submit support tickets, which then automatically generate confirmation emails that are sent to the email address entered by the attacker. This automated response system is being weaponized to turn the support platform into a delivery vehicle for spam by creating fake tickets. “These emails look like legitimate contacts from companies that use Zendesk to communicate with their customers, and are a spam tactic known as relay spam,” the customer relationship management (CRM) vendor said in an advisory. The company described it as a “potential side effect” that arises when Zendesk is set to allow unverified users to submit requests, adding that it’s actively working to reduce spam and prevent new spam campaigns. It has also urged customers to remove specific placeholders from first-reply triggers and permit only added users to submit tickets.

EU targets high-risk suppliers: E.U. Proposes Cybersecurity Rules to Secure Tech Supply Chain

The European Commission has proposed new cybersecurity legislation mandating the removal of high-risk suppliers to secure telecommunications networks and strengthen defenses against state-backed and cybercrime groups targeting critical infrastructure. “The new Cybersecurity Act aims to reduce risks in the EU’s ICT supply chain from third-country suppliers with cybersecurity concerns,” the Commission said.

“It sets out a trusted ICT supply chain security framework based on a harmonised, proportionate and risk-based approach. This will enable the E.U. and Member States to jointly identify and mitigate risks across the EU’s 18 critical sectors, considering also economic impacts and market supply.” The revised Cybersecurity Act is also expected to ensure that products and services reaching E.U. consumers are tested for security in a more efficient way through a renewed European Cybersecurity Certification Framework (ECCF). The amended act will take effect immediately upon approval by the European Parliament and the Council of the E.U. Once adopted, member states have one year to implement the directive into national law.

Mass scans probe plugin exposure: Large-Scale WordPress Plugin Reconnaissance Activity Spotted

Threat intelligence firm GreyNoise has uncovered large-scale WordPress plugin reconnaissance activity aimed at enumerating potentially vulnerable sites. The mass scanning, observed between October 20, 2025, and January 19, 2026, involved 994 unique IP addresses across 145 ASNs targeting 706 distinct WordPress plugins in over 40,000 unique enumeration events.

The most targeted plugins are Post SMTP, Loginizer, LiteSpeed Cache, SEO by Rank Math, Elementor, and Duplicator. The activity peaked on December 7, 2025, when 6,550 unique sessions were recorded; more than 95% of that spike was driven by a single IP address, 112.134.208[.]214. Users of the aforementioned plugins are advised to keep them up-to-date, since enumeration of this kind is reconnaissance that typically precedes exploitation attempts against known plugin flaws.
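As an added example (this is not GreyNoise’s tooling or data), the following Python script shows how a site operator could spot this kind of enumeration in their own web server access logs. It treats a request for a plugin’s readme.txt, or any 404 under /wp-content/plugins/, as a probe and flags source IPs that touch many distinct plugin slugs; ordinary visitors load plugin assets that exist and get 200s. The log lines, IP addresses and threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed access-log lines in Apache/Nginx combined format. They are not
# GreyNoise data; the IPs are documentation ranges and the slugs are the six
# plugins named in the report.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Dec/2025:10:00:01 +0000] "GET /wp-content/plugins/post-smtp/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Dec/2025:10:00:01 +0000] "GET /wp-content/plugins/loginizer/readme.txt HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Dec/2025:10:00:02 +0000] "GET /wp-content/plugins/litespeed-cache/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Dec/2025:10:00:02 +0000] "GET /wp-content/plugins/seo-by-rank-math/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Dec/2025:10:00:03 +0000] "GET /wp-content/plugins/elementor/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Dec/2025:10:00:03 +0000] "GET /wp-content/plugins/duplicator/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.4 - - [07/Dec/2025:10:01:10 +0000] "GET /wp-content/plugins/elementor/assets/css/frontend.min.css HTTP/1.1" 200 90211 "https://example.test/" "Mozilla/5.0"
198.51.100.4 - - [07/Dec/2025:10:01:11 +0000] "GET /wp-content/plugins/litespeed-cache/assets/js/js_tiny.min.js HTTP/1.1" 200 1207 "https://example.test/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
PLUGIN_RE = re.compile(r'^/wp-content/plugins/(?P<slug>[^/?]+)/(?P<rest>[^?]*)')


def parse_line(line):
    """Return the fields we need from one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_plugin_probe(path, status):
    """Return the plugin slug when the request looks like enumeration: either a fetch of
    readme.txt (the file scanners read for the 'Stable tag' version line) or a 404 on a
    plugin directory, which is what walking a slug list against a site produces."""
    m = PLUGIN_RE.match(path)
    if not m:
        return None
    slug, rest = m.group("slug"), m.group("rest")
    if rest.lower() == "readme.txt" or status == 404:
        return slug
    return None


def find_enumerators(log_text, threshold=5):
    """Map each source IP to the sorted set of plugin slugs it probed, keeping only IPs
    that probed at least `threshold` distinct plugins."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        slug = is_plugin_probe(rec["path"], rec["status"])
        if slug:
            probes[rec["ip"]].add(slug)
    return {ip: sorted(slugs) for ip, slugs in probes.items() if len(slugs) >= threshold}


if __name__ == "__main__":
    for ip, slugs in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip} probed {len(slugs)} plugins: {', '.join(slugs)}")
```

Run it against a real access log by passing the file contents to find_enumerators; tune the threshold to your site, since a handful of 404s from one client is normal but dozens of distinct plugin directories in a few seconds is not.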

Crate vulnerabilities surface early: Rust Adds “Security” Tab to Crates.io

The Rust project has updated Crates.io to include a “Security” tab on individual crate pages. The tab displays security advisories drawn from the RustSec database and lists which versions of a crate may have known vulnerabilities. This change gives developers an easy way to view relevant security information before adding the crate as a dependency. “The tab shows known vulnerabilities for the crate along with the affected version ranges,” the maintainers said. Other improvements include expanded Trusted Publishing support, which now works with GitLab CI/CD in addition to GitHub Actions, and a new Trusted Publishing mode that, when enabled, turns off traditional API token-based publishing so as to reduce the risk of unauthorized publishes from leaked API tokens. Trusted Publishing has also been updated to block the pull_request_target and workflow_run GitHub Actions triggers, both of which run with access to repository secrets on code that may originate from an untrusted contributor. “These triggers have been responsible for multiple security incidents in the GitHub Actions ecosystem and are not worth the risk,” the Crates.io team said.

China hosts vast C2 footprint: Chinese Internet Space Hosts Over 18K C2 Servers

A new analysis from Hunt.io has revealed that the Chinese internet space has hosted more than 18,000 active command-and-control (C2 or C&C) servers across 48 different providers in the last three months.

China Unicom hosts nearly half of all observed servers, followed by Alibaba Cloud and Tencent. More than half of the C2 servers (about 9,427 unique C2 IPs) are used to control an IoT botnet known as Mozi. A chunk of the remaining C2 servers is used for activity related to Cobalt Strike (1,204), Vshell (830), and Mirai (703). “Across Chinese hosting environments, a small number of large telecom and cloud providers account for the majority of observed command-and-control activity, supporting everything from commodity malware and IoT botnets to phishing operations and state-linked tooling,” Hunt.io said.

Military-linked espionage probe: Ex-Military IT Consultant Detained in Sweden for Allegedly Spying for Russia

A 33-year-old former IT consultant for Sweden’s Armed Forces has been detained on suspicion of passing information to Russia’s intelligence service, according to the Swedish Prosecution Authority. The suspected criminal activity took place throughout 2025 and until January 4, 2026, but Swedish authorities suspect the espionage may have been ongoing since 2022, when Russia launched its full-scale invasion of Ukraine. The suspect, who has denied any wrongdoing, worked as an IT consultant for the Swedish military from 2018 to 2022, per the AFP. The investigation is said to be still in its early stages.

In February 2021, a 47-year-old Swedish tech consultant was charged with espionage for allegedly selling information about truckmaker Scania and Volvo Cars to a Russian diplomat for several years. He was sentenced to three years in prison that September.

Supply-chain platform fully exposed: Security Flaws in Bluvoyix

Critical vulnerabilities (CVE-2026-22236 through CVE-2026-22240) have been disclosed in the Bluvoyix platform of Bluspark Global, a cloud-based solution used to help shippers manage their supply chain data, which could have allowed a bad actor to gain full control of the platform and access customer and shipment data. The flaws could have enabled access to customer accounts and the tracking of freight and component shipments, as well as complete access to the platform’s API without any authentication. This loophole could have been weaponized to create administrator accounts for follow-on exploitation. The vulnerabilities have since been patched, but not before a protracted disclosure process. Security researcher Eaton Zveare, who has previously uncovered security holes in platforms used by automotive firms, said the “admin access made it possible to view, modify, and even cancel customer shipments going back to 2007.”

Crypto scams hit record scale: $17B Estimated Stolen in Crypto Scams and Fraud in 2025

Cryptocurrency scams received at least $14 billion worth of cryptocurrency in 2025, a jump from $12 billion reported in the year prior. The average scam payment extracted from victims also increased from $782 to $2,764.

High-yield investment and pig butchering remained the most dominant categories by volume, even as impersonation scams – which involve fraudsters posing as legitimate organizations such as E-ZPass to manipulate victims into transferring funds – surged 1,400%. Based on historical trends, the 2025 figure is projected to exceed $17 billion as more illicit wallet addresses are identified in the coming months, Chainalysis said. Scammers have been found increasingly leveraging deepfake technology and AI-generated content to create convincing impersonations in romance and investment scams. “Major scam operations became increasingly industrialized, with sophisticated infrastructure, including phishing-as-a-service tools, AI-generated deepfakes, and professional money laundering networks,” the company said. “Pig-butchering networks across Southeast Asia, drawing heavily on CMLNs [Chinese money laundering networks], generate billions of dollars annually and rely on layered wallet structures, exchanges, shell companies, and informal banking channels to launder funds and convert crypto into real-world assets, including real estate and luxury goods.”

ATM malware ring dismantled: 5 Venezuelan Nationals Plead Guilty to ATM Jackpotting Attacks

A group of five Venezuelan nationals has pleaded guilty or been sentenced for their involvement in a series of multi-state ATM jackpotting thefts between September 14 and 16, 2024, that used sophisticated malware to steal thousands of dollars across Georgia, Florida, and Kentucky. The group, Hector Alejandro Alvarado Alvarez (20), Cesar Augusto Gil Sanchez (22), Javier Alejandro Suarez-Godoy (20), David Josfrangel Suarez-Sanchez (24), and Giobriel Alexander Valera-Astudillo (26), targeted various financial institutions by deploying malware or accessing the ATMs’ supervisor mode to trigger cash withdrawals. Members of the group were caught on camera carrying out the attacks and were identified based on fingerprints left behind on the ATMs. They face up to 30 years in prison, followed by immediate deportation.

Zero-click chain hits Pixel: Google Details Pixel 9 Zero-Click Exploit

Google Project Zero has released a zero-click exploit (Part 1, Part 2, and Part 3) that can compromise Android smartphones via the Dolby audio decoder. The exploit is made possible because the Google Messages application automatically processes incoming audio attachments in the background for transcription purposes and decodes them without requiring user interaction. The exploit leverages CVE-2025-54957 to gain arbitrary code execution in the mediacodec context of a Google Pixel 9, and then makes use of CVE-2025-36934, a use-after-free in the BigWave driver, to escalate privileges from mediacodec to kernel on the device. “The time investment required to find the necessary vulnerabilities was small compared to the impact of this exploit, especially for the privilege escalation stage,” researcher Natalie Silvanovich said. “The time needed to find the bugs for a 0-click exploit chain on Android can almost certainly be measured in person-weeks for a well-resourced attacker.” Dolby patched the flaw in October 2025, and Samsung was the first mobile vendor to ship the fix the following month; Pixel devices did not get the patch until January 5, 2026. A patch for the BigWave driver flaw was shipped to Pixel devices on January 6, 2026.

Malicious ads seed infostealer: Malvertising Used to Drop TamperedChef Infostealer

A malvertising campaign detected by Sophos in September 2025 used Google Ads to redirect victims to deceptive sites that promoted a trojanized PDF editing application called AppSuite PDF Editor.

The application, once installed, appeared legitimate to users, but stealthily delivered an information stealer dubbed TamperedChef targeting Windows devices. The actively evolving threat cluster is known to employ tactics like delayed execution, staying dormant for about 56 days before activating the infostealer behavior; this delay aligns with the typical 30-60-day cycle of paid advertising campaigns, so the malicious activity only surfaces once the ad campaign that seeded it has run its course. TamperedChef is assessed to be part of a wider campaign known as EvilAI. According to telemetry data gathered by the cybersecurity company, over 100 systems were affected by the campaign, with the majority of the victims located in Germany (~15%), the U.K. (~14%), and France (~9%). “Victims of this campaign span a variety of industries, particularly those where operations rely heavily on specialized technical equipment – possibly because users in those industries frequently search online for product manuals, a behavior that the TamperedChef campaign exploits to distribute malicious software,” the company said.

PNG files hide JS stealer: Fake Pharma Invoices Distribute PureLogs Stealer

A new phishing campaign has been observed using phony pharmaceutical invoices to trick recipients into opening ZIP archives containing JavaScript that, upon execution, uses PowerShell to download a malicious PNG image hosted on the Internet Archive.

“But this isn’t actually a standard PNG. Well, it is, but with extras,” Swiss Post Cybersecurity said. “The attackers embedded a Base64-encoded payload after the IEND chunk of the PNG, which marks the official end of the image data. The file still renders as a valid image in any viewer. The actual malware sits between two custom markers, BaseStart- and -BaseEnd.” Because PNG decoders stop reading at IEND, anything appended after it has no effect on rendering, which is what lets the file pass as an ordinary image. The extracted payload between these markers is used to launch a malware loader known as VMDetectLoader, which is responsible for persistence, environment checks, and launching PureLogs Stealer, a commodity stealer developed by a threat actor known as PureCoder. It’s worth noting that VMDetectLoader has been previously used to deliver DCRat in attacks targeting Colombia.

Loan lures harvest bank data: Fake Loan Scams in Peru

A large-scale loan phishing operation in Peru has been discovered abusing fake loan offers to harvest sensitive personal and banking information (bank card details, online banking password, and a 6-digit PIN code) from unsuspecting users. The campaign is propagated via social media advertisements.

The threat actors behind the operation have created approximately 370 unique domains impersonating banks in Peru, Colombia, El Salvador, Chile, and Ecuador since 2024. “This particular phishing targets individuals through a seemingly legitimate loan application process, designed to harvest valid card credentials and corresponding PIN codes,” Group-IB said. “These credentials are then either sold on the black market or used in further phishing activities.” As soon as the details are entered on the fake sites, a script running in the background of the page checks the entered card number and government identification number with the Luhn algorithm, so that only values passing the checksum (and therefore plausibly real) are accepted and junk submissions are discarded.

Fake installer sells bandwidth: Proxyware Mimics Notepad++

A threat actor tracked as Larva-25012 is using a fake Notepad++ installer as a lure to distribute proxyware in attacks targeting South Korea. The installers, written in C++ and hosted on GitHub, are promoted through advertisement pages on websites posing as download portals for cracked or otherwise illegal software. “These installers drop the downloader malware DPLoader. Once registered in the Windows Task Scheduler, DPLoader executes persistently and retrieves commands from its C&C server. All PowerShell scripts observed to date have included logic to install various Proxyware tools,” AhnLab said. “In addition, the attacker is actively changing techniques to evade detection – such as injecting Proxyware into the Windows Explorer process or leveraging Python-based loaders.” The objective of these attacks is to install proxyware on the victim’s machine without their knowledge and monetize their unused internet bandwidth by selling it to third parties. Larva-25012 is assessed to have been active since at least 2024, distributing multiple types of proxyware, including DigitalPulse, Honeygain, and Infatica.

Taken together, these incidents show how quickly the “background layer” of technology has become the front line. The weakest points weren’t exotic exploits, but the spaces people stop watching once systems feel stable.

The takeaway isn’t a single threat or fix. It’s the pattern: exposure accumulates quietly, then surfaces all at once. The full list makes that pattern hard to ignore.
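The PureLogs Stealer item above describes a PNG that renders normally but carries a Base64 payload appended after the IEND chunk, between the markers BaseStart- and -BaseEnd. The Python below is an added example, not Swiss Post Cybersecurity’s code or a sample from the campaign: it builds a tiny valid PNG, appends a payload in that layout, and then does what an analyst’s triage script would do, walking the chunk list with CRC checks to find IEND and carving whatever follows. The marker strings are the ones quoted in the report; the assumption that the Base64 text sits between them, and the payload bytes, are this example’s own.

```python
import base64
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Marker strings as quoted by Swiss Post Cybersecurity; the placement of the base64
# text between them is an assumption of this example.
START_MARKER = b"BaseStart-"
END_MARKER = b"-BaseEnd"


def _chunk(ctype, data):
    """Serialise one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_minimal_png():
    """Constructed 1x1 RGB image used as the carrier; not a sample from the campaign."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, truecolour
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter byte + one red pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def append_payload(png, payload):
    """Reproduce the carrier layout: base64 text between the markers, after IEND.
    The image chunks are untouched, which is why viewers still render the file."""
    return png + START_MARKER + base64.b64encode(payload) + END_MARKER


def trailing_bytes(data):
    """Walk the chunk list, verifying every CRC, and return whatever follows IEND.
    A clean PNG returns b''; anything else is data a decoder silently ignores."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    off = len(PNG_SIG)
    while off + 12 <= len(data):
        length = struct.unpack(">I", data[off:off + 4])[0]
        if off + 12 + length > len(data):
            raise ValueError("truncated chunk")
        ctype = data[off + 4:off + 8]
        body = data[off + 8:off + 8 + length]
        crc = struct.unpack(">I", data[off + 8 + length:off + 12 + length])[0]
        if crc != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        off += 12 + length
        if ctype == b"IEND":
            return data[off:]
    raise ValueError("no IEND chunk")


def carve_marker_payload(trailer, start=START_MARKER, end=END_MARKER):
    """Return the decoded bytes between the markers, or None if they are absent."""
    s = trailer.find(start)
    if s == -1:
        return None
    e = trailer.find(end, s + len(start))
    if e == -1:
        return None
    return base64.b64decode(trailer[s + len(start):e], validate=True)


if __name__ == "__main__":
    carrier = append_payload(build_minimal_png(), b"MZ\x90\x00constructed-stage-2")
    extra = trailing_bytes(carrier)
    print(f"{len(extra)} bytes after IEND; carved payload: {carve_marker_payload(extra)!r}")
```

For real samples, a non-empty result from trailing_bytes is itself a strong signal regardless of the markers, since well-formed images end at IEND; the marker carve is only a convenience for this particular loader.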


Filling the Most Common Gaps in Google Workspace Security

Security teams at agile, fast-growing companies often have the same mandate: secure the business without slowing it down. Most teams inherit a tech stack optimized for breakneck growth, not resilience. In these environments, the security team is the helpdesk, the compliance expert, and the incident response team all rolled into one. Securing the cloud office in this scenario is all about finding leverage: identifying the strategic control points that drive the most resilience without adding operational overhead.

Google Workspace provides an excellent security foundation, but its native tooling has inherent limitations, and relying on the default configurations can cause headaches. To build a truly resilient program, there are some common-sense first steps teams can take to secure Workspace natively, before intelligently augmenting the platform where its capabilities fall short.

Secure email, the primary attack vector and largest archive

Email remains the most reliable target for attackers: as an initial attack method, as a vector to other connected apps and systems, and as a store of sensitive data. While Gmail’s default security is solid at catching some threats, it often struggles with targeted threats, sophisticated social engineering, and payload-less attacks.

The gaps in native protection

- BEC and targeted spear phishing: business email compromise (BEC) attacks often contain no malicious links or attachments, instead relying on social engineering that bypasses traditional defenses.
- Environmental context: Google doesn’t know who your VIPs are, which partners you work with, or how frequently you receive invoices from vendors, making it difficult to flag subtle anomalies worth scrutinizing.
- Data archive at rest: for most companies, email is the largest repository of sensitive data. If an account is compromised, the attacker has access to years of confidential conversations, attachments, contracts, and more.

How to improve Gmail’s security today

While Google can’t provide all the capabilities of a modern email security platform, there are steps you can take to ensure your core Gmail configurations are as secure as possible.

- Turn on advanced scanning: enable Google’s enhanced pre-delivery message scanning and malware protection to ensure you’re making the most of Google’s capabilities.
- Implement basic email hygiene: configure SPF, DKIM, and DMARC. These records let receiving mail servers verify that messages claiming your domain were actually authorized by you, and are critical for preventing domain spoofing.
- Automate future settings: ensure the “Apply future recommended settings automatically” option is checked to stay current as Google rolls out more security updates.

Move beyond authentication to manage access

Multi-factor authentication (MFA) is the single most important control you can implement today, but it’s not a magic bullet. Your access control can’t stop at the login page.

Too many windows and side doors

- Malicious OAuth access: compromised tokens, illicit consent grants, man-in-the-middle attacks, or simple misconfigurations can allow attackers access that appears perfectly legitimate to security tooling.
- Legacy access: protocols like IMAP and POP don’t natively support MFA, and App Passwords can be circumvented.
- Detection gaps: Google can alert on suspicious sign-ins, but connecting that signal to other suspicious activity across the environment is a manual, time-consuming process.

Harden your access control immediately

- Enforce strong MFA: not all MFA is created equal. At the very least, disable SMS or phone calls as MFA methods. Ideally, adopt phishing-resistant methods such as physical security keys (for example, YubiKeys).
- Disable legacy protocols: turn off POP and IMAP access for all users within the Gmail settings.
- Deny by default for OAuth: require users to request access to unconfigured third-party apps rather than granting access by default.

The next steps to proactive, modern security

A properly-configured Google Workspace offers a solid foundation for securing a fast-growing company.

But as your company grows, your attack surface grows with it. For lean security teams who need to maximize their efficiency and their effectiveness, the end goal isn’t just to have the right settings; it’s to have visibility across all of Google Workspace, with detection and response capabilities to detect subtle signs of compromise if an account is breached. Material Security builds on Google’s foundation, providing visibility and context that Workspace lacks natively across the emails, files, and accounts within your environment.

Advanced email protection

Material’s inbound protection combines threat research with AI, user report automation, and custom detection rules to provide multi-layered coverage to catch and remediate sophisticated threats. Granular automated remediations protect the entire organization from the first detection or user report, and automatically triage and respond to user-reported phishing. Material is also the only platform on the market that protects sensitive email content, automatically detecting, classifying, and securing sensitive emails and attachments behind an MFA prompt, protecting critical information even in a breach.

Context-aware account security

A richer set of signals across the entire cloud office enables Material to detect and stop account takeovers early. Material monitors all activity across the cloud office, including suspicious logins, unusual data retrieval patterns and file-sharing behavior, password resets, out-of-policy forwarding rules, and much more. This enables organizations to understand their risks and threats holistically and take action faster than with native tools alone.

Data discovery and protection

Material fills in the gaps in Google’s native data protection capabilities. Material automatically detects and classifies sensitive and confidential data in Google Drive, and enforces file-sharing and data access policies without slowing down collaboration. Risky sharing of sensitive files is flagged, and the system works with each user to self-heal or justify potentially risky sharing before revoking risky access and, when needed, updating labels.

How secure is your Workspace?

Google Workspace security spans so many domains that it can be difficult to maintain a complete picture of your posture, and this only gets harder as your organization scales and your Workspace evolves. That’s why Material built our free Google Workspace Security Scorecard. Whether you’re a security engineer on a small security team scrambling to manage the day-to-day security of your organization, a CISO looking to better understand and report on your posture, or an IT leader responsible for Workspace administration, our quick, 5-minute assessment will not only provide a solid baseline but also actionable recommendations to improve your posture.

Check out the Google Workspace self-assessment now to find out where your gaps are. This article is a contributed piece from one of our valued partners.

Malicious PyPI Package Impersonates SymPy, Deploys XMRig Miner on Linux Hosts

A new malicious package discovered in the Python Package Index (PyPI) has been found to impersonate a popular library for symbolic mathematics to deploy malicious payloads, including a cryptocurrency miner, on Linux hosts. The package, named sympy-dev , mimics SymPy , replicating the latter’s project description verbatim in an attempt to deceive unsuspecting users into thinking that they are downloading a “development version” of the library. It has been downloaded over 1,100 times since it was first published on January 17, 2026. Although the download count is not a reliable yardstick for measuring the number of infections, the figure likely suggests some developers may have fallen victim to the malicious campaign.

The package remains available for download as of writing. According to Socket , the original library has been modified to act as a downloader for an XMRig cryptocurrency miner on compromised systems. The malicious behavior is designed to trigger only when specific polynomial routines are called so as to fly under the radar. “When invoked, the backdoored functions retrieve a remote JSON configuration, download a threat actor-controlled ELF payload, then execute it from an anonymous memory-backed file descriptor using Linux memfd_create and /proc/self/fd, which reduces on-disk artifacts,” security researcher Kirill Boychenko said in a Wednesday analysis.

The altered functions are used to execute a downloader, which fetches a remote JSON configuration and an ELF payload from “63.250.56[.]54,” and then launches the ELF binary along with the configuration as input directly in memory to avoid leaving artifacts on disk. This technique has been previously adopted by cryptojacking campaigns orchestrated by FritzFrog and Mimo . The end goal of the attack is to download two Linux ELF binaries that are designed to mine cryptocurrency using XMRig on Linux hosts. “Both retrieved configurations use an XMRig compatible schema that enables CPU mining, disables GPU backends, and directs the miner to Stratum over TLS endpoints on port 3333 hosted on the same threat actor-controlled IP addresses,” Socket said.

“Although we observed cryptomining in this campaign, the Python implant functions as a general purpose loader that can fetch and execute arbitrary second stage code under the privileges of the Python process.”
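The loader described above executes its ELF payload from a memfd via /proc/self/fd so that nothing lands on disk. That choice leaves its own trace: once a process has exec’d from an anonymous memfd, the kernel reports its image in /proc/<pid>/exe as “/memfd:<name> (deleted)”, a path that cannot exist on any filesystem. The Python below is an added example, not Socket’s analysis tooling, that hunts for exactly that. It includes a constructed /proc lookalike (process IDs, names and arguments invented for illustration) so it can be exercised offline, and it also scans the real /proc when run on a Linux host.

```python
import os
import tempfile


def memfd_backed(exe_target):
    """True when a process image was exec'd from an anonymous memfd (memfd_create followed
    by execve of /proc/self/fd/N). The kernel reports such images as '/memfd:<name> (deleted)'
    in the /proc/<pid>/exe link, so no on-disk path exists for the executable."""
    return exe_target.startswith("/memfd:")


def read_cmdline(proc_dir):
    """Return argv of the process, or [] when the file is unreadable."""
    try:
        with open(os.path.join(proc_dir, "cmdline"), "rb") as f:
            return [a.decode(errors="replace") for a in f.read().split(b"\x00") if a]
    except OSError:
        return []


def scan_proc(proc_root="/proc"):
    """Return processes under proc_root whose executable lives in a memfd, sorted by pid."""
    hits = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        proc_dir = os.path.join(proc_root, name)
        try:
            target = os.readlink(os.path.join(proc_dir, "exe"))
        except OSError:
            continue  # kernel thread, permission denied, or the process already exited
        if memfd_backed(target):
            hits.append({"pid": int(name), "exe": target, "argv": read_cmdline(proc_dir)})
    return sorted(hits, key=lambda h: h["pid"])


def build_fake_proc(root):
    """Constructed /proc lookalike: one ordinary interpreter process and one process
    exec'd from a memfd. The pids, names and arguments are made up for this example."""
    def add(pid, exe_target, argv):
        d = os.path.join(root, str(pid))
        os.makedirs(d)
        os.symlink(exe_target, os.path.join(d, "exe"))  # dangling link, like the real thing
        with open(os.path.join(d, "cmdline"), "wb") as f:
            f.write(b"\x00".join(a.encode() for a in argv) + b"\x00")

    add(1337, "/usr/bin/python3.12", ["python3", "-c", "import sympy"])
    add(4242, "/memfd:miner (deleted)", ["/proc/self/fd/3", "--config=/dev/shm/config.json"])
    os.makedirs(os.path.join(root, "sys"))  # non-numeric entries must be skipped


def demo_scan():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fake_proc(tmp)
        return scan_proc(tmp)


if __name__ == "__main__":
    print("constructed /proc:", demo_scan())
    if os.path.isdir("/proc"):
        print("live /proc:", scan_proc("/proc"))
```

Run as root on a live host, since /proc/<pid>/exe is only readable for processes you own. A memfd-backed process is not malicious by itself (some sandboxes and package managers use the same trick), but one whose parent is a Python interpreter that just imported a maths library is worth a closer look.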

SmarterMail Auth Bypass Exploited in the Wild Two Days After Patch Release

A new security flaw in SmarterTools SmarterMail email software has come under active exploitation in the wild, two days after the release of a patch. The vulnerability, which at the time of writing did not have a CVE identifier, is tracked by watchTowr Labs as WT-2026-0001. It was patched by SmarterTools on January 15, 2026, with Build 9511, following responsible disclosure by the exposure management platform on January 8, 2026. It has been described as an authentication bypass flaw that could allow any user to reset the SmarterMail system administrator password by means of a specially crafted HTTP request to the “/api/v1/auth/force-reset-password” endpoint.

“The kicker of course being that said user is able to use RCE-as-a-feature functions to directly execute OS [operating system] commands,” watchTowr Labs researchers Piotr Bazydlo and Sina Kheirkhah said. The problem is rooted in the function “SmarterMail.Web.Api.AuthenticationController.ForceResetPassword,” which can be reached without authentication and which branches on a boolean flag named “IsSysAdmin” carried in the reset request itself to decide whether to treat the requester as a system administrator. When the flag is set to “true,” the underlying logic performs the following sequence of actions:

- Obtain the configuration corresponding to the username passed as input in the HTTP request
- Create a new system administrator item with the new password
- Update the administrator account with the new password

In other words, the privileged path will overwrite an administrator user’s password given nothing more than an HTTP request carrying the username of an administrator account and a password of the attacker’s choosing. Because the privilege decision is taken from a client-controlled field rather than from an authenticated session, an attacker needs only the username of an existing administrator to obtain elevated access.

It doesn’t end there, for the authentication bypass provides a direct path to remote code execution through built-in functionality that allows a system administrator to execute commands on the underlying host and obtain a SYSTEM-level shell. This can be accomplished by navigating to the Settings page, creating a new volume, and supplying an arbitrary command in the Volume Mount Command field, which is subsequently executed by the host’s operating system. The cybersecurity company said it chose to make the finding public following a post on the SmarterTools Community Portal, where a user claimed that they lost access to their admin account, with the logs indicating the use of the same “force-reset-password” endpoint to change the password on January 17, 2026, two days after the release of the patch. This likely indicates that the attackers managed to reverse engineer the patches and reconstruct the flaw. Administrators who cannot update immediately should check their web logs for requests to “/api/v1/auth/force-reset-password” and review volume settings for mount commands they did not configure.
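To make the root cause concrete, here is an added Python model of the two handler shapes, written for this page and not taken from SmarterMail’s code. The vulnerable variant follows the three steps watchTowr lists: look up the supplied username, build a new system administrator item, and store it, with the request body’s own IsSysAdmin flag choosing the privileged path and no authentication at all. The fixed variant requires a server-side session and takes the caller’s privilege from that session, ignoring whatever the client claims. The account store, usernames and passwords are constructed for the demonstration.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    password: str
    is_sysadmin: bool = False


@dataclass
class Store:
    """In-memory stand-in for the account configuration (constructed for this example)."""
    accounts: dict = field(default_factory=dict)

    def get(self, username):
        return self.accounts.get(username)


class Forbidden(Exception):
    pass


def force_reset_vulnerable(store, body):
    """Models the pre-Build-9511 endpoint as described by watchTowr: reachable without
    authentication, with the request's IsSysAdmin flag selecting the privileged path."""
    target = store.get(body["username"])            # 1. config for the supplied username
    if target is None:
        raise KeyError(body["username"])
    if body.get("IsSysAdmin") is True:               # client-controlled privilege decision
        admin = Account(target.username, body["newPassword"], is_sysadmin=True)  # 2. new sysadmin item
        store.accounts[admin.username] = admin       # 3. update the administrator account
        return "sysadmin password replaced"
    return "non-admin path (not modelled here)"


def force_reset_fixed(store, body, session):
    """Hardened shape: the caller must be authenticated, privilege is derived from the
    server-side session, and the client-supplied IsSysAdmin field is never consulted."""
    if session is None:
        raise Forbidden("authentication required")
    caller = store.get(session["username"])
    target = store.get(body["username"])
    if caller is None or target is None:
        raise Forbidden("unknown account")
    if not (caller.is_sysadmin or caller.username == target.username):
        raise Forbidden("only a system administrator may reset another account")
    target.password = body["newPassword"]
    return "password replaced"


def fresh_store():
    return Store({
        "admin": Account("admin", "original-admin-secret", is_sysadmin=True),
        "bob": Account("bob", "bob-secret"),
    })


def demo():
    """Send the same forged request through both variants and report what each allowed."""
    forged = {"username": "admin", "newPassword": "attacker-chosen", "IsSysAdmin": True}
    results = {}

    s = fresh_store()
    force_reset_vulnerable(s, forged)
    results["vulnerable_admin_password"] = s.get("admin").password

    s = fresh_store()
    for label, session in (("unauthenticated", None), ("as_bob", {"username": "bob"})):
        try:
            force_reset_fixed(s, forged, session)
            results[f"fixed_{label}"] = "allowed"
        except Forbidden as exc:
            results[f"fixed_{label}"] = f"denied: {exc}"
    results["fixed_admin_password"] = s.get("admin").password

    # A user may still reset their own password once authenticated.
    force_reset_fixed(s, {"username": "bob", "newPassword": "bob-new"}, {"username": "bob"})
    results["fixed_bob_self_reset"] = s.get("bob").password
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The general lesson is the one watchTowr’s write-up turns on: any field in a request body that names a privilege level is an attacker’s input, and the server has to resolve who is calling from state it controls before it decides what they may change.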

To make matters worse, SmarterMail’s release notes are vague and do not explicitly mention what issues were addressed. One item in the bulleted list for Build 9511 simply mentions “IMPORTANT: Critical security fixes.” In response, SmarterTools CEO Tim Uzzanti said this is done to avoid giving threat actors more ammunition, but noted they plan to send an email every time a new CVE is discovered and again when a build has been released to resolve the issue. “In our 23+ years, we have had only a few CVEs, which were primarily communicated through release notes and critical fix references,” Uzzanti said in response to transparency concerns raised by its customers. “We appreciate the feedback that encouraged this change in policy moving forward.” It’s currently not clear whether such an email was sent to SmarterMail administrators this time around.

The Hacker News has reached out to SmarterTools for comment, and we will update the story if we hear back. The development comes less than a month after the Cyber Security Agency of Singapore (CSA) disclosed details of a maximum-severity security flaw in SmarterMail (CVE-2025-52691, CVSS score: 10.0) that could be exploited to achieve remote code execution. Update The vulnerability has been assigned the CVE identifier CVE-2026-23760 (CVSS score: 9.3), with Huntress noting that it has observed in-the-wild exploitation of the privileged account takeover vulnerability that could result in remote code execution. The cybersecurity company also said CVE-2025-52691 has come under mass exploitation, making it essential that users of SmarterMail update to the latest version as soon as possible.

Jai Minton, senior manager of detection engineering and threat hunting at Huntress, told The Hacker News that CVE-2025-52691 is being exploited to deliver low-sophistication web shells and “suspected loaders of malware written to Startup directories in order to achieve persistence and execution when the system is restarted.” Minton also stated that all the IP addresses attempting to exploit CVE-2026-23760 are tied to virtual infrastructure in the U.S., and that the exact origin of the attacks is unknown. As for attribution, there is no evidence to suggest that either vulnerability being exploited is tied to any particular threat actor. “Given the severity of this vulnerability, active exploitation, and exploitation of the additional CVE-2025-52691 being observed in the wild, businesses should prioritize the deployment of SmarterMail updates and review any outdated systems for signs of infection,” Huntress added. (The story was updated after publication to include details of the CVE and insights from Huntress.)


Automated FortiGate Attacks Exploit FortiCloud SSO to Alter Firewall Configurations

Cybersecurity company Arctic Wolf has warned of a “new cluster of automated malicious activity” involving unauthorized firewall configuration changes on Fortinet FortiGate devices. The activity began on January 15, 2026, the company said, and shares similarities with a December 2025 campaign in which malicious SSO logins against the admin account of FortiGate appliances were recorded from different hosting providers by exploiting CVE-2025-59718 and CVE-2025-59719. Both vulnerabilities allow an unauthenticated attacker to bypass SSO login authentication via crafted SAML messages when the FortiCloud single sign-on (SSO) feature is enabled on affected devices. The shortcomings impact FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.

“This activity involved the creation of generic accounts intended for persistence, configuration changes granting VPN access to those accounts, as well as exfiltration of firewall configurations,” Arctic Wolf said of the developing threat cluster. Specifically, the attackers perform malicious SSO logins using the account “cloud-init@mail.io” from four different IP addresses, after which the firewall configuration files are exported to those same IP addresses via the GUI. The list of source IP addresses is below -

104.28.244[.]115
104.28.212[.]114
217.119.139[.]50
37.1.209[.]19

In addition, the threat actors have been observed creating secondary accounts, such as “secadmin,” “itadmin,” “support,” “backup,” “remoteadmin,” and “audit,” for persistence. “All of the above events took place within seconds of each other, indicating the possibility of automated activity,” Arctic Wolf added.
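For teams hunting this activity in their own telemetry, the following is an added example (not code from Arctic Wolf, Fortinet or the original article) that runs the indicators above over FortiOS-style key=value event log lines. It flags logins from the listed source IPs, successful SSO logins by any account outside a trusted set, creation of new "system.admin" objects (the persistence step, matched against the reported account names), and bursts of configuration changes from one source within a few seconds, which is the automation signal Arctic Wolf describes. The sample log lines are constructed, and the field names the rules key on for SSO logins (method="sso") and for the origin of configuration changes (srcip) are assumptions that must be mapped onto the schema your own log pipeline produces.

```python
"""Triage FortiOS-style event logs for the FortiCloud SSO abuse pattern described above.

Added example; not Arctic Wolf's or Fortinet's code. The sample log lines are
constructed in FortiOS key=value style, and the field names used for SSO logins
(method="sso") and for the origin of config changes (srcip=...) are assumptions
that must be mapped onto the schema of your own log pipeline.
"""
import re
from datetime import datetime, timedelta

# Indicators reported by Arctic Wolf (values taken from the article, defanging removed).
SOURCE_IPS = {"104.28.244.115", "104.28.212.114", "217.119.139.50", "37.1.209.19"}
SUSPECT_ACCOUNTS = {"cloud-init@mail.io", "secadmin", "itadmin", "support",
                    "backup", "remoteadmin", "audit"}

# key=value or key="quoted value" pairs, as emitted in FortiOS syslog output.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event(line):
    """Turn one key=value log line into a dict; quoted values are unquoted."""
    ev = {k: (v[1:-1] if v.startswith('"') else v) for k, v in _KV.findall(line)}
    ev["_ts"] = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
    return ev


def classify(ev, trusted_admins):
    """Return (rule, detail) findings for a single event."""
    hits = []
    src, user = ev.get("srcip", ""), ev.get("user", "")
    if src in SOURCE_IPS:
        hits.append(("known_bad_srcip", f"{user} from {src}"))
    if ev.get("action") == "login" and ev.get("status") == "success":
        # ASSUMPTION: SSO-originated admin logins carry method="sso".
        if ev.get("method") == "sso" and user not in trusted_admins:
            hits.append(("untrusted_sso_login", f"{user} from {src}"))
        if user in SUSPECT_ACCOUNTS:
            hits.append(("suspect_account_login", f"{user} from {src}"))
    # A new administrator object being added is the persistence step.
    if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
        hits.append(("admin_account_created", f'{ev.get("cfgobj", "")} by {user} from {src}'))
    return hits


def find_bursts(events, window=timedelta(seconds=10), min_changes=3):
    """Flag any source that makes >= min_changes config changes inside `window`;
    Arctic Wolf notes the events landed within seconds of each other."""
    by_src = {}
    for ev in events:
        if "cfgpath" in ev:
            by_src.setdefault(ev.get("srcip", "?"), []).append(ev["_ts"])
    bursts = []
    for src, times in by_src.items():
        times.sort()
        if any(times[i + min_changes - 1] - times[i] <= window
               for i in range(len(times) - min_changes + 1)):
            bursts.append(("automated_config_burst", src))
    return bursts


def triage(lines, trusted_admins=frozenset({"admin"})):
    """Run every rule over the given log lines and return the combined findings."""
    events = [parse_event(line) for line in lines if line.strip()]
    findings = []
    for ev in events:
        findings.extend(classify(ev, trusted_admins))
    findings.extend(find_bursts(events))
    return findings


# Constructed sample lines (not real device output) reproducing the reported sequence:
# a legitimate admin login, then an SSO login by the attacker account followed by
# two admin-account creations and a VPN settings change within seconds.
SAMPLE_LOG = """\
date=2026-01-15 time=03:14:07 logid="0100032001" type="event" subtype="system" action="login" method="https" status="success" user="admin" srcip="10.0.0.5" msg="Administrator admin logged in successfully"
date=2026-01-15 time=03:20:01 logid="0100032001" type="event" subtype="system" action="login" method="sso" status="success" user="cloud-init@mail.io" srcip="104.28.244.115" msg="Administrator cloud-init@mail.io logged in successfully"
date=2026-01-15 time=03:20:03 logid="0100044546" type="event" subtype="system" action="Add" cfgpath="system.admin" cfgobj="secadmin" user="cloud-init@mail.io" srcip="104.28.244.115" msg="Add system.admin secadmin"
date=2026-01-15 time=03:20:04 logid="0100044546" type="event" subtype="system" action="Add" cfgpath="system.admin" cfgobj="itadmin" user="cloud-init@mail.io" srcip="104.28.244.115" msg="Add system.admin itadmin"
date=2026-01-15 time=03:20:05 logid="0100044547" type="event" subtype="system" action="Edit" cfgpath="vpn.ssl.settings" cfgobj="" user="cloud-init@mail.io" srcip="104.28.244.115" msg="Edit vpn.ssl.settings"
""".splitlines()

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:24} {detail}")
```

Point the script at exported event logs and populate trusted_admins with the accounts that are legitimately allowed to arrive via FortiCloud SSO; the IP and account-name rules are brittle by nature, so the SSO-login and config-burst rules are the ones worth keeping once the attackers rotate infrastructure. Treat any hit as a triage lead to be confirmed against the device's own admin list and VPN settings, not as proof of compromise.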

The disclosure coincides with a post on Reddit in which multiple users reported seeing malicious SSO logins on fully patched FortiOS devices, with one user stating that the “Fortinet developer team has confirmed the vulnerability persists or is not fixed in version 7.4.10.” The Hacker News has reached out to Fortinet for comment, and we will update the story if we hear back. In the interim, it’s advised to disable the “admin-forticloud-sso-login” setting.