
All news with #threat report tag

497 articles · page 12 of 25

Smashing Security #451: Gov Hacks and Headphone Risks

🔒 In episode 451 of Smashing Security, host Graham Cluley and guest Ray Redacted explore a prolific intruder who claims to have compromised the U.S. Supreme Court, Veterans Affairs, AmeriCorps and other organisations, posting screenshots and even a victim’s blood type under the account “I hacked the government”. They also examine research revealing flaws in wireless headphone pairing — notably in Google’s Fast Pair ecosystem — that let attackers hijack earbuds, inject audio and eavesdrop without obvious signs. The episode mixes incident reporting, legal context and consumer privacy implications.

DPRK-linked Actors Abuse VS Code Tasks to Deliver Backdoor

🚨 Jamf Threat Labs and other researchers observed DPRK-linked actors using malicious Visual Studio Code project repositories to deliver a multi-stage backdoor enabling remote code execution. The campaign abuses VS Code task configuration files (runOn: folderOpen) to fetch obfuscated JavaScript from Vercel and deploy implants named BeaverTail and InvisibleFerret. Targets are lured to clone and open repository-based job assessments, and on macOS the chain uses nohup/curl to run Node.js payloads that persist beyond the IDE.

Kimwolf IoT Botnet Infects Corporate and Government Networks

🚨 A new IoT botnet, Kimwolf, has infected more than two million devices and is being used for large-scale DDoS and to relay abusive traffic. Operators abuse commercial residential proxy services—most prominently IPIDEA—to reach proxy endpoints and scan local networks, enabling lateral infections of vulnerable devices, particularly unofficial Android TV boxes. Some proxy providers have begun blocking Kimwolf-related traffic, but millions of infected endpoints remain within corporate and government networks.

Cyber Risk Rises Among CEOs Amid Weak Growth Outlook

🔒 PwC’s 29th Global CEO Survey of 4,454 executives finds cyber risk among the top threats as CEOs lose confidence in short-term growth. Nearly a third (31%) see high or extreme exposure to potential financial loss from cyber attacks, and 84% plan enterprise-wide cybersecurity improvements. PwC recommends investing in data, processes and responsible AI to help preserve stakeholder trust.

Five Chrome Extensions Hijack Enterprise Sessions, Target HR

🔒 Researchers at Socket uncovered a coordinated campaign in which five Chrome extensions, marketed as productivity tools, clandestinely stole session authentication tokens and enabled full account takeover. More than 2,300 users installed the malicious add-ons, which targeted enterprise HR and ERP platforms such as Workday, NetSuite and SuccessFactors. Some extensions exfiltrated cookies every 60 seconds, while others blocked admin and security pages to prevent incident response. Removal requests have been filed with the Chrome Web Store security team.

Multi-Stage Windows Malware Campaign Abusing Defendnot

🛡️ FortiGuard Labs details a multi-stage Windows malware campaign that begins with socially engineered archives and a deceptive LNK shortcut to launch a PowerShell loader. The chain uses an obfuscated VBScript to reconstruct final-stage logic in memory, then operationalizes Defendnot to disable Microsoft Defender from a signed process while applying persistent policy-based suppression. Attackers stage components across GitHub and Dropbox, deploy long-term surveillance and persistence, and deliver Amnesia RAT, Hakuna Matata–derived ransomware, and a WinLocker, resulting in widespread file encryption and credential theft.

LinkedIn Messages Used to Distribute RAT via DLL Sideload

📩 ReliaQuest researchers uncovered a LinkedIn-based phishing campaign that delivers weaponized WinRAR self-extracting archives to targets. The archive extracts four components: a legitimate open-source PDF reader, a malicious DLL used for DLL sideloading, a portable Python interpreter PE, and a decoy RAR. When the PDF reader is run the rogue DLL is sideloaded, drops the Python interpreter, creates a Windows Run registry key, and executes Base64-encoded open-source shellcode in memory to deploy a remote access trojan. The campaign leverages social media DMs and legitimate tools to evade detection and maintain persistent access.

LinkedIn phishing uses legitimate tools to deploy RAT

🔒 Researchers at ReliaQuest uncovered a LinkedIn-based phishing campaign that delivers a Remote Access Trojan by abusing legitimate software. Attackers send role-tailored messages containing a WinRAR self-extracting archive that unpacks a legitimate open-source PDF reader alongside a malicious DLL that uses DLL sideloading. The campaign leverages a real penetration-testing tool to establish persistence, enabling data exfiltration and lateral movement.

AI 'Fifth Wave' Supercharges Cybercrime Operations

🔍 Group-IB's January report argues that AI has created a new 'fifth wave' of cybercrime by turning advanced skills into inexpensive, scalable services that make attacks cheaper and faster. Analysts documented low-cost synthetic identity kits, deepfake-as-a-service subscriptions and biometric datasets sold for as little as $5, plus subscription dark LLMs. The firm highlights agentized phishing that automates lure creation, delivery and campaign adaptation and the rise of self-hosted dark LLMs used to generate scams, malware and exploit code.

WEF 2026: AI Drives Cybersecurity Risks and Responses

🔐 The World Economic Forum's Global Cybersecurity Outlook 2026 finds that advances in AI, geopolitical fragmentation and complex supply chains are intensifying cyber risk. Respondents named AI the top driver of change (94%) and reported rising AI-related vulnerabilities (87%), while confidence in national preparedness continued to fall. The report urges security-by-design, strong governance, and retained human oversight as organizations scale AI defenses. Notably, 64% now assess AI tools before deployment and 77% have deployed AI in security operations, though skills gaps and trust remain major obstacles.

Account Compromise Soars 389% in 2025: eSentire Report

🔐 eSentire's 2025 Year in Review (published 15 Jan 2026) documents a 389% year‑over‑year surge in account compromises, which accounted for 55% of observed attacks. Credential access comprised 75% of malicious activity, with Microsoft 365 accounts heavily targeted and two‑thirds of compromises used for account takeovers. Phishing‑as‑a‑service (PhaaS) kits — including Tycoon2FA, FlowerStorm and EvilProxy — fueled many Business Email Compromise operations, while malware represented 25% of threats, down slightly from 2024.

Gootloader Abuses 1,000-Part ZIPs to Evade Detection

🛡️ Gootloader operators now deliver malformed ZIP archives that concatenate up to 1,000 parts to evade analysis and detection. The archived JScript unpacks successfully with Windows' built-in extractor while tools relying on 7-Zip and WinRAR often crash. Samples employ truncated EOCD entries, randomized disk fields, metadata mismatches and XOR-encoded blobs appended client-side. Researchers devised a YARA rule and advise changing the default .js opener to Notepad and blocking wscript.exe/cscript.exe where possible.

Predicting 2026: Cyber Threats, AI Risks, and APTs

🔮 Cisco Talos outlines expectations for cybersecurity in 2026, warning of continued geopolitical-driven campaigns such as infostealers, phishing, and proxy-enabled destructive operations. The briefing highlights the growing risk posed by inadequately governed generative AI agents that could cause breaches or mimic insider threats through flawed design or prompt manipulation. Talos also emphasizes that familiar weaknesses — unpatched systems, leaked credentials, and absent MFA — will remain primary enablers of intrusion. The advisory specifically flags UAT-8837, a medium-confidence China-nexus APT targeting critical infrastructure since 2025, and urges patching, credential hygiene, and proactive hunting.

Hackers Shift from Encryption to Pure Data Extortion

🚨 New research from Symantec and Carbon Black shows cybercriminals increasingly favour data theft and extortion over file encryption. While counts of traditional ransomware incidents remained broadly stable in 2025, attacks that rely solely on stolen data rose sharply. Threat actors exploit unpatched zero‑days, software supply‑chain weaknesses and credential theft, prompting firms to prioritise patching, robust credential hygiene and MFA.

Cyber Threat Actors Intensify Attacks on Industrial ICS

🔒 Cyble's Annual Threat Landscape Report 2025 (published Jan 15, 2026) found a sharp rise in attacks against industrial environments, with ICS vulnerability disclosures nearly doubling to 2,451 across 152 vendors in 2025. The report highlights an August spike (802 disclosures) and Q3 accounting for 45.26% of disclosures. HMI and SCADA systems were increasingly exploited, with Siemens and Schneider among the most affected vendors. Cyble warns threat actors — including ransomware groups and coordinated hacktivists — will focus on exposed HMI/SCADA and VNC takeovers in 2026.

ThreatsDay Weekly: Redis RCE, RMM Abuse, AI Voice Brief

🛡️ This week’s ThreatsDay covers a broad set of active risks: a critical Redis XACKDEL stack‑overflow RCE (CVE‑2025‑62507, CVSS 8.8) with ~2,924 servers affected, signed malware campaigns by BaoLoader, and surging abuse of legitimate RMM tools delivered by phishing. Researchers also disclosed RCE in AI/ML libraries via Hydra.instantiate() misuse and a new voice‑cloning evasion technique, VocalBridge. Multiple OT, Wi‑Fi, and smart‑contract incidents — and law‑enforcement activity — round out this week’s notable developments. Prioritize patches, certificate vetting, and account hygiene.

Microsoft Tops Brands Imitated in Q4 2025 Phishing

🔒 In Q4 2025, Check Point Research found Microsoft to be the most impersonated brand in phishing campaigns, responsible for 22% of branded phishing attempts. Google followed with 13%, while Amazon rose to 9%, driven by Black Friday and holiday sales, displacing Apple. After a lengthy absence, Facebook (Meta) reappeared in the top ten at fifth, underscoring renewed interest in social media account takeover. The pattern reflects a multi-quarter trend of attackers abusing trusted enterprise and consumer brands to harvest credentials and gain initial access.

Critical HPE OneView RCE Under Active Exploitation Campaign

🚨 Check Point Research reports large-scale active exploitation of CVE-2025-37164, a critical remote code execution flaw in HPE OneView. The campaign, attributed to the RondoDox botnet, generated tens of thousands of automated attack attempts that were blocked by Check Point defenses. The issue was reported to CISA and added to the Known Exploited Vulnerabilities catalog on January 7, 2026; organizations should patch immediately.

UAT-8837 APT Targets North American Critical Systems

🔍 Cisco Talos is tracking UAT-8837, an assessed China-nexus APT that since 2025 has focused on obtaining initial access to high-value and critical infrastructure organizations in North America. The actor uses both n-day and zero-day exploits (including CVE-2025-53690 in SiteCore) and often deploys open-source tooling—Earthworm, SharpHound, DWAgent, Certipy, and GoTokenTheft—to harvest credentials, enumerate Active Directory, and create remote tunnels. Operators perform hands-on-keyboard reconnaissance, create backdoored accounts and remote admin access, and cycle tools when endpoint protections block their payloads. Talos provides IOCs, Snort rules, and ClamAV signatures to detect and mitigate this activity.

Microsoft Disrupts RedVDS, Takedown of Fraud RDP Service

🛡️ Microsoft said it executed coordinated legal action in the U.S. and U.K. to seize infrastructure and take RedVDS (redvds[.]com) offline after linking the service to large‑scale fraud. For as little as US $24 per month, the subscription offered disposable Windows RDP hosts and a Telegram management bot with no activity logs. Microsoft attributed roughly US $40 million in U.S. fraud since March 2025 and says RedVDS‑enabled attacks compromised over 191,000 organizations worldwide since September 2025.