VerSprite Weekly Threat Intelligence #49

Date Range: 12 January 2026 – 16 January 2026

Issue: 49th Edition

Reported Period Victimology

Security Triumphs of the Week

This week saw significant international law enforcement collaboration disrupting cybercrime: Spanish and German authorities arrested 34 Black Axe gang members linked to global fraud, while Dutch police apprehended the operator of AVCheck, a malware-testing service. Microsoft’s legal action dismantled RedVDS, a cybercrime-as-a-service platform enabling $40M in fraud, and U.S. prosecutors secured a guilty plea from pcTattletale’s founder, marking progress against stalkerware. France fined telecom firms €42M for GDPR breaches exposing 24M customers, and California penalized Datamasters for illegally selling sensitive health data. A Dutch court upheld a hacker’s sentence for aiding drug smuggling via port system breaches, underscoring the nexus of cybercrime and physical threats.


Notorious Black Axe cybercrime gang disrupted in Europol raids
Spanish police, supported by Europol and German authorities, arrested 34 suspected members of the Black Axe cybercrime gang in raids across multiple cities. The group, linked to the Neo-Black Movement of Africa, operates globally with ~30,000 members, engaging in cyber-fraud, trafficking, armed robbery, and recruiting money mules from impoverished areas. Authorities seized $140,000 in bank accounts and $77,000 in cash. Black Axe’s hierarchical structure spans 60 zones in Nigeria and 35 abroad, enforcing violent rituals and strict codes. While their cyber campaigns remain unspecified, the gang’s small-scale operations collectively generate billions in illicit profits.
Read full article: Techradar

Microsoft taps UK courts to dismantle cybercrime host RedVDS
Microsoft launched a cross-border legal effort in the UK and the US to dismantle RedVDS, a cybercrime-as-a-service platform providing disposable virtual servers for phishing, fraud, and account hijacking. The operation, involving Europol and German authorities, seized domains and infrastructure linked to RedVDS, which facilitated $40 million in U.S. fraud losses. Microsoft filed civil lawsuits alleging the service used pirated Windows Server software and enabled attacks on over 191,000 organizations globally. High-profile victims, including H2-Pharma and a Florida condo association, joined as co-plaintiffs. RedVDS operated through global hosting providers, offering cheap infrastructure to criminal networks. Microsoft linked the platform to threat actor Storm-2470, emphasizing its role in enabling scalable cybercrime. This follows similar actions against phishing services like RaccoonO365.
Read full article: Theregister

Dutch cops cuff alleged AVCheck malware kingpin in Amsterdam
Dutch authorities arrested a 33-year-old man in Amsterdam suspected of operating AVCheck, a major counter-antivirus (CAV) service used by cybercriminals to test malware against security tools. The platform, shut down in May 2025 during Operation Endgame, allowed criminals to evade detection and refine attacks. The suspect fled to the UAE after the takedown but was apprehended at Schiphol Airport, with data storage devices seized. International collaboration between the Netherlands, U.S., and Finland enabled the investigation. AVCheck was a critical component of the cybercrime ecosystem, enabling threat actors to assess which antivirus systems their malware could bypass.
Read full article: Theregister

pcTattletale founder pleads guilty as US cracks down on stalkerware
Bryan Fleming, founder of stalkerware app pcTattletale, pleaded guilty to federal charges related to hacking, spyware sales, and conspiracy. This marks only the second U.S. federal stalkerware prosecution in a decade, signaling potential legal action against similar tools. pcTattletale repeatedly exposed victim data through unsecured databases and API vulnerabilities, allowing unauthorized access to screenshots and backend infrastructure. Despite security flaws, Fleming openly marketed the app for spying on partners, unlike competitors hiding behind “monitoring tool” claims. Amazon eventually locked pcTattletale’s AWS infrastructure, halting operations. The case highlights efforts to combat stalkerware, with tools like Malwarebytes detecting and removing such threats.
Read full article: Malwarebytes

France fines telcos €42M for sub-par security prior to 24M customer breach
The French data regulator CNIL fined telecom companies Free and Free Mobile €42 million for GDPR violations tied to an October 2024 breach exposing 24 million customers’ data, including financial details. Attackers infiltrated via a weakly secured corporate VPN, accessed a shared subscriber management tool (MOBO), and exfiltrated records over weeks. CNIL cited insufficient security measures (e.g., weak VPN authentication, ineffective anomaly detection), failure to properly notify affected users, and non-compliance with data retention laws. Fines were based on the severity of the breach, sensitivity of stolen data (e.g., IBANs), and the companies’ revenue. The breach highlighted systemic security gaps and poor data management practices.
Read full article: Theregister

Court tosses appeal by hacker who opened port to coke smugglers with malware
A Dutch appeals court upheld a seven-year prison sentence for a hacker who infiltrated port IT systems using malware-laden USB sticks to facilitate cocaine smuggling. The defendant, arrested in 2021, argued encrypted SkyECC chat evidence was inadmissible, but judges dismissed this, citing his central role in breaching systems and aiding organized crime. The breach began when a port employee inserted a compromised USB, enabling prolonged remote access to manipulate container movements, including a 210 kg cocaine shipment. The court rejected claims that police improperly obtained encrypted chats, which detailed his hacking efforts and evasion tactics. While acquitted of a separate 5,000 kg drug charge due to insufficient evidence, his convictions for hacking, drug trafficking, and attempted extortion were confirmed. The sentence was adjusted for procedural delays, with additional penalties for cleanup costs and legal fees.
Read full article: Theregister

Data broker fined after selling Alzheimer’s patient info and millions of sensitive profiles
California regulators fined Texas-based Datamasters $45,000 for illegally selling sensitive personal data, including health information on Alzheimer’s patients, visually impaired individuals, and addiction sufferers, alongside ethnic and financial data. The company, which failed to register as a data broker under California’s Delete Act, maintained millions of records on vulnerable groups and used predictive models to sell political, financial, and consumer behavior insights. Investigators discovered Datamasters held over 200,000 California student records despite initial denials. The case highlights risks of financial exploitation and scams targeting sensitive data, exacerbated by gaps in federal health privacy laws. California’s Delete Act now mandates data broker registration and offers residents an opt-out system to request data deletion.
Read full article: Malwarebytes


Security Setbacks of the Week

This week saw significant security breaches across multiple sectors, with criminal actors exploiting vulnerabilities to aggregate and weaponize sensitive data. French citizens faced heightened identity theft risks from a consolidated 45M-record breach, while healthcare disruptions in Belgium and Maine underscored cyberattacks’ life-threatening consequences. High-profile incidents at Endesa, Target, and BreachForums highlighted criminal data monetization trends, including dark web sales of energy customer data and internal corporate code. China-linked APTs weaponized VMware ESXi zero-days before their public disclosure, and a critical WordPress plugin flaw enabled admin takeovers. Human error and third-party compromises further amplified risks, as seen in Pax8’s accidental data exposure and Betterment’s phishing breach, emphasizing systemic vulnerabilities in global cybersecurity postures.


Cyber-stricken Belgian hospitals refuse ambulances, transfer critical patients
A cyberattack forced two Belgian hospitals, the AZ Monica sites in Antwerp and Deurne, to shut down servers, leading to significant operational disruptions. Critical patients were transferred with Red Cross assistance, 70 surgeries were canceled, and emergency departments operated at reduced capacity. Mobile Urgency Groups (MUGs) and Paramedic Intervention Teams (PITs) were temporarily unavailable, halting ambulance services to the hospitals. Patients faced longer registration times, and urgent cases were redirected to alternative services. The hospital network anticipates continued disruptions but has not provided further official updates. The incident underscores the severe impact of cyberattacks on healthcare delivery and patient safety.
Read full article: Theregister

Hackers claim to have Target source code for sale following recent cyberattack
Hackers claim to be selling 860GB of Target’s internal source code and documentation, including wallet services, identity management tools, gift card systems, and developer metadata. The threat actor shared samples on a self-hosted Git platform, referencing internal systems and Target engineers. Target responded by locking down servers and removing the repositories, though breach authenticity remains unverified. The data allegedly included 57,000 files and internal URLs, with some content potentially exposed via public search engines. Target has not officially commented, but its swift takedown actions suggest the breach is significant. Investigations are ongoing to confirm the legitimacy of the hackers’ claims.
Read full article: Techradar

Massive breach leaks 45 million French records: demographic, healthcare, and financial data all leaked, here’s what we know
A massive data breach exposed 45 million French citizens’ records, combining demographic, healthcare, financial, CRM, and vehicle registration data from at least five prior breaches. Cybernews researchers discovered the unsecured database on a French cloud server, likely compiled by a criminal data broker to enhance resale value. The leaked data included voter registries, healthcare IDs, bank details (IBANs/BICs), and insurance info, posing severe risks of phishing, fraud, and identity theft. The database was taken down after Cybernews alerted the server owner. This aggregation of cross-sector data highlights heightened privacy threats, enabling attackers to link identities across multiple platforms. The incident underscores the growing trend of criminal actors merging breached datasets for exploitation.
Read full article: Techradar

Spanish energy giant Endesa says it was hit by data breach, customers affected and 20 million files allegedly put up for sale
Endesa Energia, a major Spanish energy provider, confirmed a cyberattack resulting in unauthorized access to customer data, including contact information, ID details, contract data, and IBAN numbers. Hackers allegedly stole 20 million records (1TB of SQL files) and are offering them for sale on the dark web. The company has secured its systems, notified affected customers, and alerted authorities. While no evidence of data misuse exists yet, Endesa warned of potential phishing and impersonation attempts. Investigations are ongoing, with law enforcement involved. The breach highlights risks to customer privacy and financial security.
Read full article: Techradar

Major US healthcare breach exposes data on 145,000 patients – Central Maine Healthcare reveals all
Central Maine Healthcare (CMH) suffered a major data breach in March 2025, exposing sensitive information of 145,381 patients and employees. Stolen data included names, Social Security numbers, health insurance details, treatment records, and dates of service. The breach was detected in June 2025, with investigations concluding by November 2025. No threat actors claimed responsibility, and the compromised data has not yet appeared on the dark web. CMH offered affected individuals free credit monitoring, identity theft protection, and a dedicated support line. The nonprofit healthcare provider serves approximately 400,000 residents across Maine. Authorities advise victims to monitor medical statements for unauthorized activity.
Read full article: Techradar

Hacking hub BreachForums hit by data breach – 324,000 accounts exposed
BreachForums, a notorious hacking community, experienced a data breach exposing 323,988 user records, including usernames, registration dates, and IP addresses. Approximately 70,000 public IPs could potentially identify real users, though most were loopback addresses. The leak originated from an August 2025 backup exposed during forum restoration, according to the admin. A site named after the ShinyHunters group hosted the leaked data, but the group denied involvement. The breach’s exact source and motive remain unclear. Law enforcement previously suspected BreachForums of being a honeypot post-raid, complicating the incident’s context.
Read full article: Techradar

Pax8 accidentally exposes partner data – 1,800 MSPs have customer info and licensing details exposed
Pax8, a cloud commerce platform for MSPs, accidentally exposed sensitive data of approximately 1,800 MSP customers when an employee mistakenly emailed a spreadsheet to around 40 UK-based partners. The file contained 56,000 entries, including customer names, Microsoft SKUs, license counts, renewal dates, and internal pricing details. While no personally identifiable information was leaked, the exposure revealed business-critical data. Pax8 requested recipients delete the file and confirmed no impact on marketplace security. Cybercriminals reportedly attempted to purchase the leaked data, though it hasn’t surfaced on dark web forums. The incident underscores risks of human error in data handling.
Read full article: Techradar

Eurail passengers taken for a ride as data breach spills passports, bank details
Eurail confirmed a data breach exposing customer information, including names, birthdates, addresses, passport details, and contact information. DiscoverEU program participants faced additional risks, with potential compromise of ID photocopies, bank references, and health data. The breach, initially disclosed on January 10, prompted notifications to affected customers starting January 13. Eurail stated no evidence of data misuse yet but warned of phishing, identity theft, and unauthorized access risks. The company secured systems, reset credentials, and reported the incident to Dutch GDPR authorities. Affected users were advised to change passwords and monitor for scams. The European Commission acknowledged Eurail’s remediation efforts and ongoing external cybersecurity monitoring.
Read full article: Theregister

Betterment confirms data breach, tells customers to beware crypto scam notifications
Betterment experienced a data breach after an employee’s third-party platform credentials were stolen via impersonation, enabling attackers to send crypto-themed phishing emails to a subset of customers. While no accounts were compromised, attackers accessed personal data, including names, emails, addresses, phone numbers, and birth dates. The breach highlights risks of stolen data being exploited for future phishing campaigns. Betterment revoked unauthorized access, launched an investigation, and urged customers to remain vigilant against unsolicited requests for sensitive information. The company emphasized its multi-layered security but warned of potential follow-up scams. No group has claimed responsibility, and no misuse of data has been confirmed yet.
Read full article: Techradar

Grubhub confirms hackers stole data in recent security breach
Grubhub confirmed a data breach where hackers accessed its systems, leading to extortion demands. The company stated that sensitive financial and order history data was unaffected but did not disclose breach details or confirm if customer data was compromised. Sources link the attack to the ShinyHunters group, which allegedly stole Salesforce and Zendesk data, demanding Bitcoin to prevent its release. The breach reportedly exploited credentials stolen during the 2025 Salesloft Drift attacks, part of a broader campaign targeting cloud services. Grubhub is working with cybersecurity experts and law enforcement. This follows a prior incident involving scam emails from its subdomain, though a connection remains unconfirmed. Organizations are urged to rotate compromised credentials to mitigate further risks.
Read full article: Bleepingcomputer

Woman bailed as cops probe doctor’s surgery data breach
A woman was arrested and bailed in connection with a data breach investigation at a Walsall GP surgery, where she allegedly stole data as a non-directly employed staff member. The breach details and stolen data types remain undisclosed, though affected patients will be notified. Separately, West Midlands Police faced scrutiny after Chief Constable Craig Guildford admitted using Microsoft Copilot to generate an AI-hallucinated report justifying a controversial ban on Maccabi Tel Aviv fans attending a match. The report referenced a fictitious match and risks, prompting accountability discussions ahead of a January 27 meeting with the Police Commissioner. The force apologized, denying intent to distort facts or discriminate.
Read full article: Theregister

Putinswap: France trades alleged ransomware crook for conflict researcher
France and Russia conducted a prisoner swap involving Laurent Vinatier, a French conflict researcher imprisoned in Russia for failing to register as a foreign agent and facing espionage allegations, and Daniil Kasatkin, a Russian basketball player detained in France at the U.S.’s request for alleged ransomware crimes. Vinatier, who focused on Ukraine war mediation, was pardoned by Putin after France negotiated his release. Kasatkin, accused of aiding a cybercrime group in ransomware negotiations, denied involvement, claiming ignorance of the computer linked to the crimes. The exchange reflects Russia’s “prisoner diplomacy” strategy, trading detained Western figures for its citizens. This follows a larger 2024 exchange, the biggest since the Cold War, that involved cybercriminals and a state assassin.
Read full article: Theregister

China-linked cybercrims abused VMware ESXi zero-days a year before disclosure
China-linked threat actors exploited VMware ESXi zero-day vulnerabilities more than a year before their public disclosure in March 2025, according to Huntress researchers. The attackers used a sophisticated toolkit observed in a December 2025 intrusion, leveraging a compromised SonicWall VPN to gain Domain Admin access, pivot through the network, and execute a VM escape to compromise the hypervisor. The toolkit, developed as early as February 2024, exploited three critical flaws (CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226) to bypass virtualization safeguards. Code analysis revealed Chinese-language strings and timestamps that predate disclosure, indicating pre-disclosure exploitation. Attackers employed stealth tactics, disabling VMware drivers and deploying unsigned modules to evade detection. This aligns with historical patterns of China-linked groups weaponizing zero-days covertly in enterprise environments.
Read full article: Theregister

Hackers exploit Modular DS WordPress plugin flaw for admin access
A critical vulnerability (CVE-2026-23550) in the Modular DS WordPress plugin (versions ≤2.5.1) is being actively exploited, allowing attackers to bypass authentication and gain admin privileges. The flaw stems from insecure handling of requests in “direct request” mode, enabling automatic admin logins without proper validation. With over 40,000 installations, the plugin’s remote management features make it a high-value target. Patchstack identified attacks starting January 13, prompting a vendor patch (version 2.5.2) that revises route validation and removes unsafe fallback mechanisms. Users must update immediately, audit logs for suspicious activity, and regenerate WordPress security keys.
Read full article: Bleepingcomputer


Emerging Threats of the Week

Emerging threats highlight adversaries exploiting AI, cloud, and trusted platforms through novel tactics. Attackers target misconfigured AI proxies and hijack authenticated sessions via malicious prompts, while North Korean and Chinese state-linked actors conduct quishing and geopolitical-themed phishing to bypass MFA and deploy backdoors. Cloud infrastructure faces risks from advanced Linux malware like VoidLink and trojanized remote access tools, while ransomware groups leverage blockchain for evasion. Payment skimming and multi-part ZIP-based malware campaigns further underscore evolving evasion techniques, demanding enhanced detection, patching, and user vigilance against social engineering.


Hackers are going after top LLM services by cracking misconfigured proxies
Hackers are exploiting misconfigured proxies to target major Large Language Model (LLM) services like OpenAI and Google Gemini, according to GreyNoise researchers. Between October 2025 and January 2026, over 91,000 attack sessions were recorded against exposed AI systems. Two primary campaigns were identified: one involved tricking AI servers into connecting to attacker-controlled infrastructure via manipulated features like webhooks, while the other focused on mass probing to map AI models and configurations by sending simple queries. Attackers systematically tested APIs to identify accidental exposure of paid or internal AI access. Infrastructure linked to the probing campaign had a history of real-world exploitation, and activity spiked during Christmas, confirming malicious intent. These efforts highlight growing risks of misconfigured AI proxies enabling unauthorized access.
Read full article: Techradar

North Korean hackers using malicious QR codes in spear phishing, FBI warns
The FBI warns that North Korean hacking group Kimsuky is conducting sophisticated QR code phishing (“quishing”) attacks targeting US government entities, think tanks, and academia. Attackers send emails with embedded QR codes that redirect victims to credential-harvesting pages mimicking Microsoft 365, Okta, or VPN portals. By exploiting unmanaged mobile devices outside enterprise security controls, attackers steal session tokens to bypass multifactor authentication (MFA) and hijack cloud accounts. These attacks enable persistent access and secondary phishing from compromised accounts. The FBI recommends multi-layered defenses, including employee training, QR code reporting protocols, and mobile device management (MDM) to mitigate risks.
Read full article: Techradar

“Reprompt” attack lets attackers steal data from Microsoft Copilot
Researchers discovered a “Reprompt” attack exploiting Microsoft Copilot’s handling of URL parameters to hijack authenticated sessions via malicious prompts hidden in links. By embedding instructions in the “q” parameter, attackers bypassed safeguards, auto-executing commands to steal data without user interaction, plugins, or connectors. Microsoft patched the vulnerability in January 2026 updates, though no in-the-wild exploitation was reported. Mitigations include updating systems, using Microsoft 365 Copilot with Purview DLP for sensitive data, and avoiding unsolicited links. The attack highlights risks of AI assistants automatically processing untrusted inputs like URLs, emphasizing ongoing privacy concerns despite safeguards.
Read full article: Malwarebytes
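The difference between a link handler that auto-executes a URL-supplied prompt and one that only stages it, as an added Python example: this is not Microsoft’s code and does not model Copilot’s real implementation. The “q” parameter name comes from the article; the URL, the handler structure and the prefill length cap are assumptions.

```python
from urllib.parse import parse_qs, urlparse

MAX_PREFILL_CHARS = 2000  # assumed cap; a real UI would pick its own


def handle_link_unsafe(url: str) -> dict:
    """Vulnerable pattern: whatever arrives in the 'q' parameter is sent to the
    assistant as soon as the page loads, so a crafted link runs attacker-chosen
    instructions inside the victim's authenticated session."""
    q = parse_qs(urlparse(url).query).get("q", [""])[0]
    if not q:
        return {"action": "idle"}
    return {"action": "execute", "prompt": q, "origin": "url"}


def handle_link_safe(url: str) -> dict:
    """Hardened pattern: URL text only pre-fills the input box, is capped in
    length and is tagged with its origin so logging/DLP can tell link-supplied
    text from what the user typed; nothing reaches the model until the user
    explicitly submits it."""
    q = parse_qs(urlparse(url).query).get("q", [""])[0]
    if not q:
        return {"action": "idle"}
    return {
        "action": "prefill",
        "prompt": q[:MAX_PREFILL_CHARS],
        "origin": "url",
        "requires_user_submit": True,
    }


def submit(staged: dict, user_clicked_send: bool) -> dict:
    """The only path from a staged prompt to execution is an explicit user action."""
    if staged.get("action") == "prefill" and user_clicked_send:
        return {"action": "execute", "prompt": staged["prompt"], "origin": staged["origin"]}
    return {"action": "idle"}
```

The point of the `origin` tag is that a prompt arriving through a link is untrusted input in the same sense as a query string handed to a web backend: it may be shown, but it must not be acted on without a user decision.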

Chinese spies used Maduro’s capture as a lure to phish US govt agencies
Read full article: Theregister

Hackers hijack LinkedIn comments to spread malware – here’s what to look out for
Hackers are exploiting LinkedIn comments to spread phishing links, falsely claiming user accounts are locked for policy violations. These comments, appearing official, direct users to fake login pages that steal credentials. LinkedIn confirmed awareness, emphasizing it never communicates bans via public comments. Red flags include third-party URLs, suspicious profiles with stolen branding, and lack of official communication channels. Users are urged to report such activity and avoid clicking unverified links. The platform is actively addressing the campaign but advises vigilance to prevent credential theft.
Read full article: Techradar

Online shoppers at risk as Magecart skimming hits major payment networks
A Magecart campaign targeting major payment networks like American Express, Mastercard, and Discover has been active since early 2022, using web skimming to steal card data from online checkout pages. Attackers inject obfuscated JavaScript into e-commerce platforms via supply chain vulnerabilities or third-party scripts, capturing card details and personal information. The skimming scripts self-destruct to evade detection and leverage bulletproof hosting to avoid takedowns. Customers, merchants, and payment providers are all at risk, as skimmers bypass traditional server-side security. Recommendations include using virtual cards, enabling transaction alerts, and deploying browser protection tools to block malicious scripts. Vigilance in updating systems and monitoring CMS platforms is critical for merchants.
Read full article: Malwarebytes

New Linux malware targets the cloud, steals creds, and then vanishes
A new Linux malware named VoidLink targets cloud infrastructure, using over 30 plugins for credential theft, lateral movement, and container exploitation. Written in Zig and linked to Chinese-affiliated developers, it self-destructs upon detection and employs anti-forensics to erase traces. VoidLink scans for AWS, Azure, Alibaba, and other cloud platforms, leveraging kernel-level rootkits and stealth modules to evade detection. Designed for long-term surveillance, it includes reconnaissance, privilege escalation, and persistence tools, reflecting advanced capabilities beyond typical Linux malware. While no real-world infections are confirmed, its structure suggests potential commercial use by professional threat actors. Check Point Research highlights its risk to cloud-hosted critical systems.
Read full article: Theregister

‘Imagination the limit’: DeadLock ransomware gang using smart contracts to hide their work
The DeadLock ransomware gang employs blockchain-based smart contracts to obscure its command-and-control infrastructure, using Polygon to store rotating proxy server URLs and evade detection. Unlike typical double extortion groups, DeadLock lacks a data leak site, instead threatening to sell stolen data on underground markets. Researchers highlight its use of HTML files to direct victims to the decentralized messenger Session for communication. This method, alongside the smart-contract technique, mirrors tactics like North Korean “EtherHiding,” enabling infrastructure flexibility. Group-IB notes DeadLock’s evasion techniques but lacks clarity on initial network access, though bring-your-own-vulnerable-driver (BYOVD) abuse and EDR weaknesses are suspected. The group’s innovative approach complicates defensive efforts.
Read full article: Theregister

How real software downloads can hide remote backdoors
A malicious campaign impersonating the RustDesk remote access software uses a fake website (rustdesk[.]work) to distribute trojanized installers. The attackers bundle legitimate RustDesk with the Winos4.0 malware framework, which installs a hidden backdoor while maintaining normal software functionality. The malware employs evasion tactics like in-memory execution, process renaming, and blending network traffic with legitimate RustDesk connections to avoid detection. Once active, Winos4.0 enables persistent remote access, credential theft, and further malware deployment. The attack relies on deception rather than exploits, exploiting user trust in search results and authentic-looking websites. Defenses include verifying download sources, monitoring network traffic, and using behavioral detection tools.
Read full article: Malwarebytes

Gootloader now uses 1,000-part ZIP archives for stealthy delivery
Gootloader malware has evolved to use multi-part ZIP archives (up to 1,000 concatenated files) to evade detection, causing analysis tools like 7-Zip and WinRAR to crash. The malformed archives exploit parsing weaknesses, including truncated metadata, randomized disk numbers, and header mismatches. Recent samples also employ XOR-encoded blobs and unique file generation to bypass network detection. Once executed, the JScript payload establishes persistence via startup shortcuts and PowerShell. Researchers recommend blocking wscript.exe/cscript.exe execution for downloaded content and changing default JScript handlers to Notepad. Detection methods include YARA rules targeting structural anomalies in ZIP headers.
Read full article: Bleepingcomputer
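A structural check for the concatenated-archive trick described above, as an added example that is neither Gootloader tooling nor the researchers’ YARA rules: it builds a clean ZIP and a two-part concatenation in memory, then parses every end-of-central-directory (EOCD) record and flags the anomalies the article lists (multiple EOCDs, non-zero disk numbers, header/entry mismatches). Archives and payloads are constructed inline; the field layout follows the ZIP specification.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
LOCAL_SIG = b"PK\x03\x04"  # local file header
# sig, disk_no, cd_disk, entries_this_disk, entries_total, cd_size, cd_offset, comment_len
EOCD = struct.Struct("<4sHHHHIIH")


def make_zip(name: str, payload: bytes) -> bytes:
    """Build a small, well-formed single-entry ZIP in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def set_disk_numbers(blob: bytes, disk: int) -> bytes:
    """Rewrite the two disk-number fields of the last EOCD to mimic the
    randomized multi-disk headers the article describes."""
    pos = blob.rfind(EOCD_SIG)
    return blob[:pos + 4] + struct.pack("<HH", disk, disk) + blob[pos + 8:]


def find_eocds(blob: bytes) -> list:
    """Parse every EOCD record in the blob; a sane archive has exactly one."""
    records, pos = [], blob.find(EOCD_SIG)
    while pos != -1:
        if pos + EOCD.size <= len(blob):
            _, disk, cd_disk, n_here, n_total, cd_size, cd_off, _ = EOCD.unpack_from(blob, pos)
            records.append(dict(offset=pos, disk=disk, cd_disk=cd_disk, entries_here=n_here,
                                entries_total=n_total, cd_size=cd_size, cd_offset=cd_off))
        pos = blob.find(EOCD_SIG, pos + 1)
    return records


def zip_anomalies(blob: bytes) -> list:
    """Return human-readable findings for the structural tricks listed above."""
    findings = []
    eocds = find_eocds(blob)
    if len(eocds) != 1:
        findings.append(f"{len(eocds)} EOCD records (expected 1): concatenated or truncated archive")
    for r in eocds:
        if r["disk"] != 0 or r["cd_disk"] != 0:
            findings.append(f"EOCD at {r['offset']} claims disk {r['disk']}/{r['cd_disk']}: multi-part archive header")
        if r["entries_here"] != r["entries_total"]:
            findings.append("entry count on this disk differs from total")
        if r["cd_offset"] + r["cd_size"] > r["offset"]:
            findings.append("central directory overruns its EOCD: header mismatch")
    n_local = blob.count(LOCAL_SIG)
    if eocds and n_local != eocds[-1]["entries_total"]:
        findings.append(f"{n_local} local file headers vs {eocds[-1]['entries_total']} central directory entries")
    return findings
```

Counting local-header signatures is a heuristic (the four bytes can occur inside stored data), so treat that finding as supporting evidence; the multiple-EOCD and non-zero-disk checks are the ones worth turning into a YARA rule, and they run on the raw bytes without handing the file to an archiver that may crash on it.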


The New Emerging Threats

Critical vulnerabilities across cloud, AI, and IoT ecosystems exposed systemic risks, with AWS CodeBuild flaws enabling supply chain attacks, AI/ML libraries (Nvidia/Salesforce) permitting RCE via poisoned models, and Google’s Fast Pair allowing Bluetooth device hijacking. State-linked actors exploited Cisco email gateways via zero-days, while WordPress plugin flaws led to mass website takeovers. High-severity PAN-OS vulnerabilities highlighted persistent network security gaps. Despite rapid vendor patches, unpatched systems remain vulnerable to espionage, credential theft, and infrastructure disruption, underscoring the urgency of proactive updates amid evolving cross-platform attack vectors.


A simple CodeBuild flaw put every AWS environment at risk – and pwned ‘the central nervous system of the cloud’
A critical vulnerability in AWS CodeBuild exposed the cloud provider’s GitHub repositories and global environments to potential takeover, risking a supply chain attack surpassing SolarWinds in scale. Discovered by Wiz researchers, the flaw stemmed from unanchored regex filters in webhook configurations, allowing attackers to bypass approval checks by spoofing trusted GitHub user IDs. Exploiting this could grant admin access to critical repositories, including AWS’s JavaScript SDK, which underpins the AWS Console and 66% of cloud environments. AWS resolved the issue within 48 hours of disclosure, asserting no customer impact occurred. The incident highlights systemic CI/CD security risks across cloud providers, emphasizing vulnerabilities in automated build processes. Wiz warned the flaw could enable espionage or credential theft at unprecedented scale if exploited.
Read full article: Theregister
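The unanchored-regex failure described above, as an added example that is not code from Wiz, AWS or this newsletter: a Python model of a webhook filter that admits builds only from a trusted GitHub actor ID. The trusted ID and the spoofing ID are constructed, and the filter functions are a stand-in for CodeBuild’s own configuration, not a reproduction of it.

```python
import re

# Constructed example IDs; a real filter would hold the numeric GitHub user ID of a maintainer.
TRUSTED_ACTOR_ID = "12345"


def actor_allowed_unanchored(actor_id: str) -> bool:
    """Vulnerable: the pattern is matched anywhere in the input, so any actor ID
    that merely *contains* the trusted ID also passes the check."""
    return re.search(TRUSTED_ACTOR_ID, actor_id) is not None


def actor_allowed_anchored(actor_id: str) -> bool:
    """Hardened: the whole actor ID must equal the trusted ID. fullmatch is
    preferred over ^...$ because '$' in Python also matches before a trailing
    newline."""
    return re.fullmatch(re.escape(TRUSTED_ACTOR_ID), actor_id) is not None


def audit_filter_patterns(patterns):
    """Return the patterns that are not anchored at both ends; useful for
    reviewing any regex-based allow list in CI/CD webhook configuration."""
    unanchored = []
    for p in patterns:
        starts = p.startswith("^") or p.startswith(r"\A")
        ends = p.endswith("$") or p.endswith(r"\Z") or p.endswith(r"\z")
        if not (starts and ends):
            unanchored.append(p)
    return unanchored
```

An attacker whose own account ID happens to contain the trusted digits (here `9912345`) satisfies the unanchored filter and is rejected by the anchored one. For identifiers, an exact string comparison is the right tool; a regex is only needed when a pattern is genuinely required, and then it must be anchored at both ends.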

Python libraries used in top AI and ML tools hacked – Nvidia, Salesforce and other libraries all at risk
Palo Alto Networks identified critical vulnerabilities in the AI/ML Python libraries NeMo (Nvidia), Uni2TS (Salesforce), and FlexTok, enabling remote code execution via malicious model metadata. These flaws, discovered in April 2025, stemmed from unsafe handling of metadata in shared third-party code. Nvidia and Salesforce issued patches by mid-2025; the flaws are tracked as CVE-2025-23304 and CVE-2026-22584, with severity ratings up to 9.8/10. The libraries, cumulatively downloaded over 10 million times via HuggingFace, posed risks of automated code execution when loading tampered models. No active exploitation was observed as of December 2025. Patches were deployed via updates to NeMo 2.3.2 and Salesforce’s Moirai tools.
Read full article: Techradar
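The item above attributes the flaws to unsafe handling of model metadata. The following is an added illustration of the defensive pattern, not code from NeMo, Uni2TS, FlexTok or the Palo Alto Networks research: metadata is parsed as inert JSON, checked against an allowlisted schema, and never fed to pickle, an unsafe YAML loader, eval() or a dynamic import chosen by the file. The field names, the known-architecture set and both sample metadata files are constructed for the example.

```python
import json
from typing import Any

# Metadata fields the loader accepts, with their expected JSON types.
# This schema is constructed for the example; real libraries define their own.
ALLOWED_FIELDS: dict[str, type] = {
    "model_name": str,
    "architecture": str,
    "hidden_size": int,
    "num_layers": int,
}

# Model classes the loader knows how to build. Metadata may only *select* one
# of these by name; it can never name an arbitrary module or callable.
KNOWN_ARCHITECTURES = {"transformer", "lstm"}


class UnsafeMetadataError(ValueError):
    """Raised when model metadata fails validation."""


def load_model_metadata(raw: bytes) -> dict[str, Any]:
    """Parse metadata as plain JSON data and validate it against the schema.

    A loader that deserialises metadata with pickle, an unsafe YAML loader or
    eval(), or that imports whatever class the metadata names, lets a tampered
    file run code the moment the model is loaded. This one only ever treats
    the file as data.
    """
    try:
        data = json.loads(raw)
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise UnsafeMetadataError(f"metadata is not valid JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise UnsafeMetadataError("metadata must be a JSON object")

    unknown = sorted(set(data) - set(ALLOWED_FIELDS))
    if unknown:
        # Unknown keys are rejected outright; silently forwarding them to a
        # constructor is how metadata turns into an execution primitive.
        raise UnsafeMetadataError(f"unexpected metadata fields: {unknown}")

    for key, expected in ALLOWED_FIELDS.items():
        if key not in data:
            raise UnsafeMetadataError(f"missing field: {key}")
        value = data[key]
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, expected):
            raise UnsafeMetadataError(f"field {key!r} must be {expected.__name__}")

    if data["architecture"] not in KNOWN_ARCHITECTURES:
        raise UnsafeMetadataError(f"unknown architecture {data['architecture']!r}")
    for key in ("hidden_size", "num_layers"):
        if data[key] <= 0:
            raise UnsafeMetadataError(f"field {key!r} must be positive")
    return data


def metadata_is_safe(raw: bytes) -> bool:
    """Convenience wrapper for pipelines that only need a verdict."""
    try:
        load_model_metadata(raw)
        return True
    except UnsafeMetadataError:
        return False


# Constructed sample inputs: a benign metadata file and a tampered one that
# adds a key naming an importable callable for the loader to instantiate.
BENIGN = json.dumps({
    "model_name": "demo-model",
    "architecture": "transformer",
    "hidden_size": 768,
    "num_layers": 12,
}).encode()

TAMPERED = json.dumps({
    "model_name": "demo-model",
    "architecture": "transformer",
    "hidden_size": 768,
    "num_layers": 12,
    "loader_class": "subprocess.Popen",  # rejected as an unknown field
}).encode()

if __name__ == "__main__":
    print("benign accepted:", metadata_is_safe(BENIGN))
    print("tampered accepted:", metadata_is_safe(TAMPERED))
```

The point of the allowlist is that the file can only choose among behaviours the loader already implements; adding a new key or value to the metadata never adds a new behaviour.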

Critical WhisperPair flaw lets hackers track, eavesdrop via Bluetooth audio devices
A critical vulnerability (CVE-2025-36911/WhisperPair) in Google’s Fast Pair protocol allows attackers to hijack Bluetooth audio devices, enabling eavesdropping, forced audio playback, and user tracking. The flaw stems from vendors failing to enforce pairing mode checks, letting unauthorized devices pair without user consent. Affected devices include headphones, earbuds, and speakers from major brands like Google, Sony, and Xiaomi, impacting millions globally. Attackers can exploit the flaw within 14 meters using any Bluetooth-capable device, even adding vulnerable accessories to Google’s Find Hub for location tracking. Google issued patches via manufacturers after a 150-day disclosure period, but updates may not be available for all devices. Users must install firmware updates to mitigate risks, as disabling Fast Pair on Android does not prevent attacks.
Read full article: Bleepingcomputer

Cisco finally fixes AsyncOS zero-day exploited since November
Read full article: Bleepingcomputer

Hackers exploit WordPress plugin security flaw exposing 40,000 websites to complete takeover risk – here’s how to stay safe
A critical security flaw (CVE-2026-23550) in the Modular DS WordPress plugin, affecting over 40,000 websites, allows attackers to bypass authentication, gain admin access, and take full control. Rated 10/10 in severity, the vulnerability exploits weak authentication mechanisms and auto-login features. Active exploitation began on January 13, 2026, prompting a patch (version 2.5.2) released by the vendor. Users must immediately update the plugin, regenerate WordPress salts and OAuth credentials, and scan for compromises. Failure to patch risks complete website takeover and data exposure. Modular DS users are urged to prioritize this update to mitigate ongoing threats.
Read full article: Techradar

Palo Alto Networks warns of DoS bug letting hackers disable firewalls
Palo Alto Networks addressed a high-severity denial-of-service (DoS) vulnerability (CVE-2026-0227) in PAN-OS 10.1 and later, allowing unauthenticated attackers to disable firewall protections via repeated exploitation. Affected systems include next-generation firewalls and Prisma Access configurations with GlobalProtect enabled. Most cloud-based Prisma Access instances are already patched, with remaining upgrades scheduled. Shadowserver reports nearly 6,000 exposed firewalls online, though exploitation evidence is absent. Patches are available for all impacted versions, and admins are urged to update promptly. This follows prior PAN-OS vulnerabilities exploited in late 2024, highlighting ongoing targeting of Palo Alto’s infrastructure.
Read full article: Bleepingcomputer


In-Depth Expert CTI Analysis

Recent cyber operations highlight intensified global law enforcement collaboration against cybercrime-as-a-service platforms and transnational gangs, exemplified by takedowns of RedVDS, AVCheck, and Black Axe, disrupting billions in illicit profits. Critical vulnerabilities in cloud infrastructure (AWS CodeBuild), AI libraries, and enterprise software (VMware ESXi, Cisco AsyncOS) were exploited by state-aligned actors, while ransomware groups adopted blockchain obfuscation and Linux-targeting malware (VoidLink) for stealth. High-impact breaches across healthcare, energy, and government sectors exposed systemic data security failures, with criminal actors aggregating cross-sector datasets for phishing and fraud. Regulatory actions against stalkerware, GDPR violators, and illicit data brokers signal growing legal scrutiny, though evolving threats like AI proxy attacks and zero-day weaponization underscore persistent defensive challenges.


Proactive Defense and Strategic Foresight

Recent cyber operations underscore the critical need for proactive defense and strategic foresight. The dismantling of RedVDS and AVCheck services demonstrates the value of disrupting cybercrime supply chains preemptively, while the exploitation of VMware ESXi zero-days and AI proxy vulnerabilities reveals adversaries’ ability to weaponize emerging technologies before defenses adapt. Aggregated breaches like France’s 45 million-record leak highlight systemic risks from unpatched infrastructure and poor data governance, demanding predictive risk modeling. Meanwhile, North Korea’s QR phishing and DeadLock’s blockchain-based C2 evasion exemplify adversarial innovation requiring anticipatory threat intelligence. Organizations must prioritize continuous attack surface reduction, cross-sector collaboration, and investments in AI/ML-driven detection to counter these evolving threats. Legal actions against stalkerware and data brokers further signal the role of regulatory foresight in curbing abuse vectors. Only by integrating technical resilience with strategic horizon-scanning can defenders mitigate cascading impacts on critical sectors like healthcare and energy.


Evolving Ransomware and Malware Tactics

Ransomware and malware tactics continue evolving with increased sophistication, leveraging cybercrime-as-a-service platforms (e.g., RedVDS, AVCheck) to enable scalable, disposable infrastructure and evasion testing. Threat actors exploit zero-day vulnerabilities (VMware ESXi, Modular DS WordPress plugin) pre-disclosure, while state-aligned groups (Mustang Panda, Kimsuky) weaponize geopolitical themes for targeted intrusions. Innovations include blockchain-based C2 (DeadLock), multi-vector attacks (quishing, Magecart skimming), and hybridized threats merging cyber-physical crime (port USB attacks). Aggregated breach datasets amplify identity theft risks, while critical infrastructure (healthcare, energy) remains a high-value target. Defenders must prioritize AI/ML supply chain risks, patch management, and behavioral detection to counter these adaptive, profit-driven campaigns.


State-Sponsored and Organized Cybercrime Convergence

The convergence of state-sponsored and organized cybercrime is accelerating, evidenced by shared infrastructure, overlapping tactics, and blurred attribution. Operations like RedVDS (cybercrime-as-a-service) and AVCheck (malware testing) enable scalable criminal campaigns, while Chinese-linked APTs exploit zero-days (VMware ESXi) and AI/ML supply chains, mirroring tools used by cybercriminals. State-aligned groups like Mustang Panda leverage geopolitical lures, while ransomware gangs (DeadLock) adopt blockchain obfuscation and smart contracts traditionally associated with espionage. The French-Russian prisoner swap involving a ransomware suspect underscores diplomatic entanglements with cybercrime. This symbiosis amplifies threats: criminal networks gain advanced capabilities, while states plausibly deny aggression through proxy operations. Defensive strategies must address both profit-driven and geopolitical motives, prioritizing cross-sector intelligence sharing and hardening critical infrastructure against hybrid threats.


Operational and Tactical Implications

Operational Implications: Global takedowns of cybercrime services (RedVDS, AVCheck, Black Axe) disrupted key enablers but reinforced the resilience and rapid regeneration of cybercrime ecosystems. Large-scale data aggregation breaches across healthcare, energy, and retail show attackers prioritizing downstream monetization over single-victim compromise. State-aligned actors exploited VMware ESXi and email gateway zero-days well before disclosure, exposing gaps in vulnerability intelligence and patch velocity. AI systems and cloud automation emerged as new operational targets, with misconfigured LLM proxies and Copilot abuse expanding attack surfaces. Critical infrastructure incidents demonstrated how cyber operations now directly impact patient safety, service availability, and regulatory exposure.


Tactical Implications: Defenders must treat cloud, CI/CD, hypervisors, and AI integrations as primary attack surfaces, enforcing strict configuration baselines and continuous monitoring. Phishing-resistant MFA, tighter SaaS identity controls, and third-party credential hygiene are essential to counter quishing, session hijacking, and vendor compromise. Accelerated patching and attack surface management are critical as adversaries actively exploit VPNs, plugins, and network appliances. Behavioral detection, memory analysis, and anomaly-driven telemetry are required to identify Linux malware, fileless payloads, and blockchain-obfuscated C2. Data minimization, DLP enforcement, and stronger insider and human-error controls are increasingly necessary to limit breach amplification.


Forward-Looking Recommendations

  • Enhance cross-border law enforcement collaboration to disrupt hierarchical cybercrime networks and dismantle cybercrime-as-a-service platforms.
  • Mandate strict third-party vendor assessments and enforce zero-trust principles to mitigate supply chain vulnerabilities in cloud, healthcare, and critical infrastructure.
  • Prioritize patching for high-risk vulnerabilities (e.g., CI/CD pipelines, AI/ML libraries, and IoT protocols) and adopt behavioral detection to counter fileless malware and stealthy lateral movement.
  • Implement AI-specific security controls, including input validation for generative AI tools and strict access policies for LLM APIs to prevent abuse via QR code phishing or prompt injection.
  • Strengthen data broker regulations globally, expanding opt-out frameworks like California’s Delete Act to limit aggregation of sensitive datasets exploited in fraud campaigns.
  • Deploy decentralized threat intelligence sharing for ransomware groups leveraging blockchain-based C2 and smart contracts to evade takedowns.
  • Enhance mobile device management (MDM) and enforce MFA with phishing-resistant tokens to counter session hijacking via quishing and stolen credentials.
  • Accelerate GDPR-style breach notification requirements and impose stricter penalties for systemic security failures in VPNs, authentication, and anomaly detection systems.
  • Invest in adversarial simulation for cloud environments to identify misconfigurations in AI proxies, exposed Git repositories, and unsecured hypervisors.
  • Promote secure-by-design principles in software development, requiring code audits for high-risk plugins and libraries to preempt supply chain compromises.

Additional Resources & Contact

VerSprite on LinkedIn

VerSprite on Twitter

Email VerSprite