REAL-TIME CYBERSECURITY
INTELLIGENCE

Unknown actors who compromised MicroWorld Technologies eScan antivirus update server Jan 20-21, 2026. Distributed trojanized Reload.exe and CONSCTLX.exe backdoor via legitimate update infrastructure. Malware blocks auto-remediation via hosts file modification. Signed with compromised eScan certificate.

Coalition of 550+ threat groups including APTs from China, DPRK, Iran, and Russia plus criminal syndicates. Used IPIDEA residential proxy network for SaaS attacks, password spraying, and reconnaissance. Network partially disrupted by Google Jan 28-29, 2026. 5M bots still operational.

Prolific data breach threat group responsible for Panera Bread (14M records), Match Group, and CarMax breaches. Publishes stolen data to leak sites and dark web forums. Specializes in large-scale PII exfiltration enabling identity theft, targeted phishing, and credential stuffing attacks.

Automated attack campaign abusing FortiCloud SSO and SAML validation to compromise fully patched FortiGate firewalls. Creates rogue admin accounts in seconds, modifies VPN policies, exfiltrates configurations. 11,000+ exposed devices. Uses accounts like [email protected], [email protected].

Criminal group deploying Android trojans using TensorFlow.js ML models to detect and click ads in hidden WebViews. Phantom mode renders invisible ads; signalling mode enables WebRTC remote screen control. 150K+ downloads via Xiaomi GetApps and modded APKs. C2: playstations[.]click, dllpgd[.]click.

North Korea-linked threat group running phishing campaigns against software developers and blockchain teams. Uses Discord-hosted ZIP archives with PDF lures and LNK files. Deploys AI-generated obfuscated PowerShell backdoors with scheduled task persistence. Targets APAC region for crypto theft and supply chain compromise.

Actors exploiting CVE-2025-36911 Bluetooth Fast Pair vulnerability. Forced pairing within 50m range enables eavesdropping, location tracking via Google Find My Device network. Affects 100M+ devices including Google Pixel Buds, JBL, Jabra, Sony WH-1000XM5. Firmware-level vulnerability affecting both iPhone and Android users.

Brazilian banking malware group using novel WhatsApp Web distribution vector. Weaponized messages deliver obfuscated VBScript downloaders. Multi-stage infection chain with self-sustaining propagation via compromised WhatsApp accounts. Targets Brazilian online banking sessions for financial fraud.

Novel AI assistant exploitation technique targeting Microsoft Copilot. Bypasses DLP protections via session persistence exploitation. Exfiltrates corporate data after chat sessions terminate. Represents paradigm shift in AI security threats. Traditional security controls ineffective.

Advanced persistent threat with Rust-based backdoor variants (CISA MAR-10244545.r1.v2). Operates as background services with encrypted WebSocket C2 capabilities. Sophisticated persistence and defense evasion techniques. Actively targeting critical infrastructure sectors. Two new YARA detection rules released by CISA/NSA/CCCS.

Self-replicating npm worm infected 12,000+ systems Nov 24-26. Created 25,000+ malicious repos at ~1,000/30min rate. Compromised Trust Wallet developer GitHub secrets, published malicious Chrome extension ($8.5M theft from 2,520 wallets). Harvested 775 GitHub PATs, 373 AWS, 300 GCP, 115 Azure credentials. Cross-victim supply chain attack.

Go-based ransomware (Prince fork) targeting Taiwan healthcare. 6 confirmed facilities compromised. Uses BYOVD (Zemana driver exploit) for EDR evasion, AD exploitation, GPO lateral movement, ChaCha20 encryption. Advanced TTPs including partial file encryption (1:2 ratio) for speed.

Attacked Manage My Health (NZ) on Dec 30, 2025, compromising 125,000 patient records. Double-extortion tactics with $60,000 ransom demand. Released sample data on dark web leak site. Targets healthcare and patient portal infrastructure.

3 victims in January 2026 (MUTTI-PARMA.COM, CPJ.ORG, BORING.COM). Veteran ransomware gang with history of mass exploitation campaigns and supply chain attacks. Known for exploiting zero-days and file transfer vulnerabilities.

4 victims in January 2026 (Udall Law Firm, Morton Buildings, Gordon Companies). Known for targeting professional services and construction sectors with aggressive encryption and data theft operations.

Systematic reconnaissance campaign Dec 25-28, 2025 testing 240+ different exploits against internet-facing systems. Logs all confirmed vulnerabilities for sale to ransomware gangs. GreyNoise intelligence confirms single operator building comprehensive vulnerability inventory for 2026 intrusion supply chain.

Phishing-as-a-Service platform exploiting email routing misconfigurations since May 2025. 13M+ malicious emails blocked in Oct 2025 alone. Sophisticated campaigns targeting voicemails, shared docs, HR comms, password resets, and financial scams via internal-looking spoofed emails.

Breached European Space Agency external servers Dec 18-25. Exfiltrated 200GB including Bitbucket repos, CI/CD pipelines, API tokens, hardcoded secrets, and Terraform configs. Week-long persistence with sophisticated data theft.

Chinese APT exploiting Cisco AsyncOS zero-day (CVE-2025-20393) since November 2025. CVSS 10.0 root-level RCE in email security appliances. No patch available. Sophisticated reconnaissance and exploitation capabilities.

Chinese APT groups actively exploiting React2Shell (CVE-2025-55182) with CVSS 10.0 RCE. Targeting React Server Components globally since December 2025. State-sponsored operations with advanced persistence capabilities.

Emerged August 2025, rapidly scaled to ~40 victims. Targeted Oltenia Energy Complex (Romania, 30% national power) on Dec 26. Sophisticated critical infrastructure targeting with encrypted IT systems while preserving OT operations.

Social engineering specialists behind Aflac 22.6M breach (June 2025), Erie Insurance, and Philadelphia Insurance attacks. Masters of vishing, credential relays, and MFA bypass via push notification fatigue. Also known as UNC3944.

European targets including bpost breach. Full data publication when ransoms unpaid. Double extortion tactics employed with continued operations in Q4 2025.

Attacking semiconductor industry. Renesas Electronics confirmed victim. Aggressive ransom demands and data theft claims with supply chain targeting strategy.

State-sponsored backdoor targeting VMware vSphere & Windows. Maintains long-term access (18+ months documented). APT-level sophistication with persistent implants.

10 victims claimed in January 2026 alone (TriVector Services, Gaviota, STESAD, Softlab SpA, Spring Grove Area School District, Retrofit Service, Anteriad, PTS Goldkist Industries, The Cressi, Telstar-Hommel). Most active ransomware group in 2026 with banking sector expertise and double-extortion tactics.

Claimed ESA breach in Sept 2024 via publicly disclosed vulnerability. Exfiltrated 500GB+ data including spacecraft mission details, contractor data (SpaceX, Airbus, Thales), CI/CD pipelines, API tokens. Offered 200GB+ on BreachForums Dec 2025. Vulnerability reportedly remains unpatched enabling persistent access.