New Phishing Campaign Targeting LastPass Customers
LastPass has warned users about an active phishing campaign that began around January 19, 2026, in which attackers impersonate the password management service to steal users' master passwords.
PurpleBravo, a North Korean state-sponsored threat group, poses an acute and often overlooked risk to the global IT software supply chain, specifically targeting software developers in the cryptocurrency, financial services, and IT/software development sectors.
Admins are reporting that Fortinet FortiGate firewalls remain vulnerable to a critical authentication bypass flaw, identified as CVE-2025-59718, even after applying corrective patches.
A recent investigation by Trend Micro has detailed a sophisticated campaign deploying "Evelyn Stealer," a multistage information-stealing malware specifically targeting software developers.
Check Point Research has identified a groundbreaking shift in the threat landscape with the discovery of VoidLink, a sophisticated malware framework authored almost entirely by Artificial Intelligence.
The campaign begins with threat actors targeting high-value individuals via social media private messages, often masquerading as professional inquiries or project plans.
The Contagious Interview campaign, attributed to a North Korean (DPRK) state-sponsored threat actor under the Lazarus APT umbrella, has evolved to employ a sophisticated infection chain targeting software developers.
Security researchers at Miggo recently disclosed a critical "semantic" vulnerability within the Google Gemini ecosystem that allows attackers to bypass privacy controls and exfiltrate sensitive data via malicious calendar invites.
The NCSC released an advisory warning that Russian-aligned hacktivist groups continue to target UK and global organizations with ideologically motivated cyberattacks designed to disrupt operations, take websites offline, and cripple key services.
Chainlit, a widely adopted Python framework for building conversational AI applications, was found to contain two critical backend vulnerabilities that allow for Arbitrary File Read and Server-Side Request Forgery (SSRF).
Sophos X-Ops has detailed their research on "TamperedChef," a recent and still active malvertising campaign likely associated with the broader "EvilAI" activity cluster, which utilizes SEO poisoning and paid advertisements (Google and Bing Ads) to distribute trojanized utilities.
A new Symantec and Carbon Black whitepaper reveals that the cyber-extortion landscape reached unprecedented levels in 2025 as attackers adopted new business models and stealthy tactics.
Wiz Research recently disclosed a critical supply chain vulnerability, dubbed "CodeBreach," which stemmed from a subtle misconfiguration in AWS CodeBuild CI/CD pipelines.
The Acronis Threat Research Unit has identified a targeted cyber-espionage campaign delivering a previously undocumented backdoor dubbed "LOTUSLITE." Attributed with moderate confidence to the Chinese state-aligned threat actor Mustang Panda (also known as TA416 or Bronze President),
VirusTotal shared details of an active malware campaign that occurred between January 11 and January 15, 2026. The operation targets users by distributing malicious ZIP archives that impersonate legitimate software installers, primarily Malwarebytes (e.g., malwarebytes-windows-github-io-X.X.X[.]zip) and Logitech.
Varonis Threat Labs has disclosed a critical AI vulnerability dubbed "Reprompt," which allows threat actors to perform silent, one-click data exfiltration from Microsoft Copilot (Personal). The attack leverages the q URL parameter to inject malicious instructions (Parameter 2 Prompt or P2P injection) into a Copilot session.
A critical security vulnerability, tracked as CVE-2025-64155, has been identified in Fortinet's FortiSIEM (Security Information and Event Management) platform, a cornerstone tool used by many organizations for centralized log management and threat detection.
MonetaStealer is a newly identified macOS information stealer that emerged in January 2026. The stealer was compiled using PyInstaller and is delivered as a deceptive Mach-O binary (Portfolio_Review.exe) masquerading as a Windows .exe file.
A recent analysis of China's hosting ecosystem reveals a massive consolidation of malicious infrastructure, with over 18,000 active C2 servers identified across 48 Chinese service providers in a three-month window ending January 2026.
Cisco Talos has identified a sophisticated China-nexus advanced persistent threat (APT) group, designated as UAT-8837, which has been actively targeting critical infrastructure sectors in North America since at least 2025.
CrazyHunter is a sophisticated, Go-based ransomware threat, definitively identified as a fork of Prince ransomware, that is currently targeting the healthcare sector in Taiwan, with at least six confirmed compromises to date.
The AhnLab Security Emergency response Center (ASEC) has released a comprehensive analysis of LockBit 5.0, the latest iteration of the dominant Ransomware-as-a-Service (RaaS) group which accounted for approximately 21% of known ransomware attacks in 2023.
Trellix researchers have identified a widespread campaign where multiple threat actors are abusing a legitimate, signed executable named ahost[.]exe to deploy various malware payloads.
As part of the January Patch Tuesday, Microsoft addresses a total of 114 flaws, including zero-days. Of the 114 flaws addressed, there were 57 Elevation of Privilege vulnerabilities, 3 Security Feature Bypass vulnerabilities, 22 Remote Code Execution vulnerabilities, 22 Information Disclosure vulnerabilities, 2 Denial of Service vulnerabilities, and 5 Spoofing vulnerabilities.
Cloud marketplace and distributor Pax8 confirmed that an internal email sent on January 13 to fewer than 40 UK-based partners mistakenly included a CSV file containing sensitive business information related to Microsoft licensing and MSP customers.
Threat actors are actively conducting a software supply chain attack targeting the n8n workflow automation ecosystem via malicious npm packages. These packages masquerade as legitimate "community nodes" which n8n automatically recognizes as a new node (specifically for Google Ads integrations) to deceive users into installing them on their n8n instances.
ASEC identified an ongoing campaign in which threat actors abuse legitimate Remote Monitoring and Management (RMM) tools, including Syncro, ConnectWise ScreenConnect, NinjaOne, and SuperOps, to gain persistent remote access to victim systems, primarily via phishing.
In October 2025, AppOmni, a SaaS security firm, notified ServiceNow regarding their intent to publish an article about a critical privilege escalation vulnerability affecting ServiceNow instances using the Virtual Agent API and Now Assist AI Agents.
Palo Alto Networks Unit 42 has released research on the emerging risks associated with "vibe coding," the use of AI-assisted tools to generate code rapidly.
Securonix Threat Research has identified a new multi-stage malware campaign, dubbed SHADOW#REACTOR, which utilizes a sophisticated chain of obfuscated scripts and fileless execution to deploy the Remcos RAT.
VoidLink is a highly sophisticated, cloud-native malware framework written in the Zig programming language, specifically engineered for long-term persistence and stealth within Linux-based cloud and containerized environments.
CVE-2026-22200 is a critical PHP Filter Chain Injection vulnerability discovered by Horizon3.ai that affects Enhancesoft osTicket, a widely used open-source help desk and ticketing system.
GreyNoise Intelligence has identified ongoing threat campaigns targeting Large Language Model (LLM) infrastructure between October 2025 and January 2026. Capturing over 91,000 attack sessions, these campaigns demonstrate a systematic effort to map the expanding attack surface of AI deployments.
The notorious hacking platform BreachForums has suffered a massive data exposure, with a database containing information for approximately 324,000 accounts being leaked online.
CloudSEK researchers recently identified a significant shift in the operational tactics of the MuddyWater Advanced Persistent Threat (APT) group, an Iranian-nexus actor linked to the Ministry of Intelligence and Security (MOIS).
According to Cyble's 2025 threat landscape report, ransomware attacks aimed at the Telecom sector have grown four-fold since 2021. In 2025, Cyble documented 444 security incidents affecting the sector, including 90 confirmed ransomware attacks.
We issued an advisory last week for the "NI8MARE" vulnerability, tracked as CVE-2024-49780. The vulnerability is a maximum-severity (CVSS 10.0) flaw impacting n8n, a popular low-code workflow automation platform.
The Huntress Tactical Response team recently detailed a sophisticated intrusion involving a VMware ESXi "virtual machine (vm) escape" toolkit, marking a significant escalation in hypervisor-targeted attacks.
Between February and September 2025, the Russian state-sponsored threat group BlueDelta (aka APT28, Fancy Bear, Forest Blizzard), attributed to the GRU, executed a sophisticated credential harvesting campaign targeting strategic entities in Turkey and Europe.
The FBI has issued a FLASH alert regarding the North Korean state-sponsored threat group Kimsuky (also known as APT43 or Emerald Sleet), which has evolved its spearphishing tactics to incorporate malicious Quick Response (QR) codes, a technique known as "Quishing."
Between December 25-28, 2025, a single operator launched a systematic reconnaissance campaign targeting vulnerable systems across the internet.
Network defenders should immediately prioritize the remediation of a critical remote code execution (RCE) vulnerability in Trend Micro Apex Central (on-premise), tracked as CVE-2025-69258.
Cisco Talos has identified a sophisticated China-nexus threat actor, designated as UAT-7290, that has been conducting cyber espionage operations since at least 2022.
Check Point Research (CPR) has published an analysis of the evolving "GoBruteforcer" (or GoBrut) modular botnet, a botnet rewritten entirely in Go in mid-2025 and targeting Linux servers.
A critical vulnerability, tracked as CVE-2025-68428 (CVSS 9.2), has been identified in the popular JavaScript library jsPDF, specifically affecting its Node.js builds prior to version 4.0.0. The flaw is a local file inclusion (LFI) and path traversal issue that stems from improper sanitization of file paths within the loadFile method,
The National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) and Beijing Weibu Online (aka ThreatBook) highlighted an active search engine optimization poisoning campaign, where actors are using fraudulent websites advertising popular software to distribute malware.
A critical unauthenticated Remote Code Execution (RCE) vulnerability, tracked as CVE-2024-52264 and dubbed "Ni8mare," has been identified in the n8n workflow automation platform.