
UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor
Cisco Talos has identified a new threat cluster, UAT-10027, delivering a novel backdoor called Dohdoor that leverages DNS‑over‑HTTPS for command‑and‑control. The malware uses DLL side‑loading through legitimate Windows executables and drops a Cobalt Strike beacon that unhooks NTDLL calls to evade endpoint detection. The campaign, active since December 2025, has compromised multiple U.S. education institutions and a healthcare facility for the elderly. Technical similarities to Lazarus‑linked LazarusLoader suggest possible North Korean APT involvement, though the victim profile diverges from typical Lazarus targets.

SLH Offers $500–$1,000 Per Call to Recruit Women for IT Help Desk Vishing Attacks
Scattered LAPSUS$ Hunters (SLH) is paying women $500 to $1,000 per call to conduct voice‑phishing attacks against IT help desks. The group supplies pre‑written scripts and leverages legitimate proxy services and tunneling tools to evade detection. These vishing campaigns aim...

Top 5 Ways Broken Triage Increases Business Risk Instead of Reducing It
The article outlines five common triage failures that inflate business risk, from decisions made without execution evidence to manual, error‑prone processes. It shows how interactive sandboxes—exemplified by ANY.RUN—provide rapid execution evidence, enabling analysts to reach evidence‑backed verdicts within seconds. Reported...

Manual Processes Are Putting National Security at Risk
More than half of national‑security agencies still move classified data by hand, a practice the CYBER360 report flags as a strategic liability. Manual transfers introduce human error, audit gaps, and exploitable seams that adversaries can weaponize. Legacy platforms, protracted procurement...

Identity Prioritization Isn't a Backlog Problem - It's a Risk Math Problem
Identity programs still rank remediation like IT tickets, ignoring context. The article argues that true prioritization must treat identity risk as a function of controls posture, hygiene, business impact, and user intent, not just checklist completion. When these factors align,...

APT28 Targeted European Entities Using Webhook-Based Macro Malware
Russia‑linked APT28 launched Operation MacroMaze, a campaign against Western and Central European entities from September 2025 through January 2026. The attackers delivered spear‑phishing documents containing a macro that calls a webhook.site URL, acting as a tracking pixel to confirm that the document was opened. The macro drops...

How Exposed Endpoints Increase Risk Across LLM Infrastructure
Enterprises deploying private Large Language Models are rapidly adding inference APIs, model‑management dashboards, and tool‑calling endpoints. Each new endpoint widens the attack surface, especially when permissions are excessive and credentials remain static. Exposed endpoints let attackers hijack non‑human identities, enabling...

MuddyWater Targets MENA Organizations with GhostFetch, CHAR, and HTTP_VIP
Iranian APT group MuddyWater has launched Operation Olalampo, targeting organizations across the Middle East and North Africa. The campaign, first seen on Jan 26, 2026, deploys new malware families—GhostFetch, HTTP_VIP, the Rust backdoor CHAR, and the GhostBackDoor implant—delivered via macro‑laden Office...

EC-Council Expands AI Certification Portfolio to Strengthen U.S. AI Workforce Readiness and Security
EC‑Council announced its Enterprise AI Credential Suite, adding four role‑based AI certifications and an updated Certified CISO v4 program. The launch targets the estimated $5.5 trillion global AI risk exposure and a U.S. reskilling gap of 700,000 workers. It aligns with recent...

Identity Cyber Scores: The New Metric Shaping Cyber Insurance in 2026
Identity cyber scores are emerging as the primary metric insurers use to underwrite cyber‑insurance policies in 2026. Insurers now scrutinize password hygiene, privileged‑access management and MFA coverage, linking weak identity controls to higher breach likelihood and premium costs. The global...

Former Google Engineers Indicted Over Trade Secret Transfers to Iran
Two former Google engineers and a spouse were indicted for allegedly stealing trade secrets related to Google’s Tensor processor and other hardware designs, then transferring the data to Iran. The defendants used personal devices, messaging channels, and manual photographs to...

INTERPOL Operation Red Card 2.0 Arrests 651 in African Cybercrime Crackdown
INTERPOL’s Operation Red Card 2.0, conducted from Dec 8, 2025 to Jan 30, 2026, resulted in 651 arrests across 16 African nations and the seizure of more than $4.3 million. The eight‑week crackdown exposed scams responsible for roughly $45 million in losses and identified 1,247 victims worldwide....

3 Ways to Start Your Intelligent Workflow Program
Security, IT and engineering teams face pressure to accelerate outcomes while extracting AI value, yet 88% of AI proofs‑of‑concept never reach production despite 70% of workers seeking time‑saving automation. The Hacker News article outlines three pre‑built intelligent‑workflow use cases—automated phishing response,...

SmartLoader Attack Uses Trojanized Oura MCP Server to Deploy StealC Infostealer
Researchers have uncovered a new SmartLoader campaign that distributes a trojanized Oura Health Model Context Protocol (MCP) server to install the StealC infostealer. The malicious server is hosted in fabricated GitHub repositories and submitted to the MCP Market registry, exploiting...

Google Links China, Iran, Russia, North Korea to Coordinated Defense Sector Cyber Operations
Google Threat Intelligence Group disclosed a coordinated campaign by state‑sponsored actors from China, Iran, Russia and North Korea targeting the defense industrial base. The operations concentrate on battlefield technologies used in the Russia‑Ukraine war, recruitment‑process infiltration, edge‑device entry points, and...

Malicious Chrome Extensions Caught Stealing Business Data, Emails, and Browsing History
Researchers uncovered a wave of malicious Chrome extensions that siphon data from corporate tools, social platforms, AI assistants, and general browsing activity. The CL Suite add‑on steals Meta Business Suite credentials and analytics, while VK‑styled extensions hijacked roughly 500,000 VKontakte...

Npm’s Update to Harden Their Supply Chain, and Points to Consider
npm completed a major authentication overhaul in December 2025, revoking classic long‑lived tokens and moving to short‑lived session tokens with MFA enabled by default for publishing. The changes also promote OIDC Trusted Publishing, giving CI systems per‑run credentials. However, MFA phishing attacks...

Exposed Training Apps Open the Door for Crypto-Mining in Fortune 500 Cloud Environments
Pentera Labs identified nearly 2,000 publicly exposed training applications across cloud platforms, with about 60% hosted on AWS, Azure or GCP. Roughly one‑fifth of these instances contained crypto‑mining scripts, web‑shells or persistence tools, indicating active exploitation. The vulnerable apps were...

ZAST.AI Raises $6M Pre-A to Scale "Zero False Positive" AI-Powered Code Security
ZAST.AI announced a $6 million Pre‑Series A round led by Hillhouse Capital, bringing total funding near $10 million. The Seattle‑based startup claims its AI‑driven platform delivers “zero false‑positive” code security by automatically generating and validating proof‑of‑concept exploits. In 2025 the company uncovered...

How Samsung Knox Helps Stop Your Network Security Breach
Samsung Knox introduces a per‑app firewall and Zero‑Trust Network Access (ZTNA) that extend traditional enterprise security to mobile devices. The firewall provides granular, app‑specific rules and detailed logging, shrinking investigation times from days to hours. Knox ZTNA works alongside existing...

Compromised dYdX Npm and PyPI Packages Deliver Wallet Stealers and RAT Malware
Security researchers uncovered a supply‑chain attack on dYdX's official npm package @dydxprotocol/v4-client-js and its PyPI counterpart dydx‑v4‑client. The compromised versions, published with legitimate maintainer credentials, embed wallet‑stealing code and, in the Python case, a remote‑access trojan. dYdX acknowledged the breach,...

AISURU/Kimwolf Botnet Launches Record-Setting 31.4 Tbps DDoS Attack
The AISURU/Kimwolf botnet launched a record‑setting DDoS attack in November 2025, peaking at 31.4 Tbps and lasting just 35 seconds. Cloudflare, which automatically mitigated the traffic, said the attack is part of a surge in hyper‑volumetric HTTP assaults, with average sizes...

The Buyer’s Guide to AI Usage Control
Enterprises are grappling with an explosion of AI tools embedded in SaaS, browsers, and shadow applications, yet most security programs still rely on legacy, perimeter‑focused controls. The new Buyer’s Guide for AI Usage Control highlights that AI risk resides in...

The First 90 Seconds: How Early Decisions Shape Incident Response Investigations
Eric Zimmerman of the SANS Institute argues that incident response failures stem more from early‑stage decisions than from tool gaps. He defines the "first 90 seconds" as a repeatable decision window that recurs each time a new system enters scope,...

When Cloud Outages Ripple Across the Internet
Recent high‑profile outages at AWS, Azure and Cloudflare have shown that cloud failures ripple far beyond compute, crippling the identity layer that underpins authentication and authorization. When shared services such as DNS, load balancers or managed databases go down, even...

Securing the Mid-Market Across the Complete Threat Lifecycle
Mid‑market firms face tight budgets and lean security teams, making traditional, siloed tools costly and inefficient. The article advocates a full‑lifecycle approach—prevention, protection, detection, and response—delivered through integrated platforms such as Bitdefender GravityZone. By unifying endpoint, cloud, identity, and network...

Open VSX Supply Chain Attack Used Compromised Dev Account to Spread GlassWorm
Researchers uncovered a supply‑chain breach of the Open VSX Registry where a legitimate developer’s credentials were hijacked to publish malicious updates of four popular extensions. The poisoned versions, released on Jan 30, 2026, embedded the GlassWorm loader and were downloaded over 22,000...

Mandiant Finds ShinyHunters-Style Vishing Attacks Stealing MFA to Breach SaaS Platforms
Mandiant reports a surge in ShinyHunters‑style vishing campaigns that harvest SSO credentials and MFA codes to infiltrate SaaS environments. The attacks, attributed to UNC6661, UNC6671, and UNC6240, impersonate IT staff and use fake credential‑harvesting sites to enroll attackers’ devices for...

Badges, Bytes and Blackmail
Orange Cyberdefense compiled a dataset of 418 publicly announced law‑enforcement actions against cybercrime from 2021 to mid‑2025. The analysis shows extortion, malware distribution and hacking as the most frequently targeted offenses, with arrests accounting for 29% of responses. The United...

ThreatsDay Bulletin: New RCEs, Darknet Busts, Kernel Bugs & 25+ More Stories
The FBI’s seizure of the RAMP cybercrime forum underscores law‑enforcement pressure on underground marketplaces, while Meta confronts a U.S. lawsuit alleging unauthorized access to WhatsApp messages. CISA published its first list of post‑quantum cryptography‑compatible products, urging organizations to prepare for...

3 Decisions CISOs Need to Make to Prevent Downtime Risk in 2026
Enterprises face escalating operational downtime risk, prompting CISOs to prioritize three strategic decisions. First, adopt STIX/TAXII‑compatible threat intelligence feeds that deliver fresh, high‑quality indicators, boosting detection rates by up to 58%. Second, eliminate noisy false positives to protect analysts from...

Fake Moltbot AI Coding Assistant on VS Code Marketplace Drops Malware
Moltbot, an open‑source AI coding assistant with over 85,000 GitHub stars, has no official Visual Studio Code extension, yet a counterfeit "ClawdBot Agent – AI Coding Assistant" appeared on the Marketplace. Published on January 27, 2026, the malicious extension automatically runs on IDE launch...

From Triage to Threat Hunts: How AI Accelerates SecOps
AI‑driven SOC agents are moving from hype to practical augmentation, handling every alert with human‑level accuracy. By automatically correlating telemetry from EDR, identity, cloud and network sources, they eliminate the triage bottleneck and achieve near‑zero dwell time. The continuous investigation...

Fake Python Spellchecker Packages on PyPI Delivered Hidden Remote Access Trojan
Researchers uncovered two malicious PyPI packages, spellcheckerpy and spellcheckpy, that pretended to be spell‑checking tools but delivered a Python‑based remote‑access trojan. The packages were downloaded just over 1,000 times before being removed, with version 1.2.0 adding an execution trigger that runs...

CTEM in Practice: Prioritization, Validation, and Outcomes That Matter
Continuous Threat Exposure Management (CTEM) is a Gartner‑defined, continuous cycle that links threats, vulnerabilities, and attack‑surface data to prioritize exploitable exposures. It moves security from isolated scans to an operational model of scoping, discovery, prioritization, validation, and mobilization. By integrating...

China-Linked Hackers Have Used the PeckBirdy JavaScript C2 Framework Since 2023
Trend Micro researchers have uncovered a JScript‑based command‑and‑control framework called PeckBirdy, used by China‑aligned APT groups since 2023. The framework runs via living‑off‑the‑land binaries across browsers, MSHTA, WScript, Node.js and .NET, delivering modular backdoors such as HOLODONUT and MKDOOR. It powers...

Indian Users Targeted in Tax Phishing Campaign Delivering Blackmoon Malware
Researchers at eSentire have uncovered a tax‑phishing campaign targeting Indian users by masquerading as the Income Tax Department. The campaign delivers a multi‑stage backdoor that first sideloads a malicious DLL, then escalates privileges and installs a Blackmoon trojan variant alongside...

Winning Against AI-Based Attacks Requires a Combined Defensive Approach
Offensive AI is reshaping cyber attacks, with large language models generating and morphing malware in real time. Recent incidents such as Anthropic’s AI‑orchestrated espionage campaign and ClickFix steganography attacks show adversaries bypassing traditional endpoint detection (EDR). Network Detection and Response...

Filling the Most Common Gaps in Google Workspace Security
Google Workspace’s default security leaves critical gaps, especially in Gmail where Business Email Compromise and sophisticated spear‑phishing thrive. Native protections lack contextual awareness of VIP contacts and cannot fully safeguard years‑long email archives. The article recommends enabling advanced scanning, enforcing...

SmarterMail Auth Bypass Exploited in the Wild Two Days After Patch Release
A critical authentication‑bypass flaw in SmarterTools' SmarterMail was patched on Jan 15, 2026, but attackers began exploiting it by Jan 17, 2026. The vulnerability allows unauthenticated users to reset the system administrator password via the /api/v1/auth/force-reset-password endpoint and then execute OS commands, yielding a...
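A quick way to hunt for abuse of the reset endpoint named above is to sweep the mail server's web access logs for any request to that path, grouped by source address, and rank a hit higher when the server returned 2xx (the reset was processed) or when the caller sat outside the addresses admins normally use. The block below is an added example, not code from the article or from SmarterTools; the log lines are constructed in Apache/IIS combined format (the real SmarterMail log layout is not shown on the page) and the admin allowlist is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# The endpoint named in the article; everything else here is assumed.
RESET_PATH = "/api/v1/auth/force-reset-password"
# Constructed allowlist: prefixes of networks admins legitimately connect from.
ADMIN_NETS = ("10.0.0.",)

# Constructed sample lines, combined log format; not real SmarterMail telemetry.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jan/2026:02:14:05 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 312 "-" "python-requests/2.32"
203.0.113.7 - - [17/Jan/2026:02:14:09 +0000] "POST /api/v1/auth/force-reset-password?x=1 HTTP/1.1" 200 312 "-" "python-requests/2.32"
198.51.100.20 - - [17/Jan/2026:02:20:41 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Jan/2026:03:01:17 +0000] "POST /API/v1/auth/force-reset-password HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.9 - - [17/Jan/2026:04:45:02 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 401 0 "-" "curl/8.4"
this line is not in combined format and must be skipped
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def hunt_force_reset(log_text):
    """Return {source_ip: summary} for every request that hit RESET_PATH."""
    findings = defaultdict(lambda: {
        "count": 0, "accepted": 0, "first_seen": None, "agents": set(), "external": False,
    })
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Normalise: drop the query string, trailing slash and case (IIS paths are case-insensitive).
        path = rec["path"].split("?")[0].rstrip("/").lower()
        if path != RESET_PATH:
            continue
        f = findings[rec["ip"]]
        f["count"] += 1
        if 200 <= rec["status"] < 300:
            f["accepted"] += 1          # server processed the reset request
        f["first_seen"] = min(f["first_seen"] or rec["ts"], rec["ts"])
        f["agents"].add(rec["ua"])
        f["external"] = not rec["ip"].startswith(ADMIN_NETS)
    return dict(findings)


def severity(summary):
    """Accepted reset from a non-admin address is the worst case."""
    if summary["accepted"] and summary["external"]:
        return "critical"
    if summary["accepted"] or summary["external"]:
        return "high"
    return "low"


if __name__ == "__main__":
    for ip, s in hunt_force_reset(SAMPLE_LOG).items():
        print(f"{severity(s):9} {ip:15} hits={s['count']} accepted={s['accepted']} "
              f"first={s['first_seen'].isoformat()} ua={sorted(s['agents'])}")
```

Any hit at all is worth a look on a server that was unpatched between Jan 15 and Jan 17, 2026; a 2xx from an address outside the admin networks should trigger a password rotation and a review of process creation on the host, since the article describes command execution as the next step.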

Exposure Assessment Platforms Signal a Shift in Focus
Gartner’s inaugural Magic Quadrant introduces Exposure Assessment Platforms (EAP) as a formal replacement for traditional vulnerability management, emphasizing Continuous Threat Exposure Management. The report evaluated 20 vendors on continuous discovery, risk‑informed prioritization, and cross‑environment visibility. Data shows 74% of identified...

The Hidden Risk of Orphan Accounts
Orchid Security highlights the growing threat of orphan accounts—unused human, service, and AI identities that remain active across enterprise environments due to fragmented IAM and IGA processes. These hidden credentials, often with elevated privileges, have been leveraged in high‑profile breaches...

Why Secrets in JavaScript Bundles Are Still Being Missed
Intruder scanned 5 million web applications and uncovered over 42,000 exposed tokens hidden in JavaScript bundles. The secrets spanned 334 types, including active GitHub, GitLab, and Linear API keys, as well as Slack, Zapier, and CAD service credentials. Existing scanners—traditional regex‑based...
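One reason bundled secrets slip past plain regex scanners is that bundlers and obfuscators split string literals, so a token such as a GitHub PAT appears as `"ghp_" + "..."` and no prefix signature matches the whole value. The scanner below is an added example, not Intruder's tooling or anything from the article: it folds adjacent literal concatenations back together before applying a handful of prefix signatures, then falls back to a Shannon-entropy check on remaining long literals so unknown formats still surface for review. The signature patterns are simplified approximations of the GitHub, GitLab and Slack token shapes (assumed, not taken from the page) and the bundle snippet is constructed.

```python
import math
import re

# Simplified prefix signatures; assumptions for illustration, not the 334 types in the article.
KNOWN_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_-]{20}(?![A-Za-z0-9_-])"),
    "slack_bot": re.compile(r"\bxoxb-\d{10,13}-\d{10,13}-[A-Za-z0-9]{24}\b"),
}

# A quoted JS string literal (same quote on both ends, no escapes, for simplicity).
STRING_LITERAL = re.compile(r"""(["'])((?:(?!\1)[^\\\n])+)\1""")
# `"abc" + "def"` with optional whitespace, as emitted by some bundlers/obfuscators.
CONCAT = re.compile(r"""(["'])((?:(?!\1)[^\\\n])*)\1\s*\+\s*\1((?:(?!\1)[^\\\n])*)\1""")

# Constructed minified bundle fragment; every value in it is made up.
SAMPLE_BUNDLE = (
    '!function(){const e="https://api.example.com/v1/users";'
    'const t="ghp_"+"A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8";'
    'fetch(e,{headers:{Authorization:"Bearer glpat-Ab12Cd34Ef56Gh78Ij90","Content-Type":"application/json"}});'
    'const s="xoxb-123456789012-1234567890123-AbCdEfGhIjKlMnOpQrStUvWx";'
    'const k="Qk7pZ3mX9aL2vR8tW4nH6yC1sD5fG0jB";'
    'const msg="Loading the dashboard, please wait a moment...";}();'
)


def join_split_literals(src):
    """Fold "a" + "b" into "ab" repeatedly until no adjacent concatenation remains."""
    prev = None
    while prev != src:
        prev = src
        src = CONCAT.sub(lambda m: f"{m.group(1)}{m.group(2)}{m.group(3)}{m.group(1)}", src)
    return src


def shannon_entropy(s):
    """Bits per character; random API keys sit well above natural text."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def scan(src, fold_concats=True, entropy_threshold=4.0, min_len=32):
    """Return a sorted list of (kind, value) findings from a JS source string."""
    text = join_split_literals(src) if fold_concats else src
    findings = set()
    for kind, pat in KNOWN_PATTERNS.items():
        for m in pat.finditer(text):
            findings.add((kind, m.group(0)))
    known_values = {v for _, v in findings}
    for m in STRING_LITERAL.finditer(text):
        lit = m.group(2)
        # Skip literals already identified, URLs/paths and sentences (structure, not secrets),
        # and anything too short to be a credential; flag the high-entropy remainder.
        if lit in known_values or "/" in lit or " " in lit or len(lit) < min_len:
            continue
        if shannon_entropy(lit) >= entropy_threshold:
            findings.add(("high_entropy", lit))
    return sorted(findings)


if __name__ == "__main__":
    print("without folding:", scan(SAMPLE_BUNDLE, fold_concats=False))
    print("with folding:   ", scan(SAMPLE_BUNDLE))
```

Run against the sample, the unfolded pass sees the GitHub token only as an anonymous high-entropy blob (it cannot be typed, so it cannot be validated against the provider), while the folded pass identifies it as a PAT. The entropy fallback needs an allowlist in practice: base64 alphabets, hashes of static assets and similar constants in bundles are high-entropy and benign, which is why validation against the issuing service rather than pattern matching alone is what separates a live credential from noise.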

Black Basta Ransomware Leader Added to EU Most Wanted and INTERPOL Red Notice
Ukrainian and German authorities have arrested two Ukrainian suspects linked to the Black Basta ransomware‑as‑a‑service operation and placed its alleged Russian leader, Oleg Nefedov, on the EU Most Wanted and INTERPOL Red Notice lists. The gang, which emerged in 2022, infiltrated over...

Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts
Researchers identified five malicious Chrome extensions that masquerade as HR and ERP tools such as Workday, NetSuite, and SuccessFactors. The add‑ons steal authentication cookies, block security‑admin pages, and enable session hijacking by injecting stolen tokens. While most have been removed...

China-Linked APT Exploits Sitecore Zero-Day in Attacks on American Critical Infrastructure
China‑linked APT group UAT‑8837 has been exploiting a critical Sitecore zero‑day (CVE‑2025‑53690, CVSS 9.0) to breach American critical‑infrastructure networks. The attackers gain initial access via the vulnerability or stolen credentials, then deploy open‑source tools such as GoTokenTheft, SharpHound and Rubeus to...

ThreatsDay Bulletin: AI Voice Cloning Exploit, Wi-Fi Kill Switch, PLC Vulns, and 14 More Stories
The latest ThreatsDay bulletin spotlights a wave of high‑severity, unauthenticated remote code execution flaws—from Redis’s XACKDEL buffer overflow affecting roughly 2,900 servers to AI/ML libraries that execute malicious model metadata. It also flags a Broadcom Wi‑Fi chipset kill‑switch that can...

Model Security Is the Wrong Frame – The Real Risk Is Workflow Security
Security teams are still focusing on protecting AI models, but recent incidents show the real risk lies in the workflows surrounding them. Malicious Chrome extensions harvested chat data from over 900,000 users, and prompt‑injection attacks can coerce AI coding assistants...

4 Outdated Habits Destroying Your SOC's MTTR in 2026
Many security operations centers still rely on outdated, manual processes that slow incident response. The article highlights four habits—manual sample review, sole reliance on static scans, fragmented toolsets, and excessive alert escalations—that inflate mean time to respond. It shows how...

Researchers Null-Route Over 550 Kimwolf and Aisuru Botnet Command Servers
Black Lotus Labs at Lumen Technologies announced that it has null‑routed traffic to more than 550 command‑and‑control nodes used by the AISURU/Kimwolf botnet since early October 2025. The botnet now controls over two million Android devices, primarily unsecured TV boxes, and...