Google has addressed a high-risk vulnerability in the latest Chrome versions, 143.0.7499.192/193 for Windows and macOS and 143.0.7499.192 for Linux. The company’s advisory doesn’t say whether the flaw is being exploited in active attacks. Tracked as CVE-2026-0628, the vulnerability affects the WebView component and stems from insufficient policy enforcement in the WebView tag in Google Chrome. A remote attacker can trick a victim into visiting a specially crafted website, bypass the implemented security measures and compromise the affected system.
US, Canadian, and Australian cyber agencies have warned that hackers are actively exploiting a recently disclosed vulnerability affecting MongoDB data storage systems. The issue is CVE-2025-14847, a flaw MongoDB disclosed on December 15 and patched on December 19. On December 25, working exploit code was published. The bug, dubbed “MongoBleed,” allows attackers to open tens of thousands of connections to a server to probe for memory leaks and reconstruct sensitive data.
Threat actors are actively exploiting a critical command injection vulnerability affecting multiple legacy D-Link DSL gateway routers that have been out of support for several years. The flaw, tracked as CVE-2026-0625, resides in the dnscfg.cgi endpoint and stems from improper input sanitization in a CGI library, allowing unauthenticated attackers to execute arbitrary commands through crafted DNS configuration parameters.
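The bug class behind the D-Link item is worth seeing side by side. The following is an added illustration, not D-Link’s code and not the actual dnscfg.cgi logic: a CGI-style handler that pastes a DNS server parameter into a shell command, beside a hardened version that allow-lists the value as an IP address and builds an argv list instead of a shell string. The query string, the `/sbin/set-dns` helper and the `dns` parameter name are all assumptions made for the example.

```python
"""Command injection through a DNS configuration parameter: vulnerable
builder beside a hardened one. Constructed example, not vendor code."""
import ipaddress
from urllib.parse import parse_qs


class InvalidDnsServer(ValueError):
    """Raised when a submitted DNS server value is not an IP address."""


def build_dns_command_vulnerable(query_string):
    """Vulnerable pattern: the 'dns' parameter goes straight into a shell
    command string, so any shell metacharacters the client sends reach
    the shell. '/sbin/set-dns' is a hypothetical helper binary."""
    params = parse_qs(query_string)
    dns = params.get("dns", [""])[0]
    return "/sbin/set-dns %s" % dns


def shell_metacharacters_present(command):
    """Cheap way to show what the vulnerable builder lets through."""
    return any(ch in command for ch in ";|&`$()<>\n")


def parse_dns_servers_hardened(query_string):
    """Hardened: allow-list validation. Every value must parse as an IPv4 or
    IPv6 address; anything else is rejected before a command is built."""
    params = parse_qs(query_string)
    servers = []
    for raw in params.get("dns", []):
        for value in raw.split(","):
            value = value.strip()
            try:
                servers.append(str(ipaddress.ip_address(value)))
            except ValueError as exc:
                raise InvalidDnsServer("rejected DNS server value %r" % value) from exc
    if not servers:
        raise InvalidDnsServer("no DNS server supplied")
    return servers


def build_dns_argv_hardened(query_string):
    """Build an argv list from validated addresses. Handing this list to
    subprocess.run without shell=True means no shell ever parses it."""
    return ["/sbin/set-dns"] + parse_dns_servers_hardened(query_string)


def hardened_rejects(query_string):
    """True when the hardened path refuses the request."""
    try:
        build_dns_argv_hardened(query_string)
    except InvalidDnsServer:
        return True
    return False


if __name__ == "__main__":
    # Constructed payload: URL-encoded form of  dns=8.8.8.8;id>/tmp/pwned
    payload = "dns=8.8.8.8%3Bid%3E%2Ftmp%2Fpwned"
    print("vulnerable:", build_dns_command_vulnerable(payload))
    print("hardened rejects payload:", hardened_rejects(payload))
    print("hardened:", build_dns_argv_hardened("dns=8.8.8.8,2001:4860:4860::8888"))
```

The fix is not escaping: it is refusing anything that is not an address and never handing the value to a shell at all. The same pattern applies to any router CGI parameter that ends up in a `system()` call.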
The US Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities affecting Microsoft Office and Hewlett Packard Enterprise (HPE) OneView to its Known Exploited Vulnerabilities (KEV) catalog, indicating that the two flaws are being exploited in the wild. The first issue, tracked as CVE-2009-0556, is a code injection vulnerability in Microsoft Office PowerPoint that can allow remote attackers to execute arbitrary code via memory corruption. The second issue, CVE-2025-37164, impacts HPE OneView, allowing unauthenticated remote code execution.
Japanese cybersecurity vendor Trend Micro has addressed a critical security flaw in its Apex Central (on-premise) product that could allow attackers to execute arbitrary code with SYSTEM privileges. Tracked as CVE-2025-69258, the flaw exists due to exposure of the LoadLibraryEX feature in MsgReceiver.exe, which listens on port 20001/TCP. A remote, unauthenticated attacker can send message 0x0a8d to load an attacker-controlled DLL into MsgReceiver.exe, leading to execution of attacker-supplied code in the security context of SYSTEM. The company has also fixed two medium-severity issues that could lead to denial-of-service (DoS) conditions.
A new Cisco Talos report details UAT-7290, a threat actor that has been active since at least 2022. The group has been observed gaining initial access and conducting espionage-focused intrusions against critical infrastructure in South Asia. UAT-7290 employs a malware toolkit that includes the RushDrop, DriveSwitch and SilentRaid implants, and is known for performing extensive technical reconnaissance of target organizations before executing attacks.
Check Point Research analyzes a Go-based modular botnet called ‘GoBruteforcer’ (aka GoBrut) that targets databases of crypto and blockchain projects. It compromises Linux servers by brute-forcing FTP, MySQL, PostgreSQL, and phpMyAdmin services. The botnet malware spreads through a chain of web shell, downloader, IRC bot, and bruteforcer modules. The researchers estimate that more than 50,000 Internet-facing servers may be vulnerable to GoBruteforcer attacks.
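A botnet that sprays passwords across FTP, MySQL and PostgreSQL on the same host shows up in three different logs, and per-service thresholds can each stay under the alarm level. The following is an added example, not Check Point’s detection and not GoBruteforcer code: it parses constructed failure lines resembling MySQL, vsftpd and PostgreSQL authentication failures, merges them per source IP, and alerts on any source exceeding a failure count within a sliding window across all services combined. The timestamp prefix and the `203.0.113.5` / `198.51.100.7` addresses are constructed for the example; real deployments need the regexes adjusted to their own log formats.

```python
"""Cross-service brute-force detection over constructed log lines.
Added example; log formats are approximations, not vendor-exact."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each pattern captures an ISO timestamp and a source IP. Constructed to
# resemble MySQL, vsftpd and PostgreSQL failures (with %h in log_line_prefix).
PATTERNS = {
    "mysql": re.compile(r"^(?P<ts>\S+) .*Access denied for user '[^']*'@'(?P<ip>[\d.]+)'"),
    "ftp": re.compile(r"^(?P<ts>\S+) .*FAIL LOGIN: Client \"(?P<ip>[\d.]+)\""),
    "postgres": re.compile(r"^(?P<ts>\S+) (?P<ip>[\d.]+) .*FATAL:\s+password authentication failed"),
}


def parse_failures(lines):
    """Return (timestamp, ip, service) for every line matching a pattern."""
    events = []
    for line in lines:
        for service, rx in PATTERNS.items():
            m = rx.match(line)
            if m:
                events.append((datetime.fromisoformat(m["ts"]), m["ip"], service))
                break
    return events


def detect_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Map each offending ip -> sorted list of services it hit, for sources
    with at least `threshold` failures inside any sliding `window`."""
    by_ip = defaultdict(list)
    for ts, ip, service in parse_failures(lines):
        by_ip[ip].append((ts, service))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = sorted({svc for _, svc in events[start:end + 1]})
                break
    return alerts


def sample_log():
    """Constructed log: one source spraying three services in 90 seconds,
    one source with a few spread-out failures, one unrelated line."""
    base = datetime(2026, 1, 10, 3, 0, 0)
    attacker, legit = "203.0.113.5", "198.51.100.7"
    lines = []
    for i in range(12):
        ts = (base + timedelta(seconds=8 * i)).isoformat()
        if i % 3 == 0:
            lines.append(f"{ts} 12 [Warning] Access denied for user 'root'@'{attacker}' (using password: YES)")
        elif i % 3 == 1:
            lines.append(f"{ts} [pid 2211] [anonymous] FAIL LOGIN: Client \"{attacker}\"")
        else:
            lines.append(f"{ts} {attacker} [2240] FATAL:  password authentication failed for user \"postgres\"")
    for i in range(3):
        ts = (base + timedelta(minutes=20 * i)).isoformat()
        lines.append(f"{ts} 13 [Warning] Access denied for user 'app'@'{legit}' (using password: YES)")
    lines.append(f"{base.isoformat()} 14 [Note] Server socket created on IP: '::'.")
    return lines


if __name__ == "__main__":
    print(detect_bruteforce(sample_log()))
```

Counting per source rather than per service is the point: four failures each against FTP, MySQL and PostgreSQL is twelve failures from one host, which is the behaviour the Check Point report describes.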
In a separate report, Check Point details a massive AI-driven investment scam operation dubbed ‘Truman Show.’ It leverages legitimate Android and iOS apps and AI-generated communities for financial and identity theft. The attackers use social engineering, via phishing SMS and Telegram messages as well as ads, to lure potential victims into WhatsApp and Telegram groups populated by an AI-generated community and fake “experts.”
Researchers at Zscaler ThreatLabz have discovered three malicious npm packages that are designed to deliver a previously unknown malware called ‘NodeCordRAT.’ NodeCordRAT targets Chrome credentials, sensitive secrets such as API tokens, and MetaMask data, including keys and seed phrases. It uses Discord servers for command-and-control communication.
Cybersecurity firm Huntress has shared details of an attack it observed in December 2025 that involved VMware ESXi exploits. The analysis of the toolkit used in the intrusion suggests that it was potentially built as a zero-day exploit over a year before VMware's public disclosure, and that a well-resourced China-linked developer may be behind the malware.
Recorded Future’s Insikt Group reports that Russian GRU-linked threat actor Blue Delta has been conducting credential-harvesting campaigns themed as Microsoft Outlook Web Access (OWA), Google, and Sophos VPN login portals. The group used free hosting and tunneling services, including Webhook[.]site, InfinityFree, Byet Internet Services, and ngrok, to host phishing infrastructure. It also used customized JavaScript to capture credentials and automate victim redirection. The attacks targeted researchers and institutions in Türkiye and Europe.
Suspected Russian cybercriminals are targeting European hotels and hospitality companies with a malware campaign that uses a fake “Blue Screen of Death” to trick victims into infecting their own systems, according to new research from Securonix.
A Russia-aligned threat actor tracked as UAC-0184 has been observed targeting Ukrainian military and government entities using the Viber messaging platform to distribute malware-laced ZIP archives. The group has maintained “high-intensity intelligence gathering activities” against Ukrainian institutions throughout 2025.
Researchers at Genians Security Center have detailed a new advanced persistent threat (APT) campaign attributed to the North Korea–linked APT37 group, dubbed “Artemis.” The operation uses sophisticated social engineering and technical evasion techniques, delivering malware through trojanized Hangul Word Processor (HWP) documents.
Malwarebytes examines a fake Matryoshka doll-style WinRAR installer that was linked from various Chinese websites and delivered the Chinese Winzipper malware that deploys a hidden backdoor that lets attackers remotely control the machine, steal data, and install additional malware.
A Chinese-linked threat actor is believed to be behind three major malicious browser extension campaigns that have compromised millions of users across Google Chrome, Microsoft Edge, and Mozilla Firefox. Security researchers at Koi Security have linked the activity to a threat actor they track as ‘DarkSpectre,’ which they say has affected more than 8.8 million users over a span of seven years. The latest of the three campaigns alone impacted 2.2 million users through malicious browser extensions distributed across the three major browsers.
Popular AI-powered forks of Microsoft Visual Studio Code (VS Code), including Cursor, Windsurf, Google Antigravity, and Trae, have been found to recommend extensions that do not exist in the Open VSX registry, potentially exposing developers to supply chain attacks.
The OX Research team has uncovered a new malware campaign abusing popular Chrome extensions to steal users’ AI chatbot conversations and browsing data. The campaign involves two malicious extensions that secretly exfiltrate ChatGPT and DeepSeek conversations, along with all open Chrome tab URLs, to remote command-and-control (C2) servers every 30 minutes.
Acronis Threat Research Unit has discovered a new campaign they dubbed “Boto-Cor-de-Rosa” that uses the WhatsApp messaging platform to deliver a Windows banking trojan called ‘Astaroth’ in attacks targeting Brazil.
Security researchers have uncovered a large-scale Android botnet dubbed ‘Kimwolf’ that has compromised more than 2 million devices by tunneling through a residential proxy network. According to the researchers, the operators behind Kimwolf are monetizing the botnet through fraudulent app installs, selling residential proxy bandwidth, and offering distributed denial-of-service (DDoS) capabilities.
Trust Wallet believes the recent compromise of its web browser extension, which led to the theft of roughly $8.5 million from more than 2,500 crypto wallets, is likely connected to the wider “Sha1-Hulud” supply chain attacks that hit the software industry in November. According to the company, attackers gained access after Trust Wallet’s developer GitHub secrets were exposed. This allowed the threat actor to obtain the browser extension source code and a Chrome Web Store (CWS) API key. With full CWS API access, the attacker bypassed Trust Wallet’s internal approval and manual review process and directly uploaded a malicious build.
The FBI has warned domestic and international organizations about active North Korean phishing campaigns that leverage QR codes to evade email security controls. According to an FBI Flash alert, the campaigns attributed to North Korea’s Kimsuky threat actor targeted think tanks, academic institutions, and US and foreign government entities throughout 2025.
Microsoft says that phishers are abusing complex email routing and misconfigured spoofing protections to impersonate organizations’ own domains and send emails that appear to be internal. The technique is being used to distribute phishing campaigns linked to phishing-as-a-service platforms like Tycoon2FA, using common lures such as voicemails, shared documents, HR notices, and password reset or expiration alerts to steal credentials.
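Mail that claims to come from your own domain only lands in the inbox if the domain’s published sender policies let it. The check below is an added example, not Microsoft’s analysis and not Tycoon2FA tooling; it assumes the “misconfigured spoofing protections” in question are the usual SPF and DMARC weaknesses and audits published record strings for them: a permissive `all` mechanism, too many DNS-lookup terms, `p=none`, partial `pct`, and a missing `rua` address. The `example.com` records are constructed, weak and corrected versions side by side.

```python
"""Static audit of SPF and DMARC TXT records for settings that let
spoofed mail from your own domain through. Added example; the records
are constructed for a hypothetical example.com."""
import re

WEAK_SPF = "v=spf1 include:_spf.example.net a mx +all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
FIXED_SPF = "v=spf1 include:_spf.example.net mx -all"
FIXED_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"

# SPF terms that cost a DNS lookup; more than 10 yields permerror (RFC 7208).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=...; ...' into a tag dict with lower-cased keys."""
    if not txt.strip().lower().startswith("v=dmarc1"):
        raise ValueError("not a DMARC record")
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(txt):
    """Findings that weaken enforcement; empty list means none found."""
    findings = []
    tags = parse_dmarc(txt)
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC p=none: failures are reported but never rejected or quarantined")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"DMARC pct={pct}: policy applied to only part of failing mail")
    if tags.get("sp", "").lower() == "none" and policy != "none":
        findings.append("DMARC sp=none: subdomains are exempt from the policy")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, so aggregate reports are never received")
    return findings


def audit_spf(txt):
    """Findings for a permissive or broken SPF record."""
    findings = []
    terms = txt.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    all_term, lookups = None, 0
    for term in terms[1:]:
        bare = term.lstrip("+-~?").lower()
        name = re.split(r"[:=/]", bare, maxsplit=1)[0]
        if name == "all":
            all_term = term.lower()
        elif name in LOOKUP_TERMS:
            lookups += 1
    if all_term is None:
        findings.append("SPF: no 'all' mechanism, unlisted senders get a neutral result")
    elif all_term in ("all", "+all"):
        findings.append("SPF +all: any sender passes")
    elif all_term == "?all":
        findings.append("SPF ?all: neutral result for unlisted senders")
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings


def audit_domain(spf_txt, dmarc_txt):
    """Combine both audits for one domain."""
    return audit_spf(spf_txt) + audit_dmarc(dmarc_txt)


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("fixed", FIXED_SPF, FIXED_DMARC)):
        print(label, audit_domain(spf, dmarc) or ["no findings"])
```

Feed it the TXT records you actually publish (`dig TXT example.com` and `dig TXT _dmarc.example.com`). A `~all` softfail is deliberately not flagged: under DMARC only an aligned SPF pass counts, so softfail with `p=reject` still gets the message rejected. The record checks say nothing about the routing side of the technique, where mail relayed through a third-party service re-enters the organization and needs a trusted-ARC or connector-level decision instead.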
Bryan Fleming, the founder of American spyware firm pcTattletale, has pleaded guilty to federal charges after a years-long investigation. Fleming admitted to computer hacking, illegally selling and promoting surveillance software, and conspiracy related to his stalkerware operation. Authorities say pcTattletale allowed customers to secretly monitor victims’ phones and computers, collecting messages, photos, and location data without consent. Fleming shut down pcTattletale in 2024 after a major data breach exposed customer and victim information.
Two American men have pleaded guilty in US federal court to conspiring to carry out ransomware attacks that targeted victims across the United States in 2023. Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas, admitted to participating in a scheme that used the ALPHV/BlackCat ransomware between April and December 2023. Goldberg worked at incident response firm Sygnia, while Martin served as a ransomware negotiator for financial technology company DigitalMint. Goldberg was arrested on September 22, followed by Martin’s arrest on October 14.
A joint police operation carried out by the Spanish National Police, the Bavarian State Criminal Police Office, and Europol has targeted the Black Axe international criminal group, with 34 suspects arrested. Originally from Nigeria, Black Axe is a highly structured group with worldwide reach that specializes in crimes such as cyber fraud, drug and human trafficking, prostitution, kidnapping and armed robbery. Investigators believe the criminal network is responsible for fraud resulting in damages exceeding €5.93 million. Over the course of the operation, authorities froze over €119,000 in bank accounts and seized more than €66,000 in cash during house searches.