Ivanti has warned of two critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2026-1281 and CVE-2026-1340, that are actively exploited in the wild. Both issues are code-injection flaws that allow unauthenticated remote attackers to execute arbitrary code on affected devices. Ivanti noted that, at the time of disclosure, exploitation had been observed in a very limited number of customer environments.
Microsoft has released out-of-band security updates to address a critical zero-day vulnerability in Microsoft Office that has been exploited in the wild. The flaw, tracked as CVE-2026-21509, is a security feature bypass issue affecting multiple Office products, including Microsoft Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, and Microsoft 365 Apps for Enterprise. According to Microsoft, patches are currently available for most supported versions, but updates for Office 2016 and Office 2019 have not yet been released and will be provided as soon as possible.
Fortinet has started releasing patched FortiOS versions to fix a critical zero-day vulnerability that allowed attackers to log into targeted organizations’ FortiGate firewalls. The company said the flaw (CVE-2026-24858) was actively exploited in the wild by two malicious FortiCloud accounts, which were disabled on January 22, 2026.
CISA has flagged five security flaws as actively exploited. These include:
- CVE-2025-68645 – Critical RFI in Zimbra Collaboration Suite allowing unauthenticated arbitrary file inclusion via /h/rest (fixed in 10.1.13).
- CVE-2025-34026 – Critical auth bypass in Versa Concerto SD-WAN granting access to admin endpoints (fixed in 12.2.1 GA).
- CVE-2025-31125 – Improper access control in Vite/Vitejs enabling arbitrary file read via crafted imports (patched March 2025).
- CVE-2025-54313 – Malicious backdoor in eslint-config-prettier leading to execution of the Scavenger Loader info-stealer.
- CVE-2024-37079 – Critical heap overflow in VMware vCenter Server DCE/RPC implementation enabling remote code execution.
Google Mandiant says a recently patched WinRAR vulnerability is being widely exploited by multiple threat actors, ranging from Russian state-linked groups to Chinese espionage actors and financially motivated cybercriminals. The flaw, tracked as CVE-2025-8088, allows attackers to place malicious files on a victim’s system by tricking users into opening specially crafted RAR archives.
Cybersecurity firm MicroWorld Technologies, developer of the eScan antivirus, suffered a cyberattack on January 20 when an unknown threat actor breached one of its software update servers. The attacker deployed a malicious backdoor via the Reload.exe file, which disabled future updates, created a persistent scheduled task, and connected to a remote command-and-control (C&C) server to download additional malware. The attack lasted about an hour. eScan has since taken the affected server offline and resolved the issue.
A coordinated cyberattack targeting multiple sites across Poland’s power grid has been attributed with medium confidence to a Russian state-sponsored hacking group known as Electrum. The activity, detected in late December 2025, marks the first major cyberattack aimed at distributed energy resources (DERs), operational technology cybersecurity firm Dragos noted. Earlier this week, Slovak cybersecurity firm ESET attributed the attack on the Polish energy grid to the Russian threat actor Sandstorm. The company said that the attackers deployed a previously undocumented data-destroying malware, dubbed ‘DynoWiper,’ but did not provide any additional details.
On January 30, the Polish cybersecurity authority (CERT Polska) released an incident report on the December 2025 campaign, confirming that the attack targeted more than 30 wind and photovoltaic farms, a private company from the manufacturing sector, and a large combined heat and power plant supplying heat to almost half a million customers in Poland. Based on analysis of the infrastructure, including compromised VPS servers, routers, traffic patterns, and other artifacts, CERT Polska linked the campaign to the activity cluster tracked as “Static Tundra” (Cisco), “Berserk Bear” (CrowdStrike), “Ghost Blizzard” (Microsoft), and “Dragonfly” (Symantec). Dragonfly was previously attributed to Russia's Federal Security Service (FSB) Center 16.
GreyNoise has detected a significant surge in Ivanti Connect Secure reconnaissance targeting the CVE-2025-0282 flaw. Analysis reveals two distinct campaigns: an aggressive AS213790-based operation generating over 34 000 sessions and a stealthier distributed botnet approach across 6 000 IPs.
Cybersecurity researchers have uncovered a flexible command-and-control (C&C) framework, dubbed ‘PeckBirdy,’ that has been used by China-aligned state-backed threat actors since at least 2023 to compromise a range of environments. PeckBirdy is JScript-based, which allows it to run across different environments using legitimate system tools, or so-called living-off-the-land binaries (LOLBins).
Synaptic Systems analyzes a Gamaredon campaign that leverages the Windows BITS service to deliver payloads to compromised systems.
The North Korean-linked hacking group, known as Konni, Opal Sleet and TA406, is using AI-generated PowerShell malware to target developers and engineers in the blockchain sector. The group’s latest campaign is focused on the Asia-Pacific region, with malware samples submitted from Japan, Australia, and India.
CrowdStrike released a report detailing the evolution of the North Korea-linked hacker group known as LABYRINTH CHOLLIMA. According to the researchers, the group has split into three distinct adversaries with different malware, objectives, and tactics. GOLDEN CHOLLIMA and PRESSURE CHOLLIMA now likely operate independently, focusing mainly on cryptocurrency targets, while the core LABYRINTH CHOLLIMA group continues to conduct espionage operations against industrial, logistics, and defense organizations.
Cisco Talos has observed a new campaign attributed to the UAT-8099 threat actor targeting vulnerable IIS servers across Asia, particularly in Thailand and Vietnam. The activity shows operational overlap with the WEBJACK campaign, including shared malware hashes, C2 infrastructure, and victim profiles. UAT-8099 leverages web shells, PowerShell, and the GotoHTTP tool to gain remote access, while deploying new BadIIS variants that are region-specific and highly customized.
Researchers at HarfangLab have detailed a campaign dubbed ‘RedKitten,’ first seen in early January 2026, targeting Iranian protest activity, particularly NGOs and individuals documenting recent human rights abuses. The malware leverages GitHub and Google Drive for configuration and payload delivery, with Telegram used for command and control, and shows signs of AI-assisted development. The activity aligns with the Dey 1404 Protests that erupted in Iran late December 2025. The researchers did not attribute the campaign to a particular threat actor, but noted that the activity leverages techniques previously associated with Iranian state-sponsored groups.
An offensive OT framework is being sold on a TOR-accessible platform and promoted by the “APT IRAN” channel, which claims it is the most comprehensive industrial and military control network framework in the Black Industry ecosystem to date. APT Iran is widely believed to be a rebrand of the CyberAv3ngers hacktivist group.
Indian government entities were targeted in two cyber-espionage campaigns, tracked as Gopher Strike and Sheet Attack, attributed to a Pakistan-based threat actor. Sheet Attack abused legitimate services like Google Sheets, Firebase, and email for command-and-control to hide malicious activity within normal traffic. Gopher Strike used phishing emails with PDF attachments that showed a blurred image and a fake prompt to download a malicious Adobe Acrobat Reader DC update.
Obsidian Security researchers have uncovered (part1, part2) malicious Chrome extensions stealing OpenAI API keys at scale. The extensions, installed roughly 10,000 times, have already exfiltrated at least 459 unique API keys to an attacker-controlled Telegram channel. The activity appears isolated and the attacker’s intent is unclear, the researchers note.
LayerX Research has discovered a coordinated campaign involving malicious Chrome browser extensions posing as ChatGPT enhancement and productivity tools. While advertised as helpful add-ons, the extensions are designed to hijack users’ ChatGPT identities by stealing session authentication tokens. The campaign includes at least 16 distinct extensions linked to the same threat actor that have accumulated roughly 900 downloads.
CloudSEK uncovered multiple interconnected fraud clusters exploiting traffic ticket enforcement, tax refund claims, airline booking portals, and postal delivery alerts to steal personal and financial data at scale. Much of this activity is linked to the “PayTool” phishing ecosystem, a well-known fraud framework that uses SMS-based social engineering to target Canadians with traffic violation and fine payment scams.
A prolific initial access broker, tracked as TA584, has expanded its activity with Tsundere Bot used alongside the XWorm RAT to gain network access that may lead to ransomware attacks. According to Proofpoint, the group now employs a continuous attack chain designed to evade static detection, with malware capable of information gathering, data exfiltration, lateral movement, and deploying additional payloads. TA584 overlaps with a group tracked as Storm-0900.
Researchers uncovered a large-scale cybercrime campaign, dubbed ‘Operation Bizarre Bazaar,’ targeting exposed or poorly secured LLM service endpoints to monetize unauthorized AI access. Over 40 days, Pillar Security observed 35,000+ attack sessions on honeypots. The campaign exploits common misconfigurations such as unauthenticated Ollama instances on port 11434, internet-exposed OpenAI-compatible APIs on port 8000, MCP servers lacking access controls, development and staging AI infrastructure with public IP addresses, and production chatbot endpoints, such as customer support or sales bots, operating without authentication or rate limiting.
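The misconfigurations listed above are ones a defender can check for on their own hosts before an external scanner does. The following added example, which is not code from the original report or from Pillar Security, parses a constructed `ss -ltnp`-style socket listing and flags AI-service ports (11434 for Ollama and 8000 for OpenAI-compatible APIs, both named in the item) that are bound to a non-loopback address. The port-to-service mapping, the sample output and the helper names are assumptions of this example.

```python
"""Audit a host's listening sockets for internet-reachable LLM service ports.

Added example, not part of the original report. Feed parse_listeners() the
real output of `ss -ltnp` on Linux; SAMPLE_SS_OUTPUT below is constructed.
"""
import re
from dataclasses import dataclass

# Ports from the report. The service names are an assumed mapping; 8000 is
# also the default for vLLM's OpenAI-compatible server.
AI_SERVICE_PORTS = {
    11434: "Ollama API",
    8000: "OpenAI-compatible API (e.g. vLLM default)",
}

# Addresses that are only reachable from the host itself.
LOOPBACK_PREFIXES = ("127.", "[::1]", "::1")

# Matches one `ss -ltnp` data row: state, queues, local addr:port, peer, process.
SS_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(.*)$")


@dataclass
class Listener:
    addr: str
    port: int
    process: str

    @property
    def is_loopback(self) -> bool:
        return self.addr.startswith(LOOPBACK_PREFIXES)


def parse_listeners(ss_output: str) -> list[Listener]:
    """Parse `ss -ltnp` output into Listener records; header lines are skipped."""
    listeners = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:
            continue
        addr, port, rest = m.groups()
        proc = re.search(r'users:\(\("([^"]+)"', rest)
        listeners.append(Listener(addr, int(port), proc.group(1) if proc else "?"))
    return listeners


def find_exposed_ai_services(listeners: list[Listener]) -> list[dict]:
    """Return AI-service listeners bound to a wildcard or non-loopback address."""
    findings = []
    for l in listeners:
        if l.port in AI_SERVICE_PORTS and not l.is_loopback:
            findings.append({
                "port": l.port,
                "service": AI_SERVICE_PORTS[l.port],
                "bind": l.addr,
                "process": l.process,
                "advice": "bind to 127.0.0.1 or front with an authenticating, rate-limited proxy",
            })
    return findings


# Constructed sample: Ollama on all IPv4 interfaces, an OpenAI-compatible API on
# loopback (fine) and another on all IPv6 interfaces (exposed), plus sshd.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:11434       0.0.0.0:*         users:(("ollama",pid=1234,fd=3))
LISTEN 0      128    127.0.0.1:8000      0.0.0.0:*         users:(("python3",pid=2345,fd=5))
LISTEN 0      4096   [::]:8000           [::]:*            users:(("python3",pid=2346,fd=5))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=800,fd=3))
"""

if __name__ == "__main__":
    for f in find_exposed_ai_services(parse_listeners(SAMPLE_SS_OUTPUT)):
        print(f"[EXPOSED] {f['service']} on {f['bind']}:{f['port']} ({f['process']}): {f['advice']}")
```

Run it on real `ss -ltnp` output to get an inventory of AI endpoints that are reachable beyond the host; a listener on `0.0.0.0` or `[::]` is only safe if a firewall or authenticating reverse proxy sits in front of it, which this check cannot see, so treat its findings as a review list rather than a verdict.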
A new malicious campaign has been observed that combines the ClickFix social-engineering technique with fake CAPTCHA pages and a signed Microsoft Application Virtualization (App-V) script to distribute the Amatera infostealing malware. The campaign abuses a legitimate Microsoft script (SyncAppvPublishingServer.vbs), which is executed via the trusted wscript.exe binary.
Fortinet FortiGuard Labs detailed a new multi-stage phishing campaign targeting users in Russia, delivering ransomware alongside the Amnesia RAT remote access trojan. The attack relies on business-themed phishing documents and abuses trusted cloud services like GitHub and Dropbox to host malicious scripts and payloads. It also uses the Defendnot tool to impersonate legitimate antivirus software and disable Microsoft Defender.
Security researchers at Varonis have uncovered a new malware-as-a-service (MaaS) operation dubbed “Stanley,” which involves malicious Chrome extensions capable of passing Google’s review process and being published on the Chrome Web Store.
Google, working with industry partners, has disrupted IPIDEA, one of the world’s largest residential proxy networks, by taking legal action to shut down domains controlling compromised devices. The company says IPIDEA enabled large-scale botnet operations by infecting devices via its SDKs and routing malicious proxy traffic. IPIDEA has been linked to major botnets, including BadBox 2.0, Aisuru, and Kimwolf.
US authorities have seized the dark web and clearnet domains of RAMP (Russian Anonymous Marketplace), a major cybercrime forum used by ransomware gangs, extortionists, and initial access brokers. DNS records show the domains have been seized. The platform’s alleged administrator, known online as “Stallman,” has confirmed in a post on the XSS cybercrime forum that authorities had taken control of RAMP. Stallman said that he would not be relaunching RAMP; however, he will continue his primary business of buying network access.
Hungarian and Romanian police have arrested four young suspects in connection with bomb threats, false emergency calls, and misuse of personal data. The suspects are accused of online swatting and doxing, targeting schools, religious sites, residential buildings, and individuals. Authorities said the suspects obtained victims’ personal information via Discord and used it to make false emergency reports, leading to repeated police deployments.
US authorities took control of over $400 million in cryptocurrency, property, and money linked to Helix, a cryptocurrency mixer used by criminals to hide the source of crypto transactions. The service was run by Larry Dean Harmon, who handled more than $300 million in cryptocurrency from 2014 to 2017. Harmon pleaded guilty to money laundering and was sentenced in 2024 to three years in prison, with his assets seized.
The US Department of Justice has charged 31 more people in a large ATM jackpotting scheme that allegedly stole at least $5.4 million from 63 ATMs using Ploutus malware. The group is accused of installing the malware after testing ATM security, allowing them to remotely force machines to dispense cash. The new indictment follows charges against 56 suspects last month, with some defendants alleged to have ties to the Venezuelan gang Tren de Aragua.
A 33-year-old man from Slovakia has pleaded guilty to helping operate Kingdom Market, a dark web marketplace used to trade drugs and stolen personal data. Alan Bill of Bratislava admitted in a US court to providing web administration services for the site, managing its online presence, and receiving cryptocurrency payments. Kingdom Market ran from March 2021 until authorities shut it down in December 2023, seizing its associated domains during the takedown.
Ianis Aleksandrovich Antropenko, a Russian national living in the United States, pleaded guilty to leading a years-long ransomware conspiracy that targeted dozens of victims and caused at least $1.5 million in losses. He admitted to conspiracy to commit computer fraud and money laundering, faces up to 25 years in prison, and has been ordered to pay restitution and forfeit assets; authorities have already seized more than $2.8 million in cryptocurrency. Federal investigators traced his activities across multiple online and financial platforms, and identified his ex-wife as an alleged co-conspirator, though she has not been charged.