Microsoft addressed nearly 60 security bugs in this month’s Patch Tuesday release, including six actively exploited zero-day flaws. The exploited flaws are:
- CVE-2026-21510 affects Windows SmartScreen and Windows Shell, enabling attackers to bypass security prompts if a user is tricked into opening a malicious link or shortcut file.
- CVE-2026-21514 impacts Microsoft 365 and Office, allowing attackers to bypass OLE mitigations via a crafted Office document.
- CVE-2026-21513 involves malicious HTML or LNK files and could enable security control bypass and potential code execution.
- CVE-2026-21519 in Windows Desktop Window Manager and CVE-2026-21533 in Windows Remote Desktop Services could allow elevation to SYSTEM privileges.
- CVE-2026-21525 in Windows Remote Access Connection Manager could be exploited to cause a local denial of service.
Apple has released security updates to address a zero-day vulnerability that the company says was exploited in an “extremely sophisticated attack.” The flaw, tracked as CVE-2026-20700, is an arbitrary code execution issue in dyld, the Dynamic Link Editor used across Apple operating systems including iOS, iPadOS, macOS, tvOS, watchOS, and visionOS. An attacker with memory write capabilities could exploit the vulnerability to execute malicious code on affected devices. Apple said it is aware of reports that the vulnerability was used in targeted attacks on versions of iOS prior to iOS 26. The company also noted that two previously disclosed flaws, CVE-2025-14174 and CVE-2025-43529, which were patched in December, were exploited in the same incidents.
Fortinet has fixed two high-risk vulnerabilities affecting its FortiOS product. The first is CVE-2025-68686, an information disclosure issue that allows a remote user to gain access to potentially sensitive information via a specially crafted HTTP request. This flaw was marked as exploited in the wild, though it needs to be paired with other vulnerabilities that provide access at the filesystem level.
The second flaw is CVE-2026-22153, an authentication bypass issue that stems from an error in fnbamd. It allows a remote attacker to bypass LDAP authentication in Agentless VPN and FSSO and gain unauthorized access to the network.
BeyondTrust has released security updates to fix a critical vulnerability affecting its Remote Support (RS) and certain older versions of Privileged Remote Access (PRA). The flaw is a pre-authentication operating system command injection, tracked as CVE-2026-1731, that could allow an unauthenticated attacker to execute arbitrary operating system commands via specially crafted requests, potentially leading to remote code execution. Cybersecurity firm watchTowr said it has observed the flaw being exploited in the wild, with attackers abusing get_portal_info to extract the x-ns-company value before establishing a WebSocket channel.
Microsoft said it observed a sophisticated multi-stage cyber intrusion involving the exploitation of internet-exposed SolarWinds Web Help Desk (WHD) instances. Threat actors used the compromised systems to gain initial access and laterally move across affected networks to high-value assets within the organization.
The company said it has yet to confirm which specific SolarWinds vulnerability was used in the attacks. The activity may have involved the recently disclosed flaws tracked as CVE-2025-40551 and CVE-2025-40536, or a previously patched issue (CVE-2025-26399). Because the intrusions occurred in December 2025 on systems vulnerable to both the older and the newer flaws, Microsoft said it could not reliably determine the exact entry point.
GreyNoise observed 417 exploitation attempts targeting Ivanti EPMM, with 83% traced to a single PROSPERO-hosted IP (193.24.123[.]42). The main target was CVE-2026-1281, which can be chained with CVE-2026-1340 to achieve unauthenticated RCE. Ivanti confirmed limited zero-day exploitation.
The same IP also probed CVE-2026-21962 (Oracle WebLogic), CVE-2026-24061 (GNU InetUtils telnetd), and CVE-2025-24799 (GLPI). Most activity used DNS beaconing to identify vulnerable systems. Separately, Defused Cyber researchers uncovered a stealthy “sleeper shell” implanted on compromised EPMM instances for persistence.
Earlier this month, EU, Dutch and Singapore authorities disclosed security breaches linked to Ivanti vulnerabilities. In the case of Singapore, the attacks were attributed to a China-nexus cyberespionage group tracked as UNC3886. The threat actor targeted all four of Singapore’s major telecommunications operators – M1, SIMBA Telecom, Singtel and StarHub. In one instance, the threat actor used a zero-day exploit to access the victim’s network and steal a small amount of network-related data, likely to further its operation. In another intrusion, UNC3886 used advanced tools and techniques such as rootkits to maintain persistent access and stay hidden.
A new Google report says government-backed hacking groups are increasingly using AI to support their cyberattacks. In late 2025, groups such as China-linked TEMP.Hex (aka Mustang Panda, Twill Typhoon and Earth Preta) used AI tools to research targets, find email addresses, study security weaknesses and create more convincing phishing messages. Hackers linked to Iran, North Korea and China used tools like Google’s Gemini to gather public information, profile important individuals and plan attacks. Some groups, like APT31 (aka Violet Typhoon, Judgment Panda, Zirconium), also experimented with AI to automatically analyze software vulnerabilities.
Cyfirma published a profile on Fancy Bear aka APT28, a Russian state-sponsored threat actor active since at least 2007 and linked to major cyber operations, including election interference. More recently, the group exploited a Microsoft Office vulnerability (CVE-2026-21509) to target government and defense organizations in Eastern Europe and the EU. It has also expanded targeting to energy, defense, and government communication sectors, using spoofed portals to harvest credentials and gather strategic intelligence.
Finnish cybersecurity firm CheckFirst has mapped the internal structure of Russia's information operations forces by examining 118 images of insignia, patches, and military pennants. The researchers were able to identify VIO units, trace their chain of command, and locate their facilities throughout Russia.
ReversingLabs has uncovered a new branch of the Lazarus Group’s fake recruiter campaign, dubbed ‘graphalgo,’ active since May 2025. The operation targets JavaScript and Python developers with cryptocurrency-themed job offers distributed via LinkedIn, Facebook, and Reddit. Posing as a blockchain company, the attackers deliver malicious code via platforms like GitHub, npm, and PyPI. A key component is the npm package called ‘bigmathutils,’ which gained over 10,000 downloads in its legitimate form before a later version was updated to include a malicious payload.
In a separate incident, a North Korea-linked threat cluster, tracked as UNC1069, launched targeted attacks against the cryptocurrency sector, using AI-generated deepfake video and the ClickFix social engineering technique to deliver malware to both macOS and Windows systems.
Indian defense organizations and related government groups have been targeted in phishing campaigns attempting to infect Windows and Linux systems with remote access trojans (RATs) such as Geta RAT, Ares RAT, and DeskRAT, which are able to steal sensitive information and provide long-term control over compromised devices. The campaigns are linked to Pakistan-aligned threat groups known as SideCopy and APT36 (Transparent Tribe).
A previously undocumented cyber espionage group operating from Asia has breached at least 70 government and critical infrastructure organizations across 37 countries over the past year. The threat actor gains initial access through phishing emails that deliver malicious ZIP files hosted on MEGA, containing a custom loader known as Diaoyu Loader.
Germany’s Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI) have issued a joint advisory warning of a sophisticated phishing campaign targeting users of the Signal messaging app. The operation is believed to be conducted by a state-sponsored threat actor and is aimed at high-ranking figures in politics, the military, and diplomacy, as well as investigative journalists across Germany and Europe.
Supply-chain security firm Koi has found that the AgreeTo Outlook add-in (originally a legitimate meeting scheduling tool) was hijacked and turned into a phishing kit that stole over 4,000 Microsoft account credentials. The add-in, available in the Microsoft Office Add-in Store since December 2022, relied on a developer-hosted URL. After the original developer abandoned the project, attackers took control, deploying a fake Microsoft sign-in page, a password collection form, an exfiltration script, and a redirect to harvest user credentials.
SmarterTools has confirmed that the Warlock ransomware gang breached its network after compromising an internal email system, though the company says business applications and customer account data were not impacted. Threat actors breached a SmarterMail virtual machine (VM) that had been set up by an employee and was not receiving updates. Attackers exploited CVE-2026-23760, an authentication bypass vulnerability in SmarterMail versions prior to Build 9518, which allows threat actors to reset administrator passwords and gain full system privileges.
eSentire has shared its findings on the Russia-linked Prometei botnet, active since 2016. It provides remote control, credential harvesting, Monero mining, lateral movement, and C2 over both the clear web and Tor, with self-preservation mechanisms to maintain exclusive system access.
The researchers were not able to determine the initial access vector in the observed incident due to limited logging and the lack of EDR on the affected system. However, an analysis of Prometei modules suggests the attackers may have exploited default or commonly used RDP credentials.
A massive worm-driven campaign is targeting cloud-native environments to build malicious infrastructure for large-scale follow-on attacks. The activity, first observed around December 25, 2025, exploits exposed Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers, as well as the critical React2Shell vulnerability (CVE-2025-55182). The campaign has been attributed to the TeamPCP threat cluster, also tracked as DeadCatx3, PCPcat, PersyPCP, and ShellForce.
A recently observed Linux botnet, dubbed ‘SSHStalker,’ is leveraging the decades-old Internet Relay Chat (IRC) protocol to manage its command-and-control (C&C) operations. Instead of sophisticated evasion techniques, SSHStalker uses noisy SSH scanning, one-minute cron jobs for persistence, and an array of 15-year-old vulnerabilities.
A fake website impersonating the popular file archiver 7-Zip is being used to distribute a trojanized installer that turns infected computers into residential proxy nodes. Malwarebytes says the campaign impersonates not only 7-Zip, but HolaVPN, TikTok, WhatsApp, and Wire VPN.
Threat actors have been using a cyber-espionage toolkit dubbed ‘DKnife’ since at least 2019 to hijack internet traffic at the edge-device level and deliver malware. DKnife is a post-compromise framework designed for traffic monitoring and adversary-in-the-middle (AitM) attacks. It intercepts and manipulates traffic destined for endpoint devices such as computers, mobile phones, and IoT systems.
CloudSEK’s SVigil discovered that login credentials for the airport operational dashboards of a European fourth-party airport vendor were exposed on cybercrime forums, creating a potential backdoor into 200 airports worldwide.
LayerX researchers spotted a coordinated campaign of 30 Chrome extensions, marketed as AI assistants for summarization, chat, writing, and Gmail. While they appear legitimate, the extensions embed remote, server-controlled interfaces and act as privileged proxies, giving attackers access to sensitive browser capabilities. Despite being published under different names and IDs, all share the same codebase, permissions, and backend infrastructure, impacting over 260,000 users.
Dutch police have arrested a 21-year-old from Dordrecht for allegedly distributing JokerOTP, a tool used by cybercriminals to steal one-time passwords. This marks the third arrest linked to JokerOTP, following the detention of its developer and co-developer earlier in 2025. Authorities say the suspect sold the bot via Telegram and possessed its license keys at the time of his arrest.
A US court sentenced Daren Li, a dual citizen of China and St. Kitts and Nevis, to 20 years in prison in absentia for his role in a $73 million international cryptocurrency scam. Li, who became a fugitive after removing his ankle monitor in December, was also sentenced to three years of supervised release. He and his accomplices operated from scam centers in Cambodia, targeting victims via social media, phone calls, and online dating platforms. They used professional or romantic relationships to gain trust and trick victims into investing in fake crypto platforms or sending funds to resolve nonexistent tech issues.
Samuel D. Marcus, a former employee of the US Department of Defense, has been indicted for allegedly laundering millions of dollars for Nigeria-based scammers. Prosecutors say he helped move money from fraud schemes, including romance and business email scams, by transferring stolen funds through his accounts, converting some into cryptocurrency, and sending it overseas. He is accused of lying to banks and investigators and continuing the activity even after being warned by the FBI. If convicted, he faces up to 100 years in prison and fines of up to $2 million.