Cyber Security Week in Review: February 20, 2026

A suspected Chinese state-backed hacking group has been exploiting a critical zero-day vulnerability in Dell software since mid-2024. The targeted flaw is CVE-2026-22769, a hardcoded credential issue in Dell RecoverPoint for Virtual Machines, a data protection solution used to back up and recover VMware virtual machines. The researchers have linked the exploitation activity to a threat cluster tracked as UNC6201. Once inside victim environments, the attackers deployed multiple malware payloads, including a new C#-based backdoor dubbed ‘Grimbolt.’

Google has released security updates for its Google Chrome browser to address a high-severity vulnerability that has been actively exploited in zero-day attacks. The flaw, tracked as CVE-2026-2441, is the first Chrome zero-day patched since the beginning of the year. It is a use-after-free error within the CSS component of Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger the use-after-free error and execute arbitrary code on the target system.

The Cybersecurity and Infrastructure Security Agency (CISA) has added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild. The flaws include CVE-2026-2441, a use-after-free vulnerability in Google Chrome that could allow remote attackers to trigger heap corruption via a crafted HTML page. The second flagged flaw, CVE-2024-7694, affects TeamT5 ThreatSonar Anti-Ransomware versions 3.4.5 and earlier, allowing arbitrary file uploads that could lead to system command execution.

Also listed is CVE-2020-7796, a server-side request forgery (SSRF) flaw in Zimbra Collaboration Suite that could allow attackers to access sensitive information by sending crafted HTTP requests. In March 2025, GreyNoise reported that around 400 IP addresses were actively exploiting multiple SSRF vulnerabilities, including CVE-2020-7796, targeting vulnerable systems across the United States, Germany, Singapore, India, Lithuania, and Japan.

The fourth flaw, CVE-2008-0015, impacts the Microsoft Windows Video ActiveX Control, exposing systems to remote code execution through a malicious web page.

Palo Alto Networks’ Unit 42 published a technical analysis of two critical zero-day vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Ivanti Endpoint Manager Mobile (EPMM). The flaws allow unauthenticated attackers to remotely execute arbitrary code on affected servers, giving them full control of mobile device management systems without needing user credentials or interaction. The Unit 42 team has observed widespread attacks involving reverse shells, web shells, reconnaissance activity, and malware downloads. The campaign has impacted organizations in the United States, Germany, Australia, and Canada across sectors including government, healthcare, manufacturing, professional services, and high technology.

The team behind Notepad++ has rolled out version 8.9.2 to address security issues exploited by a China-linked threat actor who hijacked the software’s update mechanism to selectively distribute malware to specific targets. The release additionally patches a security vulnerability, tracked as CVE-2026-25926, which could allow arbitrary code execution.

Researchers at LAB52 have uncovered a new campaign, dubbed ‘Operation MacroMaze,’ attributed to APT28 aka Fancy Bear, Forest Blizzard and Frozenlake. Active from at least late September 2025 through January 2026, the operation has targeted selected entities in Western and Central Europe using basic tooling and legitimate web services to blend malicious activity with normal traffic.

A previously unknown threat actor, linked to Russian intelligence, has been carrying out cyberattacks on Ukrainian organizations using CANFAIL malware. Initially targeting defense, military, government, and energy sectors, the group has recently expanded to aerospace, military-linked manufacturing, nuclear and chemical research, and humanitarian organizations. Compared to other Russian state-backed hacker groups, it is less skilled and resourced, using AI and large language models to create phishing lures and improve attack methods.

CERT Polska has published a detailed technical analysis of a malware infection at a Polish organization that used the ClickFix technique to deliver the Latrodectus (aka BlackWidow) malware downloader. Latrodectus, developed by the creators of IcedID malware, has most often been distributed via email campaigns, primarily by TA577 and TA578.

Threat actors are abusing DNS queries to deliver malware as part of the ClickFix social engineering technique. Researchers at Microsoft Threat Intelligence have observed a novel variation that replaces traditional HTTP-based payload delivery with DNS lookups.

Acronis’ Threat Research Unit has uncovered Crescentharvest, a malware campaign targeting Farsi-speaking supporters of Iran’s protests. The attackers use protest-themed .LNK files disguised as media to deliver a remote access trojan via DLL sideloading with a signed Google executable. The malware enables command execution, keylogging, and data theft. The researchers didn’t attribute the campaign to any particular threat actor, but noted that the tooling and infrastructure suggest that Iranian state-backed hackers are behind the campaign. Crescentharvest primarily targets protest sympathizers inside Iran, but activists, journalists, and others seeking reliable information may also be at risk.

Dragos’ annual threat report says three new hacking groups targeted critical infrastructure last year, while Volt Typhoon continued attacking cellular gateways and routers used by US electric, oil, and gas companies. The new groups include Sylvanite, which helps another group called Voltzite break in by exploiting security flaws in products from F5, Ivanti, and SAP; Azurite, linked to Flax Typhoon, which targets operational technology (OT) engineering workstations to maintain long-term access and steal data; and Pyroxene, connected to the Islamic Revolutionary Guard Corps, which carries out supply chain attacks using social engineering and deploys data-wiping malware against organizations in Israel.

Cybersecurity researchers at Abnormal have uncovered a sophisticated phishing kit called Starkiller that allows criminals to steal usernames and passwords by spoofing legitimate login pages and bypassing multi-factor authentication (MFA). It is sold on the dark web as a software-as-a-service (SaaS). Starkiller launches a headless Chrome instance (a browser that operates without a visible window) inside a Docker container, loads the brand’s real website, and acts as a reverse proxy between the target and the legitimate site.

Proofpoint has discovered a new malware-as-a-service (MaaS) called 'TrustConnect,' disguised as a legitimate remote monitoring and management (RMM) tool. Its purported “business page” is actually the MaaS login, with access advertised at $300 per month. Analysis of the malware’s capabilities and the threat actor’s profile suggests, with moderate confidence, that the actor behind TrustConnect was also a notable user of Redline stealer.

Scammers are now using AI to create fake chatbots that pretend to be real AI assistants and trick people into buying worthless cryptocurrencies. Malwarebytes recently found a fake “Google Coin” presale website with a chatbot claiming to be Gemini from Google. The chatbot gave a convincing sales pitch, answered investment questions, and encouraged users to send irreversible crypto payments. In reality, Google does not have a cryptocurrency, and the entire setup was a scam, the researchers warned.

ESET researchers have spotted a new Android malware called ‘PromptSpy,’ said to be the first known malware to exploit Google's generative AI chatbot Gemini in its execution flow. PromptSpy can capture lockscreen data, prevent uninstallation, collect device information, take screenshots, and record screen activity as video.

ThreatFabric’s Mobile Threat Intelligence (MTI) team has detailed a new Android banking trojan, named ‘Massiv,’ which allows operators to remotely control infected devices, execute Device Takeover attacks, and carry out fraudulent transactions from victims’ accounts. So far, the malware has been observed only in limited attacks.

Threat actors are using a new obfuscation method called emoji smuggling to hide malicious code from security systems. The technique uses Unicode and emoji characters to bypass traditional security tools that are designed to detect threats written in normal letters and numbers.

Cybersecurity firm Hudson Rock says it has observed the first known in-the-wild case of infostealer malware targeting files linked to the OpenClaw AI agent framework that stores sensitive configuration data on users’ machines.

Recorded Future’s Insikt Group has released a report on a cybercrime group it tracks as “GrayCharlie,” which overlaps with the threat actor known as “SmartApeSG.” GrayCharlie mainly uses hacked WordPress websites to spread malware. When visitors land on the sites, they are redirected to fake browser update pages or shown ClickFix pop-ups. If victims follow the instructions, they unknowingly download NetSupport RAT, a remote access tool that allows attackers to control victims’ systems. In some cases, additional malware such as Stealc or SectopRAT is also deployed.

Koi Security researchers have uncovered a large-scale malware campaign that allegedly hijacked more than half a million accounts on Russia’s most popular social network VKontakte through malicious Google Chrome browser extensions disguised as customization tools.

Check Point Research (CPR) has detailed a novel attack technique that turns artificial intelligence assistants with web-browsing capabilities into covert command-and-control (C&C) relays, allowing malicious traffic to blend into legitimate enterprise communications. Dubbed “AI as a C2 proxy,” the method was tested against platforms including Microsoft Copilot and Grok. According to researchers, the technique exploits anonymous web access combined with browsing and summarization prompts to transform the AI tools into bidirectional communication channels.

A new academic study has found that several major cloud-based password managers, including Bitwarden, Dashlane, and LastPass, are susceptible to password recovery attacks under certain conditions. The issues span from targeted vault integrity violations to the potential compromise of all vaults within an organization.

Texas has filed a lawsuit against networking giant TP-Link Systems, alleging that the company falsely marketed its routers as secure. The lawsuit claims hackers backed by China could exploit flaws in the devices. It also says TP-Link labeled products "Made in Vietnam" even though most parts come from China, which matters because Chinese law can force companies to share user data with the government.

The US FBI has issued a FLASH alert detailing indicators of compromise (IOCs) and technical information related to malware-based ATM jackpotting. ATM jackpotting is a type of attack in which threat actors exploit both physical and software vulnerabilities in ATMs to deploy malware that forces the machines to dispense cash without legitimate transactions. The FBI says the number of such incidents has increased across the US, with over 1,900 cases since 2020. More than 700 incidents in 2025 alone resulted in losses exceeding $20 million.

Dutch authorities arrested a 40-year-old man in Ridderkerk for allegedly downloading confidential police documents that were mistakenly sent to him. He reportedly refused to delete the files unless he received “something in return,” leading police to treat the case as attempted extortion. Officers searched his home, seized data devices, and are investigating under computer hacking laws, as accessing files clearly not meant for him can violate Dutch law.

A 47-year-old man suspected of working with the Phobos ransomware group has been arrested in Poland. Police also seized electronic devices that allegedly contain stolen data. During a search of the suspect’s home, police found computers and mobile phones containing login details, passwords, credit card numbers, and server IP addresses. Officials said the man communicated with other Phobos members through encrypted messaging apps.

A Nigerian national living in Mexico, Matthew A. Akande, has been sentenced in the US to eight years in prison for running a long-term tax fraud and hacking scheme. He was also ordered to serve three years of supervised release and pay $1.39 million in restitution. According to the authorities, he and his co-conspirators targeted tax preparation firms by sending phishing emails that installed malware, including Warzone RAT, to steal clients’ personal data. Using the stolen information, the group filed more than 1,000 fraudulent tax returns with the Internal Revenue Service, seeking over $8.1 million in refunds. The scheme ultimately netted more than $1.3 million.

Law enforcement from 16 African countries made 651 arrests and recovered over $4.3 million as part of a major police operation codenamed ‘Operation Red Card 2.0’ spanning from December 8, 2025 to January 30, 2026. The operation targeted high-yield investment scams, mobile money fraud, and fake mobile loan schemes. Investigators uncovered scams causing $45 million in losses affecting 1,247 victims, mostly in Africa. Authorities also seized 2,341 devices and shut down 1,442 malicious IPs, domains, and servers.