
RustFS Flaw, Iranian Ops, WebUI RCE, Cloud Leaks, and 12 More Stories

The web never stays quiet. Every week, new hacks, scams, and security issues show up somewhere.

This week's stories show how fast attackers change their methods, how small mistakes turn into big risks, and how the same old tools keep finding new ways to break in.

Read on to catch up before the next wave hits.

  1. Honeypot Traps Hackers

    Cybersecurity company Resecurity revealed that it deliberately lured threat actors who claimed to be associated with Scattered LAPSUS$ Hunters (SLH) into a trap, after the group claimed on Telegram that it had hacked the company and stolen internal and client data. The company said it set up a honeytrap account populated with fake data designed to resemble real-world enterprise data, and planted a fake account on an underground market for compromised credentials, after it uncovered a threat actor attempting to conduct malicious activity against its resources in November 2025 by probing various publicly facing services and applications. The threat actor is also said to have targeted one of its employees who had no sensitive data or privileged access. "This led to a successful login by the threat actor to one of the emulated applications containing synthetic data," it said. "While the successful login could have enabled the actor to gain unauthorized access and commit a crime, it also provided us with strong evidence of their activity. Between December 12 and December 24, the threat actor made over 188,000 requests attempting to dump synthetic data." As of January 4, 2026, the group had removed the post announcing the hack from its Telegram channel. Resecurity said the exercise also allowed it to identify the threat actor and link one of their active Gmail accounts to a U.S.-based phone number and a Yahoo account. Regardless of the setback, new findings from CYFIRMA indicate that the loose-knit collective has resurfaced with scaled-up recruitment activity, seeking initial access brokers, insider collaborators, and corporate credentials. 
"Chatroom discussions repeatedly reference legacy threat brands such as LizardSquad, though these mentions remain unverified and are likely part of an intimidation or reputation-inflation strategy rather than evidence of a formal alliance," it said.

  2. Crypto Miner by way of GeoServer

    Threat actors are exploiting a known flaw in GeoServer, CVE-2024-36401, to distribute an XMRig cryptocurrency miner via PowerShell commands. "Additionally, the same threat actor is also distributing a coin miner to WebLogic servers," AhnLab said. "It appears that they are installing CoinMiner after they scan the systems exposed to the outside world and find vulnerable services." Two other threat actors have also abused the flaw to deliver the miner, AnyDesk for remote access, and a customized downloader malware dubbed "systemd", fetched from an external server, whose exact function remains unknown. "Threat actors are targeting environments where GeoServer is installed and are installing various coin miners," the company said. "The threat actor can then use NetCat, which is installed along with the coin miner, to install other malware or steal information from the system."

  3. KEV Catalog Growth

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added 245 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog in 2025, as the database grew to 1,484 software and hardware flaws at high risk of cyber attacks, an increase of about 20% from the previous year. In comparison, 187 vulnerabilities were added in 2023 and 185 in 2024. Of the 245 flaws, 24 were exploited by ransomware groups. Microsoft, Apple, Cisco, Fortinet, Google Chromium, Ivanti, Linux Kernel, Citrix, D-Link, Oracle, and SonicWall accounted for 105 of the vulnerabilities added to the catalog. According to Cyble, the oldest vulnerability added to the KEV catalog in 2025 was CVE-2007-0671, a Microsoft Office Excel remote code execution vulnerability. The oldest vulnerability in the catalog overall is CVE-2002-0367, a privilege escalation vulnerability in the Windows NT and Windows 2000 "smss.exe" debugging subsystem that is known to have been used in ransomware attacks.
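The numbers above (additions per year, ransomware-linked share, oldest CVE, top vendors) can be reproduced from the public KEV JSON feed. The script below is an added example, not CISA's or Cyble's code: the field names match the real feed, but the five records in SAMPLE_FEED are constructed so it runs offline, and their dates and ransomware flags are illustrative rather than the feed's actual values. Note the distinction it draws between "oldest bug" (earliest CVE year) and "earliest addition" (dateAdded), which the counts above rely on.

```python
"""Compute yearly KEV statistics of the kind cited above from a feed snapshot.

Added example (not CISA's or Cyble's code). Field names match the public KEV
JSON feed (cveID, vendorProject, dateAdded, knownRansomwareCampaignUse); the
entries in SAMPLE_FEED are constructed so the script runs offline, and their
dates and flags are illustrative, not the feed's real records.
"""
import json
import urllib.request
from collections import Counter
from datetime import date

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2007-0671", "vendorProject": "Microsoft",
     "dateAdded": "2025-02-18", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-53770", "vendorProject": "Microsoft",
     "dateAdded": "2025-07-20", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-22457", "vendorProject": "Ivanti",
     "dateAdded": "2025-04-04", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-36401", "vendorProject": "OSGeo",
     "dateAdded": "2024-07-15", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2002-0367", "vendorProject": "Microsoft",
     "dateAdded": "2022-03-25", "knownRansomwareCampaignUse": "Known"},
]})


def load_feed(raw: str) -> list:
    """Parse the feed document and return its vulnerability records."""
    return json.loads(raw)["vulnerabilities"]


def fetch_live_feed(timeout: float = 30.0) -> list:
    """Download the current catalog (needs network; not used by the offline demo)."""
    with urllib.request.urlopen(KEV_URL, timeout=timeout) as resp:
        return load_feed(resp.read().decode("utf-8"))


def added_in_year(entries: list, year: int) -> list:
    """Records whose dateAdded falls in the given calendar year."""
    return [e for e in entries if date.fromisoformat(e["dateAdded"]).year == year]


def ransomware_linked(entries: list) -> list:
    """Records CISA marks as used in known ransomware campaigns."""
    return [e for e in entries if e.get("knownRansomwareCampaignUse") == "Known"]


def cve_year(cve_id: str) -> int:
    """The year component of a CVE identifier (CVE-YYYY-NNNN)."""
    return int(cve_id.split("-")[1])


def oldest(entries: list) -> dict:
    """The record with the earliest CVE year: the oldest bug, not the earliest addition."""
    return min(entries, key=lambda e: cve_year(e["cveID"]))


def pct_change(new: int, old: int) -> float:
    """Percentage change from old to new, rounded to one decimal."""
    return round(100.0 * (new - old) / old, 1) if old else float("inf")


def yearly_summary(raw: str, year: int) -> dict:
    """Headline numbers for one year: additions, ransomware share, oldest CVEs, top vendors."""
    entries = load_feed(raw)
    added = added_in_year(entries, year)
    previous = added_in_year(entries, year - 1)
    return {
        "catalog_size": len(entries),
        "added": len(added),
        "added_change_pct": pct_change(len(added), len(previous)),
        "ransomware": len(ransomware_linked(added)),
        "oldest_added_this_year": oldest(added)["cveID"] if added else None,
        "oldest_in_catalog": oldest(entries)["cveID"],
        "top_vendors": Counter(e["vendorProject"] for e in added).most_common(3),
    }


if __name__ == "__main__":
    # Replace SAMPLE_FEED with json.dumps({"vulnerabilities": fetch_live_feed()})
    # to run the same summary over the real catalog.
    print(json.dumps(yearly_summary(SAMPLE_FEED, 2025), indent=2))
```

On the live feed the same function gives the year's additions and their vendor breakdown directly; the "oldest" helper is the one to use when asking which long-known bugs are still being exploited.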

  4. AI Logs Dispute Deepens

    OpenAI has been ordered to turn over 20 million anonymized ChatGPT logs in a consolidated AI copyright case in the U.S. after it failed to persuade a federal judge to set aside a magistrate judge's order, which the company said insufficiently weighed privacy concerns. The high-profile lawsuit, which has major news publishers like the New York Times and Chicago Tribune as plaintiffs, centres on the core argument that the data that powers ChatGPT has included millions of copyrighted works from the news organizations without consent or payment. OpenAI has insisted that AI training is fair use, adding "the data we're making available to comply with this order has undergone a de-identification process intended to remove or mask PII and other private information, and is being provided under tight access controls designed to prevent the Times from copying and printing data that isn't directly relevant to this case." The news plaintiffs have also alleged that OpenAI destroyed "relevant output log data" by failing to temporarily halt its deletion practices as soon as litigation started, in an apparent effort to dodge copyright claims.

  5. Taiwan Faces Surge Attacks

    The National Security Bureau (NSB) in Taiwan said that China's attacks on the country's energy sector increased tenfold in 2025 compared to the previous year. Attackers targeted critical infrastructure in nine key sectors, and the total number of cyber incidents linked to China grew by 6%. The NSB recorded a total of 960,620,609 cyber intrusion attempts against Taiwan's critical infrastructure, allegedly coming from China's cyber army, in 2025. "On average, China's cyber army launched 2.63 million intrusion attempts per day targeting Taiwan's CI across nine major sectors, namely administration and services, energy, communications and transmission, transportation, emergency rescue and hospitals, water resources, finance, science parks and industrial parks, as well as food," the NSB said. The energy and emergency rescue/hospitals sectors experienced the most significant year-on-year surge in cyber attacks from Chinese threat actors. The attacks have been attributed to five Chinese hacking groups, namely BlackTech (aka Canary Typhoon, Circuit Panda, and Earth Hundun), Flax Typhoon (aka Ethereal Panda and Storm-0919), HoneyMyte (aka Bronze President, Mustang Panda, and Twill Typhoon), APT41 (aka Brass Typhoon, Bronze Atlas, Double Dragon, Leopard Typhoon, and Wicked Panda), and UNC3886, which are said to have probed network equipment and industrial control systems of Taiwan's energy companies to plant malware. "China has fully integrated military, intelligence, industrial, and technological capabilities across both public and private sectors to enhance the depth of intrusion and operational stealth of its external cyberattacks through a wide range of cyberattack tactics and techniques," the NSB said. 
China's cyber army is also said to have exploited vulnerabilities in the websites and systems of major hospitals in Taiwan to drop ransomware, and to have conducted adversary-in-the-middle (AitM) attacks against communications companies to steal sensitive data.

  6. Change Restrict Canceled

    Microsoft said it is indefinitely canceling earlier plans to enforce a Mailbox External Recipient Rate Limit in Exchange Online, a control intended to combat abuse and prevent misuse of the service for bulk spam and other malicious email activity. "The Recipient Rate Limit and the Tenant-level External Recipient Rate Limit mentioned in Exchange Online limits remain unchanged by this announcement," the company said. The tech giant first announced the limit in April 2024, stating it would begin enforcing an external recipient rate limit of 2,000 recipients in 24 hours, effective April 2026.

  7. Stalkerware Founder Responsible

    Bryan Fleming, the founder of pcTattletale, pleaded guilty to operating stalkerware from his home in the U.S. state of Michigan. In May 2024, the U.S.-based spyware company said it was "out of business and completely done" after an unknown hacker defaced its website and posted gigabytes of data to its homepage. The app, which covertly captured screenshots of hotel booking systems, suffered from a security flaw that left the screenshots available to anyone on the internet. The breach affected more than 138,000 users who had registered for the service. U.S. Homeland Security Investigations (HSI) said it began investigating pcTattletale in June 2021 for "surreptitiously spying on spouses and partners." While the tool was ostensibly marketed as parental control and employee monitoring software, pcTattletale also promoted its ability to eavesdrop on spouses and domestic partners by monitoring every click and screen tap. Fleming even had a YouTube channel to promote the spyware. He is expected to be sentenced later this year. The development marks a rare instance of criminal prosecution for purveyors of stalkerware, who usually operate out in the open with impunity. The previous spyware conviction in the U.S. occurred in 2014, when a Danish citizen, Hammad Akbar, pleaded guilty to operating the StealthGenie spyware.

  8. Hardcoded Token Danger

    A critical security vulnerability has been disclosed in RustFS that stems from implementing gRPC authentication with a hard-coded static token: the token is publicly exposed in the source code repository, hard-coded on both the client and server sides, non-configurable with no mechanism for rotation, and universally valid across all RustFS deployments. "Any attacker with network access to the gRPC port can authenticate using this publicly known token and execute privileged operations, including data destruction, policy manipulation, and cluster configuration changes," RustFS said. The vulnerability, which does not have a CVE identifier, carries a CVSS score of 9.8. It affects versions alpha.13 through alpha.77, and has been patched in 1.0.0-alpha.78, released on December 30, 2025.
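Each of the four properties the advisory lists (public, shared by client and server, non-configurable, non-rotatable) is a separate design defect, and a fix has to address all of them. The example below is added here to show the anti-pattern beside a hardened checker; it is not RustFS code and does not reproduce its gRPC interceptor or the leaked token. The placeholder literal, the RUSTFS_GRPC_TOKEN* environment variable names and the 32-character minimum are assumptions made for the example.

```python
"""Static shared token vs a per-deployment, rotatable one.

Added example modelling the pattern described above; it is not RustFS code and
does not reproduce its gRPC interceptor or the leaked token. The placeholder
literal, the RUSTFS_GRPC_TOKEN* variable names and the 32-char minimum are
assumptions made for the example.
"""
import hmac
import os
import secrets
import time
from typing import Optional

# The anti-pattern: one literal compiled into client and server of every install.
# Placeholder value, not the real token.
HARDCODED_TOKEN = "example-static-token-do-not-use"


def legacy_authorize(presented: str) -> bool:
    """Every deployment accepts the same string, so anyone who reads the repo is an admin."""
    return presented == HARDCODED_TOKEN


class TokenAuthorizer:
    """Secret supplied per deployment, compared in constant time, with a rotation window."""

    MIN_LEN = 32  # assumption: reject anything obviously too short to be random

    def __init__(self, current: str, previous: Optional[str] = None,
                 previous_valid_until: float = 0.0) -> None:
        if not current or current == HARDCODED_TOKEN:
            raise ValueError("refusing to start: token empty or a publicly known default")
        if len(current) < self.MIN_LEN:
            raise ValueError("refusing to start: token shorter than %d chars" % self.MIN_LEN)
        self._current = current.encode()
        self._previous = previous.encode() if previous else None
        self._previous_valid_until = previous_valid_until

    def authorize(self, presented: str, now: Optional[float] = None) -> bool:
        """Accept the current token, or the previous one while its grace period lasts."""
        now = time.time() if now is None else now
        candidate = presented.encode()
        if hmac.compare_digest(candidate, self._current):
            return True
        if (self._previous is not None and now < self._previous_valid_until
                and hmac.compare_digest(candidate, self._previous)):
            return True
        return False

    def rotate(self, grace_seconds: float, now: Optional[float] = None) -> str:
        """Mint a fresh token; the old one stays valid for grace_seconds so clients can roll over."""
        now = time.time() if now is None else now
        fresh = secrets.token_urlsafe(32)
        self._previous = self._current
        self._previous_valid_until = now + grace_seconds
        self._current = fresh.encode()
        return fresh


def authorizer_from_env(env=None) -> TokenAuthorizer:
    """Build the checker from deployment config instead of a compiled-in constant."""
    env = os.environ if env is None else env
    return TokenAuthorizer(
        env.get("RUSTFS_GRPC_TOKEN", ""),
        env.get("RUSTFS_GRPC_TOKEN_PREVIOUS") or None,
        float(env.get("RUSTFS_GRPC_TOKEN_PREVIOUS_UNTIL", "0")),
    )


if __name__ == "__main__":
    auth = authorizer_from_env({"RUSTFS_GRPC_TOKEN": secrets.token_urlsafe(32)})
    print("known default accepted by legacy check:", legacy_authorize(HARDCODED_TOKEN))
    print("known default accepted by hardened check:", auth.authorize(HARDCODED_TOKEN))
```

The startup refusal matters as much as the comparison: a deployment that ships with a default token and merely allows overriding it still leaves every unmodified install open, which is exactly the universal-validity problem the advisory describes.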

  9. Malware by way of pkr_mtsi

    A Windows packer and loader named pkr_mtsi has been put to use in large-scale malvertising and SEO-poisoning campaigns to distribute trojanized installers for legitimate software such as PuTTY, Rufus, and Microsoft Teams, enabling initial access and flexible delivery of follow-on payloads. It is available in both executable (EXE) and dynamic-link library (DLL) forms. "In observed campaigns, pkr_mtsi has been used to deliver a diverse set of malware families, including Oyster, Vidar Stealer, Vanguard Stealer, Supper, and more, underscoring its role as a general-purpose loader rather than a single-payload wrapper," ReversingLabs said. First observed in April 2025, the packer has followed a steady evolutionary trajectory in the intervening months, adding increasingly sophisticated obfuscation layers, anti-analysis and anti-debugging techniques, and evasive API resolution methods.

  10. Open WebUI RCE Danger

    A high-severity security flaw has been disclosed in Open WebUI versions 0.6.34 and older (CVE-2025-64496, CVSS score: 7.3) that affects the Direct Connections feature, which lets users connect to external AI model servers (e.g., OpenAI's API). "If a threat actor tricks a user into connecting to a malicious server, it could lead to an account takeover attack," Cato Networks said. "If the user also has workspace.tools permission enabled, it could lead to remote code execution (RCE). Which means that a threat actor can control the system running Open WebUI." The issue was addressed in version 0.6.35, released on November 7, 2025. The attack requires the victim to enable Direct Connections (disabled by default) and add the attacker's malicious model URL. At its core, the flaw stems from a trust failure between untrusted model servers and the user's browser session: a hostile server can send a crafted server-sent events message that triggers the execution of JavaScript code in the browser. This allows an attacker to steal authentication tokens stored in localStorage. Once obtained, these tokens grant full access to the victim's Open WebUI account. Chats, uploaded documents and API keys can all be exposed.

  11. Iranian Group Evolves

    The Iranian nation-state group known as MuddyWater has been conducting phishing attacks designed to deliver known backdoors such as Phoenix and UDPGangster via executable files disguised as PDFs and DOC files carrying macro code. Both implants come fitted with command execution and file upload/download capabilities. "It's worth noting that MuddyWater has gradually reduced the use of ready-made remote control programs such as RMM, and instead developed and deployed a variety of dedicated backdoors to implement penetration for specific targets," the 360 Threat Intelligence Center said. "The disguised content of the sample is Israeli, Azerbaijani, and English, and the sample is also uploaded from Israel, Azerbaijan, and other regions, which is consistent with the attack target of the MuddyWater group."

  12. ownCloud MFA Alert

    File-sharing platform ownCloud has warned users to enable multi-factor authentication (MFA) to block malicious attempts that use compromised credentials to steal their data. The alert comes in the wake of a report from Hudson Rock, which flagged a threat actor named Zestix (aka Sentap) for auctioning data exfiltrated from the corporate file-sharing portals of about 50 major global enterprises. "Contrary to attacks involving sophisticated cookie hijacking or session bypasses, the Zestix campaign highlights a far more pedestrian – yet equally devastating – oversight: The absence of Multi-Factor Authentication (2FA)," Hudson Rock said. The attacks follow a well-oiled workflow: an employee inadvertently downloads a malicious file that leads to the deployment of information-stealing malware. Once the stolen information is made available for sale on darknet forums, the threat actor uses the valid usernames and passwords extracted from the stealer logs to sign into the popular cloud file-sharing services ShareFile, Nextcloud, and ownCloud, taking advantage of the missing MFA protections. Zestix is believed to have been active on Russian-language closed forums since late 2024, primarily motivated by financial gain through selling access in exchange for Bitcoin payments. Assessed to be of Iranian origin, the initial access broker has demonstrated ties with a ransomware group named FunkSec.
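The workflow above leaves a recognisable trace in a portal's audit log: a valid password, no second factor, and a client (source address and user agent) the account has never used before, often a scripting library rather than the sync client. The detection below is an added example, not ownCloud's or Hudson Rock's code. Its audit lines are constructed in a generic JSON-lines shape rather than any product's real log format, the client fingerprint is simply (source IP, user agent), and EXPOSED_ACCOUNTS stands in for an organisation's own stealer-log exposure feed.

```python
"""Flag password-only logins from a new client to a file-sharing portal.

Added example, not ownCloud's or Hudson Rock's code. The audit lines are
constructed in a generic JSON-lines shape (no product's real log format), the
client fingerprint is just (source IP, user agent), and EXPOSED_ACCOUNTS stands
in for an organisation's own stealer-log exposure feed.
"""
import json
from typing import Dict, List, Set, Tuple

# Constructed: accounts whose credentials have turned up in infostealer logs.
EXPOSED_ACCOUNTS: Set[str] = {"bob"}

# Constructed audit records, oldest first.
SAMPLE_LOGS = """\
{"ts": "2026-01-05T08:01:00Z", "user": "alice", "result": "success", "ip": "203.0.113.10", "ua": "ownCloud-Desktop/5.2", "mfa": true}
{"ts": "2026-01-05T08:05:00Z", "user": "bob", "result": "success", "ip": "203.0.113.11", "ua": "Mozilla/5.0 (Windows NT 10.0)", "mfa": false}
{"ts": "2026-01-06T02:14:00Z", "user": "bob", "result": "success", "ip": "198.51.100.77", "ua": "python-requests/2.31", "mfa": false}
{"ts": "2026-01-06T02:15:00Z", "user": "bob", "result": "success", "ip": "198.51.100.77", "ua": "python-requests/2.31", "mfa": false}
{"ts": "2026-01-06T03:00:00Z", "user": "alice", "result": "success", "ip": "198.51.100.78", "ua": "python-requests/2.31", "mfa": true}
{"ts": "2026-01-06T03:10:00Z", "user": "carol", "result": "failure", "ip": "198.51.100.79", "ua": "curl/8.0", "mfa": false}
"""


def parse(text: str) -> List[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def accounts_without_mfa(events: List[dict]) -> Set[str]:
    """Users who have completed a login without a second factor: the audit gap to close first."""
    return {e["user"] for e in events if e["result"] == "success" and not e["mfa"]}


def detect(events: List[dict], exposed: Set[str] = EXPOSED_ACCOUNTS) -> List[dict]:
    """Alert on successful password-only logins from a client never seen for that user.

    The first successful login for a user seeds the baseline. A later success from
    a new (ip, ua) pair without MFA is what stealer-log replay looks like; if the
    account is also on the exposure list, severity is raised to high.
    """
    seen: Dict[str, Set[Tuple[str, str]]] = {}
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue
        fp = (e["ip"], e["ua"])
        known = seen.setdefault(e["user"], set())
        new_client = bool(known) and fp not in known
        known.add(fp)
        if new_client and not e["mfa"]:
            alerts.append({
                "ts": e["ts"], "user": e["user"], "ip": e["ip"], "ua": e["ua"],
                "severity": "high" if e["user"] in exposed else "medium",
                "reason": "password-only login from a client not seen before for this user",
            })
    return alerts


if __name__ == "__main__":
    events = parse(SAMPLE_LOGS)
    print("accounts that logged in without MFA:", sorted(accounts_without_mfa(events)))
    for alert in detect(events):
        print(json.dumps(alert))
```

In the constructed data alice's new client passes because MFA was completed, so only bob's scripted login fires; in production the baseline should be seeded from a longer history than one event, and the exposure list fed from whichever stealer-log monitoring the organisation subscribes to.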

  13. Cross-Platform RAT Evaluation

    ANY.RUN has published a technical rundown of a sophisticated remote access trojan called GravityRAT that has been actively targeting organizations and government entities since 2016. A multi-platform malware, it is equipped to harvest sensitive data, including WhatsApp backups on Android devices, and boasts a range of anti-analysis features, including checking BIOS versions, searching for hypervisor artifacts, counting CPU cores, and querying CPU temperature via Windows Management Instrumentation (WMI). "This temperature check is particularly effective because most hypervisors, including Hyper-V, VMware Fusion, VirtualBox, KVM, and Xen, do not support temperature monitoring, causing them to return error messages that immediately reveal the presence of a virtual environment," ANY.RUN said. The use of GravityRAT is primarily attributed to a Pakistan-origin threat actor tracked as Transparent Tribe. On Windows, it is usually spread via spear-phishing emails containing malicious Office documents with macros or exploits. On Android, it masquerades as a messaging platform and is distributed through third-party sites or social engineering. "The RAT operates through a multi-stage infection and command-and-control architecture," ANY.RUN added. "GravityRAT implements a modular architecture where different components handle specific functions."

  14. Rip-off Empire Kingpin Caught

    Cambodian authorities have arrested and extradited Chen Zhi, the alleged mastermind behind one of Asia's largest transnational scam networks, to China. Chen, 38, is the founder and chairman of Prince Group. He was among three Chinese nationals arrested on January 6, 2026. His Cambodian nationality was "revoked by a Royal Decree" last month. In October 2025, the U.S. Department of Justice (DoJ) unsealed an indictment against Prince Group and Chen (in absentia) for operating illegal forced-labor scam compounds across Southeast Asia to conduct cryptocurrency fraud schemes, also known as romance baiting or pig butchering. Scammers in such schemes begin by establishing fake relationships with unsuspecting users before coaxing them into investing their funds in bogus cryptocurrency platforms. The industrial scale of the operation notwithstanding, those conducting the scams are often trafficked foreign nationals, who are trapped and coerced into carrying out online fraud under threat of torture. The U.K. and U.S. governments have also sanctioned Prince Group, designating it a transnational criminal organization. In a statement in November 2025, Prince Group said it "categorically rejects" the accusations. China's Ministry of Public Security described Chen's arrest as "another great achievement under China-Cambodia law enforcement cooperation." Mao Ning, a spokesperson for China's Ministry of Foreign Affairs, said "for quite a while, China has been actively working with countries, including Cambodia, to crack down on crimes of online gambling and telecom fraud with notable results." Beijing has also worked with Thailand and Myanmar to free thousands of people from scam compounds. 
Despite ongoing crackdowns, the United Nations Office on Drugs and Crime (UNODC) has said the criminal networks that run the scam hubs are evolving at an unprecedented scale. Scam victims worldwide lost between $18 billion and $37 billion in 2023, according to UNODC estimates.

  15. Phishing Kits Double

    The number of phishing-as-a-service (PhaaS) toolkits doubled during 2025, with 90% of high-volume phishing campaigns leveraging such tools over the year, according to an analysis by Barracuda. Some of the notable PhaaS players were Sneaky 2FA, CoGUI, Cephas, Whisper 2FA, and GhostFrame. These kits incorporate advanced anti-analysis measures, MFA bypass, and stealthy deployment that make them harder to detect with traditional controls. The main advantage of PhaaS kits is that they lower the barrier to entry, enabling even attackers with little technical expertise to mount large-scale, targeted phishing campaigns with minimal effort. The most common phishing themes observed during the year were fake payment, financial, legal, digital signature, and HR-related messages designed to deceive users into clicking on a link, scanning a QR code, or opening an attachment. Among the newer techniques used by phishing kits are obfuscation to hide URLs from detection and inspection, CAPTCHA challenges for added authenticity, malicious QR codes, abuse of trusted, legitimate online platforms, and ClickFix, among others.

  16. Zed IDE RCE Flaws

    Two high-severity security flaws have been disclosed in Zed IDE that expose users to arbitrary code execution when loading or interacting with a maliciously crafted source code repository. "Zed automatically loaded MCP [Model Context Protocol] settings from the workspace without requiring user confirmation," Mindguard said about CVE-2025-68433 (CVSS score: 7.8). "A malicious project could use this to define MCP tools that execute arbitrary code on the developer's system without explicit permission." The second vulnerability (CVE-2025-68432, CVSS score: 7.8) has to do with the IDE implicitly trusting project-supplied Language Server Protocol (LSP) configurations, potentially opening the door to arbitrary command execution when a user opens any source code file in the repository. Following responsible disclosure on November 14, 2025, Zed released version 0.218.2-pre to address the issues last month.
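Both issues share one root cause: the repository, not the user, gets to decide which binaries the editor launches. Until a trust prompt is in place, the practical check is to list what a checkout's project settings would execute before opening it. The script below is an added example, not Zed's or Mindguard's code. It assumes Zed reads per-project settings from .zed/settings.json, that MCP servers are declared under "context_servers" with a "command" object, and that language-server overrides sit under "lsp" -> "<server>" -> "binary"; treat those key names as assumptions to verify against your Zed version. The demo repository is constructed in a temporary directory.

```python
"""List what a repository's Zed project settings would make the editor execute.

Added example, not Zed's or Mindguard's code. Assumptions: Zed reads
.zed/settings.json per project, MCP servers live under "context_servers" with a
"command" object, and language-server overrides under "lsp" -> "<server>" ->
"binary". The demo repository is constructed in a temp dir.
"""
import json
import tempfile
from pathlib import Path
from typing import List

PROJECT_SETTINGS = Path(".zed") / "settings.json"  # assumption: Zed's per-project settings path


def load_jsonc(text: str) -> dict:
    """Parse settings that may carry // comment lines."""
    kept = [ln for ln in text.splitlines() if not ln.strip().startswith("//")]
    return json.loads("\n".join(kept))


def is_repo_local(path: str) -> bool:
    """True for relative paths with a directory component (./tools/x): code shipped with the repo.

    A bare name such as "npx" is resolved via PATH, so it is not counted as repo-local.
    """
    p = Path(path)
    return not p.is_absolute() and len(p.parts) > 1


def review_project_settings(repo_root) -> List[dict]:
    """Return every command the settings file would have Zed run, before opening the project."""
    path = Path(repo_root) / PROJECT_SETTINGS
    if not path.is_file():
        return []
    data = load_jsonc(path.read_text(encoding="utf-8"))
    findings = []
    for name, cfg in data.get("context_servers", {}).items():
        cmd = cfg.get("command", {}) if isinstance(cfg, dict) else {}
        exe = cmd.get("path", "")
        findings.append({"kind": "mcp_server", "name": name, "exec": exe,
                         "args": cmd.get("args", []), "repo_local": is_repo_local(exe)})
    for server, cfg in data.get("lsp", {}).items():
        binary = cfg.get("binary") if isinstance(cfg, dict) else None
        if not binary:
            continue
        exe = binary.get("path", "")
        findings.append({"kind": "lsp_binary_override", "name": server, "exec": exe,
                         "args": binary.get("arguments", []), "repo_local": is_repo_local(exe)})
    return findings


def make_demo_repo() -> str:
    """Constructed checkout whose project settings define one MCP server and one LSP override."""
    root = Path(tempfile.mkdtemp(prefix="zed-review-"))
    (root / ".zed").mkdir()
    settings = {
        "context_servers": {
            "docs-helper": {"command": {"path": "./tools/helper.sh", "args": ["--serve"]}}
        },
        "lsp": {
            "rust-analyzer": {"binary": {"path": "/usr/local/bin/rust-analyzer", "arguments": []}}
        },
    }
    (root / PROJECT_SETTINGS).write_text(
        "// project settings\n" + json.dumps(settings, indent=2), encoding="utf-8")
    return str(root)


if __name__ == "__main__":
    for f in review_project_settings(make_demo_repo()):
        flag = "REPO-LOCAL" if f["repo_local"] else "system"
        print(f"[{flag}] {f['kind']} {f['name']}: {f['exec']} {' '.join(f['args'])}")
```

A repo-local executable is the case to refuse outright: it means the project is asking the editor to run code that arrived with the clone. A system path is less alarming but still worth a look, since an override of a language server binary runs as soon as a matching file is opened.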

That's the wrap for this week. These stories show how fast things can change and how small risks can grow big if ignored.

Keep your systems updated, watch for the quiet stuff, and don't trust what looks normal too quickly.

Next Thursday, ThreatsDay will be back with more short takes from the week's biggest moves in hacking and security.
