CyberSecurity updates
2025-02-21 12:24:31 Pacific

Russian Hackers Exploit Signal 'Linked Devices' for Spying - 1d
Russian Hackers Exploit Signal

Russian state-sponsored hackers are actively exploiting the “linked devices” feature in Signal Messenger to conduct cyber-espionage campaigns. Groups like APT44 (Sandworm), UNC5792, UNC4221, and Turla target military personnel, politicians, and activists to compromise their secure communications. These actors abuse Signal’s feature to gain persistent access to accounts, using phishing tactics to trick users into linking their devices to attacker-controlled systems. Mandiant warns of the real-time spying risks associated with this activity, which primarily targets Ukrainian entities amidst Russia’s ongoing invasion.

OpenSSH Vulnerabilities Expose Clients and Servers to MitM and DoS Attacks - 2d
OpenSSH Vulnerabilities Expose Clients and Servers to MitM and DoS Attacks

The Qualys Threat Research Unit (TRU) disclosed two vulnerabilities in OpenSSH: CVE-2025-26465, a machine-in-the-middle (MitM) attack against the OpenSSH client when the VerifyHostKeyDNS option is enabled, and CVE-2025-26466, an asymmetric denial-of-service (DoS) attack affecting both client and server. CVE-2025-26465 allows attackers to intercept communications by spoofing DNS records, while CVE-2025-26466 enables resource exhaustion through excessive memory and CPU consumption. These vulnerabilities impact OpenSSH client and server components, potentially exposing millions to risks.
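For the client-side precondition above (the MitM applies only when VerifyHostKeyDNS is enabled), here is an added Python check, not code from Qualys or the OpenSSH project: it parses an ssh_config and reports whether the option would be in effect for a given hostname, honouring OpenSSH's first-match precedence so that a global 'yes' placed before a Host block is not silently undone by that block. The config text is constructed for the example; the parser handles Host blocks only (no Match or Include) and assumes the OpenSSH default of 'no'.

```python
import fnmatch
import re
# Constructed sample ssh_config (not from any real system). The global 'yes' precedes a
# Host block that turns the option off; OpenSSH keeps the FIRST value obtained, so it loses.
SAMPLE_CONFIG = """
VerifyHostKeyDNS yes
Host build-*
    VerifyHostKeyDNS no
Host bastion.example
    VerifyHostKeyDNS ask
"""

def parse_ssh_config(text):
    """[(host_patterns, {option: value}), ...] in file order; pre-Host lines form 'Host *'."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # 'Key val' or 'Key=val'
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)  # first value inside a block wins
    return blocks

def host_matches(patterns, hostname):
    """Host matching: some positive pattern matches and no '!' (negated) pattern does."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched

def effective_option(blocks, hostname, option, default):
    """First matching block that sets the option wins, as in OpenSSH."""
    for patterns, opts in blocks:
        if host_matches(patterns, hostname) and option in opts:
            return opts[option].lower()
    return default

def verifyhostkeydns_enabled(text, hostname):
    """True if the client would consult SSHFP DNS records ('yes' or 'ask') for hostname."""
    return effective_option(parse_ssh_config(text), hostname, "verifyhostkeydns", "no") != "no"
```

The usual fix for the sample is to move the global setting into a trailing `Host *` block, which lets the earlier, host-specific `no` take effect.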

Lee Enterprises and Cracked Games Hit by Ransomware - 1d
Lee Enterprises and Cracked Games Hit by Ransomware

Lee Enterprises, a major newspaper publisher, confirmed a ransomware attack affecting 77 newspapers and 350 weekly publications; the attackers encrypted critical applications and exfiltrated certain files. Separately, the StaryDobry campaign used trojanized game installers to deploy the XMRig cryptominer to unsuspecting users, particularly in Russia, Brazil, Germany, Belarus, and Kazakhstan. BlackLock ransomware is emerging as a major player and uses custom-built malware targeting Windows, VMware ESXi, and Linux environments. The attackers are using double-extortion tactics.

NailaoLocker Ransomware Targets Healthcare - 10h
NailaoLocker Ransomware Targets Healthcare

The NailaoLocker ransomware is targeting European healthcare organizations. The intrusions exploit VPN flaws, and the ransomware is deployed via ShadowPad and PlugX backdoors. The attackers, linked to China-nexus groups, have evolved their malware.

Citrix Releases Security Fix for NetScaler Vulnerability - 17h
Citrix Releases Security Fix for NetScaler Vulnerability

A high-severity vulnerability, CVE-2024-12284, affects NetScaler Console and NetScaler Console Agent. An authenticated attacker could exploit this improper privilege management vulnerability to execute commands without authorization, leading to significant security risks. Mitigation involves upgrading to the latest non-vulnerable builds and implementing security best practices, such as configuring external authentication.

Microsoft Application Virtualization Injector Abuse - 2d
Microsoft Application Virtualization Injector Abuse

Chinese-linked threat actor “Mustang Panda” has been observed using the Microsoft Application Virtualization Injector (MAVInject.exe) tool to inject malicious payloads into running processes, evading detection by antivirus software. Researchers from Trend Micro have detailed this evasion technique. This tactic involves combining legitimate software components with malicious code to bypass security measures and maintain control of compromised systems. It’s essential for security teams to be aware of this new technique used by advanced persistent threats and incorporate it into their threat intelligence systems.

Trojanized Game Installers Deploy Cryptocurrency Miner Globally - 6h
Trojanized Game Installers Deploy Cryptocurrency Miner Globally

A global attack campaign, dubbed StaryDobry, uses trojanized game installers to deploy the XMRig cryptocurrency miner. Attackers upload trojanized installers for popular games such as BeamNG.drive, Garry’s Mod, and Dyson Sphere Program to torrent sites. Running one of these installers displays an installer screen while a dropper is extracted and executed. The campaign primarily targets individual users in Russia, Brazil, Germany, Belarus, and Kazakhstan.

Palo Alto Networks PAN-OS Authentication Bypass Actively Exploited - 5d
Palo Alto Networks PAN-OS Authentication Bypass Actively Exploited

Palo Alto Networks has addressed an authentication bypass vulnerability (CVE-2025-0108) in PAN-OS that allows unauthenticated attackers to access the management web interface and execute PHP scripts, potentially obtaining sensitive information. Active exploitation is being observed in the wild; patch now.

Critical Authentication Bypass Flaw in Juniper Routers - 2d
Critical Authentication Bypass Flaw in Juniper Routers

A critical authentication bypass vulnerability, tracked as CVE-2025-21589, impacts the Session Smart Router, Session Smart Conductor, and WAN Assurance Router products. This vulnerability allows a network-based attacker to bypass authentication and gain administrative control over the affected devices.

New Obfuscation Technique Used in Phishing Attacks - 13h

Juniper Threat Labs discovered a new JavaScript obfuscation technique used in phishing attacks targeting affiliates of a major American political action committee (PAC) in early January 2025. The attack uses an invisible obfuscation technique. Separately, Check Point researchers have discovered an extremely sophisticated attack, perpetrated by nation-state threat actors, that targeted the CEO and a high-ranking employee of a well-known organization.

APT Uses JumbledPath Malware to Spy on US Telecom Networks - 3h
APT Uses JumbledPath Malware to Spy on US Telecom Networks

A state-sponsored hacking group is using a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers. The hacking group Salt Typhoon, also known as FamousSparrow and GhostEmperor, has been active since at least 2019 and is believed to be linked to China.

New Snake Keylogger Variant Launches Mass Attacks - 1d
New Snake Keylogger Variant Launches Mass Attacks

A new variant of Snake Keylogger has been detected launching over 280 million attacks, targeting credentials and data. The resurgence primarily impacts users in China, Turkey, Indonesia, Taiwan, and Spain, infiltrating systems through phishing emails. The keylogger steals credentials from browsers like Chrome and exfiltrates data via Telegram Bots.

Observed DNS queries and domains associated with the campaign include cleararhorizon.cyou, lightojourney.top, brhightfusion.top, and support.fortineat.com, indicating a wide infrastructure used in the attacks.

Cybercriminals Abuse Jarsigner to Deploy XLoader Malware - 10h
Cybercriminals Abuse Jarsigner to Deploy XLoader Malware

A new malware campaign is using a DLL side-loading technique to distribute the XLoader malware through a legitimate tool called jarsigner.exe, which is part of the Eclipse Foundation’s IDE package. Cybercriminals are placing malicious DLL files alongside the legitimate executable, ensuring their execution when the application runs. This method allows the malware to evade detection.

Insight Partners Investigates Data Breach After Cyberattack - 1d
Insight Partners Investigates Data Breach After Cyberattack

Venture capital firm Insight Partners suffered a cyberattack involving unauthorized access to its information systems through a sophisticated social engineering scheme. The firm is investigating the full impact and potential data exposure. The attack occurred on January 16, 2025, raising concerns over the compromise of sensitive financial and investment data.

New Golang Backdoor Exploits Telegram API for C2 - 3d
New Golang Backdoor Exploits Telegram API for C2

A new Golang-based backdoor, potentially of Russian origin, leverages Telegram’s Bot API for command-and-control (C2) communications. The malware, still under development but fully functional, uses cloud applications to evade detection, posing a significant challenge for security teams due to its use of a legitimate platform for malicious activities. This backdoor can execute PowerShell commands and self-destruct, adding to its evasive capabilities.

South Korea Suspends DeepSeek AI Downloads Over Privacy - 3d
South Korea Suspends DeepSeek AI Downloads Over Privacy

South Korea has temporarily suspended downloads of DeepSeek AI’s apps due to privacy concerns. The Personal Information Protection Commission (PIPC) cited the need for the service to comply with data protection regulations. This action follows similar restrictions in other regions, highlighting increasing global scrutiny over AI app privacy practices. The suspension will remain in effect until DeepSeek implements the necessary changes to address the identified privacy issues.

Lumma Stealer Targets Education via Weaponized PDFs - 1d
Lumma Stealer Targets Education via Weaponized PDFs

A malware campaign is distributing Lumma Stealer via weaponized PDF documents, targeting educational institutions. The attack uses malicious LNK files disguised as PDFs, delivered through compromised school infrastructure, to steal sensitive data. Educational institutions must enhance their cybersecurity to protect student and staff information by employing robust anti-malware solutions and user awareness training.

BlackLock Ransomware Group Becomes Prolific Operator - 2d
BlackLock Ransomware Group Becomes Prolific Operator

The BlackLock ransomware group is poised to become one of the most prolific RaaS operators in 2025. The group cropped up in early 2024 and is known for its unusually active presence and good reputation on the ransomware-focused Russian-language forum RAMP, and for its aggressive recruiting of traffers, initial access brokers, and affiliates. The group uses custom-built ransomware and employs significant techniques to prevent analysis.

Xerox Printer Flaws Expose Active Directory Credentials - 2d
Xerox Printer Flaws Expose Active Directory Credentials

Rapid7 researchers have discovered vulnerabilities in Xerox VersaLink C7025 multifunction printers (MFPs). These flaws enable attackers to capture authentication credentials via pass-back attacks through the Lightweight Directory Access Protocol (LDAP), Server Message Block (SMB), and FTP services. Exploiting these vulnerabilities allows malicious actors to intercept authentication credentials, leading to credential theft and lateral attacks within enterprise networks, highlighting the security risk such devices pose.

Microsoft Outlook Exploit Campaign - 5d
Microsoft Outlook Exploit Campaign

A sophisticated phishing campaign, tracked as Storm-2372, has been targeting global organizations via device code phishing. The threat actor, with medium confidence linked to Russian interests, has been active since August 2024. Lures resembling messaging app experiences, such as WhatsApp and Signal, are being used to deceive targets, potentially granting persistent access to networks. Targets include government entities, NGOs, IT services, and technology, defense, telecommunications, health, higher education, and energy/oil and gas sectors in Europe, North America, Africa, and the Middle East.