Cybercrime
-
Iran-linked RedKitten campaign uses AI-generated macros to deploy SloppyMIO backdoor
A HarfangLab technical analysis links a January 2026 campaign to an Iran-aligned actor using macro-laced Excel files to deploy the SloppyMIO backdoor that retrieves configuration via GitHub and exfiltrates via Telegram.
-
TriZetto breach may have exposed PHI for more than 700,000, Oregon providers to notify patients
An intrusion into TriZetto Provider Solutions discovered in October 2025 may have exposed protected health information for more than 700,000 people. Local Oregon providers will notify thousands of patients about exposed records.
-
Researchers find Chrome extensions that hijack affiliate links and scrape data
Security researchers uncovered Chrome extensions that rewrite affiliate links and scrape product data. A Socket technical analysis links the behavior to a cluster of 29 add-ons that target major e-commerce sites and exfiltrate information.
-
China-linked UAT-8099 targets IIS servers in Asia with BadIIS SEO fraud
Researchers found a late 2025 to early 2026 campaign by UAT-8099 that used web shells and BadIIS malware to run SEO fraud on IIS servers, concentrating attacks in Thailand and Vietnam.
-
Google disrupts IPIDEA residential proxy network linked to malware
Google Threat Intelligence Group disrupted IPIDEA this week, taking down domains and infrastructure tied to a residential proxy network promoted to 6.7 million users. The action targeted trojanized apps and embedded SDKs that turned devices into proxies.
-
Investigation finds 175,000 publicly accessible Ollama hosts across 130 countries
A SentinelOne Labs analysis found 175,000 publicly accessible Ollama hosts in 130 countries, many exposing tool-calling capabilities and operating outside standard platform guardrails, raising governance and security concerns for edge LLM deployments.
-
TA584 adopts Tsundere Bot and XWorm in expanded initial access campaign
TA584 is using Tsundere Bot and XWorm in phishing campaigns that tripled in late 2025. The chain uses geofenced URLs, redirect systems, CAPTCHA gates and PowerShell in-memory loaders that complicate detection.
-
eScan update server breached to deliver malicious update on January 20 2026
An eScan update server was breached on January 20 2026 and pushed a malicious update to a subset of customers. Morphisec’s security bulletin details the modified updater and final backdoor payload.
-
Mustang Panda deploys updated COOLCLIENT backdoor to steal endpoint data
An updated COOLCLIENT backdoor linked to Mustang Panda was used in 2025 to steal keystrokes, browser credentials and files from government endpoints across Myanmar, Mongolia, Malaysia and Russia, according to a technical analysis by Kaspersky.
-
Two malicious PyPI spellchecker packages delivered Python RAT and were downloaded over 1,000 times
Researchers found two malicious PyPI packages that hid a Base64 downloader in a Basque dictionary file and delivered a Python RAT after a January 21 2026 update. The packages were downloaded just over 1,000 times before removal.