Research
-
China-linked UAT-8099 targets IIS servers in Asia with BadIIS SEO fraud
Researchers found a late 2025 to early 2026 campaign by UAT-8099 that used web shells and BadIIS malware to run SEO fraud on IIS servers, concentrating attacks in Thailand and Vietnam.
-
Google disrupts IPIDEA residential proxy network linked to malware
Google Threat Intelligence Group disrupted IPIDEA this week, taking down domains and infrastructure tied to a residential proxy network promoted to 6.7 million users. The action targeted trojanized apps and embedded SDKs that turned devices into proxies.
-
Investigation finds 175,000 publicly accessible Ollama hosts across 130 countries
A SentinelOne Labs analysis found 175,000 publicly accessible Ollama hosts in 130 countries, many exposing tool-calling capabilities and operating outside standard platform guardrails, raising governance and security concerns for edge LLM deployments.
-
TA584 adopts Tsundere Bot and XWorm in expanded initial access campaign
TA584 is using Tsundere Bot and XWorm in phishing campaigns that tripled in late 2025. The chain uses geofenced URLs, redirect systems, CAPTCHAs and in-memory PowerShell loaders that complicate detection.
-
Critical vm2 sandbox escape CVE-2026-22709 allows arbitrary code execution
A critical sandbox escape in the vm2 Node.js library, tracked as CVE-2026-22709 and rated CVSS 9.8, lets attackers run code on host systems. Users should update to vm2 3.10.3.
-
Two n8n sandbox escape flaws allow remote code execution
JFrog Security Research disclosed two eval injection flaws in n8n that can bypass sandboxes and allow remote code execution. One is rated CVSS 9.9. Users are advised to update affected versions.
-
Mustang Panda deploys updated COOLCLIENT backdoor to steal endpoint data
An updated COOLCLIENT backdoor linked to Mustang Panda was used in 2025 to steal keystrokes, browser credentials and files from government endpoints across Myanmar, Mongolia, Malaysia and Russia, according to a technical analysis by Kaspersky.
-
Two malicious PyPI spellchecker packages delivered Python RAT and were downloaded over 1,000 times
Researchers found two malicious PyPI packages that hid a Base64 downloader in a Basque dictionary file and delivered a Python RAT after a January 21, 2026 update. The packages were downloaded just over 1,000 times before removal.
-
Cellbreak Pyodide sandbox escape in Grist-Core allows remote code execution
A Pyodide sandbox escape in Grist-Core, CVE-2026-24002, can enable remote code execution, including JavaScript execution in the host runtime. The flaw was fixed in version 1.7.9 on January 9, 2026. Update or set the sandbox to gvisor.
-
PeckBirdy JScript framework used by China-aligned actors to target gambling and government sites
A JScript C2 framework called PeckBirdy has been used since 2023 to compromise gambling sites and Asian government and private organizations. The framework runs across browsers and common binaries and delivers modular backdoors including HOLODONUT and MKDOOR.