Research
-
New SHADOW#REACTOR campaign uses text-only stagers and MSBuild to deploy Remcos RAT
A technical report from Securonix details SHADOW#REACTOR, a campaign that stages text-only fragments and in-memory loaders to deliver the Remcos RAT and achieve persistent access, using MSBuild and other legitimate Windows binaries.
-
CISA Adds Gogs Path Traversal CVE-2025-8110 to Known Exploited Vulnerabilities Catalog
CISA added CVE-2025-8110, a high-severity Gogs path traversal that can enable code execution, to its Known Exploited Vulnerabilities catalog on January 12, 2026. About 1,600 exposed instances exist, with several hundred compromised.
-
BreachForums database of 323,986 user accounts leaked in January
A database of 323,986 BreachForums accounts was published on January 9. The dump is dated August and includes hashed passwords, private messages, a password-protected PGP key and a 4,400-word manifesto titled Doomsday.
-
OpenCode vulnerability allowed unauthenticated code execution on users' machines
An independent disclosure found that OpenCode started an unauthenticated local HTTP server that allowed connected clients to execute arbitrary code. Update to v1.1.10 or newer and check server settings to reduce exposure.
-
GoBruteforcer botnet targets crypto and blockchain databases with credential brute force
A technical analysis found GoBruteforcer campaigns, active since mid-2025, that turn exposed Linux servers into botnet nodes to brute-force FTP and database credentials and to probe blockchain accounts for funds.
-
China-linked UAT-7290 targets telcos in South Asia and expands into Southeastern Europe
A China-linked cluster called UAT-7290 has targeted telecommunications providers in South Asia and moved into Southeastern Europe. The group performs deep reconnaissance and deploys modular malware that can turn edge devices into relay nodes.
-
Cisco issues updates for ISE XML parsing flaw CVE-2026-20029 and Snort 3 bugs
Cisco issued updates on Jan 8, 2026 to fix a medium-severity XML parsing flaw in Identity Services Engine, CVE-2026-20029, for which a public proof of concept exists. The company also patched two Snort 3 DCE/RPC vulnerabilities.
-
Black Cat uses SEO poisoning to distribute backdoor, compromises about 277,800 hosts in China
A CNCERT/CC and ThreatBook technical analysis links the Black Cat gang to an SEO poisoning campaign that pushed fake software downloads and implanted a backdoor, compromising about 277,800 hosts in China between December 7 and 20, 2025.
-
Two Chrome extensions exfiltrated ChatGPT and DeepSeek conversations from 900,000 users
A technical analysis by OX Security found two malicious Chrome extensions that collected ChatGPT and DeepSeek conversations and tab URLs from about 900,000 users and sent the data to external servers on a regular schedule.
-
PHALT#BLYX campaign uses fake Booking emails and BSoD lures to deliver DCRat
PHALT#BLYX used fake Booking.com reservation emails and a bogus blue screen lure in late December 2025 to deliver the DCRat remote access trojan to European hospitality systems.