Weekly Cyber Threat Intelligence Roundup: Microsoft Patch Tuesday, FortiSIEM Exploitation, and Emerging Malware/Phishing Trends
A weekly threat-intelligence roundup highlighted Microsoft’s January Patch Tuesday release addressing 112 vulnerabilities across Windows and Microsoft Edge, spanning multiple classes including elevation of privilege, remote code execution, and information disclosure. The same briefing reported active interest in CVE-2025-64155, a critical FortiSIEM vulnerability, with observed exploitation activity against honeypot environments following an out-of-band alert from Kroll Threat Intelligence—an indicator of likely broader scanning and attempted exploitation.
The update also covered multiple threat developments: Check Point research described VOIDLINK, a Linux-focused malware framework (implants/rootkits/loaders) designed for long-term access, including in cloud environments; North Korean-linked KTA082 (Kimsuky/APT43) was reported using QR-code phishing (“quishing”) to target government, education, and think tanks; and Iran-linked KTA060 (MuddyWater) was associated with development of the RUSTYWATER RAT. Separately, detection-engineering updates noted new and refined rules for OAuth/Entra ID consent phishing patterns (including ConsentFix-style authorization flows), correlations between Entra ID risk events and privileged actions (e.g., PIM elevation/device-code auth), Windows persistence/defense-evasion behaviors (e.g., scheduled tasks by unsigned executables, Chrome security feature tampering), and updated YARA/behavioral detections for malware families (e.g., Agent Tesla, MintsLoader) and Cobalt Strike TTPs; the briefing also referenced a leak of a database purportedly containing ~324,000 BreachForums user records posted to shinyhunte[.]rs.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
BreachForums user database leak is reported on shinyhunte.rs
A database allegedly containing about 324,000 BreachForums user records, including email addresses, Argon2i password hashes, and IP addresses, was reported as posted on shinyhunte.rs.
Muddywater develops RUSTYWATER RAT and targets Middle East sectors
Iran-affiliated KTA060, also known as Muddywater, was reported developing a remote access trojan called RUSTYWATER and using phishing campaigns against diplomatic, financial, and telecom entities in the Middle East.
Kimsuky adopts QR-code phishing in new campaigns
North Korean-linked KTA082, also known as Kimsuky, was reported using QR-code phishing or 'quishing' to target government, education, and think-tank organizations.
Check Point discloses Linux malware framework VOIDLINK
Check Point research described a new Linux-focused malware framework called VOIDLINK, made up of implants, rootkits, and loaders intended for long-term access and cloud-compatible operations.
Rule updates expand Windows, email, and malware detection coverage
The same digest also documented expanded Windows endpoint detections, email scam and suspicious sign-in rules, YARA updates for Agent Tesla, MintsLoader, and ModeloRAT, and tuning changes for Cobalt Strike-related behavioral detections.
RuleCheck digest reports new detections for Entra ID and Microsoft 365 OAuth phishing
A weekly detections digest covering Jan. 12-19 reported 30 new and 38 updated rules across monitored GitHub repositories, with new detections focused on cloud identity attacks such as ConsentFix-style OAuth phishing, Entra ID risk-event correlations, and Microsoft 365 abuse.
Unknown actors observed exploiting FortiSIEM CVE-2025-64155 in honeypots
The FortiSIEM flaw CVE-2025-64155 was subsequently observed being exploited by unknown actors against honeypot environments, indicating active exploitation in the wild.
Kroll issues out-of-band notice for FortiSIEM CVE-2025-64155
Kroll published an out-of-band notice about the critical FortiSIEM vulnerability CVE-2025-64155, highlighting the issue before broader reporting on exploitation activity.
Microsoft releases January Patch Tuesday fixes for 112 vulnerabilities
Microsoft's January Patch Tuesday release addressed 112 vulnerabilities across Windows and Edge, including one zero-day vulnerability.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Weekly Cyber Threat Roundups Highlight Linux Fileless Malware, Office Zero-Day Exploitation, and Multiple Breach Claims
Multiple weekly threat roundups and research posts reported a mix of active exploitation, new malware tradecraft, and breach claims. Ukraine’s CERT reported **APT28** rapidly weaponized a Microsoft Office zero-day (**CVE-2026-21509**) within roughly a day of Microsoft’s disclosure, using spearphishing emails with malicious DOC lures to deliver **Covenant** backdoors against Ukrainian government targets and EU-related entities. Separately, researchers described **ShadowHS**, a stealthy **fileless Linux** post-exploitation framework that runs in-memory (e.g., via `memfd`-style execution), uses encrypted multi-stage loading (AES-256-CBC), fingerprints defensive tooling (including major EDR agents), and retains operator-driven capabilities such as credential theft, lateral movement, and covert tunneling for exfiltration. Other reporting highlighted incident and exposure claims and defensive takeaways. Check Point described a **supply-chain compromise** affecting *eScan* (MicroWorld Technologies) in which malicious updates were pushed through the legitimate updater, prompting an emergency shutdown of global update services; it also noted **Crunchbase** confirmed a breach affecting **2M+ records** claimed by **ShinyHunters**, and cited extortion/leak claims involving **Qilin** (Tulsa International Airport) and **WorldLeaks** (Nike). Google’s legal/technical disruption of the **IPIDEA** residential proxy network was also cited as reducing available proxy nodes by millions and cutting off C2 domains used to route attacker traffic. Additional coverage described a phishing chain using a fake DHL invoice to abuse a signed Java utility via **DLL sideloading** (malicious `jli.dll`) and **process hollowing** into `AddInProcess32.exe` to run **Phantom Stealer**; detection-engineering updates emphasized new rules for Windows defense-evasion (e.g., tampering with Credential Guard/HVCI, disabling AMSI and the vulnerable driver blocklist) and expanded Kubernetes and Linux post-exploitation detections.
Mar 21, 2026
Mixed threat reporting: APT campaigns, malware delivery via compromised web assets, and ransomware exploitation
The provided items do not describe a single cohesive cybersecurity event; they span multiple unrelated threat reports and opinion pieces. Notable incident-level reporting includes **APT28** activity in Western/Central Europe (“Operation MacroMaze”) using spear-phishing lures with Office macros that beacon via `INCLUDEPICTURE` to `webhook[.]site` and then execute VBScript/CMD/batch stages for persistence and follow-on payload delivery. Separately, **MuddyWater** (Iran/MOIS-linked) was reported running “Operation Olalampo” against organizations in the Middle East and Africa, delivering new custom malware (including a **Char** backdoor using a **Telegram bot** for C2) and, in some cases, attempting exploitation of public-facing servers in addition to phishing. Criminal activity and initial-access tradecraft were also covered across distinct stories: a DFIR case study described exploitation of **Apache ActiveMQ** `CVE-2023-46604` to gain RCE, conduct post-exploitation (Metasploit/Meterpreter, privilege escalation, LSASS access, lateral movement), and ultimately deploy **LockBit**-branded ransomware via RDP using previously stolen credentials (with indications the payload was built using the leaked builder and used *Session* for communications). Multiple reports described malware delivery via compromised web assets and social engineering, including **GrayCharlie** injecting malicious JavaScript into WordPress sites to push **NetSupport RAT**, **Stealc**, and **SectopRAT** via fake updates/ClickFix-style CAPTCHAs, and a separate **ClickFix** campaign delivering a custom C++ RAT (**MIMICRAT**) through fake Cloudflare verification prompts that trick users into running PowerShell. Additional, unrelated threat reporting included a **NuGet** supply-chain attack (typosquatted `NCryptYo` plus companion packages) targeting ASP.NET Identity data and enabling backdoored authorization rules, and malicious Chrome extensions using a “**Promise Bomb**” browser-crash technique to drive users to run fake “CrashFix” PowerShell steps. Several other items were generic commentary/roundups (data breach trends, quantum preparedness, Enigma history, NATO public opinion polling, recon how-to, and a malware-newsletter link list) and do not add event-specific intelligence.
Mar 21, 2026
Weekly security roundups highlight exploited enterprise vulnerabilities and energy-sector attacks
The items provided are **editorial roundups/newsletters** aggregating multiple, unrelated security stories rather than reporting a single discrete incident. Across the roundups, recurring high-priority themes include **actively exploited vulnerabilities** (e.g., Microsoft Office zero-day `CVE-2026-21509`, Fortinet SSO authentication bypass `CVE-2026-24858`, and a critical SmarterMail code-execution flaw), plus broader reporting on exploitation activity (e.g., nation-state and criminal use of a WinRAR flaw) and supply-chain/package-manager risk (e.g., “PackageGate” bypass issues affecting NPM/PNPM/VLT/Bun). These are not marketing/event promotions, but they are **not a cohesive single event**; they function as curated link collections. The roundups also surface operational threat activity, including reporting that **Poland faced disruptive/wiper-style attacks against energy-related systems** in late December 2025 (targeting combined heat and power plants and renewable-energy management systems), and multiple malware/campaign writeups (e.g., KONNI using AI to generate PowerShell backdoors, Android trojan delivery via Hugging Face hosting, and other multi-stage Windows malware and extension-based abuse). For CISOs, the actionable takeaway is to treat the referenced **KEV-listed and in-the-wild exploited** issues as patch/mitigation priorities while monitoring energy-sector TTPs and malware delivery trends highlighted in the linked research.
Mar 21, 2026