Weekly Cyber Threat Intelligence Roundup: Microsoft Patch Tuesday, FortiSIEM Exploitation, and Emerging Malware/Phishing Trends
A weekly threat-intelligence roundup highlighted Microsoft’s January Patch Tuesday release addressing 112 vulnerabilities across Windows and Microsoft Edge, spanning multiple classes including elevation of privilege, remote code execution, and information disclosure. The same briefing reported active interest in CVE-2025-64155, a critical FortiSIEM vulnerability, with observed exploitation activity against honeypot environments following an out-of-band alert from Kroll Threat Intelligence—an indicator of likely broader scanning and attempted exploitation.
The update also covered multiple threat developments: Check Point research described VOIDLINK, a Linux-focused malware framework (implants/rootkits/loaders) designed for long-term access, including in cloud environments; North Korean-linked KTA082 (Kimsuky/APT43) was reported using QR-code phishing (“quishing”) to target government, education, and think tanks; and Iran-linked KTA060 (MuddyWater) was associated with development of the RUSTYWATER RAT. Separately, detection-engineering updates noted new and refined rules for OAuth/Entra ID consent phishing patterns (including ConsentFix-style authorization flows), correlations between Entra ID risk events and privileged actions (e.g., PIM elevation/device-code auth), Windows persistence/defense-evasion behaviors (e.g., scheduled tasks by unsigned executables, Chrome security feature tampering), and updated YARA/behavioral detections for malware families (e.g., Agent Tesla, MintsLoader) and Cobalt Strike TTPs; the briefing also referenced a leak of a database purportedly containing ~324,000 BreachForums user records posted to shinyhunte[.]rs.
Related Stories

Weekly Cyber Threat Roundups Highlight Linux Fileless Malware, Office Zero-Day Exploitation, and Multiple Breach Claims
Multiple weekly threat roundups and research posts reported a mix of active exploitation, new malware tradecraft, and breach claims. Ukraine’s CERT reported that **APT28** rapidly weaponized a Microsoft Office zero-day (**CVE-2026-21509**) within roughly a day of Microsoft’s disclosure, using spearphishing emails with malicious DOC lures to deliver **Covenant** backdoors against Ukrainian government targets and EU-related entities. Separately, researchers described **ShadowHS**, a stealthy **fileless Linux** post-exploitation framework that runs in memory (e.g., via `memfd`-style execution), uses encrypted multi-stage loading (AES-256-CBC), fingerprints defensive tooling (including major EDR agents), and retains operator-driven capabilities such as credential theft, lateral movement, and covert tunneling for exfiltration. Other reporting highlighted incident and exposure claims and defensive takeaways. Check Point described a **supply-chain compromise** affecting *eScan* (MicroWorld Technologies) in which malicious updates were pushed through the legitimate updater, prompting an emergency shutdown of global update services; it also noted that **Crunchbase** confirmed a breach affecting **2M+ records** claimed by **ShinyHunters**, and cited extortion/leak claims involving **Qilin** (Tulsa International Airport) and **WorldLeaks** (Nike). Google’s legal/technical disruption of the **IPIDEA** residential proxy network was also cited as reducing available proxy nodes by millions and cutting off C2 domains used to route attacker traffic.
Additional coverage described a phishing chain using a fake DHL invoice to abuse a signed Java utility via **DLL sideloading** (malicious `jli.dll`) and **process hollowing** into `AddInProcess32.exe` to run **Phantom Stealer**; detection-engineering updates emphasized new rules for Windows defense-evasion (e.g., tampering with Credential Guard/HVCI, disabling AMSI and the vulnerable driver blocklist) and expanded Kubernetes and Linux post-exploitation detections.
1 month ago
Mixed threat reporting: APT campaigns, malware delivery via compromised web assets, and ransomware exploitation
The provided items do not describe a single cohesive cybersecurity event; they span multiple unrelated threat reports and opinion pieces. Notable incident-level reporting includes **APT28** activity in Western/Central Europe (“Operation MacroMaze”) using spear-phishing lures with Office macros that beacon via `INCLUDEPICTURE` to `webhook[.]site` and then execute VBScript/CMD/batch stages for persistence and follow-on payload delivery. Separately, **MuddyWater** (Iran/MOIS-linked) was reported running “Operation Olalampo” against organizations in the Middle East and Africa, delivering new custom malware (including a **Char** backdoor using a **Telegram bot** for C2) and, in some cases, attempting exploitation of public-facing servers in addition to phishing. Criminal activity and initial-access tradecraft were also covered across distinct stories: a DFIR case study described exploitation of **Apache ActiveMQ** `CVE-2023-46604` to gain RCE, conduct post-exploitation (Metasploit/Meterpreter, privilege escalation, LSASS access, lateral movement), and ultimately deploy **LockBit**-branded ransomware via RDP using previously stolen credentials (with indications that the payload was built using the leaked builder and that *Session* was used for communications). Multiple reports described malware delivery via compromised web assets and social engineering, including **GrayCharlie** injecting malicious JavaScript into WordPress sites to push **NetSupport RAT**, **Stealc**, and **SectopRAT** via fake updates/ClickFix-style CAPTCHAs, and a separate **ClickFix** campaign delivering a custom C++ RAT (**MIMICRAT**) through fake Cloudflare verification prompts that trick users into running PowerShell.
Additional, unrelated threat reporting included a **NuGet** supply-chain attack (typosquatted `NCryptYo` plus companion packages) targeting ASP.NET Identity data and enabling backdoored authorization rules, and malicious Chrome extensions using a “**Promise Bomb**” browser-crash technique to drive users to run fake “CrashFix” PowerShell steps. Several other items were generic commentary/roundups (data breach trends, quantum preparedness, Enigma history, NATO public opinion polling, recon how-to, and a malware-newsletter link list) and do not add event-specific intelligence.
3 weeks ago
Weekly security roundups highlight exploited enterprise vulnerabilities and energy-sector attacks
The items provided are **editorial roundups/newsletters** aggregating multiple, unrelated security stories rather than reporting a single discrete incident. Across the roundups, recurring high-priority themes include **actively exploited vulnerabilities** (e.g., Microsoft Office zero-day `CVE-2026-21509`, Fortinet SSO authentication bypass `CVE-2026-24858`, and a critical SmarterMail code-execution flaw), plus broader reporting on exploitation activity (e.g., nation-state and criminal use of a WinRAR flaw) and supply-chain/package-manager risk (e.g., “PackageGate” bypass issues affecting NPM/PNPM/VLT/Bun). These are not marketing/event promotions, but they are **not a cohesive single event**; they function as curated link collections. The roundups also surface operational threat activity, including reporting that **Poland faced disruptive/wiper-style attacks against energy-related systems** in late December 2025 (targeting combined heat and power plants and renewable-energy management systems), and multiple malware/campaign writeups (e.g., KONNI using AI to generate PowerShell backdoors, Android trojan delivery via Hugging Face hosting, and other multi-stage Windows malware and extension-based abuse). For CISOs, the actionable takeaway is to treat the referenced **KEV-listed and in-the-wild exploited** issues as patch/mitigation priorities while monitoring energy-sector TTPs and malware delivery trends highlighted in the linked research.
1 month ago