Jan 01, 2025Ravie LakshmananCybersecurity / Hacking News
The first ThreatsDay Bulletin of 2026 lands on a day that already feels symbolic — new year, new breaches, new tricks. If the past twelve months taught defenders anything, it's that threat actors don't pause for holidays or resolutions. They just evolve faster. This week's round-up shows how subtle shifts in behavior, from code tweaks to job scams, are rewriting what "cybercrime" looks like in practice.
Across the landscape, big players are being tested, familiar threats are mutating, and smaller stories are quietly signaling bigger patterns ahead. The trend isn't about one big breach anymore; it's about many small openings that attackers exploit with precision.
The pace of exploitation, deception, and persistence hasn't slowed; it's only become more calculated. Each update in this edition highlights how the line between normal operations and compromise is getting thinner by the week.
Here's a sharp look at what's moving beneath the surface of the cybersecurity world as 2026 begins.
-
KMSAuto malware scam busted
A Lithuanian national has been arrested for his alleged involvement in infecting 2.8 million systems with clipboard-stealing malware disguised as the KMSAuto tool for illegally activating Windows and Office software. The 29-year-old man has been extradited from Georgia to South Korea. "From April 2020 to January 2023, the hacker distributed 2.8 million copies worldwide of malware disguised as an illegal Windows license activation program (KMSAuto)," South Korean authorities said. "Through this malware, the hacker stole virtual assets worth approximately KRW 1.7 billion ($1.2 million) in 8,400 transactions from users of 3,100 virtual asset addresses." The suspect is alleged to have used KMSAuto as a lure to trick victims into downloading a malicious executable that functioned as a clipper malware.
-
Holiday ColdFusion exploit spree
A new "coordinated exploitation" campaign has been observed targeting Adobe ColdFusion servers over the Christmas 2025 holiday period. "The attack appears to be a single threat actor operating from Japan-based infrastructure (CTG Server Limited)," GreyNoise said. "This source was responsible for ~98% of attack traffic, systematically exploiting 10+ ColdFusion CVEs from 2023-2024." The activity originated from 8 unique IP addresses and leveraged over 10 different CVEs (CVE-2023-26359, CVE-2023-38205, CVE-2023-44353, CVE-2023-38203, CVE-2023-38204, CVE-2023-29298, CVE-2023-29300, CVE-2023-26347, CVE-2024-20767, and CVE-2023-44352) to target the U.S., Spain, India, Canada, Chile, Germany, Pakistan, Cambodia, Ecuador, and France. Some of the payloads deployed following the exploitation enable direct code execution, credential harvesting (by accessing "/etc/passwd"), and JNDI lookups.
-
Android tablets backdoored
Kaspersky said it discovered pre-installed malware on certain models of tablets running Android. The malware has been codenamed Keenadu. "It's a backdoor in libandroid_runtime.so," the Russian cybersecurity company said. While the company has yet to provide additional details, backdoors of this kind can allow remote access for data exfiltration, command execution, and other forms of post-exploitation.
-
AI jailbreak hub shut down
Reddit has taken the step of banning r/ChatGPTJailbreak, a community of over 229,000 users dedicated to finding workarounds and jailbreaks for safety filters and guardrails erected by developers of large language models (LLMs). Reddit said the "community was banned for violating Rule 8," which refers to any effort that could break the site or interfere with its normal use. "Do not interrupt the serving of Reddit, introduce malicious code onto Reddit, make it difficult for anyone else to use Reddit due to your actions, block sponsored headlines, create programs that violate any of our other API rules, or assist anyone in misusing Reddit in any way," the rule states. The move follows a WIRED report about how some chatbot users were sharing instructions on generating non-consensual deepfakes using photos of fully clothed women. Following the ban, the community has resurfaced at chatgptjailbreak.tech on a federated alternative called Lemmy. While the subreddit sprang forth as a red teaming hub for discussing AI jailbreaks, it goes without saying that content shared on the forum had the potential to trigger indirect prompt injections, given that the data (along with everything else posed on the platform) powers Reddit Answers, and serves as a real-time dataset for other models that leverage retrieval-augmented generation (RAG) techniques to incorporate new information. The development comes as prompt injections and jailbreaks continue to plague artificial intelligence (AI) systems, with actors, both good and bad, continuously exploring ways to circumvent protections put in place to prevent misuse. Indeed, a new study from Italy's Icaro Lab, Sapienza University of Rome, and Sant'Anna School of Advanced Studies found that adversarial poetic prompts have a higher attack-success rate (ASR) against LLMs and cause them to skirt contemporary safety mechanisms designed to block production of explicit or harmful content like child sex abuse material, hate speech, and instructions on how to make chemical and nuclear weapons. "When prompts with identical task intent were presented in poetic rather than prose form, the Attack Success Rate (ASR) increased from 8.08% to 43.07%, on average – a fivefold increase," researchers said.
-
Macs join GlassWorm hitlist
The supply chain campaign known as GlassWorm has resurfaced a fourth time with three suspicious extensions on the Open VSX marketplace that are designed to exclusively target macOS users. These extensions attracted 50,000 downloads. The primary objective of these extensions is to target over 50 browser extension wallets and steal funds. The names of the extensions are: studio-velte-distributor.pro-svelte-extension, cudra-production.vsce-prettier-pro, and Puccin-development.full-access-catppuccin-pro-extension. Conspicuously absent are the invisible Unicode techniques and the Rust binaries. "This time, the payload is wrapped in AES-256-CBC encryption and embedded in compiled JavaScript -- but the core mechanism remains the same: fetch the current C2 endpoint from Solana, execute what it returns," Koi said. "What's new is the target: code designed to replace hardware wallet applications with trojanized versions." As of December 29, 2025, the C2 server endpoints for the trojanized wallets are returning empty files, suggesting that the campaign is still under development. The targeting of Macs is intentional, as the devices are prevalent in cryptocurrency, Web3, and startup environments. The shift is complemented by the use of AppleScript for stealth execution instead of PowerShell and LaunchAgents for persistence. The malware, besides waiting for 15 minutes before activating its malicious behavior, is designed to facilitate the theft of iCloud Keychain database and developer credentials, such as GitHub tokens, npm tokens, and the contents of the ~/.ssh directory.
-
Regulators misled by cleanup tactic
With Meta attracting scrutiny for allowing scammers to advertise through its platform, a new report from Reuters found that the company attempted to fend off pressure from regulators to crack down on the threat by make scam ads and problematic content "not findable" when authorities search for them through its Ad Library, at the same time it launched an "enforcement blitz" to reduce the volume of offending ads. "To perform better on that test, Meta staffers found a way to manage what they called the 'prevalence perception' of scam ads returned by Ad Library searches, the documents show. First, they identified the top keywords and celebrity names that Japanese Ad Library users employed to find the fraudulent ads. Then they ran identical searches repeatedly, deleting ads that appeared fraudulent from the library and Meta's platforms," Reuters reported. "The tactic successfully removed some fraudulent advertising of the sort that regulators would want to weed out. But it also served to make the search results that Meta believed regulators were viewing appear cleaner than they otherwise would have." The search result cleanup effort was so successful that Japanese regulators did not enforce rules that would have otherwise required it to verify the identity of all its advertisers. The tactic was then added to its "general global playbook" to avoid regulatory scrutiny in other markets, including the U.S., Europe, India, Australia, Brazil, and Thailand, according to leaked internal documents. Meta has pushed back against the claims, stating the cleaning effort also helps to remove the ads from its systems as well.
-
Smart contract upgrade exploited
The decentralized intellectual property platform Unleash Protocol said it "detected unauthorized activity" involving its smart contracts that led to the withdrawal and transfer of user funds worth approximately $3.9 million, per blockchain security company PeckShield. "Our initial investigation indicates that an externally owned address gained administrative control via Unleash's multisig governance and carried out an unauthorized contract upgrade," it said. "This upgrade enabled asset withdrawals that were not approved by the Unleash team and occurred outside our intended governance and operational procedures." Once they were withdrawn, the assets were bridged using third-party infrastructure and transferred to external addresses. The incident originated within Unleash Protocol's governance and permission framework, the company added. The stolen funds have been deposited into the Tornado Cash cryptocurrency mixing service in the form of 1,337.1 ETH. Users are advised to refrain from interacting with Unleash Protocol contracts until further notice.
-
FTC fines Disney over COPPA
The U.S. Justice Department (DoJ) said Disney has agreed to pay a $10 million civil penalty as part of a settlement to resolve Federal Trade Commission (FTC) allegations that the entertainment giant violated children's privacy laws in connection with its YouTube video content. The FTC had argued that Disney failed to correctly designate YouTube video content as directed toward children, allowing the company to serve targeted ads on the platform and unlawfully collect their information without parental notice and consent. The order also bars Disney from operating on YouTube in a manner that violates child privacy laws in the U.S. and requires it to create a program that will ensure it properly complies with COPPA on YouTube going forward.
-
Fake glitch scam toolkit exposed
A new cybercrime tool called ErrTraffic allows threat actors to automate ClickFix attacks by generating fake glitches on compromised websites to induce a false sense of urgency and deceive users into following malicious instructions. Hudson Rock, which detailed the toolkit, said the "comprehensive software suite industrializes the deployment of ClickFix lures." The service, advertised by a threat actor named "LenAI," is a cross-platform threat capable of targeting Windows, macOS, Linux, and Android to deliver tailored payloads. The ErrTraffic control panel is a self-hosted PHP application that incorporates hard-coded exclusions for Commonwealth of Independent States (CIS) countries. Once set up, an attacker can connect the panel to compromised websites via a single line of HTML injection. This allows them to serve information stealers and Android banking trojans via ClickFix-style instructions that claim to fix the issue by installing a browser update, downloading a system font, or pasting something in the command prompt.
-
Magecart evolves into ID theft
Source Defense Research has flagged a new global Magecart campaign that hijacks checkout and account creation flows. The activity leverages modular, localized payloads targeting services like Stripe, Mollie, PagSeguro, OnePay, and PayPal. It "uses fake payment forms, phishing iframes, and silent skimming, plus anti-forensics tricks (hidden inputs, Luhn-valid junk cards)." The activity is also designed to steal credentials and personal information, enabling account takeovers and long-term persistence via rogue admin access. "This is Magecart evolving into [a] full identity compromise," it said.
-
Deniable cyber activism detailed
Hacktivist proxy operations refer to activities in which ideologically aligned, non-state cyber groups conduct disruptive operations that align with state geopolitical interests without requiring formal sponsorship, command-and-control, or direct tasking. These activities primarily rely on public claims, volunteer participation, and low-complexity techniques to impose psychological, political, and operational costs on adversaries while allowing the benefiting state to enjoy plausible deniability. "The model follows a consistent activation sequence: geopolitical trigger events such as sanctions, military assistance announcements, or diplomatic escalations are followed by rapid narrative mobilization in hacktivist communication channels, volunteer coordination, targeted disruptive activity (primarily DDoS attacks, defacement, and symbolic intrusions), and public amplification of claimed impact," CYFIRMA said. "Activity typically de-escalates once signalling objectives are achieved, distinguishing these operations from sustained cybercrime or espionage campaigns." The development comes as cyber operations have become an integral component to pursuing strategic geopolitical objectives. Under the Hacktivist Proxy Operations model, ideologically aligned cyber groups function as deniable instruments of pressure without direct control from the state. This allows hacktivist groups to apply disruptive force or shape narratives in a manner that gives the state a strategic advantage without assuming explicit responsibility.
-
OceanLotus adapts to Xinchuang
In 2022, the Chinese government ramped up a major initiative called Xinchuang that aims for technological self-reliance by replacing foreign hardware and software with domestic alternatives in key sectors like government and finance, with an aim to build an independent IT ecosystem and mitigate geopolitical risks. According to a new report from QiAnXin, the OceanLotus group has been targeting such domestic information innovation platforms and Windows systems using phishing lures containing desktop files, PDF documents, and Java Archive (JAR) files to download next-stage payloads. As of mid-2025, the threat actor was observed exploiting CVE-2023-52076 (CVSS score: 8.5), a remote code execution flaw impacting the Atril document viewer, to launch a desktop file that ultimately executes a Python downloader. "The ELF Trojan released by the OceanLotus group on indigenous innovation platforms has slight differences from traditional Linux ELF files," QiAnXin said. "This indigenous innovation Trojan achieves a precise compatibility attack by zeroing out the three bytes following the ELF file Magic Number (used to identify bitness, endianness, and version). This results in traditional Linux systems refusing to execute the file due to format errors, while the indigenous innovation platform can parse and run it normally. This carefully designed detail fully demonstrates OceanLotus's in-depth understanding of the underlying operation mechanism of domestic indigenous innovation systems." Also deployed by OceanLotus is a passive backdoor targeting IoT devices such as routers.
-
AWS key deletion delay risk
Researchers have found that AWS IAM eventual consistency creates a 4-second window that attackers can exploit, allowing them to leverage deleted AWS access keys. "The cause is eventual consistency in AWS Identity and Access Management and, if improperly handled, can be exploited by attackers to have access in your AWS environment, even after defenders believe credentials are revoked," OFFENSAI said. "The distributed nature of AWS infrastructure means that credential validation, caching layers, and edge services may create brief windows where revoked access keys remain temporarily valid. In short, the attacker can use a deleted set of access keys to create a new one, achieving persistence this way." To mitigate any potential security risks, AWS customers are advised to avoid long-term IAM access keys and instead use temporary credentials or leverage IAM roles and federation for programmatic access to AWS services.
-
New global proxy botnet uncovered
A new proxy network called IPCola ("ipcola[.]com") has claimed to offer more than 1.6 million unique IP addresses comprising IoT, desktop, and mobile devices from over 100 countries for sale. A majority of the infected devices are located in India, Brazil, Mexico, and the U.S. "IPCola is a non-KYC proxy provider, allowing anyone to sign up on the platform, deposit crypto, and [...] start using the proxies without restriction," Synthient said. "Like most platforms, IPCola allows users to purchase residential, datacenter, and ISP proxies, each with its own drawbacks and advantages." Further infrastructure analysis has revealed that the service is powered by GaGaNode, a decentralized bandwidth monetization service that enables users and publishers to earn cryptocurrency for their bandwidth or monetize other people's bandwidth. Users either have an option to run the standalone GaGaNode application or integrate into their apps a software development kit (SDK) that implements the proxy functionality. More significantly, the SDK facilitates remote code execution (RCE) on any device running the SDK, representing a major escalation of the threat. It's believed that a Chinese company named NuoChen is behind IPCola and its Chinese-only version, InstaIP.
-
Hidden ad fraud drains devices
A large-scale Android adware campaign has been observed silently draining resources and interfering with normal phone use through persistent background activity. The campaign, dubbed GhostAd, leverages a network of at least 15 Android applications on Google Play masquerading as harmless utility and emoji-editing tools. These apps were cumulatively downloaded millions of times, with one of the apps reaching the #2 spot in Google Play's "Top Free Tools" category. The names of some of the apps are Vivid Clean and GenMoji Studio. All these apps have since been removed from Google Play. "Behind their cheerful icons, these apps created a persistent background advertising engine – one that kept running even after users closed or rebooted their devices, quietly consuming battery and mobile data," Check Point said. Besides enabling persistent execution via a foreground service, the malware uses a JobScheduler to trigger ad-loading tasks every time it's terminated. The attacks appear to be concentrated around the Philippines, Pakistan, and Malaysia. "GhostAd integrates multiple legitimate advertising software development kits (SDKs), including Pangle, Vungle, MBridge, AppLovin, and BIGO, but uses them in a way that violates fair-use policies," the company said. "Instead of waiting for user interaction, the apps continuously load, queue, and refresh ads in the background, using Kotlin coroutines to sustain the cycle. This design quietly generates ad impressions and revenue, all while draining device resources." In a related development, DoubleVerify revealed details of a fraud scheme codenamed SkyWalk that uses innocent-seeming iOS gaming apps to charge advertisers for phony ad impressions. The operation uses a set of iOS games that serve ads inside invisible browser windows using the UniSkyWalking iOS mobile framework. "But when a user opens one, the app also secretly launches hidden websites on the user's iOS device," DoubleVerify said. "As the user plays 'Sushi Party' or 'Bicycle Race' in the app, the hidden sites run in the background, undetected, serving ads no one sees. Impressions are reported. Advertisers get billed. Not a single ad is viewed by a human."
-
Amazon thwarts DPRK job infiltration
Hackers affiliated with North Korea (aka DPRK) stole more than $2 billion worth of cryptocurrency in 2025, a significant increase from the roughly $1.3 billion recorded in 2024. This includes the record-breaking $1.5 billion Bybit heist in February 2025. Despite the overall jump in stolen cryptocurrency in 2025, the actual frequency of attacks conducted by North Korean hackers has declined. This drop in operational tempo in the wake of the Bybit hack is likely an attempt to focus on laundering the stolen cryptocurrency. At the same time, Pyongyang's crypto theft operations are increasingly relying on its IT workers to land jobs at cryptocurrency exchanges, custodians, and Web3 companies. While North Korea's effort to infiltrate Western companies with fake IT workers is well-known, 2025 may have been the first time the IT army has shifted from securing positions to posing as recruiters for crypto and other types of Web3 businesses. As part of these efforts, the threat actors run fake technical assessments that grant them unauthorized access to developer machines and ultimately steal credentials and source code, giving them remote access to target networks. The pervasive threat posed by the IT worker threat was exemplified recently by Amazon, which stopped more than 1,800 suspected North Korea operatives from joining its workforce since April 2024. "We've detected 27% more DPRK-affiliated applications quarter over quarter this year," the tech giant's chief security officer, Stephen Schmidt, said last month. In one case, Amazon said it caught an IT worker by identifying an "infinitesimal delay in the typed commands." The IT worker was hired by an Amazon contractor and was subsequently ousted from their systems within days. "For years, the regime has weaponized crypto theft as a revenue engine for weapons proliferation, sanctions evasion, and destabilizing activity," TRM Labs said. "What the last three years make unmistakably clear is that North Korea is the most sophisticated, financially motivated cyber operator in the crypto theft ecosystem."
The year starts with no pause, just new tricks and quieter attacks. Hackers are getting smarter, not louder. Each story here connects to a bigger shift: less noise, more precision. 2026 is already testing how alert we really are.
The threats that matter now don't shout. They blend in — until they don't.
from The Hacker News https://bit.ly/4956NT2
via IFTTT
