Cyber threats in the past week have highlighted a crucial shift: attackers no longer require sophisticated, large-scale breaches to inflict significant damage. Instead, they are increasingly targeting the everyday tools and software that organizations and individuals rely on, from network firewalls to browser extensions and smart TVs. This trend means that even seemingly minor vulnerabilities in commonly used systems can be exploited to cause substantial breaches.
The evolving threat landscape emphasizes that the real danger often lies not in a single, massive attack, but in the aggregation of hundreds of smaller, stealthy intrusions that leverage existing, trusted software and devices within a network. Any system left unpatched or overlooked can become a critical entry point for malicious actors, undermining overall cybersecurity defenses.
Network Security Products Under Attack Amidst Evolving Cyber Threats
Over the past week, multiple vendors of network security products, including Fortinet, SonicWall, Cisco, and WatchGuard, have reported that vulnerabilities in their products have been actively exploited in real-world attacks. Cisco, for instance, detailed how a critical flaw in its AsyncOS operating system, tracked as CVE-2025-20393, was abused by a China-nexus advanced persistent threat (APT) actor. The exploitation was used to deliver several malware strains, including ReverseSSH, Chisel, AquaPurge, and AquaShell, to compromised systems. The vulnerability remains unpatched and continues to pose a risk.
Similarly, SonicWall reported observed attacks leveraging CVE-2025-40602, a local privilege escalation vulnerability affecting its Secure Mobile Access (SMA) 100 series appliances. Chained with CVE-2025-23006 (CVSS score 9.8), the flaw enables unauthenticated remote code execution with root privileges. The heightened targeting of firewalls and edge appliances is driven by their strategic position: a compromised edge device gives attackers broad visibility into network traffic, VPN connections, and downstream systems, and it often sits outside the coverage of endpoint security tooling.
Top Cybersecurity News and Global Campaigns
In a significant privacy concern, Urban VPN Proxy, a popular Chrome and Edge browser extension with over 7.3 million installations, was found to be covertly harvesting user prompts entered into numerous AI chatbots. These included prominent services like OpenAI’s ChatGPT, Anthropic’s Claude, Microsoft Copilot, Google Gemini, and xAI’s Grok. Three other extensions from the same developer also exhibited similar data-gathering capabilities, collectively installed more than eight million times. These extensions have since been removed from the Chrome Web Store.
The threat actor known as Ink Dragon, also identified as Jewelbug or Earth Alux, has intensified its focus on governmental targets in Europe since July 2025, while maintaining operations in Southeast Asia and South America. This campaign has affected numerous victims, including government entities and telecommunications companies across multiple continents. Ink Dragon’s strategy involves not just data theft, but actively repurposing compromised victims to support ongoing attacks against other targets, creating a self-sustaining infrastructure that obscures attack origins.
A new botnet named Kimwolf has emerged, reportedly controlling approximately 1.8 million Android TVs globally, with significant concentrations in Brazil, India, and the U.S. Kimwolf is believed to share origins with the AISURU botnet, previously linked to large-scale DDoS attacks. Researchers suggest that code was shared during early development, with Kimwolf later evolving to evade detection. QiAnXin XLab noted that Kimwolf might be collaborating with AISURU, or even be the operator behind some of the DDoS operations attributed to it.
A previously undocumented China-aligned threat cluster, dubbed LongNosedGoblin, has been linked to cyberattacks targeting governmental entities in Southeast Asia and Japan. The group’s primary tactic involves exploiting Group Policy to distribute malware across compromised networks and utilize cloud services for communication with infected endpoints via a backdoor known as NosyDoor. This threat cluster is believed to have been active since at least September 2023, with initial access methods remaining unknown.
North Korea’s Kimsuky threat actor has been associated with a new campaign distributing an Android data-gathering malware variant named DocSwap. This malware is disseminated through QR codes hosted on phishing sites that mimic the Seoul-based logistics firm CJ Logistics. The malicious apps are disguised as package delivery service applications. Attacks often begin with smishing texts or phishing emails impersonating delivery companies, directing recipients to click on booby-trapped URLs. A notable aspect of this attack is its QR code-based mobile redirection, prompting users on desktop computers to scan a QR code to install the supposed shipment tracking app on their Android devices.
Trending Vulnerabilities (CVEs)
Hackers are adept at exploiting new vulnerabilities shortly after disclosure, making timely patching crucial. This week’s notable security flaws include CVE-2025-14733 (WatchGuard), CVE-2025-11901, CVE-2025-14302, CVE-2025-14303, CVE-2025-14304 (pre-boot DMA protection bypass), CVE-2025-37164 (HPE OneView Software), CVE-2025-59374 (ASUS Live Update), CVE-2025-20393 (Cisco AsyncOS), CVE-2025-40602 (SonicWall SMA 100 Series), CVE-2025-66430 (Plesk), CVE-2025-33213 (NVIDIA Merlin Transformers4Rec for Linux), CVE-2025-33214 (NVIDIA NVTabular for Linux), CVE-2025-54947 (Apache StreamPark), CVE-2025-13780 (pgAdmin), CVE-2025-34352 (JumpCloud Agent), CVE-2025-14265 (ConnectWise ScreenConnect), CVE-2025-40806, CVE-2025-40807 (Siemens Gridscale X Prepay), CVE-2025-32210 (NVIDIA Isaac Lab), CVE-2025-64374 (Motors WordPress theme), CVE-2025-64669 (Microsoft Windows Admin Center), CVE-2025-46295 (Apache Commons Text), CVE-2025-68154 (systeminformation), and CVE-2025-14558 (FreeBSD). Additionally, cross-site scripting and information disclosure flaws were identified in Roundcube Webmail.
Around the Cyber World
The U.S. Federal Bureau of Investigation (FBI) has issued a warning regarding ongoing campaigns since at least 2023 where malicious actors impersonate senior U.S. government officials. These actors use smishing (SMS phishing) and vishing (voice phishing) techniques via text and AI-generated voice messages to establish rapport with targeted individuals, often family members or personal acquaintances of officials. The attackers then prompt the victims to move communication to encrypted mobile messaging apps, where they request authentication codes to sync with the victim’s contact list, obtain Personally Identifiable Information (PII) and sensitive documents, or solicit money transfers under false pretenses.
Austrian privacy non-profit noyb has filed complaints against TikTok, AppsFlyer, and Grindr, alleging unlawful cross-app user tracking in violation of the GDPR. According to noyb, a user discovered that data from their Grindr usage was shared with TikTok, likely through the tracking company AppsFlyer, enabling TikTok to infer information about their sexual orientation. TikTok initially withheld this data, which noyb states violates GDPR Article 15 (the right of access), before eventually revealing the extent of the sharing, including app usage and in-app activities.
A new malware-as-a-service (MaaS) information stealer, AuraStealer, is being distributed through ‘Scam-Yourself’ campaigns, luring victims via TikTok videos disguised as product activation guides. Gen Digital reports that the commands users are told to run for activation instead download and execute the malicious payload. AuraStealer also spreads through cracked games and software, and employs numerous anti-analysis and obfuscation techniques. It is capable of harvesting credentials, cryptocurrency wallets, session tokens, and system metadata from a range of sources.
The threat actor known as Blind Eagle continues to target Colombian institutions, with recent phishing attacks aimed at agencies under the Ministry of Commerce, Industry and Tourism (MCIT). These sophisticated attacks utilize an off-the-shelf loader named Caminho to deliver DCRat malware. Emails are sent from compromised internal accounts, employing a legal-themed design referencing labor lawsuits to pressure recipients into opening malicious attachments.
A large-scale Business Email Compromise (BEC) collective, operating under the name Scripted Sparrow, is reportedly distributing over three million email messages monthly and refining its social-engineering tactics. Fortra notes the group’s operations suggest significant automation, using both free webmail addresses and registered domains for their campaigns. Scripted Sparrow impersonates executive coaching and leadership training consultancies, having registered numerous domains and utilized hundreds of bank accounts for financial transfers.
A study by Belgian researchers has revealed that a majority of smart devices, including smart TVs and e-readers, ship with embedded web browsers that are significantly outdated, sometimes up to three years behind current versions. This is linked partly to development frameworks such as Electron, which bundle a fixed Chromium build with the application, so the browser engine is only updated when the vendor ships a new application build. Unpatched flaws in these engines expose users to phishing and other attacks.
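The stale-engine problem above is easy to surface from any log that records User-Agent strings, because Chromium-based engines (including Electron) advertise their Chrome major version there. The following is an added example, not code from the page or from the study it describes: it parses constructed sample log lines, extracts the Chrome and Electron major versions, and flags devices whose engine is more than a chosen number of major releases behind a reference version. The reference major (131) and the threshold of 12 majors are assumptions for the example; set them from the current Chromium release when you run it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed reference Chromium major at the time of the check (adjust before use).
CURRENT_CHROMIUM_MAJOR = 131
# Flag engines more than this many majors behind (Chromium ships roughly monthly,
# so 12 majors is about a year of missed security fixes).
MAX_MAJORS_BEHIND = 12

# Chromium-based engines advertise "Chrome/<major>.<...>"; Electron builds add "Electron/<major>.<...>".
CHROME_RE = re.compile(r"\bChrome/(\d+)\.")
ELECTRON_RE = re.compile(r"\bElectron/(\d+)\.")


@dataclass
class Finding:
    device: str
    chrome_major: int
    electron_major: Optional[int]
    majors_behind: int


def chrome_major(user_agent: str) -> Optional[int]:
    """Return the Chrome/Chromium major version from a User-Agent, or None."""
    m = CHROME_RE.search(user_agent)
    return int(m.group(1)) if m else None


def electron_major(user_agent: str) -> Optional[int]:
    """Return the Electron major version if the UA is an Electron build, else None."""
    m = ELECTRON_RE.search(user_agent)
    return int(m.group(1)) if m else None


def stale_devices(log_lines: List[str],
                  current: int = CURRENT_CHROMIUM_MAJOR,
                  max_behind: int = MAX_MAJORS_BEHIND) -> List[Finding]:
    """Flag log entries whose embedded Chromium engine is too far behind `current`.

    Constructed log format (one entry per line): "<device-name>\t<user-agent>".
    Entries without a Chrome token (e.g. WebKit-only browsers) are skipped rather
    than flagged, since their version cannot be compared on this scale.
    """
    findings = []
    for line in log_lines:
        device, _, ua = line.partition("\t")
        major = chrome_major(ua)
        if major is None:
            continue
        behind = current - major
        if behind > max_behind:
            findings.append(Finding(device, major, electron_major(ua), behind))
    return findings


# Constructed sample log: a smart TV, an Electron-based e-reader app, an up-to-date
# laptop, and a WebKit-only phone browser that carries no Chrome token.
SAMPLE_LOG = [
    "living-room-tv\tMozilla/5.0 (Linux; Android 9; SMART-TV) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/90.0.4430.210 Safari/537.36",
    "ereader-01\tMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/108.0.5359.215 Electron/22.3.27 Safari/537.36",
    "laptop-42\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36",
    "phone-07\tMozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 "
    "(KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1",
]

if __name__ == "__main__":
    for f in stale_devices(SAMPLE_LOG):
        tag = f" (Electron {f.electron_major})" if f.electron_major else ""
        print(f"{f.device}: Chrome {f.chrome_major}{tag}, {f.majors_behind} majors behind")
```

The Electron major is reported separately because it tells you which upstream project needs to ship the fix: an Electron 22 build cannot pick up newer Chromium patches without the vendor moving to a newer Electron release, so the finding is a vendor-update request rather than a local patching task.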
Denmark’s Defence Intelligence Service (DDIS) has blamed Russia for destructive cyber attacks, including an incident targeting a water utility in 2024 and distributed denial-of-service (DDoS) attacks on Danish websites leading up to the 2025 municipal elections. The attacks are attributed to pro-Russian hacktivist groups Z-Pentest and NoName057(16), which the DDIS asserts are instruments of Russia’s hybrid warfare strategy to foster insecurity and undermine Western support for Ukraine.
Russian manufacturing companies have become targets for a threat actor known as Arcane Werewolf (Mythic Likho). Campaigns in October and November 2025 likely used phishing emails containing links to malicious archives hosted on attacker servers, directing victims to spoofed websites of Russian manufacturing firms. The ultimate goal is to deploy a custom implant named Loki 2.1 via a Go-based dropper and PowerShell code embedded in a Windows shortcut file.
The RansomHouse ransomware group, also known as Jolly Scorpius, has upgraded its file encryption process to use two distinct encryption keys per file, significantly increasing the difficulty of decryption without both keys. Active since December 2021, the group lists 123 victims on its data leak site and utilizes a tool called MrAgent for persistent access and scaled management of compromised hosts, including deployment of the Mario encryptor for ESXi hypervisor VM files.
The emergence of large language models (LLMs) is accelerating the ransomware lifecycle, according to SentinelOne. LLMs are enhancing speed, volume, and multilingual reach across reconnaissance, phishing, tooling assistance, data triage, and negotiation. Criminals are increasingly using uncensored ‘dark LLMs’ and employing techniques to bypass guardrails, suggesting a commoditization of malicious code generation and AI-driven cybercrime services. This trend is lowering the barrier to entry for cybercrime and blurring the lines between nation-state and criminal activity.
TikTok has finalized an agreement to move a substantial portion of its U.S. business into a new joint venture, TikTok USDS Joint Venture LLC. The deal, effective January 22, 2026, involves investors Oracle, Silver Lake, and MGX, who will collectively own 45% of the U.S. operation, with ByteDance retaining a near 20% share. This entity will be responsible for U.S. data protection, algorithm security, and content moderation, with Oracle serving as the trusted security partner. This move is a result of U.S. national security concerns requiring ByteDance to divest TikTok’s U.S. operations.
A large-scale Android adware campaign, dubbed GhostAd, has targeted users in the Philippines, Pakistan, and Malaysia. Distributed through 15 apps on Google Play disguised as utility tools, GhostAd creates a persistent background advertising engine that consumes battery and mobile data even after device reboots. The campaign utilizes multiple legitimate advertising SDKs in ways that violate fair-use policies, continuously loading and refreshing ads in the background. These apps have since been removed by Google.
Texas Attorney General Ken Paxton has filed a lawsuit against TV manufacturers Sony, Samsung, LG, Hisense, and TCL, accusing them of spying on customers and illegally collecting data through Automatic Content Recognition (ACR) technology. The lawsuit alleges that ACR software can capture screenshots of television displays, monitor viewing activity in real time, and transmit this information to the companies without user knowledge or consent.
Check Point has highlighted dark web advertisements seeking to recruit insiders within organizations, particularly in the financial sector, cryptocurrency firms, and major corporations like Accenture and Netflix. These enticing offers range from $3,000 to $15,000 for access to corporate networks, devices, or cloud environments. Disabling defenses, leaking credentials, or providing privileged information by insiders significantly complicates attack prevention.
Synacktiv researchers have disclosed multiple vulnerabilities in the strategy game Anno 1404. When chained together, these flaws allow for arbitrary code execution within the game’s multiplayer mode, posing a security risk to those who play online.
A Facebook ad campaign used to distribute the compiled V8 JavaScript malware, JSCEAL, has evolved. Attackers have adopted a revamped command-and-control (C2) infrastructure, enhanced anti-analysis safeguards, and an updated script engine for greater stealth. The campaign now uses a broader variety of top-level domains and implements stricter filtering, requiring a specific PowerShell User-Agent for access and delivering the payload in stages.
Nathan Austad, 21, has pleaded guilty to hacking thousands of user accounts at an unnamed fantasy sports and betting website and selling access to them. In a credential stuffing attack launched in November 2022, Austad and co-conspirators compromised approximately 60,000 accounts using username and password pairs leaked in breaches of other services. They allegedly added their own payment methods to victim accounts to withdraw existing funds, stealing an estimated $600,000 from about 1,600 accounts. Access to the remaining compromised accounts was then sold online.
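Credential stuffing has a distinctive signature that separates it from a user mistyping a password or from a brute-force attack on one account: a single source tries many different usernames, usually once each, in a short window, and a small fraction succeed. The following is an added example, not code from the page or from the case it describes: it runs a sliding-window check over constructed authentication events, flags source IPs that attempt at least a threshold number of distinct usernames within the window, and lists the accounts that logged in successfully from such a source, since those are the ones to force a password reset on and to check for newly added payment methods. The window (10 minutes) and threshold (5 distinct users) are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample events: (ISO timestamp, source IP, username, outcome).
# 203.0.113.7 sprays six different accounts in six seconds and gets two in;
# 198.51.100.4 is a legitimate user who fails twice on their own account.
SAMPLE_EVENTS: List[Tuple[str, str, str, str]] = [
    ("2022-11-18T02:00:01", "203.0.113.7", "alice", "fail"),
    ("2022-11-18T02:00:02", "203.0.113.7", "bob", "fail"),
    ("2022-11-18T02:00:03", "203.0.113.7", "carol", "success"),
    ("2022-11-18T02:00:04", "203.0.113.7", "dave", "fail"),
    ("2022-11-18T02:00:05", "203.0.113.7", "erin", "fail"),
    ("2022-11-18T02:00:06", "203.0.113.7", "frank", "success"),
    ("2022-11-18T02:05:00", "198.51.100.4", "alice", "fail"),
    ("2022-11-18T02:05:30", "198.51.100.4", "alice", "fail"),
    ("2022-11-18T02:06:00", "198.51.100.4", "alice", "success"),
    ("2022-11-18T03:30:00", "203.0.113.7", "gina", "fail"),
]


def detect_credential_stuffing(events: List[Tuple[str, str, str, str]],
                               window: timedelta = timedelta(minutes=10),
                               min_distinct_users: int = 5) -> Dict[str, dict]:
    """Flag source IPs that attempt >= min_distinct_users usernames within `window`.

    For each IP the events are sorted and scanned with a sliding window; the alert
    records the window with the largest number of distinct usernames, the total
    attempts in it, and the accounts that authenticated successfully from that IP
    inside it. Repeated failures on a single account do not trigger an alert.
    """
    by_ip: Dict[str, List[Tuple[datetime, str, str]]] = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome))

    alerts: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            users = {u for _, u, _ in window_evs}
            if len(users) < min_distinct_users:
                continue
            # Keep the widest spray seen for this IP.
            if ip in alerts and alerts[ip]["distinct_users"] >= len(users):
                continue
            alerts[ip] = {
                "window_start": window_evs[0][0].isoformat(),
                "window_end": window_evs[-1][0].isoformat(),
                "distinct_users": len(users),
                "attempts": len(window_evs),
                "compromised": sorted({u for _, u, o in window_evs if o == "success"}),
            }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_credential_stuffing(SAMPLE_EVENTS).items():
        print(f"{ip}: {alert['distinct_users']} accounts in {alert['attempts']} attempts "
              f"({alert['window_start']} .. {alert['window_end']}), "
              f"successful logins: {alert['compromised']}")
```

The attempts-to-distinct-users ratio near 1 is the tell: a legitimate user retrying a forgotten password produces many attempts on one account, whereas a stuffing run produces roughly one attempt per account. In production the source key should include proxy and ASN context, since stuffing tooling routinely rotates through residential proxies to stay under a per-IP threshold.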
The number of critical Common Vulnerabilities and Exposures (CVEs) reported in 2025 fell to 3,753, down from 4,629 in 2023 and 4,283 in 2024, even though the total number of CVEs exceeded 40,000. VulnCheck notes that only about 25.9% of the 43,002 CVEs published in 2025 carry a CVSS v4 score, and attributes the limited adoption of the newer scoring system to resource constraints and to major CVE publishers seeing little value in it.
A new Amadey malware loader campaign has abused a compromised self-hosted GitLab instance to distribute the StealC infostealer. Trellix analysis indicates that threat actors are hijacking abandoned GitLab servers to build legitimate-looking payload distribution infrastructure, relying on the servers’ existing domains and valid TLS certificates to evade reputation-based filtering. Evidence suggests that either individual user accounts or the servers themselves have been compromised.
U.S. authorities have seized the servers and infrastructure of the E-Note cryptocurrency exchange for allegedly laundering over $70 million from ransomware and account takeover attacks since 2017. The operator, Mykhalio Petrovich Chudnovets, a Russian national, has been indicted on conspiracy to launder monetary instruments. This action is part of a broader law enforcement effort to dismantle services that facilitate money laundering for cybercriminals.
Conclusion
The past week’s cybersecurity landscape has underscored the erosion of traditional network perimeters, making proactive defense and accountability paramount. Every device, application, and cloud service now plays a role in an organization’s security posture. Consequently, rapid patching, continuous verification of running software, and scrutiny of default settings have moved from routine maintenance to essential survival skills. As threat actors become more adaptive, resilience will depend on awareness and swift action before an intrusion spreads, rather than on clean-up after the fact. Maintaining visibility, prioritizing risk reduction through updates, and recognizing that most breaches originate from seemingly ordinary, unchecked elements are critical for sustained security.