The cybersecurity landscape remains a dynamic and often perilous environment, with attackers constantly evolving their tactics. This week’s developments highlight the ingenuity of threat actors, the significant risks posed by overlooked vulnerabilities, and the persistent exploitation of well-established tools. From sophisticated honeypot operations to widespread malware campaigns and critical infrastructure attacks, staying informed is paramount for individuals and organizations alike to navigate the evolving threat landscape. This analysis delves into the most significant cybersecurity events of the past week.
Resecurity’s Honeypot Catches Claimed LAPSUS$ Affiliate
Cybersecurity firm Resecurity announced on January 8, 2026, that it successfully lured threat actors, who claimed affiliation with the Scattered LAPSUS$ Hunters (SLH) group, into a meticulously crafted trap. The operation began after SLH posted on Telegram alleging a data breach of Resecurity’s internal and client information. Resecurity responded by deploying a honeypot account filled with synthetic data designed to mimic real business information. This decoy was placed on an underground marketplace for compromised credentials after the company detected malicious activity targeting its systems in November 2025. The threat actor also targeted an employee without sensitive or privileged access, leading to a successful login to the emulated application containing the fake data. Between December 12 and December 24, the threat actor initiated over 188,000 requests to exfiltrate the synthetic data. The SLH group later removed their breach announcement from Telegram. Resecurity stated the exercise identified the threat actor and linked a Gmail account to a U.S. phone number and a Yahoo account. Meanwhile, CYFIRMA reports indicate that the SLH collective is actively recruiting initial access brokers, insider collaborators, and seeking corporate credentials, with unverified mentions of legacy brands like LizardSquad potentially serving as an intimidation tactic.
GeoServer Vulnerabilities Fuel Cryptocurrency Mining Operations
Threat actors are actively exploiting a known vulnerability in GeoServer, identified as CVE-2024-36401, to distribute the XMRig cryptocurrency miner through PowerShell commands. AhnLab reported that alongside GeoServer, the same threat actors are also deploying coin miners to WegLogic servers, suggesting a pattern of targeting publicly exposed, vulnerable services. Further analysis by AhnLab indicates that two other threat actors have leveraged this flaw to deliver cryptocurrency miners, as well as AnyDesk for remote access and a custom downloader malware named “systemd.” These actors are specifically targeting environments where GeoServer is installed, installing various coin miners and utilizing NetCat to potentially install additional malware or steal system information.
CISA’s Known Exploited Vulnerabilities Catalog Sees Significant Expansion
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) significantly expanded its Known Exploited Vulnerabilities (KEV) catalog in 2025, adding 245 new vulnerabilities. This brings the total number of high-risk flaws to 1,484, representing approximately a 20% increase from the previous year. For comparison, CISA added 187 vulnerabilities in 2023 and 185 in 2024. Of the newly added flaws, 24 were specifically exploited by ransomware groups. Major technology vendors including Microsoft, Apple, Cisco, Fortinet, Google Chromium, Ivanti, Linux Kernel, Citrix, D-Link, Oracle, and SonicWall accounted for 105 of the total additions. Cyble research indicates the oldest vulnerability added to the KEV catalog in 2025 was CVE-2007-0671, a Microsoft Office Excel Remote Code Execution vulnerability. The oldest vulnerability in the entire catalog remains CVE-2002-0367, a privilege escalation vulnerability in Windows NT and 2000’s “smss.exe” debugging subsystem, known to be used in ransomware attacks.
AI Copyright Lawsuit Intensifies with ChatGPT Log Disclosure Order
OpenAI has been ordered by a U.S. federal judge to hand over 20 million anonymized ChatGPT logs as part of a consolidated AI copyright lawsuit. The company’s attempt to dismiss a magistrate judge’s order, citing insufficient consideration of privacy concerns, was unsuccessful. The lawsuit, filed by major news publishers including The New York Times and Chicago Tribune, centers on the allegation that copyrighted works were used without consent or payment to train ChatGPT. OpenAI maintains that AI training constitutes fair use and states the provided data has undergone de-identification processes with strict access controls. The plaintiffs also allege that OpenAI destroyed “relevant output log data” by failing to halt deletion practices during the litigation period, which they claim was an effort to evade copyright claims.
Taiwan Reports Tenfold Increase in Cyberattacks Targeting Energy Sector
Taiwan’s National Security Bureau reported a significant escalation in cyberattacks originating from China, with a tenfold increase in assaults targeting the nation’s energy sector in 2025 compared to the previous year. The bureau recorded a total of 960,620,609 cyber intrusion attempts directed at Taiwan’s critical infrastructure, attributing them to China’s cyber army. These attacks impacted critical infrastructure across nine key sectors, including administration, energy, communications, transportation, emergency services, water resources, finance, science and industrial parks, and food. The energy and emergency rescue/hospital sectors experienced the most substantial year-on-year surge in attacks. Five Chinese hacking groups—BlackTech, Flax Typhoon, HoneyMyte, APT41, and UNC3886—are implicated in these activities, with a focus on probing network equipment and industrial control systems of Taiwanese energy companies to deploy malware. The National Security Bureau stated that China has integrated military, intelligence, industrial, and technological capabilities to enhance the depth and stealth of its cyberattacks, exploiting vulnerabilities in hospital systems for ransomware deployment and conducting adversary-in-the-middle attacks against communications companies.
Microsoft Reverses Planned Exchange Online Recipient Rate Limit
Microsoft announced on January 8, 2026, that it is indefinitely canceling its previously planned enforcement of a Mailbox External Recipient Rate Limit in Exchange Online. The measure was initially intended to combat abuse and prevent the misuse of the service for bulk spam and other malicious email activities. The company clarified that the existing Recipient Rate Limit and Tenant-level External Recipient Rate Limit in Exchange Online remain unchanged. Microsoft had initially announced the external recipient limit of 2,000 recipients per 24 hours, scheduled for enforcement in April 2026.
Stalkerware Founder Pleads Guilty in Rare Prosecution
Bryan Fleming, the founder of the stalkerware application pcTattletale, pleaded guilty on January 8, 2026, to operating the software from his home in Michigan. In May 2025, the company ceased operations after its website was defaced and data was leaked, stemming from a security flaw that exposed screenshots of hotel booking systems. This breach affected over 138,000 registered users. U.S. Homeland Security Investigations began probing pcTattletale in June 2021 for its alleged surreptitious spying on spouses and partners, despite its marketing as parental control and employee monitoring software. Fleming actively promoted the spyware on YouTube. He faces sentencing later this year, marking a significant instance of criminal prosecution for stalkerware purveyors. The U.S. previously saw a spyware conviction in 2014 with the case of Hammad Akbar.
Critical Hardcoded Token Vulnerability Disclosed in RustFS
A critical security vulnerability (CVSS score: 9.8, no CVE identifier assigned) has been disclosed in RustFS due to the implementation of gRPC authentication using a hard-coded static token. This token is publicly exposed in the source code repository, hard-coded on both client and server sides, non-configurable, and lacks a rotation mechanism, making it universally valid across all RustFS deployments. Attackers with network access to the gRPC port can utilize this token to execute privileged operations, including data destruction, policy manipulation, and cluster configuration changes. The vulnerability affects versions alpha.13 through alpha.77 and has been patched in version 1.0.0-alpha.78, released on December 30, 2025.
pkr_mtsi Packer Facilitates Widespread Malware Distribution
A Windows packer and loader named pkr_mtsi has been observed in large-scale malvertising and SEO-poisoning campaigns, distributing trojanized installers for legitimate software like PuTTY, Rufus, and Microsoft Teams. This malware enables initial access and flexible delivery of follow-on payloads, available in both executable (EXE) and dynamic-link library (DLL) formats. ReversingLabs noted that pkr_mtsi has been used to deliver various malware families, including Oyster, Vidar Stealer, Vanguard Stealer, and Supper, positioning it as a general-purpose loader. First detected in April 2025, the packer has shown consistent evolution with added obfuscation, anti-analysis, anti-debugging techniques, and evasive API resolution strategies.
Open WebUI Vulnerabilities Expose Users to Account Takeover and RCE
A high-severity security flaw (CVE-2025-64496, CVSS score: 7.3) has been disclosed in Open WebUI, versions 0.6.34 and older, affecting its Direct Connections feature. This feature allows users to connect to external AI model servers. Cato Networks reported that if a threat actor tricks a user into connecting to a malicious server, it can lead to account takeover attacks. With the ‘workspace.tools’ permission enabled, this flaw can result in remote code execution (RCE), allowing an attacker to control the system running Open WebUI. The issue was addressed in version 0.6.35, released on November 7, 2025. The attack hinges on a trust failure between untrusted model servers and the user’s browser session, where a crafted server-sent events message can trigger JavaScript execution, enabling attackers to steal authentication tokens stored in localStorage, granting them full access to the victim’s Open WebUI account, including chats, documents, and API keys.
Iranian Cyber Group MuddyWater Adapts Tactics Against Israeli and Azerbaijani Targets
The Iranian nation-state group MuddyWater has been observed conducting phishing attacks designed to deliver backdoors like Phoenix and UDPGangster. These are delivered via executable files disguised as PDF or DOC documents containing macro code, equipped with command execution and file upload/download capabilities. Reports indicate MuddyWater is reducing its reliance on off-the-shelf remote control programs and developing dedicated backdoors for targeted penetrations. The disguised content of these samples frequently references Israel and Azerbaijan, aligning with MuddyWater’s known targeting priorities.
ownCloud Warns Users to Enable MFA Amidst Data Exfiltration Concerns
File-sharing platform ownCloud has urged users to enable multi-factor authentication (MFA) to protect against compromised credentials being used to steal data. This warning follows a report from Hudson Rock highlighting a threat actor known as Zestix (aka Sentap) who is allegedly auctioning data exfiltrated from approximately 50 global enterprises via their corporate file-sharing portals. The Zestix campaign reportedly exploits the absence of MFA, with a typical workflow involving an employee downloading malicious files that deploy information-stealing malware. Stolen credentials are then used to access cloud file-sharing services like ShareFile, Nextcloud, and OwnCloud. Zestix is believed to be active in Russian-language forums since late 2024, motivated by financial gain and demonstrating ties to the FunkSec ransomware group.
GravityRAT Remote Access Trojan Analysis Reveals Cross-Platform Capabilities
ANY.RUN has published a detailed technical analysis of GravityRAT, a sophisticated remote access trojan (RAT) that has been targeting organizations and government entities since 2016. This multi-platform malware is designed to harvest sensitive data, including WhatsApp backups on Android devices, and incorporates advanced anti-analysis features. These include checks for BIOS versions, hypervisor artifacts, CPU core counts, and CPU temperature queries using Windows Management Instrumentation (WMI). The temperature check is noted as particularly effective in detecting virtualized environments. The use of GravityRAT is primarily attributed to a Pakistan-origin threat actor tracked as Transparent Tribe. On Windows, it is often distributed via spear-phishing emails with malicious Office documents, while on Android, it masquerades as a messaging platform and is spread through third-party sites or social engineering. ANY.RUN describes GravityRAT as having a modular architecture for infection and command-and-control operations.
Alleged Scam Empire Kingpin Chen Zhi Extradited to China
Cambodian authorities have arrested and extradited Chen Zhi, believed to be the mastermind behind a large transnational scam network in Asia, to China. Chen, 38, founder and chairman of Prince Group, was arrested on January 6, 2026, following the revocation of his Cambodian nationality. In October 2025, the U.S. Department of Justice (DoJ) indicted Chen and Prince Group for operating forced-labor scam compounds across Southeast Asia to conduct cryptocurrency fraud schemes. These scams, often referred to as “pig butchering” or romance baiting, involve building fake relationships before coercing victims into investing in fraudulent platforms. The operations reportedly utilize trafficked foreign nationals trapped under threat of violence. The U.K. and U.S. governments have sanctioned Prince Group as a transnational criminal organization. China’s Ministry of Public Security hailed the arrest as a significant achievement under China-Cambodia law enforcement cooperation, noting ongoing efforts with regional partners to combat telecom fraud. The UNODC estimates that scam victims worldwide lost between $18 billion and $37 billion in 2023, with criminal networks evolving at an unprecedented scale.
Phishing-as-a-Service Toolkit Usage Doubles in 2025
The number of phishing-as-a-service (PhaaS) toolkits doubled during 2025, with 90% of high-volume phishing campaigns leveraging these tools, according to Barracuda’s analysis. Notable PhaaS providers include Sneaky 2FA, CoGUI, Cephas, Whisper 2FA, and GhostFrame, which incorporate advanced anti-analysis measures and MFA bypass capabilities. PhaaS kits significantly lower the barrier to entry for attackers, enabling widespread, targeted phishing campaigns with minimal technical expertise. Common phishing themes observed included fake payment, financial, legal, digital signature, and HR-related messages. Novel techniques employed by these kits involve URL obfuscation, CAPTCHA integration, malicious QR codes, and the abuse of legitimate online platforms.
Zed IDE Suffers from Two Critical Remote Code Execution Flaws
Two high-severity security vulnerabilities (CVE-2025-68433, CVSS score: 7.8 and CVE-2025-68432, CVSS score: 7.8) have been disclosed in Zed IDE. These flaws allow for arbitrary code execution when loading or interacting with a maliciously crafted source code repository. Mindguard reported that CVE-2025-68433 exploits the IDE’s automatic loading of Model Context Protocol (MCP) settings from the workspace without user confirmation, enabling malicious projects to define MCP tools that execute arbitrary code. The second vulnerability involves the IDE implicitly trusting project-supplied Language Server Protocol (LSP) configurations, potentially leading to arbitrary command execution when a user opens a source code file in a repository. Zed released version 0.218.2-pre on December 14, 2025, to address these issues following responsible disclosure on November 14, 2025.
This week’s cybersecurity updates underscore the persistent and evolving nature of cyber threats. The successful operational security measures taken by companies like Resecurity, contrasted with the widespread exploitation of common vulnerabilities and the continued rise of sophisticated malware and scam operations, highlight the ongoing arms race between defenders and attackers. Users and organizations must remain vigilant, prioritize software updates, and implement robust security practices, such as multi-factor authentication, to mitigate emerging risks. ThreatsDay will return next Thursday with further insights into the week’s significant cybersecurity developments.