Daily Brief

Articles are listed below, each with a generated summary.

Total articles found: 12596

Checks for new stories every ~15 minutes

2026-01-13 23:06:33 bleepingcomputer MALWARE Ukrainian Defense Forces Targeted by PluggyApe Malware Campaign
Between October and December 2025, Ukraine's Defense Forces were targeted by a malware campaign delivering PluggyApe, a backdoor, through charity-themed messages. The campaign is attributed with medium confidence to the Russian threat group tracked as 'Void Blizzard' (also known as 'Laundry Bear'), which is known for targeting NATO states. Attackers used Signal and WhatsApp to send messages directing recipients to download malicious archives disguised as charity documents. PluggyApe is delivered via PIF files and achieves persistence through Windows Registry modifications, with enhanced features in its latest version. It communicates with command-and-control servers over MQTT-based protocols and retrieves server addresses from external sources such as rentry.co and pastebin.com. CERT-UA warns that mobile devices are increasingly targeted, with attackers exploiting compromised accounts and using legitimate Ukrainian telecom numbers to make their messages convincing. Indicators of compromise and the deceptive charity websites are detailed in CERT-UA's report to aid detection and prevention.
2026-01-13 22:13:04 bleepingcomputer MALWARE VoidLink Malware Targets Linux Cloud Servers with Advanced Features
Check Point researchers have identified VoidLink, a sophisticated Linux malware framework targeting cloud environments with custom loaders, implants, rootkits, and plugins. VoidLink, written in Zig, Go, and C, is designed for modern infrastructures and shows signs of active development, likely intended for commercial use. The malware can detect Kubernetes or Docker environments and adjust its behavior accordingly, although no active infections have been confirmed. VoidLink collects extensive system details and calculates a risk score, allowing attackers to tailor module behavior for stealth and effectiveness. Communication with operators is secured through a custom encrypted layer, disguising traffic as normal web or API activity to evade detection. The framework includes 35 plugins and employs rootkit modules to hide its presence, using advanced anti-analysis mechanisms to avoid forensic investigations. Check Point provides indicators of compromise and technical details to aid in detection and prevention efforts against this advanced threat.
2026-01-13 21:22:01 theregister VULNERABILITIES Vulnerabilities in AI Libraries Pose Remote Code Execution Risks
Security flaws were found in popular AI/ML Python libraries NeMo, Uni2TS, and FlexTok, affecting models with tens of millions of downloads on Hugging Face. The vulnerabilities allow remote code execution through poisoned metadata, exploiting Hydra's instantiate() function used for configuration management. Palo Alto Networks' Unit 42 identified these issues, prompting maintainers to issue warnings, fixes, and CVEs, although no active exploitation has been reported. Salesforce, Nvidia, and Apple, along with EPFL VILAB, have addressed these vulnerabilities by updating libraries and documentation to mitigate risks. The flaws expose a significant attack surface in AI/ML projects, as Hydra is used by nearly 50 libraries on Hugging Face, necessitating enhanced scrutiny of metadata handling. Meta has updated Hydra's documentation to warn users of potential RCE risks and recommended implementing a block-list mechanism, though it is not yet available in a release. Organizations utilizing these libraries should ensure they apply the latest patches and consider additional security measures to safeguard against potential exploitation.
2026-01-13 20:35:44 bleepingcomputer DATA BREACH Central Maine Healthcare Data Breach Affects Over 145,000 Individuals
Central Maine Healthcare (CMH) experienced a data breach affecting more than 145,000 individuals, including patients and employees, with hackers remaining undetected for over two months. The breach impacted the CMH network, which serves over 400,000 people across multiple hospitals, posing significant risks to personal data security. Exposed data includes sensitive patient and employee information, potentially leading to increased risks of phishing, impersonation, and fraud for those affected. CMH promptly notified impacted individuals and continued updates as the investigation progressed, concluding the analysis in November 2025. Affected individuals are advised to monitor healthcare and insurance statements for unauthorized services and report discrepancies immediately. CMH has established a dedicated support line for inquiries and is providing free credit monitoring services to mitigate potential financial fraud risks. No threat actor has publicly claimed responsibility for the breach, leaving the source of the attack currently unidentified.
2026-01-13 20:29:11 bleepingcomputer CYBERCRIME Cyberattack Forces Belgian Hospital AZ Monica to Shut Down Servers
Belgian hospital AZ Monica experienced a cyberattack, leading to the shutdown of all servers and cancellation of scheduled medical procedures. Critical patients were transferred to other hospitals with assistance from the Red Cross, as emergency services operated at reduced capacity. The cyberattack disrupted access to digital medical files, impacting non-urgent consultations and hospital operations. Hospital officials have informed patients and are maintaining necessary care for those already admitted, while visitors remain welcome. Authorities, including police and prosecutors, have been notified and are currently investigating the incident. The hospital continues to monitor the situation closely and will provide updates as new information emerges. While the nature of the attack remains unspecified, local reports suggest a potential ransom demand, though this is unconfirmed.
2026-01-13 19:59:56 bleepingcomputer VULNERABILITIES Microsoft Initiates Automatic Update for Expiring Secure Boot Certificates
Microsoft has begun replacing expiring Secure Boot certificates on Windows 11 24H2 and 25H2 systems to maintain system integrity and prevent rootkit malware during startup. Secure Boot, a critical security feature, ensures only trusted bootloaders execute by validating digital signatures against stored certificates in UEFI firmware. Certificates are set to expire starting June 2026, potentially impacting secure boot capabilities if not updated, affecting both personal and business devices. The update process includes a phased deployment, where high-confidence devices automatically receive new certificates based on successful update signals. IT administrators are advised to install new certificates before expiration to maintain Secure Boot functionality and continue receiving security updates. Organizations can also deploy certificates manually using registry keys, Windows Configuration System, and Group Policy settings to ensure compliance. Microsoft's Secure Boot playbook recommends inventorying device fleets, verifying Secure Boot status, and applying necessary firmware updates prior to certificate installation.
2026-01-13 19:29:06 bleepingcomputer DATA BREACH Target Confirms Source Code Leak, Implements Security Enhancements
Target employees verified the authenticity of leaked source code and documentation shared by threat actors, confirming it matches internal systems and platforms used by the company. The breach involves a significant dataset, with threat actors claiming to possess approximately 860GB of Target's internal source code, raising concerns about potential exposure. In response, Target accelerated security measures, restricting access to its Enterprise Git server to internal networks or VPN, aiming to protect its proprietary development environment. The root cause of the data leak remains undetermined, but a compromised employee workstation infected with infostealer malware is a potential vector for the breach. Security researcher Alon Gal noted that the compromised workstation had access to critical internal services, which could have facilitated unauthorized data exfiltration. The situation underscores the importance of robust access controls and monitoring for internal systems to prevent similar incidents in the future. Target's silence on the investigation's progress or potential insider involvement leaves questions about the full scope and impact of the breach unanswered.
2026-01-13 19:01:11 bleepingcomputer VULNERABILITIES Microsoft Releases Critical Windows 10 Security Update Fixing Zero-Days
Microsoft has issued the KB5073724 extended security update for Windows 10, addressing three zero-day vulnerabilities and the expiring Secure Boot certificates. The update applies to Windows 10 Enterprise LTSC and to devices enrolled in the ESU program, bringing systems to build 19045.6809. Key fixes include an elevation-of-privilege vulnerability in the Agere modem drivers and a security flaw in the WinSqlite DLL. The update also addresses the expiration of the Secure Boot certificates, which could otherwise weaken boot protections if left unresolved. Microsoft has been alerting users since June 2025 about the certificate expiration, and this update installs the replacements before it occurs. No known issues have been reported with this update, so no installation problems are expected on affected systems. This update is part of Microsoft's January 2026 Patch Tuesday, which resolved 114 vulnerabilities.
2026-01-13 18:41:54 bleepingcomputer VULNERABILITIES Microsoft January 2026 Patch Tuesday Addresses 114 Security Flaws
Microsoft's January 2026 Patch Tuesday releases security updates for 114 vulnerabilities, including one actively exploited and two publicly disclosed zero-day flaws, enhancing system protection for users. The update addresses eight critical vulnerabilities, with six involving remote code execution and two related to elevation of privilege, emphasizing the importance of timely patch application. An actively exploited zero-day, CVE-2026-20805, involves an information disclosure flaw in Desktop Window Manager, allowing attackers to read memory addresses linked to remote ALPC ports. Microsoft has renewed Secure Boot certificates nearing expiration to maintain the trust chain, mitigating risks associated with the CVE-2026-21265 security feature bypass vulnerability. The update removes vulnerable Agere Soft Modem drivers, addressing the CVE-2023-31096 elevation of privilege issue, previously exploited to gain administrative access on affected systems. Organizations are advised to prioritize these updates to safeguard against potential exploitation, ensuring continued system integrity and security. The proactive measures taken by Microsoft underscore the ongoing need for vigilance and timely response to emerging cybersecurity threats.
2026-01-13 17:35:24 thehackernews CYBERCRIME Long-Running Web Skimming Campaign Targets Major Payment Networks
A significant web skimming campaign has been identified, active since January 2022, compromising major payment networks like American Express, Mastercard, and UnionPay. The campaign targets e-commerce sites, using malicious JavaScript to harvest credit card and personal information during online transactions. Silent Push researchers linked the campaign to a domain associated with a sanctioned hosting provider, now rebranded to evade sanctions. The skimmer uses obfuscated JavaScript payloads and incorporates detection evasion techniques, such as checking for WordPress admin elements. Victims are tricked into entering payment details into fake forms, with stolen data exfiltrated to a remote server. The attack impacts enterprise clients of affected payment providers, posing risks of financial loss and reputational damage. Organizations are urged to enhance security measures on e-commerce platforms to detect and mitigate such skimming threats.
2026-01-13 17:29:02 thehackernews MALWARE Malicious Chrome Extension Targets MEXC API Keys for Cryptocurrency Theft
A malicious Chrome extension, "MEXC API Automator," is stealing API keys from MEXC cryptocurrency exchange users, posing as a trading tool. The extension, available since September 1, 2025, has been downloaded 29 times and remains accessible on the Chrome Web Store. It programmatically creates new API keys with withdrawal permissions, concealing this capability in the user interface while exfiltrating keys to a Telegram bot. Once installed, the extension allows threat actors to control MEXC accounts, enabling unauthorized trades and withdrawals, potentially draining users' balances. The extension operates by injecting a script into authenticated MEXC sessions, bypassing the need for user passwords or additional authentication. The threat is significant due to the extension's ability to maintain access even after uninstallation, as long as the API keys remain valid. Researchers warn that this method could be adapted to other exchanges and platforms, with future variants possibly incorporating more obfuscation and broader permissions.
2026-01-13 17:05:27 theregister MISCELLANEOUS Forrester Predicts AI and Automation to Impact US Workforce by 2030
Forrester projects AI and automation could eliminate 10.4 million US jobs by 2030, equating to 6.1% of the current workforce. The anticipated job losses are considered structural and permanent, contrasting with cyclical losses experienced during economic recessions. AI is expected to augment rather than replace roles, with one in five positions potentially impacted, necessitating investment in staff training. Some SaaS providers, including Salesforce and Workday, are already integrating AI to replace parts of their workforce. Over-automation risks include potential reputational damage and weakened employee experiences, as noted by companies like Duolingo and Klarna. Forrester warns that many layoffs attributed to AI are financially driven, with AI often used as a scapegoat. The rise of agentic AI and generative AI projects has shifted the forecast, with 50% of automation-related job losses now linked to these technologies. Despite these changes, Forrester predicts that humans will continue to perform most work tasks over the next five years.
2026-01-13 16:47:19 bleepingcomputer DATA BREACH Betterment Confirms Data Breach Amid Crypto Scam Email Campaign
Betterment, a leading U.S. digital investment advisor, experienced a data breach that led to fraudulent crypto-related emails being sent to a subset of its customers. The breach involved unauthorized access to a third-party marketing platform rather than Betterment's core systems, and customer accounts and credentials were not affected. Hackers used the compromised platform to send emails from a legitimate Betterment subdomain, falsely promising to triple cryptocurrency deposits. The company promptly warned customers about the scam, confirming the fraudulent nature of the messages and advising caution with unexpected communications. Betterment is enhancing its defenses against social engineering attacks and plans to release a detailed incident analysis once the investigation concludes. The incident mirrors a similar attack on Grubhub, suggesting the same threat actor may be reusing its tactics. Betterment manages over $65 billion in assets for more than one million customers, underscoring the importance of robust cybersecurity measures in the financial sector.
2026-01-13 15:46:50 bleepingcomputer CYBERCRIME LinkedIn Users Targeted by Sophisticated Phishing Campaign
A new phishing tactic on LinkedIn involves fake "reply" comments that mimic official LinkedIn branding, misleading users into visiting external links under the guise of policy violations. The scam employs LinkedIn's own URL shortener, lnkd.in, to disguise phishing links, making them difficult to distinguish from legitimate URLs, especially on certain devices. Fraudulent comments claim users' accounts are "temporarily restricted" due to non-compliance, prompting them to verify their identity through malicious links. Phishing sites like very1929412.netlify[.]app are used to harvest credentials by further misleading users to verify their accounts. Fake company pages, such as "Linked Very," are being used to post these deceptive comments, exploiting LinkedIn's official logo and branding. LinkedIn has acknowledged the issue and is actively working to dismantle the campaign, urging users to report suspicious activity for prompt action. Users are advised to remain vigilant and avoid interacting with comments or messages that impersonate LinkedIn, especially those urging clicks on external links.
2026-01-13 14:42:42 theregister CYBERCRIME Dutch Authorities Arrest Alleged Leader of AVCheck Malware Platform
Dutch police apprehended a 33-year-old suspect at Schiphol Airport, believed to be behind the AVCheck online platform used by cybercriminals. The arrest follows an international investigation involving authorities from the Netherlands, United States, and Finland, part of Operation Endgame. AVCheck was a service enabling cybercriminals to test malware against antivirus products, crucial for evading detection in cyberattacks. The suspect had deregistered in the Netherlands and moved to the UAE around the time AVCheck was dismantled in May 2025. Authorities seized data storage devices from the suspect, potentially containing critical evidence for ongoing investigations. AVCheck's takedown marks a significant blow to the cybercrime ecosystem, disrupting a major tool for refining and deploying malware. This operation demonstrates the effectiveness of international cooperation in combating sophisticated cybercriminal networks.