Daily Brief

The article summaries below are machine-generated.

Total articles found: 12611

Checks for new stories every ~15 minutes

2026-01-05 21:24:05 bleepingcomputer MALWARE ClickFix Campaign Targets European Hospitality Sector with BSOD Scam
A new ClickFix campaign is deceiving European hospitality firms by using fake Windows Blue Screen of Death (BSOD) screens to deploy malware. Attackers impersonate Booking.com in phishing emails, luring victims to a fake website that mimics the legitimate platform's branding. The attack prompts users to execute malicious PowerShell commands by exploiting social engineering tactics and urgency created by fake reservation cancellations. Once executed, the malware disables Windows Defender, gains admin rights, and establishes persistence, allowing attackers to control infected systems remotely. The deployed malware, DCRAT, is a remote access Trojan enabling keylogging, remote desktop access, and further payload execution. Securonix researchers observed the attackers using the malware to deploy a cryptocurrency miner, indicating financial motives. The campaign highlights the need for enhanced cybersecurity awareness and training within targeted sectors to prevent such social engineering attacks.
2026-01-05 20:28:22 theregister CYBERCRIME Resecurity's Honeypot Traps Scattered Lapsus$ Hunters, Subpoena Issued
Resecurity's threat intelligence team successfully ensnared the Scattered Lapsus$ Hunters cybercrime group using a strategically placed honeypot, leading to a subpoena for one of the perpetrators. The honeypot, deployed in November 2025, included synthetic data and fake employee accounts, which the cybercriminals accessed, believing they had breached Resecurity's systems. The cybercrime group initially claimed to have stolen sensitive data, including internal chats and client information, but later retracted these claims from their Telegram channel. Resecurity's operation exposed several operational security errors by the attackers, revealing the servers used for their automation processes. The security firm collaborated with a foreign law enforcement agency, resulting in a subpoena for a suspect linked to the cybercrime activities. The operation demonstrates the effectiveness of honeypots in gathering intelligence and disrupting cybercriminal operations. This incident underscores the ongoing threat posed by cybercrime groups and the importance of proactive threat intelligence measures.
2026-01-05 20:02:57 bleepingcomputer DATA BREACH Brightspeed Probes Alleged Data Breach by Crimson Collective
Brightspeed, a major U.S. broadband provider, is investigating claims by the Crimson Collective of a data breach impacting over 1 million customers. The breach reportedly involves sensitive data, including personally identifiable information, payment history, and user account details. Crimson Collective announced plans to release sample data, urging Brightspeed employees to respond promptly to their demands. Brightspeed has committed to keeping customers, employees, and authorities informed as the investigation progresses. Crimson Collective's past activities include breaches of Red Hat's GitLab and targeting AWS environments, indicating a pattern of sophisticated cyber extortion. The incident highlights ongoing threats to telecommunications and underscores the need for robust cybersecurity measures in the industry.
2026-01-05 18:10:13 theregister MISCELLANEOUS Palo Alto Networks Considers Strategic Acquisition of Israeli Startup Koi
Palo Alto Networks is reportedly eyeing a $400 million acquisition of Israeli cybersecurity startup Koi, amid a series of strategic purchases. CEO Nikesh Arora's recent visit to Tel Aviv fueled speculation, although the company has not officially confirmed any acquisition plans. Koi, founded by former IDF 8200 Intelligence Corps members, specializes in endpoint software security, offering tools to manage enterprise software at scale. The potential acquisition aligns with Palo Alto's recent M&A activity, including its significant $25 billion bid for CyberArk. Palo Alto's acquisition strategy aims to enhance its cybersecurity offerings, focusing on innovative technologies and talent integration. The company reassures that its acquisition of CyberArk will prioritize technology and talent, with minimal workforce reductions anticipated. Palo Alto's ongoing acquisitions, including Protect AI and Chronosphere, reflect its commitment to expanding capabilities in AI and observability.
2026-01-05 18:01:53 thehackernews NATION STATE ACTIVITY Russia-Aligned Hackers Exploit Viber to Target Ukrainian Entities
The threat actor UAC-0184, also known as Hive0156, is targeting Ukrainian military and government entities, using Viber to deliver malicious ZIP files. The campaign employs war-themed phishing emails to distribute Hijack Loader, which facilitates Remcos RAT infections on compromised systems. Attackers use Viber as the initial vector, deploying LNK files disguised as Word and Excel documents to execute malware covertly. The attack chain involves multi-stage processes, including DLL side-loading and module stomping, to evade detection by security tools. Hijack Loader scans for security software and establishes persistence via scheduled tasks, subverting static signature detection. Remcos RAT enables attackers to manage endpoints, execute payloads, and steal data through a GUI control panel. The ongoing activity reflects a sophisticated evolution in tactics, leveraging messaging apps for cyber espionage and data theft.
2026-01-05 16:44:16 thehackernews MALWARE Kimwolf Botnet Infects Millions of Android Devices via Proxy Networks
The Kimwolf botnet has compromised over 2 million Android devices, primarily targeting regions like Vietnam, Brazil, India, and Saudi Arabia, through exposed Android Debug Bridge (ADB) services. Synthient's analysis reveals Kimwolf's monetization through app installations, residential proxy sales, and DDoS capabilities, with connections to the AISURU botnet. The malware exploits residential proxy networks to relay malicious traffic, orchestrating large-scale DDoS attacks and leveraging IPIDEA's proxy services for distribution. Significant vulnerabilities were identified, with 67% of affected devices running unauthenticated ADB by default, often pre-infected with SDKs from proxy providers. Affected devices include unofficial Android-based smart TVs and set-top boxes, with the main payload listening on port 40860 for command execution. Recent security measures by IPIDEA include a patch to block access to local network devices, aiming to mitigate further exploitation. Organizations are urged to secure devices with unauthenticated ADB shells and restrict access to private IP ranges to prevent unauthorized use.
2026-01-05 16:44:16 bleepingcomputer VULNERABILITIES Forked VSCode IDEs Expose Users to Malicious Extension Risks
AI-powered IDEs forked from Microsoft VSCode are recommending non-existent extensions, creating a potential attack vector for threat actors to upload malicious content. Due to licensing restrictions, these IDEs rely on OpenVSX, an open-source marketplace, rather than Microsoft's official extension store. Researchers identified unclaimed namespaces in OpenVSX, which could be exploited by attackers to distribute malware under trusted extension names. Google has proactively removed 13 risky extension recommendations from its IDE, while other IDE providers, Cursor and Windsurf, have yet to respond. Security firm Koi has preemptively claimed vulnerable namespaces and coordinated with OpenVSX to implement registry-level safeguards. No evidence currently suggests exploitation of this vulnerability prior to the researchers' intervention, but users are advised to verify extension sources independently. This incident underscores the importance of rigorous supply chain security measures and the need for continuous monitoring of third-party dependencies.
2026-01-05 15:20:18 bleepingcomputer MISCELLANEOUS CISOs Face Challenges in Managing Agentic AI Identity Risks
Agentic AI introduces complex identity challenges, as AI agents act with human-like intent but operate at machine scale, complicating traditional identity management approaches. Security teams are tasked with ensuring AI deployment safety without hindering business operations, similar to past challenges with cloud and SaaS technologies. AI agents are decentralized, often overprivileged, and can operate across multiple systems, making them attractive targets for attackers seeking to exploit identity weaknesses. Traditional identity and access management tools fall short, as they are designed for human users or predictable workloads, not the dynamic nature of AI agents. Effective management requires a lifecycle approach, ensuring clear ownership, explicit purpose, and continuous visibility to prevent privilege drift and unauthorized access. Correlating identity signals across platforms and applications is essential for understanding and mitigating risks associated with AI agents. Organizations must shift from reactive to proactive identity management, integrating discipline at the creation stage of AI agents to prevent security and compliance issues. Successful AI integration hinges on robust identity governance, enabling secure, scalable, and innovative use of agentic AI in enterprise environments.
2026-01-05 15:20:18 bleepingcomputer DATA BREACH Global-e Data Breach Exposes Ledger Customer Information
Ledger customers were informed of a data breach at Global-e, a third-party payment processor, affecting their personal information. The breach did not impact Ledger's own network, hardware, or software systems. Exposed data includes names and contact details of customers who used Global-e for transactions on Ledger.com. Critical financial information and 24-word seed phrases for crypto wallets were not compromised in the breach. Ledger has advised customers to remain vigilant against potential phishing attacks targeting their passphrases. Global-e's cloud-based system, which handles order processing for numerous brands, was accessed by unauthorized parties. Affected customers will receive direct communication from Global-e, with recommendations to seek further details from the company.
2026-01-05 14:51:48 bleepingcomputer DATA BREACH NordVPN Refutes Breach Claims, Confirms Dummy Data Exposure
NordVPN addressed allegations of a breach, clarifying that attackers accessed only dummy data from a trial account on a third-party testing platform. A threat actor claimed to have stolen over 10 databases, including Salesforce API keys and Jira tokens, via a brute-force attack on a development server. NordVPN confirmed the data was from a temporary test environment and not connected to its main infrastructure, ensuring no customer or sensitive business information was compromised. The company has engaged with the vendor involved for further details, emphasizing that no real customer data or sensitive credentials were at risk. NordVPN's past security enhancements include a bug bounty program, third-party audits, and plans to transition to dedicated RAM servers. This incident serves as a reminder of the importance of robust testing environments and vendor management in safeguarding against data breaches.
2026-01-05 14:16:33 theregister MISCELLANEOUS Google to Discontinue Gmail's POP3 Mail Fetching Feature in 2026
Google announced that Gmail will stop supporting the POP3 mail fetching feature starting January 2026, affecting users who consolidate multiple email accounts through Gmail. The decision was communicated through a support note, with minimal direct notification to users, leading to potential disruptions for those relying on this feature. Gmailify, which offers enhanced features like spam protection for third-party accounts, will also be discontinued, impacting users accustomed to these integrations. Concerns about security, particularly POP3's use of plaintext passwords, are speculated to be a driving factor behind Google's decision to phase out these features. Users are advised to transition to local email clients such as MZLA Thunderbird, which supports a variety of email servers and offers a consistent interface across platforms. The change may prompt businesses and individuals to reconsider their email management strategies, potentially increasing reliance on alternative email solutions. Google's move reflects a broader trend towards enhancing security and reducing reliance on outdated protocols, although it may inconvenience users with legacy accounts.
2026-01-05 12:56:15 thehackernews VULNERABILITIES RondoDox Botnet Exploits Critical React2Shell Vulnerability in IoT Devices
A nine-month-long campaign has targeted IoT devices and web applications using the RondoDox botnet, exploiting the React2Shell vulnerability (CVE-2025-55182) with a CVSS score of 10.0. React2Shell affects React Server Components and Next.js, allowing unauthenticated attackers to execute remote code on vulnerable devices, posing significant security risks. As of early January 2026, approximately 84,916 instances remain vulnerable, with the majority located in the U.S., Germany, France, and India. The Shadowserver Foundation's statistics indicate a pressing need for organizations to patch affected systems promptly to prevent further exploitation. The continued exploitation of React2Shell underscores the importance of timely vulnerability management and proactive security measures to protect critical infrastructure. Organizations are urged to prioritize updates and monitor systems for unusual activity to mitigate the risk posed by this and similar vulnerabilities. This incident reflects a broader trend of attackers reusing effective vulnerabilities, emphasizing the need for vigilance in cybersecurity practices.
2026-01-05 11:57:19 theregister DATA BREACH ManageMyHealth Cyberattack Exposes Sensitive Data of 100,000 Patients
New Zealand's ManageMyHealth platform experienced a cyberattack affecting over 100,000 patients, prompting a government-ordered review to assess the incident's cause and impact. The breach involved unauthorized access to deeply personal health data, raising significant privacy concerns and prompting an urgent response from Health New Zealand. ManageMyHealth, serving 1.85 million users, confirmed the breach affected approximately 6-7% of its user base, with data potentially including passport scans and sensitive personal images. A cybercriminal known as Kazu claimed responsibility, demanding a $60,000 ransom, threatening to release over 428,000 files if not paid by mid-January. New Zealand's policy advises against ransom payments, aligning with Western allies, while ManageMyHealth seeks a legal injunction to prevent data dissemination. The company is collaborating with cybersecurity experts and law enforcement to enhance security measures and determine the full scope of the breach. Users are advised to change passwords and enable multi-factor authentication as a precaution against potential identity theft and scams. This incident underscores the critical need for robust data protection measures in handling sensitive health information.
2026-01-05 11:57:19 thehackernews MISCELLANEOUS Cybersecurity 2025: Evolving Strategies for Emerging Threat Landscapes
The report addresses the transformation of cybersecurity from isolated solutions to integrated architectures, emphasizing trust and rapid execution as key components in modern defense strategies. With the rise of cloud infrastructure and distributed endpoints, organizations face challenges in securing complex supply chains and fragmented data environments. Authentication is shifting towards cryptographic methods, with hardware-backed solutions like Yubico's passkeys offering robust defenses against credential theft. Network visibility remains crucial as encrypted traffic complicates detection, with telemetry providing essential insights into attacker behavior and incident reconstruction. AI integration is advancing security to the hardware level, enhancing real-time monitoring and response capabilities to counteract the swift pace of modern cyber threats. Human risk management is evolving beyond traditional training, focusing on continuous behavioral analysis and adaptive interventions to mitigate insider threats. The software supply chain demands binary-level verification to ensure trust, as open-source and AI-generated components become prevalent in modern applications.
2026-01-05 09:43:41 thehackernews CYBERCRIME Bitfinex Hack Convict Released Early Under U.S. First Step Act
Ilya Lichtenstein, convicted for laundering funds from the 2016 Bitfinex hack, announced his early release under the U.S. First Step Act. Lichtenstein and his wife, Heather Morgan, were arrested in 2022 and pleaded guilty in 2023 for their roles in the cryptocurrency heist. The 2016 breach involved unauthorized transactions of 119,754 bitcoin, valued at $71 million at the time, exploiting a vulnerability in Bitfinex's multi-signature withdrawal setup. Authorities recovered approximately 94,000 bitcoin, valued at $3.6 billion in 2022, marking one of the largest U.S. asset seizures. U.S. prosecutors filed for the return of the recovered assets to Bitfinex in January 2025, following the couple's conviction. Lichtenstein's release is part of a broader initiative to reform the criminal justice system, aiming to reduce federal prison populations. Lichtenstein expressed a commitment to positively impacting cybersecurity, while Morgan shared her relief at their reunion after his release.