We’ve dissected these incidents, plus fresh intel on emerging tactics, patches to deploy now, and strategies to fortify your defenses. Dive in to stay one step ahead.
This week’s highlights include actively exploited zero-days in Microsoft Office and React Native tools, plus critical patches for Chrome, SolarWinds, and F5 products.
A critical vulnerability in OpenClaw (formerly Clawdbot) enables one-click remote code execution via unsafe URL handling and WebSocket hijacking, granting attackers full system access. Victims visiting malicious sites leak auth tokens, allowing command execution after bypassing safety checks. Upgrade to v2026.1.24-1 and rotate tokens immediately. Read more
Russia-linked APT28 is exploiting CVE-2026-21509 in Microsoft Office to deploy COVENANT malware against Ukrainian and EU targets via phishing docs. The attack uses WebDAV for payload delivery, COM hijacking, and Filen.io C2 to evade detection. Apply registry mitigations and block IOCs as warned by CERT-UA. Read more
Hackers are exploiting CVE-2025-11953 in React Native’s Metro server for RCE on Windows/Linux dev environments, delivering Rust malware via multi-stage loaders. Attacks bypass Defender and fetch payloads from attacker C2, detected since December 2025. Update to @react-native-community/cli 20.0.0+ and isolate dev servers. Read more
Google patched CVE-2026-1862 (V8 type confusion) and CVE-2026-1861 (libvpx heap overflow) in Chrome 144.0.7559.132, risking ACE via malicious sites. Update immediately, as these memory issues are prime for chaining exploits. Read more
CISA warns of exploited CVE-2025-40551, an unauthenticated deserialization RCE in SolarWinds Web Help Desk allowing arbitrary commands. Patch by February 6 deadline or isolate systems to prevent malware and lateral movement. Monitor logs for compromise. Read more
F5 patched DoS flaws like CVE-2026-22548 in BIG-IP WAF/ASM and CVE-2026-1642 in NGINX (CVSS up to 8.2), plus config exposures. Affected versions span BIG-IP, NGINX Plus, and container services; apply fixes via iHealth or Helm. Read more
Arsink RAT spreads via fake Google, YouTube, and WhatsApp apps on social media and file-sharing sites, hitting 45,000 devices across 143 countries to exfiltrate SMS, calls, contacts, location, and audio.
Read more: https://cybersecuritynews.com/arsink-rat-attacking-android-devices/
A deceptive document reader app on Google Play gained 50k+ downloads while concealing the Anatsa banking trojan, which overlays fake login screens to steal banking credentials.
Read more: https://cybersecuritynews.com/malicious-app-on-the-google-play-with-50k-downloads/
Chollima APT (Ricochet) targets North Korean activists with spear-phishing ZIPs containing LNK files from Dropbox, executing fileless PowerShell malware for Dropbox C2 persistence.
Read more: https://cybersecuritynews.com/chollima-apt-hackers-weaponize-lnk-file/
GlassWorm malware tainted Open VSX extensions (FTP sync, i18n tools) with 22k+ downloads, targeting developers to steal macOS browser data, crypto wallets, and SSH keys via Solana C2.
Read more: https://cybersecuritynews.com/glassworm-infiltrated-vsx-extensions/
Shadow DNS attackers reprogram home routers to Aeza resolvers, using EDNS0 evasion to redirect scam traffic selectively while evading detection.
Read more: https://cybersecuritynews.com/shadow-dns-hacking-routers-internet-traffic/
Threat actors exploit Microsoft Azure, Google Firebase, and AWS to host AiTM phishing kits like Tycoon2FA, leveraging trusted domains to capture enterprise credentials undetected.
Read more: https://cybersecuritynews.com/threat-actors-abuse-microsoft-google-platforms/
ValleyRAT poses as a LINE installer for Chinese users, disabling Defender, injecting into Explorer.exe, and stealing logins through the PoolParty exfiltration method.
Read more: https://cybersecuritynews.com/valleyrat-mimic-as-line-installer-attacking-users/
Interlock ransomware deploys “Hotta Killer” exploiting a gaming anti-cheat driver zero-day (CVE-2025-61155) to disable EDR/AV before encrypting education sector targets.
Attackers compromised Notepad++’s former shared hosting infrastructure from June to December 2025, selectively redirecting users to malicious update servers. The likely Chinese state-sponsored group exploited weak validation in older versions, prompting the release of v8.8.9 with hardened checks and future XMLDSig enforcement.
Read more: https://cybersecuritynews.com/notepad-hijacked/
Hackers are exfiltrating Active Directory’s NTDS.dit file using tools like PsExec, vssadmin, and SecretsDump to dump domain credentials undetected. This grants full control over enterprise identity systems, with experts urging KRBTGT resets and Credential Guard deployment.
Read more: https://cybersecuritynews.com/hackers-exfiltrating-ntds-dit-file/
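The item above names the tooling but not what the activity looks like in telemetry. The following added example (not from the newsletter or any vendor product) runs a few detection rules over constructed Security event 4688 process-creation records: shadow-copy creation with vssadmin, a command line that references ntds.dit through a shadow-copy device path, and execution of the PsExec service binary. The record format, field order, host and user names are all constructed for this example; the rule patterns are the ones a SOC would put in a SIEM search.

```python
"""Flag Windows process-creation events consistent with NTDS.dit dumping.

Added example for illustration. The pipe-separated record layout
(id | host | user | image | command line) and the sample lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass
class ProcessEvent:
    event_id: int
    host: str
    user: str
    image: str
    command_line: str


# Patterns evaluated against the image path plus command line of a 4688 event.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("shadow copy created with vssadmin",
     re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I)),
    ("ntds.dit referenced via a shadow copy path",
     re.compile(r"HarddiskVolumeShadowCopy\d+.*ntds\.dit", re.I)),
    ("PsExec service binary executed",
     re.compile(r"\\PSEXESVC\.exe", re.I)),
]


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'id | host | user | image | command line' record."""
    fields = [f.strip() for f in line.split(" | ", 4)]
    if len(fields) != 5:
        raise ValueError(f"malformed event record: {line!r}")
    return ProcessEvent(int(fields[0]), fields[1], fields[2], fields[3], fields[4])


def evaluate(event: ProcessEvent) -> List[str]:
    """Return the names of every rule the event triggers (only 4688 is in scope)."""
    if event.event_id != 4688:
        return []
    text = f"{event.image} {event.command_line}"
    return [name for name, pattern in RULES if pattern.search(text)]


def find_suspicious(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (host, user, rule) for each rule hit across a batch of records."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        for rule in evaluate(event):
            hits.append((event.host, event.user, rule))
    return hits


# Constructed sample telemetry: three suspicious records on a domain controller,
# one benign user process, and one 4689 (process exit) that must be ignored.
SAMPLE_EVENTS = [
    r"4688 | DC01 | CORP\svc_backup | C:\Windows\System32\vssadmin.exe | vssadmin create shadow /for=C:",
    r"4688 | DC01 | CORP\svc_backup | C:\Windows\System32\cmd.exe | cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit C:\Temp\n.dit",
    r"4688 | DC01 | NT AUTHORITY\SYSTEM | C:\Windows\PSEXESVC.exe | C:\Windows\PSEXESVC.exe",
    r"4688 | WS07 | CORP\alice | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | WINWORD.EXE /n report.docx",
    r"4689 | DC01 | CORP\svc_backup | C:\Windows\System32\vssadmin.exe | vssadmin create shadow /for=C:",
]

if __name__ == "__main__":
    for host, user, rule in find_suspicious(SAMPLE_EVENTS):
        print(f"{host} {user}: {rule}")
```

The shadow-copy rule alone is noisy on hosts that run legitimate backup agents, which is why the record carries the user field: a hit from an account other than the backup service, or on a domain controller that has no backup job scheduled, is the one worth paging on.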
Automated campaigns wipe unprotected MongoDB instances on port 27017, demanding $500-600 in Bitcoin, with 45% of exposed servers already hit. Over 200,000 servers are vulnerable due to misconfigurations in Docker images; enforce SCRAM auth and firewall rules immediately.
Read more: https://cybersecuritynews.com/mongodb-instances-hacked/
Threat actors used LLMs to escalate stolen AWS credentials to admin access in under 10 minutes, injecting Lambda backdoors, LLMjacking Bedrock models, and spinning up costly GPU instances. Monitor for IP rotators and restrict UpdateFunctionCode permissions.
Read more: https://cybersecuritynews.com/aws-admin-access-in-minutes/
CISA warns of CVE-2025-22225 exploitation in ransomware attacks on VMware ESXi, allowing sandbox escapes via VMX flaws. Over 41,500 instances remain vulnerable; apply patches and monitor for unsigned drivers.
Read more: https://cybersecuritynews.com/vmware-esxi-0-day-ransomware-attack/
Attackers inject proxy_pass directives into NGINX configs, especially Baota panels, to redirect traffic to scam sites without malware. Targets include Asian TLDs and .gov domains; scan for IOCs like xzz.pier46[.]com.
Read more: https://cybersecuritynews.com/threat-actors-hacking-nginx-servers/
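Because the campaign above plants nothing on disk except a changed directive, the check is a configuration audit rather than a malware scan. The following added example (not from the newsletter or from NGINX) walks configuration files, pulls out every proxy_pass target, and flags any host that is not on an operator-maintained allowlist or that matches the one IoC quoted in the item. The allowlist, the sample server block and the unknown-host.example placeholder are constructed for this example; the only real indicator is the defanged domain taken from the text.

```python
"""Flag proxy_pass directives in NGINX configs that point outside an allowlist.

Added example for illustration. ALLOWED_UPSTREAMS and SAMPLE_CONF are constructed;
the single IoC is the one quoted in the newsletter item.
"""
import re
from pathlib import Path
from typing import List, Optional, Tuple

# Assumption: the upstream hosts this deployment legitimately proxies to.
ALLOWED_UPSTREAMS = {"127.0.0.1", "localhost", "app-backend"}

# IoC from the item above, stored defanged and refanged only for matching.
KNOWN_BAD_HOSTS = {h.replace("[.]", ".") for h in ("xzz.pier46[.]com",)}

PROXY_PASS_RE = re.compile(r"^\s*proxy_pass\s+([^;]+);")
HOST_RE = re.compile(r"^(?:[a-z]+://)?(?:[^@/\s]+@)?([^/:\s]+)", re.I)

Finding = Tuple[str, int, str, str]  # (path, line number, target, reason)


def extract_host(target: str) -> str:
    """Return the host part of a proxy_pass target; unix sockets are treated as local."""
    if "unix:" in target:
        return "unix-socket"
    m = HOST_RE.match(target.strip())
    return m.group(1).lower() if m else ""


def classify(target: str) -> Optional[str]:
    """Return a reason string if the target deserves review, else None."""
    host = extract_host(target)
    if host in KNOWN_BAD_HOSTS:
        return "matches known IoC"
    if host == "unix-socket" or host in ALLOWED_UPSTREAMS:
        return None
    if host.startswith("$"):
        return "upstream chosen by variable; review"
    return "upstream not in allowlist"


def scan_config_text(text: str, path: str = "<inline>") -> List[Finding]:
    """Scan one config body line by line, ignoring commented-out directives."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]
        m = PROXY_PASS_RE.match(line)
        if not m:
            continue
        target = m.group(1).strip()
        reason = classify(target)
        if reason:
            findings.append((path, lineno, target, reason))
    return findings


def scan_directory(root: str) -> List[Finding]:
    """Scan every *.conf under root (e.g. the nginx or panel vhost directory)."""
    findings: List[Finding] = []
    for conf in sorted(Path(root).rglob("*.conf")):
        findings.extend(scan_config_text(conf.read_text(errors="replace"), str(conf)))
    return findings


# Constructed sample: two legitimate upstreams, one commented-out line,
# one injected redirect to the IoC, and one unexplained external host.
SAMPLE_CONF = """\
server {
    listen 80;
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
    # proxy_pass http://old-backend;
    location /api/ {
        proxy_pass http://app-backend:9000/;
    }
    location /go/ {
        proxy_pass http://xzz.pier46.com/;
    }
    location /static/ {
        proxy_pass https://unknown-host.example/;
    }
}
"""

if __name__ == "__main__":
    for path, lineno, target, reason in scan_config_text(SAMPLE_CONF, "sample.conf"):
        print(f"{path}:{lineno}: proxy_pass {target} -> {reason}")
```

Run scan_directory against the live configuration directory from a cron job and diff the output against the previous run; a new finding is a config change that nobody made through the panel, which is exactly the signal this campaign leaves.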
Phishers use SEO-poisoned portals mimicking Canadian provincial sites to steal PII and card details via fake fine payments. Over 70 domains on 45.156.87.0/24 harvest data; verify via official URLs only.
Read more: https://cybersecuritynews.com/beware-of-fake-traffic-ticket-portals/
A UI glitch in Windows 11 (KB5064081, OS Build 26100.5074) hides the password icon on lock screens, mainly in enterprise setups managed with Group Policy or MDM. Users can still log in by hovering over the invisible spot, and Microsoft fixed it in the January 29, 2026, preview (KB5074105). No security risk exists, though it increases IT support tickets. Read more
Microsoft resolved an outage (TM1226769) that delayed or blocked inline image loads in Teams chats across desktop, web, and mobile. It disrupted workflows such as sharing threat intel screenshots in SOCs, with no breach confirmed. Engineers fixed backend issues, restoring service for 320 million users. Read more
Windows 11 preview KB5074105 adds UAC prompts for Settings > System > Storage access in versions 24H2/25H2, blocking unauthorized drive analysis. This prevents shoulder surfing or local tampering without admin credentials. It includes AI model updates and requires the Servicing Stack Update KB5074104. Read more
Microsoft plans to disable NTLM by default in future Windows releases via a three-phase shift to Kerberos, combating relay and pass-the-hash attacks. Phase 1 (now) audits usage; Phase 2 (H2 2026) reduces it; Phase 3 disables it by default, with legacy support for dependencies. Read more
Windows 11 Insider Build 26300.7733 natively adds Sysmon for process, network, and file event logging to the Event Log, easing SOC deployments. Enable it via Settings or DISM/PowerShell; uninstall standalone Sysmon first to avoid conflicts. It is off by default and supports custom XML filtering. Read more
The post Cybersecurity Weekly Newsletter – Notepad++ hack, Office 0-Day, ESXi 0-day Ransomware Attacks and More appeared first on Cyber Security News.