NCSA Webboard

    Cyber Threat Intelligence 08 January 2026

    Cyber Security News
      NCSA_THAICERT

      Vulnerabilities

      • Ni8mare - Unauthenticated Remote Code Execution In n8n (CVE-2026-21858)
        "We discovered a critical vulnerability (CVE-2026-21858, CVSS 10.0) in n8n that enables attackers to take over locally deployed instances, impacting an estimated 100,000 servers globally. No official workarounds are available for this vulnerability. Users should upgrade to version 1.121.0 or later to remediate the vulnerability."
        https://www.cyera.com/research-labs/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858
        https://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg
        https://www.bleepingcomputer.com/news/security/max-severity-ni8mare-flaw-lets-hackers-hijack-n8n-servers/
        https://thehackernews.com/2026/01/critical-n8n-vulnerability-cvss-100.html
        https://cyberscoop.com/n8n-critical-vulnerability-massive-risk/
        https://securityaffairs.com/186648/security/ni8mare-flaw-gives-unauthenticated-control-of-n8n-instances.html
      • n8n Warns Of CVSS 10.0 RCE Vulnerability Affecting Self-Hosted And Cloud Versions
        "Open-source workflow automation platform n8n has warned of a maximum-severity security flaw that, if successfully exploited, could result in authenticated remote code execution (RCE). The vulnerability, which has been assigned the CVE identifier CVE-2026-21877, is rated 10.0 on the CVSS scoring system. "Under certain conditions, an authenticated user may be able to cause untrusted code to be executed by the n8n service," n8n said in an advisory released Tuesday. "This could result in full compromise of the affected instance.""
        https://thehackernews.com/2026/01/n8n-warns-of-cvss-100-rce-vulnerability.html
        https://github.com/n8n-io/n8n/security/advisories/GHSA-v364-rw7m-3263
      • CVE-2025-68428: Critical Path Traversal In JsPDF
        "A critical local file inclusion and path traversal vulnerability has been disclosed in jsPDF, a widely-adopted npm package for generating PDF documents in JavaScript applications. The flaw, tracked as CVE-2025-68428 and GHSA-f8cm-6447-x5h2, allows attackers to read arbitrary files from the local filesystem and exfiltrate their contents by embedding them within generated PDFs. Successful exploitation results in unauthorized disclosure of sensitive data including configuration files, environment variables, credentials, and other files accessible to the Node.js process. File contents are included verbatim in generated PDFs, enabling data exfiltration through normal application output. As a result, this is considered a critical vulnerability with a CVSS v4.0 score of 9.2."
        https://www.endorlabs.com/learn/cve-2025-68428-critical-path-traversal-in-jspdf
        https://github.com/parallax/jsPDF/security/advisories/GHSA-f8cm-6447-x5h2
        https://www.bleepingcomputer.com/news/security/critical-jspdf-flaw-lets-hackers-steal-secrets-via-generated-pdfs/
      • New Veeam Vulnerabilities Expose Backup Servers To RCE Attacks
        "Veeam released security updates to patch multiple security flaws in its Backup & Replication software, including a critical remote code execution (RCE) vulnerability. Tracked as CVE-2025-59470, this RCE security flaw affects Veeam Backup & Replication 13.0.1.180 and all earlier version 13 builds. "This vulnerability allows a Backup or Tape Operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter," Veeam explained in a Tuesday advisory."
        https://www.bleepingcomputer.com/news/security/new-veeam-vulnerabilities-expose-backup-servers-to-rce-attacks/
        https://www.veeam.com/kb4792
        https://thehackernews.com/2026/01/veeam-patches-critical-rce.html
        https://cyberscoop.com/veeam-backup-replication-security-flaw-remote-code-execution-fix/
        https://securityaffairs.com/186630/security/veeam-resolves-cvss-9-0-rce-flaw-and-other-security-issues.html
        https://www.securityweek.com/several-code-execution-flaws-patched-in-veeam-backup-replication/
      • IBM's AI Agent Bob Easily Duped To Run Malware, Researchers Show
        "IBM describes its coding agent thus: "Bob is your AI software development partner that understands your intent, repo, and security standards." Unfortunately, Bob doesn't always follow those security standards. Announced last October and presently in closed beta testing, IBM offers Bob in the form of a command line interface – a CLI, like Claude Code – and an integrated development environment – an IDE like Cursor."
        https://www.theregister.com/2026/01/07/ibm_bob_vulnerability/

      Malware

      • Inside GoBruteforcer: AI-Generated Server Defaults, Weak Passwords, And Crypto-Focused Campaigns
        "GoBruteforcer is a botnet that turns compromised Linux servers into scanning and password brute-force nodes. It targets internet-exposed services such as phpMyAdmin web panels, MySQL and PostgreSQL databases, and FTP servers. Infected hosts are incorporated into the botnet and accept remote operator commands. Newly discovered weak credentials are used to steal data, create backdoor accounts, sell access, and expand the botnet. The malicious toolkit is usually split into two parts. The first is an IRC bot that enables remote control of the compromised host, including command execution and updates. The second is a bruteforcer that is fetched later and used to scan random public IP ranges and attempt logins using credentials that are hardcoded or provided by the command and control (C2) server."
        https://research.checkpoint.com/2026/inside-gobruteforcer-ai-generated-server-defaults-weak-passwords-and-crypto-focused-campaigns/
        https://www.bleepingcomputer.com/news/security/new-gobruteforcer-attack-wave-targets-crypto-blockchain-projects/
      • International Threats: Themes For Regional Phishing Campaigns
        "Cofense Intelligence relies on over 35 million trained employees from around the world, therefore a considerable number of analyzed campaigns are written in languages other than English. This report covers from May 2023 to May 2025 and focuses on the overall themes of campaigns in the top five most commonly seen languages besides English that bypassed perimeter filtering such as Secure Email Gateways (SEGs). Themes are valuable because they inform individuals what to be most suspicious of, can be used to help guide Security Awareness Training (SAT) by customizing content and phishing simulations, and enable a more rapid and informed response from Security Operations Centers (SOCs)."
        https://cofense.com/blog/international-threats-themes-for-regional-phishing-campaigns
      • Phishing Actors Exploit Complex Routing And Misconfigurations To Spoof Domains
        "Phishing actors are exploiting complex routing scenarios and misconfigured spoof protections to effectively spoof organizations’ domains and deliver phishing emails that appear, superficially, to have been sent internally. Threat actors have leveraged this vector to deliver a wide variety of phishing messages related to various phishing-as-a-service (PhaaS) platforms such as Tycoon2FA. These include messages with lures themed around voicemails, shared documents, communications from human resources (HR) departments, password resets or expirations, and others, leading to credential phishing."
        https://www.microsoft.com/en-us/security/blog/2026/01/06/phishing-actors-exploit-complex-routing-and-misconfigurations-to-spoof-domains/
        https://thehackernews.com/2026/01/microsoft-warns-misconfigured-email.html
        https://www.darkreading.com/cloud-security/phishers-exploit-office-365-users-guard-down
        https://www.securityweek.com/complex-routing-misconfigurations-exploited-for-domain-spoofing-in-phishing-attacks/
        https://securityaffairs.com/186638/hacking/misconfigured-email-routing-enables-internal-spoofed-phishing.html
      • DDoSia Powers Affiliate-Driven Hacktivist Attacks
        "A pro-Russian hacktivist group known as NoName057(16) is using a volunteer-distributed distributed denial-of-service (DDoS) tool to disrupt government, media, and institutional websites tied to Ukraine and Western political interests. The group has been active since at least 2022 and relies on a custom denial-of-service platform, dubbed DDoSia, that allows individuals with minimal technical skill to participate in coordinated attacks against target entities. Many of NoName057(16)'s campaigns have often coincided with major geopolitical events — such as Western sanctions, diplomatic actions, or military aid announcements — that it quickly frames as provocations worthy of retaliatory cyberattacks, and are similar to other ideologically driven cyber operations."
        https://www.darkreading.com/cyberattacks-data-breaches/ddosia-powers-volunteer-driven-hacktivist-attacks
      • Cyberattacks Likely Part Of Military Operation In Venezuela
        "The recent US military operation in Venezuela resulting in the capture of President Nicolás Maduro had "layering effects" provided by US Cyber Command and other agencies, but the degree to which cyber operations played a role in the raid remains a question mark, experts say. During a Jan. 3 press conference following the successful operation, President Donald Trump hinted that "a certain expertise" had allowed US forces to shut down power to the area of operations. "It was dark — the lights of Caracas were largely turned off due to a certain expertise that we have," he told reporters during the press conference."
        https://www.darkreading.com/cybersecurity-operations/cyberattacks-part-military-operation-venezuela
      • Ghost Tapped: Tracking The Rise Of Chinese Tap-To-Pay Android Malware
        "Group-IB researchers have observed the growing proliferation of NFC-enabled Android tap-to-pay malware developed and sold within Chinese cybercrime communities on Telegram. Also referred to as “Ghost Tap”, these applications are used to relay NFC communications between a victim’s device or a mobile wallet loaded with compromised payment cards, and the criminal’s device. This technique allows criminals to complete payments or cash-out remotely as though the victims’ cards were physically present."
        https://www.group-ib.com/blog/ghost-tapped-chinese-malware/
        https://www.infosecurity-magazine.com/news/ghost-tap-malware-remote-nfc-fraud/
      • Malicious NPM Packages Deliver NodeCordRAT
        "Zscaler ThreatLabz regularly monitors the npm database for suspicious packages. In November 2025, ThreatLabz identified three malicious packages: bitcoin-main-lib, bitcoin-lib-js, and bip40. The bitcoin-main-lib and bitcoin-lib-js packages execute a postinstall.cjs script during installation, which installs bip40, the package that contains the malicious payload. This final payload, named NodeCordRAT by ThreatLabz, is a remote access trojan (RAT) with data-stealing capabilities. It is also possible to download bip40 as a standalone package, completely bypassing the other libraries. To deceive developers into downloading the fraudulent packages, the attacker used name variations of real repositories found within the legitimate bitcoinjs project."
        https://www.zscaler.com/blogs/security-research/malicious-npm-packages-deliver-nodecordrat
      • Black Cat Behind SEO Poisoning Malware Campaign Targeting Popular Software Searches
        "A cybercrime gang known as Black Cat has been attributed to a search engine optimization (SEO) poisoning campaign that employs fraudulent sites advertising popular software to trick users into downloading a backdoor capable of stealing sensitive data. According to a report published by the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) and Beijing Weibu Online (aka ThreatBook), the activity is designed to strategically push bogus sites to the top of search results on search engines like Microsoft Bing, specifically targeting users looking for programs like Google Chrome, Notepad++, QQ International, and iTools."
        https://thehackernews.com/2026/01/black-cat-behind-seo-poisoning-malware.html
      • Unpacking The Packer ‘pkr_mtsi’
        "This blog post presents an in-depth technical analysis of pkr_mtsi, a malicious Windows packer first observed in the wild on April 24, 2025, and continuously deployed through the time of writing. The packer is actively leveraged in large-scale malvertising and SEO-poisoning campaigns to distribute trojanized installers for legitimate software, enabling initial access and flexible delivery of follow-on payloads. In observed campaigns, pkr_mtsi has been used to deliver a diverse set of malware families, including Oyster, Vidar, Vanguard Stealer, Supper, and more, underscoring its role as a general-purpose loader rather than a single-payload wrapper."
        https://www.reversinglabs.com/blog/unpacking-pkr_mtsi
        https://www.infosecurity-magazine.com/news/malware-loader-pkrmtsi-payloads/

      Breaches/Hacks/Leaks

      • OwnCloud Urges Users To Enable MFA After Credential Theft Reports
        "File-sharing platform ownCloud warned users today to enable multi-factor authentication (MFA) to block attackers using compromised credentials from stealing their data. ownCloud has over 200 million users worldwide, including hundreds of enterprise and public-sector organizations such as the European Organization for Nuclear Research, the European Commission, German tech company ZF Group, insurance firm Swiss Life, and the European Investment Bank."
        https://www.bleepingcomputer.com/news/security/owncloud-urges-users-to-enable-mfa-after-credential-theft-reports/
      • Major Data Breach Hits Company Operating 150 Gas Stations In The US
        "Gulshan Management Services, Inc., a Texas-based company that operates over 150 gas stations and convenience stores under the Handi Plus and Handi Stop brands all over the United States, has confirmed a large-scale data breach that exposed personal information tied to more than 377,000 people. The incident came to light through a filing with the Maine Attorney General, a required step when residents of that state are affected. According to the disclosure, attackers gained unauthorized access to an external system between September 17 and September 27, 2025. The breach was discovered on September 27, suggesting it went undetected for several days before being identified."
        https://hackread.com/data-breach-us-gas-stations-company/
      • Spanish Airline Iberia Attributes Recent Data Breach Claims To November Incident
        "Leaked data exposed by a cybersecurity firm this week was allegedly stolen during a data breach identified in November, according to Spanish airline Iberia. On Monday, researchers at Hudson Rock published a report about a threat actor named Zestix that has been auctioning data allegedly stolen from the corporate file-sharing portals of about 50 large companies and law firms."
        https://therecord.media/spanish-airline-attributes-recent-breach-allegation-to-nov-incident
      • Illinois State Agency Exposed Personal Data Of 700,000 People
        "The Illinois Department of Human Services (IDHS) exposed personal information belonging to more than 700,000 state residents after inadvertently posting the data on the open internet where it remained for as long as four years before being taken down in September. The agency learned in late September that personal data showing names, addresses and other information for more than 32,400 disabled customers were left on the open web after agency officials created planning maps on a mapping website to help direct resource allocations."
        https://therecord.media/illinois-agency-exposed-data
      • ESA Calls Cops As Crims Lift Off 500 GB Of Files, Say Security Black Hole Still Open
        "The European Space Agency on Wednesday confirmed yet another massive security breach, and told The Register that the data thieves responsible will be subject to a criminal investigation. And this could be a biggie. Earlier in the week, Scattered Lapsus$ Hunters told us that they gained initial access to ESA's servers back in September by exploiting a public CVE, and stole 500 GB of very sensitive data. This, we're told, includes operational procedures, spacecraft and mission details, subsystems documentation, and proprietary contractor data from ESA partners including SpaceX, Airbus Group, and Thales Alenia Space, among others."
        https://www.theregister.com/2026/01/07/european_space_agency_breach_criminal_probe/

      General News

      • Why Legitimate Bot Traffic Is a Growing Security Blind Spot
        "Security teams have spent years improving their ability to detect and block malicious bots. That effort remains critical. Automated traffic now makes up more than half of all web traffic, and bot-driven attacks continue to grow in volume and sophistication. What has changed is the role of legitimate bots and how little visibility most security teams have into their behavior. So-called good bots now account for a significant share of automated traffic. Search engine crawlers index content. AI systems scrape pages to train models and generate responses. Agentic AI is beginning to interact with applications on behalf of users. These bots often operate within accepted norms, but at a scale that introduces real security, performance, and cost implications."
        https://hackread.com/legitimate-bot-traffic-security-blind-spot/
      • When AI Agents Interact, Risk Can Emerge Without Warning
        "System level risks can arise when AI agents interact over time, according to new research that examines how collective behavior forms inside multi agent systems. The study finds that feedback loops, shared signals, and coordination patterns can produce outcomes that affect entire technical or social systems, even when individual agents operate within defined parameters. These effects surface through interaction itself, which places risk in the structure of the system and how agents influence one another."
        https://www.helpnetsecurity.com/2026/01/07/research-interacting-ai-risks/
        https://arxiv.org/pdf/2512.17793
      • What European Security Teams Are Struggling To Operationalize
        "European security and compliance teams spend a lot of time talking about regulation. A new forecast report from Kiteworks suggests the harder problem sits elsewhere. According to the report, many European organizations have strong regulatory frameworks on paper, driven by GDPR and upcoming AI rules, and weaker operational systems that show how those rules work in daily practice. The gap, the report argues, shows up in areas like AI incident response, supply chain visibility, and compliance automation as organizations move toward 2026."
        https://www.helpnetsecurity.com/2026/01/07/security-teams-european-compliance-operations-gap/
      • Cloud And Threat Report: 2026
        "The 2026 edition of the Netskope Cloud and Threat Report is designed to analyze the most significant cybersecurity trends of the previous year, offering a critical preview of the challenges and risks that will define the enterprise landscape in 2026. In 2025, the rapid, often ungoverned, adoption of generative AI fundamentally reshaped the cybersecurity landscape. As organizations navigated the complexities of cloud data security, persistent phishing campaigns, and malware delivered through trusted channels, the introduction of widespread AI usage—particularly “shadow AI” and emerging “agentic AI”—layered new and complex data exposure risks onto the modern enterprise environment. This report provides a look back at the most significant trends of 2025 and serves as a critical preview of the evolving threat landscape for 2026, highlighting the additive nature of the risks that security teams must now confront. Not only do security teams still have to manage existing risks, but they now also have to manage the risks created by genAI."
        https://www.netskope.com/resources/cloud-and-threat-reports/cloud-and-threat-report-2026
        https://www.infosecurity-magazine.com/news/personal-llm-accounts-drive-shadow/
        https://www.helpnetsecurity.com/2026/01/07/gen-ai-data-violations-2026/
      • The Loudest Voices In Security Often Have The Least To Lose
        "Years ago, during one of the many times I’ve been in London, I turned on the television one evening. When the television fired up, I found myself watching a political debate between the leaders of different political parties leading up to an election. In the UK parliamentary system, the chosen leader of the political party that wins the most votes is appointed Prime Minister by the monarch. Thus, although there is no direct election for the Prime Minister, I was effectively watching a debate between candidates for Prime Minister."
        https://www.securityweek.com/the-loudest-voices-in-security-often-have-the-least-to-lose/
      • Threat Spotlight: How Phishing Kits Evolved In 2025
        "In 2025, 90% of high-volume phishing campaigns leveraged Phishing-as-a-Service (PhaaS) kits. These kits have transformed the phishing landscape, enabling even less-skilled cybercriminals to access advanced tools and automation and launch large-scale, targeted phishing campaigns, often impersonating legitimate services and institutions. This article provides an overview of phishing kit activity and evolution during 2025. It is a companion piece to the 2026 phishing predictions published in December 2025."
        https://blog.barracuda.com/2026/01/07/threat-spotlight-phishing-kits-evolved-2025
      • Stalkerware Operator Pleads Guilty In Rare Prosecution
        "The owner of a Michigan-based stalkerware company pleaded guilty on Monday to federal charges for selling a surveillance product designed to spy on people without their consent. Bryan Fleming admitted to founding and running pcTattletale, a company that marketed its spyware as a way for customers to catch romantic partners cheating. Fleming’s guilty plea is the first successful prosecution of a stalkerware operator since 2014."
        https://therecord.media/stalkerware-guilty-plea-fleming
        https://www.theregister.com/2026/01/07/stalkerware_slinger_pleads_guilty/
      • Alleged Cyber Scam Kingpin Arrested, Extradited To China
        "Cambodian authorities on Tuesday arrested and extradited to China Chen Zhi, the head of the Prince Group conglomerate and the alleged mastermind behind a multi-billion dollar scam empire. Cambodia’s Ministry of Interior announced the arrests of Zhi and two others — Xu Ji Liang and Shao Ji Hui — whose relation to Prince Group is unclear."
        https://therecord.media/alleged-cyber-scam-kingpin-cambodia-arrested-extradited
      • Top 10 Ransomware Groups Of 2025
        "The Top 10 Ransomware Groups of 2025 illustrate how the ransomware ecosystem changed in structure rather than simply growing in volume. After the disruption of dominant groups in 2024, the ecosystem entered 2025 without a clear center of gravity. Instead of collapsing, ransomware operations adapted. Affiliates became more independent, group boundaries blurred, and former rivals increasingly operated without strict competitive lines. This shift reshaped how campaigns were organized, how infrastructure was shared, and how ransomware operations sustained momentum."
        https://socradar.io/blog/top-10-ransomware-groups-2025/

      Reference
      Electronic Transactions Development Agency (ETDA)
