Cyber Threat Intelligence 13 January 2026

NCSA_THAICERT

Vulnerabilities

Max Severity Ni8mare Flaw Impacts Nearly 60,000 n8n Instances
"Nearly 60,000 n8n instances exposed online remain unpatched against a maximum-severity vulnerability dubbed "Ni8mare." n8n is an open-source workflow automation platform that allows users to connect different applications and services via pre-built connectors and a visual, node-based interface to automate repetitive tasks without writing code. The automation platform is widely used in AI development to automate data ingestion and build AI agents and RAG pipelines. It has over 100 million pulls on Docker Hub and over 50,000 weekly downloads on npm."
https://www.bleepingcomputer.com/news/security/max-severity-ni8mare-flaw-impacts-nearly-60-000-n8n-instances/
CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2025-8110 Gogs Path Traversal Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/01/12/cisa-adds-one-known-exploited-vulnerability-catalog
https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-gogs-rce-flaw-exploited-in-zero-day-attacks/
https://securityaffairs.com/186837/hacking/u-s-cisa-adds-a-flaw-in-gogs-to-its-known-exploited-vulnerabilities-catalog.html

Malware

RMM Tools (Syncro, SuperOps, NinjaOne, Etc.) Being Distributed Disguised As Video Files
"AhnLab SEcurity intelligence Center (ASEC) recently discovered cases of attacks using RMM tools such as Syncro, SuperOps, NinjaOne, and ScreenConnect. Threat actors distributed a PDF file that prompted users to download and run the RMM tool from a disguised distribution page such as Google Drive. The certificate used to sign the malware shows that the threat actor has been performing similar attacks since at least October 2025."
https://asec.ahnlab.com/en/91995/
The Unfriending Truth: How To Spot a Facebook Phishing Scam Before It's Too Late
"As one of the world's largest social media platforms, with over 3 billion active users, Facebook is a frequent target for phishing scams. Hackers aim to hijack user accounts to exploit people in their network. The goal is to steal the victim's credentials so the attackers can take over the account, spread scams, steal personal data, or commit identity fraud. In the second half of 2025, Trellix observed a surge in Facebook phishing scams employing a variety of tactics and techniques, most notably the "Browser in the Browser" (BitB) technique. This advanced method tricks users by simulating a legitimate third-party login pop-up window (like a Facebook authentication screen) within the browser tab, effectively masking a credential-harvesting page."
https://www.trellix.com/en-au/blogs/research/the-unfriending-truth-how-to-spot-a-facebook-phishing-scam/
https://www.bleepingcomputer.com/news/security/facebook-login-thieves-now-using-browser-in-browser-trick/
'Bad Actor' Hijacks Apex Legends Characters In Live Matches
"Apex Legends players over the weekend experienced disruptions during live matches as threat actors hijacked their characters, disconnected them, and changed their nicknames. Respawn, the publisher of the still popular battle royale-hero shooter, issued a public statement about the security incident, assuring players that it hadn't been caused by an exploit or malware infection. The title continues to have a large user base, with an estimated half a million daily concurrent players across all platforms as of mid-2025."
https://www.bleepingcomputer.com/news/security/bad-actor-hijacks-apex-legends-characters-in-live-matches/
Hidden Telegram Proxy Links Can Reveal Your IP Address In One Click
"A single click on what may appear to be a Telegram username or harmless link is all it takes to expose your real IP address to attackers due to how proxy links are handled. Telegram tells BleepingComputer it will now add warnings to proxy links after researchers demonstrated that specially crafted links could be used to reveal a Telegram user's real IP address without any further confirmation."
https://www.bleepingcomputer.com/news/security/hidden-telegram-proxy-links-can-reveal-your-ip-address-in-one-click/
n8mare On Auth Street: Supply Chain Attack Targets n8n Ecosystem
"Attackers infiltrated n8n's community node ecosystem this week with a malicious npm package that masqueraded as a Google Ads integration. The package, n8n-nodes-hfgjf-irtuinvcm-lasdqewriit, tricked developers into entering OAuth credentials through what appeared to be a legitimate credential form, then silently exfiltrated them during workflow execution to an attacker-controlled server. This novel supply chain attack—targeting users beyond n8n's recently disclosed remote code execution (RCE) flaws—demonstrates how threat actors are exploiting trust in community-maintained integrations."
https://www.endorlabs.com/learn/n8mare-on-auth-street-supply-chain-attack-targets-n8n-ecosystem
https://thehackernews.com/2026/01/n8n-supply-chain-attack-abuses.html
Scaling The Fraud Economy: Pig Butchering As a Service
"The scam industry has undergone massive transformations over the last decade. The cliché image of the once-iconic Nigerian prince duping Westerners from a local cybercafé is now passé. Western Africa is still a hotbed for digital fraud operations, but it has been superseded in both scale and efficiency by hundreds of industrial-scale scam centres now scattered throughout Southeast Asia. Over the past decade major Chinese-speaking criminal groups have managed to infiltrate a growing number of countries in Southeast Asia, securing vast amounts of land to build cities and special economic zones dedicated to crime operations."
https://www.infoblox.com/blog/threat-intelligence/scaling-the-fraud-economy-pig-butchering-as-a-service/
https://thehackernews.com/2026/01/researchers-uncover-service-providers.html
Analyzing a Multi-Stage AsyncRAT Campaign Via Managed Detection And Response
"AsyncRAT has emerged as a notable Remote Access Trojan (RAT) used by threat actors for its robust capabilities and ease of deployment. It gained favor for its extensive feature set, which includes keylogging, screen capturing, and remote command execution capabilities. Its modular architecture, typically implemented in Python, provides flexibility and ease of customization, making it a preferred tool of choice for cybercriminals. During our investigation of AsyncRAT infections, we observed Python scripts playing a central role in the infection chain, automating various stages of the attack."
https://www.trendmicro.com/en_us/research/26/a/analyzing-a-a-multi-stage-asyncrat-campaign-via-mdr.html
Malicious Crystal PDF Converter Detected On SLTT Networks
"In late October 2025, the Center for Internet Security (CIS) Cyber Threat Intelligence (CTI) team observed an increase in CIS Managed Detection and Response (CIS MDR) alerts associated with a malicious fake PDF converter called Crystal PDF on U.S. State, Local, Tribal, and Territorial (SLTT) government entity endpoints. The CIS CTI team’s analysis confirmed that Crystal PDF is a managed .NET (F#) staged loader, but the second-stage payload was unavailable for analysis."
https://www.cisecurity.org/insights/blog/malicious-crystal-pdf-converter-detected-on-sltt-networks
THE KNOWNSEC LEAK: Yet Another Leak Of China’s Contractor-Driven Cyber-Espionage Ecosystem
"In November of 2025, an allegedly massive leak of data from Chinese company “KnownSec” was posted to a github account. The initial leak was covered by Wired Magazine, and a few other outlets. The leak has since been pulled off of Github and downloaded by very few, and of those few who gained access, only one uploaded 65 documents as a primer to the leak elsewhere for others to see. DTI was able to get the 65 document images and this report is derived from this slice of a much larger leak that is out there but not available."
https://dti.domaintools.com/the-knownsec-leak-yet-another-leak-of-chinas-contractor-driven-cyber-espionage-ecosystem/

Breaches/Hacks/Leaks

University Of Hawaii Cancer Center Hit By Ransomware Attack
"University of Hawaii says a ransomware gang breached its Cancer Center in August 2025, stealing data of study participants, including documents from the 1990s containing Social Security numbers. Founded in 1907, the University of Hawaii (UH) System now includes 3 universities and 7 community colleges, as well as 10 campuses and training and research centers across the Hawaiian Islands. Its Cancer Center is located in the Kakaʻako district of Honolulu and has over 300 faculty and staff, as well as an additional 200 affiliate members."
https://www.bleepingcomputer.com/news/security/university-of-hawaii-cancer-center-hit-by-ransomware-attack/
https://www.securityweek.com/hackers-accessed-university-of-hawaii-cancer-center-patient-data-they-werent-immediately-notified/
Target's Dev Server Offline After Hackers Claim To Steal Source Code
"Hackers are claiming to be selling internal source code belonging to Target Corporation, after publishing what appears to be a sample of stolen code repositories on a public software development platform. Last week, an unknown threat actor created multiple repositories on Gitea that appeared to contain portions of Target's internal code and developer documentation. The repositories were presented as a preview of a much larger dataset allegedly being offered for sale to buyers on an underground forum or private channel."
https://www.bleepingcomputer.com/news/security/targets-dev-server-offline-after-hackers-claim-to-steal-source-code/
Spanish Energy Giant Endesa Discloses Data Breach Affecting Customers
"Spanish energy provider Endesa and its Energía XXI operator are notifying customers that hackers accessed the company's systems and accessed contract-related information, which includes personal details. Endesa is the largest electric utility company in Spain, now owned by Enel Group, that distributes gas and electricity to more than 10 million customers in Spain and Portugal. In total, the company says it has about 22 million clients."
https://www.bleepingcomputer.com/news/security/spanish-energy-giant-endesa-discloses-data-breach-affecting-customers/
Everest Ransomware Claims Breach At Nissan, Says 900GB Of Data Stolen
"The notorious Everest ransomware group claims to have breached Nissan Motor Corporation (Nissan Motor Co., Ltd.), the Japanese multinational automobile manufacturer. The group published its claims on its dark web leak site on January 10, 2026, sharing six screenshots allegedly taken from the stolen data. They also revealed a directory structure showing ZIP archives, text files, Excel sheets, and CSV documents."
https://hackread.com/everest-ransomware-nissan-data-breach/
Armenia Probes Alleged Sale Of 8 Million Government Records On Hacker Forum
"Hackers are offering for sale what they claim is a large trove of Armenian government-related data, prompting officials in Yerevan to open an investigation into a potential breach. The alleged seller, using the alias dk0m, said it gained access to a government notification system used to distribute official communications, including legal and administrative notices."
https://therecord.media/armenia-probes-alleged-sale-government-records

General News

What Security Teams Can Learn From Torrent Metadata
"Security teams often spend time sorting through logs and alerts that point to activity happening outside corporate networks. Torrent traffic shows up in investigations tied to policy violations, insider risk, and criminal activity. A new research paper looks at that same torrent activity through an open source intelligence lens and asks how much signal security teams can extract from data that is already public."
https://www.helpnetsecurity.com/2026/01/12/torrent-metadata-osint-research/
Downtime Pushes Resilience Planning Into Security Operations
"CISOs describe a shift in how they define success. New research from Absolute Security shows broad agreement that resilience outweighs security goals centered on prevention alone. Security leaders increasingly define their role around keeping the business operating through disruption. CISOs see themselves as responsible for recovery when incidents interrupt operations. Business continuity, endpoint restoration, and coordination with IT teams fall within their scope. Formal resilience strategies have become common, indicating that this shift is built into planning instead of treated as an add on."
https://www.helpnetsecurity.com/2026/01/12/absolute-ciso-resilience-planning/
Statistics Report On Malware Targeting Windows Web Servers In Q4 2025
"AhnLab SEcurity intelligence Center (ASEC) is using the AhnLab Smart Defense (ASD) infrastructure to respond to and categorize attacks targeting poorly managed Windows web servers. This post will cover the damage status of Windows web servers that have become attack targets and the statistics of attacks that occurred against these servers in the fourth quarter of 2025. Additionally, it will categorize the malware strains used in each attack and provide detailed statistics."
https://asec.ahnlab.com/en/92002/
Statistics Report On Malware Targeting Windows Database Servers In Q4 2025
"AhnLab SEcurity intelligence Center (ASEC) utilizes the AhnLab Smart Defense (ASD) infrastructure to respond to and categorize attacks targeting MS-SQL and MySQL servers installed on Windows operating systems. This post covers the damage status of MS-SQL and MySQL servers that have become attack targets and statistics on attacks against these servers, based on the logs identified in the fourth quarter of 2025. It also categorizes the malware strains used in each attack and provides detailed statistics."
https://asec.ahnlab.com/en/92003/
Statistics Report On Malware Targeting Linux SSH Servers In Q4 2025
"AhnLab SEcurity intelligence Center (ASEC) utilizes a honeypot to respond to and classify brute-force and dictionary attacks targeting poorly managed Linux SSH servers. This post covers the status of the attack sources identified in the logs from the fourth quarter of 2025 and the statistics of attacks launched by these sources. It also classifies the malware strains used in each attack and provides detailed statistics."
https://asec.ahnlab.com/en/92004/
Hacker Gets Seven Years For Breaching Rotterdam And Antwerp Ports
"The Amsterdam Court of Appeal sentenced a 44-year-old Dutch national to seven years in prison for multiple crimes, including computer hacking and attempted extortion. The man was arrested in 2021 and convicted in 2022 by the Amsterdam District Court, but he appealed the sentence because authorities had unlawfully intercepted his communications, deriving incriminating evidence. These communications occurred on the end-to-end encrypted chat service Sky ECC. Europol 'cracked' the service in 2021, which led to the arrest of the CEO and multiple users. The actions deriving from the operation extended into last year."
https://www.bleepingcomputer.com/news/security/hacker-gets-seven-years-for-breaching-rotterdam-and-antwerp-ports/
https://therecord.media/dutch-court-sentences-hacker-who-smuggled-cocaine-ports
Cybersecurity In The Public Sector: Challenges, Strategies And Best Practices
"Once upon a time, computer crimes were associated with the image of a hacker in a black hoodie working in a dark room by the glow of a monitor. But times have changed, and so have the threats. From simple penetration attempts, cyber attacks have evolved into complex, coordinated operations specifically targeting state systems, rather than pursued merely for entertainment or recognition."
https://hackread.com/cybersecurity-public-sector-challenges-strategies-practices/
Rethinking OT Security For Project Heavy Shipyards
"In this Help Net Security interview, Hans Quivooij, CISO at Damen Shipyards Group, discusses securing OT and ICS in the shipyard. He outlines how project-based operations, rotating contractors, and temporary systems expand the threat surface and complicate access control. Quivooij also covers visibility in legacy environments and the risks introduced by IT and OT integration."
https://www.helpnetsecurity.com/2026/01/12/hans-quivooij-damen-shipyards-group-securing-shipyard-ot-ics/
Global Cybersecurity Outlook 2026
"The World Economic Forum's Global Cybersecurity Outlook 2026, written in collaboration with Accenture, examines the cybersecurity trends that will affect economies and societies in the year to come. The report explores how accelerating AI adoption, geopolitical fragmentation and widening cyber inequity are reshaping the global risk landscape. As attacks grow faster, more complex and more unevenly distributed, organizations and governments face rising pressure to adapt amid persistent sovereignty challenges and widening capability gaps. Drawing on leaders’ perspectives, the report provides actionable insights to inform strategy, investment and policy."
https://www.weforum.org/publications/global-cybersecurity-outlook-2026/
https://reports.weforum.org/docs/WEF_Global_Cybersecurity_Outlook_2026.pdf
https://www.infosecurity-magazine.com/news/fraud-overtakes-ransomware-as-top/
Cyber Insights 2026: What CISOs Can Expect In 2026 And Beyond
"The responsibility of the CISO is ever increasing, and this won’t slow down in the coming years. Paul Kivikink, VP of product management and technology partnerships, at DataBee, explains the starting point: “Traditionally, CISOs came up through the technical ranks, deeply rooted in cybersecurity operations. But as cyber risk has become a board-level concern, the CISO is now expected to speak the language of business, connecting security investments to revenue protection, regulatory compliance, and enterprise resilience.”"
https://www.securityweek.com/cyber-insights-2026-what-cisos-can-expect-in-2026-and-beyond/
Block CISO: We Red-Teamed Our Own AI Agent To Run An Infostealer On An Employee Laptop
"When it comes to security, AI agents are like self-driving cars, according to Block Chief Information Security Officer James Nettesheim. "It's not enough for self-driving cars to be just as good as humans," Nettesheim said in an exclusive interview with The Register. "They have to be safer and better than humans - and provably so. We need that with our agentic use, too." The parent company of Square, Cash App, and Afterpay is pushing hard to position itself as an AI leader, co-designing the Model Context Protocol (MCP) with Anthropic and using MCP to build Goose, its open source AI agent that's used by almost all Block's 12,000 employees and connects to all of the company's systems including Google accounts and Square payments."
https://www.theregister.com/2026/01/12/block_ai_agent_goose/
2026 Crypto Crime Report Key Insights: TRM Identifies Record USD 158 Billion In Illicit Crypto Flows In 2025, Reversing a Multi-Year Decline
"This blog features key highlights from TRM’s upcoming 2026 Crypto Crime Report. Be sure to check back in the coming weeks to get your complete copy. Illicit crypto volume reached an all-time high of USD 158 billion in 2025, up nearly 145% from 2024. Despite the increase in absolute illicit volume, illicit volume as a proportion of overall crypto volume fell in 2025, from 1.3% in 2024 to 1.2% in 2025. While illicit activity represented a small share of overall on-chain volume, illicit entities captured 2.7% of available crypto liquidity in 2025, using a new metric that frames risk relative to deployable capital rather than raw transaction volume."
https://www.trmlabs.com/resources/blog/2026-crypto-crime-report-key-insights-trm-identifies-record-usd-158-billion-in-illicit-crypto-flows-in-2025-reversing-a-multi-year-decline
https://www.infosecurity-magazine.com/news/illicit-crypto-activity-record/

อ้างอิง
Electronic Transactions Development Agency (ETDA)