Cyber Threat Intelligence 15 January 2026
Industrial Sector
- Western Cyber Agencies Warn About Threats To Industrial Operational Technology
"A group of Western cyber agencies warned on Wednesday about the growing digital threats facing the operational technology at the heart of industrial systems. New guidance issued by Britain’s National Cyber Security Centre (NCSC), a part of signals and cyber intelligence agency GCHQ, sets out how organizations should securely connect equipment such as industrial control systems, sensors and other critical services. These types of technology are often at the heart of critical infrastructure, from energy generation plants through to water treatment facilities, manufacturing lines and transportation networks."
https://therecord.media/cyber-agencies-warn-of-industrial-system-threats
https://www.ncsc.gov.uk/files/ncsc-secure-connectivity-for-operational-technology.pdf
New Tooling
- CISO Assistant: Open-Source Cybersecurity Management And GRC
"CISO Assistant is an open-source governance, risk, and compliance (GRC) platform designed to help security teams document risks, controls, and framework alignment in a structured system. The community edition is maintained as a self-hosted tool for organizations that want direct access to the code and data. The community edition focuses on foundational GRC functions. It allows teams to define assets, document risks, create controls, and map those controls to security and compliance frameworks. All of these elements are connected through a shared data model that emphasizes traceability."
https://www.helpnetsecurity.com/2026/01/14/ciso-assistant-open-source-cybersecurity-management-grc/
https://github.com/intuitem/ciso-assistant-community
Vulnerabilities
- Fortinet Patches Critical Vulnerabilities In FortiFone, FortiSIEM
"Fortinet on Tuesday announced patches for six vulnerabilities across its products, including two critical-severity bugs in FortiFone and FortiSIEM. The most severe of these flaws is CVE-2025-64155 (CVSS score of 9.4), an OS command injection issue in FortiSIEM that could be exploited by unauthenticated attackers for code and command execution. Exploitable via crafted TCP requests, the security defect was resolved in FortiSIEM versions 7.1.9, 7.2.7, 7.3.5, and 7.4.1."
https://www.securityweek.com/fortinet-patches-critical-vulnerabilities-in-fortifone-fortisiem/
https://thehackernews.com/2026/01/fortinet-fixes-critical-fortisiem-flaw.html
https://securityaffairs.com/186902/security/fortinet-fixed-two-critical-flaws-in-fortifone-and-fortisiem.html
- Chrome 144, Firefox 147 Patch High-Severity Vulnerabilities
"Google and Mozilla on Tuesday announced the release of Chrome 144 and Firefox 147 with patches for a total of 26 vulnerabilities. Chrome 144 was rolled out to the stable channel with fixes for 10 security defects, including three high-severity bugs. Two of the high-severity flaws affect V8, the browser’s JavaScript and WebAssembly engine: CVE-2026-0899 is an out-of-bounds memory access issue, while CVE-2026-0900 is an inappropriate implementation weakness."
https://www.securityweek.com/chrome-144-firefox-147-patch-high-severity-vulnerabilities/
- CVE-2025-64155: Three Years Of Remotely Rooting The Fortinet FortiSIEM
"In August of 2025, Fortinet released an advisory for CVE-2025-25256, a command injection vulnerability which affected the FortiSIEM appliance. After the August advisory, we decided to dive in and assess the situation, ultimately leading to the discovery of:
- An unauthenticated argument injection vulnerability resulting in arbitrary file write allowing for remote code execution as the admin user
- A file overwrite privilege escalation vulnerability leading to root access
These vulnerabilities were reported and assigned CVE-2025-64155. Our proof of concept exploit can be found on our GitHub."
https://horizon3.ai/attack-research/disclosures/cve-2025-64155-three-years-of-remotely-rooting-the-fortinet-fortisiem/
https://www.bleepingcomputer.com/news/security/exploit-code-public-for-critical-fortisiem-command-injection-flaw/
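The chain above starts with argument injection, a bug class that survives the usual "no shell, so no injection" reasoning. As an added illustration (not Horizon3's proof of concept and not FortiSIEM code), the block below pairs a vulnerable wrapper with a hardened one. The downstream tool is a stand-in parser that accepts a `-q` flag and an `-o <path>` output option; that interface, the hostname allowlist and the sample attacker input are all assumptions chosen to show the mechanism.

```javascript
// Added example (not Horizon3's or Fortinet's code): the generic argument-injection
// pattern behind "unauthenticated argument injection -> arbitrary file write". The
// wrapper hands user-controlled strings to a command-line tool as separate argv
// entries. No shell is involved, so metacharacter filtering does nothing, but any
// entry starting with "-" is still parsed by the tool as an option, and an option
// that names an output file turns the injection into a file write.

// Stand-in for the downstream tool's option parser (assumption: it accepts a "-q"
// flag and "-o <path>", like many Unix utilities). It returns the job it would have
// run instead of touching the disk.
function toolParseArgv(argv) {
  const job = { quiet: false, targets: [], outputFile: null };
  let optionsDone = false;
  for (let i = 0; i < argv.length; i++) {
    const a = argv[i];
    if (!optionsDone && a === '--') { optionsDone = true; continue; }
    if (!optionsDone && a === '-q') { job.quiet = true; continue; }
    if (!optionsDone && a === '-o') { job.outputFile = argv[++i] ?? null; continue; }
    if (!optionsDone && a.startsWith('-')) throw new Error(`unknown option ${a}`);
    job.targets.push(a);
  }
  return job;
}

// Vulnerable wrapper: splits a user-supplied host list on whitespace and forwards
// every token as its own argv entry. The array form of child_process.spawn() would
// behave the same way: the tool, not the shell, is what interprets "-o".
function runVulnerable(userInput) {
  const tokens = userInput.trim().split(/\s+/);
  return toolParseArgv(['-q', ...tokens]);
}

// Hostname shape: must begin with a letter or digit, so "-o" can never match.
const HOST_RE = /^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$/;

// Hardened wrapper: allowlist every token against the value the tool expects, then
// put all user values after "--" so the tool cannot read them as options even if
// the allowlist is loosened later.
function runHardened(userInput) {
  const tokens = userInput.trim().split(/\s+/);
  for (const t of tokens) {
    if (!HOST_RE.test(t)) throw new Error(`rejected argument ${JSON.stringify(t)}`);
  }
  return toolParseArgv(['-q', '--', ...tokens]);
}

// Constructed attacker input: a valid host followed by an injected output option.
const ATTACK = '10.0.0.5 -o /tmp/pwned.txt';
console.log('vulnerable:', runVulnerable(ATTACK));
try {
  runHardened(ATTACK);
} catch (e) {
  console.log('hardened:', e.message);
}
```

The two defences are deliberately layered: the allowlist is the real control, and the `--` separator is the cheap insurance that keeps a future relaxation of the allowlist from becoming a file write again. When auditing a wrapper, look for any user value that can reach argv at a position where the tool still accepts options.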
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2026-20805 Microsoft Windows Information Disclosure Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/01/13/cisa-adds-one-known-exploited-vulnerability-catalog
https://therecord.media/desktop-windows-manager-vulnerability-added-to-cisa-list
https://securityaffairs.com/186898/security/u-s-cisa-adds-a-flaw-in-microsoft-windows-to-its-known-exploited-vulnerabilities-catalog.html
- Mitigating Denial-Of-Service Vulnerability From Unrecoverable Stack Space Exhaustion For React, Next.js, And APM Users
"Node.js/V8 makes a best-effort attempt to recover from stack space exhaustion with a catchable error, which frameworks have come to rely on for service availability. A bug that only reproduces when async_hooks are used would break this attempt, causing Node.js to exit with 7 directly without throwing a catchable error when recursions in user code exhaust the stack space. This makes applications whose recursion depth is controlled b
https://nodejs.org/en/blog/vulnerability/january-2026-dos-mitigation-async-hooks
https://thehackernews.com/2026/01/critical-nodejs-vulnerability-can-cause.html
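The practical lesson of the advisory is that the catchable RangeError is a last resort, not a control. The added example below (not code from the Node.js advisory) shows a recursive walker whose depth is dictated by client-supplied nesting, the catch-based recovery that frameworks rely on, and a depth-budgeted walker that rejects oversized input before the stack limit is anywhere near. The nested-object input and the budget of 64 are assumptions.

```javascript
// Added example (not from the Node.js advisory): why service availability cannot
// rest on catching the stack-exhaustion error, and how to bound input-controlled
// recursion before it reaches the stack limit.

// Constructed input: a nesting depth chosen by the client. Building it in a loop
// never touches the call stack; only a recursive consumer does.
function buildNested(depth) {
  let node = { value: 'leaf' };
  for (let i = 0; i < depth; i++) node = { child: node };
  return node;
}

// Naive walker: its recursion depth equals whatever nesting depth the client sent.
function naiveDepth(node) {
  return node.child ? 1 + naiveDepth(node.child) : 0;
}

// The best-effort recovery frameworks lean on: catch the RangeError V8 throws when
// the stack is exhausted. Under the async_hooks bug described above this handler is
// never reached and the process exits, so this is not a mitigation, only a
// demonstration of what normally happens.
function naiveDepthCaught(node) {
  try {
    return { ok: true, depth: naiveDepth(node) };
  } catch (e) {
    if (e instanceof RangeError) return { ok: false, reason: 'stack exhausted' };
    throw e;
  }
}

// Hardened walker: an explicit depth budget chosen by the application and kept far
// below the platform stack limit. Oversized input is rejected with an ordinary
// Error long before V8 has to intervene, whether or not async_hooks is active.
function boundedDepth(node, maxDepth = 64, depth = 0) {
  if (!node.child) return depth;
  if (depth + 1 > maxDepth) throw new Error(`nesting exceeds limit of ${maxDepth}`);
  return boundedDepth(node.child, maxDepth, depth + 1);
}

console.log(naiveDepthCaught(buildNested(10)));     // { ok: true, depth: 10 }
console.log(naiveDepthCaught(buildNested(200000))); // { ok: false, reason: 'stack exhausted' }
try {
  boundedDepth(buildNested(200000));
} catch (e) {
  console.log('bounded:', e.message);
}
```

The budget should be set from what the application legitimately needs, not from the stack size of the runtime it happens to run on; a JSON or tree parser that never expects more than a few dozen levels gains nothing by allowing thousands.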
Malware
- ConsentFix Debrief: Insights From The New OAuth Phishing Attack
"In December, the Push Security research team discovered and blocked a brand new attack technique that we coined ConsentFix. This technique merged ClickFix-style social engineering with OAuth consent phishing to hijack Microsoft accounts. We saw this attack running across a large network of compromised websites that attackers were injecting the malicious payload into, forming a large-scale campaign that was detected across multiple customer estates."
https://www.bleepingcomputer.com/news/security/consentfix-debrief-insights-from-the-new-oauth-phishing-attack/
- Predator's Kill Switch: Undocumented Anti-Analysis Techniques In iOS Spyware
"In December 2024, Google's Threat Intelligence Group (GTIG) published extensive research on Intellexa's Predator spyware, documenting its zero-day exploit chains and the PREYHUNTER stager component. Their research identified that the "watcher" module detects developer mode, jailbreak tools, security applications and network interception configurations. However, while conducting independent reverse engineering of a Predator sample, Jamf Threat Labs discovered several undocumented mechanisms that reveal how sophisticated this spyware's anti-analysis capabilities truly are."
https://www.jamf.com/blog/predator-spyware-anti-analysis-techniques-ios-error-codes-detection/
https://cyberscoop.com/predator-spyware-demonstrates-troubleshooting-researcher-dodging-capabilities/
https://www.securityweek.com/predator-spywares-granular-anti-analysis-features-exposed/
- Microsoft Disrupts Global Cybercrime Subscription Service Responsible For Millions In Fraud Losses
"Today, Microsoft is announcing a coordinated legal action in the United States and, for the first time, the United Kingdom to disrupt RedVDS, a global cybercrime subscription service fueling millions in fraud losses. These efforts are part of a broader joint operation with international law enforcement, including German authorities and Europol, which has allowed Microsoft and its partners to seize key malicious infrastructure and take the RedVDS marketplace offline, a major step toward dismantling the networks behind AI-enabled fraud, such as real estate scams."
https://blogs.microsoft.com/on-the-issues/2026/01/14/microsoft-disrupts-cybercrime/
https://www.darkreading.com/threat-intelligence/microsoft-disrupts-cybercrime-service-redvds
https://therecord.media/microsoft-redvds-cybercrime-scam
https://cyberscoop.com/microsoft-seizes-disrupts-redvds-cybercrime-marketplace/
https://www.infosecurity-magazine.com/news/criminal-subscription-service/
https://www.securityweek.com/redvds-cybercrime-service-disrupted-by-microsoft-and-law-enforcement/
- Inside The Latest PayPal Scam: RMM Abuse And Credential Theft
"Over the past two months, cybercriminals have increasingly abused Remote Monitoring and Management (RMM) tools in multi-stage attack campaigns. These attacks often begin with phishing emails disguised as holiday party invitations, overdue invoices, tax notices, Zoom meeting requests, or document signing notifications. While these lures appear harmless, their true intent is credential theft and unauthorized access. Recent public research released on November 19, 2025, highlighted this trend, noting that attackers frequently use seasonal lures such as “Party Invitation” or “December Holiday Party” to trick victims into engaging with malicious content."
https://www.cyberproof.com/blog/inside-the-latest-paypal-scam-rmm-abuse-and-credential-theft/
https://www.infosecurity-magazine.com/news/hackers-fake-paypal-notices-deploy/
- DeadLock Ransomware Group Utilizes Polygon Smart Contracts
"A newly emerged digital extortion group is using blockchain smart contracts to store proxy server addresses for facilitating ransomware negotiations with victim organizations. The DeadLock ransomware group - it dates to July 2025 - has been using smart contracts on Polygon, a cryptocurrency blockchain platform designed to run alongside the Ethereum blockchain. Known as "EtherHiding," the technique embeds malicious instructions in blockchain smart contracts. In many cases, such activities leave no trace. Devotees have included a North Korean nation-state group targeting developers and cryptocurrency firms and a financially motivated cybercrime group (see: Hackers Use Blockchain to Hide Malware in Plain Sight)."
https://www.bankinfosecurity.com/deadlock-ransomware-group-utilizes-polygon-smart-contracts-a-30518
https://www.infosecurity-magazine.com/news/deadlock-polygon-smart-contracts/
https://www.theregister.com/2026/01/14/deadlock_ransomware_smart_contracts/
- How Real Software Downloads Can Hide Remote Backdoors
"It starts with a simple search. You need to set up remote access to a colleague’s computer. You do a Google search for “RustDesk download,” click one of the top results, and land on a polished website with documentation, downloads, and familiar branding. You install the software, launch it, and everything works exactly as expected. What you don’t see is the second program that installs alongside it—one that quietly gives attackers persistent access to your computer."
https://www.malwarebytes.com/blog/threat-intel/2026/01/how-real-software-downloads-can-hide-remote-backdoors
- Researchers Null-Route Over 550 Kimwolf And Aisuru Botnet Command Servers
"The Black Lotus Labs team at Lumen Technologies said it null-routed traffic to more than 550 command-and-control (C2) nodes associated with the AISURU/Kimwolf botnet since early October 2025. AISURU and its Android counterpart, Kimwolf, have emerged as some of the biggest botnets in recent times, capable of directing enslaved devices to participate in distributed denial-of-service (DDoS) attacks and relay malicious traffic for residential proxy services."
https://thehackernews.com/2026/01/kimwolf-botnet-infected-over-2-million.html
https://cyberscoop.com/kimwolf-aisuru-botnet-lumen-technologies/
- Hiding In Plain Sight: Deconstructing The Multi-Actor DLL Sideloading Campaign Abusing Ahost.exe
"The Trellix Advanced Research Center has uncovered an active malware campaign that exploits a DLL sideloading vulnerability within the legitimate ahost.exe utility. This utility is a component of the open-source c-ares library (used for asynchronous DNS lookups) and is commonly bundled within Git for Windows installations, including those embedded in developer tools like GitKraken or GitHub Desktop. Attackers achieve evasion by pairing a malicious libcares-2.dll with any signed version of the legitimate ahost.exe (which they often rename) to execute their code. This DLL sideloading technique allows the malware to bypass traditional signature-based security defenses."
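Because the loader is a legitimately signed binary, hash- and signature-based blocking of ahost.exe itself is not an option; the detectable part of the pairing is where the binary and its libcares-2.dll come from and what the binary is really called. The added example below (not Trellix's detection content) runs that heuristic over constructed image-load telemetry. The event field names, the trusted install roots, and the use of the PE version resource's original filename to see through a renamed ahost.exe are assumptions to be mapped onto your EDR's schema and your estate's install paths.

```javascript
// Added example (not Trellix's detection content): a heuristic over image-load
// telemetry for the pairing the write-up describes, a signed (often renamed) ahost.exe
// loading a libcares-2.dll that is not the one shipped with a Git for Windows install.
// Field names and trusted install roots are assumptions; adjust to your EDR and estate.

// Assumption: locations where ahost.exe and libcares-2.dll legitimately live.
const TRUSTED_ROOTS = [
  /^c:\\program files\\git\\/i,
  /^c:\\program files \(x86\)\\git\\/i,
  /^c:\\users\\[^\\]+\\appdata\\local\\(gitkraken|githubdesktop)\\/i,
];

function baseName(p) {
  return p.split(/[\\/]/).pop().toLowerCase();
}

function underTrustedRoot(p) {
  return TRUSTED_ROOTS.some((re) => re.test(p));
}

// Evaluate one image-load event. `processOriginalFileName` is assumed to come from
// the PE version resource of the running image (Sysmon's process-creation event
// exposes it as OriginalFileName), which survives renaming ahost.exe on disk. If the
// sensor does not provide it, the on-disk name is the fallback identity.
function evaluateImageLoad(ev) {
  if (baseName(ev.loadedModule) !== 'libcares-2.dll') return null;
  const identity = (ev.processOriginalFileName || baseName(ev.processImage)).toLowerCase();
  if (identity !== 'ahost.exe') return null;

  const reasons = [];
  if (baseName(ev.processImage) !== 'ahost.exe') {
    reasons.push(`ahost.exe running under the name ${baseName(ev.processImage)}`);
  }
  if (!underTrustedRoot(ev.processImage)) reasons.push('ahost.exe outside known install roots');
  if (!underTrustedRoot(ev.loadedModule)) reasons.push('libcares-2.dll outside known install roots');
  if (reasons.length === 0) return null;
  return {
    pid: ev.pid,
    severity: reasons.length >= 2 ? 'high' : 'medium',
    image: ev.processImage,
    module: ev.loadedModule,
    reasons,
  };
}

function scanImageLoads(events) {
  return events.map(evaluateImageLoad).filter((f) => f !== null);
}

// Constructed sample telemetry (not real events): a clean Git for Windows load, a
// renamed ahost.exe with its DLL in a user-writable directory, a legitimate binary
// pulling the DLL from a share, and an unrelated load for contrast.
const SAMPLE_EVENTS = [
  { pid: 4120, processImage: 'C:\\Program Files\\Git\\mingw64\\bin\\ahost.exe',
    processOriginalFileName: 'ahost.exe',
    loadedModule: 'C:\\Program Files\\Git\\mingw64\\bin\\libcares-2.dll' },
  { pid: 5532, processImage: 'C:\\Users\\Public\\Libraries\\OneDriveUpdate.exe',
    processOriginalFileName: 'ahost.exe',
    loadedModule: 'C:\\Users\\Public\\Libraries\\libcares-2.dll' },
  { pid: 6010, processImage: 'C:\\Program Files\\Git\\mingw64\\bin\\ahost.exe',
    processOriginalFileName: 'ahost.exe',
    loadedModule: 'D:\\shared\\libcares-2.dll' },
  { pid: 7004, processImage: 'C:\\Windows\\System32\\cmd.exe',
    processOriginalFileName: 'Cmd.Exe',
    loadedModule: 'C:\\Windows\\System32\\kernel32.dll' },
];

for (const f of scanImageLoads(SAMPLE_EVENTS)) {
  console.log(`[${f.severity}] pid ${f.pid} ${f.image}: ${f.reasons.join('; ')}`);
}
```

Path-based trust is the weakest of the three signals: a DLL dropped into the real Git install directory would pass it, so where the estate has a software inventory, replace the root check for the DLL with a known-good hash set for libcares-2.dll and keep the rename and location checks for the executable.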
https://www.trellix.com/en-au/blogs/research/hiding-in-plain-sight-multi-actor-ahost-exe-attacks/
https://thehackernews.com/2026/01/hackers-exploit-c-ares-dll-side-loading.html
- Reprompt: The Single-Click Microsoft Copilot Attack That Silently Steals Your Personal Data
"Varonis Threat Labs uncovered a new attack flow, dubbed Reprompt, that gives threat actors an invisible entry point to perform a data‑exfiltration chain that bypasses enterprise security controls entirely and accesses sensitive data without detection — all from one click. First discovered in Microsoft Copilot Personal, Reprompt is important for multiple reasons:"
https://www.varonis.com/blog/reprompt
https://www.bleepingcomputer.com/news/security/reprompt-attack-let-hackers-hijack-microsoft-copilot-sessions/
- NFC Skimming Attacks
"Thanks to the convenience of NFC and smartphone payments, many people no longer carry wallets or remember their bank card PINs. All their cards reside in a payment app, and using that is quicker than fumbling for a physical card. Mobile payments are also secure — the technology was developed relatively recently and includes numerous anti-fraud protections. Still, criminals have invented several ways to abuse NFC and steal your money. Fortunately, protecting your funds is straightforward: just know about these tricks and avoid risky NFC usage scenarios."
https://www.kaspersky.com/blog/nfc-gate-relay-attacks-2026/55116/
Breaches/Hacks/Leaks
- Victorian Department Of Education Says Hackers Stole Students’ Data
"The Department of Education in Victoria, Australia, notified parents that attackers accessed a database containing the personal information and email addresses of current and former students, prompting password resets. The department disclosed the breach in letters sent to parents, stating that an unauthorized third party accessed students' names, school names, year levels, and school-issued email addresses, as well as encrypted passwords for accounts that use them."
https://www.bleepingcomputer.com/news/security/victorian-department-of-education-notifies-parents-of-data-breach/
- Monroe University Says 2024 Data Breach Affects 320,000 People
"Monroe University revealed that threat actors stole the personal, financial, and health information of over 320,000 people after breaching its systems in a December 2024 cyberattack. Founded in 1933 as a Bronx secretarial school, Monroe University is now a private institution with over 9,000 students each year across campuses in New York (Bronx and New Rochelle), and in the Caribbean nation of Saint Lucia. As the school explained in data breach notifications filed with the Office of the Maine Attorney General this week, the attackers had access to its network for 2 weeks, from December 9 to December 23."
https://www.bleepingcomputer.com/news/security/monroe-university-says-2024-data-breach-affects-320-000-people/
- Hacker Claims Full Breach Of Russia’s Max Messenger, Threatens Public Leak
"A hacker using the alias CamelliaBtw has claimed responsibility for a major data breach involving Max Messenger, according to a post published yesterday on the DarkForums cybercrime marketplace and hacker forum. The forum thread, titled “Max Messenger – Full User Infrastructure & SQL Dump,” alleges that the attacker gained complete access to the messaging platform’s production systems exactly one year after its public launch. The post describes what would amount to a total compromise of user data, backend infrastructure, and proprietary source code."
https://hackread.com/hacker-russia-max-messenger-breach-data-leak/
- Eurail Passengers Taken For a Ride As Data Breach Spills Passports, Bank Details
"Eurail has confirmed customer information was stolen in a data breach, according to notification emails sent out this week. The European travel company, also known as Interrail to EU residents, initially posted the news on January 10, but affected customers, the number of whom was not disclosed, began receiving emails on January 13."
https://www.theregister.com/2026/01/14/eurail_breach/
General News
- International Threats: How Malware Campaigns Vary Across Non-English Languages
"Cofense Intelligence relies on over 35 million trained employees from around the world. As a result, a considerable number of analyzed campaigns are written in languages other than English. This report covers from May 2023 to May 2025, providing a historical perspective that demonstrates long-term patterns and trends seen over the last several years. It focuses on the malware families delivered by campaigns bypassing secure email gateways (SEGs) in the top five languages, excluding English, most commonly seen delivering malware by Cofense Intelligence."
https://cofense.com/blog/international-threats-how-malware-campaigns-vary-across-non-english-languages
- Retail, Services Industries Under Fire In Oceania
"New data suggests that in Australia and New Zealand, hackers are increasingly targeting companies in non-critical sectors like retail and construction. Cyble's "Threat Landscape Report 2024" for Australia and New Zealand focused on the threat to industries critical to the functioning of modern society: government, healthcare, and finance, for example. These are the kinds of sectors that tend to top most cybersecurity year-in-review lists — they carry the most significance to state-level attackers, and have the most money floating around for cybercriminals."
https://www.darkreading.com/cybersecurity-analytics/retail-services-industries-oceania
- Survey: Rapid AI Adoption Causes Major Cyber Risk Visibility Gaps
"As software supply chains become longer and more interconnected, enterprises have become well aware of the need to protect themselves against third-party vulnerabilities. However, the rampant adoption of artificial intelligence chatbots and AI agents means they’re struggling to do this. On the contrary, the majority of organizations are exposing themselves to unknown risks by allowing employees to access AI services and software packages that include AI integrations, with little oversight. This revelation is one of the main findings of Panorays’ latest CISO Survey for Third-Party Cyber Risk Management, which revealed that 60% of CISOs rate AI vendors as “uniquely risky,” primarily due to their opaque nature."
https://hackread.com/survey-rapid-ai-adoption-cyber-risk-visibility-gaps/
https://panorays.com/resources/reports-whitepapers/2026-ciso-survey/
- How Cybercrime Markets Launder Breach Proceeds And What Security Teams Miss
"A corporate customer database is breached on a quiet Sunday night. Millions of credentials and card numbers are quietly exfiltrated, sorted, and listed on a well‑known fraud shop on a cybercrime forum. Over the next few days, small crews buy slices of that data and start testing logins, draining loyalty points, taking over e‑commerce accounts, and running carding scripts against online merchants. The successful hits are funnelled into mule accounts and digital wallets. From there, the proceeds converge. Balances spread across multiple services are swept into a single exchange and converted into liquid, dollar‑pegged assets for rapid movement across chains and borders."
https://hackread.com/cybercrime-markets-stablecoins-launder-breach-proceeds/
- Firmware Scanning Time, Cost, And Where Teams Run EMBA
"Security teams that deal with connected devices often end up running long firmware scans overnight, checking progress in the morning, and trying to explain to colleagues why a single image consumed a workday of compute time. That routine sets the context for a new research paper that examines how the EMBA firmware analysis tool behaves when it runs in different environments."
https://www.helpnetsecurity.com/2026/01/14/emba-iot-firmware-security/
https://www.preprints.org/frontend/manuscript/46bc80aec11f8fa7c0eb1e55f5634d27/download_pub
- How AI Image Tools Can Be Tricked Into Making Political Propaganda
"A single image can shift public opinion faster than a long post. Text to image systems can be pushed to create misleading political visuals, even when safety filters are in place, according to a new study. The researchers examined whether commercial text to image tools can be tricked into producing politically sensitive images of actual public figures. They focused on scenes that could be used for propaganda or disinformation, such as elected leaders holding extremist symbols or performing gestures tied to hate movements. Tests were carried out on GPT-4o, GPT-5, and GPT-5.1, using the gpt-image-1 image generator through standard web interfaces."
https://www.helpnetsecurity.com/2026/01/14/ai-generated-political-propaganda-study/
https://arxiv.org/pdf/2601.05150
- G7 Sets 2034 Deadline For Finance To Adopt Quantum-Safe Systems
"Financial businesses and public entities should have fully transitioned to post-quantum cryptography (PQC) by 2034 at the latest, according to the G7. In a new document published on January 13, the G7 Cyber Expert Group (CEG) set a recommended roadmap for financial entities to test, migrate and fully transition to quantum-resistant cryptographic systems in order to anticipate the risk of potential quantum-enabled cyber-attacks in the future that would break current cryptographic systems."
https://www.infosecurity-magazine.com/news/g7-2034-deadline-finance-pqc/
https://home.treasury.gov/system/files/136/G7-CEG-Quantum-Roadmap.pdf
Reference
Electronic Transactions Development Agency (ETDA)