    Cyber Threat Intelligence 28 January 2026

    Cyber Security News
    • NCSA_THAICERT

      Financial Sector

      • Investigation Into International “ATM Jackpotting” Scheme And Tren De Aragua Results In Additional Indictment And 87 Total Charged Defendants
        "A federal grand jury in the District of Nebraska returned an additional indictment charging 31 individuals for their roles in a large conspiracy to deploy malware and steal millions of dollars from ATMs in the United States, a crime commonly referred to as “ATM jackpotting.” Fifty-six others have already been charged. Many of the defendants charged in this Homeland Security Task Force operation are Venezuelan and Colombian nationals including illegal alien Tren de Aragua (TdA) members. This indictment alleges 32 counts including conspiracy to commit bank fraud, conspiracy to commit bank burglary and computer fraud, bank fraud, bank burglary, and damage to computers."
        https://www.justice.gov/opa/pr/investigation-international-atm-jackpotting-scheme-and-tren-de-aragua-results-additional
        https://therecord.media/dozens-more-charged-ploutus-jackpotting-atm
        https://www.bleepingcomputer.com/news/security/us-charges-31-more-suspects-linked-to-atm-malware-attacks/
        https://hackread.com/us-charges-atm-jackpotting-scam-suspects/

      Healthcare Sector

      • Report: Attacks 'Cascade' From IT, OT To Patient Care
        "Of the millions of threats detected in healthcare IT environments last year, email phishing, identity failures and device vulnerabilities were among the dominant vectors for non-clinical IT compromises - often "cascading" into patient care workflows and causing nearly $2 million a day in losses, said a new report from security firm Trellix. Of 54.7 million threats detected by Trellix last year across its healthcare customers worldwide, 75% originated at U.S.-based organizations, with email incidents - including phishing - accounting for at least 85% of the detections, Trellix said."
        https://www.bankinfosecurity.com/report-attacks-cascade-from-it-ot-to-patient-care-a-30608
        https://www.trellix.com/assets/reports/trellix-healthcare-cybersecurity-threat-intelligence-report.pdf

      Vulnerabilities

      • Critical Sandbox Escape Flaw Found In Popular Vm2 NodeJS Library
        "A critical-severity vulnerability in the vm2 Node.js sandbox library, tracked as CVE-2026-22709, allows escaping the sandbox and executing arbitrary code on the underlying host system. The open-source vm2 library creates a secure context to allow users to execute untrusted JavaScript code that does not have access to the filesystem. vm2 has historically been seen in SaaS platforms that support user script execution, online code runners, chatbots, and open-source projects, being used in more than 200,000 projects on GitHub. The project was discontinued in 2023, though, due to repeated sandbox-escape vulnerabilities, and considered unsafe for running untrusted code."
        https://www.bleepingcomputer.com/news/security/critical-sandbox-escape-flaw-discovered-in-popular-vm2-nodejs-library/
      • Fortinet Blocks Exploited FortiCloud SSO Zero Day Until Patch Is Ready
        "Fortinet has confirmed a new, actively exploited critical FortiCloud single sign-on (SSO) authentication bypass vulnerability, tracked as CVE-2026-24858, and says it has mitigated the zero-day attacks by blocking FortiCloud SSO connections from devices running vulnerable firmware versions. The flaw allows attackers to abuse FortiCloud SSO to gain administrative access to FortiOS, FortiManager, and FortiAnalyzer devices registered to other customers, even when those devices were fully patched against a previously disclosed vulnerability."
        https://www.bleepingcomputer.com/news/security/fortinet-blocks-exploited-forticloud-sso-zero-day-until-patch-is-ready/
        https://fortiguard.fortinet.com/psirt/FG-IR-26-060
        https://www.helpnetsecurity.com/2026/01/28/fortinet-forticloud-sso-zero-day-vulnerability-cve-2026-24858/
      • Cellbreak: Grist’s Pyodide Sandbox Escape And The Data-At-Risk Blast Radius
        "One malicious formula can turn a spreadsheet into a Remote Code Execution (RCE) beachhead. This sandbox escape lets a formula author execute OS commands or run host‑runtime JavaScript, collapsing the boundary between “cell logic” and host execution. Grist‑Core is a modern relational spreadsheet and programmable alternative to Excel and Google Sheets. Teams use it to model business data, build lightweight apps, and automate workflows with Python formulas across tables and integrations."
        https://www.cyera.com/research-labs/cellbreak-grists-pyodide-sandbox-escape-and-the-data-at-risk-blast-radius
        https://www.infosecurity-magazine.com/news/pyodide-sandbox-escape-rce-grist/
      • CISA Adds Five Known Exploited Vulnerabilities To Catalog
        "CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2018-14634 Linux Kernel Integer Overflow Vulnerability
        CVE-2025-52691 SmarterTools SmarterMail Unrestricted Upload of File with Dangerous Type Vulnerability
        CVE-2026-21509 Microsoft Office Security Feature Bypass Vulnerability
        CVE-2026-23760 SmarterTools SmarterMail Authentication Bypass Using an Alternate Path or Channel Vulnerability
        CVE-2026-24061 GNU InetUtils Argument Injection Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/01/26/cisa-adds-five-known-exploited-vulnerabilities-catalog
        https://securityaffairs.com/187375/security/u-s-cisa-adds-microsoft-office-gnu-inetutils-smartertools-smartermail-and-linux-kernel-flaws-to-its-known-exploited-vulnerabilities-catalog.html
        https://www.securityweek.com/organizations-warned-of-exploited-linux-vulnerabilities/
      • Over 6,000 SmarterMail Servers Exposed To Automated Hijacking Attacks
        "Nonprofit security organization Shadowserver has found over 6,000 SmarterMail servers exposed online and likely vulnerable to attacks exploiting a critical authentication bypass vulnerability. Cybersecurity company watchTowr reported the security flaw to developer SmarterTools on January 8, which released a fix on January 15 without assigning an identifier. The vulnerability was later assigned CVE-2026-23760 and rated critical severity, as it allows unauthenticated attackers to hijack admin accounts and gain remote code execution on the host, enabling them to take control of vulnerable servers."
        https://www.bleepingcomputer.com/news/security/over-6-000-smartermail-servers-exposed-to-automated-hijacking-attacks/
        https://securityaffairs.com/187394/hacking/shadowserver-finds-6000-likely-vulnerable-smartermail-servers-exposed-online.html
      • OpenSSL Security Advisory (corrected - Added CVE-2026-22795 And CVE-2026-22796)
        "Issue summary: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs."
        https://groups.google.com/a/openssl.org/g/openssl-project/c/pwBoo9Tac6M
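      The OpenSSL advisory above describes a fixed-size stack buffer receiving an IV whose encoded length was never compared with the destination size. The following is an added illustration, not OpenSSL's code, of a simplified, hypothetical parser for the DER OCTET STRING carrying a GCM nonce that performs every length check before copying a single byte; the 16-byte maximum, the function names and the sample encodings are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed upper bound for an AES-GCM IV in these parameters (hypothetical). */
#define GCM_IV_MAX 16

typedef struct {
    uint8_t iv[GCM_IV_MAX];   /* fixed-size destination: the buffer that must be bounded */
    size_t  iv_len;
} aead_params;

/* Parse a short-form DER OCTET STRING (tag 0x04, one-byte length, contents)
 * holding the nonce. Returns 1 on success, 0 on malformed or oversized input.
 * All checks happen before memcpy, so the copy can never exceed GCM_IV_MAX. */
int parse_gcm_iv(const uint8_t *der, size_t der_len, aead_params *out)
{
    size_t len;

    memset(out, 0, sizeof(*out));
    if (der == NULL || der_len < 2)
        return 0;                      /* need at least tag + length */
    if (der[0] != 0x04)
        return 0;                      /* expect OCTET STRING */
    len = der[1];
    if (len & 0x80)
        return 0;                      /* long-form length: not a plausible nonce */
    if (len == 0 || len > GCM_IV_MAX)
        return 0;                      /* the destination-size check the advisory says was missing */
    if (len > der_len - 2)
        return 0;                      /* declared length exceeds the bytes actually present */

    memcpy(out->iv, der + 2, len);     /* bounded by GCM_IV_MAX and by der_len */
    out->iv_len = len;
    return 1;
}

/* Constructed sample encodings for this example (not from any real CMS message). */
static const uint8_t SAMPLE_IV_OK[] = {0x04, 0x0c, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
                                       0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c};  /* 12-byte nonce */
static const uint8_t SAMPLE_IV_BIG[66] = {0x04, 0x40};   /* claims a 64-byte IV; rest zero */
static const uint8_t SAMPLE_IV_TRUNC[] = {0x04, 0x0c, 0xaa, 0xbb}; /* claims 12, carries 2 */

int check_ok_sample(void)
{
    aead_params p;
    return parse_gcm_iv(SAMPLE_IV_OK, sizeof SAMPLE_IV_OK, &p) == 1
        && p.iv_len == 12 && p.iv[11] == 0x0c;
}

int check_oversized_rejected(void)
{
    aead_params p;
    return parse_gcm_iv(SAMPLE_IV_BIG, sizeof SAMPLE_IV_BIG, &p) == 0;
}

int check_truncated_rejected(void)
{
    aead_params p;
    return parse_gcm_iv(SAMPLE_IV_TRUNC, sizeof SAMPLE_IV_TRUNC, &p) == 0;
}

int main(void)
{
    printf("valid nonce accepted:   %d\n", check_ok_sample());
    printf("oversized IV rejected:  %d\n", check_oversized_rejected());
    printf("truncated IV rejected:  %d\n", check_truncated_rejected());
    return 0;
}
```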

      Malware

      • Diverse Threat Actors Exploiting Critical WinRAR Vulnerability CVE-2025-8088
        "The Google Threat Intelligence Group (GTIG) has identified widespread, active exploitation of the critical vulnerability CVE-2025-8088 in WinRAR, a popular file archiver tool for Windows, to establish initial access and deliver diverse payloads. Discovered and patched in July 2025, government-backed threat actors linked to Russia and China as well as financially motivated threat actors continue to exploit this n-day across disparate operations. The consistent exploitation method, a path traversal flaw allowing files to be dropped into the Windows Startup folder for persistence, underscores a defensive gap in fundamental application security and user awareness."
        https://cloud.google.com/blog/topics/threat-intelligence/exploiting-critical-winrar-vulnerability
        https://www.bleepingcomputer.com/news/security/winrar-path-traversal-flaw-still-exploited-by-numerous-hackers/
        https://cyberscoop.com/winrar-defect-active-exploits-google-threat-intel/
      • HoneyMyte Updates CoolClient And Deploys Multiple Stealers In Recent Campaigns
        "Over the past few years, we’ve been observing and monitoring the espionage activities of HoneyMyte (aka Mustang Panda or Bronze President) within Asia and Europe, with the Southeast Asia region being the most affected. The primary targets of most of the group’s campaigns were government entities. As an APT group, HoneyMyte uses a variety of sophisticated tools to achieve its goals. These tools include ToneShell, PlugX, Qreverse and CoolClient backdoors, Tonedisk and SnakeDisk USB worms, among others. In 2025, we observed HoneyMyte updating its toolset by enhancing the CoolClient backdoor with new features, deploying several variants of a browser login data stealer, and using multiple scripts designed for data theft and reconnaissance."
        https://securelist.com/honeymyte-updates-coolclient-uses-browser-stealers-and-scripts/118664/
        https://www.bleepingcomputer.com/news/security/chinese-mustang-panda-hackers-deploy-infostealers-via-coolclient-backdoor/
      • Alert: Sicarii Ransomware Encryption Key Handling Defect
        "Sicarii ransomware operations have been observed using an encryption process that can render post-payment data recovery impossible, even if a decryptor is provided. Halcyon malware analysts were the first to observe that the Sicarii binary includes a functional RSA implementation, but it is used in a way that undermines recoverability. During execution, the malware regenerates a new RSA key pair locally, uses the newly generated key material for encryption, and then discards the private key. This per-execution key generation means encryption is not tied to a recoverable master key, leaving victims without a viable decryption path and making attacker-provided decryptors ineffective for affected systems. Halcyon assesses with moderate confidence that the developers may have used AI-assisted tooling, which could have contributed to this implementation error. Organizations impacted by Sicarii ransomware should assume that ransom payment will not result in successful data restoration unless there is independent confirmation that this defect has been corrected."
        https://www.halcyon.ai/ransomware-alerts/alert-sicarii-ransomware-encryption-key-handling-defect
        https://www.darkreading.com/endpoint-security/vibe-coded-sicarii-ransomware-decrypted
      • How We Discovered A Campaign Of 16 Malicious Extensions Built To Steal ChatGPT Accounts
        "LayerX Research identified a coordinated set of Chrome browser extensions marketed as ChatGPT enhancement and productivity tools. In practice, however, these extensions are meant to steal users’ ChatGPT identities. The campaign consists of at least 16 distinct extensions developed by the same threat actor, in order to reach as wide a distribution as possible. This campaign coincides with a broader trend: the rapid growth in adoption of AI-powered browser extensions, aimed at helping users with their everyday productivity needs."
        https://layerxsecurity.com/blog/how-we-discovered-a-campaign-of-16-malicious-extensions-chatgpt/
        https://hackread.com/fake-chatgpt-extensions-hijack-user-accounts/
        https://www.securityweek.com/chrome-edge-extensions-caught-stealing-chatgpt-sessions/
      • APT Attacks Target Indian Government Using SHEETCREEP, FIREPOWER, And MAILCREEP | Part 2
        "In September 2025, Zscaler ThreatLabz uncovered three additional backdoors, SHEETCREEP, FIREPOWER, and MAILCREEP, used to power the Sheet Attack campaign. In Part 2 of this series, ThreatLabz will delve into these backdoors and analyze how threat actors are leveraging generative AI in their malware development processes. The Sheet Attack campaign stands out for its use of Google Sheets as a command-and-control (C2) channel, an uncommon tactic in this region. Between November 2025 and January 2026, ThreatLabz observed the deployment of new tools, including SHEETCREEP and FIREPOWER, along with MAILCREEP, which is used to manipulate emails, and a PowerShell-based document stealer to exfiltrate files."
        https://www.zscaler.com/blogs/security-research/apt-attacks-target-indian-government-using-sheetcreep-firepower-and
      • Dark Web Profile: BravoX Ransomware
        "BravoX is an emerging Ransomware-as-a-Service (RaaS) operation that surfaced after the publication of a new TOR-based data leak site (DLS) following a forum post on the RAMP underground forum. First observed in January 2026, the group currently operates at low volume, listing a limited number of victims while actively advertising an affiliate-driven model aimed at scaling its operations."
        https://socradar.io/blog/dark-web-profile-bravox-ransomware/

      Breaches/Hacks/Leaks

      • SoundCloud Data Breach
        "In December 2025, SoundCloud announced it had discovered unauthorised activity on its platform. The incident allowed an attacker to map publicly available SoundCloud profile data to email addresses for approximately 20% of its users. The impacted data included 30M unique email addresses, names, usernames, avatars, follower and following counts and, in some cases, the user’s country. The attackers later attempted to extort SoundCloud before publicly releasing the data the following month."
        https://haveibeenpwned.com/Breach/SoundCloud
        https://www.bleepingcomputer.com/news/security/have-i-been-pwned-soundcloud-data-breach-impacts-298-million-accounts/
      • Russian Security Systems Firm Delta Hit By Cyberattack, Services Disrupted
        "A cyberattack has disrupted operations at Delta, a Russian provider of alarm and security systems for homes, businesses and vehicles, causing widespread service outages and a wave of customer complaints. Delta said on Monday that it had been hit by a “large-scale, coordinated and well-organized” cyberattack that originated from an unspecified “hostile foreign state.” The company acknowledged temporary disruptions to some services but said there was no evidence that customers’ personal data had been compromised."
        https://therecord.media/russia-delta-security-alarm-company-cyberattack
      • Nova Ransomware Claims Breach Of KPMG Netherlands
        "KPMG Netherlands has allegedly become the latest target of the Nova ransomware group, following claims that sensitive data was accessed and exfiltrated. The incident was reported by ransomware monitoring services on 23 January 2026, with attackers claiming the breach occurred on the same day. Nova has reportedly issued a ten-day deadline for contact and ransom negotiations, a tactic commonly used by ransomware groups to pressure large organisations."
        https://dig.watch/updates/nova-ransomware-claims-breach-of-kpmg-netherlands

      General News

      • When Open Science Meets Real-World Cybersecurity
        "Scientific research environments are built for openness and collaboration, often prioritizing long-term discovery over traditional enterprise security. In this Help Net Security interview, Matthew Kwiatkowski, CISO at Fermilab, America’s particle physics and accelerator laboratory, discusses where cybersecurity blind spots emerge, why availability can outweigh confidentiality, and how security teams protect complex, legacy-driven research infrastructure while supporting scientific progress."
        https://www.helpnetsecurity.com/2026/01/27/matthew-kwiatkowski-fermilab-research-cybersecurity-challenges/
      • Waiting For AI Superintelligence? Don’t Hold Your Breath
        "AI’s impact on systems, security, and decision-making is already permanent. Superintelligence, often referred to as artificial superintelligence (ASI), describes a theoretical stage in which AI capability exceeds human cognitive performance across domains. Whether current systems are progressing toward cybersecurity superintelligence remains uncertain."
        https://www.helpnetsecurity.com/2026/01/27/cybersecurity-superintelligence-ai-future/
      • AI’s Appetite For Data Is Testing Enterprise Guardrails
        "Privacy programs are taking on more operational responsibility across the enterprise. A new Cisco global benchmark study shows expanding mandates, rising investment, and sustained pressure around data quality, accountability, and cross-border data management tied to AI systems. AI projects expanded the scope of privacy work across most enterprises over the past year. Budgets followed that shift, with additional spending planned as AI moves from pilots into production systems."
        https://www.helpnetsecurity.com/2026/01/27/cisco-ai-expands-privacy-programs/
      • AI & The Death Of Accuracy: What It Means For Zero-Trust
        "The glut of AI-generated content could introduce risks to large language models (LLMs) as AI tools begin to train on themselves. Gartner on Jan. 21 predicted that, by 2028, 50% of organizations will implement a zero-trust data governance posture due to an increase in what the analyst firm calls "unverified AI-generated data." Gartner dubbed the idea "model collapse," where machine-learning models could degrade based on errors introduced when they train on AI-generated content. That, in turn, could prompt a new security practice area related to zero-trust: continuous model behavior evaluation."
        https://www.darkreading.com/application-security/ai-death-accuracy-zero-trust
      • Beauty In Destruction: Exploring Malware's Impact Through Art
        "An eye-catching giant heart dangles from the ceiling in the lobby of Finnish security company WithSecure. The heart is crafted from 728 computer mice, crowdsourced from around the world, and each one is painted pink. The "Click for Love" art installation is the work of two artists, Hugo Lankinen and Kasper Hildén, who conceived of a pixelated heart in which each mouse acted as a 3D pixel."
        https://www.darkreading.com/vulnerabilities-threats/beauty-in-destruction-exploring-malware-impact-through-art
      • Hand CVE Over To The Private Sector
        "The Common Vulnerability Enumeration (CVE), now dubbed Common Vulnerabilities and Exposures, was created in 1999 to fill a void that never really existed to begin with. The CVE initiative was born out of a white paper titled "Towards a Common Enumeration of Vulnerabilities," written by David Mann and Steve Christey-Coley. The gist of the paper described the need for a "common enumeration" of vulnerabilities. However, it overlooks that there was already a broad coverage public vulnerability database (VDB) that had existed for more than a year."
        https://www.darkreading.com/cybersecurity-operations/hand-cve-over-to-private-sector
      • Over 80% Of Ethical Hackers Now Use AI
        "The vast majority (82%) of ethical hackers now use AI in their workflows, enabling companies to benefit from faster findings, more assessments, broader security coverage and higher quality reporting, according to Bugcrowd. The bug bounty specialist polled 2000 security researchers worldwide to compile its Inside the Mind of a Hacker report. It revealed a sharp jump in the share of respondents using AI, up from 64% in 2023. Three-quarters (74%) now believe AI increases the value of their work, virtually unchanged from last year."
        https://www.infosecurity-magazine.com/news/over-80-of-ethical-hackers-now-use/
      • Cyber Insights 2026: Quantum Computing And The Potential Synergy With Advanced AI
        "It’s hard not to have a dystopian view on the long term future effect of powerful quantum computers wedded to advanced artificial intelligence. But at least we have a few years to prepare. Quantum computers are coming, with a potential computing power almost beyond comprehension. That’s a given. The known threat is to current public key encryption methods, such as RSA and ECC, which will both be crackable through Shor’s algorithm in short timeframes. It is believed that nation states and advanced criminal gangs are engaged in a widespread harvest now, decrypt later (HNDL) campaign – steal and store data and secrets today, even if they are encrypted, because they can be decrypted later with quantum computers."
        https://www.securityweek.com/cyber-insights-2026-quantum-computing-and-the-potential-synergy-with-advanced-ai/
      • China Hacked Downing Street Phones For Years
        "China hacked the mobile phones of senior officials in Downing Street for several years, The Telegraph can disclose. The spying operation is understood to have compromised senior members of the government, exposing their private communications to Beijing. State-sponsored hackers are known to have targeted the phones of some of the closest aides to Boris Johnson, Liz Truss and Rishi Sunak between 2021 and 2024."
        https://www.telegraph.co.uk/news/2026/01/26/china-hacked-downing-street-phones-for-years/
        https://www.theregister.com/2026/01/27/chinalinked_hackers_accused_of_yearslong/
      • Why Has Microsoft Been Routing Example.com Traffic To a Company In Japan?
        "From the Department of Bizarre Anomalies: Microsoft has suppressed an unexplained anomaly on its network that was routing traffic destined to example.com—a domain reserved for testing purposes—to a maker of electronics cables located in Japan. Under the RFC2606—an official standard maintained by the Internet Engineering Task Force—example.com isn’t obtainable by any party. Instead it resolves to IP addresses assigned to Internet Assigned Names Authority. The designation is intended to prevent third parties from being bombarded with traffic when developers, penetration testers, and others need a domain for testing or discussing technical issues. Instead of naming an Internet-routable domain, they are to choose example.com or two others, example.net and example.org."
        https://arstechnica.com/information-technology/2026/01/odd-anomaly-caused-microsofts-network-to-mishandle-example-com-traffic/

      References
      Electronic Transactions Development Agency (ETDA)
