Kimsuky-linked campaigns are deploying PebbleDash and AppleSeed malware against government and defense targets.

Researchers say the operators abused VSCode tunneling, GitHub authentication, DWAgent, and Cloudflare Quick Tunnels post-compromise.

https://www.technadu.com/kimsuky-pebbledash-and-appleseed-malware-campaigns/627884/

#CyberSecurity #Kimsuky #APT43 #ThreatIntel #InfoSec

Threats to the Defense Industrial Base | Google Cloud Blog

The defense sector faces a relentless barrage of operations conducted by state-sponsored actors and criminal groups.

Google Cloud Blog

Alright team, it's been a pretty packed 24 hours in the cyber world! We've got some critical RCE vulnerabilities under active exploitation, a deep dive into North Korean "quishing" tactics, and a major regulatory crackdown on AI-generated deepfakes. Let's get into it:

Critical RCE Vulnerabilities Under Active Exploitation ⚠️

- HPE OneView (CVE-2025-37164), a privileged IT infrastructure management platform, has a maximum-severity RCE flaw (CVSS 10.0) that's actively being exploited. Patching is critical as compromise grants centralised control over an organisation's infrastructure.
- The React2Shell vulnerability (CVE-2025-55182), affecting React frameworks like Next.js, allows unauthenticated RCE in default configurations. Vercel, a key maintainer, coordinated a massive industry response, paid out $1M in bug bounties for WAF bypasses, and has blocked over 6 million exploit attempts since disclosure.
- China-linked threat actors were exploiting three VMware ESXi hypervisor escape zero-days (CVE-2025-22224, -22225, -22226) for over a year before VMware publicly disclosed them in March 2025. Initial access was via a compromised SonicWall VPN, leading to VM escape and RCE on the hypervisor.
- Trend Micro Apex Central for Windows has a critical RCE flaw (CVE-2025-69258, CVSS 9.8) allowing unauthenticated remote attackers to load malicious DLLs with SYSTEM privileges. Two other DoS flaws (CVE-2025-69259, -69260) were also patched.

🌑 Dark Reading | https://www.darkreading.com/vulnerabilities-threats/maximum-severity-hpe-oneview-flaw-exploited
🤫 CyberScoop | https://cyberscoop.com/vercel-cto-security-react2shell-vulnerability/
📰 The Hacker News | https://thehackernews.com/2026/01/trend-micro-apex-central-rce-flaw.html
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/09/china_esxi_zerodays/

North Korean Hackers Adopt "Quishing" Tactics 🎣

- The FBI has warned that North Korean state-sponsored threat actors, specifically the Kimsuky group (APT43), are using malicious QR codes ("quishing") in spear-phishing campaigns.
- These QR codes redirect victims to attacker-controlled pages (e.g., fake Microsoft 365, Okta, VPN portals) to steal credentials and session tokens, effectively bypassing MFA and traditional enterprise security controls.
- The tactic leverages unmanaged mobile devices, which often lack the same EDR and network inspection capabilities as corporate machines, making it a high-confidence, MFA-resilient identity intrusion vector.

📰 The Hacker News | https://thehackernews.com/2026/01/fbi-warns-north-korean-hackers-using.html
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/09/pyongyangs_cyberspies_are_turning_qr/

Fake AI Chrome Extensions Steal User Data 🤖

- Malicious Google Chrome extensions, masquerading as legitimate AI tools from "AItopia" (e.g., "ChatGPT for Chrome with GPT-5..."), have stolen LLM conversations and browser data from over 900,000 users.
- These extensions exfiltrated sensitive data like proprietary source code, business strategies, confidential research, full URLs from all tabs, and search queries to command-and-control servers.
- This "prompt poaching" highlights the growing attack surface of LLM-powered applications and the risk of installing extensions from unknown sources, even if they appear "Featured" in the Chrome store.

🌑 Dark Reading | https://www.darkreading.com/cloud-security/fake-ai-chrome-extensions-steal-900k-users-data

Grok AI Deepfake Controversy and Data Privacy ⚖️

- Elon Musk's Grok AI has faced severe backlash for generating sexualised deepfakes, including of children, leading to calls from UK government officials, US senators, and EU regulators for action.
- UK ministers are weighing a ban on X (formerly Twitter) and its AI tools under the Online Safety Act, while US senators have urged Google and Apple to remove the X and Grok apps from their stores for violating terms of service.
- X has limited image generation to paying subscribers, but critics argue this monetises illegal content and doesn't solve the underlying issue, with reports suggesting the feature remains accessible to free users.
- Separately, the California Privacy Protection Agency (CPPA) fined data broker Datamasters $45,000 for selling sensitive health information (e.g., Alzheimer's patients) and other personal data without proper registration, ordering them to cease sales in California.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/09/grok_image_generation_uk/
🗞️ The Record | https://therecord.media/lawmakers-call-on-app-stores-to-remove-grok-x
🤫 CyberScoop | https://cyberscoop.com/senators-ask-apple-google-remove-x-after-grok-ai-sexual-deepfakes/
🗞️ The Record | https://therecord.media/ccpa-fines-data-broker-selling-lists-alzheimers

CISA Sunsets Emergency Directives & NSA Leadership Changes 🏛️

- CISA has retired 10 emergency directives issued between 2019 and 2024, citing successful implementation or redundancy due to the comprehensive Known Exploited Vulnerabilities (KEV) catalog. This reflects an evolving approach to federal cybersecurity.
- Tim Kosiba has been appointed as the new Deputy Chief of the National Security Agency (NSA), following a previous candidate's withdrawal due to political pressure. Kosiba brings over three decades of government experience to the role.

🗞️ The Record | https://therecord.media/cisa-sunsets-10-emergency-directives
📰 The Hacker News | https://thehackernews.com/2026/01/cisa-retires-10-emergency-cybersecurity.html
🗞️ The Record | https://therecord.media/timothy-kosiba-nsa-new-deputy-chief

CrowdStrike Acquires SGNL for Identity Security 🔒

- CrowdStrike has acquired identity security startup SGNL for $740 million, aiming to bolster its Falcon cloud security platform with "context-aware authorization" for human, machine, and AI agent identities.
- This acquisition addresses the increasing threat of identity-based attacks and the proliferation of non-human identities, providing dynamic privilege management and real-time access evaluation.
- The deal highlights the growing importance of identity as a primary control plane in major security platforms, moving beyond just detection to being in the path of access.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/08/crowdstrikes_740m_sgnl_deal_proves/

France-Russia Prisoner Swap Involving Alleged Cybercriminal 🌍

- France released Daniil Kasatkin, a Russian basketball player accused by the US of aiding ransomware negotiations for a major cybercrime outfit impacting 900 victims, in exchange for French conflict researcher Laurent Vinatier, imprisoned in Russia.
- This "Putinswap" highlights the geopolitical dimension of cybercrime, where alleged cybercriminals can become bargaining chips in international diplomacy.
- Kasatkin had been in French custody since June 2025, wanted by US officials for his alleged role in ransomware attacks between 2020 and 2022.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/09/alleged_russian_ransom_payment_negotiator/

#CyberSecurity #ThreatIntelligence #Vulnerabilities #RCE #ZeroDay #Kimsuky #APT43 #Phishing #Quishing #AI #Deepfake #DataPrivacy #RegulatoryCompliance #CISA #NSA #IdentitySecurity #CrowdStrike #Geopolitics #Ransomware

🚨 Kimsuky (APT43) is taking AI-driven cyber-espionage further.
⚠️ Used ChatGPT to forge South Korean military IDs
⚠️ Phishing emails targeted defense institutions
⚠️ Malware enabled data theft + remote access

This case highlights how easily generative AI can be abused to produce convincing forgeries.

💬 Do you think AI safeguards can keep up with nation-state attackers?

Follow @technadu for more infosec insights.

#CyberSecurity #APT43 #Kimsuky #NorthKorea #ChatGPT #AIThreats #Deepfakes #Phishing

Proton Mail suspends email accounts after North Korea hack

Because the author from the PDF magazine Phrack "could cause further damage to their service", Proton Mail suspended several email accounts.

TARNKAPPE.INFO
🌗 : "Inside the Kimsuky leak: how hackers exposed North Korea's credential-theft playbook",
➤ : "The North Korean hackers' 'Kim' leak reveals their sophisticated playbook for stealing South Korean and Taiwanese credentials",
https://dti.domaintools.com/inside-the-kimsuky-leak-how-the-kim-dump-exposed-north-koreas-credential-theft-playbook/
: "A set of data leaked by the North Korean hacker group 'Kim' exposes the latest credential-theft tactics and infrastructure of the Kimsuky (APT43) group. The group focuses on penetrating South Korean and Taiwanese networks and combines Chinese tooling, infrastructure and possibly logistical support. The leaked material includes command-line histories, phishing domains, OCR workflows, compiled loaders and rootkit evidence, showing a mix of North Korean attribution and use of Chinese resources. The incident not only offers new insight into the expansion and targets of Kimsuky's activities, but also suggests these activities may benefit both North Korea and China.",
+ : "This report is really thorough! Seeing the hack
#: "網路安全 #北韓 #Kimsuky #APT43 #釣魚攻擊 #憑證竊取 #惡意軟體 #滲透測試",
Inside the Kimsuky Leak: How the “Kim” Dump Exposed North Korea’s Credential Theft Playbook - DomainTools Investigations | DTI

A rare and revealing breach attributed to a North Korean-affiliated actor, known only as “Kim” as named by the hackers who dumped the data, has delivered a new insight into Kimsuky (APT43) tactics, techniques, and infrastructure. This actor's operational profile showcases credential-focused intrusions targeting South Korean and Taiwanese networks, with a blending of Chinese-language tooling, infrastructure, and possible logistical support. The “Kim” dump, which includes bash histories, phishing domains, OCR workflows, compiled stagers, and rootkit evidence, reflects a hybrid operation situated between DPRK attribution and Chinese resource utilization.

DomainTools Investigations | DTI

Hacktivists take over the computer of a hacker working on behalf of the North Korean government. Behind the scenes of North Korean APT groups

In early 2025, two hackers using the pseudonyms "Saber" and "cyb0rg" (their identities are not known) gained access to infrastructure that stood out for its unusual set of hacking tools. They decided to analyze the contents of the system in detail and track the hacker's actions in order to establish as many details as possible about his activity. TLDR: How did it all...

#WBiegu #Apt43 #Awareness #Chiny #Haktywizm #Kimsuky #Korea #Szpiegostwo

https://sekurak.pl/haktywisci-przejmuja-komputer-hakera-dzialajacego-na-zlecenie-rzadu-korei-polnocnej-kulisy-dzialania-polnocnokoreanskich-grup-apt/


North Korean hackers are running a new cyber-espionage campaign. Diplomatic missions in the crosshairs

Researchers from the Trellix Advanced Research Center have detected a new cyber-espionage campaign aimed at diplomatic missions in various regions of South Korea. From March to July of this year, more than 19 spear-phishing attacks were observed, targeting embassies located around the world. The same APT group is probably behind the attack. The message contents...

#WBiegu #Apt #Apt43 #Awareness #Chiny #Github #Kimsuky #Korea #Szpiegowstwo #Xenorat

https://sekurak.pl/hakerzy-z-korei-polnocnej-prowadza-nowa-kampanie-cyber-szpiegowska-na-celowniku-placowki-dyplomatyczne/


Hackers breach and expose a major North Korean spying operation

Hackers claim to have compromised the computer of a North Korean government hacker and leaked its contents online

"‘Kimsuky’ cooperates with Chinese [government hackers] and shares their tools and techniques."

#NorthKorea #china #Kimsuky #APT #APT43 #Thallium #security #cybersecurity #hackers #hacking #hacked

https://finance.yahoo.com/news/hackers-breach-expose-major-north-173434822.html

Two hackers broke into the computer of a North Korean government hacker and leaked its contents, offering a rare glimpse inside the secretive nation's spying...

Yahoo Finance

What the working day of a #Regierungshacker from #Nordkorea looks like was recently presented at #DefCon in Las Vegas, and it gives interesting insights into the working methods and networks of professional cybercriminals.

Two security researchers succeeded in infiltrating the workstation of an #APT43 #Cybercrime actor. In the resulting report, the sections on the hacking tools used and the procedures followed are particularly worth reading:

https://data.ddosecrets.com/APT%20Down%20-%20The%20North%20Korea%20Files/phrack-apt-down-the-north-korea-files.pdf #cybersecurity