https://lab52.io/blog/plugx-meeting-invitation-via-msbuild-and-gdata/

They switch up how the payload gets delivered to the victim.

#MustangPanda

📢🔍⚠️Chinese-linked Mustang Panda hackers used fake diplomatic briefings to target officials with spyware.

Read: https://hackread.com/chinese-mustang-panda-briefing-spy-diplomat/

#CyberSecurity #China #MustangPanda #CyberAttack #Phishing

quote :
#DreamSecurity 判定這波攻勢是由中國網路間諜組織 #MustangPanda 發動。該組織利用各國的頭條新聞或重要議題作為誘餌，藉此竊取國家機密並潛伏在美國政府機構之中。

#APT

#中國 #駭客 鎖定全球外交官員寄假美國政策檔案　開啟即遭駭入
https://www.cna.com.tw/news/aopl/202602040014.aspx

It's been a busy 24 hours in the cyber world with critical zero-day and n-day vulnerabilities under active exploitation, new threat actor tradecraft, a significant cyberattack on critical infrastructure, and important discussions around data privacy and AI's impact on security. Let's dive in:

Poland's Power Grid Hit by Coordinated Cyberattack ⚡
- A coordinated cyberattack in late December compromised control and communications systems at approximately 30 facilities linked to Poland's distributed energy generation.
- While the attack, attributed to Russia's Sandworm group, didn't cause power outages, it disabled key equipment beyond repair and prevented remote monitoring/control of systems.
- This incident highlights the growing targeting of distributed energy systems, which often have less cybersecurity investment than centralised infrastructure, by sophisticated adversaries.

🗞️ The Record | https://therecord.media/poland-electrical-grid-cyberattack-30-facilities-affected

Mustang Panda Updates CoolClient Backdoor with Infostealers 🐼
- Chinese espionage group Mustang Panda has updated its CoolClient backdoor, now capable of stealing browser login data and monitoring clipboards.
- The new variant, observed targeting government entities in Myanmar, Mongolia, Malaysia, Russia, and Pakistan, was deployed via legitimate Sangfor software, a shift from previous DLL side-loading tactics.
- It features enhanced core functions, a new clipboard monitoring module, active window title tracking, HTTP proxy credential sniffing, and deploys infostealers using hardcoded API tokens for services like Google Drive to evade detection.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/chinese-mustang-panda-hackers-deploy-infostealers-via-coolclient-backdoor/

Fake Python Spellcheckers Deliver RATs on PyPI 🐍
- Two malicious packages, "spellcheckerpy" and "spellcheckpy," were found on PyPI, masquerading as legitimate spellcheckers but delivering a full-featured Python Remote Access Trojan (RAT).
- The payload was cleverly hidden within a Basque language dictionary file, base64-encoded, and triggered upon importing the "SpellChecker" module in versions 1.2.0 and later.
- The RAT downloads from a domain linked to Cloudzy, a hosting provider with a history of serving nation-state groups, and is suspected to be from the same actor behind a similar "spellcheckers" campaign in November 2025.

📰 The Hacker News | https://thehackernews.com/2026/01/fake-python-spellchecker-packages-on-pypi-delivered-hidden-remote-access-trojan.html

'Bizarre Bazaar' Operation Hijacks Exposed LLM Endpoints 🤖
- A new cybercrime campaign, dubbed 'Bizarre Bazaar', is actively targeting exposed Large Language Model (LLM) service endpoints to commercialise unauthorised access to AI infrastructure.
- Attackers exploit misconfigurations like unauthenticated Ollama endpoints (port 11434) and OpenAI-compatible APIs (port 8000) within hours of them appearing on Shodan/Censys.
- This operation involves a criminal supply chain for resource theft (crypto mining), reselling API access on darknet markets, data exfiltration from prompts, and lateral movement into internal systems via Model Context Protocol (MCP) servers.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/hackers-hijack-exposed-llm-endpoints-in-bizarre-bazaar-operation/

Fortinet FortiCloud SSO Zero-Day Under Active Exploitation (CVE-2026-24858) ⚠️
- Fortinet has confirmed a new, actively exploited critical FortiCloud SSO authentication bypass vulnerability (CVE-2026-24858, CVSS 9.4) affecting FortiOS, FortiManager, and FortiAnalyzer.
- Attackers are using FortiCloud accounts and registered devices to log into other customers' devices via FortiCloud SSO, creating rogue admin accounts (e.g., [email protected]) and exfiltrating configurations.
- Fortinet has implemented server-side mitigations by blocking SSO connections from vulnerable firmware versions, and patches are currently in development. Admins should still consider disabling FortiCloud SSO if not strictly necessary and review logs for compromise indicators.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/fortinet-blocks-exploited-forticloud-sso-zero-day-until-patch-is-ready/
📰 The Hacker News | https://thehackernews.com/2026/01/fortinet-patches-cve-2026-24858-after.html
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/28/fortinet_forticloud_vuln/

WinRAR Path Traversal Flaw (CVE-2025-8088) Widely Exploited 🎯
- A six-month-old, high-severity WinRAR path traversal vulnerability (CVE-2025-8088, CVSS 8.8) is under widespread active exploitation by both nation-state actors (Russia, China) and financially motivated cybercriminals.
- The exploit method involves crafting malicious RAR archives that, when opened, silently drop a malicious payload into critical system locations like the Windows Startup folder, often using decoy files and Alternate Data Streams (ADS).
- Google Threat Intelligence Group (GTIG) reports that Russian groups like RomCom, Sandworm, Gamaredon, and Turla are targeting Ukrainian military and government entities, while cybercriminals deploy commodity RATs and infostealers globally. Patching WinRAR to version 7.13 or later is crucial.

🤫 CyberScoop | https://cyberscoop.com/winrar-defect-active-exploits-google-threat-intel/
📰 The Hacker News | https://thehackernews.com/2026/01/google-warns-of-active-exploitation-of.html
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/28/winrar_bug_under_attack/

Critical RCE and Sandbox Escape Flaws in Node.js vm2 and n8n 💻
- A critical sandbox escape vulnerability (CVE-2026-22709, CVSS 9.8) in the Node.js vm2 library allows attackers to run arbitrary code outside the sandboxed environment due to improper Promise handler sanitisation. Update to vm2 version 3.10.3 immediately.
- The n8n workflow automation platform is also affected by two critical vulnerabilities: CVE-2026-1470 (JavaScript AST sandbox escape) and CVE-2026-0863 (Python AST sandbox escape), both leading to full RCE on the main n8n node, even for authenticated non-admin users.
- These flaws highlight the inherent difficulty in safely sandboxing dynamic languages like JavaScript and Python; self-hosted n8n instances should update to versions 1.123.17, 2.4.5, 2.5.1 (for CVE-2026-1470) and 1.123.14, 2.3.5, 2.4.2 (for CVE-2026-0863) respectively.

📰 The Hacker News | https://thehackernews.com/2026/01/critical-vm2-nodejs-flaw-allows-sandbox-escape-and-arbitrary-code-execution.html
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/new-sandbox-escape-flaw-exposes-n8n-instances-to-rce-attacks/

SolarWinds Web Help Desk Plagued by Critical RCE and Auth Bypass Flaws 🛠️
- SolarWinds has released patches for multiple critical vulnerabilities in its Web Help Desk (WHD) software, including authentication bypass flaws (CVE-2025-40552, CVE-2025-40554) and remote code execution (RCE) bugs (CVE-2025-40553, CVE-2025-40551).
- These RCE flaws, stemming from untrusted data deserialisation, can be exploited by unauthenticated attackers to run commands on vulnerable hosts, while authentication bypasses allow remote unauthenticated access.
- Given WHD's widespread use in critical sectors and a history of its vulnerabilities being actively exploited, admins should upgrade to Web Help Desk 2026.1 without delay.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/solarwinds-warns-of-critical-web-help-desk-rce-auth-bypass-flaws/

AI's Impact on Zero-Trust and Data Accuracy 🤖
- Gartner predicts that by 2028, 50% of organisations will adopt a zero-trust data governance posture due to the rise of "unverified AI-generated data," leading to "model collapse" where LLMs degrade by training on their own erroneous outputs.
- This degradation can lead to confident-yet-plausible errors in critical tasks like code reviews and security triaging, eroding guardrails and creating prompt injection opportunities.
- To combat this, organisations need to identify and tag AI-generated data, establish active metadata practices, and filter out synthetic or toxic data from training inputs, treating human-generated data as the "gold standard."

🌑 Dark Reading | https://www.darkreading.com/application-security/ai-death-accuracy-zero-trust

Latin America Becomes Riskiest Region for Cyberattacks 📈
- Latin America and the Caribbean now lead globally in cyberattack frequency, experiencing an average of 3,065 attacks per week last year, a 26% year-over-year increase.
- Attacks are driven by a shift towards data-leak extortion, credential-stealing campaigns, exploitation of edge devices, and increased use of AI by attackers, with ransomware activity expected to accelerate further.
- The region's rapid digitalisation, valuable yet vulnerable industries, and increased interest from major cyber powers (including China-linked espionage) contribute to its elevated risk profile, urging improved ransomware resilience and GenAI governance.

🌑 Dark Reading | https://www.darkreading.com/cyber-risk/surging-cyberattacks-latin-america-riskiest-region

Moltbot AI Assistant Raises Data Security Concerns 🧠
- The viral open-source Moltbot (formerly Clawdbot) AI assistant, popular for local hosting and deep system integration, is raising significant data security concerns due to insecure enterprise deployments.
- Careless configurations, especially behind reverse proxies, often lead to exposed admin interfaces allowing unauthenticated access, credential theft, conversation history leaks, and even root-level command execution.
- Security researchers warn that info-stealing malware will likely adapt to target Moltbot's local storage, stressing the importance of isolating AI instances in virtual machines with strict firewall rules rather than running them directly on host OS with broad permissions.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/viral-moltbot-ai-assistant-raises-concerns-over-data-security/

WhatsApp Rolls Out 'Strict Account Settings' for High-Risk Users 🔒
- Meta's WhatsApp is introducing "Strict Account Settings," a new one-click lockdown mode designed to provide extreme safeguards for high-risk individuals like journalists and public figures against sophisticated cyberattacks, including spyware.
- This feature, found under Settings > Privacy > Advanced, automatically enables two-step verification, blocks media from unknown senders, silences calls from unknown numbers, turns off link previews, and restricts access to profile information.
- The move comes as WhatsApp also transitions to the Rust programming language for media processing to boost security, following past incidents of zero-day exploits and spyware attacks targeting its users.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/27/whatsapp_strict_account_settings_meta_rust/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/whatsapp-gets-new-lockdown-feature-that-blocks-cyberattacks/

FBI Seizes RAMP Cybercrime Forum 🚨
- The FBI has seized the RAMP cybercrime forum, a notorious platform known for openly allowing the promotion of ransomware operations and advertising various malware and hacking services.
- Both the forum's Tor site and clearnet domain (ramp4u.io) now display an FBI seizure notice, indicating law enforcement has likely gained access to significant user data, including emails, IP addresses, and private messages.
- RAMP was launched in July 2021 by "Orange" (later identified as Mikhail Matveev, indicted by the U.S. DOJ for ransomware involvement) after other major Russian-speaking forums banned ransomware promotion, becoming a hub for gangs to recruit affiliates and sell network access.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/fbi-seizes-ramp-cybercrime-forum-used-by-ransomware-gangs/

#CyberSecurity #ThreatIntelligence #Vulnerabilities #ZeroDay #RCE #ActiveExploitation #WinRAR #Fortinet #NodeJS #SolarWinds #ThreatActors #MustangPanda #Malware #RAT #LLMjacking #AI #DataPrivacy #Regulatory #Darknet #Cybercrime #IncidentResponse

Chinese #MustangPanda hackers deploy infostealers via #CoolClient #backdoor

https://www.bleepingcomputer.com/news/security/chinese-mustang-panda-hackers-deploy-infostealers-via-coolclient-backdoor/

#China #infostealer #cybersecurity

📢⚠️ The China-linked notorious Mustang Panda group is using #Venezuela related news lure to deliver #LOTUSLITE backdoor against US govt targets in a cyberespionage campaign.

Read: https://hackread.com/mastang-panda-venezuela-news-lotuslite-malware/

#CyberSecurity #China #MustangPanda #Malware

Alright team, it's been a pretty packed 24 hours in the cyber world! We've got a mix of significant breaches, an actively exploited vulnerability making waves, new insights into nation-state and cybercrime tradecraft, and some interesting discussions around AI security and regulation. Let's dive in:

Recent Cyber Attacks and Breaches ⚠️

Coinbase Insider Threat & Fraud 💸
- An ex-Coinbase customer service agent in India has been arrested for allegedly selling customer data to criminals, leading to social engineering scams and an attempted $20 million extortion against Coinbase.
- The stolen data included names, addresses, phone numbers, emails, IDs, and bank info for nearly 70,000 customers, though no 2FA codes or private keys were compromised.
- This highlights the critical risk of insider threats, especially in outsourced customer service operations, and the ongoing challenge of social engineering attacks targeting crypto users.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/29/indian_cops_cuff_coinbase_exrep/

Coupang Data Breach & Compensation 🛍️
- South Korean retail giant Coupang is set to distribute $1.17 billion in compensation to 33.7 million customers affected by a data breach discovered in November.
- The breach, one of South Korea's largest, was traced to a 43-year-old Chinese former IT employee who retained system access after leaving the company, accessing 33 million accounts and retaining data from about 3,000.
- While the company claims the data was not transferred or further misused, the incident underscores the severe financial and reputational costs of insider threats and poor identity and access management.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/coupang-to-split-117-billion-among-337-million-data-breach-victims/

Korean Telco Femtocell Security Failure 📞
- Korea Telecom (KT) deployed thousands of femtocells with critical security flaws, including shared certificates, no root passwords, plaintext keys, and enabled SSH, leading to micropayment fraud and potential customer communication snooping.
- Attackers cloned femtocells, enabling them to read SMS messages and call logs, with one fake femtocell used for ten months, and a large gang involved in "war-driving" to find more phones.
- This incident exposes severe vulnerabilities in critical infrastructure, suggesting that the $169,000 in micropayment fraud might be a smokescreen for larger-scale surveillance, with one key even linked to a military base.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/30/kt_telecom_femtocell_security_fail/

Cybersecurity Experts Plead Guilty to BlackCat Ransomware Attacks 🚨
- Two former cybersecurity incident response professionals, Ryan Goldberg (Sygnia) and Kevin Martin (DigitalMint), have pleaded guilty to conspiring to obstruct commerce by extortion using BlackCat (ALPHV) ransomware.
- They leveraged their expertise to breach multiple US organisations, demanding ransoms up to $10 million and receiving $1.27 million from one victim, with 20% going to ALPHV administrators.
- This shocking case highlights the severe risk of insider threats within the cybersecurity industry itself and the importance of due diligence when engaging third-party incident response firms.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/us-cybersecurity-experts-plead-guilty-to-blackcat-alphv-ransomware-attacks/
🗞️ The Record | https://therecord.media/ransomware-responders-guilty-plea-using-alphv-blackcat-us-attacks

European Space Agency Confirms External Server Breach 🛰️
- The European Space Agency (ESA) has confirmed a breach of "external servers" containing unclassified information related to collaborative engineering activities, following claims by a threat actor on BreachForums.
- The attackers claim to have stolen over 200GB of data, including source code, CI/CD pipelines, API tokens, and hardcoded credentials, after accessing ESA's JIRA and Bitbucket servers for a week.
- While ESA states the impact is limited to a "very small number of external servers" and unclassified data, the nature of the stolen data (source code, API tokens) suggests potential for further compromise or intellectual property theft.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/european-space-agency-confirms-breach-of-external-servers/

Vulnerabilities Under Active Exploitation 🛡️

MongoBleed (CVE-2025-14847) Under Active Exploitation ⚠️
- A high-severity information-disclosure vulnerability, CVE-2025-14847 (dubbed "MongoBleed"), affecting many default MongoDB versions, is now under active exploitation in the wild.
- The flaw, stemming from mismatched length fields in zlib-compressed protocol headers, allows unauthenticated attackers to leak server memory, potentially exposing sensitive data like credentials, API keys, and PII.
- CISA has added MongoBleed to its Known Exploited Vulnerabilities Catalog, ordering federal agencies to patch by January 19, 2026, with estimates of 74,000 to 87,000 internet-exposed vulnerable instances globally. If immediate patching isn't possible, disabling zlib compression is advised.
🤫 CyberScoop | https://cyberscoop.com/mongobleed-vulnerability-mongodb-exploitation/
🗞️ The Record | https://therecord.media/us-australia-bug-exploitation
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/cisa-orders-federal-agencies-to-patch-mongobleed-flaw-actively-exploited-in-attacks/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/30/mongodb_vuln_exploited_cve_2025_14847/

New Threat Research and Tradecraft 🔬

Mustang Panda Uses Kernel-Mode Rootkit for ToneShell Backdoor 🐼
- The Chinese state-sponsored group Mustang Panda (aka HoneyMyte or Bronze President) is deploying a new variant of its ToneShell backdoor using a previously undocumented kernel-mode rootkit driver.
- This rootkit, signed with a stolen or leaked certificate, registers as a mini-filter driver to evade user-mode monitoring, protect its files and processes, and interfere with Microsoft Defender, giving it high stealth and persistence.
- The evolved TTPs, including dynamic API resolution and network traffic obfuscation, highlight Mustang Panda's increasing sophistication in targeting government organisations in Southeast and East Asia, making memory forensics crucial for detection.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/chinese-state-hackers-use-rootkit-to-hide-toneshell-malware-activity/
📰 The Hacker News | https://thehackernews.com/2025/12/mustang-panda-uses-signed-kernel-driver.html

Silver Fox Targets India with ValleyRAT Malware 🦊
- The Chinese cybercrime group Silver Fox (aka SwimSnake) is now targeting Indian users with tax-themed phishing emails to distribute its modular ValleyRAT (Winos 4.0) remote access trojan.
- The sophisticated kill chain involves DLL hijacking via a legitimate executable (Thunder) and a Donut loader, performing anti-analysis checks before injecting ValleyRAT into explorer.exe.
- Silver Fox also uses SEO poisoning and fake application sites (e.g., Microsoft Teams, Signal) to spread ValleyRAT globally, demonstrating a multi-pronged approach for espionage, financial gain, and intelligence collection.
📰 The Hacker News | https://thehackernews.com/2025/12/silver-fox-targets-indian-users-with-tax-themed-emails-delivering-valleyrat-malware/

Zoom Stealer Browser Extensions Harvest Corporate Meeting Intelligence 🕵️‍♀️
- A campaign dubbed "Zoom Stealer," attributed to the China-linked threat actor DarkSpectre, is affecting 2.2 million Chrome, Firefox, and Edge users through 18 malicious browser extensions.
- These extensions, some functional as video downloaders or recorders, covertly collect sensitive meeting-related data (URLs, IDs, topics, embedded passwords, speaker info) from 28 video-conferencing platforms.
- The exfiltrated data, streamed in real-time, is likely used for corporate espionage, sales intelligence, and large-scale social engineering or impersonation operations, underscoring the need for careful extension permission review.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/zoom-stealer-browser-extensions-harvest-corporate-meeting-intelligence/

Threat Landscape Commentary 🗣️

OpenAI: Prompt Injection May Never Be 'Solved' for Browser Agents 🤖
- OpenAI warns that prompt injection is a central security risk for AI browser agents like ChatGPT Atlas, which operate within a web browser and can carry out tasks for users.
- Internal red-teaming uncovered new complex prompt-injection attacks, leading to a security update with an adversarially trained model and strengthened safeguards.
- The company acknowledges that prompt injection may never be fully mitigated, advising a focus on risk reduction and limiting impact, as content designed to persuade humans can now command AI agents.
🤫 CyberScoop | https://cyberscoop.com/openai-chatgpt-atlas-prompt-injection-browser-agent-security-update-head-of-preparedness/

Regulatory Issues 🏛️

Fragmented AI Regulation Poses Challenges ⚖️
- The rapid, uncoordinated expansion of state-level AI regulations in the US is creating a "patchwork regulatory landscape" that hinders responsible AI development and security.
- Conflicting definitions, compliance, and enforcement approaches across states disproportionately burden small and midsize companies, stifling innovation and allowing larger firms to gravitate towards less stringent rules.
- A unified federal framework is urgently needed to establish clear expectations for transparency, accountability, and responsible innovation, ensuring consistent safeguards and a more secure AI ecosystem.
🤫 CyberScoop | https://cyberscoop.com/ai-regulation-unified-federal-standards-needed-op-ed/

Sponsored Content 📈

Integrating AI into Modern SOC Workflows 📊
- Many SOCs struggle to operationalise AI, often treating it as a shortcut or applying it to ill-defined problems, with 40% using AI/ML tools informally and 42% without customisation.
- AI can reliably enhance SOC capabilities in detection engineering (for narrow, well-defined tasks), threat hunting (for exploration and pattern comparison), code development (for scaffolding), automation (for workflow drafting), and reporting (for standardisation and clarity).
- Successful AI adoption requires clear expectations, ongoing validation, and human accountability, with teams acting as "takers," "shapers," or "makers" to integrate AI effectively into existing workflows.
📰 The Hacker News | https://thehackernews.com/2025/12/how-to-integrate-ai-into-modern-soc.html

#CyberSecurity #ThreatIntelligence #Ransomware #NationState #APT #ZeroDay #Vulnerability #MongoBleed #AI #DataPrivacy #InfoSec #CyberAttack #Malware #IncidentResponse #MustangPanda #SilverFox #DarkSpectre

HoneyMyte aka Mustang Panda is using a signed rootkit to drop the #ToneShell backdoor in ongoing attacks, hiding its activity from security tools and giving attackers remote access to system.

Read: https://hackread.com/honeymyte-mustang-panda-toneshell-backdoor/

#CyberSecurity #HoneyMyte #MustangPanda #Malware