Google-owned Mandiant reported an expansion in extortion-style attacks tied to ShinyHunters that use vishing and fake credential-harvesting sites to steal SSO credentials and MFA codes. The attackers — tracked as UNC6661, UNC6671, and UNC6240 — are targeting cloud SaaS platforms (including Okta, SharePoint, and OneDrive) to exfiltrate sensitive data and extort…
Tag: SSO
A Farsi-speaking threat actor aligned with Iranian state interests has been linked to RedKitten, a campaign that uses Farsi-named XLSM spreadsheets with malicious VBA macros to drop a C# implant via AppDomainManager injection and deploy the SloppyMIO backdoor. SloppyMIO retrieves steganographic configuration from GitHub and Google Drive, uses the Telegram Bot…
The article analyzes CVE-2025-68664 (LangGrinch), a high-severity serialization injection vulnerability in the langchain-core Python package that can enable secret extraction, unintended class instantiation, and malicious side effects via an unescaped reserved lc marker. It outlines mitigation steps—upgrade to patched versions, use Microsoft Defender for Cloud and Defender XDR for discovery and hunting, and integrate Defender workflows with GitHub for faster remediation. #LangGrinch #LangChain
Italian-led law enforcement, supported by Europol, Eurojust and Interpol, seized three industrial-scale illegal IPTV services and dismantled associated infrastructure across 14 countries, identifying 31 suspects and impacting hundreds of thousands of subscribers. The operation, which targeted services retransmitting content from Sky, DAZN, Mediaset, Amazon Prime, Netflix, Paramount and Disney+, coincided with heightened protections for the upcoming Milan Winter Olympics. #IPTVItalia #DarkTV
Microsoft will disable network NTLM authentication by default in upcoming Windows Server and client releases due to long-standing vulnerabilities that enable NTLM relay and pass-the-hash attacks. A three-phase rollout will add enhanced auditing, introduce IAKerb and a Local KDC to reduce NTLM fallback, and ultimately block network NTLM while allowing admins to re-enable it via policy. #NTLM #Kerberos
Illegal cryptocurrency flows reached a record $158 billion in 2025, a 145% increase from 2024 despite the illicit share of on-chain volume dipping slightly to 1.2%. TRM Labs attributes the surge to sanctions-linked activity tied to Russia-associated networks (notably A7 and the A7A5 stablecoin), expanded nation-state use, major hacks including the Bybit breach, and growing scam and laundering sophistication. #Bybit #A7A5
ShinyHunters claims to have stolen over 10 million records from Match Group, including user data tied to Hinge, Match.com, and OkCupid as well as hundreds of internal documents allegedly exposed via AppsFlyer. Match Group says it has terminated unauthorized access and is investigating with external experts, believes a limited amount of…
A December 2025 campaign compromised at least 30 Polish wind and solar farms by exploiting default credentials, lack of multi‑factor authentication, and outdated or misconfigured OT and network devices. CERT Polska attributed the incident to Static Tundra while noting DynoWiper similarities to Sandworm-linked wipers, and reported attackers abused exposed FortiGate VPNs,…
The Android app Hicas (package com.apptool.hicash.newhicash) is distributed as a travel utility but dynamically switches on Indian devices to a fully web-based, coercive loan platform delivered via remote WebView and aggressive UI pressure. Static and dynamic analysis revealed heavy obfuscation, runtime XOR string decryption, contact harvesting, excessive permissions, and remote configuration hosted at in-h5.oss-ap-southeast-1.aliyuncs.com and bksn515.vercel.app, indicating a Chinese-operated loan ecosystem with coercive repayment tactics. #Hicas #hicas.tech
Cyble uncovered ShadowHS, a fileless Linux post‑exploitation framework that uses an encrypted, obfuscated POSIX shell loader to reconstruct and execute a weaponized variant of hackshell entirely in memory. The framework emphasizes stealth and operator-driven control—fingerprinting EDR/AV, enabling covert GSocket-backed rsync exfiltration, credential theft, lateral movement, and on‑demand cryptomining—while leaving no persistent disk artifacts. #ShadowHS #hackshell
Bitdefender researchers uncovered an Android RAT campaign that uses a malicious dropper (TrustBastion) and Hugging Face as a hosting/staging platform to deliver polymorphic APK payloads. The malware abuses Accessibility Services, screen-capture/overlay permissions and fake financial interfaces to steal credentials and exfiltrate data via a C2 at 154.198.48.57. #TrustBastion #HuggingFace…
Attackers compromised a contractor’s mailbox and hijacked an active executive approval thread to deliver a phishing link that led through multi-step redirects and Cloudflare Turnstile gates to an EvilProxy AiTM Microsoft credential‑theft page. ANY.RUN researchers detonated the message in a sandbox, revealed the full execution chain, and linked the incident to…
A joint SentinelLABS and Censys study found an unmanaged, publicly accessible layer of Ollama deployments spanning 175,108 hosts across 130 countries, with a persistent core of roughly 23,000 hosts generating the majority of observed activity. Nearly half of hosts expose tool-calling and multimodal capabilities while the ecosystem converges on a small set of model families and the Q4_K_M 4-bit quantization format, creating a brittle monoculture and governance gaps that complicate attribution and defense. #Ollama #Q4_K_M
Beast, a threat actor, has claimed responsibility for a ransomware attack on Ruskin College in the United Kingdom. Ruskin College Oxford, described as part of the University of West London and dedicated to accessible adult learning with career-oriented courses, is identified as the victim in this claim. #UnitedKingdom
Daily Recap: The day's cybersecurity news shows ongoing exploitation of the WinRAR flaw CVE-2025-8088 by nation-state and criminal groups to drop silent payloads into Windows Startup folders. It also highlights high-severity flaws such as Grist Core RCE in Pyodide, React2Shell deserialization, and a Fortinet FortiOS SSO bypass, among other attacks, underscoring the need for urgent patching and proactive defense. #WinRAR #React2Shell