9th February – Threat Intelligence Report

By: lorenf
9 February 2026 at 13:50

For the latest discoveries in cyber research for the week of 9th February, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • Romania’s national oil pipeline operator, Conpet, has suffered a cyberattack that disrupted its IT systems and took its website offline. The company said operational technology, including pipeline control and telecommunications systems, remained fully functional and oil transport continued without interruption. The attack was claimed by the Qilin ransomware group.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Wins.Qilin.ta.*; Ransomware.Wins.Qilin)

  • La Sapienza University in Rome, one of Europe’s largest universities, has confirmed a cyberattack that prompted it to take down computer systems for three days, with email and workstations partially limited. The website remains offline as the school restores services.
  • The City of New Britain, a municipal government in Connecticut, was hit by a ransomware attack that disrupted internet and phone services for over 48 hours. While emergency services remained operational, it is unclear whether personal data was compromised.
  • Onze-Lieve-Vrouw Instituut (OLV) Pulhof, a secondary school in Berchem, Belgium, has experienced a ransomware attack that escalated into extortion of parents. The attackers reduced their demand from €100,000 to €15,000 and threatened to leak student and staff data or charge parents €50 per child, while the school refused payment and is investigating potential exposure.

AI THREATS

  • Threat actors leveraged exposed credentials from public AWS S3 buckets to launch an AI-assisted intrusion, escalating cloud privileges from ReadOnlyAccess to admin within eight to ten minutes via Lambda code injection and IAM role assumptions. The attack further abused Amazon Bedrock models for LLMjacking and provisioned GPU-based EC2 instances using JupyterLab to exploit resources, pivoting rapidly across 19 AWS principals.
  • Ask Gordon, Docker’s AI assistant, was affected by the critical “DockerDash” vulnerability, allowing Meta Context Injection via Model Context Protocol that treats malicious Docker image LABEL metadata as executable instructions. This enabled remote code execution and data exfiltration in cloud, CLI, and Docker Desktop environments, with mitigations released in Docker Desktop 4.50.0.
  • Bondu, an AI plush toy maker, exposed a web console that allowed anyone with a Google account to access 50,000 chat transcripts with children – revealing names, birth dates, family details, and intimate conversations. Researchers reported the issue, after which Bondu disabled the console and added authentication.

VULNERABILITIES AND PATCHES

  • Ivanti addressed two zero-days in Endpoint Manager Mobile, CVE-2026-1281 and CVE-2026-1340 (CVSS 9.8), exploited for unauthenticated code injection and remote code execution. The flaws affect in-house app distribution and Android file-transfer features, with emergency fixes issued January 29 for on-premises EPMM deployments.

Check Point IPS provides protection against this threat (Ivanti Endpoint Manager Mobile Command Injection (CVE-2026-1281, CVE-2026-1340))

  • Active exploitation of CVE-2025-11953, an OS command injection flaw, was detected in the React Native Community CLI and the Metro development server used by major mobile app projects. This flaw can enable unauthenticated remote code execution, including full shell access on Windows.

Check Point IPS provides protection against this threat (React Native Community CLI Command Injection (CVE-2025-11953))

  • n8n maintainers have released patches for a critical issue allowing authenticated users to run system commands through crafted workflows, risking full server compromise and credential theft. The flaw extends a prior expression-engine bug; fixes are available in versions v1.123.17 and v2.5.2.

THREAT INTELLIGENCE REPORTS

  • Check Point Research observed Amaranth-Dragon, a Chinese-aligned group linked to APT41, conducting espionage against government and law enforcement across Southeast Asia. The threat actor weaponized the WinRAR flaw CVE-2025-8088 within 10 days of its disclosure, geo-fenced its servers to its targets, and introduced TGAmaranth, a Telegram-based remote access tool.

Check Point IPS, Threat Emulation and Harmony Endpoint provide protection against this threat (RARLAB WinRAR Directory Traversal (CVE-2025-8088); Trojan.Win.Amaranth; Trojan.Wins.Amaranth.ta.*; APT.Win.APT41; APT.Wins.APT41.ta.*; Trojan.Wins.APT41.ta.*)

  • Check Point researchers assessed the three most significant financial-sector trends of 2025. DDoS attacks surged 105%, data breaches and leaks rose 73%, and ransomware incidents reached 451 cases with aggressive multi-extortion tactics. Hacktivists drove the DDoS attacks, and ransomware groups like Qilin, Akira, and Cl0p scaled operations via shared tooling and third-party access.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (Ransomware.Wins.Qilin.ta.*; Ransomware.Wins.Qilin; Ransomware.Wins.Akira.ta.*; Ransomware.Wins.Clop; Ransomware.Wins.CLOP.ta.*; Ransomware.Win.Clop)

  • Check Point researchers described a phishing campaign that abused legitimate SaaS notifications from Microsoft, Zoom, Amazon, PayPal, YouTube, and Malwarebytes to drive phone-based scams. The operation sent 133,260 emails to 20,049 organizations, intensifying in recent months as attackers leveraged trusted messages to bypass link-focused defenses and steer targets to attacker-controlled phone numbers.

The post 9th February – Threat Intelligence Report appeared first on Check Point Research.

2nd February – Threat Intelligence Report

By: lorenf
2 February 2026 at 14:35

For the latest discoveries in cyber research for the week of 2nd February, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • MicroWorld Technologies, maker of eScan antivirus, has suffered a supply-chain compromise. Malicious updates were pushed via the legitimate eScan updater, delivering multi-stage malware that establishes persistence, enables remote access, and blocks automatic updates. In response, eScan shut down its global update service for more than eight hours.
  • Crunchbase, a private company intelligence platform, has confirmed a data breach of over 2 million records claimed by the ShinyHunters threat group after a ransom demand was refused. The published files were stolen from its corporate network and include customer names, contact details, partner contracts and other internal documents. Crunchbase said that its operations were not disrupted.
  • The Qilin ransomware group has leaked an alleged database belonging to Tulsa International Airport in Oklahoma. The database includes financial records, internal emails, and employee identification data. The airport authority has not yet confirmed a compromise, and operations reportedly continue.

Check Point Threat Emulation provides protection against this threat (Ransomware.Wins.Qilin.ta.*; Ransomware.Wins.Qilin)

  • The WorldLeaks extortion group has claimed responsibility for a data breach at the sportswear giant Nike. The threat group allegedly exposed samples of 1.4 terabytes of internal data, including documents and archives related to the company’s supply chain and manufacturing operations.

AI THREATS

  • Clawdbot, an open-source AI agent gateway, has more than 900 publicly exposed and often unauthenticated instances, caused by localhost auto-approval behind reverse proxies. The exposure enables credential theft, access to chat histories, and remote code execution.
  • Researchers uncovered RedKitten, a 2026 campaign with LLM-assisted development indicators targeting Iranian activists and NGOs. The campaign uses password-protected Excel lures to deliver SloppyMIO, a C# implant that uses Telegram for C2 and GitHub/Google Drive for payloads, with steganographic configuration, AppDomain Manager injection, and scheduled task persistence.
  • Researchers identified 16 malicious Chrome extensions for ChatGPT that exfiltrate authorization details and session tokens. The extensions inject scripts into the ChatGPT web application to monitor outbound requests, allowing attackers to hijack sessions and access chat histories.
  • Researchers analyzed publicly accessible open-source LLM deployments via Ollama and revealed many with disabled guardrails and exposed system prompts, enabling spam, phishing, disinformation, and other abuse.

VULNERABILITIES AND PATCHES

  • A critical path traversal vulnerability (CVE-2025-8088) in WinRAR is actively exploited by government-backed threat actors linked to Russia and China as well as by financially motivated threat actors. Weaponized archives delivered by phishing force WinRAR to write malware into the Windows Startup folder, enabling automatic execution for ransomware and credential theft. A patch is available in WinRAR 7.13.

Check Point IPS provides protection against this threat (RARLAB WinRAR Directory Traversal (CVE-2025-8088))

  • SmarterTools addressed two critical SmarterMail flaws, including CVE-2026-24423 enabling remote code execution and CVE-2026-23760 allowing unauthenticated admin account takeover. The second flaw is actively exploited, and over 6,000 exposed SmarterMail servers are reportedly vulnerable.

Check Point IPS provides protection against this threat (SmarterTools SmarterMail Remote Code Execution (CVE-2026-24423); SmarterTools SmarterMail Authentication Bypass (CVE-2026-23760))

  • Fortinet has fixed CVE-2026-24858, an authentication bypass in FortiCloud single sign-on which allowed unauthorized access and admin account creation on downstream devices. The flaw carries a CVSS score of 9.4 and is actively exploited via FortiCloud SSO.

THREAT INTELLIGENCE REPORTS

  • Check Point Research has published the 2026 Cyber Security Report, highlighting AI as a force multiplier across attacks, fragmentation in ransomware with data-only extortion, and multi-channel social engineering attacks. It maps threat activity to geopolitics and identity-driven attack paths, quantifies risky AI usage, and provides sector and regional breakouts.
  • Polish CERT detailed coordinated destructive attacks on Polish energy and manufacturing sectors, attributed to Static Tundra, using FortiGate SSL VPN access. The attackers conducted reconnaissance, firmware damage, lateral movement, and deployed DynoWiper and LazyWiper that corrupt files.
  • Researchers have uncovered renewed Matanbuchus downloader campaigns using Microsoft Installer files disguised as legitimate installers, with frequent component changes to evade antivirus and machine learning detection. In many cases, the loader is used for further ransomware deployment.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Trojan-Downloader.Wins.Matanbuchus.ta.*; Trojan-Downloader.Wins.Matanbuchus; Trojan-Downloader.Win.Matanbuchus)

  • Researchers have identified PyRAT, a Python-based cross-platform RAT for Windows and Linux, using unencrypted HTTP POST C2, fingerprinting victims, and exfiltrating files and screenshots. Persistence uses a deceptive autostart entry on Linux and a user Run key on Windows, with semi-persistent identifiers.
  • Researchers have found an Android campaign distributing a RAT via fake security alerts installing TrustBastion, which retrieves a second-stage payload from Hugging Face. The malware abuses Accessibility Services, deploys credential-stealing overlays, and uses server-side polymorphism to regenerate payloads every 15 minutes.


26th January – Threat Intelligence Report

By: lorenf
26 January 2026 at 14:35

For the latest discoveries in cyber research for the week of 26th January, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • The RansomHub ransomware group has claimed responsibility for a cyber-attack on Luxshare, an electronics manufacturer supplying Apple, Nvidia, LG, Tesla, and others. The threat actors claimed access to 3D CAD models, circuit board designs, and engineering documentation. The company has not yet confirmed the breach.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (Ransomware.Wins.Ransomhub.ta.*; Ransomware.Win.RansomHub)

  • A dark-web threat actor has leaked an alleged database belonging to Under Armour, a US sportswear company, affecting 72 million customer records following a November ransomware attack. The claimed exposed data includes names, email addresses, genders, dates of birth, and addresses.
  • Raaga, an India-based music streaming platform, has experienced a data breach involving 10.2 million user records, reportedly exfiltrated in December and later advertised on criminal forums. Exposed details include names, emails, demographics, locations, and passwords stored with unsalted MD5 hashes, raising credential stuffing and phishing risks.
  • Germany’s Dresden State Art Collections (SKD), one of Europe’s oldest museum networks, has confirmed a cyberattack that resulted in widespread disruption to its digital infrastructure and communications. The incident disabled online ticket sales, visitor services, and the museum shop, forced on-site payments to cash-only, and limited digital and phone services, with no indication of data theft or exposure reported.

AI THREATS

  • Researchers discovered an indirect prompt-injection flaw in Gemini’s Google Calendar assistant that bypassed Calendar privacy controls via a malicious invite description. Gemini used Calendar.create to place summaries of the victim’s meetings into a new event readable by the attacker.
  • Researchers uncovered a web attack technique in which hidden prompts in benign pages call an LLM API to generate polymorphic malicious JavaScript at runtime. This enables phishing and credential theft while evading signature-based detection and network filtering by leveraging AI service domains.
  • Advanced language models such as GPT-5.2 and Opus 4.5 were observed generating working exploits for a previously unknown zero-day vulnerability in QuickJS, a JavaScript interpreter, including in hardened environments where automated systems can produce functional attack code with little to no human intervention. Across six different configurations, the systems produced over 40 distinct exploits.

VULNERABILITIES AND PATCHES

  • Three high-severity vulnerabilities (CVE-2025-68143, CVE-2025-68144, CVE-2025-68145) were disclosed in mcp-server-git, Anthropic’s Git MCP server, enabling path traversal and argument injection exploitable via prompt injection to read or delete files and achieve remote code execution. Fixes are available in versions 2025.9.25 and 2025.12.18.
  • Zoom has fixed CVE-2026-22844, a critical command injection flaw in Zoom Node Multimedia Routers, used in Meeting Connector and Meetings Hybrid deployments. It enables remote code execution by a meeting participant in versions before 5.2.1716.0, with no confirmed in-the-wild exploitation.
  • Fortinet has confirmed active exploitation of a FortiCloud SSO auth bypass on fully patched FortiGate firewalls, tied to CVE-2025-59718 and CVE-2025-59719. Attackers are logging in via crafted SAML messages, creating persistent accounts, enabling VPN access, and extracting firewall configurations.

THREAT INTELLIGENCE REPORTS

  • Check Point Research revealed that VoidLink, a recently exposed cloud-native Linux malware framework, is authored almost entirely by AI, likely under the direction of a single individual. The malware was produced predominantly through AI-driven development, reaching the first functional implant in under a week. From a methodology perspective, the actor used the model beyond coding, adopting an approach called Spec Driven Development (SDD).
  • Check Point Research identified an ongoing phishing campaign associated with KONNI, a North Korean–linked threat actor active since at least 2014. The campaign targets software developers and engineering teams across the Asia-Pacific region, including Japan, Australia, and India, using blockchain-themed lures to prompt interaction and deliver malicious content. In observed activity, the threat actor deploys AI-generated PowerShell backdoors that establish persistence, steal credentials, and enable infiltration of development environments.
  • Check Point researchers describe a Microsoft Teams phishing campaign abusing guest invitations and finance-themed team names to mimic billing notices. More than 12K emails were observed hitting 6,135 users via invite emails with obfuscated text. The campaign targeted US-based organizations across manufacturing, technology, and education.
  • Researchers revealed a new ransomware family, Osiris, that blends legitimate Windows tools with custom malware to infiltrate networks and deploy encryption. The operators use a custom malicious driver, Poortry, masquerading as Malwarebytes to disable security software, and exfiltrated data with Rclone to Wasabi buckets before encryption.
  • Researchers identified a North Korean spear-phishing campaign targeting South Korea that abuses Microsoft Visual Studio Code tunnels for remote access. JSE files masquerading as Hangul documents start the infection chain and grant attackers terminal and file access using living-off-the-land techniques.


12th January – Threat Intelligence Report

By: lorenf
12 January 2026 at 11:07

For the latest discoveries in cyber research for the week of 12th January, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • Manage My Health, New Zealand’s largest patient portal, has acknowledged a cyberattack that occurred in December 2025 and potentially exposed data of nearly 110K users. An alleged attacker, dubbed Kazu, claimed responsibility and demanded a $60,000 ransom.
  • France’s Office for Immigration and Integration has confirmed data theft via a third-party operator after a hacker posted samples online. The exposed records include names, contact details, entry dates, and reasons for stay for foreign residents.
  • Ledger, a global crypto hardware wallet maker, has disclosed a breach at e-commerce partner Global-e exposing customer contact and order details. Attackers launched phishing lures impersonating both firms to harvest wallet data. Ledger said wallets and seed phrases were unaffected, but targeted scams increased.
  • Brightspeed, a giant US fiber broadband provider, was claimed as a breach victim by the Crimson Collective extortion gang. The intrusion allegedly exposed sensitive information belonging to over 1 million customers; however, the company has not yet confirmed the incident.
  • Dartmouth College, in the US, has disclosed that an August attack exploiting Oracle E-Business Suite exposed personal information of over 40,000 people. Leaked data includes Social Security numbers and bank account information. Reports attribute the intrusion to the Clop ransomware group.

Check Point IPS, Threat Emulation and Harmony Endpoint provide protection against this threat (Oracle Multiple Products Remote Code Execution (CVE-2025-61882, CVE-2025-61884); Ransomware.Win.Clop; Ransomware.Wins.Clop; Ransomware.Wins.Clop.ta.*)

  • JBS Mental Health Authority, a regional US nonprofit, has experienced a ransomware attack in late December. The organization was listed by the Medusa ransomware group, which claims it stole 168.6GB of data, including sensitive client records and internal operational information.

Check Point Threat Emulation provides protection against this threat (Ransomware.Wins.Medusa)

  • Prosura, an Australia and New Zealand car rental insurance provider, has reported a data breach that resulted from unauthorized access to parts of its systems. The attacker allegedly exposed driver licenses and policy documents. Prosura paused online self-service and said payment card data is not stored in its systems.
  • Free Speech Union, a UK membership organization, has experienced a data breach after activist group Bash Back compromised its website and posted transaction details online. Records for thousands of donations were leaked, including amounts and comments. The organization took its site offline as a precaution.

VULNERABILITIES AND PATCHES

  • SmarterTools fixed CVE-2025-52691, a critical pre-auth remote code execution flaw with a CVSS score of 10.0. Successful exploitation allows an attacker to upload files and write to web-accessible paths, potentially resulting in full server compromise.

Check Point IPS provides protection against this threat (SmarterMail Arbitrary File Upload (CVE-2025-52691))

  • A patch was released for CVE-2025-64496, a vulnerability in Open WebUI, a self-hosted interface for AI models, enabling code injection via the Direct Connection feature and potential remote code execution. Versions through 0.6.34 are affected.
  • Cisco has addressed CVE-2026-20029, a medium-severity flaw in Identity Services Engine and ISE-PIC, which allows administrators to access sensitive files via improper XML parsing. Exploitation of the flaw requires valid admin credentials.

THREAT INTELLIGENCE REPORTS

  • Check Point Research observed GoBruteforcer, a modular Go botnet brute-forcing Linux servers running phpMyAdmin, MySQL, PostgreSQL and FTP. Campaigns exploit AI-generated server deployments that propagate common usernames and weak defaults. The botnet converts hosts into scanners and credential harvesters, with crypto-focused runs stealing funds and expanding access through backdoors and IRC-based control.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat

  • Check Point researchers identified the OPCOPRO “Truman Show” investment scam, which industrializes social engineering via WhatsApp and Telegram. Apps from official stores serve as interfaces to attacker servers, fabricating balances and trades, harvesting KYC documents, and driving identity theft and deposits.

Check Point Harmony Endpoint provides protection against this threat

  • Researchers analyzed LockBit 5.0 ransomware, detailing ChaCha20-Poly1305 file encryption, X25519 with BLAKE2b key exchange, termination of VSS and backup services, and Temp directory cleanup. LockBit 5.0 uses custom random extensions per execution, excludes system files, supports Stealbit exfiltration, and drops a ransom note threatening data leakage.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (Ransomware.Wins.Lockbit; Ransomware.Wins.Lockbit.ta.*; Ransomware.Win.LockBit; Gen.Win.Crypter.Lockbit)

  • Researchers uncovered PHALT#BLYX, an ongoing campaign that targets European hospitality via Booking.com-themed phishing and ClickFix-style fake BSOD/captcha lures that prompt PowerShell execution. The chain aims for credential theft and privilege elevation.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (RAT.Wins.Dcrat; RAT.Win.DCRat; InfoStealer.Wins.DcRat)


29th December – Threat Intelligence Report

By: lorenf
29 December 2025 at 12:33

For the latest discoveries in cyber research for the week of 29th December, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • Romanian Waters, the country’s national water management authority, was hit by a ransomware attack that resulted in nearly 1,000 computer systems across national and regional offices being encrypted. The attack affected geographic information systems, databases, email, web servers, and Windows workstations. Operational technology controlling water infrastructure was not impacted, and no data leakage has been reported, but key IT services were disrupted across the organization.
  • France’s postal service La Poste has suffered a cyber-attack that disrupted key digital systems, impacting online parcel tracking, mail distribution, and banking services for customers of both the postal service and La Banque Postale. Some services were temporarily unavailable, with no evidence of data compromise. The attack was claimed by the pro-Russian hacktivist group NoName057(16).
  • Insurance giant Aflac has confirmed a data breach it experienced in June that resulted in the theft of sensitive files containing insurance claims, health data and Social Security numbers. The breach affected personal details of approximately 22.7 million individuals in its US business. The attack has been attributed to the Scattered Spider threat group.

Check Point Harmony Endpoint provides protection against this threat.

  • Japan’s leading carmaker Nissan Motor Corporation has acknowledged a data breach that resulted in the exposure of personal information for approximately 21,000 customers from Nissan Fukuoka Sales Corporation including names, addresses, phone numbers, email addresses, and sales operation data. The incident occurred after unauthorized access to Red Hat data servers led to the leak, but financial data was not affected. The Crimson Collective threat actor claimed responsibility for the initial breach, with ShinyHunters later hosting samples of the stolen data.
  • Trust Wallet, a popular non-custodial cryptocurrency wallet, has disclosed a cyber-attack involving a compromised Chrome extension update. The attack exfiltrated sensitive wallet data, including seed phrases, to a malicious domain, resulting in at least $7 million in losses. The incident primarily affected users of Chrome extension version 2.68.0, allowing attackers to drain wallets.
  • Ubisoft’s live service game Rainbow Six Siege (R6) has confirmed a cyber-attack in which threat actors abused internal systems to manipulate bans, unlock all cosmetics and developer-only skins, and distribute around $13.33 million worth of in-game currency worldwide.
  • Baker University has encountered a data breach in which attackers accessed its network and stole sensitive information belonging to 53,624 students, alumni, staff, and affiliates of the university, such as names, Social Security numbers, financial account details, and medical records.

VULNERABILITIES AND PATCHES

  • A high-severity memory-read vulnerability, CVE-2025-14847, dubbed “MongoBleed” has been identified in multiple MongoDB Server versions, allowing unauthenticated remote attackers to exploit a zlib implementation flaw and potentially access uninitialized heap memory. The issue, caused by improper handling of length parameter inconsistency (CWE-130), may permit arbitrary code execution and system compromise. Affected versions include MongoDB 4.0 through 8.2.3.
  • Details on a critical serialization injection vulnerability in LangChain Core were disclosed. CVE-2025-68664 (CVSS 9.3) affects langchain-core, where unescaped user-controlled dictionaries with lc keys are treated as trusted objects during deserialization, enabling secret extraction, prompt injection, and potentially arbitrary code execution.
  • A critical buffer overflow vulnerability, CVE-2025-68615, in Net-SNMP’s snmptrapd daemon can be triggered remotely via a specially crafted packet. The issue has a CVSS score of 9.8 and may allow unauthenticated attackers to achieve remote code execution or cause service crashes. Patches are available, and the vulnerability is addressed in Net-SNMP versions 5.9.5 and 5.10.pre2.

THREAT INTELLIGENCE REPORTS

  • Check Point researchers describe a phishing campaign in which attackers abused Google Cloud Application Integration’s “Send Email” workflow to send over 9,000 spoofed Google notification emails from a Google address. The messages targeted the manufacturing, technology, and finance sectors and used multi-step redirection through Google domains to lead victims to a Microsoft-themed credential harvesting site. Most victims were located in the US, Asia-Pacific, and Europe.
  • Researchers uncovered a two-year Evasive Panda campaign using adversary-in-the-middle DNS poisoning to deliver MgBot via fake updaters and stealthy loaders. The chain used multi-stage shellcode, hybrid encryption, and DLL sideloading to run MgBot in memory, with victim-specific payloads tied to machines via DPAPI and RC5. Attackers poisoned legitimate domains, injected into signed system processes for persistence, and updated configs with hardcoded C2s.

Check Point Harmony Endpoint provides protection against this threat (Infostealer.Win.MgBot)

  • A Webrat campaign leveraged fake GitHub repositories masquerading as exploit and proof-of-concept code for high-severity CVEs, targeting gamers, students, and inexperienced security researchers. The attack uses droppers to elevate privileges, disable Windows Defender, and deploy the Webrat backdoor, enabling remote control, credential theft, keylogging, and device surveillance.
  • Researchers found lotusbail, a malicious npm package masquerading as a WhatsApp Web API library that intercepts messages and steals session/auth data, contacts, and media via WebSocket tampering and device-pairing hijack. Separately, 14 malicious NuGet packages were found redirecting crypto funds and stealing Google Ads OAuth tokens.


22nd December – Threat Intelligence Report

By: lorenf
22 December 2025 at 13:39

For the latest discoveries in cyber research for the week of 22nd December, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • Adult content platform Pornhub has disclosed a data breach linked to analytics provider Mixpanel. The breach exposed more than 200 million records related to Premium users, including email addresses, search, watch, and download histories, locations, and associated video details collected prior to 2021. Pornhub stated that no passwords, payment information, or government-issued IDs were compromised. OpenAI also acknowledged a related incident caused by the compromise of Mixpanel. The breach has been attributed to the ShinyHunters extortion group.
  • SoundCloud, an online audio streaming platform, has confirmed a cyber attack that resulted in threat actors gaining unauthorized access to a database containing users’ email addresses and public profile information. The breach affected approximately 20% of SoundCloud’s users, which might impact 28 million accounts, and caused outages and VPN connection issues. The ShinyHunters extortion gang has claimed responsibility for this attack.
  • Autoparts giant LKQ has acknowledged a cyberattack tied to the Oracle E-Business Suite compromise. The company said personal data of over 9,070 people, including Employer Identification Numbers and Social Security numbers, was exposed.

Check Point IPS provides protection against this threat (Oracle Multiple Products Remote Code Execution)

  • DXS International, a British NHS technology supplier, has encountered a cyber-attack on December 14th that resulted in unauthorized access to its internal office servers, affecting internal systems but not disrupting clinical services. It remains unclear whether NHS patient data was compromised.
  • The University of Sydney has suffered a data breach that resulted in hackers gaining access to an online coding repository and stealing files containing personal information of staff and students. Over 27,000 individuals were affected, including names, dates of birth, phone numbers, home addresses, and job details for current and former staff, students, alumni, and affiliates.
  • Petróleos de Venezuela (PDVSA), Venezuela’s state oil company, has experienced a cyberattack that resulted in disruptions to its export operations and offline systems managing the country’s main crude terminal. The incident affected administrative and operational network systems, leading to a halt in cargo deliveries. The scope of data or user information compromised has not been disclosed.
  • Denmark’s water utility has experienced a cyberattack that disrupted critical water infrastructure systems. The attack impacted operational control systems supporting essential services and forms part of a broader campaign of attacks targeting Denmark’s critical infrastructure and electoral environment. The Danish Defence Intelligence Service attributed the incident to the Russia-affiliated group Z-Pentest.

VULNERABILITIES AND PATCHES

  • A critical vulnerability with a CVSS score of 10.0 was disclosed in HPE OneView software. The flaw, CVE-2025-37164, allows unauthenticated remote code execution and affects all versions prior to 11.00, including versions 5.20 through 10.20. Successful exploitation could enable a remote attacker to execute arbitrary code on affected centralized IT infrastructure management systems.

Check Point IPS provides protection against this threat (HPE OneView Remote Code Execution (CVE-2025-37164))

  • A critical remote code execution vulnerability, CVE-2025-14733, in WatchGuard Firebox firewalls running Fireware OS 11.x and later is being actively exploited. The out-of-bounds write flaw enables unauthenticated remote code execution, without user interaction, on unpatched devices using IKEv2.
  • Researchers spotted active exploitation of CVE-2025-59718 and CVE-2025-59719, critical authentication bypass flaws in Fortinet FortiGate, FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. Attackers can log in without credentials and export full device configurations, exposing stored passwords to offline cracking.

THREAT INTELLIGENCE REPORTS

  • Check Point Research revealed a sophisticated wave of attacks attributed to the Chinese threat actor Ink Dragon, which targets European governments while continuing campaigns in Southeast Asia and South America. The threat actor converts compromised IIS servers into relay nodes with ShadowPad, exploits predictable configuration keys for access, and deploys a new FinalDraft backdoor for exfiltration and lateral movement.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat

  • Check Point Research analyzed GachiLoader, a Node.js–based malware loader observed in a campaign linked to the YouTube Ghost Network. The campaign is notable for extensive obfuscation and a previously undocumented PE injection technique. GachiLoader deploys a second-stage loader, Kidkadi, which abuses Vectored Exception Handling (VEH) in a novel method, dubbed Vectored Overloading, to load its malicious payload.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat

  • Check Point Research noticed a surge in darknet campaigns recruiting insiders at banks, crypto exchanges, telecoms, and major tech firms to sell access and data. Listings advertise payouts of $3,000 to $15,000, offer datasets such as 37 million records for $25,000, and solicit telecom staff for SIM swapping to bypass two-factor authentication.
  • Check Point researchers reported on a global surge in AI-driven holiday scams across phishing, fake retail sites, and social media giveaways. They recorded 33,502 phishing emails in two weeks and over 10,000 daily ads impersonating delivery brands like Royal Mail, FedEx, UPS and DPD, while AI chatbots help fraudulent stores appear credible.

The post 22nd December – Threat Intelligence Report appeared first on Check Point Research.

8th December – Threat Intelligence Report

By: lorenf
8 December 2025 at 14:07

For the latest discoveries in cyber research for the week of 8th December, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • The University of Pennsylvania and the University of Phoenix were hit by data breaches after attackers exploited zero-day vulnerabilities in Oracle E-Business Suite servers. At least 1,488 people at UPenn and numerous students, alumni, donors, staff, faculty, employees, and suppliers at Phoenix were impacted. The Cl0p ransomware gang is likely responsible, as part of a broader campaign.

Check Point IPS, Threat Emulation and Harmony Endpoint provide protection against this threat (Oracle Multiple Products Remote Code Execution; Ransomware.Win.Clop; Ransomware.Wins.Clop; Ransomware.Wins.Clop.ta.*)

  • Financial software provider Marquis Software Solutions has disclosed a data breach that impacted over 74 banks and credit unions across the US and exposed sensitive data of more than 400,000 customers. The Akira ransomware gang is possibly responsible for the attack, which exploited vulnerabilities in SonicWall firewalls to gain network access.

Check Point Threat Emulation provides protection against this threat (Ransomware.Wins.Akira.ta.*; Ransomware.Wins.Akira)

  • American pharmaceutical firm Inotiv has reported a ransomware attack that occurred in August 2025. The Qilin ransomware group claimed responsibility, leaking personal information of over 9,500 individuals, including current and former employees and their family members.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat

  • South Korean retail giant Coupang has confirmed a data breach that resulted in the exposure of personal information belonging to nearly 34 million clients, including full names, phone numbers, email addresses, and more. No payment details or account passwords were leaked in the incident.
  • SmartTube, a YouTube app for Android TV, has been targeted in an attack that compromised its developer signing keys and distributed a malicious update containing hidden malware. The incident impacted users of Android TV, Fire TV Stick, and similar devices.
  • Belgian postal and package delivery service Bpost has suffered a data breach in which 5,140 files totaling about 30.46GB were exfiltrated from a third-party exchange platform. The stolen data reportedly includes personal and business information of some customers of the affected department. The ransomware group TridentLocker has claimed responsibility for the attack.
  • Canadian wireless telecommunications provider Freedom Mobile has experienced a data breach in which attackers gained unauthorized access to its customer account management platform and stole personal information, including names, addresses, dates of birth, phone numbers, and account numbers. The company has not disclosed the exact number of affected customers.

VULNERABILITIES AND PATCHES

  • Check Point has elaborated on the critical React2Shell vulnerability, CVE-2025-55182, that affects React 19.x and related server-side frameworks such as Next.js 15.x/16.x. The vulnerability enables unauthenticated remote code execution via malicious HTTP requests targeting the server’s decoding process. Exploitation allows attackers to gain full control over application servers, intercept sensitive data, inject false transactions, and potentially pivot deeper into enterprise environments.

Check Point IPS provides protection against this threat (React Server Components Remote Code Execution (CVE-2025-55182))

  • Check Point Research revealed a vulnerability in OpenAI Codex CLI that allowed attackers to achieve remote code execution via malicious project-local configuration files (MCP entries) executed without user prompts. OpenAI released a patch in version 0.23.0 to address the automatic execution risk.
  • Check Point Research shared details of a critical exploit in Yearn Finance’s yETH pool, where an attacker abused a smart contract flaw to mint trillions of tokens with a minuscule deposit, resulting in the theft of approximately $9 million in assets from the Ethereum-based DeFi protocol.

THREAT INTELLIGENCE REPORTS

  • Check Point summarizes a multiyear Salt Typhoon cyber-espionage campaign that compromised 80 telecom providers worldwide and a US state Army National Guard network, chaining SIM-based credential theft, network scans, Ivanti/PAN-OS/Cisco CVEs and abuse of GTP/GTPDOOR to exfiltrate sensitive communications and configuration data.
  • US and Canadian cybersecurity agencies outlined BRICKSTORM, a stealthy backdoor used by China-affiliated hackers to infiltrate VMware vSphere environments and maintain long-term access. The campaign targeted government services and IT, stealing credentials via VM snapshots and creating hidden machines.
  • The ShadyPanda threat actor ran a seven-year campaign weaponizing verified Chrome and Edge extensions to infect over 4.3 million devices with spyware for remote code execution, payload delivery, traffic redirection, credential and cookie theft, browser fingerprinting, HTTPS credential interception, and behavioral biometrics exfiltration.
  • Researchers identified a campaign weaponizing Velociraptor, a digital forensics tool, to establish stealthy command channels and maintain persistence in enterprise environments. Attackers exploited SharePoint’s “ToolShell” chain using CVE-2025-49706 and CVE-2025-49704, linked to Storm-2603, and in confirmed cases delivered Warlock ransomware.
  • Albiriox, a new Android banking trojan sold as Malware-as-a-Service (MaaS), targets over 400 financial and crypto apps using VNC-style remote control, accessibility abuse, overlays, and black-screen masking for on-device fraud. The malware is spread via smishing, WhatsApp lures, and fake apps with droppers, and communicates over unencrypted TCP C2 channels using structured JSON messages.

The post 8th December – Threat Intelligence Report appeared first on Check Point Research.

1st December – Threat Intelligence Report

By: lorenf
1 December 2025 at 10:03

For the latest discoveries in cyber research for the week of 1st December, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • OpenAI has experienced a data breach resulting from a compromise at third-party analytics provider Mixpanel, which exposed limited information of some ChatGPT API clients. The leaked data includes names, email addresses, approximate location, operating system, browser information, referring websites, and organization or user IDs. No sensitive credentials or API keys were exposed.
  • Dartmouth College, a private Ivy League research university in New Hampshire, has been the victim of a data breach that resulted in the theft of personal information, including names, Social Security numbers and financial details, from its Oracle E-Business Suite servers. The Cl0p extortion gang was responsible, exploiting a zero-day vulnerability as part of a broader campaign. Other targets, including Harvard University and Envoy Air, had sensitive data exposed via dark web and torrent sites.

Check Point IPS, Threat Emulation and Harmony Endpoint provide protection against this threat (Oracle Concurrent Processing Remote Code Execution; Ransomware.Win.Clop; Ransomware.Wins.Clop; Ransomware.Wins.Clop.ta.*)

  • Crisis24, a leader in crisis and risk management, was hit by a cyberattack on its OnSolve CodeRED emergency alert platform that caused widespread disruption of notification systems nationwide and the theft of user data. Leaked information includes names, addresses, email addresses, phone numbers, and clear-text passwords, affecting state and local governments, public safety agencies, and residents across the US. The INC Ransomware gang has claimed responsibility for the attack and is offering the stolen data for sale.

Check Point Threat Emulation provides protection against this threat (Ransomware.Wins.INC)

  • Major American investment advisory provider SitusAMC has confirmed a data breach that compromised corporate data associated with client relationships, including accounting records, legal agreements, and potentially customer data. The breach impacted an undisclosed number of clients and customers, likely including the largest banks and financial institutions in the US, with no information yet provided on the amount or exact type of data leaked.
  • Russian postal operator Donbas Post has suffered a cyberattack that disrupted its corporate network, web platform, and email systems, destroying over 1,000 workstations, 100 virtual machines, and several dozen terabytes of data, and forcing the suspension of services at postal branches and the call center. The Ukrainian Cyber Alliance has claimed responsibility.
  • The French Football Federation (FFF) has suffered a data breach that resulted in unauthorized access to administrative management software and theft of personal and contact information from members of French football clubs. Exposed data includes names, email addresses, and more.

VULNERABILITIES AND PATCHES

  • A new Mirai-based botnet, ShadowV2, was observed exploiting multiple known vulnerabilities (including CVE-2024-10914, CVE-2024-10915, and CVE-2024-53375) in IoT devices to gain control and launch distributed denial-of-service (DDoS) attacks. The botnet leveraged command injection and other flaws in routers, NAS devices, and DVRs across global sectors.

Check Point IPS provides protection against this threat (D-Link DNS NAS Devices Command Injection (CVE-2024-10914); D-Link DNS Series Command Injection; TP-Link Archer AXE75 Command Injection (CVE-2024-53375))

  • A security researcher uncovered more than 17,000 exposed credentials during a scan of 5.6 million public GitLab repositories, including API keys, passwords, and access tokens associated with over 2,800 domains. Many of these credentials – primarily Google Cloud, MongoDB, Telegram, and OpenAI keys – remain active. While most were leaked after 2018, some valid keys date back to 2009.
  • A patch was released for a critical authentication bypass vulnerability (CVE-2025-59366) in ASUS routers with AiCloud enabled, which allows remote attackers to exploit chained path traversal and OS command injection flaws for unauthorized function execution. Successful exploitation does not require user interaction and could result in attackers gaining control over vulnerable devices.

THREAT INTELLIGENCE REPORTS

  • Check Point researchers analyzed the Shai-Hulud 2.0 npm supply chain campaign that compromised over 600 npm packages and 25,000 GitHub repositories. Malicious preinstall scripts stole developer and multi-cloud credentials, exfiltrated them to attacker GitHub repos, registered infected hosts as self-hosted runners, and used the stolen tokens for worm-like propagation across npm and GitHub.

Check Point Threat Emulation provides protection against this threat (Trojan.Wins.ShaiHulud.ta.*)

  • Check Point researchers uncovered GhostAd, a large-scale Android adware campaign where at least 15 Google Play applications with millions of installs abuse foreground services, blank notifications, JobScheduler, and ad SDKs to run persistent background ads and drain device resources. These applications also use background execution and storage permissions to persist, hide, and silently exfiltrate external-storage files, including corporate documents, to attacker infrastructure.
  • Check Point outlines the cyber risks expected in 2026, including converging agentic AI, quantum computing, and Web 4.0. The blog describes 12 trends: autonomous AI operations, digital-twin/XR environments, LLM-native attacks, deepfake fraud, quantum “harvest-now, decrypt-later” exposure, data-pressure ransomware, and expanding supply-chain, SaaS, and identity threats.
  • Researchers detailed HashJack, an indirect prompt injection technique that embeds malicious instructions in elements like URL fragments or emails to manipulate AI browser assistants – including Comet, Copilot for Edge, and Gemini for Chrome. This method enables threat actors to trigger phishing, misinformation, data exfiltration, and credential theft, exploiting LLMs’ inability to distinguish instructions from legitimate data.

The post 1st December – Threat Intelligence Report appeared first on Check Point Research.

24th November – Threat Intelligence Report

By: lorenf
24 November 2025 at 11:51

For the latest discoveries in cyber research for the week of 24th November, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • The notorious “Scattered LAPSUS$ Hunters” group claimed responsibility for a supply-chain attack involving the Salesforce-integrated platform Gainsight. The group stated that data from 300 organizations was compromised, including Verizon, GitLab and Atlassian. Salesforce has confirmed unusual activity related to Gainsight integrations and has revoked all active access tokens as a precaution, emphasizing that there is no vulnerability in Salesforce’s core platform.
  • Eurofiber France SAS, the French unit of Dutch telecommunications provider Eurofiber Group N.V., has been the victim of a data breach. The attack resulted in unauthorized access to its French ticket management system and exfiltration of customer information from its cloud division and regional sub-brands. A threat actor known as “ByteToBreach” claimed responsibility for the attack.
  • Italian IT provider Almaviva has confirmed a cyberattack, with stolen data including information from Ferrovie dello Stato Italiane, Italy’s national railway operator. Nearly 2.3 TB of sensitive files were leaked, including passenger passport data, employee records across FS subsidiaries, defense-related contracts, and financial documents. Almaviva says critical services remain operational.
  • South Korean battery giant LG Energy Solution has experienced a ransomware attack at a single overseas facility, which the company says has been restored, with headquarters unaffected. The Akira gang claimed to have stolen 1.7 terabytes of data.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (Ransomware.Wins.Akira.ta.*; Ransomware.Wins.Akira; Trojan.Win.Akira)

  • Microsoft’s Azure cloud was hit by a massive 15.72 Tbps distributed denial-of-service (DDoS) attack (3.64 billion packets per second) against a public IP address in Australia, sourced from over 500,000 IPs. The high-rate UDP flood is attributed to the Aisuru Turbo Mirai-class IoT botnet, which abuses compromised home routers, cameras, and other internet-connected devices.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (Trojan.Wins.Mirai)

  • French social security service provider Pajemploi has suffered a data breach that resulted in the theft of personal data linked to up to 1.2 million private employers using its childcare services. Exposed information reportedly includes full names, places of birth, postal addresses, Social Security numbers, Pajemploi and accreditation numbers, and banking institution names.
  • AIPAC, a US political advocacy organization, has encountered a data breach tied to an external third-party system, with notification filed to the Maine attorney general on November 14th. Unauthorized access occurred between October 2024 and February 2025, impacting 810 individuals and exposing personal identifiers. No threat actor claimed responsibility.

VULNERABILITIES AND PATCHES

  • Fortinet warned of CVE-2025-58034, a FortiWeb command injection flaw actively exploited in the wild. The bug lets authenticated attackers run unauthorized code via crafted requests, with updates available for multiple 7.x and 8.x releases.

Check Point IPS provides protection against this threat (Fortinet FortiWeb Command Injection (CVE-2025-58034))

  • Google fixed CVE-2025-13223, a high-severity type confusion flaw in Chrome’s V8 engine. The bug is being actively exploited to run malicious code via crafted web pages. Google has issued fixes in Chrome 142.0.7444.175 and later.
  • Researchers warn of active exploitation and a public proof of concept for CVE-2025-11001, a 7-Zip Windows vulnerability that lets attackers run code by abusing ZIP symbolic link handling. The flaw carries a CVSS score of 7.0 and was fixed in 7-Zip version 25.00.

THREAT INTELLIGENCE REPORTS

  • Check Point Research uncovered a surge in fraudulent Black Friday domains and brand impersonation. Roughly 1 in 11 new Black Friday domains are malicious, and 1 in 25 domains referencing Amazon, AliExpress, or Alibaba pose active threats, with fake storefronts stealing credentials and payment data. Recent examples also mimic HOKA and AliExpress.
  • Check Point researchers detailed a Europe-wide scam in which criminal networks use generative AI to impersonate health regulators and sell fake GLP-1 weight-loss products. The criminals clone logos and endorsements from the official health services, then localize persuasive ads to exploit drug shortages and public trust.
  • Akamai discovered a RAT that disguises its C2 traffic as LLM chat completions API requests, sending Base64- and XOR-encoded payloads without standard headers. The malware steals data from remote access tools and browsers and deploys a .NET proxy toolkit with persistence.
  • Researchers analyzed a Howling Scorpius campaign that used fake CAPTCHA prompts to install SectopRAT on a global data storage and infrastructure company, enabling remote control and lateral movement. Over 42 days, the attackers stole nearly 1 TB of data, deleted cloud backups, and deployed Akira ransomware across three networks, halting operations.
  • Google analyzed a nearly three-year APT24 cyber-espionage campaign centered on the BadAudio C++ downloader, which uses AES-encrypted C2 traffic, cookie-embedded host profiling, and control-flow flattening to deploy payloads such as Cobalt Strike Beacon in memory. The research details how APT24 shifted from strategic web compromises to large-scale supply-chain and spear-phishing operations that weaponize FingerprintJS-based browser fingerprinting, DLL search-order hijacking, and repeatedly re-compromised Taiwanese marketing infrastructure to deliver BadAudio across more than 1,000 domains.

The post 24th November – Threat Intelligence Report appeared first on Check Point Research.
