For the latest discoveries in cyber research for the week of 9th February, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

• Romania’s national oil pipeline operator, Conpet, has suffered a cyberattack that disrupted its IT systems and took its website offline. The company said operational technology, including pipeline control and telecommunications systems, remained fully functional and oil transport continued without interruption. The attack was claimed by the Qilin ransomware group.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Wins.Qilin.ta.*; Ransomware.Wins.Qilin)

• La Sapienza University in Rome, one of Europe’s largest universities, has confirmed a cyberattack that prompted it to take down computer systems for three days, with email and workstations partially limited. The website remains offline as the school restores services.
• The City of New Britain, a municipal government in Connecticut, was hit by a ransomware attack that disrupted internet and phone services for over 48 hours. While emergency services remained operational, it is unclear whether personal data was compromised.
• Onze-Lieve-Vrouw Instituut (OLV) Pulhof, a secondary school in Berchem, Belgium, has experienced a ransomware attack that escalated into extortion of parents. Attackers reduced demand from €100,000 to €15,000 and threatened to leak student and staff data or charge parents €50 per child, while the school refused payment and is investigating potential exposure.

AI THREATS

• Threat actors leveraged exposed credentials from public AWS S3 buckets to launch an AI-assisted intrusion, escalating cloud privileges from ReadOnlyAccess to admin within eight to ten minutes via Lambda code injection and IAM role assumptions. The attack further abused Amazon Bedrock models for LLMjacking and provisioned GPU-based EC2 instances using JupyterLab to exploit resources, pivoting rapidly across 19 AWS principals.
• Ask Gordon, Docker’s AI assistant, was affected by the critical “DockerDash” vulnerability, allowing Meta Context Injection via Model Context Protocol that treats malicious Docker image LABEL metadata as executable instructions. This enabled remote code execution and data exfiltration in cloud, CLI, and Docker Desktop environments, with mitigations released in Docker Desktop 4.50.0.
• Bondu, an AI plush toy maker, exposed a web console that allowed anyone with a Google account to access 50,000 chat transcripts with children – revealing names, birth dates, family details, and intimate conversations. Researchers reported the issue, after which Bondu disabled the console and added authentication.

VULNERABILITIES AND PATCHES

• Ivanti addressed two zero-days in Endpoint Manager Mobile, CVE-2026-1281 and CVE-2026-1340 (CVSS 9.8), exploited for unauthenticated code injection and remote code execution. The flaws affect in-house app distribution and Android file-transfer features, with emergency fixes issued January 29 for on-premises EPMM deployments.

Check Point IPS provides protection against this threat (Ivanti Endpoint Manager Mobile Command Injection (CVE-2026-1281, CVE-2026-1340))

• Active exploitation of CVE-2025-11953, an OS command injection flaw, was detected in the React Native Community CLI and the Metro development server used by major mobile app projects. This flaw can enable unauthenticated remote code execution, including full shell access on Windows.

Check Point IPS provides protection against this threat (React Native Community CLI Command Injection (CVE-2025-11953))

• n8n maintainers have released patches for a critical issue allowing authenticated users to run system commands through crafted workflows, risking full server compromise and credential theft. The flaw extends a prior expression-engine bug and fixes available in versions v1.123.17 and v2.5.2.

THREAT INTELLIGENCE REPORTS

• Check Point Research observed Amaranth-Dragon, a Chinese-aligned group linked to APT41, conducting espionage against government and law enforcement across Southeast Asia. The threat actor weaponized WinRAR flaw CVE-2025-8088 within 10 days after its disclosure, geo-fenced servers to targets, and introduced TGAmaranth, a Telegram-based remote access tool.

Check Point IPS, Threat Emulation and Harmony Endpoint provide protection against this threat (RARLAB WinRAR Directory Traversal (CVE-2025-8088); Trojan.Win.Amaranth; Trojan.Wins.Amaranth.ta.*; APT.Win.APT41; APT.Wins.APT41.ta.*; Trojan.Wins.APT41.ta.*)

• Check Point researchers assessed three most significant financial-sector trends in 2025. DDoS attacks surged 105%, data breaches and leaks rose 73%, and ransomware incidents reached 451 cases with aggressive multi-extortion tactics. Hacktivists drove DDoS attacks, and ransomware groups like Qilin, Akira, and Cl0p scaled operations via shared tooling and third-party access.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (Ransomware.Wins.Qilin.ta.*; Ransomware.Wins.Qilin; Ransomware.Wins.Akira.ta.*; Ransomware.Wins.Clop; Ransomware.Wins.CLOP.ta.*; Ransomware.Win.Clop)

• Check Point researchers described a phishing campaign that abused legitimate SaaS notifications from Microsoft, Zoom, Amazon, PayPal, YouTube, and Malwarebytes to drive phone-based scams. The operation sent 133,260 emails to 20,049 organizations, intensifying in recent months as attackers leveraged trusted messages to bypass link-focused defenses and steer targets to attacker-controlled phone numbers.

The post 9th February – Threat Intelligence Report appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 2nd February, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

• MicroWorld Technologies, maker of eScan antivirus, has suffered a supply-chain compromise. Malicious updates were pushed via the legitimate eScan updater, delivering multi-stage malware that establishes persistence, enables remote access, and blocks automatic updates. In response, eScan shut down its global update service for more than eight hours.
• Crunchbase, a private company intelligence platform, has confirmed a data breach of over 2 million records claimed by ShinyHunters threat group after a ransom demand was refused. The published files were stolen from its corporate network and include customer names, contact details, partner contracts and other internal documents. Crunchbase said that their operations were not disrupted.
• Qilin ransomware group has leaked an alleged database belonging to Tulsa International Airport in Oklahoma. The database include financial records, internal emails, and employee identification data. The airport authority has not yet confirmed compromise, and operations reportedly continue.

Check Point Threat Emulation provides protection against this threat (Ransomware.Wins.Qilin.ta.*; Ransomware.Wins.Qilin)

• WorldLeaks extortion group has claimed responsibility for a data breach on the sportswear giant Nike. The threat group allegedly exposed samples totaling 1.4 terabytes of internal data including documents and archives related to the company’s supply chain and manufacturing operations.

AI THREATS

• Clawdbot, an open source AI agent gateway, has more than 900 publicly exposed and often unauthenticated instances due to localhost auto approval behind reverse proxies. It enables credential theft, access to chat histories, and remote code execution.
• Researchers uncovered RedKitten, a 2026 campaign with LLM-assisted development indicators targeting Iranian activists and NGOs. The campaign uses password-protected Excel lures to deliver SloppyMIO, a C# implant that uses Telegram for C2 and GitHub/Google Drive for payloads, with steganographic configuration, AppDomain Manager injection, and scheduled task persistence.
• Researchers identified 16 malicious Chrome extensions for ChatGPT that exfiltrate authorization details and session tokens. The extensions inject scripts into the ChatGPT web application to monitor outbound requests, allowing attackers to hijack sessions and access chat histories.
• Researchers analyzed publicly accessible open-source LLM deployments via Ollama and revealed many with disabled guardrails and exposed system prompts, enabling spam, phishing, disinformation, and other abuse.

VULNERABILITIES AND PATCHES

• A critical path traversal vulnerability (CVE-2025-8088) in WinRAR is actively exploited by government backed threat actors linked to Russia and China as well as financially motivated threat actors. Weaponized phishing forces WinRAR to write malware into the Windows Startup folder, enabling automatic execution for ransomware and credential theft. A patch is available on WinRAR 7.13.

Check Point IPS provides protection against this threat (RARLAB WinRAR Directory Traversal (CVE-2025-8088))

• SmarterTools addressed two critical SmarterMail flaws, including CVE-2026-24423 enabling remote code execution and CVE-2026-23760 allowing unauthenticated admin account takeover. The second flaw is actively exploited, and over 6,000 exposed SmarterMail servers are reportedly vulnerable.

Check Point IPS provides protection against this threat (SmarterTools SmarterMail Remote Code Execution (CVE-2026-24423); SmarterTools SmarterMail Authentication Bypass (CVE-2026-23760))

• Fortinet has fixed CVE-2026-24858, an authentication bypass in FortiCloud single sign on which allowed unauthorized access and admin creation on downstream devices. The flaw carries CVSS 9.4 and is actively exploited via FortiCloud SSO.

THREAT INTELLIGENCE REPORTS

• Check Point Research has published the 2026 Cyber Security Report, highlighting AI as a force multiplier across attacks, fragmentation in ransomware with data only extortion, and multi-channel social engineering attacks. It maps threat activity to geopolitics and identity driven paths, quantifies risky AI usage, and provides sector and regional breakouts.
• Polish CERT detailed coordinated destructive attacks on Polish energy and manufacturing sectors, attributed to Static Tundra, using FortiGate SSL VPN access. The attackers conducted reconnaissance, firmware damage, lateral movement, and deployed DynoWiper and LazyWiper that corrupt files.
• Researchers have uncovered renewed Matanbuchus downloader campaigns using Microsoft Installer files disguised as legitimate installers, with frequent component changes to evade antivirus and machine learning detection. In many cases, the loader is used for further ransomware deployment.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Trojan-Downloader.Wins.Matanbuchus.ta.*; Trojan-Downloader.Wins.Matanbuchus; Trojan-Downloader.Win.Matanbuchus)

• Researchers have identified PyRAT, a Python based cross platform RAT for Windows and Linux, using unencrypted HTTP POST C2, fingerprinting victims, and file and screenshot exfiltration. Persistence uses a deceptive autostart on Linux and a user Run key on Windows, with semi persistent identifiers.
• Researchers have found an Android campaign distributing a RAT via fake security alerts installing TrustBastion, which retrieves a second-stage payload from Hugging Face. The malware abuses Accessibility Services, deploys credential-stealing overlays, and uses server-side polymorphism to regenerate payloads every 15 minutes.

The post 2nd February – Threat Intelligence Report appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 26th January, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

• RansomHub ransomware group has claimed responsibility for a cyber-attack on Luxshare, an electronics manufacturer of Apple, Nvidia, LG, Tesla, and others. The threat actors claimed access to 3D CAD models, circuit board designs, and engineering documentation. The company has not yet confirmed the breach.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (Ransomware.Wins.Ransomhub.ta.*; Ransomware.Win.RansomHub)

• Dark-web threat actor has leaked an alleged database belonging to Under Armour, a US sportswear company, affecting 72 million customer records following a November ransomware attack. The claimed exposed data includes names, email addresses, genders, dates of birth, and addresses.
• Raaga, an India-based music streaming platform, has experienced a data breach involving 10.2 million user records, reportedly exfiltrated in December and later advertised on criminal forums. Exposed details include names, emails, demographics, locations, and passwords stored with unsalted MD5 hashes, raising credential stuffing and phishing risks.
• ​Germany’s Dresden State Art Collections (SKD), one of Europe’s oldest museum networks, has confirmed a cyberattack that resulted in widespread disruption to its digital infrastructure and communications. The incident disabled online ticket sales, visitor services, and the museum shop, forced on-site payments to cash-only, and limited digital and phone services, with no indication of data theft or exposure reported.

AI THREATS

• Researchers discovered an indirect prompt-injection flaw in Gemini’s Google Calendar assistant that bypassed Calendar privacy controls via a malicious invite description. Gemini used Calendar.create to place summaries of the victim’s meetings into a new event readable by the attacker.
• Researchers uncovered a web attack technique where hidden prompts in benign pages call LLM API to generate polymorphic malicious JavaScript at runtime. This enables phishing and credential theft while evading signature-based detection and network filtering by leveraging AI service domains.
• Advanced language models such as GPT-5.2 and Opus 4.5 were observed generating working exploits for a previously unknown zero-day vulnerability in QuickJS, a JavaScript interpreter, including in hardened environments where automated systems can produce functional attack code with little to no human intervention. Across six different configurations, the systems produced over 40 distinct exploits.

VULNERABILITIES AND PATCHES

• Three high severity vulnerabilities (CVE-2025-68143, CVE-2025-68144, CVE-2025-68145) were disclosed in mcp-server-git, Anthropic’s Git MCP server, enabling path traversal and argument injection exploitable via prompt injection to read or delete files and achieve remote code execution. Fixes available in versions 2025.9.25 and 2025.12.18.
• Zoom has fixed CVE-2026-22844, a critical command injection flaw in Zoom Node Multimedia Routers, used in Meeting Connector and Meetings Hybrid deployments. It enables participant remote code execution in versions before 5.2.1716.0, with no confirmed in-the-wild exploitation.
• Fortinet has confirmed active exploitation of a FortiCloud SSO auth bypass on fully patched FortiGate firewalls, tied to CVE-2025-59718 and CVE-2025-59719. Attackers are logging in via crafted SAML messages, creating persistent accounts, enabling VPN access, and extracting firewall configurations.

THREAT INTELLIGENCE REPORTS

• Check Point Research revealed that VoidLink, a recently exposed cloud-native Linux malware framework, is authored almost entirely by AI, likely under the direction of a single individual. The malware was produced predominantly through AI-driven development, reaching the first functional implant in under a week. From a methodology perspective, the actor used the model beyond coding, adopting an approach called Spec Driven Development (SDD).
• Check Point Research identified an ongoing phishing campaign associated with KONNI, a North Korean–linked threat actor active since at least 2014. The campaign targets software developers and engineering teams across the Asia-Pacific region, including Japan, Australia, and India, using blockchain-themed lures to prompt interaction and deliver malicious content. In observed activity, the threat actor deploys AI-generated PowerShell backdoors that establish persistence, steal credentials, and enable infiltration of development environments
• Check Point researchers describe a Microsoft Teams phishing campaign abusing guest invitations and finance-themed team names to mimic billing notices. More than 12K emails were observed hitting 6,135 users via invite emails with obfuscated text. The campaign targeted US-based organizations across manufacturing, technology, and education.
• Researchers revealed a new ransomware family, Osiris, that blends legitimate Windows tools with custom malware to infiltrate networks and deploy encryption. The operators use a custom malicious driver, Poortry, masquerading as Malwarebytes to disable security software, and exfiltrated data with Rclone to Wasabi buckets before encryption.
• Researchers identified a North Korean spear-phishing campaign targeting South Korea that abuses Microsoft Visual Studio Code tunnels for remote access. JSE files masquerading as Hangul documents start the infection chain and grant attackers terminal and file access using living-off-the-land techniques.

The post 26th January – Threat Intelligence Report appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 19th January, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

• Spanish energy company Endesa has disclosed a data breach after unauthorized access to a commercial platform used to manage customer information. Media report attackers listed over 1 terabyte of data, including IBANs, for sale.
• Belgian hospital AZ Monica has experienced a cyberattack that forced the shutdown of IT systems across its Deurne and Antwerp campuses. Surgeries were canceled, emergency capacity reduced, and the Red Cross transferred seven critical patients, while radiology, imaging, and chemotherapy were postponed and doctors lacked access to electronic records.
• South Korean conglomerate Kyowon has reported a ransomware attack disrupting operations and potentially exposing customer information. Authorities estimate up to 9.6 million accounts could be affected, with approximately 600 of 800 servers compromised, while the company assesses data exposure and no group has claimed responsibility.
• US digital investment advisor Betterment has disclosed a breach after a social engineering attack on a third party marketing platform enabled access used to send crypto phishing emails. Exposed data includes names, emails, postal addresses, phone numbers, and dates of birth, while customer accounts were not compromised.
• Eurail, operator of Interrail and Eurail passes, has discloseda security incident affecting customers and seat reservations. Reports note exposure of personal, order, and reservation details, with some outlets referencing possible ID document copies and banking identifiers. DiscoverEU travelers may also be affected.
• Anchorage Police Department (APD) has addresseda third party incident tied to Whitebox Technologies, a data migration vendor supporting multiple agencies. APD disabled vendor access and removed remaining data from provider systems, noting no evidence of APD data misuse as mitigation steps continued.
• Armenia’s government has acknowledgeda potential leak after an actor advertised eight million records allegedly from official systems for 2,500 dollars. Early indications suggest data may stem from an electronic civil litigation platform, and authorities are validating the claims.
• US nonprofit Central Maine Healthcare has disclosed a breach affecting 145,381 individuals after intruders persisted on its network between March and June 2025. Compromised data includes personal, treatment, and insurance information. Notifications began this month across affected communities in central, western, and mid-coast Maine.

VULNERABILITIES AND PATCHES

• Check Point Research observed active exploitation of CVE-2025-37164 in HPE OneView, a CVSS 10.0 remote code execution flaw impacting versions 5.20 through 10.20. RondoDox botnet exploited this vulnerability starting January 7^th. The exploitation was reported to CISA, which added the bug to KEV.

Check Point IPS provides protection against this threat (HPE OneView Remote Code Execution (CVE-2025-37164))

• Microsoft January Patch Tuesday addressed 114 vulnerabilities, including one actively exploited zero-day, CVE-2026-20805 in Desktop Window Manager. Eight critical flaws were fixed across Windows and components.

Check Point IPS provides protection against this threat (Microsoft Desktop Windows Manager Information Disclosure (CVE-2026-20805))

• A patch was releasedfor CVE-2026-23550 in the Modular DS WordPress plugin, rated maximum severity. Active exploitation began January 13 and allows unauthenticated admin takeover via exposed routes. Users should upgrade to version 2.5.2 from 2.5.1 or earlier immediately.
• A critical flaw (CVE-2025-36911) in Google’s Fast Pair protocol enables hijacking of Bluetooth audio accessories, eavesdropping, and tracking. Fixes require firmware updates from device vendors rather than phone updates, with many impacted models pending patches.

THREAT INTELLIGENCE REPORTS

• Check Point Research recorded a sharp December surge in cyber attacks in Latin America, where organizations averaged 3,065 weekly hits, a 26% year-over-year increase, while the global average reached 2,027 attacks. Ransomware activity accelerated with 945 publicly reported attacks, 60% increase year over year.
• Check Point Research has revealed VoidLink, a cloud-native Linux framework with loaders, implants, rootkits, and modular plugins designed for persistence across containers and Kubernetes. It uses rootkits and over 30 modular plugins for credential theft, lateral movement, and covert communication. The toolkit appears China-affiliated and is rapidly evolving, yet no real-world infections have been confirmed.
• Check Point Research uncovered the Sicarii ransomware-as-a-service operation, emerging in late 2025, which uses explicit Israeli/Jewish branding despite Russian-language activity and limited Hebrew proficiency, suggesting possible identity manipulation. The malware geo-fences to avoid Israeli systems, steals data and credentials, scans networks and attempts Fortinet exploitation.
• Check Point Research identified Microsoft as the most impersonated brand in Q4 2025 phishing rank, representing 22 percent of attempts, with Google at 13 percent and Amazon at 9 percent. Campaigns spoofed Roblox, Netflix account recovery, and Spanish Facebook pages to steal credentials, enabling account takeover and enterprise access.

The post 19th January – Threat Intelligence Report appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 12th January, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

• Manage My Health, New Zealand’s largest patient portal, has acknowledged a cyberattack occurred on December 2025, that potentially exposed data of nearly 110K users. An alleged attacker, dubbed Kazu, claimed responsibility and demanded a $60,000 ransom.
• France’s Office for Immigration and Integration has confirmed data theft via a third-party operator after a hacker posted samples online. The exposed records include names, contact details, entry dates, and reasons for stay for foreign residents.
• Ledger, a global crypto hardware wallet maker, has disclosed a breach at e-commerce partner Global-e exposing customer contact and order details. Attackers launched phishing lures impersonating both firms to harvest wallet data. Ledger said wallets and seed phrases were unaffected, but targeted scams increased.
• Giant US fiber broadband provider, Brightspeed, was claimed as breached by the Crimson Collective extortion gang. The intrusion allegedly exposed sensitive information belonging to over 1 million customers; however the company has not yet confirmed the incident.
• American Dartmouth College, has disclosed that an August attack exploiting Oracle E-Business Suite exposed personal information of over 40,000 people. Leaked data includes Social Security numbers and bank account information. Reports attribute the intrusion to Clop ransomware group.

Check Point IPS, Threat Emulation and Harmony Endpoint provide protection against this threat (Oracle Multiple Products Remote Code Execution (CVE-2025-61882, CVE-2025-61884); Ransomware.Win.Clop; Ransomware.Wins.Clop; Ransomware.Wins.Clop.ta.*)

• JBS Mental Health Authority, a regional US nonprofit, has experienced a ransomware attack in late December. The organization was listed by the Medusa ransomware group, which claims it stole 168.6GB of data, including sensitive client records and internal operational information.

Check Point Threat Emulation provides protection against this threat (Ransomware.Wins.Medusa)

• Prosura, an Australia and New Zealand car rental insurance provider, has reported a data breach that resulted from an unauthorized access to parts of its systems. The attacker allegedly exposed driver licenses and policy documents. Prosura paused online self-service and said payment card data is not stored in its systems.
• Free Speech Union, a UK membership organization, has experienced a data breach after activist group Bash Back compromised its website and posted transaction details online. Records for thousands of donations were leaked, including amounts and comments. The organization took its site offline as a precaution.

VULNERABILITIES AND PATCHES

• SmarterTools fixed CVE-2025-52691, a critical pre-auth remote code execution flaw with a CVSS score of 10.0. Successful exploitation allows an attacker to upload files and write to web-accessible paths, potentially resulting in full server compromise.

Check Point IPS provides protection against this threat (SmarterMail Arbitrary File Upload (CVE-2025-52691))

• A patch was released for CVE-2025-64496 vulnerability in Open WebUI, a self-hosted interface for AI models, enabling code injection via the Direct Connection feature and potential remote code execution. Versions through 0.6.34 are affected.
• Cisco has addressed CVE-2026-20029, a medium-severity flaw in Identity Services Engine and ISE-PIC, which allows administrators to access sensitive files via improper XML parsing. Exploitation of the flaw requires valid admin credentials.

THREAT INTELLIGENCE REPORTS

• Check Point Research observed GoBruteforcer, a modular Go botnet brute-forcing Linux servers running phpMyAdmin, MySQL, PostgreSQL and FTP. Campaigns exploit AI-generated server deployments that propagate common usernames and weak defaults. The botnet converts hosts into scanners and credential harvesters, with crypto-focused runs stealing funds and expanding access through backdoors and IRC-based control.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat

• Check Point researchers identified the OPCOPRO “Truman Show” investment scam, which industrializes social engineering via WhatsApp and Telegram. Apps from official stores serve as interfaces to attacker servers, fabricating balances and trades, harvesting KYC documents, and driving identity theft and deposits.

Check Point Harmony Endpoint provides protection against this threat

• Researchers analyzed LockBit 5.0 ransomware, detailing ChaCha20-Poly1305 file encryption, X25519 with BLAKE2b key exchange, termination of VSS and backup services, and Temp directory cleanup. LockBit 5.0 uses custom random extensions per execution, excludes system files, supports Stealbit exfiltration, and drops a ransom note threatening data leakage.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (Ransomware.Wins.Lockbit; Ransomware.Wins.Lockbit.ta.*; Ransomware.Win.LockBit; Gen.Win.Crypter.Lockbit)

• Researchers uncovered PHALT#BLYX, an ongoing campaign that targets European hospitality via Booking.com-themed phishing and ClickFix-style fake BSOD/captcha lures that prompt PowerShell execution. The chain aims for credential theft and privilege elevation.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (RAT.Wins.Dcrat; RAT.Win.DCRat; InfoStealer.Wins.DcRat)

The post 12th January – Threat Intelligence Report appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 5th January, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

• Two US banks, Artisans’ Bank and VeraBank, disclosed that customer data was exposed in an August ransomware attack on their vendor, Marquis Software. The vendor was breached via SonicWall vulnerability, and while the banks’ own systems were not compromised, researchers estimate the incident may have affected in total up to 1.35 million people across dozens of financial institutions.
• Romania’s largest coal-based power producer, Oltenia Energy Complex, has faced a ransomware attack attributed to the Gentlemen group. The company said files were encrypted and Enterprise Resource Planning systems, email, and the website were disrupted, partially affecting operations, while power supply remained stable and recovery continues.
• Emurasoft, maker of EmEditor software, reported a website compromise that redirected the homepage download button to a fake installer for 4 days. The installer deployed infostealer malware that harvested credentials and added a rogue extension enabling remote control and cryptocurrency swapping.
• US-based Sedgwick Government Solutions, which manages claims, workforce health, risk, and productivity for government agencies and federal employees, has experienced a cybersecurity incident. The incident was limited to an isolated file transfer system, with no evidence of access to claims servers. The company notified law enforcement and clients after the TridentLocker ransomware group claimed an attack on December 31.
• Korean Air, South Korean airline, has suffered a data breach via KC&D Service, a vendor managing inflight catering and duty free. The incident exposed personal data of roughly 30,000 employees, including names and bank account numbers, while customer information was not affected. Cl0p claimed responsibility and reportedly exploited an Oracle E-Business Suite flaw.

Check Point IPS, Threat Emulation and Harmony Endpoint provide protection against this threat (Oracle Multiple Products Remote Code Execution; Ransomware.Win.Clop; Ransomware.Wins.Clop; Ransomware.Wins.Clop.ta.*)

• Trust Wallet, a cryptocurrency wallet provider, has disclosed a second Shai-Hulud supply-chain compromise of its Chrome extension, resulting in approximately $8.5 million in losses. Using a leaked Chrome store key, attackers published tampered v2.68 which exfiltrated wallet recovery phrases upon unlock.
• European Space Agency (ESA), has confirmed a cybersecurity incident affecting a very small number of external servers outside its corporate network. ESA began forensic analysis and secured potentially affected devices after a threat actor claimed to have stolen 200GB of source code and access credentials in mid-December.

VULNERABILITIES AND PATCHES

• Researchers highlighted CVE-2025-14346, a critical missing-authentication flaw in WHILL Model C2 and Model F power wheelchairs that enables attackers within Bluetooth range to take control. CISA urged immediate mitigations, warning that compromise could manipulate wheelchair movements and cause physical harm in healthcare and public settings. No public exploitation has been reported yet.
• Security researchers disclosed CVE-2025-20700, CVE-2025-20701 (CVSS 8.8) and CVE-2025-20702 (CVSS 9.6) affecting Airoha Bluetooth SoCs. The flaws enabling unauthenticated access to the RACE protocol, arbitrary memory operations, and nearby takeover of headphones to extract link keys and impersonate devices to access paired smartphones.
• A patch has been released for CVE-2025-47411, an important privilege escalation in Apache StreamPipes 0.69.0 to 0.97.0 caused by flawed user ID creation enabling JWT token manipulation. Attackers can impersonate existing administrators to gain full control.
• IBM API Connect, an enterprise API management platform, is affected by a critical authentication bypass vulnerability (CVE-2025-13915, CVSS 9.8) enabling remote unauthorized access without credentials. The flaw impacts versions 10.0.8.0 through 10.0.8.5 and 10.0.11.0, with patches and iFixes available; no exploitation has been reported.

THREAT INTELLIGENCE REPORTS

• Researchers exposed a new APT36 cyber espionage campaign targeting Indian government, academic, and strategic institutions. The Pakistan affiliated group delivers ZIP attachments disguised as PDFs that install ReadOnly and WriteOnly malware, which enables remote control, steals data, monitors clipboards, captures screenshots, and maintains access.
• DarkSpectre, a Chinese affiliated threat actor, has compromised 8.8 million Chrome, Edge, and Firefox users globally via campaigns including ShadyPanda, Zoom Stealer, and GhostPoster. The group employs malicious browser extensions with tactics such as time-bomb activation, dormant sleepers, PNG steganography, and heavy JavaScript obfuscation, exfiltrating corporate meeting data while impersonating videoconferencing tools and abusing browser platform permissions.
• Security researchers discovered two Chrome Web Store extensions, Chat GPT for Chrome with GPT-5 and AI Sidebar, that exfiltrate ChatGPT and DeepSeek chat histories, along with users’ browsing activity, every 30 minutes. The extensions collectively have over 900,000 installations, and one holds a Google Featured badge.
• Researchers identified the rapid expansion of the Kimwolf botnet, which has infected more than 2 million devices globally by abusing residential proxy networks to reach local devices behind home routers. The campaign leverages insecure Android TV boxes and digital photo frames to enable DDoS, ad fraud, account takeover, and mass scraping.

The post 5th January – Threat Intelligence Report appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 29th December, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

• Romanian Waters, the country’s national water management authority, was hit by a ransomware attack that resulted in nearly 1,000 computer systems across national and regional offices being encrypted. The attack affected geographic information systems, databases, email, web servers, and Windows workstations. Operational technology controlling water infrastructure was not impacted, and no data leakage has been reported, but key IT services were disrupted across the organization.
• France’s postal service La Poste has suffered a cyber-attack that disrupted key digital systems, impacting online parcel tracking, mail distribution, and banking services for customers of both the postal service and La Banque Postale. Some services were temporarily unavailable, with no evidence of data compromise. The attack was claimed by the pro-Russian hacktivist group NoName057(16).
• Insurance giant Aflac has confirmed a data breach they experienced in June that resulted in the theft of sensitive files containing insurance claims, health data and Social Security numbers. The breach affected personal details of approximately 22.7 million individuals in its US business. The attack has been attributed to Scattered Spider threat group.

Check Point Harmony Endpoint provides protection against this threat.

• Japan’s leading carmaker Nissan Motor Corporation has acknowledged a data breach that resulted in the exposure of personal information for approximately 21,000 customers from Nissan Fukuoka Sales Corporation including names, addresses, phone numbers, email addresses, and sales operation data. The incident occurred after unauthorized access to Red Hat data servers led to the leak, but financial data was not affected. The Crimson Collective threat actor claimed responsibility for the initial breach, with ShinyHunters later hosting samples of the stolen data.
• Trust Wallet, a popular non-custodial cryptocurrency wallet, has disclosed a cyber-attack involving a compromised Chrome extension update. The attack exfiltrated sensitive wallet data, including seed phrases, to a malicious domain, resulting in at least $7 million in losses. The incident primarily affected users of Chrome extension version 2.68.0, allowing attackers to drain wallets.
• Ubisoft’s live service game Rainbow Six Siege (R6) has confirmed a cyber-attack in which threat actors abused internal systems to manipulate bans, unlock all cosmetics and developer-only skins, and distribute around $13.33 million worth of in-game currency worldwide.
• Baker University has encountered a data breach that resulted in attackers accessing its network and stealing sensitive information belongs to 53,624 students, alumni, staff, and affiliates of the university, such as names, Social Security numbers, financial account details, and medical records.

VULNERABILITIES AND PATCHES

• A high-severity memory-read vulnerability, CVE-2025-14847, dubbed “MongoBleed” has been identified in multiple MongoDB Server versions, allowing unauthenticated remote attackers to exploit a zlib implementation flaw and potentially access uninitialized heap memory. The issue, caused by improper handling of length parameter inconsistency (CWE-130), may permit arbitrary code execution and system compromise. Affected versions include MongoDB 4.0 through 8.2.3.
• Details on a critical serialization injection vulnerability in LangChain Core were disclosed. CVE-2025-68664 (CVSS 9.3) affects langchain-core, where unescaped user-controlled dictionaries with lc keys are treated as trusted objects during deserialization, enabling secret extraction, prompt injection, and potentially arbitrary code execution.
• A critical buffer overflow vulnerability, CVE-2025-68615, in Net-SNMP’s snmptrapd daemon can be triggered remotely via a specially crafted packet. The issue has a CVSS score of 9.8 and may allow unauthenticated attackers to achieve remote code execution or cause service crashes. Patches are available, and the vulnerability is addressed in Net-SNMP versions 5.9.5 and 5.10.pre2.

THREAT INTELLIGENCE REPORTS

• Check Point researchers describe a phishing campaign in which attackers abused Google Cloud Application Integration’s “Send Email” workflow to send over 9,000 spoofed Google notification emails from a Google address. The messages targeted manufacturing, technology, and finance sectors and used multi-step redirection through Google domains to lead victims to a Microsoft-themed credential harvesting site. Most victims located in the US, Asia-Pacific, and Europe.
• Researchers uncovered a two-year Evasive Panda campaign using adversary-in-the-middle DNS poisoning to deliver MgBot via fake updaters and stealthy loaders. The chain used multi-stage shellcode, hybrid encryption, and DLL sideloading to run MgBot in memory, with victim-specific payloads tied to machines via DPAPI and RC5. Attackers poisoned legitimate domains, injected into signed system processes for persistence, and updated configs with hardcoded C2s.

Check Point Harmony Endpoint provides protection against this threat (Infostealer.Win.MgBot)

• A Webrat campaign leveraged fake GitHub repositories masquerading as exploit and proof-of-concept code for high-severity CVEs, targeting gamers, students, and inexperienced security researchers. The attack uses droppers to elevate privileges, disable Windows Defender, and deploy the Webrat backdoor, enabling remote control, credential theft, keylogging, and device surveillance.
• Researchers found lotusbail, a malicious npm package masquerading as a WhatsApp Web API library that intercepts messages and steals session/auth data, contacts, and media via WebSocket tampering and device-pairing hijack. Separately, 14 malicious NuGet packages were found redirecting crypto funds and stealing Google Ads OAuth tokens.

The post 29th December – Threat Intelligence Report appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 22nd December, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

• An adult content platform PornHub has disclosed a data breach linked to analytics provider Mixpanel. The breach exposed more than 200 million records related to Premium users, including email addresses, search, watch, and download histories, locations, and associated video details collected prior to 2021. Pornhub stated that no passwords, payment information, or government-issued IDs were compromised. OpenAI also acknowledged a related incident that was caused by compromise of Mixpanel. The breach has been attributed to the ShinyHunters extortion group.
• SoundCloud, an online audio streaming platform, has confirmed a cyber attack that resulted in threat actors gaining unauthorized access to a database containing users’ email addresses and public profile information. The breach affected approximately 20% of SoundCloud’s users, which might impact 28 million accounts, and caused outages and VPN connection issues. The ShinyHunters extortion gang has claimed responsibility for this attack.
• Autoparts giant LKQ has acknowledged a cyberattack tied to the Oracle E-Business Suite compromise. The company said personal data of over 9,070 people, including Employer Identification Numbers and Social Security numbers, was exposed.

Check Point IPS provides protection against this threat (Oracle Multiple Products Remote Code Execution)

• DXS International, a British NHS technology supplier, has encountered a cyber-attack on December 14^th that resulted in unauthorized access to its internal office servers, affecting internal systems but not disrupting clinical services. It remains unclear whether NHS patient data was compromised.
• The University of Sydney has suffered a data breach that resulted in hackers gaining access to an online coding repository and stealing files containing personal information of staff and students. Over 27,000 individuals were affected, including names, dates of birth, phone numbers, home addresses, and job details for current and former staff, students, alumni, and affiliates.
• Petróleos de Venezuela (PDVSA), Venezuela’s state oil company, has experienced a cyberattack that resulted in disruptions to its export operations and offline systems managing the country’s main crude terminal. The incident affected administrative and operational network systems, leading to a halt in cargo deliveries. The scope of data or user information compromised has not been disclosed.
• Denmark’s water utility has experienced a cyber attack that resulted in a disruption of critical water infrastructure systems. The attack impacted operational control systems supporting essential services, forming part of a broader campaign of attacks targeting Denmark’s critical infrastructure and electoral environment. The Danish Defence Intelligence Service attributed the incident to the Russia affiliated group Z-Pentest.

VULNERABILITIES AND PATCHES

• Critical severity vulnerability with a CVSS score of 10.0 was disclosed in HPE OneView Software. The flaw, CVE-2025-37164, allows unauthenticated remote code execution and affects all versions prior to 11.00, including versions 5.20 through 10.20. Successful exploitation could enable a remote attacker to execute arbitrary code on affected centralized IT infrastructure management systems.

Check Point IPS provides protection against this threat (HPE OneView Remote Code Execution (CVE-2025-37164))

• A critical remote code execution vulnerability, CVE-2025-14733, in WatchGuard Firebox firewalls running Fireware OS 11.x and later is being actively exploited. The out-of-bounds write flaw enables unauthenticated remote code execution on unpatched devices with IKEv2, without user interaction.
• Researchers spotted active exploitation of CVE-2025-59718 and CVE-2025-59719, critical authentication bypass flaws in Fortinet FortiGate, FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. Attackers can log in without credentials and export full device configurations, risking cracked passwords.

THREAT INTELLIGENCE REPORTS

• Check Point Research revealed a sophisticated wave of attacks attributed to the Chinese threat actor Ink Dragon, which targets European governments while continuing campaigns in Southeast Asia and South America. The threat actor converts compromised IIS servers into relay nodes with ShadowPad, exploits predictable configuration keys for access, and deploys a new FinalDraft backdoor for exfiltration and lateral movement.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat

• Check Point Research analyzed GachiLoader, a Node.js–based malware loader observed in a campaign linked to the YouTube Ghost Network. The campaign is notable for extensive obfuscation and a previously undocumented PE injection technique. GachiLoader deploys a second-stage loader, Kidkadi, which abuses Vectored Exception Handling (VEH) in a novel method, dubbed Vectored Overloading, to load its malicious payload.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat

• Check Point Research noticed a surge in darknet campaigns recruiting insiders at banks, crypto exchanges, telecoms, and major tech firms to sell access and data. Listings advertise payouts of $3,000 to $15,000, offer datasets like 37 million records for $25,000, and solicit telecom staff for SIM swapping to bypass two-factor authentication.
• Check Point researchers updated on a global surge in AI-driven holiday scams across phishing, fake retail sites, and social media giveaways. They recorded 33,502 phishing emails in two weeks and over 10,000 daily ads impersonating delivery brands like Royal Mail, FedEx, UPS and DPD, while AI chatbots help fraudulent stores appear credible.

The post 22nd December – Threat Intelligence Report appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 15th December, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

• The Indian government confirmed cyber incidents involving GPS spoofing at seven major airports, including Delhi, Mumbai, Kolkata, and Bengaluru. The attack affected aircrafts using GPS-based landing procedures. Despite signal disruption to navigation data, authorities stated no flights were cancelled or diverted, with contingency measures and Air Traffic Control safeguards preventing operational impact.
• US-based healthcare technology provider, TriZetto Provider Solutions, has notified healthcare clients of a long-running unauthorized access to a customer web portal. With this access a threat actor accessed historical eligibility transaction reports containing protected health information (PHI). Exposed data includes patient and insured PII.
• 700Credit, a US-based credit check and identity verification provider, suffered a data breach affecting at least 5.6 million people. The incident exposed private information after an unidentified attacker accessed dealer-collected data between May and October 2025. The company is notifying impacted individuals and offering credit monitoring, while Michigan’s attorney general urged affected users to enable credit freezes or monitoring to mitigate fraud risk.
• Pierce County Library System in Washington has disclosed a cyberattack impacting over 340,000 individuals after threat actors accessed its systems, forcing a full shutdown. The breach exposed user data and extensive employee PII. The attack was claimed by the INC ransomware gang, which has targeted multiple US government entities in 2025.

Check Point Threat Emulation provides protection against this threat (Ransomware.Wins.INC)

• The French Interior Ministry confirmed a cyberattack targeting its email servers, allowing an attacker to access a number of internal files. Authorities stated there is no evidence of serious data compromise at this stage. An investigation is ongoing, with no attribution yet identified.
• Russian Government IT contractor Mikord was reportedly breached by an anonymous hacker group. The group claims to have maintained access for months, exfiltrated source code, internal communications, financial and technical records, and damaged infrastructure tied to a firm allegedly involved in Russia’s unified military draft database. While Mikord’s director confirmed a hack, Russia’s Ministry of Defense denied any breach or data leak.
• An employee of Home Depot, the US home improvement retailer, had mistakenly exposed a private GitHub token, granting access to internal systems for nearly a year. The token enabled entry to hundreds of private code repositories and key cloud systems and was revoked upon discovery.

VULNERABILITIES AND PATCHES

• Google released an urgent Chrome update on to address a high severity flaw (CVE-2025-14174) actively exploited in the wild and linked to the ANGLE graphics library used for WebGL. The bug likely enables memory corruption that could allow remote code execution.
• Apple released emergency security updates to patch two actively exploited zero-day vulnerabilities, CVE-2025-43529 and CVE-2025-14174. The vulnerabilities were exploited in sophisticated targeted attacks against specific individuals. Both flaws affect WebKit and enable remote code execution or memory corruption via malicious web content, impacting iPhones, iPads, Macs, and other Apple platforms.
• SAP released details and patches for three vulnerabilities, including CVE-2025-42880 (code injection in Solution Manager, CVSS 9.9), CVE-2025-55754 (Commerce Cloud Tomcat flaws, CVSS 9.6), and CVE-2025-42928 (jConnect deserialization, CVSS 9.1), alongside several high severity issues.

THREAT INTELLIGENCE REPORTS

• Check Point Research reports a global rise in cyber attacks in November 2025, averaging 2,003 weekly attempts per organization, with education most targeted sector and rising exposure from generative AI. 727 ransomware incidents were recorded, a 22% increase YoY, with North America accounting for 55% of cases and industrial manufacturing being the top victim industry.
• Check Point Research exposed ValleyRAT’s modular system, including a kernel-mode rootkit that can remain loadable on fully updated Windows 11 despite built-in protections. The research linked leaked builder artifacts to plugins and identified about 6,000 samples, with roughly 85 percent emerging in the last six months after the builder’s public release.
• Check Point researchers revealed a phishing campaign where attackers impersonate file-sharing and e-signature services to deliver finance-themed lures that look like legitimate notifications. The attackers sent over 40,000 phishing emails targeting roughly 6,100 customers over the past two weeks, abusing Mimecast’s secure-link rewriting feature as a smokescreen to make their links appear safe and authenticated
• Researchers have analyzed STAC6565 campaign, which with high confidence is associated with the GOLD BLADE threat group (aka RedCurl, RedWolf, and Earth Kapre). The campaign is mostly targeting Canadian organizations, blending data theft with selective QWCrypt ransomware. The threat actor uses multi-stage infection chains that include payloads downloaded via WebDAV, DLL side-loading using legitimate Adobe components, and BYOVD abuse to evade detection.
• Researchers uncovered a new phishing technique called ConsentFix that tricks people into giving attackers access to their Microsoft accounts. The method uses a browser-native prompt that persuades victims to copy and paste a link. Once the link is submitted, attackers can get access without needing a password or multi-factor authentication.

The post 15th December – Threat Intelligence Report appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 8th December, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

• The University of Pennsylvania and the University of Phoenix were hit by data breaches after attackers exploited zero-day vulnerabilities in Oracle E-Business Suite servers. At least 1,488 people at UPenn and numerous students, alumni, donors, staff, faculty, employees, and suppliers at Phoenix were impacted. The Cl0p ransomware gang is likely responsible, as part of a broader campaign.

Check Point IPS, Threat Emulation and Harmony Endpoint provide protection against this threat (Oracle Multiple Products Remote Code Execution; Ransomware.Win.Clop; Ransomware.Wins.Clop; Ransomware.Wins.Clop.ta.*)

• Financial software provider Marquis Software Solutions has disclosed a data breach that impacted over 74 banks and credit unions across the US and exposed sensitive data of more than 400,000 customers. The Akira ransomware gang is possibly responsible for the attack, which exploited vulnerabilities in SonicWall firewalls to gain network access.

Check Point Threat Emulation provides protection against this threat (Ransomware.Wins.Akira.ta.*; Ransomware.Wins.Akira)

• American pharmaceutical firm Inotiv has reported on a ransomware attack that occurred in August 2025. The Qilin ransomware group claimed responsibility, leaking personal information from over 9,500 individuals, including current and former employees and their family members.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat

• South Korean retail giant Coupang has confirmed a data breach that resulted in the exposure of personal information belonging to nearly 34 million clients, including full names, phone numbers, email addresses, and more. No payment details or account passwords were leaked in the incident.
• YouTube app for Android TV, SmartTube, has been targeted in an attack that resulted in the compromise of its developer signing keys and the distribution of a malicious update containing hidden malware. The incident impacted Android TV, Fire TV Stick, and similar device users.
• Belgian postal and package delivery service, Bpost, has suffered a data breach that resulted in the exfiltration of 5,140 files totaling about 30.46GB from a third-party exchange platform. The stolen data reportedly includes personal and business information of some customers of the affected department. The ransomware group TridentLocker has claimed responsibility for the attack.
• Canadian wireless telecommunications provider, Freedom Mobile, has experienced a data breach that resulted in attackers gaining unauthorized access to its customer account management platform and stealing personal information, including names, addresses, dates of birth, phone numbers, and account numbers. The company has not disclosed the exact number of affected customers.

VULNERABILITIES AND PATCHES

• Check Point has elaborated on the critical React2Shell vulnerability, CVE-2025-55182, that affects React 19.x and related server-side frameworks such as Next.js 15.x/16.x. The vulnerability enables unauthenticated remote code execution via malicious HTTP requests targeting the server’s decoding process. Exploitation allows attackers to gain full control over application servers, intercept sensitive data, inject false transactions, and potentially pivot deeper into enterprise environments.

Check Point IPS provides protection against this threat (React Server Components Remote Code Execution (CVE-2025-55182))

• Check Point Research revealed a vulnerability in OpenAI Codex CLI that allowed attackers to achieve remote code execution via malicious project-local configuration files (MCP entries) executed without user prompts. OpenAI released a patch in version 0.23.0 to address the automatic execution risk.
• Check Point Research shared details of a critical exploit in Yearn Finance’s yETH pool, where an attacker abused a smart contract flaw to mint trillions of tokens with a minuscule deposit, resulting in the theft of approximately $9 million in assets from the Ethereum-based DeFi protocol.

THREAT INTELLIGENCE REPORTS

• Check Point summarizes a multiyear Salt Typhoon cyber-espionage campaign that compromised 80 telecom providers worldwide and a US state Army National Guard network, chaining SIM-based credential theft, network scans, Ivanti/PAN-OS/Cisco CVEs and GTP/GTPDOOR abuses to exfiltrate sensitive communications and configuration data.
• US and Canadian cybersecurity agencies outlined BRICKSTORM, a stealthy backdoor used by Chinese affiliated hackers to infiltrate VMware vSphere environments and maintain long-term access. The campaign targeted government services and IT, stealing credentials via VM snapshots and creating hidden machines.
• The ShadyPanda threat actor ran a seven-year campaign weaponizing verified Chrome and Edge extensions to infect over 4.3 million devices with spyware for remote code execution, payload delivery, traffic redirection, credential and cookie theft, browser fingerprinting, HTTPS credential interception, and behavioral biometrics exfiltration.
• Researchers identified a campaign weaponizing Velociraptor, a digital forensics tool, to establish stealthy command channels and maintain persistence in enterprise environments. Attackers exploited SharePoint’s “ToolShell” chain using CVE-2025-49706 and CVE-2025-49704, linked to Storm-2603, and in confirmed cases delivered Warlock ransomware.
• Albiriox, a new Android banking trojan sold as Malware-as-a-Service (MaaS), targets over 400 financial and crypto apps using VNC-style remote control, accessibility abuse, overlays, and black-screen masking for on-device fraud. The malware is spread via smishing, WhatsApp lures, and fake apps with droppers over unencrypted TCP C2 channels using structured JSON messages.

The post 8th December – Threat Intelligence Report appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 1st December, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

• OpenAI has experienced a data breach resulting from a compromise at third-party analytics provider Mixpanel, which exposed limited information of some ChatGPT API clients. The leaked data includes names, email addresses, approximate location, operating system, browser information, referring websites, and organization or user IDs. No sensitive credentials or API keys were exposed.
• Dartmouth College, a private Ivy League research university in New Hampshire, has been a victim of a data breach that resulted in the theft of personal information, including names, Social Security numbers and financial details, from its Oracle E-Business Suite servers. The Cl0p extortion gang was responsible for exploiting zero-day vulnerability as part of a broader campaign. Other targets include Harvard University, Envoy Air, and others with sensitive data exposed via dark web and torrent sites.

Check Point IPS, Threat Emulation and Harmony Endpoint provide protection against this threat (Oracle Concurrent Processing Remote Code Execution; Ransomware.Win.Clop; Ransomware.Wins.Clop; Ransomware.Wins.Clop.ta.*)

• Crisis24, a leader in crisis and risk management, was hit by a cyberattack on its OnSolve CodeRED emergency alert platform that resulted in widespread disruption of notification systems nationwide and the theft of user data. Leaked information including names, addresses, email addresses, phone numbers, and clear-text passwords affecting state and local governments, public safety agencies, and residents across the US. The INC Ransomware gang has claimed responsibility for the attack and is offering stolen data for sale.

Check Point Threat Emulation provides protection against this threat (Ransomware.Wins.INC)

• Major American investment advisory provider SitusAMC has confirmed a data breach that resulted in the compromise of corporate data associated with client relationships, including accounting records, legal agreements, and potentially customer data. The breach impacted an undisclosed number of clients and customers, likely including largest banks and financial institutions in the US, with no information yet provided on the amount or exact type of data leaked.
• A Russian postal operator Donbas Post has encountered a cyber-attack that disrupted its corporate network, web platform, and email systems, destroying over 1,000 workstations, 100 virtual machines, and several dozen terabytes of data, and forcing the suspension of services at postal branches and the call center. The Ukrainian Cyber Alliance has claimed responsibility.
• The French Football Federation (FFF) has suffered a data breach that resulted in unauthorized access to administrative management software and theft of personal and contact information from members of French football clubs. Exposed data includes names, email addresses, and more.

VULNERABILITIES AND PATCHES

• A new Mirai-based botnet, ShadowV2, was observed exploiting multiple known vulnerabilities (including CVE-2024-10914, CVE-2024-10915, and CVE-2024-53375) in IoT devices to gain control and launch distributed denial-of-service (DDoS) attacks. The botnet leveraged command injection and other flaws in routers, NAS devices, and DVRs across global sectors.

Check Point IPS provides protection against this threat (D-Link DNS NAS Devices Command Injection (CVE-2024-10914); D-Link DNS Series Command Injection; TP-Link Archer AXE75 Command Injection (CVE-2024-53375))

• Security researcher uncovered more than 17,000 exposed credentials during a scan of 5.6 million public GitLab repositories, including API keys, passwords, and access tokens associated with over 2,800 domains. Many of these credentials – primarily Google Cloud, MongoDB, Telegram, and OpenAI keys – remain active. While most were leaked after 2018, some valid keys date back to 2009.
• A patch was released for a critical authentication bypass vulnerability (CVE-2025-59366) in ASUS routers with AiCloud enabled, which allows remote attackers to exploit chained path traversal and OS command injection flaws for unauthorized function execution. Successful exploitation does not require user interaction and could result in attackers gaining control over vulnerable devices.

THREAT INTELLIGENCE REPORTS

• Check Point researchers analyzed the Shai-Hulud 2.0 npm supply chain campaign that compromised over 600 npm packages and 25,000 GitHub repositories. Malicious preinstall scripts stole developer and multi-cloud credentials, exfiltrated them to attacker GitHub repos, registered infected hosts as self-hosted runners, and used the stolen tokens for worm-like propagation across npm and GitHub.

Check Point Threat Emulation provides protection against this threat (Trojan.Wins.ShaiHulud.ta.*)

• Check Point researchers uncovered GhostAd, a large-scale Android adware campaign where at least 15 Google Play applications with millions of installs abuse foreground services, blank notifications, JobScheduler, and ad SDKs to run persistent background ads and drain device resources. These applications also use background execution and storage permissions to persist, hide, and silently exfiltrate external-storage files, including corporate documents, to attacker infrastructure.
• Check Point overviews expected cyber risks at 2026, including converging agentic AI, quantum computing, and Web 4.0. The blog outlines 12 trends: autonomous AI operations, digital-twin/XR environments, LLM-native attacks, deepfake fraud, quantum “harvest-now, decrypt-later” exposure, data-pressure ransomware, expanding supply-chain, SaaS, and identity threats.
• Researchers detailed HashJack, an indirect prompt injection technique that embeds malicious instructions in elements like URL fragments or emails to manipulate AI browser assistants – including Comet, Copilot for Edge, and Gemini for Chrome. This method enables threat actors to trigger phishing, misinformation, data exfiltration, and credential theft, exploiting LLMs’ inability to distinguish instructions from legitimate data.

The post 1st December – Threat Intelligence Report appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 24th November, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

• The notorious “Scattered LAPSUS$ Hunters” group claimed responsibility for a supply-chain attack involving the Salesforce-integrated platform Gainsight. The group stated that data from 300 organizations was compromised, including Verizon, GitLab and Atlassian. Salesforce has confirmed unusual activity related to Gainsight integrations and has revoked all active access tokens as a precaution, emphasizing there is no vulnerability in the Salesforce’s core platform.
• Eurofiber France SAS, the French unit of Dutch telecommunications provider Eurofiber Group N.V., has been a victim of a data breach. The attack resulted in an unauthorized access to its French ticket management system and exfiltration of customer information from its cloud division and regional sub-brands. A threat actor “ByteToBreach” claimed responsibility for the attack.
• Italian IT provider Almaviva has confirmed a cyberattack, with stolen data including information from Ferrovie dello Stato Italiane, Italy’s national railway operator. Nearly 2.3 TB of sensitive files were leaked, including passenger passport data, employee records across FS subsidiaries, defense-related contracts, and financial documents. Almaviva says critical services remain operational.
• South Korean giant battery maker LG Energy Solution has experienced a ransomware attack at a single overseas facility, which the company says has been restored, with headquarters unaffected. The Akira gang claimed to have stolen 1.7 terabytes of data.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (Ransomware.Wins.Akira.ta.*; Ransomware.Wins.Akira; Trojan.Win.Akira)

• Microsoft’s Azure cloud was hit by a massive 15.72 Tbps distributed denial-of-service (DDoS) attack (3.64 billion packets per second) against a public IP address in Australia, sourced from over 500,000 IPs. The high-rate UDP flood is attributed to the Aisuru Turbo Mirai-class IoT botnet, which abuses compromised home routers, cameras, and other internet-connected devices.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (Trojan.Wins.Mirai)

• French social security service provider, Pajemploi, has suffered a data breach that resulted in the theft of personal data linked to up to 1.2 million of private employers using its childcare services. Exposed information reportedly includes full names, places of birth, postal addresses, Social Security numbers, Pajemploi and accreditation numbers, and banking institution names.
• AIPAC, a US political advocacy organization, has encountered a data breach tied to an external third-party system, with notification filed to the Maine attorney general on November 14^th. Unauthorized access occurred between October 2024 and February 2025, impacting 810 individuals and exposing personal identifiers. No threat actor claimed responsibility.

VULNERABILITIES AND PATCHES

• Fortinet warned of CVE-2025-58034, a FortiWeb command injection flaw actively exploited in the wild. The bug lets authenticated attackers run unauthorized code via crafted requests, with updates available for multiple 7.x and 8.x releases.

Check Point IPS provides protection against this threat (Fortinet FortiWeb Command Injection (CVE-2025-58034))

• Google fixed CVE-2025-13223, a high-severity type confusion flaw in Chrome’s V8 engine. The bug is being actively exploited to run malicious code via crafted web pages. Google has issued fixes in Chrome 142.0.7444.175 and later.
• Researchers warns of active exploitation and a public proof of concept of CVE-2025-11001, a 7-Zip Windows vulnerability that lets attackers run code by abusing ZIP symbolic link handling. The flaw carries a CVSS 7.0 score and was fixed in 7-Zip version 25.00.

THREAT INTELLIGENCE REPORTS

• Check Point Research uncovered a surge in fraudulent Black Friday domains and brand impersonation. Roughly 1 in 11 new Black Friday domains are malicious, and 1 in 25 domains referencing Amazon, AliExpress, or Alibaba pose active threats, with fake storefronts stealing credentials and payment data. Recent examples also mimic HOKA and AliExpress.
• Check Point researchers detailed a Europe-wide scam in which criminal networks use generative AI to impersonate health regulators and sell fake GLP-1 weight-loss products. The criminals clone logos and endorsements from the official health services, then localize persuasive ads to exploit drug shortages and public trust.
• Akamai discovered a RAT that disguises its C2 traffic as LLM chat completions API requests, sending Base64- and XOR-encoded payloads without standard headers. The malware steals data from remote access tools and browsers and deploys a .NET proxy toolkit with persistence.
• Researchers analyzed a Howling Scorpius campaign that used fake CAPTCHA prompts to install SectopRAT on a global data storage and infrastructure company, enabling remote control and lateral movement. Over 42 days, the attackers stole nearly 1 TB of data, deleted cloud backups, and deployed Akira ransomware across three networks, halting operations.
• Google analyzed a nearly three-year APT24 cyber-espionage campaign centered on the BadAudio C++ downloader, which uses AES-encrypted C2 traffic, cookie-embedded host profiling, and control-flow flattening to deploy payloads such as Cobalt Strike Beacon in memory. The research details how APT24 shifted from strategic web compromises to large-scale supply-chain and spear-phishing operations that weaponize FingerprintJS-based browser fingerprinting, DLL search-order hijacking, and repeatedly re-compromised Taiwanese marketing infrastructure to deliver BADAUDIO across more than 1,000 domains.

The post 24th November – Threat Intelligence Report appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 17th November, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

• Cl0p’s Oracle E-Business Suite (CVE-2025-61882) zero-day campaign continues to expand. There are new confirmed breaches at The Washington Post, Logitech, Allianz UK, and GlobalLogic, as well as a newly listed but unconfirmed breach involving the British National Health Service (NHS). The group has leaked data sets ranging from gigabytes to terabytes and is sending extortion emails to Oracle EBS customers. Oracle has issued emergency patches, but investigations indicate exploitation began months before disclosure.

Check Point IPS provides protection against this threat (Oracle Concurrent Processing Remote Code Execution)

• Payment processor Checkout.com has discloseda data breach by the ShinyHunters threat group. Attackers accessed documents from a legacy cloud storage system that wasn’t properly decommissioned, potentially affecting about 25% of current merchants. That being said, no payment card numbers or funds were compromised. The company is notifying impacted parties and regulators.
• DoorDash, a food delivery company, has confirmeda data breach after an employee fell victim to a social engineering scam. Contact details including names, physical addresses, email addresses, and phone numbers were accessed across the US, Canada, Australia, and New Zealand.
• Ransomware group dubbed “J Group” claims to have breached Australian engineering firm IKAD. The group has reportedly exfiltrated 800GB of data by exploiting a VPN flaw and maintaining undetected access for five months. IKAD confirmed a cyber incident and the theft of non-sensitive contract and HR information, while denying exposure of classified defence data.
• Pro-Russian group NoName057(16) launched DDoS attacks disrupting Danish government, municipal, and defense-related websites, including the Ministry of Transport, Borger.dk, and Terma. The outages were brief with no data loss, and the activity aligns with wider pro-Russia targeting of European institutions.
• Port Alliance, a Russian port operator handling coal and fertilizer exports, has reportedthree days of cyberattacks combining DDoS and attempted network intrusions. Terminals remain operational, but digital services were disrupted by a botnet of more than 15,000 rotated IP addresses. The goal of the attack was to destabilize operations and disrupt business processes.
• Princeton University disclosed a breach of its Advancement database on November 10, lasting less than 24 hours before attackers were removed. The compromised database contained names, contact information, and fundraising records for alumni, donors, faculty, students, and parents, but did not include Social Security numbers, passwords, or financial information.

VULNERABILITIES AND PATCHES

• Microsoft’s October Patch Tuesday Microsoft addressed63 vulnerabilities, including an actively exploited Windows zero-day, CVE-2025-62215, a kernel privilege escalation flaw used to gain admin access. It also addressed CVE-2025-60724, a critical GDI+ vulnerability rated 9.8 enabling remote code execution via malicious documents or uploaded files, impacting Windows and Office.

Check Point IPS provides protection against this threat (Microsoft Windows Kernel Privilege Escalation (CVE-2025-62215))

• Researchers uncoveredCVE-2025-20337 and CVE-2025-5777, critical zero-day flaws in Cisco Identity Service Engine and Citrix products actively exploited against internet-facing systems. The flaws enable remote code execution without login, administrator access, and deployment of custom in-memory webshells. The exploitation began before disclosure or complete patches.

Check Point IPS provides protection against these threats (Cisco Identity Services Engine Remote Code Execution (CVE-2025-20337), Citrix NetScaler Out-of-Bounds Read (CVE-2025-5777))

• Researchers analyzedCVE-2025-12480, a critical authentication bypass in the Triofox enterprise file sharing platform (CVSS 9.1). Attackers are actively exploiting it to create admin accounts and run code via the built-in antivirus feature, installing remote access tools and tunneling RDP.

Check Point IPS provides protection against this threat (Gladinet Triofox Authentication Bypass (CVE-2025-12480))

THREAT INTELLIGENCE REPORTS

• Check Point Research reports on a fragmented ransomware landscape in Q3 2025, with 85 active groups and 1,592 victims listed across leak sites, averaging 535 victims per month. Qilin led activity while LockBit 5.0 returned, signaling potential recentralization. Manufacturing and business services remained the most affected sectors.
• Check Point Research published its October 2025 global threat report, highlighting a continued rise in cyberattacks, with organizations averaging 1,938 weekly attacks (+5% YoY) and ransomware incidents surging 48% YoY. The report also notes escalating GenAI-related data leakage risks, with 1 in 44 enterprise prompts exposing sensitive information.
• Check Point researchers analyzed a phishing campaign abusing Meta’s Facebook Business Suite and the facebookmail.com domain to deliver convincing fake notifications. More than 40,000 emails targeted over 5,000 organizations across the US, Europe, Canada, and Australia, targeting SMBs in advertising-reliant sectors, bypassing filters, and directing victims to credential-harvesting sites.
• Check Point researchers profiledthe Payroll Pirates, a malvertising network impersonating payroll systems, credit unions, and trading platforms in the US. Using Google and Microsoft ads, cloaking, and Telegram bots to bypass authentication codes, it has targeted over 200 interfaces and lured more than 500,000 users, with activity spiking in September 2025.

The post 17th November – Threat Intelligence Report appeared first on Check Point Research.