For the latest discoveries in cyber research for the week of 5th January, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

• Two US banks, Artisans’ Bank and VeraBank, disclosed that customer data was exposed in an August ransomware attack on their vendor, Marquis Software. The vendor was breached via SonicWall vulnerability, and while the banks’ own systems were not compromised, researchers estimate the incident may have affected in total up to 1.35 million people across dozens of financial institutions.
• Romania’s largest coal-based power producer, Oltenia Energy Complex, has faced a ransomware attack attributed to the Gentlemen group. The company said files were encrypted and Enterprise Resource Planning systems, email, and the website were disrupted, partially affecting operations, while power supply remained stable and recovery continues.
• Emurasoft, maker of EmEditor software, reported a website compromise that redirected the homepage download button to a fake installer for 4 days. The installer deployed infostealer malware that harvested credentials and added a rogue extension enabling remote control and cryptocurrency swapping.
• US-based Sedgwick Government Solutions, which manages claims, workforce health, risk, and productivity for government agencies and federal employees, has experienced a cybersecurity incident. The incident was limited to an isolated file transfer system, with no evidence of access to claims servers. The company notified law enforcement and clients after the TridentLocker ransomware group claimed an attack on December 31.
• Korean Air, South Korean airline, has suffered a data breach via KC&D Service, a vendor managing inflight catering and duty free. The incident exposed personal data of roughly 30,000 employees, including names and bank account numbers, while customer information was not affected. Cl0p claimed responsibility and reportedly exploited an Oracle E-Business Suite flaw.

Check Point IPS, Threat Emulation and Harmony Endpoint provide protection against this threat (Oracle Multiple Products Remote Code Execution; Ransomware.Win.Clop; Ransomware.Wins.Clop; Ransomware.Wins.Clop.ta.*)

• Trust Wallet, a cryptocurrency wallet provider, has disclosed a second Shai-Hulud supply-chain compromise of its Chrome extension, resulting in approximately $8.5 million in losses. Using a leaked Chrome store key, attackers published tampered v2.68 which exfiltrated wallet recovery phrases upon unlock.
• European Space Agency (ESA), has confirmed a cybersecurity incident affecting a very small number of external servers outside its corporate network. ESA began forensic analysis and secured potentially affected devices after a threat actor claimed to have stolen 200GB of source code and access credentials in mid-December.

VULNERABILITIES AND PATCHES

• Researchers highlighted CVE-2025-14346, a critical missing-authentication flaw in WHILL Model C2 and Model F power wheelchairs that enables attackers within Bluetooth range to take control. CISA urged immediate mitigations, warning that compromise could manipulate wheelchair movements and cause physical harm in healthcare and public settings. No public exploitation has been reported yet.
• Security researchers disclosed CVE-2025-20700, CVE-2025-20701 (CVSS 8.8) and CVE-2025-20702 (CVSS 9.6) affecting Airoha Bluetooth SoCs. The flaws enabling unauthenticated access to the RACE protocol, arbitrary memory operations, and nearby takeover of headphones to extract link keys and impersonate devices to access paired smartphones.
• A patch has been released for CVE-2025-47411, an important privilege escalation in Apache StreamPipes 0.69.0 to 0.97.0 caused by flawed user ID creation enabling JWT token manipulation. Attackers can impersonate existing administrators to gain full control.
• IBM API Connect, an enterprise API management platform, is affected by a critical authentication bypass vulnerability (CVE-2025-13915, CVSS 9.8) enabling remote unauthorized access without credentials. The flaw impacts versions 10.0.8.0 through 10.0.8.5 and 10.0.11.0, with patches and iFixes available; no exploitation has been reported.

THREAT INTELLIGENCE REPORTS

• Researchers exposed a new APT36 cyber espionage campaign targeting Indian government, academic, and strategic institutions. The Pakistan affiliated group delivers ZIP attachments disguised as PDFs that install ReadOnly and WriteOnly malware, which enables remote control, steals data, monitors clipboards, captures screenshots, and maintains access.
• DarkSpectre, a Chinese affiliated threat actor, has compromised 8.8 million Chrome, Edge, and Firefox users globally via campaigns including ShadyPanda, Zoom Stealer, and GhostPoster. The group employs malicious browser extensions with tactics such as time-bomb activation, dormant sleepers, PNG steganography, and heavy JavaScript obfuscation, exfiltrating corporate meeting data while impersonating videoconferencing tools and abusing browser platform permissions.
• Security researchers discovered two Chrome Web Store extensions, Chat GPT for Chrome with GPT-5 and AI Sidebar, that exfiltrate ChatGPT and DeepSeek chat histories, along with users’ browsing activity, every 30 minutes. The extensions collectively have over 900,000 installations, and one holds a Google Featured badge.
• Researchers identified the rapid expansion of the Kimwolf botnet, which has infected more than 2 million devices globally by abusing residential proxy networks to reach local devices behind home routers. The campaign leverages insecure Android TV boxes and digital photo frames to enable DDoS, ad fraud, account takeover, and mass scraping.

The post 5th January – Threat Intelligence Report appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 15th December, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

• The Indian government confirmed cyber incidents involving GPS spoofing at seven major airports, including Delhi, Mumbai, Kolkata, and Bengaluru. The attack affected aircrafts using GPS-based landing procedures. Despite signal disruption to navigation data, authorities stated no flights were cancelled or diverted, with contingency measures and Air Traffic Control safeguards preventing operational impact.
• US-based healthcare technology provider, TriZetto Provider Solutions, has notified healthcare clients of a long-running unauthorized access to a customer web portal. With this access a threat actor accessed historical eligibility transaction reports containing protected health information (PHI). Exposed data includes patient and insured PII.
• 700Credit, a US-based credit check and identity verification provider, suffered a data breach affecting at least 5.6 million people. The incident exposed private information after an unidentified attacker accessed dealer-collected data between May and October 2025. The company is notifying impacted individuals and offering credit monitoring, while Michigan’s attorney general urged affected users to enable credit freezes or monitoring to mitigate fraud risk.
• Pierce County Library System in Washington has disclosed a cyberattack impacting over 340,000 individuals after threat actors accessed its systems, forcing a full shutdown. The breach exposed user data and extensive employee PII. The attack was claimed by the INC ransomware gang, which has targeted multiple US government entities in 2025.

Check Point Threat Emulation provides protection against this threat (Ransomware.Wins.INC)

• The French Interior Ministry confirmed a cyberattack targeting its email servers, allowing an attacker to access a number of internal files. Authorities stated there is no evidence of serious data compromise at this stage. An investigation is ongoing, with no attribution yet identified.
• Russian Government IT contractor Mikord was reportedly breached by an anonymous hacker group. The group claims to have maintained access for months, exfiltrated source code, internal communications, financial and technical records, and damaged infrastructure tied to a firm allegedly involved in Russia’s unified military draft database. While Mikord’s director confirmed a hack, Russia’s Ministry of Defense denied any breach or data leak.
• An employee of Home Depot, the US home improvement retailer, had mistakenly exposed a private GitHub token, granting access to internal systems for nearly a year. The token enabled entry to hundreds of private code repositories and key cloud systems and was revoked upon discovery.

VULNERABILITIES AND PATCHES

• Google released an urgent Chrome update on to address a high severity flaw (CVE-2025-14174) actively exploited in the wild and linked to the ANGLE graphics library used for WebGL. The bug likely enables memory corruption that could allow remote code execution.
• Apple released emergency security updates to patch two actively exploited zero-day vulnerabilities, CVE-2025-43529 and CVE-2025-14174. The vulnerabilities were exploited in sophisticated targeted attacks against specific individuals. Both flaws affect WebKit and enable remote code execution or memory corruption via malicious web content, impacting iPhones, iPads, Macs, and other Apple platforms.
• SAP released details and patches for three vulnerabilities, including CVE-2025-42880 (code injection in Solution Manager, CVSS 9.9), CVE-2025-55754 (Commerce Cloud Tomcat flaws, CVSS 9.6), and CVE-2025-42928 (jConnect deserialization, CVSS 9.1), alongside several high severity issues.

THREAT INTELLIGENCE REPORTS

• Check Point Research reports a global rise in cyber attacks in November 2025, averaging 2,003 weekly attempts per organization, with education most targeted sector and rising exposure from generative AI. 727 ransomware incidents were recorded, a 22% increase YoY, with North America accounting for 55% of cases and industrial manufacturing being the top victim industry.
• Check Point Research exposed ValleyRAT’s modular system, including a kernel-mode rootkit that can remain loadable on fully updated Windows 11 despite built-in protections. The research linked leaked builder artifacts to plugins and identified about 6,000 samples, with roughly 85 percent emerging in the last six months after the builder’s public release.
• Check Point researchers revealed a phishing campaign where attackers impersonate file-sharing and e-signature services to deliver finance-themed lures that look like legitimate notifications. The attackers sent over 40,000 phishing emails targeting roughly 6,100 customers over the past two weeks, abusing Mimecast’s secure-link rewriting feature as a smokescreen to make their links appear safe and authenticated
• Researchers have analyzed STAC6565 campaign, which with high confidence is associated with the GOLD BLADE threat group (aka RedCurl, RedWolf, and Earth Kapre). The campaign is mostly targeting Canadian organizations, blending data theft with selective QWCrypt ransomware. The threat actor uses multi-stage infection chains that include payloads downloaded via WebDAV, DLL side-loading using legitimate Adobe components, and BYOVD abuse to evade detection.
• Researchers uncovered a new phishing technique called ConsentFix that tricks people into giving attackers access to their Microsoft accounts. The method uses a browser-native prompt that persuades victims to copy and paste a link. Once the link is submitted, attackers can get access without needing a password or multi-factor authentication.

The post 15th December – Threat Intelligence Report appeared first on Check Point Research.