Threat
alerts

Active since May 2025, the financially motivated cybercriminal group Storm-2561 has been utilising Search Engine Optimisation (SEO) poisoning to distribute counterfeit Virtual Private Network (VPN) clients. The campaign redirects users who are searching for legitimate enterprise VPN software to attacker-controlled websites. This leads to the deployment of digitally signed trojans that masquerade as trusted VPN clients, ultimately designed to harvest sensitive VPN credentials.

Unlike traditional state-sponsored espionage actors who remain dormant to ensure long-term intelligence collection, Handala’s operational doctrine is defined by a rapid "disrupt, leak, and amplify" lifecycle. The group prioritises immediate visibility, psychological warfare, and the maximisation of organisational and repetitional damage.

CVE-2026-20127 is a critical authentication bypass vulnerability (CVSS Base Score: 10.0) affecting the Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage). The vulnerability has been exploited in the wild as a zero-day since at least 2023 by a highly sophisticated threat actor tracked by Cisco Talos as UAT-8616. This flaw allows an unauthenticated, remote attacker to bypass authentication mechanisms and obtain high-level administrative privileges on affected systems.

Exploitation of CVE-2026-22769, a critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines (CVSS 10.0), represents a tactical pivot by the PRC-nexus threat cluster UNC6201. As organisations strengthen traditional endpoint defenses, this actor has redirected focus toward the "security blind spots" of enterprise infrastructure, providing a quiet environment for high-fidelity espionage.

The disclosure of CVE-2026-1731 marks a significant escalation in the exploitation of unauthenticated remote code execution (RCE) vulnerabilities within enterprise-tier management consoles. The flaw resides in a Java-based deserialisation engine where the absence of a look-ahead object filter allows attackers to inject malicious serialised payloads via the administrative API.

A coordinated investigation has revealed that the official update infrastructure for Notepad++ was compromised by the state-linked threat actor Lotus Blossom. Between June and December 2025, attackers hijacked the application's update mechanism to deliver a previously undocumented backdoor, identified as Chrysalis, to selected targets. The compromise involved the breach of a hosting provider to redirect update traffic, rather than the alteration of the Notepad++ source code itself.

Mustang Panda is a persistent, China-aligned cyber-espionage collective active since at least 2012, primarily targeting the economic data of national governments, and critical infrastructure operators. In the recent years, researchers documented a significant pivot from simple data collection to active surveillance.

Researchers at Push Security have uncovered ConsentFix, a sophisticated evolution of browser-based phishing that weaponises the trust in the OAuth 2.0 framework. Unlike traditional attacks that rely on fake login pages, the campaign exploits legitimate authentication processes of First-Party Microsoft applications as they are implicitly trusted and often "pre-consented" within corporate networks, allowing them to bypass the security.

Veeam Software disclosed a suite of critical vulnerabilities impacting its flagship Backup & Replication (VBR) platform. These flaws, most notably CVE-2025-59470 and CVE-2025-55125, facilitate Remote Code Execution (RCE), allowing attackers to compromise the backup infrastructure. A successful exploit provides a centralised hub for data exfiltration and enables attackers to irreversibly encrypt or delete recovery points, effectively neutralising an organisation's ransomware recovery capabilities.