Threat
alerts

The disclosure of CVE-2026-1731 marks a significant escalation in the exploitation of unauthenticated remote code execution (RCE) vulnerabilities within enterprise-tier management consoles. The flaw resides in a Java-based deserialisation engine where the absence of a look-ahead object filter allows attackers to inject malicious serialised payloads via the administrative API.

A coordinated investigation has revealed that the official update infrastructure for Notepad++ was compromised by the state-linked threat actor Lotus Blossom. Between June and December 2025, attackers hijacked the application's update mechanism to deliver a previously undocumented backdoor, identified as Chrysalis, to selected targets. The compromise involved the breach of a hosting provider to redirect update traffic, rather than the alteration of the Notepad++ source code itself.

Mustang Panda is a persistent, China-aligned cyber-espionage collective active since at least 2012, primarily targeting the economic data of national governments, and critical infrastructure operators. In the recent years, researchers documented a significant pivot from simple data collection to active surveillance.

Researchers at Push Security have uncovered ConsentFix, a sophisticated evolution of browser-based phishing that weaponises the trust in the OAuth 2.0 framework. Unlike traditional attacks that rely on fake login pages, the campaign exploits legitimate authentication processes of First-Party Microsoft applications as they are implicitly trusted and often "pre-consented" within corporate networks, allowing them to bypass the security.

Veeam Software disclosed a suite of critical vulnerabilities impacting its flagship Backup & Replication (VBR) platform. These flaws, most notably CVE-2025-59470 and CVE-2025-55125, facilitate Remote Code Execution (RCE), allowing attackers to compromise the backup infrastructure. A successful exploit provides a centralised hub for data exfiltration and enables attackers to irreversibly encrypt or delete recovery points, effectively neutralising an organisation's ransomware recovery capabilities.

Jamf Threat Labs has identified a significant evolution in the deployment tactics of the MacSync Stealer malware. Previously reliant on social engineering techniques such as "ClickFix" or "drag-to-terminal" instructions, threat actors have shifted towards a more sophisticated approach. The malware is now being distributed as a code-signed Swift application, significantly increasing its ability to bypass standard macOS security controls.

Rapid7 Labs has uncovered a new, actively developing Malware-as-a-Service (MaaS) threat known as "SantaStealer". Currently promoted via Telegram and underground forums (specifically the Russian-language forum Lolz), this malware is an evolution of the previously identified "BluelineStealer".

CVE-2025-55182 is a critical, unauthenticated RCE in React Server Components affecting React 19.x and Next.js. This unsafe deserialisation flaw is actively exploited by a bifurcated landscape: PRC-linked groups targeting espionage and persistence, alongside cybercriminals deploying ransomware. Post-exploitation tradecraft has escalated rapidly, now featuring novel Linux backdoors like "PeerBlight," WAF evasion, and direct attacks on cloud control planes.

Threat actors are increasingly pivoting toward social engineering strategies, specifically towards the "ClickFix" tactic that tricks users into manually running malicious scripts. This technique effectively circumvents standard perimeter defences, such as "Mark-of-the-Web" (MOTW) controls and browser sandboxes.