Cyber OSINT Overview, Dec 29 - Jan 4, 2026 #

This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.

Most Discussed Topics #

• The ‘MongoBleed’ vulnerability (CVE-2025-14847) has become a primary concern for security teams as 2025 closes, affecting nearly ubiquitous MongoDB database instances. The flaw involves a zlib-compressed network protocol issue that allows unauthenticated remote memory leaks. CISA added the defect to its Known Exploited Vulnerabilities (KEV) catalog following widespread reports of active exploitation. Researchers estimate that over 87,000 instances are exposed globally, with significant concentrations in the United States, China, and Germany. Mitigation requires immediate patching or disabling zlib compression.

• The Baltic Sea undersea cable disruptions have escalated concerns regarding hybrid warfare and critical infrastructure sabotage. Finnish authorities seized the cargo vessel ‘Fitburg’ on New Year’s Eve after it was observed dragging an anchor over a severed telecommunications cable. Two crew members, a Russian and an Azerbaijani national, were formally arrested on charges of aggravated sabotage. This incident follows similar disruptions in November involving cables connecting Finland to Germany and Sweden. NATO has officially designated deep-sea cables as critical infrastructure to prioritize proactive defense measures.

• The rise of ‘Agentic AI’ tools has introduced novel security risks, specifically regarding browser-based agents like OpenAI’s Atlas. Prompt injection has emerged as a central, potentially unfixable flaw where malicious instructions hidden in emails or websites command the agent to perform unauthorized actions. OpenAI released security updates to harden Atlas using adversarial training and reinforcement learning. European regulators are also investigating the misuse of AI tools like Grok for creating non-consensual deepfakes. These developments are forcing CISOs to establish strict governance frameworks for AI agent permissions and data access.

• Industrialized cybercrime models and the use of ‘MaaS’ (Malware-as-a-Service) have accelerated the velocity of attacks moving into 2026. Attackers increasingly utilize specialized roles, such as Initial Access Brokers and negotiation teams, to move from compromise to extortion within hours. There is a notable trend of hijacking legitimate business infrastructure, such as using stolen credentials to host malware on trusted websites. Remote Monitoring and Management (RMM) tools like ScreenConnect are frequently abused for persistence and lateral movement. Professionalization of the ecosystem has made traditional, reactive security measures insufficient.

Critical Vulnerabilities #

• SmarterMail Build 9406 and earlier are affected by a critical vulnerability (CVE-2025-52691/AV25-866) assigned a CVSS score of 10.0. The flaw allows unauthenticated remote attackers to perform arbitrary file uploads to any directory on the server. This can lead to full remote code execution if malicious web shells or binaries are uploaded. Organizations are advised to update to version Build 9413 or higher immediately. Multiple government agencies, including Singapore’s CSA and Canada’s Cyber Centre, have issued high-priority alerts for this defect.

• IBM API Connect versions 10.0.8.0 through 10.0.8.5 and 10.0.11 are exposed to a critical authentication bypass vulnerability (CVE-2025-13915) with a CVSS score of 9.8. The vulnerability allows remote attackers to bypass identity verification at critical points in the application. Exploitation requires no user interaction or existing privileges. IBM recommends applying interim fixes (iFixes) through Fix Central. A temporary mitigation involves disabling self-service sign-up on the Developer Portal.

• The RondoDoX botnet has begun weaponizing a critical Next.js Server Actions vulnerability known as React2Shell (CVE-2025-55182). This flaw allows unauthenticated attackers to achieve blind remote code execution on web applications and IoT devices. Since December 2025, over 90,000 systems have been identified as potentially vulnerable. Attackers use the flaw to deploy cryptominers and Mirai-based botnet components. Organizations using Next.js are urged to patch immediately and implement network segmentation.

• WHILL Model C2 electric wheelchairs and Model F power chairs possess a critical vulnerability (CVE-2025-14346) with a CVSS score of 9.8. The devices do not enforce authentication for Bluetooth connections, allowing attackers within range to take control of product movement. Malicious actors can override speed restrictions and manipulate configuration profiles without user credentials. WHILL deployed firmware fixes on December 29, 2025, including device-side speed profile protection. Users should contact the vendor for immediate remediation details.

Major Incidents #

• Covenant Health has confirmed that a May 2025 ransomware attack by the Qilin group compromised the sensitive data of 478,188 individuals. The breach affected names, dates of birth, Social Security numbers, medical record numbers, and health insurance information. The organization completed its data analysis in December 2025 and began mailing notification letters on New Year’s Eve. Qilin, one of the most active ransomware gangs of 2025, exfiltrated 852 GB of data during the incident. Affected facilities span across New England and Pennsylvania.

• Trust Wallet reported a massive $8.5 million cryptocurrency theft affecting over 2,500 user wallets on December 24, 2025. The incident resulted from a supply chain attack that compromised the Chrome Web Store API key, allowing attackers to upload a trojanized version of the browser extension (v2.68.0). The malicious extension bypassed internal approvals and exfiltrated sensitive wallet data, including seed phrases. Trust Wallet has attributed the attack to the second wave of the Shai-Hulud NPM campaign. The company has announced plans to voluntarily reimburse all affected users.

• La Poste and La Banque Postale in France experienced significant disruptions following a DDoS attack on January 1, 2026. The pro-Russian group NoName057(16) claimed responsibility for the incident, which temporarily disabled parcel tracking and online banking services. This follows a separate attack by the same group that took place in late December 2025. Authorities emphasize that no customer data was compromised, as the attack targeted system availability rather than data integrity. An official investigation has been launched by the Paris prosecutor’s office.

• Sedgwick Government Solutions, a subsidiary of claims administrator Sedgwick, confirmed a cyber incident after the TridentLocker ransomware gang claimed to have stolen 3.4 GB of data. The subsidiary provides risk management services to sensitive US agencies, including CISA and DHS. Sedgwick stated that the impacted isolated file transfer system was segmented from the rest of the business, and claims management servers were unaffected. TridentLocker is a new group that emerged in November 2025 and has previously targeted bpost. The company has notified law enforcement and relevant federal clients.

• Tokyo FM Broadcasting Co. in Japan is investigating claims of a massive data breach involving over 3 million individual records. A threat actor using the alias ‘victim’ announced the breach on January 1, 2026, alleging exfiltration of names, birthdays, and email addresses. Technical data, including internal login IDs and IP addresses, were also reportedly taken. Cybersecurity analysts are currently verifying the authenticity of the claims. The incident highlights the continued targeting of media entities during holiday periods.

Emerging Threats #

• Ransomware groups are increasingly shifting toward a ‘pure exfiltration’ model that eliminates the encryption phase entirely. These stealthy attacks involve stealing data over weeks or months and extorting victims long after the initial breach occurs. Attackers favor this model because it minimizes malware footprints and reduces the risk of detection by EDR tools. Legitimate tools like Azure Copy and RClone are frequently used to blend data theft with normal cloud operations. Victims often pay the ransom due to fears of regulatory fallout even without system downtime.

• A sophisticated phishing campaign is abusing Google’s Application Integration infrastructure to target over 3,000 organizations, primarily in the manufacturing sector. Malicious emails originate from the legitimate address [email protected], allowing them to bypass major authentication protocols like SPF, DKIM, and DMARC. The emails impersonate Google Tasks notifications to trick users into clicking links that lead to malicious pages on Google Cloud Storage. Because the sender and infrastructure are trusted, traditional security gateways fail to block the messages. This represents a dangerous shift toward utilizing trusted cloud services to harvest enterprise credentials.

• The ‘Kimwolf’ botnet has rapidly expanded to infect over 2 million devices globally, primarily targeting Android TV boxes and digital photo frames. Kimwolf spreads by tunneling through residential proxy networks and infecting devices behind home firewalls. Many infected devices are unbranded Android TV boxes sold on major e-commerce platforms that come pre-installed with proxy malware. The botnet is used for ad fraud, content scraping, and crippling DDoS attacks. Security researchers note that most victims are located in Vietnam, Brazil, and the United States.

• The HoneyMyte (aka Mustang Panda) APT group has evolved its tactics by deploying kernel-mode rootkits to deliver and protect the ToneShell backdoor. The group uses driver files signed with stolen or leaked digital certificates to register as system mini-filters. This allows the malware to hide its own modules and provide persistence for the backdoor components. The campaign primarily targets government organizations in Southeast Asia, specifically Myanmar and Thailand. Analysts suspect the actor leverages previously compromised machines as an initial entry vector.

Regulatory and Policy Updates #

• China’s amended Cybersecurity Law came into force on January 1, 2026, introducing the most significant regulatory shifts since 2017. The update mandates near-real-time incident reporting for critical infrastructure operators, with timelines as short as 60 minutes for severe events. It also increases executive liability and swift regulatory penalties for non-compliance. These measures consolidate previous obligations into a unified framework managed by the Cyberspace Administration of China (CAC). Foreign entities selling products into the Chinese market must adapt to these shortened disclosure windows immediately.

• Estonia has implemented the European Union’s NIS2 directive through the Cybersecurity Act, which came into force in January 2026. The new law expands the number of organizations subject to mandatory cybersecurity requirements from 3,500 to 6,500 entities. Sectors now covered include air travel, railways, remote heating, ports, and hospitals. Organizations must perform regular risk assessments and implement specific defensive measures, with management now bearing clearer responsibility for security posture. Transition periods for compliance range from three to five years depending on the service’s criticality.

Security Operations #

• Enterprise security operations are shifting toward a ‘unified platform’ model that leverages AI to automate repetitive tasks like alert triage and enrichment. This approach, often called ‘Agentic Security Operations,’ aims to free up SOC analysts for strategy and preventative work. Security leaders are experimenting with ‘AI 동료’ (AI colleagues) that function like digital interns with specific job descriptions and human supervisors. The integration of real-time data fabrics and zero-copy data models is becoming essential to support the high performance required for automated remediation. These advancements help address chronic staffing shortages and alert fatigue in large organizations.

• Deception technology and synthetic data are emerging as highly effective counterintelligence tools against sophisticated threat actors. Cybersecurity firms like Resecurity are deploying ‘honeypot’ accounts populated with realistic but synthetic data to monitor unauthorized activity. By cross-referencing attacker IP addresses and logging residential proxies, defenders can gather behavioral data without risking actual production environments. This strategy has successfully misled the ShinyHunters group, which recently made overstated claims of breaching Resecurity internal systems. Using synthetic data generated by LLMs helps create deceptive models that attract attackers while providing no actionable intel.

Wins #

• Two cybersecurity professionals, Ryan Goldberg and Kevin Martin, pleaded guilty to federal charges for their involvement in deploying ALPHV BlackCat ransomware. The defendants, who worked as ransomware negotiators and incident responders, successfully extorted approximately $1.2 million from a medical device company. They conspired with ransomware operators to receive a share of the payments and laundered funds using mixers. Their convictions send a strong signal regarding accountability for ‘insider’ threats within the security industry. Sentencing is scheduled for March 2026.

Disclaimer #

The summaries in this brief are generated autonomously by a LLM based on provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.

The brief is created in collaboration with BlackStork and is based on a free template.

Reach out if you have questions or suggestions.