January 25, 2026

Cyber OSINT Overview, Jan 19 - Jan 25, 2026

This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.

Most Discussed Topics

  • Artificial intelligence is shifting from a conceptual risk to an operational tool for both offensive and defensive cybersecurity actions. Threat actors are now using AI to author entire malware frameworks like VoidLink and generate sophisticated PowerShell backdoors, while defenders are integrating AI into SOC workflows and threat hunting. The industry is currently grappling with the ‘agentic’ shift, where AI systems perform autonomous actions rather than just providing analysis. This transition introduces new vulnerabilities like prompt injection and automated lateral movement that traditional security stacks are not yet tuned to detect.
  • Critical infrastructure, particularly in the energy and manufacturing sectors, faces an intensifying wave of targeted cyberattacks from state-aligned groups. Pro-Russian group Sandworm has been linked to failed data-wiping attacks against Poland’s power grid, while China-nexus actors like UAT-8837 are exploiting zero-day vulnerabilities in public-facing applications to gain initial access to North American infrastructure. These campaigns utilize destructive malware such as DynoWiper and sophisticated reconnaissance to disrupt services and steal sensitive configurations. The high dependency on interconnected IT and OT systems makes these sectors lucrative targets for both espionage and extortion.
  • CISA and other global agencies have rapidly updated their Known Exploited Vulnerabilities (KEV) catalogs to address active threats in widely used enterprise platforms. Major updates include vulnerabilities in Cisco Unified Communications, VMware vCenter, and common developer tools like Vite and Prettier. Active exploitation of these flaws often involves unauthenticated remote code execution or authentication bypass, allowing attackers to escalate privileges and fully compromise network infrastructure. Organizations are being urged to prioritize these patches immediately, as they are frequently leveraged by both state-sponsored actors and initial access brokers.

Critical Vulnerabilities

  • An 11-year-old critical authentication bypass vulnerability, CVE-2026-24061, has been discovered in GNU InetUtils telnetd versions 1.9.3 to 2.7. The flaw allows unauthenticated remote attackers to obtain root access by injecting specific environment variables into the system login process. Multiple proof-of-concept exploits are publicly available, and active exploitation has already been observed in the wild. Defenders are advised to disable telnetd immediately or upgrade to version 2.8, as the service is still widely used in legacy OT/ICS environments.
  • Cisco has released emergency patches for CVE-2026-20045, a critical unauthenticated remote code execution (RCE) vulnerability in Unified Communications products. The flaw stems from improper input validation in HTTP requests, allowing attackers to execute commands with root privileges. CISA has added the vulnerability to the KEV catalog following confirmed reports of real-world exploitation. Impacted products include Unified CM, Unity Connection, and Webex Calling Dedicated Instance, requiring immediate patching to prevent full system compromise.
  • Oracle’s January 2026 Critical Patch Update addresses a maximum-severity vulnerability, CVE-2026-21962, in the WebLogic Server Proxy Plug-in. An unauthenticated remote actor can exploit this flaw via HTTP to gain unauthorized access to critical data, including creation, deletion, or modification rights. The vulnerability affects Oracle HTTP Server and WebLogic deployments using Apache or IIS plug-ins. A public proof-of-concept (PoC) is now available, significantly increasing the risk for internet-facing middleware infrastructure.
  • Fortinet has confirmed that critical FortiCloud Single Sign-On (SSO) authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) are being exploited against devices that were thought to be fully patched. Threat actors are using forged SAML assertions to create local administrator accounts for persistence and exfiltrating configuration files. Investigations suggest the initial fixes may be incomplete or that a secondary attack path exists. Administrators are urged to manually disable FortiCloud SSO and monitor logs for unusual configuration exports and unauthorized account creation.

Major Incidents

  • Sportswear giant Under Armour is investigating a massive data breach after customer records for 72 million unique email addresses were published on a popular cybercrime forum. The data set allegedly includes full names, purchase histories, physical locations, and dates of birth, stemming from a November 2025 attack claimed by the Everest ransomware group. While the company stated that payment systems and passwords were not affected, the public distribution of the database poses a significant risk for targeted phishing and identity theft. The incident has already led to a class-action lawsuit alleging negligence in data protection.
  • Nike is probing a potential security breach after the WorldLeaks cybercrime group published 1.4TB of stolen data, containing over 188,000 files, on their Tor leak site. WorldLeaks, an extortion-focused group that recently rebranded from Hunters International, has shifted away from file encryption to pure data theft and extortion. The footwear giant has launched an investigation to verify the claims and assess the impact on consumer privacy. This incident follows a broader trend of high-profile retail and apparel brands being targeted by data theft collectives using similar extortion tactics.
  • IT distribution leader Ingram Micro confirmed that a July 2025 ransomware attack led to the theft of sensitive personal data for over 42,000 individuals. The attackers breached internal file repositories, exfiltrating employment records and applicant information including names and contact details. Although the initial operational disruption lasted only a week, the full scope of the data theft was not discovered until December 2025. The company has begun notifying affected individuals and regulatory authorities as required by state laws.

Emerging Threats

  • A new era of AI-authored malware has emerged with the discovery of VoidLink, an advanced Linux framework developed almost entirely by artificial intelligence. Researchers found that a single actor orchestrated the malware’s creation in under a week using generative models for planning, coding, and testing. VoidLink features high maturity, including eBPF and LKM rootkits and modules for cloud enumeration in AWS and Azure. This normalization of high-complexity attacks through AI significantly lowers the resource barrier for advanced offensive operations.
  • Attackers are weaponizing Google Calendar invites to perform indirect prompt injection against AI assistants like Gemini. By embedding hidden instructions in event descriptions, threat actors can trick an AI assistant into summarizing confidential meeting data and leaking it to an attacker-controlled event. While this specific issue was reported as fixed, the broader risk of agentic browsers and assistants processing untrusted external inputs remains high. Organizations are advised to restrict auto-add features in calendars and review domain-wide sharing settings.
  • North Korean threat actors, including Kimsuky and PurpleBravo, are evolving their social engineering tactics to target high-value engineering teams. The ‘Contagious Interview’ campaign now uses personalized LinkedIn recruiter lures and weaponized VS Code extensions to deliver malware like BeaverTail and MoonPeak. These groups are leveraging AI-generated phishing content and malicious ‘ClickFix’ lures that trick users into running commands to ‘repair’ their browsers. These campaigns specifically target software developers with access to blockchain infrastructure and cryptocurrency holdings.
  • A mass spam campaign is abusing Zendesk’s automated ticket creation system to flood inboxes with thousands of legitimate-looking emails from trusted brands like Discord and Dropbox. Termed ‘relay spam,’ the technique involves creating fake support tickets using a victim’s email address, triggering an automatic confirmation mail. While no phishing links have been identified, the high volume of ‘noise’ can be used to disrupt operations or hide other malicious activity. Zendesk has introduced new safety features, but administrators are encouraged to restrict ticket submissions to verified users.

Regulatory and Policy Updates

  • The European Commission has proposed a revised Cybersecurity Act aimed at phasing out ‘high-risk’ mobile and telecom products from the EU’s ICT supply chains. The legislation builds on the 5G security toolbox and specifically targets equipment from non-EU countries deemed to pose a national security risk, notably Russia and China. Once the act is passed, mobile networks will have 36 months to comply, while fixed and satellite networks will follow their own transition periods. Huawei has already criticized the move, claiming it violates WTO obligations and basic legal principles of non-discrimination.
  • NIST officials have warned that significant staffing cuts are impacting the agency’s ability to maintain core cybersecurity priorities, including encryption validation. The lab responsible for testing and validating the U.S. government’s encryption has lost nearly 90 employees since 2025, leading to concerns about growing backlogs. While the agency is pushing for automation to reduce validation times, current workforce constraints are slowing the transition to post-quantum cryptographic standards. This reduction comes as federal agencies face a 2030 deadline to deprecate classical algorithms like RSA.
  • Google has agreed to pay an $8.25 million settlement to resolve allegations that its AdMob platform collected data from children’s apps without parental consent. The class-action lawsuit claimed that Google’s ‘Designed for Families’ program failed to enforce COPPA compliance, allowing the collection of exact locations, device IDs, and IP addresses. This settlement arrives as the FTC strengthens COPPA rules to include biometric data and mandatory opt-ins for targeted advertising. Families in most U.S. states are eligible for payments, though New Mexico is excluded due to a prior state-level settlement.

Security Operations

  • Critical vulnerabilities have been identified in the reference implementations of the Model Context Protocol (MCP) maintained by Anthropic and Microsoft. These flaws, including path traversal and argument injection, allow attackers to leverage prompt injection to create malicious files or achieve remote code execution on the underlying host. Because many developers use these servers as blueprints for integrating AI into development tools like Git, the risk of supply-chain compromise is elevated. Security teams should treat AI-interfacing tools as privileged services and implement strict input validation for all LLM-driven parameters.
  • Modern security operations are increasingly prioritizing centralized logging as a defense against ‘SIEM sprawl’ and high alert fatigue. Aggregating logs from disparate systems—including email, endpoint, cloud, and identity—into a single view reduces the risk of real threats being lost in ‘noise.’ Unified platforms are helping teams perform faster investigations and more accurate threat detection by correlating events across domains. This trend is driven by the fact that attackers frequently use legitimate tools, making behavioral context more critical than individual indicators.
  • Phased application control rollouts are being advocated as a strategic baseline to reduce technical debt and minimize disruption. Following NIST’s five-phase approach—inventory, design, pilot, scale, and sustain—allows security teams to introduce controls without impacting business productivity. This method ensures that critical applications are protected while providing the necessary visibility to refine policies before full-scale enforcement. Modern managed services are increasingly used to handle the operational burden of maintenance and automated patching associated with these controls.

Wins

  • The Pwn2Own Automotive 2026 competition concluded in Tokyo with security researchers earning a record-breaking $1,047,000 for 76 unique zero-day vulnerabilities. Exploits targeted Tesla infotainment systems, level 2 EV chargers, and in-vehicle infotainment units from brands like Alpine and Sony. Fuzzware.io claimed the ‘Master of Pwn’ title, demonstrating high-level expertise in breaking modern automotive components. The event highlights the critical need for manufacturers to address security at the design stage as automotive systems become increasingly connected.
  • A large-scale multi-state ATM jackpotting operation was dismantled following an investigation by the U.S. Secret Service and local law enforcement. Two Venezuelan nationals were convicted and sentenced for using laptops and specialized malware to force ATMs in the Southeastern United States to dispense all available cash. This conviction led to a broader federal grand jury indictment of 54 additional individuals tied to the Tren de Aragua criminal gang. The perpetrators face federal prison sentences and significant restitution orders before they are deported to Venezuela.
  • European law enforcement agencies have identified the alleged ringleader of the Black Basta ransomware group, nearly a year after a massive leak of internal chat logs. Oleg Evgenievich Nefedov, a Russian national, has been placed on the Europol and Interpol most-wanted lists for extorting over 100 German companies and 600 others globally. This naming aligns with a broader international strategy to target the core leadership of major cybercrime syndicates. While the group has been relatively dormant, authorities raided several co-conspirator residences in Ukraine, seizing data and cryptocurrency assets.

Disclaimer

The summaries in this brief are generated autonomously by an LLM based on provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.

The brief is created in collaboration with BlackStork and is based on a free template.

Reach out if you have questions or suggestions.