Zero Day Wire - Zero Day Wire (Page 3)

Threats

ScarCruft Deploys Six Malware Families in Ruby Jumper Campaign to Breach Air-Gapped Networks via USB Propagation

North Korean threat actor ScarCruft has deployed a fresh arsenal of six malware families in a campaign codenamed Ruby Jumper that targets air-gapped networks through USB-based propagation and abuses Zoho WorkDrive as command-and-control infrastructure — the first time the group has used this cloud service in its operations. The campaign, discovered

Threats

New Threat Actor UAT-10027 Deploys Dohdoor Backdoor Against US Education and Healthcare Using DNS-over-HTTPS for Stealth C2

Cisco Talos has disclosed a previously undocumented threat activity cluster tracked as UAT-10027 that has been targeting US education and healthcare organizations since at least December 2025 with a novel backdoor called Dohdoor. The backdoor uses DNS-over-HTTPS (DoH) for command-and-control communications and hides behind Cloudflare infrastructure, making all outbound C2

Threats

Aeternum C2 Botnet Uses Polygon Blockchain as Sole Command Infrastructure, Making Traditional Takedowns Impossible

Qrator Research Lab has identified a new botnet called Aeternum C2 that represents a fundamental shift in how botnets maintain command and control: it uses the Polygon blockchain as its sole C2 infrastructure, publishing all operator commands through smart contracts that are replicated across thousands of nodes worldwide. Unlike previous

Threats

US Sanctions Russian Exploit Broker Operation Zero for Acquiring Stolen Zero-Days From Jailed L3Harris Executive

The US government has sanctioned Russian exploit broker Operation Zero (Matrix LLC), its owner Sergey Sergeyevich Zelenyuk, and six associated individuals and entities for acquiring and distributing cyber exploits that harmed national security. The sanctions directly follow the sentencing of Peter Williams, the former L3Harris/Trenchant cyber executive who was

Alerts

Cisco SD-WAN Zero-Day Exploited Since 2023 by Sophisticated Threat Actor — CVSS 10.0 Authentication Bypass Triggers CISA Emergency Directive

A CVSS 10.0 authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and SD-WAN Manager has been under active exploitation since 2023 — over two years before disclosure — by a highly sophisticated threat actor that used it to compromise network management infrastructure and establish persistent footholds in high-value organizations. The vulnerability,

Breaches

PayPal Confirms Six-Month Data Exposure After Loan System Code Error Leaked Social Security Numbers

PayPal has confirmed a data exposure incident affecting its Working Capital (PPWC) business loan service, where a software code change left sensitive customer information accessible for nearly six months before being detected. The exposure ran from 1 July 2025 to 12 December 2025, when the error was finally discovered and

Threats

AWS Reports 600+ FortiGate Firewalls Compromised in AI-Augmented Campaign by Russian-Speaking Cybercrime Group

A financially motivated Russian-speaking cybercrime group compromised more than 600 internet-exposed FortiGate firewalls across 55 countries in just over a month, using off-the-shelf generative AI tools to scale an operation that would traditionally require a well-resourced team, according to a new incident report from AWS. The campaign, which ran from

Threats

ClickFix Campaign Compromises Legitimate Sites to Deploy MIMICRAT — A Custom C++ RAT With 22 Post-Exploitation Commands

Elastic Security Labs has disclosed a new ClickFix campaign that leverages compromised legitimate websites as delivery infrastructure to deploy a previously undocumented remote access trojan dubbed MIMICRAT (also tracked as AstarionRAT). The campaign, discovered earlier this month, demonstrates significant operational sophistication — from multi-stage PowerShell chains that bypass Windows security controls

Threats

ShinyHunters Linked to Device Code Vishing Attacks Targeting Microsoft Entra Accounts via OAuth 2.0 Abuse

A new wave of attacks is combining voice phishing (vishing) with OAuth 2.0 device authorization abuse to compromise Microsoft Entra accounts at technology, manufacturing, and financial organizations — bypassing traditional phishing infrastructure entirely. Sources told BleepingComputer they believe the ShinyHunters extortion gang is behind the campaigns, which the threat actors

Threats

Massiv Android Banking Trojan Disguised as IPTV Apps Enables Full Device Takeover for Financial Fraud

ThreatFabric has disclosed a new Android banking trojan called Massiv that masquerades as IPTV streaming apps to gain access to victims' devices, enabling full remote control and financial fraud through device takeover attacks. Although currently observed in a limited number of targeted campaigns, the malware already poses significant risk

Threats

CRESCENTHARVEST Campaign Deploys RAT Malware Against Iran Protest Supporters Using DLL Sideloading via Signed Google Binary

Acronis Threat Research Unit (TRU) has disclosed a new espionage campaign dubbed CRESCENTHARVEST that targets supporters of Iran's ongoing protests with a custom remote access trojan designed for long-term surveillance and data theft. The campaign, observed since January 9, 2026, is believed to be the work of an

Threats

Underground Telegram Channels Weaponize SmarterMail Exploits Within Days of Disclosure, Enabling Ransomware Campaigns

Researchers at Flare have documented the rapid weaponization of critical SmarterMail vulnerabilities across underground Telegram channels, showing how threat actors moved from disclosure to exploit sharing to ransomware deployment in a matter of days. The activity centers on two critical vulnerabilities — CVE-2026-24423 (CVSS 9.3), an unauthenticated remote code execution