Zero Day Wire - Zero Day Wire (Page 6)

Threats

Iranian APT42 Deploys TAMECAT Backdoor Against Defense and Government Officials

Security researchers have published a detailed technical analysis of TAMECAT, a PowerShell-based backdoor used by Iran's APT42 in espionage campaigns targeting senior defense and government officials. The malware, documented by Pulsedive Threat Research with additional reporting from Israel's National Digital Agency, demonstrates sophisticated anti-detection techniques and

Threats

Operation Bizarre Bazaar: First LLMjacking Marketplace Monetizes Stolen AI Infrastructure Access

Security researchers have documented the first fully attributed criminal operation dedicated to hijacking and reselling unauthorized access to AI infrastructure at scale. Dubbed Operation Bizarre Bazaar, the campaign represents a complete LLMjacking supply chain—from initial reconnaissance to commercial marketplace monetization—operated by a threat actor known as "Hecker&

Alerts

Critical Kyverno Vulnerability Allows Cluster Admin Takeover via Policy Abuse (CVE-2026-22039)

The maintainers of Kyverno, a widely deployed Kubernetes-native policy engine, have released an emergency patch for a critical vulnerability that completely breaks namespace isolation boundaries. Tracked as CVE-2026-22039 and carrying a maximum CVSS score of 10, the flaw allows any authenticated user with permission to create namespaced policies to effectively

Alerts

CISA Adds Actively Exploited Ivanti EPMM Vulnerability to KEV Catalog (CVE-2026-1281)

CISA has added a critical Ivanti Endpoint Manager Mobile (EPMM) vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. Tracked as CVE-2026-1281, the code injection vulnerability allows attackers to achieve unauthenticated remote code execution on affected systems. Urgent Deadline Federal agencies are required to apply

Threats

North Korea's LABYRINTH CHOLLIMA Splinters into Three Specialized Cyber Units

CrowdStrike Intelligence has reclassified LABYRINTH CHOLLIMA, the North Korean threat group behind the 2017 WannaCry ransomware attack, into three distinct operational units with specialized missions, malware, and targeting patterns. The new attribution framework recognizes GOLDEN CHOLLIMA, PRESSURE CHOLLIMA, and a narrower core LABYRINTH CHOLLIMA group as separate adversaries that emerged

Threats

Google Disrupts IPIDEA, One of the World's Largest Residential Proxy Networks Used by 550+ Threat Groups

Google Threat Intelligence Group (GTIG) has led a coordinated disruption of IPIDEA, believed to be one of the largest residential proxy networks in the world. The operation reduced the network's available device pool by millions and exposed infrastructure leveraged by over 550 threat groups in a single week.

Alerts

SolarWinds Web Help Desk Hit with Six Critical Vulnerabilities Including Multiple RCE Flaws

SolarWinds has released an emergency patch for Web Help Desk (WHD), addressing six security vulnerabilities—four rated critical—that could allow unauthenticated attackers to fully compromise host systems. The flaws, discovered by researchers Jimi Sebree of Horizon3.ai and Piotr Bazydło of watchTowr, include multiple remote code execution vectors, authentication

Threats

Fake ClawdBot VS Code Extension Deploys ScreenConnect RAT on Developer Machines

Security researchers at Aikido Security have discovered a malicious Visual Studio Code extension masquerading as "ClawdBot Agent," a fake version of the popular AI coding assistant. The extension functions as a fully working AI tool while silently deploying remote access malware to Windows machines. The real ClawdBot team

Breaches

eScan Antivirus Compromised in Supply Chain Attack, Pushes Malware Through Legitimate Updates

Security firm Morphisec has uncovered a supply chain compromise affecting eScan antivirus software, where attackers distributed malicious updates through the vendor's legitimate update infrastructure. Discovered on January 20, 2026, the attack targeted both enterprise and consumer editions of the MicroWorld Technologies product, deploying multi-stage malware to endpoints worldwide.

Alerts

Critical SandboxJS Vulnerability Allows Complete Sandbox Escape and Remote Code Execution (CVE-2026-23830)

A critical vulnerability in SandboxJS, a widely used library for safely executing untrusted JavaScript code, allows attackers to completely escape the sandbox environment and achieve remote code execution on the host system. Tracked as CVE-2026-23830 and carrying a maximum CVSS score of 10.0, the flaw stems from an incomplete

Threats

Initial Access Broker TA584 Deploys High-Speed Phishing Campaigns with ClickFix Social Engineering and New Tsundere Bot Backdoor

The financially motivated threat actor TA584 has significantly escalated its initial access operations, adopting a high-speed attack model built around short-lived campaigns, rapid infrastructure changes, and aggressive social engineering techniques, according to research published by Proofpoint. The evolution reflects a broader shift in modern cybercrime where speed and adaptability now

Threats

Threat Actors Exploit React2Shell Vulnerability to Deploy Cryptocurrency Miners and Botnets Worldwide

Threat actors are actively exploiting a critical remote code execution vulnerability in React Server Components to compromise systems across multiple industries worldwide, deploying cryptocurrency miners, botnets, and remote access tools, according to research from BI.ZONE Threat Detection and Response. The vulnerability, tracked as CVE-2025-55182 and commonly referred to as