This week’s cybersecurity threats highlight a growing trend: attackers don’t always need new exploits—they leverage ordinary tools, trusted workflows, and routine services in the wrong hands. Scale, patience, and misplaced trust often give adversaries more power than speed or spectacle.
Below is a roundup of the most notable incidents and campaigns.
Spear-Phishing Delivers Custom Backdoor
Operation Nomad Leopard targets Afghanistan
Government entities in Afghanistan were hit by a spear-phishing campaign that used fake administrative documents as lures to deliver a backdoor named FALSECUB. The delivery vehicle was an ISO image hosted on GitHub; the ISO contained a .LNK shortcut that opens the decoy PDF while executing the C++ payload, so the victim sees the expected document and nothing visibly wrong. The activity was detected in December 2025 and appears to be of low-to-moderate sophistication. The ISO-plus-LNK chain is a long-running pattern worth a detection rule on its own: look for shortcut files launched from a mounted image that spawn cmd.exe, PowerShell or an unknown executable alongside a document viewer, and triage the shortcut's string data (target, arguments, window mode) before anyone double-clicks it.
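Triaging the shortcut is mechanical once you know the Shell Link layout: a 76-byte header (flags at offset 0x14, ShowCommand at 0x3C), an optional IDList and LinkInfo that can be skipped by their size fields, then the StringData (name, relative path, working directory, arguments, icon) in a fixed order. The Python below is an added example, not code from the report or from the campaign: it builds a constructed lure-style .LNK (the file names, paths and payload name are invented), parses it back and flags the combination that this campaign relies on, a living-off-the-land binary plus a decoy document plus a hidden window.

```python
import struct
from typing import Any, Dict

# LinkFlags bits from the Shell Link Binary File Format (MS-SHLLINK)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
STRING_FIELDS = (  # StringData sections appear in exactly this order
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
LOLBINS = ("cmd", "powershell", "mshta", "rundll32", "wscript", "cscript", "certutil", "bitsadmin")
DECOY_EXTENSIONS = (".pdf", ".docx", ".xlsx", ".pptx", ".rtf")


def build_lnk(strings: Dict[str, str], show_command: int = 1) -> bytes:
    """Build a minimal Unicode .LNK: 76-byte header + StringData, no IDList/LinkInfo.
    Only used here to construct a sample; real lures usually carry the extra sections."""
    flags, body = IS_UNICODE, b""
    for flag, key in STRING_FIELDS:
        if key in strings:
            flags |= flag
            body += struct.pack("<H", len(strings[key])) + strings[key].encode("utf-16-le")
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return header + body


def parse_lnk(data: bytes) -> Dict[str, Any]:
    """Return ShowCommand and the StringData fields; IDList and LinkInfo are skipped by size."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    (show_command,) = struct.unpack_from("<I", data, 0x3C)
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    fields: Dict[str, Any] = {"show_command": show_command}
    unicode = bool(flags & IS_UNICODE)
    width = 2 if unicode else 1
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, pos)
        pos += 2
        raw = data[pos:pos + count * width]
        pos += count * width
        fields[key] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", errors="replace")
    return fields


def triage_lnk(data: bytes) -> Dict[str, Any]:
    """Flag LOLBin targets, decoy-document references and a minimised/hidden window."""
    fields = parse_lnk(data)
    text = " ".join(str(v) for k, v in fields.items() if k != "show_command").lower()
    fields["lolbin_tokens"] = [t for t in LOLBINS if t in text]
    fields["opens_decoy_document"] = any(ext in text for ext in DECOY_EXTENSIONS)
    fields["hidden_window"] = fields["show_command"] == 7  # SW_SHOWMINNOACTIVE, a favourite of lure shortcuts
    suspicious = (fields["lolbin_tokens"] and fields["opens_decoy_document"]) or fields["hidden_window"]
    fields["verdict"] = "suspicious" if suspicious else "review"
    return fields


# Constructed sample in the style of the campaign: decoy PDF in the foreground, payload in the background.
# File names and paths are invented for the example.
SAMPLE_LNK = build_lnk(
    {
        "name": "Directive 2025-12 (PDF)",
        "relative_path": "..\\..\\..\\Windows\\System32\\cmd.exe",
        "working_dir": ".\\",
        "arguments": '/c start "" "Directive.pdf" & start "" "Resources\\update.exe"',
        "icon_location": "%SystemRoot%\\System32\\shell32.dll",
    },
    show_command=7,
)

if __name__ == "__main__":
    for key, value in triage_lnk(SAMPLE_LNK).items():
        print(f"{key:22} {value}")
```

Feeding a real shortcut is `triage_lnk(open(path, "rb").read())`; the parser tolerates the IDList and LinkInfo sections that real files carry, it just does not interpret them.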
DoS Attacks Disrupt UK Services
Russian-aligned hacktivists continue targeting critical systems
Groups like NoName057(16) launched DoS attacks on UK government and local services. While technically simple, these attacks can cause significant disruption, forcing organizations to expend resources on mitigation and recovery.
Trusted Apps Used to Load Malicious DLLs
DLL Side-Loading Infostealer Campaign
Malware disguised as legitimate applications (e.g., fake "Malwarebytes installers") used DLL side-loading to deploy second-stage information stealers. The trick works because a legitimately signed executable loads a library by name and, for libraries outside the KnownDLLs list, Windows searches the application's own directory before System32: the attackers drop a malicious DLL named CoreMessaging.dll (the name of a genuine Windows system library) next to the trusted executable, which loads and executes it without tripping reputation or signature checks on the executable itself. The practical check is an image-load event in which a DLL carrying a Windows system library name is loaded from a user-writable directory rather than from System32, SysWOW64 or WinSxS.
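That check is easy to express over image-load telemetry. The Python below is an added example, not part of the report: it runs a side-loading rule over constructed events in the shape of Sysmon Event ID 7 (Image loaded), flattened to pipe-separated Image|ImageLoaded|Signed|Signature fields. The list of OS library names and the sample paths and signer names are assumptions for the example; in production the name list should come from an inventory of System32 on the fleet's Windows build.

```python
import ntpath
from dataclasses import dataclass
from typing import List, Optional

# Directories where Windows' own libraries legitimately live (lower-cased, trailing backslash).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# Starter list of OS library names that are popular side-loading targets (assumption: extend from
# a System32 inventory; CoreMessaging.dll is the name used by the campaign described above).
OS_DLL_NAMES = {"coremessaging.dll", "version.dll", "dbghelp.dll", "cryptbase.dll",
                "profapi.dll", "propsys.dll", "wininet.dll"}

# Constructed sample events (not real telemetry): Image|ImageLoaded|Signed|Signature
SAMPLE_EVENTS = """\
C:\\Windows\\explorer.exe|C:\\Windows\\System32\\CoreMessaging.dll|true|Microsoft Windows
C:\\Program Files\\AcmeEditor\\acme.exe|C:\\Program Files\\AcmeEditor\\acmecore.dll|true|Acme Software Ltd
C:\\Users\\alice\\Downloads\\MBSetup\\mbsetup.exe|C:\\Users\\alice\\Downloads\\MBSetup\\CoreMessaging.dll|false|-
C:\\Users\\alice\\AppData\\Local\\Temp\\tool.exe|C:\\Users\\alice\\AppData\\Local\\Temp\\version.dll|true|Example Signing Co
"""


@dataclass
class Alert:
    image: str
    dll: str
    reason: str
    severity: str


def _dirname(path: str) -> str:
    """Normalised directory of a Windows path: lower-case with a single trailing backslash."""
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"


def check_image_load(image: str, loaded: str, signed: bool, signer: str) -> Optional[Alert]:
    """Side-loading rule: an OS library name loaded from outside the system directories."""
    if ntpath.basename(loaded).lower() not in OS_DLL_NAMES:
        return None
    dll_dir = _dirname(loaded)
    if dll_dir.startswith(SYSTEM_DIRS):
        return None
    if signed and signer.lower().startswith("microsoft"):
        return None  # a Microsoft-signed redistributed copy is not what this rule hunts
    same_dir = dll_dir == _dirname(image)
    where = ("the loading executable's own directory" if same_dir
             else "a non-system directory (search-order hijack rather than classic side-load)")
    signature = "DLL unsigned" if not signed else f"DLL signed by {signer}"
    return Alert(image, loaded, f"OS library name loaded from {where}; {signature}",
                 "high" if not signed else "medium")


def scan(events_text: str) -> List[Alert]:
    """Apply the rule to every non-empty event line and collect the alerts."""
    alerts = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        image, loaded, signed, signer = line.split("|")
        alert = check_image_load(image, loaded, signed.lower() == "true", signer)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.image} loaded {a.dll}: {a.reason}")
```

Two of the four constructed events fire: the unsigned CoreMessaging.dll sitting beside the fake installer (high) and a version.dll in Temp signed by someone other than Microsoft (medium). The explorer.exe load from System32 and the vendor's own acmecore.dll stay quiet, which is the point of keying on system library names rather than on every DLL in a user directory.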
Windows Subsystem for Linux (WSL) Abused Without wsl.exe
SpecterOps released a Beacon Object File (BOF) that interacts with WSL through its COM interface without spawning wsl.exe, letting an operator who already has code execution run commands in every installed distribution. This is tradecraft rather than a vulnerability: the takeaway for defenders is that process-creation rules keyed on wsl.exe will not fire, so coverage needs to extend to the WSL service host (LxssManager, or wslservice.exe for the Store-distributed WSL) and to the Linux-side processes it starts.
Ads Push Covert RAT Installers
Malicious ads for file-converter utilities such as Easy2Convert and ConvertyFile distribute persistent .NET remote access trojans (RATs) while the installer performs the advertised conversion in the foreground, so the victim gets a working tool and little reason to suspect the download.
Short-Lived TLS Certificates Now Available
Let's Encrypt now issues 6-day certificates to operators that have fully automated renewal. The short profile is opt-in, not the default, and it only makes sense where renewal runs unattended: a 6-day certificate has to be reissued every two to three days, so a broken renewal job becomes an outage within the week rather than months later. Clients should drive renewal from the ACME Renewal Information (ARI) endpoint rather than from a fixed cron schedule, and monitoring should alert on certificate age, not just on expiry.
Support Systems Abused for Spam
Zendesk warns of relay spam
Attackers submit tickets through forms that accept unverified requesters, naming a victim's address as the requester and putting the spam in the ticket subject or body; the help desk then sends its automated confirmation, with that content inside, from the organization's own legitimate domain, so the message passes SPF and DKIM and borrows the company's reputation. Organizations are advised to restrict ticket submission to verified users (for example, require the requester to confirm the address before any notification is sent) and to avoid echoing untrusted ticket text into outbound notifications.
EU Proposes Cybersecurity Rules for High-Risk Suppliers
The European Commission seeks to remove high-risk suppliers from telecom networks and critical ICT supply chains. The updated Cybersecurity Act includes harmonized, risk-based mitigation measures and a renewed European Cybersecurity Certification Framework (ECCF).
Large-Scale WordPress Plugin Recon
GreyNoise detects scans targeting 706 plugins
GreyNoise observed more than 40,000 scan events probing for 706 distinct WordPress plugins, most often Post SMTP, Loginizer, LiteSpeed Cache, and Elementor. Scanning of this breadth is version reconnaissance ahead of exploitation rather than exploitation itself; site owners are urged to update plugins promptly, remove plugins they no longer use, and watch web logs for a single source enumerating many plugin paths.
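The log-side check is a per-source profile: how many different plugin directories one client touches, how many of those requests are for readme.txt (the file that leaks the plugin's version) and how many come back 404. The Python below is an added example, not GreyNoise's detection logic or data; the access log lines are constructed in Apache combined format and the threshold is an assumption to tune against the site's real plugin count and traffic.

```python
import re
from collections import defaultdict
from typing import Any, Dict

# Request line + status for anything under /wp-content/plugins/<slug>/
PLUGIN_RE = re.compile(r'"(?:GET|HEAD|POST) /wp-content/plugins/([^/\s"]+)/([^\s"]*) HTTP/[\d.]+" (\d{3})')
DISTINCT_PLUGIN_THRESHOLD = 4   # assumption: a normal visitor pulls assets from a handful of installed plugins
VERSION_FILES = ("readme.txt", "readme.md", "changelog.txt")

# Constructed sample log (not real traffic): one enumerating source, one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2026:08:01:12 +0000] "GET /wp-content/plugins/post-smtp/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2026:08:01:12 +0000] "GET /wp-content/plugins/loginizer/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2026:08:01:13 +0000] "GET /wp-content/plugins/litespeed-cache/readme.txt HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2026:08:01:13 +0000] "GET /wp-content/plugins/elementor/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2026:08:01:14 +0000] "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Feb/2026:08:02:40 +0000] "GET /wp-content/plugins/litespeed-cache/assets/js/main.js HTTP/1.1" 200 8811 "https://example.org/" "Mozilla/5.0"
198.51.100.20 - - [10/Feb/2026:08:02:41 +0000] "GET /wp-content/plugins/elementor/assets/css/frontend.min.css HTTP/1.1" 200 90221 "https://example.org/" "Mozilla/5.0"
"""


def profile_sources(log_text: str) -> Dict[str, Dict[str, Any]]:
    """Per source IP: plugin-path request count, distinct slugs, version-file probes, 404s, verdict."""
    stats = defaultdict(lambda: {"slugs": set(), "requests": 0, "readme_probes": 0, "not_found": 0})
    for line in log_text.splitlines():
        m = PLUGIN_RE.search(line)
        if not m:
            continue
        ip = line.split(" ", 1)[0]
        slug, rest, status = m.groups()
        s = stats[ip]
        s["requests"] += 1
        s["slugs"].add(slug)
        if rest.lower() in VERSION_FILES:
            s["readme_probes"] += 1
        if status == "404":
            s["not_found"] += 1
    out = {}
    for ip, s in stats.items():
        distinct = len(s["slugs"])
        # Breadth (many slugs) or intent (version files) is enough; 404 volume is reported for context.
        flagged = distinct >= DISTINCT_PLUGIN_THRESHOLD or s["readme_probes"] >= 3
        out[ip] = {"requests": s["requests"], "distinct_plugins": distinct,
                   "readme_probes": s["readme_probes"], "not_found": s["not_found"], "flagged": flagged}
    return out


if __name__ == "__main__":
    for ip, profile in profile_sources(SAMPLE_LOG).items():
        print(ip, profile)
```

Rather than blocking on the rule alone, feed flagged sources into rate limiting or a WAF list and use the distinct slug set as the inventory of plugins the scanner thinks are worth checking on your site.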
Rust Crates Security Enhancements
Crates.io added a "Security" tab that surfaces RustSec advisories for a crate and now supports Trusted Publishing, which lets a CI workflow publish with short-lived, OIDC-backed credentials instead of a long-lived API token that can leak from a developer machine or a CI secret store. Projects that want the same advisory data enforced in their pipeline can run cargo audit against the lockfile.
Chinese C2 Servers Skyrocket
Hunt.io finds 18,000+ active C2 servers in China
Nearly half are hosted by China Unicom, with most of the rest on Alibaba Cloud and Tencent. The servers support IoT botnets such as Mozi and Mirai as well as Cobalt Strike and VShell operations.
Military-Linked Espionage Case in Sweden
A former IT consultant for Sweden’s Armed Forces was detained for allegedly passing information to Russia, suspected to have occurred since 2022.
Supply-Chain Platform Vulnerabilities
Bluvoyix flaws (CVE-2026-22236 to CVE-2026-22240) allowed full admin access to customer accounts, shipments, and APIs. Patches have been applied.
Crypto Scams Hit Record Levels
$17B estimated stolen in 2025 via scams like pig-butchering and impersonation attacks. AI-generated deepfakes and sophisticated money-laundering infrastructure amplify the impact.
ATM Malware Ring Dismantled
Five Venezuelan nationals pleaded guilty to ATM jackpotting attacks in the U.S., in which they deployed malware on the machines and abused the ATM's supervisor (maintenance) mode to make them dispense cash.
Pixel Zero-Click Exploit
A chain of CVE-2025-54957 and CVE-2025-36934 allows arbitrary code execution and escalation to the kernel through the Dolby audio decoder on the Google Pixel 9, with no user interaction required. The issues were patched in January 2026.
Malvertising Campaigns Deliver Infostealers
- TamperedChef: a trojanized PDF editor delivered via Google Ads, targeting Germany, the UK, and France.
- PureLogs Stealer: the payload is embedded as Base64 text inside PNG images delivered by phishing campaigns that use fake pharmaceutical invoices; the image still renders normally, and a loader extracts and decodes the text from the file rather than anything a viewer would show.
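A PNG that carries a Base64 blob is still a valid PNG, so the inspection has to walk the container rather than trust the viewer: check each chunk's CRC, try to decode the text chunks (tEXt, zTXt) as Base64, look at what comes out, and report anything sitting after IEND. The Python below is an added example and is not PureLogs code or a sample from the campaign; it constructs its own 1x1 PNG with an invented payload (labelled as such) and then inspects it.

```python
import base64
import binascii
import math
import struct
import zlib
from collections import Counter
from typing import Any, Dict, Optional, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MIN_B64_CHARS = 64   # shorter comments are too likely to be innocent text that happens to be valid Base64
SAMPLE_PAYLOAD = b"MZ" + bytes(range(64)) * 2   # constructed stand-in for a stage-2 blob, not real malware


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(payload: Optional[bytes]) -> bytes:
    """Constructed 1x1 RGB PNG. With a payload, it is smuggled as Base64 in a tEXt chunk and junk is
    appended after IEND: two places a stager can read without touching pixel data."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # width, height, bit depth 8, colour type 2 (RGB)
    idat = zlib.compress(b"\x00\xff\x00\x00")              # one scanline: filter byte 0 + a red pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr)
    if payload is not None:
        png += _chunk(b"tEXt", b"Comment\x00" + base64.b64encode(payload))
    png += _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    if payload is not None:
        png += b"\x00TRAILING-JUNK"
    return png


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted payloads sit well above plain text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _text_chunk(ctype: bytes, data: bytes) -> Optional[Tuple[str, bytes]]:
    """(keyword, text) for tEXt and zTXt chunks; iTXt is left alone in this example."""
    if ctype == b"tEXt":
        keyword, _, text = data.partition(b"\x00")
        return keyword.decode("latin-1"), text
    if ctype == b"zTXt":
        keyword, _, rest = data.partition(b"\x00")
        return keyword.decode("latin-1"), zlib.decompress(rest[1:])   # rest[0] is the compression method
    return None


def inspect_png(blob: bytes) -> Dict[str, Any]:
    """Walk the chunk list, verify CRCs, decode text chunks as Base64, report data after IEND."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks, findings = len(PNG_SIG), [], []
    while pos + 12 <= len(blob):
        (length,) = struct.unpack_from(">I", blob, pos)
        if pos + 12 + length > len(blob):
            findings.append({"kind": "truncated_chunk", "offset": pos})
            break
        ctype = blob[pos + 4:pos + 8]
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack_from(">I", blob, pos + 8 + length)
        chunks.append(ctype.decode("latin-1"))
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            findings.append({"kind": "bad_crc", "chunk": chunks[-1]})
        text = _text_chunk(ctype, data)
        if text is not None and len(text[1]) >= MIN_B64_CHARS:
            try:
                decoded = base64.b64decode(text[1], validate=True)
            except binascii.Error:
                decoded = b""
            if decoded:
                findings.append({"kind": "base64_text_payload", "chunk": chunks[-1], "keyword": text[0],
                                 "decoded_len": len(decoded), "pe_header": decoded.startswith(b"MZ"),
                                 "entropy": round(shannon_entropy(decoded), 2)})
        pos += 12 + length
        if ctype == b"IEND":
            break
    trailing = len(blob) - pos
    if trailing:
        findings.append({"kind": "data_after_iend", "bytes": trailing})
    return {"chunks": chunks, "findings": findings, "trailing_bytes": trailing}


if __name__ == "__main__":
    for finding in inspect_png(build_sample_png(SAMPLE_PAYLOAD))["findings"]:
        print(finding)
```

On the constructed file the inspector reports the Base64 text chunk (decoding to a 130-byte blob that starts with the MZ header) and 14 bytes after IEND, while the same image built without a payload produces no findings. On real samples, treat a long valid-Base64 text chunk with high entropy as worth pulling even when it does not start with MZ; stagers often XOR or compress the blob before encoding it.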
Loan and Software Scams
- Fake loan offers in Peru harvest banking credentials.
- Fake Notepad++ installers in South Korea deliver proxyware for monetizing bandwidth.
Key Takeaways
The “background layer” of technology—the systems and workflows users trust—has become the frontline of attacks. Exploitation is often silent, accumulating risk until it surfaces. The pattern: ordinary tools, scaled access, and low friction can yield disproportionate control.