Major Incidents or Breaches

  • The Swedish IT systems supplier Miljödata suffered a data breach impacting 1.5 million individuals. The Swedish Authority for Privacy Protection (IMY) is investigating.
  • Japanese media conglomerate Nikkei reported a data breach after its Slack platform was compromised, exposing personal data of over 17,000 employees and business partners.
  • Hundreds of malicious Android apps on Google Play were downloaded over 42 million times between June 2024 and May 2025, according to Zscaler, distributing various malware strains.
  • Threat actors are actively exploiting a critical vulnerability in the Post SMTP WordPress plugin (installed on 400,000+ sites) to hijack admin accounts.
  • Attackers are exploiting a critical authentication bypass flaw in the JobMonster WordPress theme, allowing admin account hijacking under certain conditions.
  • European authorities dismantled a cryptocurrency fraud and money laundering network responsible for defrauding victims of over €600 million, arresting nine individuals.
  • U.S. prosecutors indicted three individuals for deploying BlackCat (ALPHV) ransomware against five U.S. companies between May and November 2023, resulting in network compromise and extortion.
  • Transportation and logistics companies have been targeted by threat actors using sophisticated attack chains to deploy remote access tools and steal cargo.

Newly Discovered Vulnerabilities

  • CISA added critical vulnerabilities in Gladinet and Control Web Panel (CWP) to its Known Exploited Vulnerabilities (KEV) catalog. The CWP flaw (CVE-2025-48703) allows remote, unauthenticated command execution and is being actively exploited.
  • A critical vulnerability (CVE-2025-11953) in the “@react-native-community/cli” npm package for React Native allowed arbitrary command/code execution on Windows, macOS, and Linux. The issue has now been patched.
  • Four security flaws were disclosed in Microsoft Teams that enable attackers to impersonate colleagues and edit messages without detection, facilitating social engineering and phishing attacks.
  • Google’s AI-powered agent “Big Sleep” discovered five new vulnerabilities in Apple’s Safari WebKit. Apple has issued patches addressing these and over 100 other vulnerabilities across its operating systems.
  • The November 2025 Android update patched two critical remote code execution vulnerabilities in the platform’s System component.
  • Apple released updates for iOS and macOS addressing 110 vulnerabilities, including 19 in WebKit, some of which were critical.

Notable Threat Actor Activity

  • A new cybercrime collective has formed, merging Scattered Spider, LAPSUS$, and ShinyHunters. The group has created at least 16 Telegram channels since August 2025, indicating increased coordination.
  • The Russian threat group “Curly COMrades” is abusing Microsoft Hyper-V to deploy hidden Alpine Linux-based virtual machines on Windows hosts, bypassing endpoint detection and response (EDR) solutions to run malware undetected.
  • Operation SkyCloak: Threat actors are deploying a Tor-enabled OpenSSH backdoor via weaponized phishing attachments, targeting defense sectors in Russia and Belarus.
  • The North Korean group Kimsuky has debuted the HTTPTroy backdoor against South Korean targets, with enhanced obfuscation and anti-analysis features.
  • The SesameOp backdoor has been observed using the OpenAI API as a covert command-and-control (C2) channel, demonstrating the misuse of generative AI services for stealthy communications.
  • Criminals are impersonating U.S. Immigration and Customs Enforcement (ICE) agents in social engineering campaigns, prompting an FBI warning to law enforcement.

Trends, Tools, or Tactics of Interest

  • Browser sandbox evasion: Attackers are exploiting browser behaviors to steal credentials, abuse extensions, and move laterally, bypassing traditional security tools.
  • Ransomware and extortion attacks in Europe have increased, with attackers leveraging geopolitical tensions and AI-enhanced social engineering.
  • Malicious Android apps continue to proliferate on official app stores, using fake news and identification apps as lures for banking trojans and data theft.
  • Threat actors are using AI and cloud APIs (e.g., OpenAI) for covert C2 and operational security.
  • Open source security: The Wazuh platform is being promoted for ransomware defense, reflecting ongoing interest in open source security tooling.

Regulatory or Policy Developments

  • Microsoft announced plans to remove Defender Application Guard from Office, starting with Office version 2602 in February 2026 and completing removal by December 2027.
  • California fined Sling TV for deceptive privacy practices, including misleading opt-out controls and improper use of children’s data for ad targeting.
  • The Swedish privacy regulator (IMY) is investigating the Miljödata breach for potential violations of data protection requirements.

Industry Moves

  • Bugcrowd acquired application security firm Mayhem, nearly doubling its valuation.
  • Zscaler acquired AI security company SPLX to enhance its Zero Trust Exchange platform with red teaming and threat inspection capabilities.