Major Incidents or Breaches

  • OpenAI disclosed a data breach affecting ChatGPT API customers, resulting from a compromise at third-party analytics provider Mixpanel. Limited identifying information of API customers was exposed. Multiple Mixpanel customers were impacted by the incident.
  • Asahi, a Japanese company, suffered a ransomware attack that resulted in the theft of personal information of customers and employees, impacting approximately 2 million individuals and significantly disrupting operations.
  • The CodeRED emergency alert system in the US experienced a ransomware attack, leading to a nationwide outage and a data breach, putting millions at risk.
  • Amazon and the FBI have issued warnings regarding a surge in account takeover attacks targeting holiday shoppers, with scammers impersonating brands to gain access to user accounts.

Notable Threat Actor Activity

  • The APT group Tomiris has adopted new tools and techniques, including multi-language reverse shells and the open-source command and control frameworks Havoc and AdaptixC2. The group has also been observed using Discord and Telegram as command and control channels.
  • Bloody Wolf, a threat actor, has expanded its campaign targeting Kyrgyzstan and Uzbekistan, delivering NetSupport RAT via Java-based attacks since at least June 2025.

Trends, Tools, or Tactics of Interest

  • Increased use of open-source command and control frameworks (Havoc, AdaptixC2) and mainstream messaging platforms (Discord, Telegram) for malicious communications by APT groups.
  • Growing prevalence of AI-powered malware, voice phishing (vishing) campaigns, and scams leveraging advanced technologies, as highlighted in recent threat bulletins.
  • Rise in attacks exploiting digital trust, including brand impersonation and account takeover targeting consumers during high-activity periods such as holidays.

Regulatory or Policy Developments

  • Microsoft has announced a 2026 update to Entra ID’s Content Security Policy that will block unauthorized script injection during authentication flows, with the aim of strengthening login security.