Major Incidents or Breaches

  • Inotiv, a US-based company, disclosed a ransomware attack resulting in the theft of names, addresses, Social Security numbers, and financial and medical information of 9,542 individuals.
  • Freedom Mobile reported a data breach involving the compromise of customer personal information through its account management platform.
  • Marquis suffered a data breach impacting over 780,000 people, with compromised data including names, addresses, Social Security numbers, and card numbers.

Newly Discovered Vulnerabilities

  • A critical command injection vulnerability in Array Networks AG Series secure access gateways (ArrayOS AG VPN devices) has been actively exploited since August 2025; attackers are deploying webshells and creating rogue user accounts on compromised appliances.
  • A maximum-severity vulnerability, CVE-2025-55182 (“React2Shell”), exists in the ‘Flight’ protocol used by React Server Components, enabling unauthenticated remote code execution in React and Next.js applications. AWS and other sources confirm active exploitation attempts, including by China-linked threat groups. Only applications that actually use React Server Components are affected; React applications that do not use server components are not exposed.
  • Google released a Chrome update addressing 13 security issues, including a high-severity vulnerability in Digital Credentials.
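The first question a defender has about React2Shell is whether any deployment pulls in the affected React Server Components packages at a vulnerable version. The following lockfile check is an added example, not code from the React project or from any advisory. It assumes (to be confirmed against the React team's advisory before relying on its verdicts) that the affected packages are react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack, and that the patched releases are 19.0.1, 19.1.2 and 19.2.1, one per affected 19.x minor line; anything outside those lines (older majors, canary or prerelease builds) is reported as unknown for manual review rather than guessed at. The sample lockfile embedded at the bottom is constructed.

```python
"""Flag npm lockfile entries for the React Server Components packages hit by
CVE-2025-55182 (React2Shell).

Added example, not code from the React project or from any advisory. Two
assumptions to confirm against the React team's advisory before relying on
the verdicts: (1) the affected packages are react-server-dom-webpack,
react-server-dom-parcel and react-server-dom-turbopack, and (2) the patched
releases are 19.0.1, 19.1.2 and 19.2.1, one per affected 19.x minor line.
Versions outside those lines (older majors, canaries, prereleases) are
reported as "unknown" for manual review rather than guessed at.
"""
import json
import re
import sys

RSC_PACKAGES = {
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
}
# ASSUMED patched floor per minor line: (major, minor) -> first fixed version.
PATCHED = {(19, 0): (19, 0, 1), (19, 1): (19, 1, 2), (19, 2): (19, 2, 1)}

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$")


def classify(version: str) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' for one package version."""
    m = _SEMVER.match(version.strip())
    if not m or m.group(4):            # unparsable, or a prerelease/canary build
        return "unknown"
    v = tuple(int(x) for x in m.group(1, 2, 3))
    fixed = PATCHED.get(v[:2])
    if fixed is None:                  # a line the assumed table does not cover
        return "unknown"
    return "patched" if v >= fixed else "vulnerable"


def scan_lockfile(lock: dict) -> list:
    """Return (path, version, verdict) for every RSC package in an npm lockfile.

    Handles lockfile v2/v3 ("packages" map keyed by install path) and falls
    back to the v1 nested "dependencies" tree when "packages" is absent.
    """
    findings = []
    if "packages" in lock:
        for path, entry in lock["packages"].items():
            name = path.rsplit("node_modules/", 1)[-1]   # "" for the root project
            if name in RSC_PACKAGES:
                ver = entry.get("version", "")
                findings.append((path, ver, classify(ver)))
        return findings

    def walk(deps: dict, prefix: str) -> None:
        for name, entry in deps.items():
            if name in RSC_PACKAGES:
                ver = entry.get("version", "")
                findings.append((prefix + name, ver, classify(ver)))
            walk(entry.get("dependencies", {}), prefix + name + " > ")

    walk(lock.get("dependencies", {}), "")
    return findings


# Constructed sample lockfile (not from a real project): one vulnerable
# package, one patched nested copy, and one canary build that needs review.
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/next/node_modules/react-server-dom-turbopack": {"version": "19.1.2"},
        "node_modules/react-server-dom-parcel": {"version": "19.3.0-canary-abc123"},
    },
}

if __name__ == "__main__":
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for path, ver, verdict in scan_lockfile(lock):
        print(f"{verdict:10} {ver:22} {path}")
```

Run it against each deployed application's package-lock.json (`python rsc_check.py package-lock.json`); nested copies under node_modules/next matter as much as top-level ones, which is why the scan keys on install path rather than on the top-level dependency list. An application with no react-server-dom-* entry at all does not use RSC and is out of scope for this CVE.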

Notable Threat Actor Activity

  • Chinese state-sponsored actors are actively exploiting the React2Shell vulnerability and targeting VMware vSphere servers with BrickStorm malware, according to a warning from CISA, NSA, and international partners; BrickStorm is being used to backdoor VMware infrastructure in the government and technology sectors.
  • The Predator spyware, developed by Intellexa, is leveraging a new zero-click infection vector (“Aladdin”) that compromises targets via malicious advertisements without user interaction.
  • The financially motivated group GoldFactory is distributing modified banking apps in Southeast Asia (Indonesia, Thailand, Vietnam), resulting in over 11,000 mobile infections.
  • The Silver Fox threat actor is conducting a false flag campaign in China, distributing ValleyRAT malware via fake Microsoft Teams installers and search engine optimization (SEO) poisoning.
  • Russian state-sponsored hackers targeted Reporters Without Borders (RSF) using phishing emails to deliver malware.
  • China-based SMS phishing groups have shifted tactics to promote scams involving loyalty points, taxes, and fake retailers during the holiday season.
  • A student was found selling access to compromised government and university websites to Chinese threat actors for low prices.

Trends, Tools, or Tactics of Interest

  • Sophisticated fraud attacks are increasing, driven by the accessibility of AI tools and fraud-as-a-service platforms, making advanced techniques available to unskilled attackers.
  • Multi-stage phishing campaigns targeting Microsoft 365 credentials have been observed since November 2025, employing advanced evasion techniques.
  • AutoIt v3 compiled scripts are being used as loaders to deliver shellcode payloads in Windows environments.
  • There is a marked increase in AI-powered attacks, evolving injection techniques, and the use of automation in both offensive and defensive cyber operations.
  • Cloudflare reported blocking 416 billion AI bot requests since July 1, indicating a surge in automated scraping and reconnaissance activity.
  • SMS phishing lures continue to track current events and seasonal trends; the holiday-season loyalty-points, tax, and fake-retailer themes noted above are the latest example.
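For the AutoIt loader pattern above, a quick static triage question is whether a suspicious Windows binary carries an embedded AutoIt v3 compiled script at all. The following scanner is an added example, not code from any vendor or project. It relies on two well-known static indicators: the "AU3!EA06" signature that AutoIt v3 writes in front of the compressed script resource, and the "This is a third-party compiled AutoIt script." string left in the stock compiled-exe stub. A hit means "AutoIt-compiled", not "malicious" (benign AutoIt utilities match too), so treat it as a triage signal to pair with the shellcode behaviour the item describes. Every sample byte string in the block is constructed, not taken from a real sample.

```python
"""Static triage for the AutoIt-compiled loader pattern: does this Windows
binary carry an embedded AutoIt v3 compiled script?

Added example, not code from any vendor or project. It relies on two
well-known static indicators: the "AU3!EA06" signature that AutoIt v3 writes
in front of the compressed script resource, and the "This is a third-party
compiled AutoIt script." string left in the stock compiled-exe stub. A hit
means "AutoIt-compiled", not "malicious": benign AutoIt tools match too, so
treat it as a triage signal, not a verdict. All sample bytes below are
constructed, not taken from a real sample.
"""
import sys

AU3_SIGNATURE = b"AU3!EA06"
STUB_STRING = b"This is a third-party compiled AutoIt script."


def is_pe(data: bytes) -> bool:
    """True when the buffer has a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_autoit_markers(data: bytes) -> dict:
    """Locate the AutoIt indicators; offsets are -1 when absent."""
    return {
        "pe": is_pe(data),
        "au3_signature_offset": data.find(AU3_SIGNATURE),
        "stub_string_offset": data.find(STUB_STRING),
    }


def classify(data: bytes) -> str:
    """Coarse verdict used for triage queues."""
    m = find_autoit_markers(data)
    if m["au3_signature_offset"] >= 0:
        # Script blob present: a compiled exe, or a bare .a3x-style payload.
        return "compiled-autoit-exe" if m["pe"] else "au3-script-payload"
    if m["stub_string_offset"] >= 0:
        # Stub text without the script signature: packed or encrypted
        # resource, or a truncated sample; worth a manual look.
        return "autoit-stub-only"
    return "no-autoit-markers"


def _build_sample_pe(with_script: bool) -> bytes:
    """Constructed minimal PE-like buffer: MZ header, e_lfanew -> 'PE\\0\\0', then body."""
    dos = b"MZ" + b"\x00" * (0x3C - 2) + (0x40).to_bytes(4, "little")   # 64 bytes
    pe = b"PE\0\0" + b"\x00" * 60                                          # 64 bytes
    body = b"\x00" * 32 + STUB_STRING + b"\x00" * 32
    if with_script:
        body += AU3_SIGNATURE + bytes(range(256))   # stand-in for the compressed script
    return dos + pe + body


SAMPLE_AUTOIT_EXE = _build_sample_pe(with_script=True)    # constructed, not real
SAMPLE_STUB_ONLY = _build_sample_pe(with_script=False)    # constructed, not real

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(classify(f.read()), sys.argv[1])
    else:
        for label, buf in (("sample_exe", SAMPLE_AUTOIT_EXE), ("stub_only", SAMPLE_STUB_ONLY)):
            print(f"{classify(buf):22} {label}")
```

Point it at a quarantined file (`python au3_triage.py suspect.exe`). The script signature offset is also the natural place to start carving the embedded script for decompilation; that step is deliberately out of scope here.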

Regulatory or Policy Developments Affecting the Security Industry

  • The UK National Cyber Security Centre (NCSC) announced the testing of a “Proactive Notifications” service to alert UK organizations about vulnerabilities in exposed devices.
  • CISA, NSA, and allied cyber agencies published security guidance for the integration of AI in operational technology (OT) environments, outlining principles for secure AI deployment in critical infrastructure.
  • India’s Ministry of Communications rescinded an order that would have required smartphone manufacturers to preinstall a government cybersecurity app (“Sanchar Saathi”) and prevent users from disabling it.
  • Canadian police are trialing facial recognition body cameras, raising potential privacy and accuracy concerns.
  • The US Inspector General’s report on the “Signalgate” incident recommended a single procedural change to improve the handling of classified material.
  • ServiceNow acquired Veza, a provider of non-human identity (NHI) access control, to enhance its governance and AI Control Tower offerings.