Chinese state-backed hacking groups are unleashing advanced cyber weapons across Asia, with the region accounting for over half of all global APT activity. Trend Micro has tracked two threat actors since 2023 using "PeckBirdy," a sophisticated command-and-control tool that adapts to different environments.
One group infected Chinese gambling sites, tricking visitors with fake Chrome updates that installed backdoors called "Holodonut" and "MKDoor." A separate espionage-focused group targeted Asian government agencies and private organizations using the same versatile malware.
PeckBirdy's power lies in its adaptability—written in JScript, it can operate in browsers, Windows utilities, or server environments. This allows hackers to use identical tools whether targeting casual gamblers or government employees, maximizing efficiency while staying undetected.
Source: Dark Reading
Google's Threat Intelligence Group warns that hackers are actively exploiting a critical WinRAR vulnerability (CVE-2025-8088) discovered and patched in July 2025. The flaw allows attackers to drop malicious files into Windows Startup folders through specially crafted RAR archives.
Russian groups like APT44 and Turla are targeting Ukrainian military and government entities, while Chinese actors deploy POISONIVY malware. Criminal groups are also using the exploit to spread ransomware and steal data from commercial targets.
The vulnerability works by hiding malicious payloads in decoy files within RAR archives. When users open these files, the exploit writes malware to critical system directories for persistence. Despite a patch being available since July 30, widespread exploitation continues across diverse threat operations.
Source: Google Cloud Blog
A London judge ordered Saudi Arabia to pay over £3 million to satirist Ghanem al-Masarir after ruling the kingdom hacked his phones with Pegasus spyware and orchestrated a 2018 physical attack outside Harrods. Judge Pushpinder Saini found Saudi Arabia responsible for "grossly intrusive" surveillance that turned al-Masarir's smartphones into "bugging devices," secretly transmitting his personal data to the hostile state.
Al-Masarir, whose YouTube channels have 300 million views, still suffers severe depression seven years later and rarely leaves home. Saudi Arabia failed to defend the case after losing immunity arguments. The ruling represents a rare legal victory against the kingdom's transnational repression tactics.
Source: The Guardian
The Justice Department charged 31 more people in a massive ATM "jackpotting" scheme, bringing total defendants to 87. Most suspects are Venezuelan nationals, including members of the Tren de Aragua crime syndicate, plus some Colombians.
The criminals used Ploutus malware to hack ATMs and steal millions. They physically tampered with machines, swapping hard drives or using USB devices to install the malware. Once activated, it forced ATMs to spit out cash, then deleted itself to avoid detection.
While Ploutus peaked in 2017-2018, it remained active through last year. All charged individuals face deportation after conviction.
Source: Security Week
Microsoft released an emergency patch for CVE-2026-21509, a zero-day vulnerability in Office and Microsoft 365 that attackers are actively exploiting. The bug allows hackers to bypass security controls and execute malicious code by tricking users into opening infected Office files.
CISA added the vulnerability to its known exploited list, giving federal agencies until February 16 to patch or stop using affected products. Security experts believe this is likely a tool for advanced persistent threats, possibly state-sponsored groups targeting high-value victims through social engineering.
Office 2021 users just need to restart their apps for automatic protection, while Office 2016 and 2019 users must install manual updates.
Source: Dark Reading
Security firm Koi discovered six vulnerabilities dubbed 'PackageGate' affecting major JavaScript package managers including NPM, PNPM, VLT, and Bun. These flaws can bypass existing supply chain protections, allowing attackers to execute malicious code through compromised dependencies.
The vulnerabilities work differently across managers: NPM can be exploited through malicious .npmrc files in Git dependencies, while PNPM's script protections don't cover Git processing. VLT has path traversal issues in tarball extraction, and Bun's allow lists can be spoofed.
PNPM, VLT, and Bun quickly patched their issues, but NPM dismissed the report as 'informative,' claiming the behavior works as intended. GitHub maintains that users accept repository risks when installing Git dependencies.
Source: SecurityWeek
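A quick audit a practitioner might run against the PackageGate finding above: list every Git-sourced dependency in a package.json, flag those not pinned to a full commit hash (a branch or tag ref can be moved after you review it), and, given a directory of local clones of those repositories, flag any clone that carries an .npmrc. This is an added example, not Koi's tooling or npm's own code; the spec-matching heuristic, the clone-directory layout, and the sample package.json and fixture are all constructed assumptions.

```python
"""Audit package.json for Git-sourced dependencies (added example; the spec
heuristics and the fixture below are constructed assumptions, not npm's code)."""
import json
import os
import re
import shutil
import tempfile

DEP_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")
# Spec prefixes npm resolves through a Git clone rather than the registry.
GIT_PREFIXES = ("git+", "git:", "github:", "gitlab:", "bitbucket:", "gist:")
SHORTHAND_RE = re.compile(r"^[\w.-]+/[\w.-]+(#.*)?$")        # user/repo[#ref]
HOSTED_RE = re.compile(r"^https?://(github\.com|gitlab\.com|bitbucket\.org)/")
COMMIT_RE = re.compile(r"^[0-9a-f]{40}$")                    # full SHA-1 commit

# Constructed sample manifest (not from the report).
SAMPLE_PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {
    "left-pad": "^1.3.0",
    "@acme/widget": "git+https://github.com/acme/widget.git#v2.0.0",
    "tiny-util": "example-org/tiny-util#0123456789abcdef0123456789abcdef01234567"
  },
  "devDependencies": {
    "fake-lint": "github:example-org/fake-lint#main"
  }
}"""


def is_git_spec(spec):
    """True if npm would fetch this dependency from a Git host (heuristic)."""
    return (spec.startswith(GIT_PREFIXES)
            or bool(SHORTHAND_RE.match(spec))
            or bool(HOSTED_RE.match(spec)))


def is_pinned(spec):
    """True only when the #fragment is a full 40-hex commit hash."""
    if "#" not in spec:
        return False
    return bool(COMMIT_RE.match(spec.split("#", 1)[1]))


def git_dependencies(package_json_text):
    """Return {name: spec} for every Git-sourced dependency in the manifest."""
    pkg = json.loads(package_json_text)
    found = {}
    for section in DEP_SECTIONS:
        for name, spec in pkg.get(section, {}).items():
            if is_git_spec(spec):
                found[name] = spec
    return found


def unpinned(git_deps):
    return sorted(name for name, spec in git_deps.items() if not is_pinned(spec))


def find_npmrc(clones_dir, dep_names):
    """Flag clones (assumed layout: <clones_dir>/<name>/) that ship an .npmrc."""
    hits = []
    for name in sorted(dep_names):
        path = os.path.join(clones_dir, *name.split("/"), ".npmrc")
        if os.path.isfile(path):
            hits.append(name)
    return hits


def demo():
    """Build a throwaway clone directory and run the audit over it."""
    deps = git_dependencies(SAMPLE_PACKAGE_JSON)
    root = tempfile.mkdtemp(prefix="pkggate-")
    try:
        # Constructed fixture: one clone carries an .npmrc, one does not,
        # one has not been cloned at all.
        os.makedirs(os.path.join(root, "@acme", "widget"))
        with open(os.path.join(root, "@acme", "widget", ".npmrc"), "w") as fh:
            fh.write("# constructed placeholder content\n")
        os.makedirs(os.path.join(root, "tiny-util"))
        return {"npmrc": find_npmrc(root, deps), "unpinned": unpinned(deps)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, names in demo().items():
        print(f"{key}: {', '.join(names) or '(none)'}")
```

The two lists answer different questions: an unpinned Git dependency can change between review and install, and an .npmrc in the clone is worth reading before any install step runs against it. Neither finding is proof of compromise; both are review queues.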
Microsoft rushed out emergency security updates on January 26, 2026, to fix CVE-2026-21509, a zero-day vulnerability in Microsoft Office that hackers are actively exploiting. The flaw lets attackers bypass Office security protections by tricking users into opening malicious files through phishing emails.
Rated "Important" with a 7.8 severity score, the vulnerability affects multiple Office versions including 2016, 2019, 2021, and Microsoft 365. Office 2021 and newer versions get automatic protection after restarting, while older versions need manual updates or registry modifications.
This marks the second actively exploited zero-day patched this month. Organizations should prioritize installing these updates immediately and watch for suspicious Office attachments, as threat actors commonly use this attack method for ransomware and advanced persistent threat campaigns.
Source: Cybersecurity News
Under Armour is investigating a data breach that occurred late last year, affecting 72 million customer email addresses according to cybersecurity site Have I Been Pwned. The stolen data included emails, names, genders, birthdates, and ZIP codes, but no passwords or financial information appears compromised.
The Baltimore-based clothing retailer maintains that their main website and payment systems weren't affected. Cybersecurity expert Troy Hunt agrees with Under Armour's assessment but expressed surprise at the company's lack of official disclosure given the breach's scale and timing. Under Armour called any claims about sensitive personal information being compromised "unfounded."
Source: CBS News Baltimore
Cybercriminals launched automated attacks against FortiGate firewall devices starting January 15, 2026, exploiting critical authentication bypass vulnerabilities disclosed by Fortinet in December 2025. The attackers use malicious SAML messages to bypass SSO login, then quickly steal configuration data and create persistent admin accounts within seconds.
Arctic Wolf detected the highly automated campaign targeting CVE-2025-59718 and CVE-2025-59719, which affect FortiOS, FortiWeb, and other Fortinet products. Attackers primarily use the account cloud-init@mail.io and create backup accounts like "secadmin" and "itadmin" to maintain access.
Fortinet users should immediately disable FortiCloud SSO, reset all credentials, and restrict management interfaces to trusted networks while monitoring for suspicious activity.
Source: Cyber Security News
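A hunting check for the indicators in the Arctic Wolf report above: the actor account cloud-init@mail.io, the persistence accounts "secadmin" and "itadmin", and the pattern of a configuration export seconds after an SSO login. This is an added example, not Arctic Wolf's or Fortinet's code; the key=value log layout and the sample events are constructed and do not reproduce the real FortiOS log schema, so the field names would need mapping to your own export.

```python
"""Scan constructed FortiGate-style events for the reported account indicators
(added example; the log layout below is a constructed stand-in, not FortiOS syslog)."""
import re
from datetime import datetime, timedelta

# Indicators named in the report.
IOC_ACTOR = "cloud-init@mail.io"
IOC_ACCOUNTS = {"secadmin", "itadmin"}

# Constructed sample events (NOT real device logs).
SAMPLE_LOG = """\
ts=2026-01-15T03:12:01Z action=sso_login user="cloud-init@mail.io" src=203.0.113.10 status=success
ts=2026-01-15T03:12:03Z action=config_backup user="cloud-init@mail.io" src=203.0.113.10 status=success
ts=2026-01-15T03:12:05Z action=admin_add user="cloud-init@mail.io" src=203.0.113.10 new_user="secadmin" profile=super_admin
ts=2026-01-15T03:12:06Z action=admin_add user="cloud-init@mail.io" src=203.0.113.10 new_user="itadmin" profile=super_admin
ts=2026-01-15T09:30:00Z action=sso_login user="alice@example.com" src=198.51.100.7 status=success
ts=2026-01-15T10:15:00Z action=admin_add user="alice@example.com" src=198.51.100.7 new_user="backup-operator" profile=prof_admin
"""

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Split one key=value line into a dict; quoted values keep their spaces."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def audit(log_text, window=timedelta(seconds=60)):
    """Return (timestamp, rule, subject) findings for the reported indicators."""
    findings = []
    last_sso = {}  # user -> time of most recent successful SSO login
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        user = ev.get("user", "")
        action = ev.get("action")

        # Rule 1: any activity by the actor account named in the report.
        if user == IOC_ACTOR:
            findings.append((ev["ts"], "known_actor_account", user))

        # Rule 2: creation of the persistence accounts named in the report.
        if action == "admin_add" and ev.get("new_user") in IOC_ACCOUNTS:
            findings.append((ev["ts"], "ioc_persistence_account", ev["new_user"]))

        # Rule 3: configuration export within `window` of an SSO login by the
        # same user, matching the "steal configuration within seconds" pattern.
        if action == "sso_login" and ev.get("status") == "success":
            last_sso[user] = ts
        if action == "config_backup" and user in last_sso and ts - last_sso[user] <= window:
            findings.append((ev["ts"], "config_export_seconds_after_sso", user))
    return findings


if __name__ == "__main__":
    for ts, rule, subject in audit(SAMPLE_LOG):
        print(f"{ts}  {rule:32}  {subject}")
```

Rule 3 is the one worth keeping after the named indicators go stale: account names are trivially changed by the operator, while the login-then-export timing is a property of the automation itself. Tune the window to what your own administrators actually do.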
CISA added a critical Zimbra Collaboration Suite vulnerability to its Known Exploited Vulnerabilities catalog Thursday, urging federal agencies to patch immediately. The flaw (CVE-2025-68645) allows attackers to access sensitive files without authentication by exploiting the webmail interface's RestFilter servlet.
Threat actors are already using this vulnerability in sophisticated, targeted campaigns according to CrowdSec researchers. The bug can expose internal system information and enable further attacks when combined with other weaknesses.
Zimbra released patches in November 2025 for versions 10.1.13 and 10.0.18. Federal agencies have three weeks to fix this and three other newly identified exploited vulnerabilities under government security directives.
Source: Security Week