Daily Brief

A new cyber campaign targets U.S. government and policy entities using Venezuela-themed spear phishing to deploy the LOTUSLITE backdoor. The campaign uses a ZIP archive containing a malicious DLL, leveraging DLL side-loading techniques for execution. Attribution points to the Chinese state-sponsored group Mustang Panda, known for using DLL side-loading in its operations. LOTUSLITE communicates with a command-and-control server, enabling beaconing, remote tasking, and data exfiltration via Windows WinHTTP APIs. The backdoor ensures persistence by modifying the Windows Registry for automatic execution upon user login. This operation reflects a trend of using geopolitical lures and reliable techniques over sophisticated evasion methods. The disclosure coincides with reports of a U.S. cyber operation in Caracas, disrupting power to facilitate a military mission. The campaign underscores the effectiveness of targeted delivery and geopolitical themes in cyber espionage activities.

A critical vulnerability in Fortinet FortiSIEM, identified as CVE-2025-64155, is being exploited in the wild, affecting versions 6.7 to 7.5. The flaw allows unauthenticated attackers to execute unauthorized code via crafted TCP requests, leading to potential root access. Fortinet released patches for affected versions and suggested a temporary workaround for those unable to update immediately. Horizon3.ai provided a detailed technical write-up and proof-of-concept exploit code, aiding attackers in leveraging the vulnerability. Defused confirmed active exploitation through honeypots, signaling a significant threat to unpatched systems. Administrators are advised to check specific logs for indicators of compromise to identify potential breaches. Fortinet has yet to officially update its advisory to reflect the active exploitation status, leaving some users potentially unaware. This incident follows recent Fortinet vulnerabilities, emphasizing the need for timely patch management and proactive threat monitoring.

Cisco addressed a critical vulnerability in AsyncOS affecting Secure Email Gateway and Web Manager appliances, exploited since November 2025. The flaw allowed root-level command execution on affected systems. The vulnerability, CVE-2025-20393, impacted systems with non-standard configurations when the Spam Quarantine feature was enabled and exposed online, posing significant security risks. Cisco Talos attributed the exploitation of this vulnerability to UAT-9686, a Chinese state-linked APT group, known for deploying AquaShell backdoors and reverse-SSH tunnel malware. The threat actors used AquaTunnel and Chisel for reverse tunneling and AquaPurge for log clearing, techniques also associated with other Chinese APTs like APT41 and UNC5174. CISA added CVE-2025-20393 to its known exploited vulnerabilities catalog, mandating federal agencies to secure affected systems by December 24, 2025, following Cisco's remediation guidance. This incident underscores the necessity for organizations to regularly update their systems and monitor for signs of compromise, especially in internet-exposed configurations. The case highlights the persistent threat posed by state-sponsored actors leveraging zero-day vulnerabilities to infiltrate and maintain access to critical infrastructure.

Microsoft identified a shutdown issue in Windows 11 23H2 systems with System Guard Secure Launch after the KB5073455 update, affecting Enterprise and IoT editions. The problem prevents affected PCs from shutting down or entering hibernation, causing unexpected restarts instead. System Guard Secure Launch is a security feature designed to protect against firmware-level threats during the boot process. Microsoft has provided a temporary workaround using a command prompt shutdown, but no solution exists for hibernation issues. Users are advised to save work and shut down devices manually to prevent power loss until a permanent fix is released. Microsoft is also addressing related issues from the January 2026 updates, including Remote Desktop connection failures and false security alerts. These incidents highlight the critical need for thorough testing of security updates to prevent operational disruptions in enterprise environments.

Cisco Talos has identified a China-nexus APT, UAT-8837, targeting critical infrastructure in North America, leveraging a Sitecore zero-day vulnerability (CVE-2025-53690) with a CVSS score of 9.0. The threat actor focuses on initial access to high-value organizations, using open-source tools to gather sensitive information, including credentials and Active Directory data. UAT-8837's tactics involve disabling security features like RestrictedAdmin for RDP and using cmd.exe for direct interaction on compromised systems. The group exfiltrated DLL-based shared libraries from victims, potentially setting the stage for future supply chain attacks and reverse engineering efforts. This activity aligns with broader concerns about Chinese cyber threats to critical infrastructure, prompting alerts from Western cybersecurity agencies. Recent guidance from global cybersecurity agencies emphasizes securing operational technology environments, highlighting the risks posed by exposed and insecure OT connectivity. The ongoing threat landscape reflects both state-sponsored and opportunistic attacks on critical national infrastructure, underscoring the need for robust security measures.

Researchers identified a critical vulnerability, CVE-2025-36911, in Google's Fast Pair protocol, affecting Bluetooth audio devices from multiple manufacturers, enabling unauthorized tracking and eavesdropping. The flaw, dubbed WhisperPair, impacts hundreds of millions of wireless headphones, earbuds, and speakers, irrespective of the smartphone operating system used. The vulnerability arises from improper implementation of the Fast Pair protocol, allowing unauthorized devices to initiate pairing without user consent or knowledge. Attackers can exploit this flaw with any Bluetooth-capable device to forcibly pair with vulnerable accessories within a 14-meter range, gaining control over audio functions. Once paired, attackers can eavesdrop on conversations or track users via Google's Find Hub network, potentially leading to privacy breaches. Google awarded a $15,000 bounty to researchers and collaborated with manufacturers to issue patches, though updates may not be available for all devices yet. Users are advised to install firmware updates from manufacturers, as disabling Fast Pair on phones does not mitigate the risk on the affected accessories.

Cisco released patches for a critical zero-day vulnerability in its Secure Email Gateway, exploited by a China-linked APT group known as UAT-9686. The flaw, CVE-2025-20393, allows remote command execution with root privileges due to improper HTTP request validation in the Spam Quarantine feature. Exploitation requires specific conditions and has been used since November 2025 to deploy tools like ReverseSSH and a Python backdoor named AquaShell. Cisco's updates not only patch the vulnerability but also remove persistence mechanisms used in the attack campaign, enhancing overall security. Customers are advised to implement hardening measures, such as securing appliances behind firewalls, disabling unnecessary services, and enforcing strong authentication. Monitoring web log traffic for unusual activity is crucial to detect potential exploitation attempts and safeguard network integrity. This incident underscores the importance of timely patch management and robust security configurations to mitigate advanced persistent threats.

Cisco addressed a critical vulnerability, CVE-2025-20393, in its Secure Email Gateway and Web Manager appliances, exploited for over a month by threat actors. The flaw allowed attackers to execute arbitrary commands with root privileges, posing significant security risks to affected systems. Cisco's Talos team attributed the attacks to UAT-9686, a threat group linked to China, active since at least late November 2025. The vulnerability's exploitation included a persistence mechanism, enabling attackers to maintain control over compromised systems. Cisco released software updates to eliminate the vulnerability and remove any persistence mechanisms installed during the attacks. Customers are strongly advised to upgrade to the latest software release to protect their systems and contact Cisco Technical Assistance for support. The number of compromised appliances remains undisclosed, but the fix aims to prevent further unauthorized access.

Gootloader malware, active since 2020, is using complex ZIP archives to bypass detection, impacting cybersecurity defenses globally. The malware is delivered as a JScript file within a ZIP archive, causing analysis tools like 7-Zip and WinRAR to crash. Researchers from Huntress Labs and the DFIR Report noted the malware's return after a seven-month hiatus, with enhanced obfuscation techniques. Gootloader establishes persistence by using Windows Script Host and adding shortcut files to the Startup folder, ensuring execution at system boot. Expel researchers identified structural anomalies in the ZIP files, providing a YARA rule to help defenders detect the malware. Recommendations include changing the default application for JScript files to Notepad and blocking wscript.exe and cscript.exe to mitigate risks. The evolving tactics of Gootloader highlight the need for adaptive detection strategies and proactive security measures.

Acronis Threat Research Unit identified a phishing campaign targeting US government agencies using Venezuelan political events as bait, attributed to Chinese-linked Mustang Panda. The campaign involved a zip file with a legitimate executable and a hidden DLL-based backdoor, Lotuslite, indicating advanced tactics. Mustang Panda's operations align with geopolitical events, leveraging incidents like Maduro's capture to enhance phishing lures. US law enforcement and cybersecurity agencies have monitored Mustang Panda for years, citing breaches in government and private sectors across multiple regions. The Lotuslite malware establishes persistence, performs beaconing, and allows data theft, communicating with a hard-coded command-and-control server. The targeted approach of the campaign suggests a precise, event-driven strategy rather than a broad attack, focusing on specific high-value targets. The incident emphasizes the need for vigilance against phishing campaigns exploiting real-time geopolitical developments for cyberespionage.

Grubhub confirmed hackers accessed its systems, leading to a data breach, though sensitive financial information was reportedly not compromised. The company is dealing with extortion demands, allegedly from the ShinyHunters group, seeking Bitcoin payments to withhold stolen data. The breach involved older Salesforce data and recent Zendesk data, critical for Grubhub's customer support operations. Grubhub is collaborating with a third-party cybersecurity firm and law enforcement to address the breach and enhance security measures. The breach appears linked to a wider data theft campaign exploiting stolen OAuth tokens from Salesloft's Salesforce integration. Google's Threat Intelligence team reported that the campaign targeted sensitive credentials, impacting multiple organizations. Organizations affected by the Salesloft Drift incidents are urged to rotate all compromised access tokens and secrets to mitigate further risks.

Researchers at CISPA Helmholtz Center identified a vulnerability in AMD CPUs, named StackWarp, impacting AMD's Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) technology. StackWarp allows attackers with host server control to access sensitive data in virtual machines, including cryptographic keys and system privileges. The vulnerability exploits a flaw in the CPU's stack engine, specifically targeting a control bit in the hypervisor, disrupting the stack pointer synchronization. AMD released patches in July 2025 to address the issue, but OEM firmware updates are necessary for comprehensive protection. The vulnerability is rated as low severity by AMD, yet it challenges the isolation promises of confidential virtual machines. The attack is feasible when Simultaneous Multithreading (SMT) is enabled, a feature that allows multiple threads to share CPU resources. Cloud providers using AMD Zen CPUs for confidential VMs should prioritize applying the patches to maintain security integrity. Proof-of-concept exploit code is available on GitHub, emphasizing the need for immediate action to mitigate potential risks.

A severe vulnerability in the Modular DS WordPress plugin, identified as CVE-2026-23550, permits unauthorized admin access, affecting over 40,000 installations globally. The flaw impacts versions 2.5.1 and older, enabling attackers to bypass authentication and gain admin-level privileges on targeted sites. Exploitation began on January 13, with attackers leveraging design and implementation flaws, including unchecked direct request modes. Patchstack researchers confirmed the vulnerability and coordinated with the vendor, leading to a rapid fix in version 2.5.2. The update includes enhanced route validation, a default 404 route, and improved request filtering to prevent unauthorized access. Users are urged to upgrade to version 2.5.2 or later immediately and review server logs for suspicious activity. The vendor advises regenerating WordPress salts and checking for unauthorized admin users post-update to ensure security integrity.

A misconfiguration in AWS CodeBuild exposed GitHub repositories to potential supply chain attacks, risking AWS environments globally. The issue, named CodeBreach, was identified by Wiz researchers. The flaw allowed unauthorized actors to inject malicious code into AWS's JavaScript SDK, potentially affecting numerous applications and the AWS Console itself, posing a significant security threat. The vulnerability stemmed from weaknesses in continuous integration pipelines, enabling attackers to breach build environments and access privileged credentials, leading to possible repository compromises. AWS addressed the issue in September 2025 after responsible disclosure, implementing additional mitigations such as credential rotations and securing build processes to prevent unauthorized access. No evidence was found of CodeBreach being exploited in the wild, but the incident emphasizes the critical need for robust CI/CD security practices to prevent similar vulnerabilities. The incident serves as a reminder of the importance of correctly configuring webhook filters and securing CI/CD environments to prevent unauthorized access and potential supply chain attacks. The broader implications highlight ongoing vulnerabilities in CI/CD pipeline security, as similar issues have been identified in other major companies, underscoring the need for vigilant security practices.

Anthropic's Cowork AI tool is vulnerable to prompt injection attacks, allowing unauthorized file exfiltration via its Files API, a risk first identified in October 2023. The vulnerability can be exploited by embedding a hidden prompt in documents, triggering unauthorized data transfer to an attacker's Anthropic account. PromptArmor demonstrated the flaw using a real estate file, exposing sensitive financial and personal information without user consent. Anthropic acknowledges the risk but places responsibility on users to avoid connecting Cowork to sensitive documents and monitor for suspicious activity. Despite previous warnings, Anthropic has not implemented comprehensive fixes, citing prompt injection as an industry-wide challenge. The company plans to update Cowork's virtual machine to limit access to sensitive files and directories, with further security enhancements anticipated. Users are encouraged to provide feedback during Cowork's research preview phase, as Anthropic seeks to refine its security measures.