Welcome to this week’s pulse on the cyber threat landscape, where vulnerabilities strike fast, and defenders must move faster. Notepad++ users face a supply-chain nightmare after a malicious update; Microsoft Office’s latest 0-day is ripe for exploitation; and ESXi servers are under siege from ruthless ransomware gangs.
We’ve dissected these incidents, plus fresh intel on emerging tactics, patches to deploy now, and strategies to fortify your defenses. Dive in to stay one step ahead.
This week’s highlights include actively exploited zero-days in Microsoft Office and React Native tools, plus critical patches for Chrome, SolarWinds, and F5 products.
Vulnerabilities
Clawdbot RCE Flaw
A critical vulnerability in OpenClaw (formerly Clawdbot) enables one-click remote code execution via unsafe URL handling and WebSocket hijacking, granting attackers full system access. Victims visiting malicious sites leak auth tokens, allowing command execution after bypassing safety checks. Upgrade to v2026.1.24-1 and rotate tokens immediately.
Microsoft Office Zero-Day
Russia-linked APT28 is exploiting CVE-2026-21509 in Microsoft Office to deploy COVENANT malware against Ukrainian and EU targets via phishing documents. The attack uses WebDAV for payload delivery, COM hijacking, and Filen.io C2 to evade detection. Apply registry mitigations and block IOCs as warned by CERT-UA.
React Native Metro Exploit
Hackers are exploiting CVE-2025-11953 in React Native’s Metro server for RCE on Windows/Linux dev environments, delivering Rust malware via multi-stage loaders. Attacks bypass Defender and fetch payloads from attacker C2, detected since December 2025. Update to @react-native-community/cli 20.0.0+ and isolate dev servers.
Chrome High-Severity Patches
Google patched CVE-2026-1862 (V8 type confusion) and CVE-2026-1861 (libvpx heap overflow) in Chrome 144.0.7559.132; both risk arbitrary code execution (ACE) via malicious sites. Update immediately, as memory-safety bugs like these are prime candidates for exploit chains.
SolarWinds Web Help Desk RCE
CISA warns of exploited CVE-2025-40551, an unauthenticated deserialization RCE in SolarWinds Web Help Desk that allows arbitrary commands. Patch by the February 6 deadline or isolate affected systems to prevent malware deployment and lateral movement. Monitor logs for signs of compromise.
F5 Critical Vulnerabilities
F5 patched DoS flaws such as CVE-2026-22548 in BIG-IP WAF/ASM and CVE-2026-1642 in NGINX (CVSS up to 8.2), plus configuration exposures. Affected versions span BIG-IP, NGINX Plus, and container services; apply fixes via iHealth or Helm.
Cyber Threats
Arsink RAT Targets Android
Arsink RAT spreads via fake Google, YouTube, and WhatsApp apps on social media and file-sharing sites, hitting 45,000 devices across 143 countries to exfiltrate SMS, calls, contacts, location, and audio.
Read more: https://cybersecuritynews.com/arsink-rat-attacking-android-devices/
Malicious Google Play App
A deceptive document reader app on Google Play gained 50k+ downloads while concealing the Anatsa banking trojan, which overlays fake login screens to steal banking credentials.
Read more: https://cybersecuritynews.com/malicious-app-on-the-google-play-with-50k-downloads/
Chollima APT LNK Attack
Chollima APT (Ricochet) targets North Korean activists with spear-phishing ZIPs containing LNK files from Dropbox, executing fileless PowerShell malware for Dropbox C2 persistence.
Read more: https://cybersecuritynews.com/chollima-apt-hackers-weaponize-lnk-file/
GlassWorm VSX Breach
GlassWorm malware tainted Open VSX extensions (FTP sync, i18n tools) with 22k+ downloads, targeting developers to steal macOS browser data, crypto wallets, and SSH keys via Solana C2.
Read more: https://cybersecuritynews.com/glassworm-infiltrated-vsx-extensions/
Shadow DNS Router Hijack
Shadow DNS attackers reprogram home routers to Aeza resolvers, using EDNS0 evasion to redirect scam traffic selectively while evading detection.
Read more: https://cybersecuritynews.com/shadow-dns-hacking-routers-internet-traffic/
Cloud Platform Phishing Abuse
Threat actors exploit Microsoft Azure, Google Firebase, and AWS to host AiTM phishing kits like Tycoon2FA, leveraging trusted domains to capture enterprise credentials undetected.
Read more: https://cybersecuritynews.com/threat-actors-abuse-microsoft-google-platforms/
ValleyRAT LINE Impersonation
ValleyRAT poses as a LINE installer for Chinese users, disabling Defender, injecting into Explorer.exe, and stealing logins through the PoolParty exfiltration method.
Read more: https://cybersecuritynews.com/valleyrat-mimic-as-line-installer-attacking-users/
Interlock Ransomware Exploit
Interlock ransomware deploys “Hotta Killer” exploiting a gaming anti-cheat driver zero-day (CVE-2025-61155) to disable EDR/AV before encrypting education sector targets.
Cyber Attacks
Notepad++ Update Hijack
Attackers compromised Notepad++’s former shared hosting infrastructure from June to December 2025, selectively redirecting users to malicious update servers. The group, likely Chinese state-sponsored, exploited weak update validation in older versions, prompting the release of v8.8.9 with hardened checks and future XMLDSig enforcement.
Read more: https://cybersecuritynews.com/notepad-hijacked/
NTDS.dit Theft Surge
Hackers are exfiltrating Active Directory’s NTDS.dit file using tools like PsExec, vssadmin, and SecretsDump to dump domain credentials undetected. This grants full control over enterprise identity systems, with experts urging KRBTGT resets and Credential Guard deployment.
Read more: https://cybersecuritynews.com/hackers-exfiltrating-ntds-dit-file/
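As an added example (not from the article), here is detection logic a SOC could run over process-creation events to flag the NTDS.dit theft chain above: shadow-copy creation, ntds.dit access, and the dumping tools named in the item. The log lines are constructed in a Sysmon Event ID 1 style, and the field names (Computer, User, CommandLine) are assumptions.

```python
"""Flag process-creation events matching the NTDS.dit theft tooling."""
import re

# Each rule: (name, regex applied to the lower-cased command line).
RULES = [
    ("shadow_copy_created", re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate\b.*\bshadow\b")),
    ("ntds_dit_touched", re.compile(r"\bntds\.dit\b")),
    ("ntdsutil_ifm", re.compile(r"\bntdsutil(\.exe)?\b.*\b(ifm|create full)\b")),
    ("secretsdump", re.compile(r"\bsecretsdump(\.py|\.exe)?\b")),
    ("psexec_remote_exec", re.compile(r"\bpsexe(c|svc)(\.exe)?\b")),
]

def parse_event(line):
    """Split 'key=value' pairs; a value runs until the next ' key=' or end of line."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))

def detect(lines):
    """Return [(host, rule_name, command_line)] for every matching event."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("CommandLine", "").lower()
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits.append((ev.get("Computer", "?"), name, ev.get("CommandLine")))
    return hits

def hosts_with_full_chain(lines):
    """Hosts where BOTH shadow-copy creation and ntds.dit access were observed."""
    seen = {}
    for host, rule, _ in detect(lines):
        seen.setdefault(host, set()).add(rule)
    needed = {"shadow_copy_created", "ntds_dit_touched"}
    return sorted(h for h, rules in seen.items() if needed <= rules)

# Constructed sample events (assumed field layout), one benign line for contrast.
SAMPLE_EVENTS = [
    r"EventID=1 Computer=DC01 User=CORP\svc_backup CommandLine=vssadmin.exe create shadow /for=C:",
    r"EventID=1 Computer=DC01 User=CORP\svc_backup CommandLine=cmd.exe /c copy \\?\GLOBALROOT\...\ntds.dit C:\temp\out.dit",
    r"EventID=1 Computer=WS07 User=CORP\alice CommandLine=notepad.exe C:\Users\alice\notes.txt",
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
    print("full chain on:", hosts_with_full_chain(SAMPLE_EVENTS))
```

Correlating the two stages per host, rather than alerting on each alone, keeps legitimate backup jobs that only create shadow copies out of the high-severity queue.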
MongoDB Ransomware Wave
Automated campaigns wipe unprotected MongoDB instances on port 27017, demanding $500-600 in Bitcoin, with 45% of exposed servers already hit. Over 200,000 servers are vulnerable due to misconfigurations in Docker images; enforce SCRAM auth and firewall rules immediately.
Read more: https://cybersecuritynews.com/mongodb-instances-hacked/
AI-Powered AWS Breach
Threat actors used LLMs to escalate stolen AWS credentials to admin access in under 10 minutes, injecting Lambda backdoors, LLMjacking Bedrock models, and spinning up costly GPU instances. Monitor for IP rotators and restrict UpdateFunctionCode permissions.
Read more: https://cybersecuritynews.com/aws-admin-access-in-minutes/
ESXi Zero-Day Ransomware
CISA warns of CVE-2025-22225 exploitation in ransomware attacks on VMware ESXi, allowing sandbox escapes via VMX flaws. Over 41,500 instances remain vulnerable; apply patches and monitor for unsigned drivers.
Read more: https://cybersecuritynews.com/vmware-esxi-0-day-ransomware-attack/
NGINX Traffic Redirection
Attackers inject proxy_pass directives into NGINX configs, especially Baota panels, to redirect traffic to scam sites without malware. Targets include Asian TLDs and .gov domains; scan for IOCs like xzz.pier46[.]com.
Read more: https://cybersecuritynews.com/threat-actors-hacking-nginx-servers/
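As an added example (not from the article), here is a defender's sweep over NGINX config text that flags every proxy_pass directive whose upstream host is not on an allowlist, the check that would surface the injected redirects described above. The allowlist and the sample config are constructed; the rogue host is the IOC quoted in the item.

```python
"""Flag proxy_pass directives that forward traffic to unexpected hosts."""
import re
from urllib.parse import urlsplit

# Upstreams an operator expects to see (assumed allowlist; adjust per site).
ALLOWED_UPSTREAMS = {"127.0.0.1", "localhost", "app_backend"}

PROXY_PASS_RE = re.compile(r"\bproxy_pass\s+([^;]+);")

def rogue_proxy_passes(config_text, allowed=ALLOWED_UPSTREAMS):
    """Return (line_number, host) for each proxy_pass not pointing at an allowlisted host."""
    # Blank out comments without removing newlines so line numbers stay correct.
    stripped = re.sub(r"#.*", "", config_text)
    findings = []
    for match in PROXY_PASS_RE.finditer(stripped):
        target = match.group(1).strip()
        # Normalise de-fanged IOCs such as xzz.pier46[.]com before parsing.
        host = urlsplit(target.replace("[.]", ".")).hostname or target
        # A variable target ($upstream) also lands here, so it is reported for review.
        if host not in allowed:
            line_no = stripped.count("\n", 0, match.start()) + 1
            findings.append((line_no, host))
    return findings

# Constructed sample config: one legitimate backend, one injected redirect.
SAMPLE_CONF = """server {
    listen 80;
    location /api/ {
        proxy_pass http://127.0.0.1:8080;
    }
    location / {
        proxy_pass http://xzz.pier46[.]com/$request_uri;
    }
}
"""

if __name__ == "__main__":
    for line_no, host in rogue_proxy_passes(SAMPLE_CONF):
        print(f"line {line_no}: proxy_pass to non-allowlisted host {host}")
```

Run it across /etc/nginx and any panel-managed vhost directories as a scheduled integrity check, since the injection leaves no malware behind for an AV scan to catch.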
Fake Traffic Ticket Scams
Phishers use SEO-poisoned portals mimicking Canadian provincial sites to steal PII and card details via fake fine payments. Over 70 domains on 45.156.87.0/24 harvest data; verify via official URLs only.
Read more: https://cybersecuritynews.com/beware-of-fake-traffic-ticket-portals/
Windows and Linux
Windows 11 Sign-in Bug
A UI glitch in Windows 11 (KB5064081, OS Build 26100.5074) hides the password icon on lock screens, mainly in enterprise setups managed by Group Policy or MDM. Users can still log in by hovering over the invisible spot, and Microsoft fixed it in the January 29, 2026, preview (KB5074105). No security risk exists, though it drives up IT support tickets.
Teams Image Retrieval Outage
Microsoft resolved an outage (TM1226769) that delayed or blocked inline image loads in Teams chats across desktop, web, and mobile. It disrupted workflows such as sharing threat intel screenshots in SOCs, with no breach confirmed. Engineers fixed backend issues, restoring service for 320 million users.
Storage Settings UAC Prompt
Windows 11 preview KB5074105 adds UAC prompts for Settings > System > Storage access in versions 24H2/25H2, blocking unauthorized drive analysis. This prevents shoulder surfing or local tampering without admin credentials. It also includes AI model updates and requires the Servicing Stack Update KB5074104.
NTLM Disable Roadmap
Microsoft plans to disable NTLM by default in future Windows releases via a three-phase shift to Kerberos, combating relay and pass-the-hash attacks. Phase 1 (now) audits usage; Phase 2 (H2 2026) reduces it; Phase 3 disables it by default while retaining legacy support for dependencies.
Native Sysmon Integration
Windows 11 Insider Build 26300.7733 natively adds Sysmon for process, network, and file event logging to the Event Log, easing SOC deployments. Enable it via Settings or DISM/PowerShell, and uninstall standalone Sysmon first to avoid conflicts. It is off by default and supports custom XML filtering.
