Daily Drop (1236)
01-31-26
Saturday, Jan 31, 2025 // (IG): BB // GITHUB // SN R&D
China-Linked UAT-8099 Targets Microsoft IIS Servers with Custom Malware and Living-off-the-Land Tactics
Bottom Line Up Front (BLUF): A previously undocumented China-linked threat actor tracked as UAT-8099 has been observed targeting Microsoft IIS web servers in a stealthy espionage campaign. According to researchers at Halcyon, the group uses bespoke malware and living-off-the-land binaries (LOLBins) to maintain persistence and avoid detection, focusing on espionage in critical sectors.
Analyst Comments: IIS servers are often overlooked in security monitoring—making them ideal targets for quiet persistence. UAT-8099 is clearly after long-term access, not smash-and-grab ransomware. Their use of custom payloads and fileless execution via Windows-native tools shows sophistication but also discipline: this is about intelligence collection. If you’re running public-facing IIS instances—especially tied to sensitive backend services—assume they’re on someone’s recon list. The lack of flashy malware here doesn’t mean low risk.
READ THE STORY: THN
SideWinder APT Targets Indian Government and Industries with Stealthy Phishing and DLL Sideloading Campaigns
Bottom Line Up Front (BLUF): APT group SideWinder has launched a high-intensity campaign targeting Indian government entities, defense, finance, telecom, and healthcare sectors. The group uses phishing lures, DLL sideloading, and cloud services to evade detection, with recent attacks posing as “income tax verification” emails. The scope spans multiple industries, showing a shift from targeted espionage to broader disruption campaigns.
Analyst Comments: SideWinder is layering social engineering with LOLBins (living-off-the-land binaries), cloud-based evasion, and staged delivery. Using Microsoft Defender’s own signed binaries to sideload malicious DLLs is especially nasty—most EDRs won’t flag it by default. The group’s ability to scale across sectors shows solid recon and a likely intelligence objective. Indian defenders need to treat this like a national-level threat actor—not just malware. This isn’t splashy ransomware; it’s stealth, data theft, and potential long-term persistence.
READ THE STORY: Freebuf
Poland Power Grid Targeted in OT Attack: Dragos Attributes Intrusion to Russian Nexus Threat Group
Bottom Line Up Front (BLUF): Dragos has confirmed a disruptive cyberattack against Polish critical infrastructure in 2024, targeting the Operational Technology (OT) environment of a power utility. The threat actor, identified as the Russian-linked group ELECTRUM, used OT-specific malware and living-off-the-land techniques. This is the first known OT-specific intrusion affecting Poland and marks a serious escalation in regional targeting of civilian energy systems.
Analyst Comments: ELECTRUM, historically tied to the 2016 Ukrainian grid attacks, deployed similar TTPs here, including custom ICS malware and hands-on-keyboard access. The use of legitimate remote access tools and abuse of Windows components like WMI and PowerShell points to deep knowledge of industrial environments. While the attack didn’t cause sustained outages, it signals capability and intent to disrupt NATO-aligned civilian infrastructure. Defenders should expect similar campaigns across Eastern Europe as geopolitical tensions persist. Assume reconnaissance operations are already underway in other grid networks.
READ THE STORY: Dragos
Polish Government Attributes December Cyberattacks to Russian APT “APT28” in Pre-Election Disruption Campaign
Bottom Line Up Front (BLUF): The Polish government has formally attributed a wave of December 2025 cyberattacks targeting key state institutions and media outlets to Russia-linked threat group APT28 (a.k.a. Fancy Bear). The coordinated campaign aimed to disrupt Poland’s parliamentary elections, aligning with Moscow’s broader strategy of undermining NATO-aligned democracies.
Analyst Comments: By hitting government systems and national news outlets ahead of a major election, the operation fits the classic Russian playbook: destabilize from within, then exploit the chaos. Attribution to APT28 is consistent with past EU election cycles. While no voting infrastructure was compromised, the timing and target set matter. Expect continued hybrid operations—cyber and influence—across NATO’s eastern flank as 2026 elections unfold.
READ THE STORY: THN
Magento Zero-Day Exploited to Root 200+ Online Stores
Bottom Line Up Front (BLUF): A zero-day vulnerability in the Magento e-commerce platform is being actively exploited to compromise over 200 stores, granting attackers full control of affected systems. Researchers from Sansec identified the flaw being used in a campaign dubbed "Xurum," where malicious payloads are injected into legitimate Magento codebases to deploy remote access tools and payment skimmers.
Analyst Comments: Magento has long been a lucrative target for financially motivated attackers, and this zero-day shows they're still investing in custom tooling for supply-chain-scale abuse. The Xurum campaign gives attackers root access—meaning this goes way beyond Magecart-style card skimming. Full compromise of the store can lead to backdoored extensions, credential harvesting, lateral movement into payment processors, or data theft. Any unpatched Magento store should be considered compromised until proven otherwise. E-commerce security teams need to treat this as an incident, not just a patching issue.
READ THE STORY: GBhackers
Insider Threats on the Rise: Hackers Blackmail Employees to Breach Corporate Networks
Bottom Line Up Front (BLUF): A growing number of cybercrime groups are bypassing technical defenses by coercing or bribing employees to act as insider threats. A new report highlights campaigns where threat actors offer payment—or resort to blackmail—to gain access to corporate environments, in some cases requesting insiders install remote access tools or steal credentials.
Analyst Comments: Ransomware crews and access brokers are now cutting humans into the kill chain by design. Instead of wasting zero-days or brute-forcing MFA, they’re going straight to the weakest link: underpaid or compromised employees. This tactic sidesteps perimeter defenses entirely and renders many traditional security controls irrelevant. If you’re not running insider threat detection—especially around access abuse and anomalous tooling—you’re blind to this threat vector. Expect this trend to grow as attackers realize it’s faster and cheaper than writing malware.
READ THE STORY: THN
Over 3.28 Million Fortinet Devices Exposed Due to Unpatched FortiOS Flaws
Bottom Line Up Front (BLUF): Researchers at Cyble have identified over 3.28 million internet-exposed Fortinet devices running outdated or vulnerable versions of FortiOS, leaving them susceptible to multiple high-impact exploits—including several with known CVEs already weaponized in the wild. Many affected devices are firewalls and VPN appliances that serve as frontline infrastructure in enterprise networks.
Analyst Comments: This kind of exposure is catnip for ransomware crews and state-sponsored APTs alike. The fact that so many devices remain unpatched despite widespread coverage of previous Fortinet vulnerabilities points to serious gaps in asset management and patch validation. If you're running Fortinet gear, don't assume someone else is watching it—audit now.
READ THE STORY: Cyber Press
Ex-Google Engineer Convicted for Stealing AI Trade Secrets Tied to China
Bottom Line Up Front (BLUF): A former Google engineer, Linwei Ding, was convicted on four counts of stealing trade secrets related to Google’s advanced AI chip infrastructure. The Department of Justice stated Ding covertly transferred confidential files to personal devices while secretly working for Chinese AI startups. The case marks a rare conviction under the Economic Espionage Act involving cutting-edge AI hardware.
Analyst Comments: Ding’s dual employment with Chinese firms while accessing Google’s TPU (Tensor Processing Unit) data shows both how valuable this IP is—and how vulnerable companies still are to insider threats. Expect more scrutiny on employees with foreign affiliations, especially in sensitive R&D roles. Security teams should double down on data loss prevention (DLP), insider risk detection, and endpoint monitoring, especially in AI-heavy orgs.
READ THE STORY: THN
New Metasploit Modules Target FreePBX, Cacti, and SmarterMail: Public Exploits Raise Stakes for Internet-Exposed Systems
NOTE:
Newly released Metasploit modules chain authentication bypasses with SQL injection and unrestricted file upload flaws to deliver reliable remote code execution, meaning attackers no longer need custom tooling or deep VoIP knowledge to compromise systems. This turns exposed FreePBX instances into low-effort targets for rapid takeover, persistence via webshells or rogue admin accounts, and immediate abuse through toll fraud or lateral movement. In practical terms, once these modules are public, any unpatched FreePBX box on the internet should be assumed actively exploitable.
Bottom Line Up Front (BLUF): Researchers have added Metasploit modules for critical vulnerabilities in FreePBX (RCE), Cacti (unauthenticated command injection), and SmarterMail (privilege escalation). All three have known CVEs and functional proof-of-concept exploits. These modules dramatically lower the barrier for exploitation and increase risk for unpatched, internet-facing systems.
Analyst Comments: Once a vuln hits Metasploit, mass exploitation is just a matter of time. Cacti and FreePBX are common in smaller IT shops and telco environments, while SmarterMail is often used by SMBs and hosting providers. The Cacti bug is especially concerning—unauthenticated command injection makes it perfect for initial access or botnet expansion. Expect scanning activity to spike, especially from Mirai variants and low-tier actors looking to gain quick wins. If you’ve got these systems exposed, patch yesterday or expect shells.
READ THE STORY: Cyber Press
FreePBX Vulnerability Exploited in Active Campaigns Targeting VoIP Systems
Bottom Line Up Front (BLUF): A newly disclosed vulnerability in FreePBX (CVE-2023-49785) is being actively exploited in the wild, enabling remote attackers to execute arbitrary shell commands via crafted HTTP requests. The flaw affects systems with the Rest Phone Apps module enabled and allows unauthenticated remote code execution (RCE). Exploitation has already been observed in targeted VoIP environments.
Analyst Comments: VoIP infrastructure often flies under the radar in many orgs’ patch cycles—attackers know it. This FreePBX flaw is trivial to exploit and gives shell access with minimal effort. If you’re exposing FreePBX to the internet and haven’t disabled the vulnerable module or applied the fix, assume compromise. This isn’t theoretical—exploitation is happening now. Expect this to be folded into automated exploit kits and used in initial access for ransomware or espionage.
READ THE STORY: Cyber Press
Items of interest
Ivanti EPMM Hit with Two Pre-Auth RCE Vulnerabilities Exploited in the Wild (CVE-2026-1281 & CVE-2026-1340)
Bottom Line Up Front (BLUF): WatchTowr Labs disclosed two new pre-authentication remote code execution (RCE) vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2026-1281 and CVE-2026-1340. Both flaws are actively exploited in the wild and stem from classic Bash injection techniques. Attackers can gain unauthenticated shell access to vulnerable appliances exposed to the internet.
Analyst Comments: This pair of RCEs amounts to another critical blow to EPMM customers, especially given that both vulnerabilities are trivial to exploit and don’t require credentials. Worse, active exploitation has been confirmed before public disclosure, suggesting either private exploitation or leaks from coordinated disclosure processes. If your EPMM instance is exposed to the internet and unpatched, you’re already late. Prioritize isolation and forensic review.
READ THE STORY: Watchtowr
Chaining Vulnerabilities Like a Pro Bug Bounty Hunter (Video)
FROM THE MEDIA: Whether you're a beginner or an experienced bug hunter, this video will give you valuable insights and techniques to elevate your hacking game. Don't miss out—your next big find could be just one chain away.
Sina Kheirkhah - Unveiling the Ivanti vulnerability: from discovery to exploitation (Video)
FROM THE MEDIA: Unveiling the Ivanti vulnerability: from discovery to exploitation
The selected stories cover a broad range of cyber threats and are intended to help readers frame key publicly discussed threats and improve overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, don't hesitate to get in touch with InfoDom Securities at dominanceinformation@gmail.com.