Executive Summary
Highlights of Cyber Threat Intelligence Digest
Vulnerabilities
Researcher Discloses CVE-2026-23988 Vulnerability in Rufus - On 23 January 2026, SentinelOne disclosed details of CVE-2026-23988, a high-severity time-of-check time-of-use (TOCTOU) race condition vulnerability affecting Rufus (versions 4.11 and earlier), a tool used to format and create bootable USB drives.
The vulnerability is caused by unsafe file-handling logic within Rufus’s network module (src/net.c). If successfully exploited, an attacker could execute arbitrary code with Administrator-level privileges. Users are advised to upgrade to Rufus version 4.12 BETA to reduce the risk of exploitation.
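The time-of-check time-of-use pattern behind this class of bug, shown as an added Python illustration (this is not Rufus's code; the digest does not reproduce the actual src/net.c logic). A function that validates a file by path and then opens it by path leaves a window in which the path can be swapped for something else, whereas opening first and validating the descriptor with fstat removes that window. POSIX semantics (O_NOFOLLOW, file ownership) are assumed, and the file names are constructed for the demonstration.

```python
import os
import stat
import tempfile


def read_trusted_file_racy(path):
    """Vulnerable pattern: check by path, then open by path (illustrative only)."""
    if os.path.islink(path):
        raise ValueError("refusing symlink")
    if not os.path.isfile(path):
        raise ValueError("not a regular file")
    # --- race window: between the checks above and the open below, a local
    # user who can write to the directory could replace the path with a
    # symlink or a different file, and the open would follow it. ---
    with open(path, "rb") as f:
        return f.read()


def read_trusted_file_safe(path):
    """Hardened pattern: open without following symlinks, then validate the
    descriptor itself and use only that descriptor afterwards."""
    flags = os.O_RDONLY | os.O_NOFOLLOW | getattr(os, "O_NOCTTY", 0)
    fd = os.open(path, flags)  # raises OSError (ELOOP) if path is a symlink
    try:
        st = os.fstat(fd)  # properties of the object we actually opened
        if not stat.S_ISREG(st.st_mode):
            raise ValueError("not a regular file")
        if hasattr(os, "getuid") and st.st_uid != os.getuid():
            # assumption: trusted files are owned by the user running the program
            raise ValueError("unexpected file owner")
        f = os.fdopen(fd, "rb")
    except Exception:
        os.close(fd)
        raise
    with f:  # the file object now owns fd and closes it
        return f.read()


def demo():
    """Constructed scenario: a regular file and a symlink pointing at it."""
    d = tempfile.mkdtemp()
    real = os.path.join(d, "update.bin")
    link = os.path.join(d, "link.bin")
    with open(real, "wb") as f:
        f.write(b"payload")
    os.symlink(real, link)
    result = {"real": read_trusted_file_safe(real)}
    try:
        read_trusted_file_safe(link)
        result["link_rejected"] = False
    except OSError:
        result["link_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The point of the hardened version is that every decision is made about the object that was actually opened, so there is nothing for a concurrent change to the path to subvert; on Windows the equivalent is to open the handle first and query it, rather than querying the path and opening afterwards.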
Threat Actors Exploit CVE-2026-23760 in SmarterMail to Hijack Privileged Accounts and Achieve RCE - On 22 January 2026, Huntress reported active exploitation of CVE-2026-23760, a critical account takeover vulnerability affecting SmarterTools SmarterMail versions earlier than Build 9511.
The vulnerability allows unauthenticated attackers to reset passwords for privileged accounts and achieve remote code execution (RCE) through malicious system events. At the time of writing, the identity of the threat actor responsible for this in-the-wild exploitation remains unknown.
vm2 Maintainers Patch CVE-2026-22709 Sandbox Escape Vulnerability - On 26 January 2026, the vm2 project maintainers patched CVE-2026-22709, a critical-severity vulnerability affecting vm2 (versions 3.10.1 and earlier). vm2 is an npm package that provides a sandboxed environment for running JavaScript code in Node.js.
The vulnerability is caused by insufficient sanitisation of callbacks linked to Promise.prototype.then and Promise.prototype.catch. If successfully exploited, an attacker could escape the vm2 sandbox and run arbitrary code in the host environment. The issue was fixed in vm2 version 3.10.2.
Potential Threats
Notepad++ Update Feature Hijacked by Alleged Chinese State-Sponsored Actors - On 2 February 2026, BleepingComputer reported that Notepad++ update traffic had been hijacked by a suspected Chinese state-sponsored threat actor between June and December 2025. The attackers selectively redirected update requests from certain users to malicious servers by exploiting weaknesses in older update verification controls and by compromising the server hosting the Notepad++ update service. The targeting was limited in scope, affecting only specific users, and the threat actors briefly lost access in September 2025 before regaining it using previously stolen service credentials. Access was fully terminated on 2 December 2025.
In response, Notepad++ released version 8.8.9 in December 2025 to fix security flaws in WinGUp, the update component that retrieves and installs updates. The changes added certificate and signature verification and cryptographic signing of update data, with mandatory verification planned for version 8.9.2. Security researchers reported that at least three organisations were affected and that the activity was followed by hands-on reconnaissance of compromised networks.
New Agenda Ransomware Campaign Expands on WSL Abuse and Deploys Tools for Remote Access and Data Exfiltration - On 29 January 2026, TrendAI Research reported new tactics, techniques, and procedures linked to a campaign by the Agenda ransomware group, which first appeared in July 2022 and rebranded as Qilin in September 2022. The researchers observed that in 2025 the group began running a Linux-based encryptor on Windows systems by abusing the Windows Subsystem for Linux (WSL). In the latest campaign, the attackers automate the installation of WSL using a batch script, allowing them to prepare Windows hosts for Linux ransomware and expand the range of systems they can target.
The campaign also uses tools such as s5cmd to exfiltrate data from Amazon S3 and Remotely for persistent remote access. To improve operational security, the attackers randomise file extensions on LSASS memory dumps to conceal credential theft and remove MeshAgent components to reduce evidence of compromise.
Johnson Controls Reports Vulnerability in Application and Network Engine Products - On 27 January 2026, the Cybersecurity and Infrastructure Security Agency (CISA) issued an Industrial Control Systems advisory describing a critical unauthenticated SQL injection vulnerability, tracked as CVE-2025-26385, affecting several Johnson Controls Metasys products. The flaw impacts components including the Metasys Application and Data Server (ADS), Extended Application and Data Server (ADX), LCS8500, NAE8500, the System Configuration Tool (SCT), and the Controller Configuration Tool (CCT).
The vulnerability is caused by improper handling of special characters, which allows unauthenticated remote SQL execution. If exploited, an attacker could alter, delete, or exfiltrate data from systems used in critical infrastructure environments.
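An added Python illustration of the general defect described here, not Johnson Controls' code (the advisory details are not reproduced on this page): when caller-supplied text is spliced into a SQL statement, a quote character ends the string literal and the remainder is parsed as SQL, whereas a bound parameter can only ever match data. The in-memory SQLite table, the device names and the sample inputs are constructed for the example.

```python
import sqlite3


def build_db():
    """Constructed sample: an in-memory table standing in for a product's backing store."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE devices (id INTEGER PRIMARY KEY, name TEXT, site TEXT)")
    con.executemany(
        "INSERT INTO devices (name, site) VALUES (?, ?)",
        [("nae-01", "plant-a"), ("ads-01", "plant-a"), ("adx-02", "plant-b")],
    )
    return con


def find_devices_unsafe(con, site):
    # Vulnerable pattern: the input becomes part of the SQL text, so special
    # characters such as a single quote change the statement's structure.
    sql = f"SELECT name FROM devices WHERE site = '{site}'"
    return [row[0] for row in con.execute(sql)]


def find_devices_safe(con, site):
    # Hardened pattern: the value travels as a bound parameter; the statement
    # text is fixed and the input is compared as data only.
    return [row[0] for row in con.execute("SELECT name FROM devices WHERE site = ?", (site,))]


def demo():
    con = build_db()
    hostile = "plant-a' OR '1'='1"  # constructed input containing a quote character
    return {
        "unsafe": find_devices_unsafe(con, hostile),  # every row leaks
        "safe": find_devices_safe(con, hostile),      # no site has that literal name
        "normal": find_devices_safe(con, "plant-b"),  # ordinary lookup still works
    }


if __name__ == "__main__":
    print(demo())
```

Parameter binding is the fix for the flaw class; input filtering of "special characters" is at best a secondary control, because the set of characters that matter depends on the database dialect and on where in the statement the value lands.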
General News
China's Latest Draft Cybercrime Law Would Apply Worldwide - On 31 January 2026, China’s Ministry of Public Security released a draft “Law on the Prevention and Control of Cybercrime” for public consultation, which, if adopted, would expand real-name registration and identity verification requirements across sectors such as telecommunications, finance, and internet services. The draft law would ban or tightly regulate certain tools and services, including some VoIP and account-creation technologies, and place legal responsibility on providers to ensure their products are not used for criminal activity.
Although framed as targeting fraud and scam operations, the definition of cybercrime is broad and includes “false information”, unlabeled AI-generated content, and activity deemed harmful to national interests, allowing action against overseas individuals and organisations whose services or content affect China. The law would apply both inside and outside China, potentially exposing foreign companies, researchers, and non-profit organisations to penalties such as fines, asset freezes, and restrictions on business or travel. It would also further restrict access to online services through stricter identity controls and introduce new approval requirements for activities such as penetration testing and vulnerability research.
Dating-App Giants Investigate Incidents after Cybercriminals Claim to Steal Data - Dating app companies Bumble and Match Group recently responded to cybersecurity incidents claimed by the ShinyHunters cybercrime group. Bumble said a contractor’s account was compromised in a phishing attack, leading to brief unauthorised access to part of its network, which was quickly contained and did not affect user accounts, messages, or profiles. Match confirmed a separate incident involving a limited amount of user data and said affected customers were being notified, adding there was no evidence that login details, financial data, or private communications were accessed.
ShinyHunters claimed to have stolen internal Bumble documents from services such as Google Drive and Slack and to have accessed millions of Match records, with researchers reporting that leaked samples included some customer, employee, and internal corporate data. The group is known for financially motivated attacks against large organisations, and dating apps are increasingly targeted because of the sensitive personal information they hold.
Google Disrupts IPIDEA Residential Proxy Network Used by Multiple Threat Actor Groups - On 28 January 2026, Google’s Threat Intelligence Group (GTIG) announced that it had disrupted the IPIDEA proxy network, which it described as one of the world’s largest residential proxy services used to support cybercrime, espionage, and influence operations. IPIDEA worked by embedding proxy-enabled software development kits into otherwise legitimate or trojanised apps on platforms such as Android, Windows, and iOS, secretly turning infected devices into proxy exit nodes and routing third-party traffic through ordinary home internet connections.
GTIG found that the network supported multiple botnets and was used by hundreds of threat groups, including actors linked to China, North Korea, Iran, and Russia, to hide malicious activity such as password spraying and unauthorised access attempts. Google responded by taking down command-and-control and marketing infrastructure, sharing intelligence with partners and law enforcement, and blocking the SDKs within the Android ecosystem, actions which it said likely removed millions of devices from IPIDEA’s control.
Threat Actor Weekly Graph
Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.
Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.
Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.
Both intent and opportunity are scored out of 100, and together they determine the group's severity rating. This week's changes are listed below.
Severity levels: Limited, Basic, Moderate, High.

| Threat Actor | Severity (previous → current) | Opportunity (previous → current) | Intent (previous → current) |
|---|---|---|---|
| Sandworm Team | High → High | 78 → 79 | 25 → 25 |
| Morpheus | NEW → Basic | NEW → 25 | NEW → 30 |
| JustAnon69 | NEW → Basic | NEW → 30 | NEW → 5 |
| 0APT Ransomware Group | NEW → Basic | NEW → 25 | NEW → 5 |
| Qilin Ransomware Group | Basic → Basic | 49 → 30 | 49 → 49 |
Global Trends Powered by Recorded Future
Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol.
The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.
▲ Spike – a large increase in reporting volume with high diversity in the event descriptions.
▲ Rise – a small increase in reporting volume with little diversity in the descriptions.
| Attackers | | Methods | | Vulnerabilities | | Targets | |
|---|---|---|---|---|---|---|---|
| Lotus Panda | ▲ | Glassworm | ▲ | CVE-2026-21509 | ▲ | Notepad++ | ▲ |
| North Korea | ▲ | EVEREST | ▲ | CVE-2020-10189 | ▲ | Nation States | ▲ |
| Sh3llhunter | ▲ | SpearPhishing | ▲ | CWE-297 | ▲ | MongoDB | ▲ |
| Dark Storm | ▲ | Backdoor | ▲ | CVE-2020-5902 | ▲ | Italy | ▲ |
| IGRC Cyber | ▲ | T1583.001 | ▲ | CVE-2025-19781 | ▲ | Hinge | ▲ |
Prominent Information Security Events
Notepad++ Supply-Chain Attack by Suspected Chinese Threat Group
Source: Insikt Group | Validated Intelligence Event
IOC: URL - api[.]wiresguard[.]com
IOC: Hash - b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3
IOC: IP - 124[.]222[.]137[.]114
The open-source text editor Notepad++ was compromised by a suspected Chinese threat group between June 2025 and 10 December 2025. The attackers abused the Notepad++ update process, which lacked sufficient tamper validation, to redirect selected users to attacker-controlled servers where malware was downloaded instead of a legitimate update file. Investigation of the incident found that the threat group had breached Notepad++’s hosting provider, which operated the shared infrastructure used to deliver update files. In response, Notepad++ released version 8.8.9 to strengthen update validation and migrated its services to a new hosting provider.
Open-source research has assessed with medium confidence that the Chinese state-sponsored threat group Lotus Blossom was responsible for the campaign. The activity reportedly focused on targets with an interest in East Asia and involved the deployment of a custom backdoor known as Chrysalis, alongside Metasploit modules and Cobalt Strike implants. Insikt Group is continuing to assess the campaign and, at the time of writing, has not confirmed the attribution to Lotus Blossom.
New Agenda Ransomware Campaign Expands WSL Abuse and Deploys Tools for Remote Access and Exfiltration
Source: Insikt Group | Validated Intelligence Event
IOC: Hash - ffd33236db262ae8503c6f73ace47cd33bb48915
IOC: Hash - 1f1ec799755dcd64baca5c4b963430732f44b1d1
On 29 January 2026, TrendAI Research reported new tactics, techniques, and procedures associated with a campaign by the Agenda ransomware group, which first emerged in July 2022 and rebranded as Qilin in September 2022. The researchers noted that during 2025 the group began deploying a Linux-based encryptor on Windows systems by abusing the Windows Subsystem for Linux (WSL), effectively bypassing some traditional Windows-focused security controls.
In the most recent campaign, the attackers automate the installation of WSL using a batch script, enabling them to prepare compromised Windows hosts for Linux ransomware execution and significantly broaden the range of systems they can target.
The campaign also makes use of tools such as s5cmd to exfiltrate data from Amazon S3 storage and Remotely to maintain persistent remote access to victim environments. To strengthen their operational security, the attackers randomise file extensions on LSASS memory dump files to disguise credential harvesting activity and remove MeshAgent components after use to minimise forensic artefacts. Together, these techniques indicate a shift towards more flexible and evasive ransomware operations that blend Windows and Linux tooling.
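A defender's view of the behaviours described in this item and in the shorter summary above (batch-driven WSL installation, LSASS access and dump files with arbitrary extensions, s5cmd transfers to S3), written as an added Python example that scans Sysmon-style events. It is not TrendAI's or Acumen's code. The event lines are constructed, the field names follow the common Sysmon schema (EventID 1 process creation, 10 process access, 11 file creation), and the thresholds, such as treating any PROCESS_VM_READ access to lsass.exe as suspicious, are assumptions to tune per environment.

```python
import json

# Constructed Sysmon-style events, one JSON object per line; every path,
# hostname and bucket name below is invented for this example.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\wsl.exe", "CommandLine": "wsl --install --no-distribution", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "cmd.exe /c C:\\Users\\Public\\setup_wsl.bat"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\wsl.exe", "CommandLine": "wsl --list --verbose", "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "explorer.exe"}
{"EventID": 10, "SourceImage": "C:\\Users\\Public\\tool.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 11, "Image": "C:\\Users\\Public\\tool.exe", "TargetFilename": "C:\\Users\\Public\\lsass.q7x3"}
{"EventID": 1, "Image": "C:\\Users\\Public\\s5cmd.exe", "CommandLine": "s5cmd.exe cp C:\\Share\\finance\\ s3://example-bucket/", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "cmd.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs", "ParentImage": "C:\\Windows\\System32\\services.exe", "ParentCommandLine": "services.exe"}
"""

PROCESS_VM_READ = 0x0010  # access right required to read another process's memory


def _basename(win_path):
    return win_path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a short finding for a suspicious event, or None."""
    eid = event.get("EventID")
    if eid == 1:
        image = _basename(event.get("Image", ""))
        cmd = event.get("CommandLine", "").lower()
        parent_cmd = event.get("ParentCommandLine", "").lower()
        wsl_setup = (image == "wsl.exe" and "--install" in cmd) or (
            image == "dism.exe" and "microsoft-windows-subsystem-linux" in cmd)
        if wsl_setup and parent_cmd.rstrip().endswith((".bat", ".cmd")):
            return "WSL installation launched from a batch script"
        if image == "s5cmd.exe" and "s3://" in cmd:
            return "s5cmd transfer to S3 (possible exfiltration)"
    elif eid == 10:
        access = int(event.get("GrantedAccess", "0x0"), 16)
        if _basename(event.get("TargetImage", "")) == "lsass.exe" and access & PROCESS_VM_READ:
            return "process opened LSASS with PROCESS_VM_READ"
    elif eid == 11:
        name = _basename(event.get("TargetFilename", ""))
        stem = name.rsplit(".", 1)[0]
        # The extension is deliberately ignored: the campaign randomises it,
        # so a rule keyed on ".dmp" would miss these files.
        if "lsass" in stem:
            return "file written with an LSASS-like name (extension ignored)"
    return None


def scan(text):
    """Parse newline-delimited JSON events and return [(line_no, finding), ...]."""
    findings = []
    lines = [line for line in text.splitlines() if line.strip()]
    for n, line in enumerate(lines, 1):
        finding = classify(json.loads(line))
        if finding:
            findings.append((n, finding))
    return findings


if __name__ == "__main__":
    for n, finding in scan(SAMPLE_EVENTS):
        print(f"line {n}: {finding}")
```

The process-access rule keys on the access mask rather than on a tool name, and the file rule keys on the name stem rather than the extension, because the report says the operators change exactly those surface features; expect legitimate backup, EDR and debugging tools to trip the LSASS rule and allowlist them by signed image path rather than loosening the condition.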
Remediation Actions
Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:
- CVE-2026-23988 (Rufus) – This vulnerability can be addressed by upgrading Rufus to version 4.12 BETA or later, which resolves the unsafe file-handling logic in the network module.
- CVE-2026-23760 (SmarterTools SmarterMail) – This vulnerability can be addressed by updating SmarterMail to Build 9511 or later, which fixes the account takeover and remote code execution flaw.
- CVE-2026-22709 (vm2) – This vulnerability can be addressed by patching vm2 to version 3.10.2, which corrects the sandbox escape issue caused by insufficient callback sanitisation.
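One way to turn the three thresholds above into a check against an asset inventory, as an added Python example (not Acumen's tooling): version strings in the different schemes the vendors use ("4.12 BETA", "Build 9511", "3.10.2") are reduced to tuples of integers and compared against the first fixed version from this digest. The inventory rows are constructed, and treating a BETA label as equal to the numbered release follows the digest's advice that 4.12 BETA resolves the Rufus issue.

```python
import re

# First fixed version per product, taken from the remediation list in this digest.
FIXED_IN = {
    "rufus": ("CVE-2026-23988", "4.12"),        # 4.12 BETA or later
    "smartermail": ("CVE-2026-23760", "9511"),  # Build 9511 or later
    "vm2": ("CVE-2026-22709", "3.10.2"),
}


def version_key(version):
    """Map '4.12 BETA', 'Build 9510' or 'v3.10.1' to a tuple of ints for comparison.
    Non-numeric labels are ignored (assumption: the vendors' labels do not reorder releases)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def lookup(product):
    """Return (cve, fixed_version) if the product is covered by this digest, else None."""
    key = product.strip().lower()
    for name, entry in FIXED_IN.items():
        if name in key:
            return entry
    return None


def is_unpatched(product, version):
    entry = lookup(product)
    return entry is not None and version_key(version) < version_key(entry[1])


def find_unpatched(inventory):
    """inventory: iterable of (host, product, version); returns [(host, product, cve), ...]."""
    return [
        (host, product, lookup(product)[0])
        for host, product, version in inventory
        if is_unpatched(product, version)
    ]


# Constructed inventory: hostnames and versions invented for this example.
SAMPLE_INVENTORY = [
    ("usb-ws-01", "Rufus", "4.11"),
    ("usb-ws-02", "Rufus", "4.12 BETA"),
    ("mail-01", "SmarterTools SmarterMail", "Build 9510"),
    ("ci-runner-01", "vm2", "3.10.2"),
    ("ci-runner-02", "vm2", "3.9.19"),
]


if __name__ == "__main__":
    for host, product, cve in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: {product} is affected by {cve}")
```

The comparison is deliberately lexicographic on integer components, so "3.9.19" sorts below "3.10.2" as intended; a plain string comparison would get that wrong.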
If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.