Executive Summary
Highlights of Cyber Threat Intelligence Digest
Vulnerabilities
Angular Patches XSS Vulnerability (CVE-2026-22610) - On 9 January 2026, the Angular maintainers released a patch addressing CVE-2026-22610, a high-severity cross-site scripting (XSS) vulnerability within the Angular framework. The issue affects core components such as the @angular/core and @angular/compiler packages, with vulnerable versions including all releases up to 18.2.14, as well as versions earlier than 19.2.18, 20.3.16, and 21.0.7. The vulnerability has been resolved in versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, and there is currently no indication that it has been actively exploited.
The vulnerability arises from inadequate sanitisation of SVG href and xlink:href attributes during Angular’s template compilation process. If exploited, this weakness could allow attackers to circumvent built-in security mechanisms and load unauthorised script resources, potentially exposing applications to malicious activity.
ServiceNow Patches CVE-2025-12420 in Now Assist AI Agents and Virtual Agent API - On 12 January 2026, ServiceNow announced the disclosure of CVE-2025-12420, a critical privilege escalation vulnerability impacting Now Assist AI Agents and the Virtual Agent API. The flaw affects Now Assist AI Agents versions 5.0.26 to 5.1.17, as well as Virtual Agent API versions earlier than 3.15.2 and 4.0.4. If exploited, the vulnerability would enable an unauthenticated attacker to impersonate legitimate users and carry out actions with equivalent privileges, potentially leading to a complete compromise of affected ServiceNow instances.
ServiceNow has addressed the issue by releasing updates for Now Assist AI Agents in versions 5.1.18, 5.2.19, and later, alongside fixes in the Virtual Agent API starting from versions 3.15.2 and 4.0.4. There is currently no evidence to suggest that this vulnerability is being actively exploited in real-world environments.
Appsmith Patches Critical Origin Validation Vulnerability (CVE-2026-22794) - On 12 January 2026, the Appsmith maintainers disclosed details of CVE-2026-22794, alongside a proof-of-concept exploit demonstrating the issue. This critical origin validation vulnerability affects Appsmith versions 1.92 and earlier, and arises from the application’s use of an unvalidated Origin request header when generating password reset and email verification links. An attacker could exploit this flaw to capture authentication tokens, potentially resulting in unauthorised access to user accounts.
The vulnerability has been resolved in Appsmith version 1.93, which introduces proper validation to prevent abuse of the Origin header. At the time of writing, there are no reports indicating that this issue has been actively exploited in real-world attacks.
Potential Threats
Magecart Web-Skimming Campaign Employs New Infrastructure to Steal Payment and Personal Data From Compromised E-Commerce Sites - On 13 January 2026, Silent Push reported the discovery of newly identified infrastructure linked to an ongoing Magecart web-skimming campaign that has been active since at least January 2022. The researchers identified cdn-cookie as the main delivery domain hosting obfuscated JavaScript skimmer code, with lasorie used as the data exfiltration endpoint. This campaign targets e-commerce websites and online shoppers, aiming to steal payment card details and personal information during the checkout process, including data associated with major payment networks such as American Express, Diners Club, Discover, JCB, Mastercard, and UnionPay.
The investigation revealed that compromised e-commerce sites load the malicious JavaScript as an external resource during checkout, as observed on one affected website where the skimmer is triggered when users reach the payment page. The obfuscated code masquerades as legitimate Facebook-related scripts and abuses WordPress script-loading mechanisms to execute within the customer’s browser. To maintain persistence and evade detection, the skimmer monitors changes to the page structure, delays execution until legitimate payment components are fully loaded, and then replaces the genuine payment form with a malicious imitation. Payment and personal data are captured in real time, encrypted and exfiltrated to the attacker-controlled server, after which the skimmer restores the original form and forces a checkout error to prompt victims to re-enter their details.
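A defender-side check for the behaviour described above, added here and not part of the Silent Push report: audit the script tags on a checkout page against an allowlist of first-party and known-vendor hosts, so a skimmer loaded as an extra external resource stands out. The page HTML and the first-party and skimmer hostnames are constructed; connect.facebook.net is the real Facebook Pixel host, used only as an allowlisted vendor.

```javascript
// Added example (not from the Silent Push report): flag external scripts on a checkout
// page that are not on the allowlist, and allowlisted cross-origin scripts that lack
// Subresource Integrity. All hosts other than connect.facebook.net are constructed.
const ALLOWED_SCRIPT_HOSTS = new Set([
  "shop.example.test", // first-party host (constructed)
  "connect.facebook.net", // legitimate Facebook Pixel host, kept as an allowed vendor
]);

// Minimal tag scan: returns { src, integrity } for every <script> opening tag.
function parseScriptTags(html) {
  const tags = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    tags.push({ src: src ? src[1] : null, integrity: /\bintegrity\s*=/i.test(attrs) });
  }
  return tags;
}

function auditCheckoutScripts(html, pageUrl) {
  const pageHost = new URL(pageUrl).hostname;
  const findings = [];
  for (const tag of parseScriptTags(html)) {
    if (!tag.src) continue; // inline scripts need CSP nonces/hashes, not a host check
    let host;
    try {
      host = new URL(tag.src, pageUrl).hostname; // resolves relative first-party paths
    } catch (e) {
      findings.push({ src: tag.src, reason: "unparseable src" });
      continue;
    }
    if (!ALLOWED_SCRIPT_HOSTS.has(host)) {
      findings.push({ src: tag.src, reason: `host ${host} not in allowlist` });
    } else if (host !== pageHost && !tag.integrity) {
      findings.push({ src: tag.src, reason: "cross-origin script without integrity attribute" });
    }
  }
  return findings;
}

// Constructed checkout page: a first-party script, a genuine vendor script, and a
// skimmer that borrows a Facebook-style filename and a WordPress-style path on a
// host that does not belong to the shop.
const CHECKOUT_HTML = `
<script src="/assets/checkout.js"></script>
<script async src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="https://cdn-skimmer.example.invalid/wp-content/plugins/fbevents.js"></script>
`;

function auditSample() {
  return auditCheckoutScripts(CHECKOUT_HTML, "https://shop.example.test/checkout/");
}
```

Run periodically against the rendered checkout page (not only the server template), since the skimmer described above is injected through the site's own script-loading mechanism.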
Threat Actors Abuse LinkedIn Comment Reply Function to Steal Credentials - On 13 January 2026, BleepingComputer reported that LinkedIn users were being targeted in a phishing campaign carried out by unknown threat actors using impersonated “reply” comments. These comments falsely claimed to be from LinkedIn and warned users about alleged policy violations or temporary account restrictions, urging them to follow an external link. The activity involved abuse of LinkedIn branding, the official lnkd.in URL shortener, and malicious domains used to redirect victims. LinkedIn confirmed that it was aware of the campaign and stated that action was being taken to address the issue.
The attackers posted automated-looking comments beneath users’ posts, designed to appear as legitimate LinkedIn notifications. Users who followed the embedded links were taken to a phishing page that prompted them to verify their identity. Selecting the verification option redirected victims to a secondary site where login credentials were harvested. In some instances, the attackers used shortened links to further disguise the malicious destination, increasing the likelihood that users would trust and interact with the content.
Threat Actors Conduct Phishing Campaign Impersonating Employee Performance Reports to Distribute Guloader and Deploy Remcos RAT - On 8 January 2026, the AhnLab Security Intelligence Center (ASEC) reported a phishing campaign that masqueraded as an employee performance report for October 2025. The message threatened potential dismissals in order to pressure recipients into opening an attached file. According to ASEC, the campaign ultimately delivered Guloader, which was used to install the Remcos Remote Access Trojan (RAT), a malicious tool capable of keystroke logging, taking screenshots, activating webcams and microphones, and harvesting browser history and stored credentials.
The attackers distributed a RAR archive containing a Windows executable named to resemble a PDF document. As Windows may hide file extensions by default, recipients could mistake the executable for a legitimate PDF and run it. Execution triggered Guloader, which downloaded and ran shellcode directly in memory from a cloud storage location. This shellcode then deployed Remcos RAT, which established communication with attacker-controlled command-and-control infrastructure over ports 2404 and 5000.
General News
More than 40 countries impacted by North Korea IT worker scams, crypto thefts - The United States has urged UN member states to take stronger action against North Korea’s evasion of sanctions through its IT worker scheme and cryptocurrency thefts. The call came during a UN session in New York, based on a 140-page report detailing Pyongyang’s cyber operations funding its nuclear and ballistic programmes. The report links North Korea’s IT worker scheme—where citizens steal identities to gain Western employment—with billion-dollar crypto heists. These efforts help fund the regime, facilitate weapons purchases, and bypass UN Security Council resolutions, affecting over 40 countries and generating more than $2 billion in stolen cryptocurrency last year.
U.S. officials criticised China and Russia for enabling these operations, noting that stolen funds are laundered through Chinese banks and infrastructure. Cryptocurrency has been used to purchase weapons and fuel, including armored vehicles and munitions. Around 2,000 North Korean IT workers operate across China, Russia, Laos, Cambodia, Equatorial Guinea, Guinea, Nigeria, and Tanzania. The schemes violate UN resolutions banning North Koreans from foreign employment and requiring their repatriation. Private sector witnesses highlighted fraudulent hiring and compromised systems, while tech firms suggested stricter checks, though North Korea’s use of AI complicates detection. North Korea condemned the U.S., accusing it of undermining the UN and violating international law.
Internet monitoring experts say Iran blackout likely to continue - Iran has extended its nationwide internet blackout into a fourth day, leaving its 90 million residents largely cut off following widespread protests that reportedly left dozens dead. The shutdown, which began on 8 January after demonstrations over economic issues spread across major cities and provinces, has seen authorities disable fixed-line internet, mobile data, and calls, while also targeting satellite-based communication tools such as Starlink. Monitors including Cloudflare, NetBlocks, and Kentik have confirmed that the blackout remains in effect, with plans reportedly underway to implement a whitelist of approved sites, suggesting the disruption could continue for several more days.
According to NetBlocks, this represents the fastest deployment of Iran’s internet “kill-switch” during protests to date, with few gaps allowing information to leave the country. Citizens have resorted to driving to border areas to pick up signals, while some Starlink terminals remain functional despite credible reports of jamming. The blackout has severely hindered reporting on the protests, with rights groups citing hundreds of deaths and thousands of arrests. Iranian officials, who retain internet access, have claimed the unrest is being fomented by the U.S. and Israel, while foreign minister Abbas Araqchi indicated that service will be restored “in coordination with security authorities.” Meanwhile, reports suggest the U.S. is considering responses, including potential cyber operations targeting Iran’s government.
Facebook login thieves now using browser-in-browser trick - On 12 January 2026, security researchers reported that cybercriminals are increasingly using a deceptive phishing method known as “browser‑in‑the‑browser” (BitB) to steal Facebook login credentials. In these attacks, victims visiting malicious or compromised websites are shown a pop‑up window that looks exactly like a legitimate browser login form, but is actually an HTML iframe built into the page itself. Because the fake login window can mimic the appearance of a real browser, complete with a convincing URL and design, many users are tricked into entering their Facebook username and password. Attackers often lure users to these pages with emails impersonating law firms, copyright notices, or security warnings about unauthorised logins, and sometimes use URL shorteners and fake CAPTCHA screens to make the scam appear more credible. Researchers say the stolen accounts are then used to spread further scams, harvest personal data, or commit identity fraud.
This BitB technique represents a significant escalation in phishing tactics because the fake login prompt appears within the victim’s current browser tab rather than in a separate window, making it much harder for users to spot something amiss. Threat actors are also hosting phishing pages on trusted cloud platforms to evade detection and increase perceived authenticity. To protect against these scams, experts recommend always navigating to a service’s official website in a fresh browser tab rather than following links in emails, scrutinising login prompts to see if the window behaves like a real browser, and enabling two‑factor authentication on accounts to reduce the risk of compromise even if credentials are inadvertently submitted.
Threat Actor Weekly Graph
Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.
Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.
Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.
Both intent and opportunity are scored out of 100 and are responsible for scoring the group's severity. These updates can be seen below.
Severity key: ● Limited | ● Basic | ● Moderate | ● High

| Threat Actor | Severity Increase | Opportunity | Intent |
|---|---|---|---|
| BlueBravo | NEW → ● High | NEW → ● 81 | NEW → ● 50 |
| RedGolf | NEW → ● High | NEW → ● 83 | NEW → ● 25 |
| UNC6395 | NEW → ● Moderate | NEW → ● 40 | NEW → ● 50 |
| ghost_rider | NEW → ● Moderate | NEW → ● 35 | NEW → ● 30 |
| 404ads | NEW → ● Moderate | NEW → ● 35 | NEW → ● 50 |
Global Trends Powered by Recorded Future
Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol.
The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.
▲ Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
▲ Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.
| Attackers | Methods | Vulnerabilities | Targets |
|---|---|---|---|
| Lynx Ransomware Group ▲ | PLUGGYAPE ▲ | CVE-2026-20805 ▲ | US Government ▲ |
| Void Blizzard ▲ | Pegasus ▲ | CVE-2025-8110 ▲ | Endesa ▲ |
| Whistleblower ▲ | TA0009 (Collection) ▲ | CVE-2025-14847 (MongoBleed) ▲ | BreachForums ▲ |
| Kazu ▲ | Sinobi ▲ | CVE-2020-1472 (Zerologon) ▲ | Betterment Holdings, Inc. ▲ |
| Laundry Bear ▲ | NetExec ▲ | CVE-2025-33073 ▲ | Antwerp ▲ |
Prominent Information Security Events
Threat Actors Conduct Phishing Campaign Impersonating Employee Performance Reports to Distribute Guloader and Deploy Remcos RAT
Source: Insikt Group | Validated Intelligence Event
IOC: IP - 196[.]251[.]116[.]219
IOC: Hash - c95f2a7556902302f352c97b7eed4159
On 8 January 2026, the AhnLab Security Intelligence Center (ASEC) reported a sophisticated phishing campaign targeting employees by impersonating an internal performance report for October 2025. The emails warned recipients of potential dismissals, creating urgency and prompting them to open the attached file. According to ASEC, the campaign ultimately delivered Guloader, a malware loader, which then installed the Remcos Remote Access Trojan (RAT). Remcos is a highly capable remote access tool that enables attackers to log keystrokes, capture screenshots, take control of webcams and microphones, and access browser history and saved credentials, giving them extensive visibility into the victim’s system.
The malicious campaign relied on a deceptive file delivery method. Attackers sent a RAR archive containing a Windows executable named staff record pdf.exe. By exploiting Windows’ default behaviour of hiding file extensions, the executable appeared to be a harmless PDF document, increasing the likelihood that recipients would run it. Once executed, the file launched Guloader, which then downloaded and ran shellcode in memory directly from a Google Drive URL. This approach allows the malware to operate without leaving traditional files on disk, making detection by standard antivirus solutions more difficult.
After executing the shellcode, the system became infected with Remcos RAT, which immediately connected to its command-and-control (C2) infrastructure at 196[.]251[.]116[.]219 over ports 2404 and 5000. Through this connection, the attackers could remotely control the compromised machines, exfiltrate sensitive data, and maintain persistent access. The campaign illustrates a coordinated use of social engineering, file masquerading, and memory-resident malware to bypass security measures and target corporate environments, highlighting the need for employees to be vigilant about unexpected email attachments and for organisations to implement layered security protections.
Threat Actors Abuse LinkedIn Comment Reply Function to Steal Credentials in New Phishing Campaign
Source: Insikt Group | Validated Intelligence Event
IOC: Domain - very128918[.]site
IOC: URL - http[:]//lnkd[.]in/ev7Za98i
On 13 January 2026, BleepingComputer reported a new phishing campaign targeting LinkedIn users, in which unknown threat actors used impersonated “reply” comments to steal login credentials. The attackers exploited LinkedIn’s branding to make their messages appear legitimate, while also abusing the official lnkd.in URL shortener and routing victims through malicious domains such as very1929412.netlify[.]app and very128918[.]site. LinkedIn confirmed that it is aware of the activity and is taking steps to address the issue.
The phishing scheme involved posting automated, bot-like comments on users’ LinkedIn posts. These comments falsely claimed to be from LinkedIn’s policy enforcement team, warning users of supposed account violations or temporary restrictions and urging them to click an external link. Users who followed the link were taken to a phishing page hosted on very1929412.netlify[.]app, which prompted them to “verify their identity.” Clicking the verification button then redirected victims to a second malicious domain, very128918[.]site, where their login credentials were harvested.
In some cases, the threat actors leveraged LinkedIn’s official URL shortener to make the phishing links appear more trustworthy. This two-step process allowed attackers to bypass simple security checks and increase the likelihood that users would enter their credentials. The campaign demonstrates how threat actors are increasingly using familiar platforms and branded content to trick users, highlighting the importance of verifying URLs carefully and exercising caution when prompted to submit login information, even on trusted sites.
Remediation Actions
Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:
- CVE-2026-22610 (Angular XSS Vulnerability) – This vulnerability can be addressed by upgrading Angular to patched versions 19.2.18, 20.3.16, 21.0.7 or 21.1.0-rc.0.
- CVE-2025-12420 (ServiceNow Now Assist AI Agents/Virtual Agent API) – This vulnerability can be addressed by updating Now Assist AI Agents to versions 5.1.18 or 5.2.19 and later, alongside fixes in the Virtual Agent API from versions 3.15.2 and 4.0.4.
- CVE-2026-22794 (Appsmith) – This vulnerability can be addressed by upgrading Appsmith to version 1.93 or later, which introduces proper validation to prevent abuse of the Origin header.
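To triage an inventory against the three items above, the following added script (not vendor code) encodes the affected ranges exactly as this digest states them and reports whether an installed version falls inside one. The Now Assist range 5.2.0 to 5.2.18 is an assumption inferred from the fix landing in 5.2.19; the inventory values are constructed.

```javascript
// Added example (not vendor code): version triage for the CVEs in this digest.
// Each range is [from, to): a version is affected when from <= version < to, where
// "to" is the first patched release in that line.
const AFFECTED = {
  "CVE-2026-22610 @angular/core": [["0.0.0", "19.2.18"], ["20.0.0", "20.3.16"], ["21.0.0", "21.0.7"]],
  // 5.2.0-5.2.18 is an assumption inferred from the fix in 5.2.19.
  "CVE-2025-12420 Now Assist AI Agents": [["5.0.26", "5.1.18"], ["5.2.0", "5.2.19"]],
  "CVE-2025-12420 Virtual Agent API": [["0.0.0", "3.15.2"], ["4.0.0", "4.0.4"]],
  "CVE-2026-22794 Appsmith": [["0.0.0", "1.93.0"]],
};

// "v21.1.0-rc.0" -> [21, 1, 0, "rc.0"]; a missing minor or patch defaults to 0.
function parseVersion(s) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-([0-9A-Za-z.-]+))?/.exec(s.trim());
  if (!m) throw new Error(`unparseable version: ${s}`);
  return [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0), m[4] || null];
}

// Numeric major.minor.patch comparison; a pre-release sorts before its final
// release (21.0.7-rc.1 < 21.0.7), so a release candidate of a fix is still flagged.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  if (pa[3] === pb[3]) return 0;
  if (pa[3] === null) return 1;
  if (pb[3] === null) return -1;
  return pa[3] < pb[3] ? -1 : 1;
}

function isAffected(product, version) {
  const ranges = AFFECTED[product];
  if (!ranges) throw new Error(`unknown product: ${product}`);
  return ranges.some(
    ([from, to]) => compareVersions(version, from) >= 0 && compareVersions(version, to) < 0
  );
}

// Constructed inventory of [product, installed version] pairs.
const INVENTORY = [
  ["CVE-2026-22610 @angular/core", "18.2.14"],
  ["CVE-2025-12420 Now Assist AI Agents", "5.1.17"],
  ["CVE-2026-22794 Appsmith", "v1.93"],
];

function triage(inventory) {
  return inventory.map(([product, version]) => ({ product, version, affected: isAffected(product, version) }));
}
```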
If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.