Executive Summary
Highlights of Cyber Threat Intelligence Digest
Vulnerabilities
Alleged Exploit and PoC for Actively Exploited High-Severity Path Traversal Affecting Gogs (CVE-2025-8110) - On 12 December 2025, a GitHub user shared an alleged proof-of-concept exploit for CVE-2025-8110, a high-severity path traversal vulnerability affecting Gogs versions 0.13.3 and earlier. Gogs opened a pull request to address the issue on 5 January 2026, and on 12 January 2026 CISA added CVE-2025-8110 to its Known Exploited Vulnerabilities catalogue; however, no formal release or updated stable version had been issued at the time of writing.
The vulnerability exists in the PutContents API file write logic, which improperly handles symbolic links and allows path traversal. An authenticated, low-privileged user with network access to a vulnerable Gogs instance could exploit the API without user interaction to write arbitrary files on the host system, potentially leading to local code execution.
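The check that a file-write API of this kind needs is shown below as an added Go example (Gogs is written in Go). It is not Gogs's code and does not reproduce its PutContents handler; the function names `resolveInside` and `putContents` are hypothetical. It rejects lexical traversal (`../`), then resolves symlinks on every existing ancestor of the destination before comparing against the repository root, so a symlink committed into the repository cannot redirect the write outside it, which a prefix check on the unresolved path would miss. The `main` builds a throwaway repository with such a symlink to demonstrate the three outcomes.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRepo is returned when a requested write path, after cleaning and
// symlink resolution, would not stay inside the repository root.
var ErrOutsideRepo = errors.New("path escapes repository root")

// resolveInside maps a user-supplied repository-relative path to an absolute
// on-disk path, rejecting it unless the final location is inside root.
// Unlike a purely lexical check, it follows symlinks on every existing
// ancestor, so a symlink inside the repository cannot redirect the write.
func resolveInside(root, relPath string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// The root itself may be reached through a symlink (e.g. /tmp on macOS);
	// canonicalise it so the prefix comparison below is meaningful.
	absRoot, err = filepath.EvalSymlinks(absRoot)
	if err != nil {
		return "", err
	}

	// Cheap lexical rejects first: empty and absolute paths, and "../" climbs.
	if relPath == "" || filepath.IsAbs(relPath) {
		return "", ErrOutsideRepo
	}
	clean := filepath.Clean(relPath)
	if clean == "." || clean == ".." || strings.HasPrefix(clean, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRepo
	}
	candidate := filepath.Join(absRoot, clean)

	// The target may not exist yet (this is a write), so walk up to the deepest
	// ancestor that does exist, resolve symlinks there, and re-attach the rest.
	existing, rest := candidate, ""
	for {
		if _, err := os.Lstat(existing); err == nil {
			break
		}
		rest = filepath.Join(filepath.Base(existing), rest)
		existing = filepath.Dir(existing)
	}
	resolvedExisting, err := filepath.EvalSymlinks(existing)
	if err != nil {
		// Dangling symlink or unreadable component: refuse rather than guess.
		return "", err
	}
	resolved := filepath.Join(resolvedExisting, rest)

	// The real destination must be strictly below the canonical root.
	if !strings.HasPrefix(resolved, absRoot+string(filepath.Separator)) {
		return "", ErrOutsideRepo
	}
	return resolved, nil
}

// putContents writes data to relPath beneath root only after resolveInside
// has confirmed that the real destination is inside the repository.
func putContents(root, relPath string, data []byte) error {
	dst, err := resolveInside(root, relPath)
	if err != nil {
		return err
	}
	if err := os.MkdirAll(filepath.Dir(dst), 0o755); err != nil {
		return err
	}
	return os.WriteFile(dst, data, 0o644)
}

func main() {
	// Constructed demo: a throwaway repository containing a symlink ("escape")
	// that points outside it.
	root, _ := os.MkdirTemp("", "repo")
	defer os.RemoveAll(root)
	outside, _ := os.MkdirTemp("", "outside")
	defer os.RemoveAll(outside)
	_ = os.Symlink(outside, filepath.Join(root, "escape"))

	for _, p := range []string{"README.md", "../../etc/hooks", "escape/post-receive"} {
		_, err := resolveInside(root, p)
		fmt.Printf("%-22s -> %v\n", p, err)
	}
}
```

The walk-up loop matters because the file being created usually does not exist yet, so `filepath.EvalSymlinks` on the full path would simply fail; resolving the nearest existing ancestor and re-appending the new components is what lets the containment check see where the write would really land.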
Alleged PoC for Actively Exploited Vulnerability Affecting Desktop Window Manager (CVE-2026-20805) - On 13 January 2026, the US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-20805 to its Known Exploited Vulnerabilities catalogue, and an alleged proof-of-concept exploit was shared publicly the following day. CVE-2026-20805 is a medium-severity information disclosure vulnerability affecting Desktop Window Manager (DWM) across multiple supported versions of Windows, including Windows 10, Windows 11, and several Windows Server releases. Microsoft addressed the issue as part of its January 2026 Patch Tuesday updates.
The vulnerability is caused by improper handling of sensitive data within Desktop Window Manager, allowing local information disclosure. An authenticated attacker with the ability to run code locally on an affected system could exploit the flaw to access sensitive information.
Fortinet Patches Critical FortiSIEM Vulnerability (CVE-2025-64155) - On 13 January 2026, Fortinet patched CVE-2025-64155, a critical-severity operating system command injection vulnerability affecting Fortinet FortiSIEM versions 7.4 and earlier. The issue is caused by improper input validation within an unauthenticated API endpoint exposed by the FortiSIEM phMonitor service. If exploited, a threat actor could execute arbitrary commands or code through specially crafted TCP requests.
The vulnerability has been resolved in FortiSIEM versions 7.1.9 and later, 7.2.7 and later, 7.3.5 and later, and 7.4.1 and later. At the time of writing, there are no reports of active exploitation.
Potential Threats
KongTuke Delivers ModeloRAT via Browser Extensions in CrashFix Campaign - Since at least January 2026, Huntress has observed a browser-based phishing campaign attributed to the threat actor known as “KongTuke”. The activity involves a malicious Chrome extension that deliberately crashes victims’ browsers and displays a fake security warning branded as CrashFix. According to a Huntress report published on 16 January 2026, the campaign coerces users into running a pre-copied PowerShell command via the Windows Run dialog, initiating a multi-stage infection chain that can deploy the ModeloRAT backdoor on domain-joined systems.
The infection begins when users searching for an ad blocker install NexShield, a malicious Chrome extension masquerading as a legitimate tool. The extension destabilises the browser to trigger crashes, then presents a fraudulent repair prompt instructing users to run a command controlled by the attacker. This command retrieves and executes obfuscated PowerShell payloads, performs system and environment checks, and, on domain-joined systems, installs ModeloRAT, a Python-based remote access tool that establishes persistence and communicates with attacker-controlled infrastructure.
Threat Actors Deploy Evelyn Stealer Malware via Trojanised Visual Studio Code Extensions - On 19 January 2026, Trend Micro reported that unidentified threat actors are targeting software developers through malicious Visual Studio Code extensions to deliver the Evelyn Stealer information-stealing malware. The activity builds on earlier findings from December 2025, which identified the abuse of development tooling as an initial access vector.
The infection chain begins when a developer installs a malicious extension, which drops a trojanised Lightshot.dll that is sideloaded by the legitimate Lightshot.exe. This DLL launches a hidden PowerShell command to download a second-stage payload, runtime.exe, which injects the Evelyn Stealer malware into a legitimate Windows process. Once active, the malware harvests credentials, browser data, system information, and cryptocurrency wallets, then packages and exfiltrates the collected data to attacker-controlled infrastructure.
Threat Actors Launch Shipping-Themed Phishing Campaign Delivering Fileless Remcos RAT - On 14 January 2026, FortiGuard Labs reported a high-severity phishing campaign targeting Microsoft Windows users that delivered a fileless Remcos remote access trojan (RAT), enabling full remote control of affected systems. The campaign exploited CVE-2017-11882, a remote code execution vulnerability in Microsoft’s legacy Equation Editor component, which allows attacker-supplied code to run when Microsoft Word processes a crafted equation object in an RTF file.
The campaign used phishing emails impersonating a Vietnamese shipping company to lure recipients into opening a malicious Word document. The file retrieved a remote RTF template and exploited CVE-2017-11882 to execute shellcode, which launched obfuscated scripts and PowerShell to load a hidden .NET module directly into memory. This module established persistence, injected the Remcos payload into a legitimate process, and enabled command-and-control communications to support remote access and surveillance activities.
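The two document features that make this chain detectable before any code runs are the external template reference in the Word file and the Equation Editor OLE object in the RTF it fetches. The Go example below, added here and not taken from the FortiGuard report or the campaign's samples, inspects both: `scanSettingsRels` reads the contents of a .docx `word/_rels/settings.xml.rels` part and reports attached templates with `TargetMode="External"`, and `scanRTF` lists `\objclass` values in an RTF body, flagging Equation Editor classes and the `\objupdate` control word that makes Word activate the object on open. The sample relationships XML and RTF are constructed for the demonstration; the `.invalid` hostname is a placeholder.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"regexp"
	"strings"
)

// Indicator is one suspicious feature found while inspecting a document part.
type Indicator struct {
	Kind   string // remote-template, equation-editor-object, ole-object, auto-update-object
	Detail string // the value that triggered it
}

// relationships covers the subset of the OOXML package-relationships schema
// needed to read word/_rels/settings.xml.rels from a .docx.
type relationships struct {
	Rels []struct {
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// Relationship type Word uses for an attached template.
const attachedTemplateRel = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

// scanSettingsRels reports attached templates whose Target is external, which
// Word fetches over the network when the document is opened.
func scanSettingsRels(relsXML []byte) ([]Indicator, error) {
	var rels relationships
	if err := xml.Unmarshal(relsXML, &rels); err != nil {
		return nil, err
	}
	var out []Indicator
	for _, r := range rels.Rels {
		if r.Type == attachedTemplateRel && strings.EqualFold(r.TargetMode, "External") {
			out = append(out, Indicator{"remote-template", r.Target})
		}
	}
	return out, nil
}

var (
	objClassRe  = regexp.MustCompile(`\\objclass\s+([A-Za-z0-9_.]+)`)
	objUpdateRe = regexp.MustCompile(`\\objupdate\b`)
)

// scanRTF lists embedded OLE object classes in an RTF body. Equation Editor
// classes are the component CVE-2017-11882 lives in, and \objupdate asks Word
// to activate the object without the user double-clicking it.
func scanRTF(rtf []byte) []Indicator {
	var out []Indicator
	for _, m := range objClassRe.FindAllSubmatch(rtf, -1) {
		class := string(m[1])
		kind := "ole-object"
		if strings.HasPrefix(strings.ToLower(class), "equation") {
			kind = "equation-editor-object"
		}
		out = append(out, Indicator{kind, class})
	}
	if objUpdateRe.Match(rtf) {
		out = append(out, Indicator{"auto-update-object", `\objupdate`})
	}
	return out
}

// Constructed samples (not from the campaign): a minimal settings.xml.rels
// with an external template, and a minimal RTF carrying an Equation.3 object.
const sampleRels = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="http://template.example.invalid/shipping-notice.rtf" TargetMode="External"/>
</Relationships>`

const sampleRTF = `{\rtf1\ansi{\object\objemb\objupdate{\*\objclass Equation.3}{\*\objdata 0105000002000000}}}`

func main() {
	rels, err := scanSettingsRels([]byte(sampleRels))
	if err != nil {
		fmt.Println("rels parse error:", err)
		return
	}
	for _, i := range append(rels, scanRTF([]byte(sampleRTF))...) {
		fmt.Printf("%-24s %s\n", i.Kind, i.Detail)
	}
}
```

In a mail-gateway or sandbox pipeline, the .docx part would be pulled from the zip container with `archive/zip` and the RTF would be whatever the template URL returns; a remote template alone is a legitimate (if uncommon) feature, so the strongest signal is the combination of an external template with an Equation Editor object in the fetched content.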
General News
UK Government Warns of Ongoing Russian Hacktivist Activity - On 19 January 2026, the UK government warned that Russian‑aligned hacktivist groups are continuing disruptive denial‑of‑service (DDoS) attacks against critical infrastructure and local government organisations in the country. The National Cyber Security Centre (NCSC) said these attacks aim to take websites offline and disable services, and while they lack technical sophistication, they can still cause significant operational and financial impact.
The advisory specifically highlighted the pro‑Russian group NoName057(16), active since March 2022, which uses a crowdsourced platform to conduct DDoS campaigns. Although a mid‑2025 law‑enforcement operation disrupted some of its activity, the group has resumed operations with its core operators believed to be outside the reach of authorities. NCSC urged organisations, particularly local authorities and critical infrastructure operators, to review and strengthen their defences against DDoS attacks.
EU plans cybersecurity overhaul to block foreign high-risk suppliers - The European Commission has introduced a major cybersecurity legislative overhaul aimed at strengthening the protection of the bloc’s critical infrastructure by targeting so‑called “high‑risk” foreign suppliers. The proposal would give the EU authority to mandate the removal of such suppliers—particularly in telecommunications networks—and conduct EU‑wide risk assessments across 18 critical sectors, addressing concerns about reliance on non‑EU technology providers. This initiative builds on earlier voluntary measures like the EU’s 5G Security Toolbox but would make restrictions and potential bans compulsory rather than optional for member states.
In addition to supply‑chain measures, the revised Cybersecurity Act included in the package is designed to streamline certification procedures, bolster the role of the EU Agency for Cybersecurity (ENISA) with capabilities such as early threat alerts and incident reporting, and support coordinated responses to cyber threats alongside Europol and national teams. The legislation is framed as a step towards enhancing the EU’s technological sovereignty and defending against sophisticated state‑backed and criminal cyber attacks, though it does not explicitly name specific companies in its text.
Leader and Members of BlackBasta Ransomware Group Identified by German-Ukrainian Investigation - On 15 January 2026, Germany’s Public Prosecutor’s Office and Federal Criminal Police issued an arrest warrant for Russian national Oleg Evgenievich Nefedov, accused of founding and leading the BlackBasta Ransomware Group. Authorities also linked him to prior activity with the Conti Ransomware Group. Between March 2022 and February 2025, BlackBasta reportedly targeted over 100 German entities and around 600 organisations worldwide, seizing hundreds of millions of euros, including more than €20 million from German victims. Nefedov is listed on Europol’s Most Wanted and Interpol’s Red Notice.
In coordination with German authorities, the Ukrainian Cyber Police searched residences and seized evidence linked to two other suspected BlackBasta members. Investigators indicated the suspects acted as “hash crackers,” facilitating credential theft and lateral movement before ransomware deployment. The operation was supported by authorities from the Netherlands, Switzerland, and the United Kingdom.
Threat Actor Weekly Graph
Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.
Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.
Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.
Both intent and opportunity are scored out of 100 and are responsible for scoring the group's severity. These updates can be seen below.
Severity legend: ● Limited Severity | ● Basic Severity | ● Moderate Severity | ● High Severity

| Threat Actor | Severity (previous → current) | Opportunity (previous → current) | Intent (previous → current) |
|---|---|---|---|
| Chinese Hackers | ● Moderate → ● Moderate | ● 49 → ● 49 | ● 51 → ● 50 |
| orpheus | NEW → ● Basic | NEW → ● 30 | NEW → ● 25 |
| Wanderer | NEW → ● Basic | NEW → ● 30 | NEW → ● 25 |
| Obscura | ● Basic → ● Basic | ● 25 → ● 25 | ● 40 → ● 30 |
| RATNICK | ● Basic → ● Basic | ● 35 → ● 35 | ● 35 → ● 30 |
Global Trends Powered by Recorded Future
Within each category, we have provided the current top five globally trending items. Each item is marked with a small symbol indicating how actively it is trending.
The spikes in references are calculated over 60 days and are normalised so that they are not disproportionate when compared with bigger entities that naturally have more baseline mentions.
▲ Spike – A large increase in reporting volume with high diversity in the event descriptions.
▲ Rise – A small increase in reporting volume with little diversity in the descriptions.
| Attackers | Trend | Methods | Trend | Vulnerabilities | Trend | Targets | Trend |
|---|---|---|---|---|---|---|---|
| Russian Armed Forces | ▲ | PDFSIDER | ▲ | CVE-2026-20919 | ▲ | Iran | ▲ |
| Martha Root | ▲ | EVEREST | ▲ | CVE-2026-20805 | ▲ | Television | ▲ |
| PalachPro | ▲ | DOS | ▲ | CVE-2022-0847 | ▲ | Ingram Micro | ▲ |
| BlueDelta | ▲ | REMCOS RAT | ▲ | CVE-2025-8110 | ▲ | Icloud | ▲ |
| The Gentleman Ransomware Group | ▲ | T1204.022 | ▲ | CVE-2025-43300 | ▲ | Hospitality | ▲ |
Prominent Information Security Events
KongTuke Delivers ModeloRAT via Malicious Browser Extension in CrashFix Campaign
Source: Insikt Group | Validated Intelligence Event
IOC: IP - 199[.]217[.]98[.]108
IOC: Hash - c46af9ae6ab0e7567573dbc950a8ffbe30ea848fac90cd15860045fe7640199c
Since at least January 2026, Huntress has observed a targeted browser-based phishing campaign conducted by the threat actor “KongTuke”, which leverages a malicious Chrome extension to crash victims’ browsers and display a fake security alert known as CrashFix. According to a 16 January 2026 report, the campaign coerces users into running a pre-copied PowerShell command via the Windows Run dialogue, triggering a multistage infection chain that delivers the ModeloRAT backdoor to domain-joined systems.
The attack begins when users searching for an ad blocker install NexShield, a malicious Chrome extension disguised as a legitimate ad-blocking tool. Upon installation, the extension generates a unique identifier, communicates with attacker-controlled infrastructure, and uses scheduled timers to delay malicious activity. NexShield destabilises the browser by creating excessive runtime connections, causing crashes, and then presents a fraudulent CrashFix pop-up claiming the browser needs manual repair. The pop-up restricts user interaction and disables developer shortcuts to hinder inspection, while recurring timers allow the crash-and-alert cycle to repeat if the extension remains installed.
When users follow the instructions in the fake alert, the clipboard-provided command executes a multistage infection chain that abuses built-in Windows utilities to download and run obfuscated PowerShell content. The payload performs environment checks, including analysis tool and virtualisation detection, and determines whether the system is domain-joined. Domain-joined systems receive a Python-based payload that installs ModeloRAT, establishes registry persistence, and communicates with attacker infrastructure via encrypted traffic. Non-domain systems follow an alternate execution path with additional obfuscation. The campaign combines social engineering, deceptive browser behaviour, and multistage malware delivery to compromise systems while evading standard detection measures.
Threat Actors Deploy Evelyn Stealer Malware via Trojanised Visual Studio Code Extensions
Source: Insikt Group | Validated Intelligence Event
IOC: Hash - 369479bd9a248c9448705c222d81ff1a0143343a138fc38fc0ea00f54fcc1598
IOC: URL - sever09[.]mentality[.]cloud
On 19 January 2026, Trend Micro reported that unidentified threat actors are targeting software developers through malicious Visual Studio Code extensions to deliver the Evelyn Stealer information‑stealing malware. The activity builds on earlier findings from December 2025, which highlighted the abuse of developer tooling as an initial access vector, demonstrating a continued focus on compromising development environments.
The infection chain begins when a developer installs a malicious Visual Studio Code extension, which drops a trojanised Lightshot.dll that is sideloaded by the legitimate Lightshot.exe process. Once loaded, the DLL executes a hidden PowerShell command to download a second‑stage payload, runtime.exe. This payload acts as a process hollowing injector, decrypting the embedded Evelyn Stealer malware and injecting it into a suspended instance of a legitimate Windows process, allowing it to run covertly.
After execution, Evelyn Stealer loads additional browser injection components and launches browser processes with stealth configurations designed to evade security controls. The malware harvests credentials, browser session data, system details, screenshots, clipboard contents, and cryptocurrency wallet information. Collected data is staged locally, packaged with victim metadata, and exfiltrated to attacker‑controlled infrastructure, highlighting the risk posed to developers and organisations that rely on compromised development tools.
Remediation Actions
Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:
- CVE-2025-8110 (Gogs Path Traversal) – This vulnerability can be addressed by applying the forthcoming Gogs patch once formally released.
- CVE-2026-20805 (Desktop Window Manager Information Disclosure) – This vulnerability can be addressed by applying Microsoft's January 2026 security updates.
- CVE-2025-64155 (FortiSIEM) – This vulnerability can be addressed by updating FortiSIEM to a fixed release for the branch in use: 7.1.9, 7.2.7, 7.3.5 or 7.4.1 or later.
If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.