Cyber Threat Intelligence Digest: Week 4

28th January 2026 - Threat Reports
  • Vulnerabilities
  • Potential Threats
  • General News
  • Threat Actor Weekly Graph
  • Global Trends Powered by Recorded Future
  • Prominent Information Security Events
  • Remediation Actions

Executive Summary -
Highlights of Cyber Threat Intelligence Digest

Vulnerabilities

Patchstack Disclosed CVE-2025-67968 Vulnerability in RealHomes CRM Plugin - On 22 January 2026, Patchstack revealed details of CVE-2025-67968, a critical arbitrary file upload vulnerability affecting the RealHomes CRM Plugin (versions 1.0.0 and earlier). RealHomes is a WordPress theme designed for real estate websites, with over 30,000 active installations. The issue arises from insufficient permission checks and a lack of file type validation within the plugin’s upload_csv_file function.

Exploitation of this flaw could allow attackers to upload and execute arbitrary files on the server, posing a serious security risk. The plugin’s developers addressed the vulnerability in version 1.0.1, which introduced the necessary checks to prevent unauthorised file uploads.

Alleged PoC for Critical Improper Access Control Vulnerability Affecting Oracle HTTP Server and Oracle WebLogic Server Proxy Plug-in (CVE-2026-21962) - On 22 January 2026, security researcher Ashwesker shared a proof‑of‑concept exploit for CVE‑2026‑21962, a critical improper access control vulnerability in Oracle Fusion Middleware. It affects Oracle HTTP Server and the WebLogic Server Proxy Plug‑in in versions 12.2.1.4.0, 14.1.1.0.0, and 14.1.2.0.0, as well as the WebLogic Server Proxy Plug‑in for IIS in 12.2.1.4.0. Oracle HTTP Server is an enterprise web server based on Apache, serving web content and acting as a front end for Fusion Middleware, while the WebLogic Proxy Plug‑in forwards HTTP(S) requests to WebLogic Server instances, providing load balancing and secure reverse‑proxy functionality. Oracle issued a public advisory in January 2026 listing affected CVEs and patches, including CVE‑2026‑21962.

The flaw comes from improper access control in the proxy components that process HTTP requests. An unauthenticated attacker with network access could exploit it to compromise Oracle HTTP Server and its proxy plug‑ins. Exploitation may let a remote actor create, delete, or modify critical data and gain full read access to all data.

State-Sponsored and Financially Motivated Threat Actors Exploit Path Traversal Vulnerability (CVE-2025-8088) Affecting WinRAR - On 28 January 2026, Google Threat Intelligence Group (GTIG) reported that Russian state-sponsored actors, including UNC4895, APT44, TEMP.Armageddon, and Turla, alongside China-linked and financially motivated groups, were exploiting CVE-2025-8088, a critical path traversal vulnerability in WinRAR versions up to and including 7.12. A crafted RAR archive combines NTFS Alternate Data Streams with directory traversal sequences so that extraction writes files to arbitrary locations, most often the Windows Startup folder, for persistence and staging of secondary payloads. WinRAR 7.13 patched the flaw, but a threat actor called zeroplayer had advertised an exploit in July 2025, which spread its use across these groups.

GTIG observed several campaigns: UNC4895 used spearphishing with decoy documents and “NESTPACKER” malware; APT44 distributed decoys with malicious LNK files; TEMP.Armageddon dropped HTA downloaders into Startup folders; Turla deployed “STOCKSTAY” malware via military-themed documents; a China-linked actor dropped BAT files to deliver “POISONIVY”; and financially motivated groups targeted LATAM hospitality and Indonesian organisations with phishing, RATs like XWorm and AsyncRAT, and malicious Chrome extensions injecting JavaScript into Brazilian banking sites.
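The common element in every campaign above is an archive whose entry names escape the extraction directory, either with plain `..` segments or with an Alternate Data Stream whose stream name carries the traversal. The following checker is an added example for this digest, not code from GTIG or from WinRAR; it flags such entry names in a constructed archive listing (a real listing would come from a tool such as `rarfile.RarFile(path).namelist()`, which is assumed here rather than shown) and highlights entries that would land in a Startup folder.

```python
"""Flag archive entry names that abuse path traversal or NTFS alternate data
streams (ADS) to drop files outside the extraction directory, e.g. into the
Windows Startup folder as described for CVE-2025-8088."""
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Path fragment that identifies the per-user or all-users Startup folder.
STARTUP_MARKER = ntpath.join("start menu", "programs", "startup")

# Constructed archive listing for this example (not from any observed sample).
SAMPLE_ENTRIES = [
    "report.pdf",
    "images/logo.png",
    "../../../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.lnk",
    "notes.txt:..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\run.hta",
    "C:\\Users\\Public\\payload.bat",
]


def split_ads(name: str) -> Tuple[str, Optional[str]]:
    """Split 'file:stream' into (file, stream). A colon at index 1 after a
    letter is a drive specifier, not an ADS, so the search starts after it."""
    start = 2 if re.match(r"^[A-Za-z]:", name) else 0
    idx = name.find(":", start)
    if idx == -1:
        return name, None
    return name[:idx], name[idx + 1:]


def analyse_entry(name: str) -> List[str]:
    """Return the reasons an entry name is unsafe (empty list if clean)."""
    reasons: List[str] = []
    base, stream = split_ads(name)
    if stream is not None:
        reasons.append("ads")        # alternate data stream in the entry name
    paths = [base] + ([stream] if stream is not None else [])
    if any(".." in re.split(r"[\\/]", p) for p in paths):
        reasons.append("traversal")  # '..' segment escapes the extraction dir
    if re.match(r"^([A-Za-z]:)?[\\/]", base):
        reasons.append("absolute")   # absolute or drive-rooted destination
    if any(STARTUP_MARKER in ntpath.normpath(p).lower() for p in paths):
        reasons.append("startup")    # lands in a Startup folder: persistence
    return reasons


def scan_listing(names: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious entry name to its reasons; clean entries are omitted."""
    findings: Dict[str, List[str]] = {}
    for name in names:
        reasons = analyse_entry(name)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in scan_listing(SAMPLE_ENTRIES).items():
        print(f"{', '.join(reasons):<24} {entry}")
```

Run it against the listing of any inbound archive before it reaches a user; an entry that is both `ads` and `startup` is exactly the shape the reported campaigns used, and `absolute` entries should never be accepted from untrusted archives either.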

Potential Threats

Threat Actors Abuse GoTo Resolve and LogMeIn RMM Tools in Greenvelope-Themed Phishing Campaign - On 22 January 2026, KnowBe4 Threat Lab reported a global dual-vector phishing campaign by an unidentified threat actor that escalated from credential theft to full system takeover using GoTo Resolve and LogMeIn remote monitoring and management (RMM) software. The attack began with phishing emails impersonating Greenvelope invitations, directing victims to fake login pages to harvest credentials. Using these credentials, the actors generated legitimate GoTo Resolve access tokens and deployed a signed executable, GreenVelopeCard.exe, which silently installed GoTo Resolve and LogMeIn as a persistent backdoor connected to a threat actor-controlled account.

After installation, the attackers escalated privileges by modifying Windows service registry settings to run the RMM service with SYSTEM-level access, created hidden scheduled tasks via COM, and abused the Windows Service Control Manager to inherit system trust. Command and control traffic used encrypted HTTPS over legitimate GoTo Resolve endpoints, making it difficult to distinguish from normal administrative activity. The campaign provided persistent remote access, full system control, and potential credential dumping on compromised systems.

MaliciousCorgi Campaign Abuses Trusted VS Code AI Extensions for Covert Code Theft - On 22 January 2026, cybersecurity firm Koi Security published a technical analysis of MaliciousCorgi, a campaign abusing the trusted Visual Studio Code marketplace to distribute AI coding assistants that secretly perform spyware activities without user consent. The campaign involves two extensions, “ChatGPT - 中文版” by WhenSunset and “ChatMoss (CodeMoss)” by zhukunpeng, which together have more than 1.5 million installations. Despite their malicious behaviour, both extensions remained active and fully functional at the time of analysis, while presenting themselves as legitimate AI coding tools.

Koi Security found that once installed, the extensions operate as advertised, answering coding queries and providing autocomplete features that send snippets of nearby code to a remote AI service. At the same time, they covertly activate three hidden data‑collection mechanisms: real‑time file monitoring that exfiltrates entire files, a server‑controlled backdoor that allows on‑demand harvesting of workspace files, and a profiling engine that loads multiple analytics SDKs to fingerprint devices and track user behaviour. Together, these capabilities enable detailed profiling of developers and potential exfiltration of sensitive source code and credentials to servers based in China.

Threat Actors Exploit SharePoint in Multi-Stage AiTM Phishing Campaign Targeting Energy Organisations via Trusted Vendors - On 21 January 2026, Microsoft Security reported a multi-stage adversary-in-the-middle (AiTM) phishing campaign targeting several energy sector organisations, followed by business email compromise (BEC) activity. The attackers sent phishing emails from a trusted organisation’s account, likely previously compromised, mimicking Microsoft SharePoint document notifications. Recipients who clicked the included SharePoint link were redirected to an AiTM credential prompt, enabling the threat actors to capture login information.

Once inside, the attackers accessed accounts from a separate IP, created inbox rules to hide incoming messages, and reviewed recent email conversations to map internal and external contacts. They sent over 600 additional phishing emails with malicious links and then carried out BEC activities, including monitoring mailboxes, deleting undelivered or out-of-office messages, and responding to inquiries to maintain stealth. Interaction with secondary phishing links triggered further AiTM attacks, leading to additional account compromises across multiple organisations.

General News

Google agrees to pay $68 million to settle voice recording lawsuit - Google has agreed to pay $68 million to settle a class-action lawsuit alleging that its voice-activated assistant illegally recorded and shared users’ private conversations with third parties without consent. A preliminary settlement was filed in a Northern California federal court on Friday and still requires judicial approval.

The plaintiffs claimed that Google Assistant, which activates when users say “Hey Google,” sometimes misheard conversations and began recording, with the data subsequently disclosed to third parties for targeted advertising. The settlement funds will be distributed to individuals who purchased Google devices since May 2016. Google reportedly agreed to the settlement without admitting any wrongdoing.

WhatsApp unveils anti-spyware ‘lockdown’ feature - WhatsApp is introducing a new security feature called Strict Account Settings, aimed at blocking spyware, the company announced on Tuesday. The feature prevents attachments and media from people outside a user’s contacts list and is targeted at journalists and public-facing individuals who may face sophisticated cyberattacks. WhatsApp describes it as a “lockdown-style feature,” similar to Apple’s lockdown mode introduced in July 2022 to protect against spyware.

The announcement references a 2019 spyware attack in which around 1,400 users were targeted with NSO Group’s zero-click Pegasus surveillance tool. In December, a federal judge barred NSO Group from using WhatsApp infrastructure for attacks, though the company is contesting the ruling. WhatsApp said the new feature will roll out gradually over the coming weeks.

UK plans sweeping overhaul of policing amid surge in online crimes - The British government has announced plans to overhaul policing, centralising efforts against cybercrime, fraud, and other online offences. The Home Office proposes a new National Police Service, Britain’s equivalent of the FBI, to handle serious non-local crimes now split across multiple forces. Local forces would remain in a more consolidated form for neighbourhood policing, while cybercrime, fraud, and counterterrorism would shift to the national service. Officials note that around 90% of crime now involves a digital element, with fraud making up roughly 44% of offences.

The National Police Service would absorb the National Crime Agency and counterterrorism units, operating with full authority rather than relying on local forces. Short-term plans include expanding cyber and fraud coordination, investing in AI and facial recognition to reduce digital backlogs, and creating a £115 million National Centre for AI in Policing. The government will introduce oversight of AI and facial recognition and commission an independent review of police structures and online law enforcement, due in summer 2026.

Threat Actor Weekly Graph

Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.

Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.

Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.

Both intent and opportunity are scored out of 100 and are responsible for scoring the group's severity. These updates can be seen below.


Severity scale: Limited Severity | Basic Severity | Moderate Severity | High Severity
Values are shown as previous → current; ● marks an opportunity increase.

Threat Actor                      Severity          Opportunity       Intent
Sandworm Team                     High → High       78 → 79 ●         25 → 25
BlackShrantac Ransomware Group    NEW → Basic       NEW → 30          NEW → 25
Genesis Ransomware Group          NEW → Basic       NEW → 30          NEW → 25
ShinyHunters                      Basic → Basic     25 → 25           40 → 30
Devman                            Basic → Basic     35 → 35           35 → 30

Global Trends Powered by Recorded Future

Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol.

The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.

- Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
- Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.

Attackers                                                    Methods                        Vulnerabilities   Targets
World Leaks Ransomware Group                                 Cyber spying                   CVE-2026-21509    Nike
Lazarus Group (Cyber Warfare Guidance Unit, Diamond Sleet)   T1204.002 (Malicious File)     CVE-2026-24858    SoundCloud
ShinyHunters                                                 Blackmoon (Banbra, KRBanker)   CVE-2025-8088     Government of the United Kingdom
RedMike                                                      Romance Scam                   CVE-2026-24061    Crunchbase
Sandworm Team                                                Spyware                        CVE-2024-37079    Under Armour


Prominent Information Security Events

Threat Actors Abuse GoTo Resolve and LogMeIn RMM Tools in Greenvelope-Themed Phishing Campaign

Source: Insikt Group | Validated Intelligence Event

IOC: URL - https[:]//rebrand[.]ly/xdoc1ps

IOC: Hash - 6922beeef06902c23192b2ea8b29c63c1c9898ff1325ef4be06575b65035bffe

On 22 January 2026, KnowBe4 Threat Lab reported a global dual-vector phishing campaign by an unidentified threat actor that escalated from credential harvesting to full system takeover using GoTo Resolve and LogMeIn remote monitoring and management (RMM) software. The attack began with phishing emails impersonating Greenvelope invitations, directing victims to spoofed login pages that collected valid credentials. Once obtained, the attackers generated legitimate GoTo Resolve access tokens and delivered a signed executable, GreenVelopeCard.exe, which installed GoTo Resolve and LogMeIn as a persistent backdoor. The executable contained a JSON configuration that silently installed the RMM client in unattended mode, registered it to a threat actor-controlled account, and connected it to official GoTo infrastructure for command and control (C2).

After installation, the attackers escalated privileges by modifying Windows service registry settings to run the RMM service with SYSTEM-level access. They created hidden scheduled tasks via the Windows Component Object Model (COM) interface to maintain persistence and abused the Windows Service Control Manager to inherit system trust. These techniques ensured the RMM software operated stealthily, providing the threat actors with continuous access and control over affected systems.

Command and control communications relied on encrypted HTTPS traffic over legitimate GoTo Resolve endpoints, including dumpster[.]console[.]gotoresolve[.]com and dumpster[.]dev01-console[.]gotoresolve[.]com, with settings[.]cc used as a fallback configuration domain. By blending malicious activity with normal administrative traffic, the campaign enabled persistent remote access, full system control, and the potential for credential dumping, making detection and mitigation particularly challenging for targeted organisations.
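Because the C2 rides on the vendor's own HTTPS endpoints, the detection opportunity lies in the three host-side behaviours described in this event and in the Potential Threats summary above: a service's ImagePath or ObjectName rewritten by something other than the Service Control Manager, a scheduled task created with the Hidden setting, and RMM console traffic from a host that is not approved to run the agent. The hunt below is an added example for this digest, not code from KnowBe4 or from GoTo; the telemetry records, host names, service and agent names, and the approved-host list are all constructed, and the Sysmon-like field names are simplified for the example.

```python
"""Correlate host telemetry for the post-installation behaviours described
above: service configuration rewritten outside the Service Control Manager,
hidden scheduled tasks, and RMM console traffic from unapproved hosts."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Constructed sample telemetry; field names are Sysmon-like but simplified, and
# "ExampleRmmSvc" / "ExampleRmmAgent.exe" are placeholders, not product names.
EVENTS = [
    {"host": "WS-017", "type": "registry_set", "process": "powershell.exe",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleRmmSvc\ObjectName",
     "value": "LocalSystem"},
    {"host": "WS-017", "type": "task_created", "process": "GreenVelopeCard.exe",
     "task_xml": "<Task><Settings><Hidden>true</Hidden></Settings></Task>"},
    {"host": "WS-017", "type": "network", "process": "ExampleRmmAgent.exe",
     "dest_host": "dumpster.console.gotoresolve.com", "dest_port": 443},
    {"host": "SRV-IT-01", "type": "network", "process": "ExampleRmmAgent.exe",
     "dest_host": "console.gotoresolve.com", "dest_port": 443},
    {"host": "WS-042", "type": "registry_set", "process": "services.exe",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\ImagePath",
     "value": r"C:\Windows\System32\spoolsv.exe"},
]

# Hosts where IT legitimately runs the RMM agent (assumed allow-list).
APPROVED_RMM_HOSTS = {"SRV-IT-01"}
# Vendor domains the campaign's C2 blended into; add your own RMM vendors.
RMM_DOMAIN_SUFFIXES = (".gotoresolve.com", ".logmein.com")
# Service values that decide which binary runs and which account it runs as.
SERVICE_VALUE = re.compile(r"\\Services\\[^\\]+\\(ImagePath|ObjectName)$", re.IGNORECASE)


def indicators_for(event: dict) -> Set[str]:
    """Return the behaviour names a single event matches (usually zero or one)."""
    hits: Set[str] = set()
    kind = event["type"]
    if (kind == "registry_set" and SERVICE_VALUE.search(event["key"])
            and event["process"].lower() != "services.exe"):
        # The SCM (services.exe) normally writes these values; a direct write by
        # another process is the SYSTEM-level escalation described in the report.
        hits.add("service_config_rewritten_outside_scm")
    if kind == "task_created" and "<hidden>true</hidden>" in event.get("task_xml", "").lower():
        hits.add("hidden_scheduled_task")
    if kind == "network":
        dest = event["dest_host"].lower()
        if dest.endswith(RMM_DOMAIN_SUFFIXES) and event["host"] not in APPROVED_RMM_HOSTS:
            hits.add("rmm_console_traffic_from_unapproved_host")
    return hits


def hunt(events: Iterable[dict], min_indicators: int = 2) -> Dict[str, List[str]]:
    """Group indicators by host and report hosts that reach the threshold."""
    per_host: Dict[str, Set[str]] = defaultdict(set)
    for event in events:
        per_host[event["host"]] |= indicators_for(event)
    return {h: sorted(i) for h, i in per_host.items() if len(i) >= min_indicators}


if __name__ == "__main__":
    for host, indicators in hunt(EVENTS).items():
        print(host, "->", ", ".join(indicators))
```

The approved-host list is what turns vendor traffic into a signal: the same `console.gotoresolve.com` connection is benign from the IT jump host and suspicious from a user workstation. Requiring two indicators per host keeps a lone registry write by an installer from paging anyone, while the full trio observed in this campaign is reported immediately.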

Threat Actors Exploit SharePoint in Multi-Stage AiTM Phishing Campaign Targeting Energy Organisations via Trusted Vendors

Source: Insikt Group | Validated Intelligence Event

IOC: IP - 193[.]36[.]221[.]10

On 21 January 2026, Microsoft Security reported a multi-stage adversary-in-the-middle (AiTM) phishing campaign targeting multiple organisations in the energy sector, followed by business email compromise (BEC) activity. The attackers sent phishing emails from a trusted organisation’s account, likely compromised beforehand, mimicking Microsoft SharePoint document notifications. Recipients who clicked the included SharePoint link were redirected to an AiTM credential prompt, allowing the threat actors to capture login information.

Once access was gained, the attackers authenticated from a separate IP address and created inbox rules to mark incoming messages as read and hide them from view. They reviewed recent email conversations to map internal and external contacts and distribution lists, then used the compromised account to send over 600 additional phishing emails containing new malicious links.

The campaign then moved to follow-on BEC activity, with attackers monitoring mailboxes, deleting undelivered or out-of-office messages, and responding to inquiries to maintain stealth. Users who interacted with secondary phishing links were subjected to further AiTM attacks, resulting in additional account compromises across multiple organisations.
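The sequence Microsoft describes here and in the Potential Threats summary above leaves a recognisable trail in Exchange audit data: a sign-in from an IP outside the user's baseline, an inbox rule whose parameters hide mail (MarkAsRead, MoveToFolder, DeleteMessage), and then an outbound burst far above the account's normal volume. The hunt below is an added example for this digest, not code from Microsoft; the records are constructed to resemble Exchange Online unified audit log entries (operation names `UserLoggedIn`, `New-InboxRule` and `Send` are real, the users, IPs, times and per-user IP baseline are invented), and the burst threshold is an assumed value to tune per organisation.

```python
"""Hunt over Exchange audit records for the post-compromise pattern described
above: sign-in from an IP outside the user's baseline, an inbox rule that hides
mail, and a burst of outbound messages from the same account."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set

# Constructed records shaped after Exchange Online unified audit log entries;
# users, IPs and times are invented for this example.
USER = "a.ortiz@example.com"
PEER = "b.lee@example.com"
BASE = datetime(2026, 1, 20, 9, 0)

AUDIT_LOG = [
    {"CreationTime": (BASE + timedelta(minutes=2)).isoformat(), "Operation": "UserLoggedIn",
     "UserId": USER, "ClientIP": "203.0.113.45"},
    {"CreationTime": (BASE + timedelta(minutes=5)).isoformat(), "Operation": "New-InboxRule",
     "UserId": USER, "ClientIP": "203.0.113.45",
     "Parameters": [{"Name": "MarkAsRead", "Value": "True"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "SubjectContainsWords", "Value": "SharePoint;shared a document"}]},
    # A benign rule created by its owner from a known address.
    {"CreationTime": (BASE - timedelta(days=1)).isoformat(), "Operation": "New-InboxRule",
     "UserId": PEER, "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "MoveToFolder", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@"}]},
]
# Sixty outbound messages within an hour from the compromised account.
AUDIT_LOG += [
    {"CreationTime": (BASE + timedelta(minutes=10 + k)).isoformat(), "Operation": "Send",
     "UserId": USER, "ClientIP": "203.0.113.45"}
    for k in range(60)
]

# Per-user IPs seen over the preceding weeks (assumed baseline, constructed).
BASELINE_IPS: Dict[str, Set[str]] = {USER: {"198.51.100.20"}, PEER: {"198.51.100.7"}}
# Rule parameters that remove incoming mail from the owner's view.
STEALTH_PARAMS = {"MarkAsRead", "MoveToFolder", "DeleteMessage", "MoveToDeletedItems"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
SEND_BURST_THRESHOLD = 50   # messages per hour; assumed value, tune per org


def max_in_window(times: List[datetime], window: timedelta = timedelta(hours=1)) -> int:
    """Largest number of events that fall inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while times[start] < t - window:
            start += 1
        best = max(best, end - start + 1)
    return best


def hunt(records: Iterable[dict]) -> Dict[str, List[str]]:
    """Return, per user, the sorted list of suspicious behaviours observed."""
    findings: Dict[str, Set[str]] = defaultdict(set)
    sends: Dict[str, List[datetime]] = defaultdict(list)
    for r in records:
        user, ip, op = r["UserId"], r.get("ClientIP", ""), r["Operation"]
        new_ip = ip not in BASELINE_IPS.get(user, set())
        if op == "UserLoggedIn" and new_ip:
            findings[user].add("sign_in_from_new_ip")
        if op in RULE_OPS:
            names = {p["Name"] for p in r.get("Parameters", [])}
            if names & STEALTH_PARAMS and new_ip:
                findings[user].add("stealth_inbox_rule_from_new_ip")
        if op == "Send":
            sends[user].append(datetime.fromisoformat(r["CreationTime"]))
    for user, times in sends.items():
        if max_in_window(times) > SEND_BURST_THRESHOLD:
            findings[user].add("outbound_mail_burst")
    return {u: sorted(f) for u, f in findings.items() if f}


if __name__ == "__main__":
    for user, flags in hunt(AUDIT_LOG).items():
        print(user, "->", ", ".join(flags))
```

Inbox rules alone are a weak signal because users create them constantly; requiring the rule to come from a non-baseline IP, and pairing it with the send burst, separates the AiTM-then-BEC pattern from ordinary mailbox housekeeping. Extending the record set to cover `Set-InboxRule` and deletions of out-of-office replies would follow the same structure.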

Remediation Actions

Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable: 

  • CVE-2025-67968 (RealHomes CRM Plugin) – This vulnerability can be addressed by updating the plugin to version 1.0.1 or later, which introduced the permission and file type checks that were missing from upload_csv_file.

  • CVE-2026-21962 (Oracle) – This vulnerability can be addressed by applying the fixes listed in Oracle's January 2026 advisory for the affected Oracle HTTP Server and WebLogic Server Proxy Plug-in releases (12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0, plus the IIS plug-in 12.2.1.4.0). Since the flaw is reachable by unauthenticated network clients and a proof of concept is public, prioritise internet-facing instances.

  • CVE-2025-8088 (WinRAR) – This vulnerability can be addressed by patching WinRAR to at least version 7.13.

If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.