CyberNews: 18/01/2026 Edition

Published by Dunateo on 2026-01-18

Today’s roundup

  • China-linked APT UAT-8837 targets North American critical infrastructure
  • Credential-stealing Chrome extensions target enterprise HR platforms
  • Malicious GhostPoster browser extensions found with 840,000 installs
  • Black Basta Ransomware Leader Added to EU Most Wanted and INTERPOL Red Notice

Summary

Cisco Talos reports that the China-linked advanced persistent threat (APT) group UAT-8837 has been targeting North American critical infrastructure sectors since at least 2025. The group gains initial access through exploits, including a zero-day vulnerability (CVE-2025-53690) in Sitecore products, and through stolen credentials. Post-compromise, UAT-8837 uses tools such as Earthworm, SharpHound, DWAgent, and Certipy for reconnaissance, credential theft, lateral movement within Active Directory environments, and persistence. Researchers observed the exfiltration of product-related DLLs, indicating a risk of trojanization or future supply-chain attacks. This activity poses a high threat to national security and critical services.

Malicious Chrome extensions have been identified on the Chrome Web Store, specifically targeting enterprise HR and ERP platforms. These extensions, disguised as legitimate productivity and security tools, are designed to steal authentication credentials and block access to management pages. This interference hinders an organization's ability to respond effectively to security incidents, representing a direct and significant threat to sensitive enterprise data and operational security.

A widespread malicious campaign, dubbed GhostPoster, has compromised an estimated 840,000 users through 17 harmful browser extensions. These extensions were discovered across the Chrome, Firefox, and Edge stores. The scale of installations across multiple popular browsers highlights a significant and broad security risk, indicating a large-scale compromise vector for individual and potentially corporate users.

Law enforcement agencies from Ukraine and Germany have identified two individuals suspected of involvement with the Russia-linked Black Basta ransomware-as-a-service (RaaS) group. A significant development in the ongoing effort against cybercrime is the placement of Oleg Evgenievich Nefedov, a 35-year-old Russian national and the alleged leader of Black Basta, on both the European Union's Most Wanted list and INTERPOL's Red Notice list, underscoring concerted international action against major cybercrime organizations.

Vulnerabilities

CVE-2025-53690 (Critical)