Today’s roundup
Crypto wallets received a record $158 billion in illicit funds last year
Microsoft to disable NTLM by default in future Windows releases
Microsoft fixes Outlook bug blocking access to encrypted emails
Iran-Linked RedKitten Cyber Campaign Targets Human Rights NGOs and Activists
OpenClaw AI Runs Wild in Business Environments
Labyrinth Chollima Evolves into Three North Korean Hacking Groups
Cyberattacks Disrupt Communications at Wind, Solar, and Heat Facilities in Poland
Coupang CEO questioned by police investigating obstruction of probe into data breach
Someone Knows Bash Far Too Well, And We Love It (Ivanti EPMM Pre-Auth RCEs CVE-2026-1281 & CVE-2026-1340)
Summary
Illegal cryptocurrency transactions reached a record $158 billion in 2025, reversing a three-year decline. This significant surge highlights persistent challenges in combating financial crime within the digital asset ecosystem.
Microsoft announced plans to disable the NTLM authentication protocol by default in future Windows releases, addressing long-standing security vulnerabilities and enhancing Windows environment security.
Microsoft has released a fix for an issue preventing Microsoft 365 users from opening encrypted emails in classic Outlook after a recent update, restoring access to secure communications.
A Farsi-speaking threat actor, codenamed RedKitten and linked to Iranian state interests, is conducting a new cyber campaign. Observed in January 2026, the group targets NGOs and individuals documenting human rights abuses, coinciding with recent unrest in Iran.
Concerns are rising over OpenClaw (ClawdBot/MoltBot), a popular open-source AI assistant. Its rapid adoption in business environments, combined with its ability to act autonomously on users' computers, presents new security risks.
CrowdStrike reports that the North Korean hacking group Labyrinth Chollima has splintered into two additional threat actor groups. This suggests a reorganization of North Korean state-sponsored cyber operations, potentially diversifying attack campaigns.
CERT Polska detailed coordinated cyberattacks on December 29, 2025, against over 30 wind/solar farms, a manufacturer, and a major CHP plant in Poland. The attacks impacted IT and OT systems, including firmware tampering and deploying DynoWiper/LazyWiper malware via exploited FortiGate devices. While communications were disrupted, electricity and heat supply remained unaffected. Attribution points to Static Tundra, with ESET/Dragos suggesting Sandworm involvement.
Seoul Metropolitan Police questioned Coupang's acting CEO, Harold Rogers, regarding an investigation into alleged obstruction of a probe into a June 2025 data breach and associated security failures.
WatchTowr Labs detailed two critical pre-authentication RCE vulnerabilities, CVE-2026-1281 and CVE-2026-1340, in Ivanti Endpoint Manager Mobile (EPMM). Both are actively exploited and listed in CISA's KEV catalog; they stem from Bash arithmetic expansion being applied to values taken from unauthenticated HTTP requests, which allows command injection. Temporary RPM patches are available, with a full fix due in Q1 2026.
Cyber Groups
| Group | Aliases |
| --- | --- |
| Lazarus Group | Labyrinth Chollima, HIDDEN COBRA, Guardians of Peace, ZINC, NICKEL ACADEMY, Diamond Sleet |