Today’s roundup
Exclusive: US used cyber weapons to disrupt Iranian air defenses during 2025 strikes
CVE-2025-22225 in VMware ESXi now used in active ransomware attacks
Malicious NGINX Configurations Enable Large-Scale Web Traffic Hijacking Campaign
Critical n8n Flaw CVE-2026-25049 Enables System Command Execution via Malicious Workflows
China-linked Amaranth-Dragon hackers target Southeast Asian governments in 2025
EDR killer tool uses signed kernel driver from forensic software
DEAD#VAX Malware Campaign Deploys AsyncRAT via IPFS-Hosted VHD Phishing Files
GreyNoise tracks massive Citrix Gateway recon using 63K+ residential proxies and AWS
Data breach at fintech firm Betterment exposes 1.4 million accounts
Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends
Summary
The U.S. military digitally disrupted Iranian air defense missile systems during the 2025 strikes on Iran's nuclear program, a notably sophisticated use of cyber weapons alongside kinetic attacks.
Ransomware groups are now actively exploiting CVE-2025-22225, a VMware ESXi sandbox escape that was patched in March 2025. CISA has confirmed the flaw's use in ransomware attacks, and evidence suggests Chinese-speaking actors had been exploiting it as a zero-day since February 2024. The flaw lets an attacker who already controls a guest VM break out to the hypervisor, so hosts should be verified against the March 2025 fix.
A large-scale web traffic hijacking campaign is actively targeting NGINX installations and Baota management panels, planting malicious configuration that reroutes visitor traffic through attacker-controlled infrastructure. The same actors have also been linked to exploitation of the critical React2Shell vulnerability (CVE-2025-55182, CVSS 10.0).
A critical vulnerability, CVE-2026-25049 (CVSS 9.4), has been disclosed in the n8n workflow automation platform. A malicious workflow can use it to execute arbitrary system commands, bypassing previously added safeguards.
The China-linked Amaranth-Dragon cyberespionage group, tied to APT41, exploited a WinRAR path traversal flaw (CVE-2025-8088) in targeted campaigns against government and law enforcement agencies across Southeast Asia. The intrusions used DLL side-loading and the Havoc C2 framework.
Attackers are deploying an EDR killer that abuses a legitimate but long-revoked EnCase forensic kernel driver to detect and disable 59 different security products. Revoking a signing certificate does not by itself stop Windows from loading a driver that was signed before the revocation; blocking such drivers relies on Microsoft's vulnerable driver blocklist, so confirm it is enforced on endpoints.
A new, stealthy malware campaign dubbed DEAD#VAX is deploying the AsyncRAT remote access trojan. It delivers VHD phishing files hosted on IPFS and relies on heavy script obfuscation and in-memory execution to evade traditional detection.
GreyNoise observed a massive, coordinated reconnaissance campaign between January 28 and February 2, 2026, against Citrix ADC and NetScaler Gateway deployments. Attackers used more than 63,000 residential proxy IPs plus AWS infrastructure to discover login panels and enumerate exposed versions, the usual precursor to targeted exploitation. Traffic spread across that many source addresses defeats per-IP rate limiting; detection has to look at the fan-out of distinct sources against the same gateway paths.
Fintech firm Betterment suffered a data breach in January, leading to the exposure of email addresses and other personal information from 1.4 million accounts.
The Iranian threat group Infy, also known as Prince of Persia, has resumed operations with new command-and-control servers now that Iran's internet blackout has ended, suggesting the group adapted its tactics to keep covert communications alive.
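The recon pattern described above, many distinct source IPs each sending a handful of requests to the same gateway logon paths, is easy to miss with per-IP thresholds. The following is an added example, not GreyNoise's tooling or any Citrix code: it parses combined-format access log lines from a reverse proxy in front of the gateway and flags distributed probing by fan-out of distinct sources rather than request volume. The probe paths (`/vpn/index.html`, `/logon/LogonPoint/index.html`), the thresholds, and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from statistics import median

# Combined-log-format access lines as written by an NGINX or Apache reverse proxy.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumed probe targets: the NetScaler Gateway logon pages. Adjust to the paths your
# front end actually exposes; anything not listed here is ignored.
PROBE_PATHS = {"/vpn/index.html", "/logon/LogonPoint/index.html"}


def probe_hits(lines):
    """Yield (source_ip, path) for each request to a probe path; other lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if path in PROBE_PATHS:
            yield m.group("ip"), path


def assess(lines, min_sources=5, max_median_per_ip=2):
    """Classify probe traffic. Distributed recon means many distinct sources, each sending
    only a handful of requests, which is the pattern proxy rotation produces; a single
    noisy scanner (one source, many requests) is reported but not flagged here."""
    per_ip = defaultdict(int)
    per_path = defaultdict(set)
    for ip, path in probe_hits(lines):
        per_ip[ip] += 1
        per_path[path].add(ip)
    if not per_ip:
        return {"distributed_recon": False, "sources": 0, "median_per_ip": 0, "paths": {}}
    med = median(per_ip.values())
    return {
        "distributed_recon": len(per_ip) >= min_sources and med <= max_median_per_ip,
        "sources": len(per_ip),
        "median_per_ip": med,
        "paths": {p: len(ips) for p, ips in per_path.items()},
    }


def _line(ip, path, sec):
    # Constructed sample line; the addresses are documentation ranges, not real sources.
    return (f'{ip} - - [30/Jan/2026:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" '
            f'200 1234 "-" "Mozilla/5.0"')


# Constructed sample: six proxies touch the gateway logon page once each, a seventh hits
# the LogonPoint page twice, and one ordinary user fetches an unrelated page.
DISTRIBUTED_LOG = (
    [_line(f"203.0.113.{i}", "/vpn/index.html", i) for i in range(1, 7)]
    + [_line("198.51.100.7", "/logon/LogonPoint/index.html", s) for s in (7, 8)]
    + [_line("192.0.2.9", "/index.html", 9)]
)

# Constructed sample: one source hammering the logon page twenty times.
SINGLE_SCANNER_LOG = [_line("198.51.100.1", "/vpn/index.html", s) for s in range(20)]

if __name__ == "__main__":
    print(assess(DISTRIBUTED_LOG))
    print(assess(SINGLE_SCANNER_LOG))
```

The single-scanner case is deliberately left to ordinary rate limiting; what this check adds is the low-and-slow, high-fan-out signature, and in production the window should be bounded (the campaign above ran for six days) and the source list enriched with residential-proxy and cloud-provider tags before alerting.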
Cyber Groups
| Group | Aliases |
| --- | --- |
| APT41 | Wicked Panda, Brass Typhoon, BARIUM |