VulnHub

The Coruna exploit kit has been identified as a significant threat targeting older iPhones, specifically those running iOS versions from 13.0 to 17.2.1. Cybercriminals are using this toolkit to steal financial data from users, which raises concerns about the safety of personal and financial information on these devices. Researchers have noted that this multi-stage campaign is particularly aimed at exploiting vulnerabilities in outdated operating systems, making it crucial for users to stay updated. With many individuals still using older iPhone models, the risks associated with this exploit are substantial. Users are urged to upgrade their devices to the latest iOS version to protect against these attacks.

A recent cyber campaign attributed to a group linked to Iran is targeting Iraqi government officials by impersonating the Ministry of Foreign Affairs. This operation, identified by Zscaler ThreatLabz and named Dust Specter, involves the deployment of new malware strains called SPLITDROP and GHOSTFORM. Observed in January 2026, these attacks aim to compromise sensitive information from officials within the Iraqi government. The use of sophisticated tactics and novel malware underscores a growing threat to government entities in the region. This incident raises concerns about the security of state institutions and the potential for sensitive data breaches that could have significant political ramifications.

Despite the widespread implementation of multi-factor authentication (MFA) in organizations, many still fall victim to credential theft. Attackers are exploiting valid usernames and passwords to gain unauthorized access to networks, particularly in Windows environments. The problem isn't with MFA itself, but rather with how comprehensively it is enforced through identity providers like Microsoft Entra ID and Okta. If MFA isn't applied consistently across all access points, attackers can bypass these security measures. This situation emphasizes the need for companies to ensure that MFA is enforced everywhere, not just in select areas, to truly safeguard their systems from credential abuse.

A new vulnerability in FreeScout, identified by researchers at Ox Security, allows attackers to execute remote code without any user interaction, a situation referred to as a zero-click exploit. This flaw, dubbed Mail2Shell, could enable malicious actors to take control of FreeScout systems, putting organizations that use this customer support platform at risk. Users of FreeScout should be particularly vigilant, as this vulnerability could lead to unauthorized access and data breaches. The lack of user interaction required for the exploit makes it especially concerning, as it can be executed without any action from the target. Organizations are urged to monitor their systems closely and apply any available updates to mitigate potential risks from this vulnerability.

The latest Security Affairs Malware newsletter covers several significant malware threats that have emerged recently. Notably, a group identified as Stan Ghouls is targeting users in Russia and Uzbekistan using the NetSupport Remote Access Trojan (RAT), which allows attackers to control infected systems remotely. Another concerning development is the discovery of ZeroDayRAT, a new spyware designed to infiltrate both Android and iOS devices. Additionally, researchers have uncovered a Linux botnet named SSHStalker, which utilizes old-school IRC methods to compromise new victims. These activities demonstrate the evolving tactics of cybercriminals and emphasize the need for users and organizations to remain vigilant against these persistent threats.

Last week, a newly patched vulnerability in BeyondTrust's Remote Code Execution (RCE) software was exploited in the wild. This vulnerability poses significant risks as it allows attackers to execute commands on affected systems without authorization. BeyondTrust has issued patches to address this issue, but organizations using the affected software need to act quickly to apply these updates to prevent potential breaches. Additionally, in an interview, Deneen DeFiore, the Chief Information Security Officer at United Airlines, discussed the importance of resilience in cybersecurity. She emphasized that while prevention is crucial, organizations must also prepare for disruptions and manage risks associated with their interconnected vendor and partner ecosystems. This dual focus on resilience and safety is essential for maintaining operational integrity in today's complex digital landscape.

A recent investigation by Q Continuum has uncovered that 287 Chrome extensions are leaking private browsing data from approximately 37.4 million users to companies like Similarweb and Alibaba. These extensions, often perceived as harmless tools, have been found to convert users' browsing histories into marketable products. The data breach raises significant privacy concerns, particularly for users who may not be aware that their online activities are being monitored and sold. This incident highlights the need for users to be vigilant about the extensions they install and the permissions they grant. As these extensions may not seem malicious at first glance, it serves as a reminder of the potential risks associated with browser add-ons.

Recent threat intelligence reports indicate that a single threat actor is behind the majority of attacks exploiting two critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), identified as CVE-2026-21962 and CVE-2026-24061. These vulnerabilities allow for remote code execution, posing significant risks to organizations using this mobile management solution. The findings suggest that companies using Ivanti's software need to be vigilant, as the attacks are actively occurring. The focus on a single actor highlights the need for targeted defenses against this specific threat. Organizations are encouraged to monitor for unusual activity and apply any available patches to mitigate potential exploitation.

Attackers are targeting users of cryptocurrency hardware wallets Trezor and Ledger by sending fake physical letters that appear to be from these companies. These letters aim to deceive users into revealing their recovery phrases, which can be used to steal their cryptocurrencies. This tactic exploits the trust users have in these well-known wallet providers and could lead to significant financial losses for those who fall for the scam. It’s crucial for users to be cautious and verify any communications they receive, especially when it comes to sensitive information like recovery phrases. The rise of such scams underscores the need for increased awareness and education around cryptocurrency security.

A newly identified hacking group, suspected to be linked to Russian intelligence, has launched attacks against various Ukrainian sectors, including defense, government, and energy. This group is using a malware called CANFAIL, which was uncovered by researchers from Google Threat Intelligence Group. The targeting of critical infrastructure and military entities raises significant concerns about national security and the ongoing conflict in the region. As these attacks could disrupt essential services and information systems, the situation highlights the need for enhanced cybersecurity measures among the affected organizations. This incident is part of a broader pattern of cyber warfare tactics being employed against Ukraine.

North Korean hackers are running a fake recruiter scheme aimed at JavaScript and Python developers, using enticing cryptocurrency-related coding challenges to lure victims. These challenges often contain hidden malware designed to compromise the developers' systems. This tactic exploits the growing interest in cryptocurrency and the remote job market, making it especially appealing to tech professionals looking for work. Developers who engage with these fake opportunities risk not only their personal data but also their work environments, as the malware can lead to further security breaches. Awareness of these scams is crucial for developers to protect themselves from potential attacks.