A comprehensive roundup of this week's cybersecurity threats reveals that attackers are increasingly exploiting trusted systems and workflows rather than relying on novel techniques. From zero-click exploits on Google Pixel devices to massive crypto scam operations and state-linked espionage, the common thread is the quiet accumulation of exposure in overlooked digital spaces.
Most of this week's threats didn't rely on new tricks. They relied on familiar systems behaving exactly as designed, just in the wrong hands. Ordinary files, routine services, and trusted workflows were enough to open doors without forcing them. What stands out is how little friction attackers now need. Some activity focused on quiet reach and coverage, others on timing and reuse. The emphasis wasn't speed or spectacle, but control gained through scale, patience, and misplaced trust.
The stories below trace where that trust bent, not how it broke. Each item is a small signal of a larger shift, best seen when viewed together.
Zero-Click Chain Hits Pixel
Google Project Zero has released a zero-click exploit chain that can compromise Android smartphones via the Dolby audio decoder. The exploit is made possible because the Google Messages application automatically processes incoming audio attachments in the background for transcription purposes and decodes them without requiring user interaction.
The exploit leverages CVE-2025-54957 to gain arbitrary code execution in the mediacodec context of a Google Pixel 9, and then makes use of CVE-2025-36934, a use-after-free in the BigWave driver, to escalate privileges from mediacodec to kernel on the device.
"The time investment required to find the necessary vulnerabilities was small compared to the impact of this exploit, especially for the privilege escalation stage," researcher Natalie Silvanovich said. "The time needed to find the bugs for a 0-click exploit chain on Android can almost certainly be measured in person-weeks for a well-resourced attacker."
While Dolby patched the flaw in October 2025, Samsung was the first mobile vendor to ship the fix the following month. Pixel devices did not receive the patch until January 5, 2026. The fix for the BigWave driver flaw shipped to Pixel devices on January 6, 2026.
Redis RCE Vulnerability
A critical remote code execution vulnerability in Redis was disclosed this week, affecting versions 7.0.0 through 7.0.15. The vulnerability, tracked as CVE-2025-49587, allows attackers to execute arbitrary code by exploiting a memory corruption issue in the Lua scripting engine. The vulnerability can be triggered by a specially crafted Lua script sent through the Redis protocol.
Security researchers note that this vulnerability is particularly dangerous because Redis is often deployed in containerized environments and cloud infrastructure where it may be exposed to untrusted networks. The exploit requires no authentication if Redis is configured without password protection, which remains a common misconfiguration.
Patches are available in Redis 7.0.16 and later. Administrators are advised to update immediately and ensure Redis instances are not directly accessible from the internet.
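As an added illustration of the two checks this item recommends (not code from the Redis project or the original roundup), the following script audits a redis.conf fragment and a reported version against the affected range stated above; the configuration samples are constructed for this example and the finding text is my own.

```python
import re

# Affected range and fix version as stated in the roundup above.
AFFECTED_MIN, AFFECTED_MAX, FIXED = (7, 0, 0), (7, 0, 15), "7.0.16"
# Values of the bind directive that expose every interface (Redis 7 syntax included).
ALL_INTERFACES = {"0.0.0.0", "::", "*", "-::*"}

def parse_version(text):
    """Extract x.y.z from e.g. the 'redis_version:7.0.12' line of INFO output."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version found in %r" % text)
    return tuple(int(x) for x in m.groups())

def is_affected(version_text):
    return AFFECTED_MIN <= parse_version(version_text) <= AFFECTED_MAX

def parse_conf(conf_text):
    """Map each directive to its last value; Redis applies the last occurrence."""
    settings = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            settings[key.lower()] = value.strip()
    return settings

def audit(conf_text, version_text):
    """Return a list of findings; an empty list means every check passed."""
    s, findings = parse_conf(conf_text), []
    if is_affected(version_text):
        findings.append("affected version; upgrade to %s or later" % FIXED)
    if "requirepass" not in s:
        findings.append("no requirepass: clients connect unauthenticated")
    bind = s.get("bind", "")  # a missing bind directive means all interfaces
    if not bind or ALL_INTERFACES & set(bind.split()):
        findings.append("listens on all interfaces; bind to loopback or private addresses only")
    if s.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode disabled; remote unauthenticated clients are not refused")
    return findings

# Constructed sample: the exposed configuration beside its hardened counterpart.
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_CONF = ("bind 127.0.0.1 10.0.0.5\nprotected-mode yes\n"
                 "requirepass replace-with-a-long-random-secret\nport 6379\n")

if __name__ == "__main__":
    print("weak:", audit(WEAK_CONF, "redis_version:7.0.12"))
    print("hardened:", audit(HARDENED_CONF, "redis_version:7.0.16"))
```

Feed it the output of `redis-cli INFO server` and the live config file; a non-empty list from the hardened run means a directive has drifted.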
China's Vast C2 Infrastructure
A new analysis from Hunt.io has revealed that the Chinese internet space has hosted more than 18,000 active command-and-control (C2) servers across 48 different providers over the last three months. China Unicom hosts nearly half of all observed servers, followed by Alibaba Cloud and Tencent.
More than half of the C2 servers (about 9,427 unique C2 IPs) are used to control an IoT botnet known as Mozi. A chunk of the remaining C2 servers is used for activity related to Cobalt Strike (1,204), Vshell (830), and Mirai (703).
"Across Chinese hosting environments, a small number of large telecom and cloud providers account for the majority of observed command-and-control activity, supporting everything from commodity malware and IoT botnets to phishing operations and state-linked tooling," Hunt.io said.
This concentration of C2 infrastructure in a few providers creates a significant challenge for defenders. While takedown efforts can target specific providers, the distributed nature of these services across multiple jurisdictions makes coordinated action difficult.
Malicious Ads Push RAT Installers
Cybersecurity researchers have disclosed an active malicious campaign that uses advertisements placed on legitimate websites to lure users into downloading "converter" tools for converting images or documents. These services share a similar website template and go by names like Easy2Convert, ConvertyFile, Infinite Docs, and PowerDoc.
Should a user end up attempting to download the program, they are redirected to another domain that actually hosts the C# dropper files. "In the foreground, these tools usually work as promised, so users do not become suspicious," Nextron Systems said. "In the background, however, they behave almost identically: they install persistent remote access trojans (RATs) that give the threat actor continuous access to the victim system."
Specifically, the executable is designed to establish persistence using a scheduled task, which points to the main payload, a .NET application that initiates communication with a remote server, executes .NET assemblies received from the server, and sends the results back via an HTTP POST request.
Crypto Scams Hit Record Scale
Cryptocurrency scams received at least $14 billion worth of cryptocurrency in 2025, a jump from $12 billion reported in the year prior. The average scam payment extracted from victims also increased from $782 to $2,764. High-yield investment and pig butchering remained the most dominant categories by volume, even as impersonation scams – which involve fraudsters posing as legitimate organizations such as E-ZPass to manipulate victims into transferring funds – surged 1,400%.
Based on historical trends, the 2025 figure is projected to exceed $17 billion as more illicit wallet addresses are identified in the coming months, Chainalysis said. Scammers have been found increasingly leveraging deepfake technology and AI-generated content to create convincing impersonations in romance and investment scams.
"Major scam operations became increasingly industrialized, with sophisticated infrastructure, including phishing-as-a-service tools, AI-generated deepfakes, and professional money laundering networks," the company said. "Pig-butchering networks across Southeast Asia, drawing heavily on CMLNs [Chinese money laundering networks], generate billions of dollars annually and rely on layered wallet structures, exchanges, shell companies, and informal banking channels to launder funds and convert crypto into real-world assets, including real estate and luxury goods."
EU Proposes Cybersecurity Rules for Tech Supply Chain
The European Commission has proposed new cybersecurity legislation mandating the removal of high-risk suppliers to secure telecommunications networks and strengthen defenses against state-backed and cybercrime groups targeting critical infrastructure.
"The new Cybersecurity Act aims to reduce risks in the EU's ICT supply chain from third-country suppliers with cybersecurity concerns," the Commission said. "It sets out a trusted ICT supply chain security framework based on a harmonised, proportionate and risk-based approach. This will enable the E.U. and Member States to jointly identify and mitigate risks across the EU's 18 critical sectors, considering also economic impacts and market supply."
The revised Cybersecurity Act is also expected to ensure that products and services reaching E.U. consumers are tested for security more efficiently through a renewed European Cybersecurity Certification Framework (ECCF). The amended act will take effect immediately upon approval by the European Parliament and the Council of the E.U. Once adopted, member states have one year to transpose the directive into national law.
Large-Scale WordPress Plugin Reconnaissance
Threat intelligence firm GreyNoise has uncovered a large-scale WordPress plugin reconnaissance activity aimed at enumerating potentially vulnerable sites. The mass scanning, observed between October 20, 2025, and January 19, 2026, involved 994 unique IP addresses across 145 ASNs targeting 706 distinct WordPress plugins in over 40,000 unique enumeration events.
The most targeted plugins are Post SMTP, Loginizer, LiteSpeed Cache, SEO by Rank Math, Elementor, and Duplicator. The activity reached a new high on December 7, 2025, when 6,550 unique sessions were recorded. More than 95% of the spike was driven by a single IP address: 112.134.208[.]214.
Users of the aforementioned plugins are advised to keep them up to date. This activity represents a classic reconnaissance phase in which attackers identify potential targets before launching more sophisticated attacks.
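The enumeration described above leaves a recognisable footprint in ordinary web server logs. The following detector is an added example (not GreyNoise's or the original article's code); it assumes enumeration shows up as one client fetching readme.txt for many distinct plugins in a short window, and the access-log lines, IPs and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log-format line: client IP, timestamp, request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"')
# Assumption: enumeration shows up as fetches of each plugin's readme.txt, which
# carries the version string; ordinary page loads pull assets, not readme files.
README_RE = re.compile(r"^/wp-content/plugins/(?P<plugin>[^/]+)/readme\.txt$", re.I)

def parse_line(line):
    """Return (ip, timestamp, path) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path")

def find_enumerators(lines, min_plugins=5, window=timedelta(minutes=10)):
    """Return {ip: set_of_plugins} for clients that requested readme.txt for at
    least min_plugins distinct plugins inside any window-sized time span."""
    probes = defaultdict(list)  # ip -> [(timestamp, plugin)]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path = parsed
        rm = README_RE.match(path.split("?", 1)[0])  # ignore cache-busting query strings
        if rm:
            probes[ip].append((ts, rm.group("plugin").lower()))
    flagged = {}
    for ip, events in probes.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {plugin for t, plugin in events[i:] if t - start <= window}
            if len(seen) >= min_plugins:
                flagged[ip] = seen
                break
    return flagged

# Constructed access-log sample: one scanner probing six plugins, one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Dec/2025:10:00:01 +0000] "GET /wp-content/plugins/post-smtp/readme.txt HTTP/1.1" 404 196
203.0.113.5 - - [07/Dec/2025:10:00:02 +0000] "GET /wp-content/plugins/loginizer/readme.txt HTTP/1.1" 200 5120
203.0.113.5 - - [07/Dec/2025:10:00:02 +0000] "GET /wp-content/plugins/litespeed-cache/readme.txt HTTP/1.1" 404 196
203.0.113.5 - - [07/Dec/2025:10:00:03 +0000] "GET /wp-content/plugins/seo-by-rank-math/readme.txt HTTP/1.1" 404 196
203.0.113.5 - - [07/Dec/2025:10:00:04 +0000] "GET /wp-content/plugins/elementor/readme.txt HTTP/1.1" 200 7301
203.0.113.5 - - [07/Dec/2025:10:00:05 +0000] "GET /wp-content/plugins/duplicator/readme.txt HTTP/1.1" 404 196
198.51.100.7 - - [07/Dec/2025:10:01:10 +0000] "GET /wp-content/plugins/elementor/assets/css/frontend.min.css HTTP/1.1" 200 88231
198.51.100.7 - - [07/Dec/2025:10:01:11 +0000] "GET /wp-content/plugins/elementor/readme.txt HTTP/1.1" 200 7301
"""
```

Run `find_enumerators(open(path).readlines())` against a real access log; the flagged set per IP tells you which plugins a scanner was interested in, which is what to prioritise for patching.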
Rust Adds Security Tab to Crates.io
The Rust project has updated Crates.io to include a "Security" tab on individual crate pages. The tab displays security advisories drawn from the RustSec database and lists which versions of a crate may have known vulnerabilities. This change gives developers an easy way to view relevant security information before adding the crate as a dependency.
"The tab shows known vulnerabilities for the crate along with the affected version ranges," the maintainers said. Other improvements include expanded Trusted Publishing support, which now works with GitLab CI/CD in addition to GitHub Actions, and a new Trusted Publishing mode that, when enabled, turns off traditional API token-based publishing so as to reduce the risk of unauthorized publishes from leaked API tokens.
Trusted Publishing has also been updated to block pull_request_target and workflow_run GitHub Actions triggers. "These triggers have been responsible for multiple security incidents in the GitHub Actions ecosystem and are not worth the risk," the Crates.io team said.
Additional Notable Incidents
Spear-phishing delivers custom backdoor: Operation Nomad Leopard targets Afghanistan government entities with bogus administrative documents as decoys to distribute a backdoor named FALSECUB via a GitHub-hosted ISO image file.
DoS attacks hit UK services: The U.K. government warns of continued malicious activity from Russian-aligned hacktivist groups like NoName057(16) targeting critical infrastructure and local government organizations with denial-of-service attacks.
New Stealer Campaign Uses DLL Side-Loading Trick: Google-owned VirusTotal has disclosed details of an information stealer campaign that relies on a trusted executable to trick the operating system into loading a malicious DLL payload.
WSL abused without process spawn: SpecterOps researcher Daniel Mayer has released a beacon object file that interacts with the Windows Subsystem for Linux by directly invoking the WSL COM service, avoiding process creation for "wsl.exe" entirely.
Short-lived TLS certs roll out: Let's Encrypt said its short-lived TLS certificates with a 6-day lifetime are now generally available, providing an opt-in option for organizations with fully automated renewal processes.
Zendesk warns of spam campaigns abusing support systems: Unsecured support systems are being used to send spam emails by exploiting Zendesk's ability to allow unverified users to submit support tickets.
Ex-Military IT Consultant Detained in Sweden for Allegedly Spying for Russia: A 33-year-old former IT consultant for Sweden's Armed Forces has been detained on suspicion of passing information to Russia's intelligence service.
Security Flaws in Bluvoyix: Critical vulnerabilities in the Bluvoyix platform of Bluspark Global could have allowed a bad actor to gain full control of the platform and access customer and shipment data.
ATM malware ring dismantled: Five Venezuelan nationals have pleaded guilty or been sentenced for their involvement in multi-state ATM jackpotting thefts between September 14 and 16, 2024.
Malicious ads seed infostealer: A malvertising campaign detected by Sophos in September 2025 used Google Ads to redirect victims to deceptive sites that promoted a trojanized PDF editing application delivering the TamperedChef infostealer.
PNG files hide JS stealer: A new phishing campaign uses phony pharmaceutical invoices to trick recipients into opening ZIP archives containing JavaScript that downloads a malicious PNG image with embedded malware.
Fake loan scams in Peru: A large-scale loan phishing operation in Peru harvests sensitive personal and banking information from unsuspecting users through approximately 370 unique domains impersonating banks.
Proxyware mimics Notepad++: A threat actor is using a fake Notepad++ installer as a lure to distribute proxyware in attacks targeting South Korea, monetizing victims' unused internet bandwidth.
The Pattern Behind the Noise
Taken together, these incidents show how quickly the "background layer" of technology has become the front line. The weakest points weren't exotic exploits, but the spaces people stop watching once systems feel stable. The takeaway isn't a single threat or fix. It's the pattern: exposure accumulates quietly, then surfaces all at once. The full list makes that pattern hard to ignore.