This week's biggest cybersecurity stories include Google disrupting a massive residential proxy botnet, Microsoft patching an actively exploited Office zero-day, MongoDB ransom attacks targeting exposed servers, AI endpoint hijacking campaigns, and critical vulnerabilities across major platforms.
Google Disrupts Massive Residential Proxy Botnet
Google has dealt a significant blow to IPIDEA, a sprawling residential proxy network that operated by hijacking user devices to route malicious traffic. The tech giant pursued legal action to seize command-and-control domains, effectively cutting off operators' ability to route traffic through compromised systems.
The disruption is estimated to have cut IPIDEA's available device pool by millions. Residential IP addresses, particularly those in the U.S., Canada, and Europe, are prized by cybercriminals because traffic from them looks like ordinary consumer activity and is hard to block without also blocking legitimate users.
What makes this particularly concerning is how the proxy software spreads: it either comes pre-installed on devices or is installed willingly by users lured by promises of payment for sharing their internet bandwidth. Once a device is enrolled, the operators sell access to it to customers who use it for malicious purposes, including brute-force attacks against VPN and SSH services.
Google's action demonstrates how tech companies are increasingly willing to take legal measures against infrastructure that enables cybercrime, even when that infrastructure relies on compromised consumer devices rather than traditional servers.
Microsoft Patches Actively Exploited Office Zero-Day
Microsoft issued emergency out-of-band security patches for CVE-2026-21509, a high-severity Office vulnerability with a CVSS score of 7.8. The flaw is a local security-feature bypass: Office relies on untrusted input when making a security decision, and an attacker can manipulate that input.
"Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally," Microsoft stated in its advisory. The vulnerability specifically bypasses OLE mitigations that protect users from vulnerable COM/OLE controls.
Microsoft has not disclosed the nature or scope of the attacks exploiting this flaw, but shipping an out-of-band fix rather than waiting for the regular monthly release indicates exploitation in the wild. Until the patch is applied, the OLE mitigations that users rely on to block dangerous embedded controls cannot be trusted.
Ivanti EPMM Flaws Actively Exploited
Ivanti rolled out critical security updates for two zero-day vulnerabilities affecting its Endpoint Manager Mobile (EPMM) solution. Tracked as CVE-2026-1281 and CVE-2026-1340, these code injection flaws allow unauthenticated remote code execution.
"We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure," Ivanti acknowledged. The company noted it lacks sufficient information about threat actor tactics to provide reliable atomic indicators.
Rapid7 emphasized the severity, noting that compromising an EPMM server could expose Personally Identifiable Information (PII) including names, email addresses, phone numbers, GPS information, and other sensitive identification data. A public proof-of-concept exploit became available shortly after disclosure.
Coordinated Cyber Attacks on Polish Power Infrastructure
Poland's CERT revealed that coordinated cyber attacks targeted over 30 wind and photovoltaic farms, a manufacturing-sector company, and a large combined heat and power plant serving nearly half a million customers. The attacks, carried out on December 29, 2025, were described as destructive.
The agency attributed the attacks to Static Tundra, a threat cluster also known as Berserk Bear, Blue Kraken, Crouching Yeti, Dragonfly, Energetic Bear, Ghost Blizzard, and Havex. Static Tundra is assessed to be linked to Russia's Federal Security Service's Center 16 unit.
Dragos highlighted the attackers' sophisticated understanding of electrical grid equipment and operations, noting that they were able to compromise remote terminal units (RTUs) at approximately 30 sites by mapping the common configurations and operational patterns shared across them.
LLMJacking Campaign Targets Exposed AI Endpoints
Cybercriminals have launched Operation Bizarre Bazaar, a large-scale campaign targeting exposed LLM and MCP endpoints. The operation hijacks system resources, resells API access, exfiltrates data, and moves laterally to internal systems.
"The threat differs from traditional API abuse because compromised LLM endpoints can generate significant costs (inference is expensive), expose sensitive organizational data, and provide lateral movement opportunities," Pillar Security explained.
Common misconfigurations under active exploitation include Ollama's API, which has no authentication layer of its own, reachable on port 11434; OpenAI-compatible APIs on port 8000 without an API key; MCP servers reachable without access controls; and production chatbot endpoints lacking authentication or rate limits.
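The misconfigurations above are cheap to check for from inside your own network before someone else does. The following is an added example, not code from Pillar Security or from the original write-up. It probes Ollama's documented `GET /api/tags` route and the OpenAI-style `GET /v1/models` route, classifies the response, and includes a constructed in-process fake host so it runs offline. The response shapes and default ports it relies on are assumptions taken from the public API documentation of those tools; the hostnames, port numbers and model names in the demo are made up.

```python
"""Added example (not from the original article): probe a host for the
unauthenticated LLM-serving endpoints described above.  Standard library only.
Assumption: Ollama lists models at GET /api/tags and OpenAI-compatible servers
(vLLM, LM Studio, LocalAI, ...) at GET /v1/models.  A 200 with a parseable
model list means anyone who can reach the port can enumerate and call models."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# kind -> (model-listing route, default port named in the write-up)
PROBES = {
    "ollama": ("/api/tags", 11434),
    "openai": ("/v1/models", 8000),
}


def extract_models(kind, data):
    """Return model names if `data` looks like a genuine listing, else None."""
    if not isinstance(data, dict):
        return None
    if kind == "ollama" and isinstance(data.get("models"), list):
        # Ollama: {"models": [{"name": "llama3:latest", ...}, ...]}
        return [m.get("name") for m in data["models"] if isinstance(m, dict)]
    if kind == "openai" and isinstance(data.get("data"), list):
        # OpenAI style: {"object": "list", "data": [{"id": "...", ...}, ...]}
        return [m.get("id") for m in data["data"] if isinstance(m, dict)]
    return None


def probe(base_url, kind, timeout=3.0):
    """GET the listing route for `kind` and classify the exposure."""
    path, _ = PROBES[kind]
    url = base_url.rstrip("/") + path
    result = {"url": url, "status": None, "exposed": False, "models": []}
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            result["status"] = resp.status
            body = resp.read(1 << 20)  # cap the read; a listing is small
    except urllib.error.HTTPError as e:  # 401/403/404: answered, but not open
        result["status"] = e.code
        result["reason"] = "answered %d, not openly listing models" % e.code
        return result
    except (urllib.error.URLError, OSError) as e:  # refused, timeout, DNS
        result["reason"] = "unreachable: %s" % e
        return result
    try:
        models = extract_models(kind, json.loads(body))
    except ValueError:
        models = None
    if models is None:
        result["reason"] = "200 but body is not a %s model listing" % kind
        return result
    result.update(exposed=True, models=models,
                  reason="unauthenticated %s API: %d model(s) listed"
                  % (kind, len(models)))
    return result


def check_host(host, timeout=3.0):
    """Probe both default ports on one host, e.g. check_host('10.0.0.5')."""
    return [probe("http://%s:%d" % (host, port), kind, timeout)
            for kind, (_, port) in PROBES.items()]


class _FakeLLMHost(BaseHTTPRequestHandler):
    """Constructed stand-in for a misconfigured host: Ollama wide open, the
    OpenAI-compatible server behind a reverse proxy that demands auth."""

    def do_GET(self):
        if self.path == "/api/tags":
            body = json.dumps({"models": [{"name": "llama3:latest"},
                                          {"name": "mistral:7b"}]}).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(401 if self.path == "/v1/models" else 404)
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo():
    """Run both probes against the constructed local host; returns {kind: result}."""
    server = HTTPServer(("127.0.0.1", 0), _FakeLLMHost)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = "http://127.0.0.1:%d" % server.server_address[1]
        return {kind: probe(base, kind) for kind in PROBES}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for kind, r in demo().items():
        print(kind, r["url"], r["reason"])
```

Run `check_host()` against hosts on your own network; any result with `exposed` set is a server that, as the Pillar Security report describes, can be enumerated and billed to you by anyone who finds it. Because Ollama has no authentication of its own, the fix is at the network layer: bind it to localhost or place an authenticating reverse proxy in front of it, and apply the same to any OpenAI-compatible server started without an API key.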
The attackers operate through a marketplace called silver[.]inc, hosted on bulletproof infrastructure in the Netherlands and marketed on Discord and Telegram, with payments made via cryptocurrency or PayPal.
Critical Vulnerabilities Roundup
This week saw numerous critical vulnerabilities across major platforms:
Fortinet FortiOS: CVE-2026-24858 affects multiple Fortinet products, including FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb. Fortinet has tied the flaw to active exploitation against FortiOS single sign-on (SSO).
n8n: Two high-severity flaws (CVE-2026-1470, CVE-2026-0863) allow authenticated remote code execution, potentially compromising workflow automation systems.
SolarWinds Web Help Desk: Multiple vulnerabilities (CVE-2025-40536 through CVE-2025-40553) could allow various attack vectors including authentication bypass and code execution.
React Server Components: CVE-2026-23864 poses risks to React-based applications using server components.
Western Digital Products: Multiple vulnerabilities (CVE-2025-30248, CVE-2025-26465) affect various Western Digital devices and services.
Malicious Extensions and Malware Campaigns
A malicious VS Code extension named "Angular-studio.ng-angular-extension" was discovered in Open VSX, masquerading as an Angular development tool. The extension activates when HTML or TypeScript files are opened, running encrypted JavaScript that fetches next-stage payloads.
The infection chain uses a technique called EtherHiding, constructing RPC requests to the Solana mainnet to retrieve payload URLs embedded in wallet memo fields. The malware skips execution on systems with Russian locale indicators, a common pattern among Russian-speaking threat actors.
The final payload is stealer malware capable of siphoning credentials, conducting cryptocurrency theft, establishing persistence, and exfiltrating data to servers retrieved from Google Calendar events.
MongoDB Ransom Attacks Escalate
Ransom attacks against internet-exposed MongoDB servers are escalating. An unidentified threat actor has targeted misconfigured instances, dropping ransom notes on over 1,400 databases and demanding Bitcoin payments to restore the data.
Flare's analysis found more than 208,500 publicly exposed MongoDB servers, with 100,000 exposing operational information and 3,100 accessible without authentication. Nearly half (95,000) run older versions vulnerable to N-day flaws.
"Threat actors demand payment in Bitcoin (often around 0.005 BTC, equivalent today to $500-600 USD) to a specified wallet address, promising to restore the data," Flare reported. "However, there is no guarantee the attackers have the data, or will provide a working decryption key if paid."
New Attack Techniques Emerge
Researchers discovered a new technique called Exfil Out&Look that abuses Outlook add-ins to steal data from organizations. Unlike Outlook Desktop, add-ins installed via OWA can silently extract email data without generating audit logs or leaving forensic footprints.
"An attacker could exploit this behavior to trigger an add-in's core functionality when a victim sends an email, allowing it to intercept outgoing messages and send the data to a third-party server," Varonis explained.
Microsoft categorized the issue as low-severity with no immediate fix, creating a significant blind spot for organizations relying on Unified Audit Logs for detection and investigation.
Supply Chain and Infrastructure Attacks
A command-and-control server at IP address 38.255.43.60 on port 8081 was discovered serving malicious payloads associated with the Build Your Own Botnet (BYOB) framework. The open directory contained a complete deployment including droppers, stagers, payloads, and post-exploitation modules.
The multi-stage infection chain establishes persistent remote access across Windows, Linux, and macOS platforms, with capabilities for privilege escalation, keystroke logging, process termination, email harvesting, and network traffic inspection.
Additional infrastructure linked to the threat actor hosted cryptocurrency mining payloads, indicating a two-pronged approach to compromising endpoints with different payloads.
Global Threat Landscape Shifts
Forescout's Threat Roundup report for 2025 revealed that cyber attacks became more globally distributed and cloud-enabled. The top 10 source countries accounted for only 61% of malicious traffic, down from 73% in 2022-2024.
The U.S., India, and Germany were the most targeted countries. By source, 59% of attacks originated from ISP-managed IPs, 17% from business and government networks, and 24% from hosting or cloud providers, with China, Russia, and Iran the leading countries of origin.
Attacks using OT protocols surged by 84%, led by Modbus. Separately, exploitation of public-facing applications overtook phishing as the leading initial-access technique in the last quarter of 2025.
Legal and Regulatory Developments
Google agreed to pay $68 million to settle a class-action lawsuit alleging its voice-activated assistant illegally recorded and shared private conversations without consent. The case centered on "false accepts" where Google Assistant activated and recorded communications even without the trigger word "Ok Google."
Separately, Google agreed to pay $135 million to settle allegations of illegally using users' cellular data to transmit system information to its servers without knowledge or consent since November 12, 2017.
Apple reached a similar $95 million settlement in December 2024 over Siri recordings, highlighting growing scrutiny of voice assistant privacy practices.
Critical Infrastructure and Hardware Vulnerabilities
More than a dozen headphone and speaker models were found vulnerable to WhisperPair, a new vulnerability (CVE-2025-36911) in the Google Fast Pair protocol. The attack allows threat actors to hijack accessories without user interaction and potentially track owners via Google Find Hub.
Xiaomi Redmi Buds versions 3 Pro through 6 Pro were found vulnerable to information leak (CVE-2025-13834) and denial-of-service (CVE-2025-13328) vulnerabilities, allowing attackers within Bluetooth range to expose sensitive call-related data or trigger repeatable firmware crashes.
Recommendations for Organizations
The FBI launched Operation Winter SHIELD, outlining ten actions organizations should implement to improve cyber resilience:
- Adopt phishing-resistant authentication
- Implement risk-based vulnerability management
- Retire end-of-life technology
- Manage third-party risk
- Preserve security logs
- Maintain offline backups
- Inventory internet-facing systems
- Strengthen email authentication
- Reduce administrator privileges
- Execute incident response plans
"Winter SHIELD provides industry with a practical roadmap to better secure information technology (IT) and operational technology (OT) environments," the FBI stated.
Conclusion
This week's cybersecurity landscape demonstrates the evolving nature of threats across multiple fronts—from residential proxy botnets and zero-day exploits to AI endpoint hijacking and critical infrastructure attacks. The diversity and sophistication of these threats underscore the need for comprehensive security strategies that address both traditional attack vectors and emerging technologies.
Organizations must remain vigilant, patch promptly, and implement defense-in-depth strategies. As attackers continue to innovate and exploit new technologies, defenders must adapt quickly to protect their assets and data. The next wave of attacks is already forming, and preparation today determines resilience tomorrow.