Cyber Security Weekly Briefing, 2 January
Analysis of the HoneyMyte cyber espionage group
Securelist researchers have analysed a sophisticated kernel-mode rootkit linked to the HoneyMyte cyberespionage group (associated with Mustang Panda), which is used to achieve persistence and advanced evasion in Windows environments.
This technique is based on the deployment of a malicious driver that intercepts operating system kernel functions to hide the presence of files, processes and network communications, neutralising the effectiveness of conventional security tools. The method has been applied in campaigns targeting government, diplomatic and research sectors in Southeast Asia, Central Asia and Africa, allowing attackers to maintain undetectable access for extended periods.
The potential impact is the total loss of system integrity and the exfiltration of critical intelligence under absolute kernel control.
Threat actors launch millions of malicious requests targeting Adobe ColdFusion servers
Researchers at GreyNoise Labs have identified a massive exploitation campaign dubbed "ColdFusion++ Christmas Campaign," attributed to a possible initial access broker (IAB) operating from CTG Server Limited's infrastructure in Japan.
The malicious activity, which peaked on 25 December 2025 to take advantage of reduced vigilance over the holiday, consisted of coordinated scanning and exploitation of more than 767 different CVEs, including critical flaws in Adobe ColdFusion such as CVE-2023-26359 (CVSSv3 9.8 according to Adobe), CVE-2023-38205 (CVSSv3 7.5 according to Adobe) and CVE-2024-20767 (CVSSv3 7.4 according to Adobe), and used tools such as Interactsh for out-of-band (OAST) confirmation of successful exploitation.
The campaign generated more than 2.5 million requests against 47 different technologies (Tomcat, WordPress, SAP, etc.) across 20 countries, with the US and Spain the most affected; its apparent goal is to establish persistent footholds that can be resold or reused for future intrusions.
Spear-phishing campaign targeting Israeli targets detected
Israel's National Cybersecurity Directorate has issued an urgent alert about a sophisticated spear-phishing campaign targeting professionals in the security and defence sectors in Israel, attributed to the APT42 threat group (also known as Charming Kitten).
The attack method uses WhatsApp as the primary vector, where attackers impersonate legitimate organisations using pretexts of conferences and industry events to send messages with shortened links via the msnl[.]ink service. Upon clicking, victims are redirected to fraudulent websites designed to steal credentials or download malicious files, leveraging a standardised server infrastructure in countries such as Germany, the Netherlands and Italy.
The impact of this activity, linked to Iranian intelligence objectives, is the compromise of high-value personnel and infiltration into critical defence networks.
DarkSpectre: large-scale malicious extensions for espionage, fraud, and corporate intelligence theft
Researchers have identified DarkSpectre, a Chinese threat actor responsible for at least three major malicious campaigns using browser extensions, which have infected more than 8.8 million users over seven years. The group operates parallel campaigns such as ShadyPanda (surveillance and affiliate fraud), GhostPoster (stealthy loading of malware hidden in images) and The Zoom Stealer, aimed at stealing corporate intelligence from video conferencing platforms.
DarkSpectre keeps its extensions legitimate for years to build trust and a large install base, then weaponises them through updates or remotely loaded code. Once weaponised, the extensions exfiltrate data in real time, enable remote code execution, and harvest sensitive information from business meetings.
Korean Air confirms data breach following attack on external supplier
Korean Air confirmed that, following a cyberattack on its external catering and in-flight sales service provider, KC&D, the personal data of around 30,000 employees was exposed, including names, telephone numbers and bank account details, although no associated fraud has been reported to date.
The airline said it had already implemented emergency security measures, notified the relevant authorities of the incident and advised its staff to exercise extreme caution when dealing with suspicious communications, as well as reviewing and strengthening security controls with its partners.