Threat Advisories

CrashFix is an active and highly deceptive browser-based malware campaign that abuses a malicious Google Chrome extension to deliberately crash users’ browsers and socially engineer them into executing attacker-supplied commands. The campaign ultimately delivers a previously undocumented Windows remote access trojan known as ModeloRAT. The activity has been attributed to a traffic distribution and access-brokering operation tracked as KongTuke, also known by aliases such as TAG-124 and 404 TDS. Publicly documented in January 2026 by Huntress, this campaign represents an evolution of ClickFix-style attacks, weaponizing user frustration and trust in legitimate platforms to gain execution on corporate systems.

VoidLink is a newly disclosed, highly advanced, cloud-native Linux malware framework designed for stealthy, long-term access to modern cloud and containerized environments. First identified in December 2025 and publicly documented in January 2026 by Check Point Research, VoidLink represents a significant evolution in Linux-focused post-exploitation tooling. Its modular design, deep cloud awareness, and adaptive stealth mechanisms suggest use in cyber espionage and potentially supply chain compromise, with attribution pointing toward China-affiliated threat actors. 

Veeam has disclosed multiple security flaws in its Backup & Replication (VBR) software that expose backup infrastructure to remote code execution (RCE) attacks. The critical vulnerability CVE202559470 and two additional issues were patched on January 6, 2026. 

The chained zero-day exploit against SonicWall SMA1000 appliances (CVE-2025-40602 & CVE-2025-23006) enables unauthenticated RCE as root via exposed management consoles.  

This is a high severity, actively exploited zero-day targeting Cisco AsyncOS appliances exposed to the internet. Immediate access restrictions, segmentation, threat monitoring, and preparation for incident response and patch deployment are critical defenses until an official fix is released. 

Following the critical “React2Shell” disclosure earlier this month, three additional vulnerabilities were identified in React Server Components (RSC). These new flaws, carry high severity and widespread impact, requiring immediate developer action. As these new flaws allow an attacker to cause Denial of Service (DoS) or leak server-side source code. 

Ivanti has released urgent patches for a critical code execution vulnerability in its Endpoint Manager (EPM) platform, tracked as CVE‑2025‑10573 (CVSS 9.6). The flaw allows unauthenticated, remote attackers to perform low-complexity cross-site scripting (XSS) attacks that require minimal user interaction, potentially compromising administrative sessions and leading to code execution. 

Fortinet has disclosed two critical authentication bypass vulnerabilities in its FortiCloud SSO feature—affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. An attacker could gain unfettered administrative access using crafted SAML assertions when FortiCloud SSO is enabled. 

Two critical vulnerabilities have been disclosed in React Server Components (RSC) and Next.js App Router, enabling unauthenticated remote code execution (RCE). These flaws stem from unsafe deserialization of RSC payloads, allowing attackers to execute arbitrary JavaScript code on the server. 

Cyber security analysts from Group-IB and UKUK have identified a continuing and expanding cyber-espionage operation run by the threat actor known as Bloody Wolf. Active since at least late 2023, the group has steadily evolved its methods while extending its reach across Central Asia. Their activity demonstrates a shift toward low-cost, legitimate remote-administration tools delivered through carefully crafted social-engineering campaigns.