### Impact
We fixed with [CVE-2023-2017](https://github.com/advisories/GHSA-7v2v-9rm4-7m8f) Twig filters to only be executed with allowed functions. However there was a regression that lead to an array and array crafted PHP Closure not checked being against allow list for the map(...) override

### Patches
Patched in 6.7.6.1

### Workarounds
Install the security plugin

Skip to content

**Navigation Menu**

*   *   AI CODE CREATION
        
        *   GitHub CopilotWrite better code with AI
            
        *   GitHub SparkBuild and deploy intelligent apps
            
        *   GitHub ModelsManage and compare prompts
            
        *   MCP RegistryNewIntegrate external tools
            
        
    
    View all features
    

*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Appearance settings

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2026-23498

**Shopware Has Improper Control of Generation of Code in Twig rendered views**

High severity GitHub Reviewed Published Jan 14, 2026 in shopware/shopware • Updated Jan 14, 2026

**Package**

composer shopware/core (Composer)

**Affected versions**

\>= 6.7.0.0, < 6.7.6.1

**Description**

Published to the GitHub Advisory Database

Jan 14, 2026

Last updated

Jan 14, 2026

**EPSS score**

GHSA-7cw6-7h3h-v8pf: Shopware Has Improper Control of Generation of Code in Twig rendered views

Hundreds of records obtained by WIRED show thin intelligence on the Venezuelan gang in the United States, describing fragmented, low-level crime rather than a coordinated terrorist threat.

As the Trump administration publicly cast Venezuela’s Tren de Aragua (TdA) as a unified terrorist force tied to President Nicolás Maduro and operating inside the United States, hundreds of internal US government records obtained by WIRED tell a far less certain story. Intelligence taskings, law-enforcement bulletins, and drug-task-force assessments show that agencies spent much of 2025 struggling to determine whether TdA even functioned as an organized entity in the US at all—let alone as a coordinated national security threat.

While senior administration officials portrayed TdA as a centrally directed terrorist network active across American cities, internal tasking directives and threat assessments repeatedly cite “intelligence gaps” in understanding how the group operated on US soil: Whether it had identifiable leadership, whether its domestic activity reflecting any coordination beyond small local crews, and whether US-based incidents pointed to foreign direction or were simply the work of autonomous, profit-driven criminals.

The documents, marked sensitive and not intended for public disclosure, circulated widely across intelligence offices, law-enforcement agencies, and federal drug task forces throughout the year. Again and again, they flag unresolved questions about TdA’s US footprint, including its size, financing, and weapons access, warning that key estimates—such as the number of members operating in the US—were often inferred or extrapolated by analysts due to a lack of corroborated facts.

Together, the documents show a wide gap between policy-level rhetoric and on-the-ground intelligence at the time. While senior administration officials spoke of “invasion,” “irregular warfare,” and “narco-terrorism,” field-level reporting consistently portrayed Tren de Aragua in the US as a fragmented, profit-driven criminal group, with no indication of centralized command, strategic coordination, or underlying political motive. The criminal activity described is largely opportunistic—if not mundane—ranging from smash-and-grab burglaries and ATM “jackpotting” to delivery-app fraud and low-level narcotics sales.

In a March 2025 proclamation invoking the Alien Enemies Act, President Donald Trump claimed the gang had “thousands” of members who had “unlawfully infiltrated the United States” and were “conducting irregular warfare and undertaking hostile actions.” He claimed the group was “aligned with, and indeed has infiltrated, the Maduro regime,” warning that Venezuela had become a “hybrid criminal state” invading the US.

At the same time, however, an internal Border Patrol assessment obtained by WIRED shows officials could not substantiate those claims, relying instead on interview-based estimates rather than confirmed detections of gang members entering the US.

In a Fox News interview the same month, US attorney general Pam Bondi called TdA “a foreign arm of the Venezuelan government,” claiming its members “are organized. They have a command structure. And they have invaded our country.” Weeks later, in a Justice Department press release announcing terrorism and drug-distribution charges against a TdA suspect, Bondi insisted it “is not a street gang—it is a highly structured terrorist organization that put down roots in our country during the prior administration.”

Documents show that inside the intelligence community, the picture appeared far less settled. Although TdA’s classification as a foreign terrorist organization—following a February 2025 State Department designation—immediately reshaped policy, internal correspondence shows the group remained poorly understood even by senior counterterrorism officials, including those at the National Counterterrorism Center. Unresolved questions about TdA—alongside newly designated drug cartel entities in Mexico—ultimately prompted intelligence managers to issue a nationwide tasking order, directing analysts to urgently address the US government’s broad “knowledge gaps.”

The directive, issued May 2, 2025, underscores the breadth of these intelligence gaps, citing unresolved questions about whether the entities had access to weapons beyond small arms, relied on bulk-cash shipments, cryptocurrencies, or mobile payment apps, or were supported by corrupt officials or state-linked facilitators overseas.

In a statement, a spokesperson for Director of National Intelligence Tulsi Gabbard attributed the shortfall to competing priorities, telling WIRED that the “Intelligence Community was unable to devote collection resources towards TdA” prior to the Trump administration giving it the “terrorist” label. “This is where the ‘knowledge gaps’ stem from.”

The tasking order makes clear those uncertainties extended beyond TdA’s past activity to its potential response under pressure. Issued by national intelligence managers overseeing counterterrorism, cyber, narcotics, and transnational crime, it flagged a lack of insight into how TdA and several Mexican cartels might adapt their operations or shift tactics in response to intensified US enforcement.

Similar limits surface in records from White House-run interagency task forces known as HIDTA (High Intensity Drug Trafficking Areas), which show counter-narcotics officials, too, were working with a materially limited understanding of TdA’s activities. In a July 2025 bulletin, a Northern California task force acknowledged that available intelligence failed “to meet the Department of Justice definition of a drug trafficking organization,” adding that TdA subsets “appear to operate independently of each other and do not appear to operate as part of a larger coordinated effort.”

TdA members are “not known to have assigned roles,” the report notes, adding that “leadership formation has not yet been identified.”

Additional HIDTA reporting likewise fails to identify a sprawling narco-terror enterprise publicly described by senior officials. A “2026 Threat Assessment” covering North Texas and Oklahoma identifies Mexican cartels as the dominant narcotics threat, while characterizing TdA activity as “street level.” That assessment drew on survey responses from dozens of law enforcement agencies and was compiled by a task force that included police chiefs, sheriffs, US attorneys, district attorneys, and senior officials from the FBI, DEA, DHS, and Secret Service, among others.

Assessments by Customs and Border Protection broke sharply from broader law enforcement perspectives. Beginning in mid-March, CBP began producing its own intelligence products, quickly ascribing TdA with both the “capability and intent” to carry out attacks inside the United States; ranking it among the “most capable” foreign terrorist groups, listing it above Hezbollah and Iran’s Revolutionary Guard Corps, while also acknowledging it had no knowledge of any “specific or credible threat.”

CBP and the Department of Homeland Security did not respond to questions or requests for comment.

Just before April, CBP unveiled a much longer “sensitive but unclassified” assessment. The report describes TdA as a growing national security concern, citing its exploitation of US-bound migration and a range of criminal activity from money laundering, to extortion, to human smuggling. The report, which drew from across border enforcement, intelligence offices, and the FBI’s own gang intelligence center, warned readers on its interagency network that its findings relied on “analytical judgments that are not fact, knowledge, or proof,” adding that it might not always distinguish in print between assumption and fact.

The same report acknowledges significant uncertainty about TdA membership figures, identifying markers, and whether US-based subsets coordinate or respond to centralized leadership. In a section titled “Intelligence Gaps,” the agency outlines unresolved issues, including the movement of criminal proceeds and where the network might seek to expand in the US. Those uncertainties culminated in a question that, publicly, the White House claimed to have already answered: “Are US-based TdA members operating under the direction of foreign-based leadership?”

The following month, a classified National Intelligence Council assessment, first reported by The Washington Post, found no evidence that TdA was directed by the Venezuelan government. When asked about the findings, the Office of the Director of National Intelligence dismissed the assessment—representing the consensus view of most US intelligence agencies—as the work of “deep state actors” acting in conjunction with the media.

Elsewhere, the CBP report undercuts assertions that the government had a clear picture of TdA’s footprint in the US. It notes that it was “difficult for US law enforcement and the intelligence community to ascertain the exact number” of TdA members due to a “lack of determinate indicators” and the “adoption of the TdA name by unaffiliated groups and persons.” Ultimately, those limitations became justification for bending statistics to support the administration’s framing of a US-based terrorist threat numbering in the “thousands.”

Over a 22-month period, CBP’s own detection methods identified no more than 83 known TdA members at the border. To reach a much larger figure, the record shows analysts relied on a “sample set of interviews,” extrapolating that “upwards of 3,000” TdA members must have crossed the border during that same period—an estimate based on the assumption that roughly “one-half of one percent” of all Venezuelan migrants who entered the US through the southwest border had ties to TdA.

The same assumption underlies the report’s treatment of Venezuelan asylum communities, which it frames as potential risk environments shaped by “sanctuary city” policies and jurisdictions the agency views as “weak” on enforcement.

In remarks Tuesday, Trump leaned into the same framing, accusing Democratic-led cities of giving gangs room to operate. Speaking in Detroit, he said that, starting on February 1, the federal government would seek to economically punish cities and states that limit cooperation with the federal government, pledging to cut off “any payments to sanctuary cities or states having sanctuary cities,” which he accused of doing “everything possible to protect criminals.”

The speech came as federal enforcement operations have expanded into hostile occupations of major US cities—deployments and mass arrests that have swept up citizens as well as immigrants, prompting protests and legal challenges from states and municipalities.

Trump singled out Venezuela in particular. “I was so angry with Venezuela,” he said. “They emptied their prisons, almost entirely emptied their prisons, into the United States.”

At the FBI, TdA’s terrorism designation sat uneasily alongside the bureau’s own prior analysis. In internal assessments before the 2024 election, the FBI described TdA as an unsophisticated compared to traditional “South American theft groups,” finding its members favored “opportunistic,” often “spontaneous” crimes, with a focus on retail theft from big-box stores and exploiting other Venezuelan and South American migrants. While the bureau consistently warned of TdA’s propensity for violence, it failed to find any coordination among members inside the US or note any evidence of complex, preplanned operations.

In 2025, FBI field-level reporting appears to have remained focused on conventional crimes, including passing references to human, weapons, and narcotics trafficking with little accompanying detail. In April, a joint situation report filed by Alabama and Tennessee field offices linked TdA to a “retail theft crew” suspected of smash-and-grab burglaries at Walmart jewelry counters in the region. While the report notes similar incidents nationwide—with losses estimated at roughly $1.2 million—it implicates only a single “confirmed” Tren de Aragua member, and makes no reference to any national-security-level threat.

The reports sit alongside public statements from FBI director Kash Patel, who, also in April, described TdA publicly as “a direct threat to our national security,” vowing to eliminate what he called a “violent terrorist organization.” Inside the bureau, records show, its Terrorism Screening Center responded by convening a “Tren de Aragua Interagency Working Group” to coordinate watch listing changes. A distribution list obtained by WIRED shows an April 2025 meeting drew participants from numerous DHS and Justice Department components, both State and Treasury, and elements of the intelligence community and military, alongside dozens of state and local agencies and fusion centers.

Reached for comment, the FBI declined to respond to questions about differences between its internal reporting and how TdA was characterized publicly by leadership. It did not acknowledge the existence of any terrorist threat, saying only that it remains steadfast in its “commitment to working with our local, state, and federal partners to combat violent gang activity in our communities, including illegal acts carried out by the Venezuelan criminal gang, Tren de Aragua.”

Similar low-level depictions of TdA activity appear in regional drug-task-force reporting. A June 2025 Northern California threat assessment noted that TdA “did not appear to be directly involved in drug trafficking,” similarly linking the group instead primarily to organized retail theft, alongside suspected involvement in “at least two shootings.” A separate assessment covering North Texas and Oklahoma alleged a connection between TdA and Walmart’s delivery app, Spark, citing suspected identity theft used to “exploit the delivery driver profession to facilitate financial fraud.”

CBP issued a similar warning the following month citing an unattributed law enforcement report, alleging TdA members had been exploiting food delivery and rideshare platforms as a source of income and a means to allegedly facilitate routine criminal activity.

According to the bulletin, TdA members—including some with “direct ties to TdA leadership”—used services such as Uber, DoorDash, and Grubhub by renting or sharing accounts obtained through personal networks or online forums. One individual, “a known TdA member and Uber driver,” it claims, “frequently delivers food and drugs to individuals living in a migrant shelter.” Others were said to be using malicious software to “steal high-fee delivery orders from other drivers.”

Walmart, Uber, GrubHub, and DoorDash did not immediately respond to requests for comment.

The document mirrors myriad other reports of sporadic crimes being loosely attributed to the group using vague attribution and low-confidence language. In August, a law-enforcement bulletin on ATM “jackpotting,” circulated by the Texas Financial Crimes Intelligence Center, warned that suspects involved in ATM malware attacks “may be associated” with TdA.

In a separate August bulletin, the New York Police Department’s Intelligence & Counterterrorism Bureau warned partners that TdA members might be attempting to infiltrate the local music scene. People “allegedly affiliated with TdA have hosted parties involving DJs,” officials said, adding that the gatherings “may be” an effort “to potentially further engage in, or promote criminal activity.”

In written responses to WIRED, the Office of the Director of National Intelligence invoked America’s war in Afghanistan to explain the framework it applies to Venezuela, pointing to a conflict that stretched two decades, consumed trillions of dollars, and saw tens of thousands of civilians and security personnel killed, in addition to nearly 2,500 US service members. Just as it found no evidence to support the claim that Maduro’s government was directing TdA, the office added, “The Taliban was never assessed to be directing al-Qaeda’s attacks.”

Trump Warned of a Tren de Aragua ‘Invasion.’ US Intel Told a Different Story

As software supply chains become longer and more interconnected, enterprises have become well aware of the need to…

As software supply chains become longer and more interconnected, enterprises have become well aware of the need to protect themselves against third-party vulnerabilities. However, the rampant adoption of artificial intelligence chatbots and AI agents means they’re struggling to do this.

On the contrary, the majority of organizations are exposing themselves to unknown risks by allowing employees to access AI services and software packages that include AI integrations, with little oversight.

This revelation is one of the main findings of Panorays’ latest CISO Survey for Third-Party Cyber Risk Management, which revealed that 60% of CISOs rate AI vendors as “uniquely risky,” primarily due to their opaque nature.

Yet despite knowing how dangerous they are, only 22% of CISOs have established proper processes for vetting AI tech vendors, leading to potentially dangerous situations where employees may unwittingly leak sensitive information via the prompts they enter.

According to Panorays, this creates risks that traditional third-party vulnerability assessment tools cannot properly capture, meaning organizations have no real way of knowing the dangers they’re exposing themselves to.

****Organizations Face New Risks with AI****

The survey of 200 U.S. CISOs found that 62% see AI vendors as having a distinct risk profile compared to traditional third-party software vendors, with 9% describing them as “significantly different” and 53% saying they are “somewhat different.”

The problem with AI chatbots is that most are closed-source, which means their underlying code is proprietary. Consequently, security teams have little understanding of how chatbots process the data that’s fed into them. It also means there’s no easy way for organizations to properly audit them.

In addition, AI users often lack security awareness regarding chatbots, increasing the risk that they might unwittingly feed sensitive information such as corporate secrets and customer data into these models.

While there’s lots of uncertainty about how AI systems use the data fed into them, the anecdotal evidence regarding how it might later be exposed is not encouraging. One of the most infamous examples of this was a 2023 incident involving Samsung, which discovered that its employees had pasted proprietary code into ChatGPT as well as the minutes of confidential internal meetings involving senior executives.

In both cases, ChatGPT seemingly retained this data and used it for training to improve its underlying large language model, which means it could have informed output in response to later prompts. Prompt injections and prompt leaks have rarely been reported by LLM developers, but they have indeed been known to happen.

****CISOs Aren’t Doing Enough****

What’s most alarming is that CISOs seem to be doing little to address these risks. Despite knowing the dangers of AI chatbots, 52% of organizations still rely on the same general processes they use for vetting traditional third-party software vendors to onboard AI tools. Yet the unpredictable nature of AI chatbots in comparison to traditional software means that general-purpose onboarding is clearly ill-suited to the task. 

Panorays found that just 22% of CISOs have developed dedicated and documented policies for vetting AI tools, with 25% relying on informal or case-by-case evaluations, which might be more desirable, but still pose risks due to the lack of standardization.

The worrying lack of proper processes for onboarding third-party AI tools is one of the main reasons why CISOs admit to having diminished visibility with regard to third-party vulnerabilities. The survey found just 17% of respondents claim to have “full visibility” into such threats, meaning that 83% are essentially unaware of just how large and expansive their organization’s threat surface really is.

That likely explains why 60% of CISOs said they’ve witnessed an increase in incidents stemming from third-party vulnerabilities over the last year.

If there’s one bright spot from the report, it’s that CISOs do at least recognize the need for a newer approach to onboarding AI, and there’s evidence to show that some larger organizations are getting it together. Breaking down the results, Panorays said 38% of companies with 10,000 or more employees have established AI-specific onboarding policies, compared to just 26% of organizations with between 5,000 and 9,999 employees, and only 10% of firms with less than 5,000 staff.

The findings underscore the evolving nature of the CISO’s role. AI tools have become extremely popular among enterprise workers because they’re so convenient, enabling faster decision-making and accelerated productivity.

Simply put, they make life easier and enable workers to get more done, and these benefits cannot easily be ignored. But they also put more pressure on CISOs, who must balance the integration of AI with more robust vetting and security measures to ensure compliance is maintained and sensitive data isn’t leaked.

****Adoption Outpacing Policy****

As Panorays notes, the findings suggest organizations are adopting AI tools faster than they can be secured, creating a dangerous visibility gap where risky models are being given access to all kinds of sensitive information without proper scrutiny.

Fortunately, CISOs do at least seem to recognize the urgent need for AI-specific onboarding policies, and implementing these will likely be one of their top priorities in the coming months.

Survey: Rapid AI Adoption Causes Major Cyber Risk Visibility Gaps

Austin, TX / USA, 14th January 2026, CyberNewsWire

**Austin, TX / USA, January 14th, 2026, CyberNewsWire**

**New monitoring capability delivers unprecedented visibility into vendor identity exposures, moving enterprises and government agencies from static risk scoring to protecting against actual identity threats.** 

SpyCloud, the leader in identity threat protection, today announced the launch of its **Supply Chain Threat Protection** solution, an advanced layer of defense that expands identity threat protection across the extended workforce, including organizations’ entire vendor ecosystems. Unlike traditional third-party risk management platforms that rely on external surface indicators and static scoring, SpyCloud Supply Chain Threat Protection provides timely access to identity threats derived from billions of recaptured breach, malware, phished, and combolist data assets, empowering organizations – from enterprise security teams to public sector agencies – to act on credible threats rather than simply observe and accept risk.

Supply Chain Threat Protection addresses a critical gap in enterprise security: the inability to maintain real-time awareness of identity exposures affecting third-party partners and vendors. According to the 2025 Verizon Data Breach Investigations Report, third-party involvement in breaches doubled year-over-year, jumping from 15% to 30% primarily due to software vulnerabilities and weak security practices. As supply chain compromises continue to escalate, security teams need intelligence that goes beyond questionnaires and external scans to reveal active threats like phishing campaigns targeting their trusted partners, confirmed credential theft, and malware-infected devices exposing critical business applications to criminals. 

For government agencies and critical infrastructure operators, supply chain threats present national security risks that demand heightened vigilance. Public sector organizations managing sensitive data and critical services increasingly rely on contractors and technology vendors whose compromised credentials could provide adversaries with pathways into classified systems or essential infrastructure. Last year alone, the top 98 Defense Industrial Base suppliers had over 11,000 dark web exposed credentials – an 81% increase from the previous year. SpyCloud Supply Chain Threat Protection enables federal, state, and local agencies to identify when suppliers or contractors have been compromised – allowing them to take proactive measures before an identity exposure escalates into a matter of national security.

> “Third-party threats have evolved far beyond what traditional vendor assessment tools can detect,” said Damon Fleury, Chief Product Officer at SpyCloud. “Public and private sector organizations need to know when their vendors’ employees are actively compromised by malware or phishes, when authentication data is circulating on the dark web, and which partners pose the greatest real downstream threat to their business. Our new solution delivers those signals by transforming raw underground data into clear, prioritized actions that security teams use to protect their organization.”

Supply Chain Threat Protection enables organizations and agencies to continuously monitor thousands of suppliers, with each company’s threats enumerated in detail, and also represented in an at-a-glance Identity Threat Index. The Index is a comprehensive and continuously updated analysis that quantifies vendor security posture through the lens of identity exposure, from both active and historical phishing, breach, and malware sources, and surfaces which partners pose the most significant risk based on verified dark web intelligence.

**Key Capabilities Include:**

*   **Real Evidence of Compromise:** Timely recaptured identity data from breaches, malware, and successful phishes collected continuously from the criminal underground, with context that gives security teams enhanced visibility into the identity threats facing suppliers today.
*   **Identity Threat Index:** Aggregates multiple verified data sources weighted by the recency, volume, credibility, and severity of compromise, emphasizing verified identity data over static breach records for more robust and real-time visibility into vendor risk.
*   **Compromised Applications**: Identifies the internal and third-party business applications exposed on malware-infected supplier devices to support deeper investigation and risk assessment.
*   **Enhanced Vendor Management and Communications:** Facilitates sharing of actionable evidence and detailed executive-level reports directly with vendors to collaboratively improve security posture, transforming vendor relationships from adversarial scoring to collaborative protection.
*   **Integrated Response:** Leveraging SpyCloud’s console, teams now have access to identity threat protection beyond the traditional employee perimeter with this extension to suppliers, allowing analysts to respond to workforce identity threats within a single tool. 

SpyCloud Supply Chain Threat Protection is designed to support multiple use cases across Security Operations, Infosec, Vendor Risk Management, and GRC teams. Organizations can leverage the solution for vendor due diligence during procurement and onboarding, continuous risk reviews to strengthen vendor relationships, and accelerated incident response when vendor exposures threaten their own environments.

> “Security teams and their counterparts across the business are overwhelmed with vendor assessments, questionnaires, and risk scores that often don’t translate to real prevention,” said Alex Greer, Group Product Manager at SpyCloud. “Our customers have often reported that when they’re evaluating doing business with a new vendor, they lack the actionable data their legal and compliance teams need for evidence-based decision making. That’s where SpyCloud stands out. Surfacing verified identity threats tied directly to vendor compromise, letting teams escalate to leadership when to restrict data access and prioritize efforts for the greatest impact on reducing organizational risk.”

Unlike existing solutions that rely on external surface indicators and static scoring, SpyCloud provides threat data derived from underground sources – the same recaptured darknet identity data that criminals actively use to target organizations and agencies. This fundamental difference enables SpyCloud customers to move from passive risk acceptance to proactive and holistic identity threat protection.

To learn more about defending organizations from the exposures of vendors and suppliers, registration is open for SpyCloud’s upcoming Live Virtual Event, **Beyond Vendor Risk Scores: How to Solve the Hidden Identity Crisis in Your Supply Chain,** on **Thursday, January 22, 2026, at 11 am CT**. 

**About SpyCloud**

SpyCloud transforms recaptured darknet data to disrupt cybercrime. Its automated identity threat protection solutions leverage advanced analytics and AI to proactively prevent ransomware and account takeover, detect insider threats, safeguard employee and consumer identities, and accelerate cybercrime investigations. SpyCloud’s data from breaches, malware-infected devices, and successful phishes also powers many popular dark web monitoring and identity theft protection offerings. Customers include seven of the Fortune 10, along with hundreds of global enterprises, mid-sized companies, and government agencies worldwide. Headquartered in Austin, TX, SpyCloud is home to more than 200 cybersecurity experts whose mission is to protect businesses and consumers from the stolen identity data criminals are using to target them now.

To learn more and see insights on your company’s exposed data, users can visit spycloud.com.

**Contact**

**Media Specialist**  
**Phil Tortora**  
**REQ on behalf of SpyCloud**  
**\[email protected\]**

SpyCloud Launches Supply Chain Solution to Combat Rising Third-Party Identity Threats

A new investigation by GreyNoise reveals a massive wave of over 90,000 attacks targeting AI tools like Ollama and OpenAI. Experts warn that hackers are conducting "reconnaissance" to map out vulnerabilities in enterprise AI systems.

In a recent discovery, researchers have found that cybercriminals are turning their focus toward the systems that power modern artificial intelligence (AI). Between October 2025 and January 2026, a specialized honeypot (a trap set by security experts to catch hackers) recorded 91,403 attack sessions.

This investigation was conducted by the research firm GreyNoise, which set up fake installations of a popular AI tool called Ollama to act as bait. The research reveals that there isn’t just one group at work, but two separate campaigns are active, each trying to find a different way to exploit the growing world of AI.

****The Phone Home Trick****

The first group of attackers used a method known as Server-Side Request Forgery (SSRF). To put it simply, this is a trick where a hacker fools a company’s server into making a connection to the hacker’s own computer. Researchers noted that the attackers specifically targeted Ollama and Twilio (a popular messaging service).

By sending a “malicious registry URL,” they could force the AI server to “phone home” to their own systems. It is worth noting that this activity saw a “dramatic spike over Christmas,” with 1,688 sessions occurring in just 48 hours, according to GreyNoise’s blog post. While some of these might be security researchers or bug bounty hunters looking for rewards, the timing suggests they were pushing boundaries while IT teams were on holiday.

Campaign 1 timeline (Source: GreyNoise)

****Building a Hit List for AI Models****

The second campaign is even more concerning. Starting on December 28, 2025, two specific digital addresses (45.88.186.70 and 204.76.203.125) began a massive, methodical search of over 73 different AI endpoints. While investigating, researchers found that in just eleven days, they generated 80,469 sessions to see which AI models they could reach.

According to researchers, these were professional actors, perhaps conducting reconnaissance since they weren’t trying to break things yet. Also, they noted the actors were “building target lists” by testing models from big names like Anthropic (Claude), Meta (Llama), xAI (Grok), and DeepSeek.

> _“The attack tested both OpenAI-compatible API formats and Google Gemini formats. Every major model family appeared in the probe list: OpenAI (GPT-4o and variants), Anthropic (Claude Sonnet, Opus, Haiku), Meta (Llama 3.x), DeepSeek (DeepSeek-R1), Google (Gemini), Mistral, Alibaba (Qwen), and xAI (Grok).”_
> 
> GreyNoise

Further probing revealed that these attackers used simple, innocent questions like “How many states are there in the United States?” just to see which models would respond.

Campaign 2 test queries (source: GreyNoise)

****How to Protect Your Systems****

To keep these systems secure, researchers at GreyNoise suggest that companies should only allow AI models to be downloaded from trusted sources. It is also important to watch out for rapid-fire requests that ask the same simple questions over and over. The scale of these attacks is massive, involving 62 source IPs across 27 countries, which is a clear sign that hackers are now mapping out their next big move.

****Expert Warnings on AI Risks****

Security teams are viewing these findings as an early warning of a much broader risk. Chris Hughes, VP of Security Strategy at Zenity, shared his perspective exclusively with Hackread.com, noting that while probing models is a concern, the immediate danger lies in how AI agents interact with company systems.

“While this marks the first public confirmation of attackers targeting AI systems, it certainly won’t be the last,” Hughes stated. He explained that the information gained from these probes will likely be used for future attacks. He warned that the greater risk appears when AI tools access enterprise systems or cloud environments without proper oversight.

“As attackers move from probing models to exploiting agents, organizations that focus only on model-centric security will be responding to incidents they never saw coming,” he added.

(Photo by Egor Komarov on Unsplash)

Hackers Launch Over 91,000 Attacks on AI Systems Using Fake Ollama Servers

In today’s digital age, video content has become an essential tool for communication, education, and entertainment. Whether it’s…

In today’s digital age, video content has become an essential tool for communication, education, and entertainment. Whether it’s a tutorial, a conference, or a webinar, videos are an excellent medium for conveying information.

However, sometimes it’s more efficient to have the content in text form, whether for reference, analysis, or accessibility purposes. One of the best solutions for this is to convert video to text.

****What Does It Mean to Convert Video to Text?****

To convert video to text means transcribing the spoken words from the video into written form. This process involves listening to the video’s audio and manually or automatically writing down everything said. By doing so, you create a text version of the video content, making it easier to search, analyze, or refer back to specific points without having to rewatch the video.

****Why Convert Video to Text?****

One of the main reasons to convert video to text is to make the content more accessible. Videos, while rich in information, can be difficult to follow for people with hearing impairments. By having a transcript, you ensure that everyone can access the content in a way that suits their needs.

****Content Analysis****

Having a text version of a video allows for easier content analysis. Whether it’s extracting key points, summarizing the content, or pulling quotes, text offers a more flexible and detailed approach than video.

****Methods for Converting Video to Text****

There are several methods available for converting video to text, each with its own set of benefits and drawbacks.

****1: Manual Transcription****

Manual transcription involves watching the video and typing out what is being said. This method can be very accurate, but it can also be time-consuming, especially for longer videos. It requires a lot of attention to detail and patience, but it guarantees high-quality results.

****2: Automated Transcription Tools****

Automated transcription tools use artificial intelligence to analyze the audio in a video and generate a text version. While these tools are fast and efficient, they may not be as accurate as manual transcription. They can struggle with accents, background noise, and overlapping speech, but they are still useful for quick transcriptions.

****3: Hybrid Approach****

A hybrid approach combines both manual and automated transcription. In this method, an automated tool is first used to generate a rough transcript, which is then reviewed and corrected by a human. This method strikes a balance between speed and accuracy.

****Benefits of Converting Video to Text********Improved Accessibility and Compliance****

Text transcripts make video content usable for people with hearing impairments and for users who cannot play audio in certain environments. Transcripts also help organizations meet accessibility guidelines and internal compliance requirements.

****Better Search and Discoverability****

Text can be indexed and searched easily. Converting video to text allows search engines to understand the content of a video, which improves visibility and makes it easier for users to find specific topics or phrases without watching the full video.

****Time Efficiency and Quick Reference****

Reading is often faster than watching. A text version allows users to scan, locate key points, and return to important sections instantly. This is especially useful for long lectures, meetings, and training videos.

****Content Repurposing Opportunities****

Once video content is in text form, it can be reused in many ways. Transcripts can become blog posts, articles, documentation, captions, summaries, or internal knowledge base entries. This extends the value of a single video across multiple formats.

****Easy Sharing and Distribution****

Text is lightweight and flexible. Transcripts can be shared through email, messaging platforms, reports, or social media without large file sizes or playback limitations. This makes information easier to distribute to broader audiences.

****Conclusion****

Converting video to text transforms video content into a more accessible, searchable, and reusable format. Beyond convenience, it improves efficiency, expands reach, and increases the long term value of video assets. By adding accurate transcripts, video content becomes easier to use, easier to share, and more useful for a wider range of audiences.

(Photo by Kelly Sikkema on Unsplash)

Convert Video to Text: A Comprehensive Guide

Microsoft on Tuesday rolled out its first security update for 2026, addressing 114 security flaws, including one vulnerability that it said has been actively exploited in the wild.
Of the 114 flaws, eight are rated Critical, and 106 are rated Important in severity. As many as 58 vulnerabilities have been classified as privilege escalation, followed by 22 information disclosure, 21 remote code

Microsoft on Tuesday rolled out its first security update for 2026, addressing 114 security flaws, including one vulnerability that it said has been actively exploited in the wild.

Of the 114 flaws, eight are rated Critical, and 106 are rated Important in severity. As many as 58 vulnerabilities have been classified as privilege escalation, followed by 22 information disclosure, 21 remote code execution, and five spoofing flaws. According to data collected by Fortra, the update marks the third-largest January Patch Tuesday after January 2025 and January 2022.

These patches are in addition to two security flaws that Microsoft has addressed in its Edge browser since the release of the December 2025 Patch Tuesday update, including a spoofing flaw in its Android app (CVE-2025-65046, 3.1) and a case of insufficient policy enforcement in Chromium's WebView tag (CVE-2026-0628, CVSS score: 8.8).

The vulnerability that has come under in-the-wild exploitation is CVE-2026-20805 (CVSS score: 5.5), an information disclosure flaw impacting Desktop Window Manager. The Microsoft Threat Intelligence Center (MTIC) and Microsoft Security Response Center (MSRC) have been credited with identifying and reporting the flaw.

"Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager (DWM) allows an authorized attacker to disclose information locally," Microsoft said in an advisory. "The type of information that could be disclosed if an attacker successfully exploited this vulnerability is a section address from a remote ALPC port, which is user-mode memory."

There are currently no details on how the vulnerability is being exploited, the scale of such efforts, and who may be behind the activity.

"DWM is responsible for drawing everything on the display of a Windows system, which means it offers an enticing combination of privileged access and universal availability, since just about any process might need to display something," Adam Barnett, lead software engineer at Rapid7, said in a statement. "In this case, exploitation leads to improper disclosure of an ALPC port section address, which is a section of user-mode memory where Windows components coordinate various actions between themselves."

Microsoft previously addressed an actively exploited zero-day flaw in DWM in May 2024 (CVE-2024-30051, CVSS score: 7.8), which was described as a privilege escalation flaw that was abused by multiple threat actors, in connection with the distribution of QakBot and other malware families. Satnam Narang, senior staff research engineer at Tenable, called DWM a "frequent flyer" on Patch Tuesday, with 20 CVEs patched in the library since 2022.

Jack Bicer, director of vulnerability research at Action1, said the vulnerability can be exploited by a locally authenticated attacker to disclose information, defeat address space layout randomization (ASLR), and other defenses.

"Vulnerabilities of this nature are commonly used to undermine Address Space Layout Randomization (ASLR), a core operating system security control designed to protect against buffer overflows and other memory-manipulation exploits," Kev Breen, senior director of cyber threat research at Immersive, told The Hacker News.

"By revealing where code resides in memory, this vulnerability can be chained with a separate code execution flaw, transforming a complex and unreliable exploit into a practical and repeatable attack."

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, mandating Federal Civilian Executive Branch (FCEB) agencies to apply the latest fixes by February 3, 2026.

Another vulnerability of note concerns a security feature bypass impacting Secure Boot Certificate Expiration (CVE-2026-21265, CVSS score: 6.4) that could allow an attacker to undermine a crucial security mechanism that ensures that firmware modules come from a trusted source and prevent malware from being run during the boot process.

In November 2025, Microsoft announced that it will be expiring three Windows Secure Boot certificates issued in 2011, effective June 2026, urging customers to update to their 2023 counterparts -

*   Microsoft Corporation KEK CA 2011 (June 2026) - Microsoft Corporation KEK 2K CA 2023 (for signing updates to DB and DBX)
*   Microsoft Windows Production PCA 2011 (October 2026) - Windows UEFI CA 2023 (for signing the Windows boot loader)
*   Microsoft UEFI CA 2011 (June 2026) - Microsoft UEFI CA 2023 (for signing third-party boot loaders) and Microsoft Option ROM UEFI CA 2023 (for signing third-party option ROMs)

"Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. This might affect the ability of certain personal and business devices to boot securely if not updated in time," Microsoft said. "To avoid disruption, we recommend reviewing the guidance and taking action to update certificates in advance."

The Windows maker also pointed out that the latest update removes Agere Soft Modem drivers "agrsm64.sys" and "agrsm.sys" that were shipped natively with the operating system. The third-party drivers are susceptible to a two-year-old local privilege escalation flaw (CVE-2023-31096, CVSS score: 7.8) that could allow an attacker to gain SYSTEM permissions.

In October 2025, Microsoft took steps to remove another Agere Modem driver called "ltmdm64.sys" following in-the-wild exploitation of a privilege escalation vulnerability (CVE-2025-24990, CVSS score: 7.8) that could permit an attacker to gain administrative privileges.

Also high on the priority list should be CVE-2026-20876 (CVSS score: 6.7), a critical-rated privilege escalation flaw in Windows Virtualization-Based Security (VBS) Enclave, enabling an attacker to obtain Virtual Trust Level 2 (VTL2) privileges, and leverage it to subvert security controls, establish deep persistence, and evade detection.

"It breaks the security boundary designed to protect Windows itself, allowing attackers to climb into one of the most trusted execution layers of the system," Mike Walters, president and co-founder of Action1, said.

"Although exploitation requires high privileges, the impact is severe because it compromises virtualization-based security itself. Attackers who already have a foothold could use this flaw to defeat advanced defenses, making prompt patching essential to maintain trust in Windows security boundaries."

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —

*   ABB
*   Adobe
*   Amazon Web Services
*   AMD
*   Arm
*   ASUS
*   Broadcom (including VMware)
*   Cisco
*   ConnectWise
*   Dassault Systèmes
*   D-Link
*   Dell
*   Devolutions
*   Drupal
*   Elastic
*   F5
*   Fortinet
*   Fortra
*   Foxit Software
*   FUJIFILM
*   Gigabyte
*   GitLab
*   Google Android and Pixel
*   Google Chrome
*   Google Cloud
*   Grafana
*   Hikvision
*   HP
*   HP Enterprise (including Aruba Networking and Juniper Networks)
*   IBM
*   Imagination Technologies
*   Lenovo
*   Linux distributions AlmaLinux, Alpine Linux, Amazon Linux, Arch Linux, Debian, Gentoo, Oracle Linux, Mageia, Red Hat, Rocky Linux, SUSE, and Ubuntu
*   MediaTek
*   Mitel
*   Mitsubishi Electric
*   MongoDB
*   Moxa
*   Mozilla Firefox and Firefox ESR
*   n8n
*   NETGEAR
*   Node.js
*   NVIDIA
*   ownCloud
*   QNAP
*   Qualcomm
*   Ricoh
*   Samsung
*   SAP
*   Schneider Electric
*   ServiceNow
*   Siemens
*   SolarWinds
*   SonicWall
*   Sophos
*   Spring Framework
*   Synology
*   TP-Link
*   Trend Micro, and
*   Veeam

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Microsoft Fixes 114 Windows Flaws in January 2026 Patch, One Actively Exploited

Explore how cybercrime markets turn stolen data into laundered funds using dollar‑pegged assets, mixers and exchanges-and why tracking BTC USDT price and stablecoin flows now matters for security, fraud and AML teams.

A corporate customer database is breached on a quiet Sunday night. Millions of credentials and card numbers are quietly exfiltrated, sorted, and listed on a well‑known fraud shop on a cybercrime forum. Over the next few days, small crews buy slices of that data and start testing logins, draining loyalty points, taking over e‑commerce accounts, and running carding scripts against online merchants.

The successful hits are funnelled into mule accounts and digital wallets. From there, the proceeds converge. Balances spread across multiple services are swept into a single exchange and converted into liquid, dollar‑pegged assets for rapid movement across chains and borders.

That final conversion step often routes through major trading pairs like BTC USDT, making real-time price data a useful signal for analysts tracking large, possibly illicit, fund flows. A reliable BTC USDT price view offers immediate insight into where capital is concentrating across exchanges.

****Why This Matters for Security, Fraud, and Compliance Teams****

For many organisations, finance app security and breach handling still live in separate silos from Anti-Money Laundering (AML) and sanctions controls. Traditional data breach playbooks focus on containment, forensics, and notification.

Separately, compliance teams watch fiat rails and customer behaviour for money‑laundering red flags. Stablecoin‑enabled laundering sits directly between those worlds. It turns stolen data into on‑chain flows that are neither purely “cyber” nor purely “financial” in the old sense.

****Data Breach Economics and Cybercrime Markets********From Breach to Inventory: How Stolen Data Becomes a Product****

Once attackers gain access to an email environment, data warehouse, or payment system, the breach is only the beginning. Large dumps are pulled out, decrypted where necessary, and triaged.

High‑value elements such as logins, full identity records, card numbers, and session tokens are carved into distinct products: credential lists, so‑called “fullz,” card dumps, and access kits for specific services. These bundles are then listed on underground markets and private channels that specialise in stolen credentials and tools.

****The Role of Markets, Brokers, and “Crime as a Service”****

Cybercrime markets now resemble fragmented financial ecosystems. Initial access brokers specialise in compromised VPNs, RDP endpoints, and email accounts. Data sellers focus on curated lists of stolen credentials or identity packages.

Carders exploit payment systems, while cash‑out crews and money mules move funds through bank accounts, wallets, and merchant accounts. At the far end sit crypto specialists who understand exchanges, mixers, and DeFi, and who turn messy revenues into cleaner balances.

****Why Dollar‑Pegged Assets Appeal to Cybercrime Markets********Dollar Exposure Without Bank Accounts****

Stablecoins offer something very simple that cybercrime markets value: exposure to the US dollar without needing a conventional bank account. Many actors operate from jurisdictions where access to US banking is restricted by geography, sanctions, or risk profile. Others can technically open accounts but fear the traceability, documentation, and closure risk that comes with repeated suspicious activity. Dollar‑pegged assets bridge that gap.

****Liquidity, Speed, and Compliance Arbitrage****

There is also a very practical side to this preference. Stablecoins move quickly between exchanges, DeFi protocols, and over‑the‑counter brokers, often with less operational friction than international bank wires. Cross‑border movement that might take days in the banking system can settle in minutes or seconds on‑chain. For cybercrime markets dealing with volatile enforcement risk and fast‑moving partners, speed matters.

Different venues also apply very different KYC and AML standards. Some offshore exchanges and services have historically offered weak controls or none at all. Others are tightly regulated.

Launderers exploit this diversity by starting on lightly regulated platforms, performing multiple hops, and then approaching more reputable venues only after they believe the trail is sufficiently muddled. Issuers and regulated platforms are increasingly aggressive about freezing tainted funds, particularly when they can link flows to sanctions evasion or high‑profile ransomware.

****Laundering Pipelines: From Compromised Data to Stablecoins********Path 1 – Direct Crypto Extortion and Ransom in Dollar‑Pegged Assets****

In some incidents, breach operators bypass the whole resale and carding ecosystem and go straight to extortion. Double‑extortion and data‑leak crews encrypt systems, exfiltrate sensitive files, and threaten to publish them unless a ransom is paid.

While bitcoin once dominated these demands, there has been a noticeable shift toward liquid stablecoins as the preferred payment method. Dollar‑pegged assets let operators lock in their revenue without worrying about price swings between the demand and the actual payment.

Recent industry analysis shows that total ransomware payments dropped markedly in 2024, falling from well over a billion dollars the year before to the mid‑hundred‑million range, even as the number of incidents remained high. Still, where payments occur, crypto is prominent. 

****Path 2 – Carding, Account Takeover, and Cash‑Out to Stablecoins****

A more traditional path starts with carding and account takeover. Stolen card data and logins from a data breach are used to make fraudulent purchases, initiate withdrawals from online wallets, or order goods that can be resold. Money mules receive and forward funds, sometimes without fully understanding the origin. At each step, banks and payment processors may detect and stop some activity, but not all.

Where transactions succeed, balances accumulate in scattered accounts and merchant profiles. These pockets of value then need to be consolidated. Criminals often turn to exchanges or peer‑to‑peer trading platforms, converting local currency or intermediary assets into stablecoins.

Each platform in this chain has its own AML rules and fraud controls, which can block individual attempts. Yet the overarching goal remains the same: convert messy, risky funds into a single, portable, dollar‑linked asset that can move freely through the crypto ecosystem.

****Path 3 – Insider Abuse and Compromised Corporate Crypto Infrastructure****

In some breaches, the target already holds digital assets. That may be a centralised exchange, a fintech with internal treasury wallets, or a corporation running crypto‑based loyalty and payment programs. In these cases, attackers or corrupt insiders may not bother with traditional carding at all. Instead, they aim directly at hot wallets, signing keys, or internal transfer systems.

Composite case studies show how diverse on‑chain assets are often rapidly swept into a smaller set of liquid stablecoins. Tokens with limited liquidity or thin markets are sold or swapped, consolidating value into one or two major dollar‑pegged assets. Only then does the layering phase begin in earnest, hopping across services and chains.

****On‑Chain Infrastructure: Mixers, DeFi, Bridges, and OTC Brokers********Mixers, Peel Chains, and DeFi‑Based Obfuscation****

Once funds sit in stablecoins, launderers turn to on‑chain infrastructure designed or repurposed to break obvious links between source and destination. Classic mixers and tumblers pool deposits from many users and then redistribute them, attempting to sever direct address‑to‑address trails. Peel chains send small amounts through long sequences of wallets, “peeling” off fragments at each step. Both techniques can be, and often are, applied to dollar‑pegged assets.

DeFi adds another layer. Stable‑swap protocols and lending platforms allow large volumes of stablecoins to move in patterns that look, at least superficially, like normal liquidity provision, arbitrage, or yield‑seeking. Tainted stablecoins can be cycled through pools, borrowed against, or mixed with clean liquidity, generating a noisy transaction history.

****Cross‑Chain Bridges, OTC Desks, and P2P Off‑Ramps****

Launderers rarely stay on a single chain. Cross‑chain bridges are used to move stablecoins between networks with different user bases and compliance postures. Sometimes this is straightforward, moving from a more monitored chain to one with weaker oversight. At other times, lesser‑known networks are used as intermediate waypoints, adding hops and complexity to tracing efforts.

Eventually, most routes approach fiat. Lightly regulated OTC brokers and peer‑to‑peer exchanges play a major role here. Stablecoins are swapped for local currency transfers, cash, or high‑value goods, often via intermediaries who specialise in “no‑questions‑asked” exits.

****Case Patterns and Enforcement Disruptions********What Recent Crackdowns Reveal About Stablecoin Laundering****

Joint operations over the last few years against darknet operators, non‑compliant exchanges, and rogue payment processors have provided a clearer window into stablecoin laundering. When infrastructure is seized, and transaction records are analysed, a familiar picture emerges: fraud shops and ransomware services settling with each other in dollar‑pegged assets, routing funds through a relatively small set of services and addresses. In some operations, authorities reported that revenues at key fraud markets dropped by around half after associated financial rails were disrupted.

These takedowns do more than remove specific nodes from the ecosystem. They also surface detailed transaction graphs and operational playbooks, which investigators and analytics companies fold back into their models.

****Adaptation: How Cybercrime Markets Respond to Pressure****

Predictably, cybercrime markets adapt when pressure mounts. As stablecoin issuers and regulated platforms freeze known illicit addresses and respond more aggressively to sanctions violations, launderers experiment. They rotate between multiple dollar‑pegged assets, use niche tokens as temporary parking spots, and design multi‑hop paths that cross several chains and jurisdictions before reaching an off‑ramp. Sanctions evasion in particular has driven some of the most complex layering patterns seen to date.

****Detection Strategies for Compliance, Fraud, and Security Teams********Turning Laundering Flows into Actionable Typologies****

Narrative descriptions of how money moves are helpful, but investigators and monitoring systems need concrete rules. Experts work with clients to convert stablecoin laundering flows into AML typologies and alert logic.

Examples include clusters of small exchange deposits from known carding geographies that rapidly consolidate into a single stablecoin wallet; abrupt, high‑value transfers to newly created addresses shortly after a disclosed breach; and repeated use of certain cross‑chain bridges and DeFi pools in close sequence following fraud events.

These typologies are then tied to specific thresholds, suppression logic, and investigative playbooks. An alert for “post‑breach stablecoin consolidation” may trigger checks against internal incident timelines, external breach reports, and known cybercrime clusters.

Another typology might focus on stablecoin‑denominated settlements with services historically associated with fraud shops. By aligning typologies with the actual economics of data breach proceeds and cybercrime markets, institutions can raise meaningful suspicious activity reports while keeping false positives manageable.

****Linking Breach Telemetry with On‑Chain Signals****

One of the most powerful and still underused techniques is fusing breach telemetry with on‑chain intelligence. Indicators from an intrusion, such as C2 domains, wallet addresses found in ransom notes, or exfiltration timestamps, often have echoes in blockchain data. Correlating those signals can transform a breach investigation from a purely internal exercise into a broader follow‑the‑money operation.

****Hardening On‑/Off‑Ramps and Partner Controls********Strengthening Stablecoin Controls at Exchanges and Fintechs****

Exchanges, brokerages, and fintech platforms that support stablecoins sit at crucial points in the laundering chain. By tuning KYC and transaction‑monitoring controls specifically for dollar‑pegged flows, these institutions can dramatically reduce their attractiveness to cybercrime markets. Practical measures include differentiated onboarding tiers, enhanced due diligence for customers or regions associated with high breach and fraud activity, and dynamic limits on stablecoin movements that adjust with behavioural risk.

****Managing Third‑Party and Infrastructure Risk****

No institution operates alone in this space. Stablecoin issuers, custodians, payment processors, analytics providers, bridge operators, and OTC partners all influence how easy or hard it is for cybercrime markets to use dollar‑pegged assets.

Evaluating these partners’ risk postures, how they handle KYC, how quickly they respond to law enforcement, and whether they freeze tainted funds is a key part of managing stablecoin exposure.

****Conclusion: Using Stablecoin Insight to Strengthen Breach Response and AML********From Static Breach Playbooks to Dynamic Financial‑Crime Defences****

The journey from a breached database to laundered funds rarely stops at cash or bitcoin anymore. In case after case, data breach proceeds move through cybercrime markets, into dollar‑pegged assets, and across a complex web of mixers, DeFi protocols, bridges, and off‑ramps. Understanding those stablecoin‑centric pipelines is no longer a niche concern for “the crypto team”; it is a core part of modern financial‑crime strategy.

Institutions that integrate on‑chain intelligence into both breach response and AML gain a real advantage. They can spot when data theft begins turning into money laundering, recognise familiar laundering architectures, and coordinate faster with partners and authorities. Rather than cleaning up after each incident in isolation, they build a dynamic defence informed by how cybercrime markets actually operate today.

(Photo by Kanchanara on Unsplash)

How Cybercrime Markets Launder Breach Proceeds and What Security Teams Miss

The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of new cyber attacks targeting its defense forces with malware known as PLUGGYAPE between October and December 2025.
The activity has been attributed with medium confidence to a Russian hacking group tracked as Void Blizzard (aka Laundry Bear or UAC-0190). The threat actor is believed to be active since at least

Cyber Espionage / Threat Intelligence

The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of new cyber attacks targeting its defense forces with malware known as PLUGGYAPE between October and December 2025.

The activity has been attributed with medium confidence to a Russian hacking group tracked as **Void Blizzard** (aka Laundry Bear or UAC-0190). The threat actor is believed to be active since at least April 2024.

Attack chains distributing the malware leverage instant messaging Signal and WhatsApp as vectors, with the threat actors masquerading as charity organizations to convince targets into clicking on a seemingly-harmless link ("harthulp-ua\[.\]com" or "solidarity-help\[.\]org") impersonating the foundation and download a password-protected archive.

The archives contain an executable created with PyInstaller that ultimately led to the deployment of PLUGGYAPE. CERT-UA said successive iterations of the backdoor have added obfuscation and anti-analysis checks to prevent the artifacts from being executed in a virtual environment.

Written in Python, PLUGGYAPE establishes communication with a remote server over WebSocket or Message Queuing Telemetry Transport (MQTT), allowing the operators to execute arbitrary code on compromised hosts. Support for communication using the MQTT protocol was added in December 2025.

In addition, the command-and-control (C2) addresses are retrieved from external paste services such as rentry\[.\]co and pastebin\[.\]com, where they are stored in base64-encoded form, as opposed to directly hard-coding the domain in the malware itself. This gives attackers the ability to maintain operational security and resilience, allowing them to update the C2 servers in real-time in scenarios where the original infrastructure is detected and taken down.

"Initial interaction with the target of a cyber attack is increasingly carried out using legitimate accounts and phone numbers of Ukrainian mobile operators, with the use of the Ukrainian language, audio and video communication, and the attacker may demonstrate detailed and relevant knowledge about the individual, organization, and its operations," CERT-UA said.

"Widely used messengers available on mobile devices and personal computers are de facto becoming the most common channel for delivering software tools for cyber threats."

In recent months, the cybersecurity agency has also revealed that a threat cluster tracked as UAC-0239 sent phishing emails from UKR\[.\]net and Gmail addresses containing links to a VHD file (or directly as an attachment) that paves the way for a Go-based stealer named FILEMESS that collects files matching certain extensions and exfiltrates them to Telegram.

Also dropped is an open-source C2 framework called OrcaC2 that enables system manipulation, file transfer, keylogging, and remote command execution. The activity is said to have targeted Ukrainian defense forces and local governments.

Educational institutions and state authorities in Ukraine have also been at the receiving end of another spear-phishing campaign orchestrated by UAC-0241 that leverages ZIP archives containing a Windows shortcut (LNK) file, opening which triggers the execution of an HTML Application (HTA) using "mshta.exe."

The HTA payload, in turn, launches JavaScript designed to download and execute a PowerShell script, which then delivers an open-source tool called LaZagne to recover stored passwords and a Go backdoor codenamed GAMYBEAR that can receive and execute incoming commands from a server and transmit the results back in Base64-encoded form over HTTP.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

PLUGGYAPE Malware Uses Signal and WhatsApp to Target Ukrainian Defense Forces

Deserialization of untrusted data in Azure Core shared client library for Python allows an authorized attacker to execute code over a network.

Skip to content

**Navigation Menu**

*   *   AI CODE CREATION
        
        *   GitHub CopilotWrite better code with AI
            
        *   GitHub SparkBuild and deploy intelligent apps
            
        *   GitHub ModelsManage and compare prompts
            
        *   MCP RegistryNewIntegrate external tools
            
        
    
    View all features
    

*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Appearance settings

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2026-21226

**Azure Core is vulnerable to deserialization of untrusted data**

High severity GitHub Reviewed Published Jan 13, 2026 to the GitHub Advisory Database • Updated Jan 13, 2026

**Package**

pip azure-core (pip)

**Affected versions**

< 1.38.0

**Description**

Published to the GitHub Advisory Database

Jan 13, 2026

Last updated

Jan 13, 2026

**EPSS score**

Tag

#intel