Good morning. This is your security briefing for Saturday, January 03, 2026, covering 15 articles analyzed overnight. All attribution is by the article authors, and all article analysis is automated.
Pranshu Parmar has released witr, an open-source Linux utility that maps the causal chain behind a running process, helping defenders work out how a process was started and which systems are responsible for its existence. The tool performs read-only analysis and additionally warns about security-relevant findings such as processes running as root or services listening on public interfaces.
Logisek released a PowerShell tool for auditing Azure RBAC role assignments and detecting unauthorized changes through drift detection. The script creates baselines and compares live environments to identify new, removed, or modified assignments that could indicate privilege escalation attempts.
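The briefing above describes the tool's approach as baseline-then-compare. The block below is an added illustration of that comparison logic, written here in Python rather than taken from the Logisek script: it loads two constructed snapshots of role assignments (shaped like a serialised assignment list, with made-up IDs and principals), keys them on the assignment ID, classifies drift as new, removed or modified, and then flags the subset a reviewer would triage first. The compared fields and the list of privileged roles are illustrative choices, not the tool's.

```python
"""Baseline-vs-live drift detection for Azure RBAC role assignments (added example, not the tool's code)."""
import json

# Fields compared for an assignment present in both snapshots (illustrative choice for this example).
COMPARED_FIELDS = ("principalId", "principalType", "roleDefinitionName", "scope", "condition")

# Roles whose unexpected appearance is worth an immediate look (illustrative list, not from the tool).
PRIVILEGED_ROLES = {"Owner", "User Access Administrator", "Contributor"}

# Constructed snapshots with placeholder subscription and assignment IDs.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RA = SUB + "/providers/Microsoft.Authorization/roleAssignments/"
BASELINE_JSON = json.dumps([
    {"id": RA + "a0000000-0000-0000-0000-000000000001", "principalId": "u-alice",
     "principalType": "User", "roleDefinitionName": "Reader", "scope": SUB, "condition": None},
    {"id": RA + "a0000000-0000-0000-0000-000000000002", "principalId": "sp-deploy",
     "principalType": "ServicePrincipal", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-prod",
     "condition": "!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})"},
    {"id": RA + "a0000000-0000-0000-0000-000000000003", "principalId": "u-bob",
     "principalType": "User", "roleDefinitionName": "Reader",
     "scope": SUB + "/resourceGroups/rg-dev", "condition": None},
])
LIVE_JSON = json.dumps([
    {"id": RA + "a0000000-0000-0000-0000-000000000001", "principalId": "u-alice",
     "principalType": "User", "roleDefinitionName": "Reader", "scope": SUB, "condition": None},
    # Same assignment ID as the baseline, but the ABAC condition has been removed: a modification.
    {"id": RA + "a0000000-0000-0000-0000-000000000002", "principalId": "sp-deploy",
     "principalType": "ServicePrincipal", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-prod", "condition": None},
    # Not in the baseline: a new Owner assignment at subscription scope.
    {"id": RA + "a0000000-0000-0000-0000-000000000004", "principalId": "u-mallory",
     "principalType": "User", "roleDefinitionName": "Owner", "scope": SUB, "condition": None},
    # u-bob's Reader assignment (…0003) is gone: a removal.
])


def diff_assignments(baseline, live):
    """Classify drift between two assignment lists, keyed on the assignment ID."""
    base = {a["id"]: a for a in baseline}
    now = {a["id"]: a for a in live}
    new = [now[i] for i in sorted(now.keys() - base.keys())]
    removed = [base[i] for i in sorted(base.keys() - now.keys())]
    modified = []
    for i in sorted(base.keys() & now.keys()):
        changes = {f: (base[i].get(f), now[i].get(f))
                   for f in COMPARED_FIELDS if base[i].get(f) != now[i].get(f)}
        if changes:
            modified.append({"id": i, "changes": changes})
    return {"new": new, "removed": removed, "modified": modified}


def escalation_candidates(drift, privileged_roles=PRIVILEGED_ROLES):
    """Return IDs of new privileged assignments and of modifications that raise a role to a privileged one."""
    flagged = [a["id"] for a in drift["new"] if a["roleDefinitionName"] in privileged_roles]
    for m in drift["modified"]:
        before, after = m["changes"].get("roleDefinitionName", (None, None))
        if after in privileged_roles and before not in privileged_roles:
            flagged.append(m["id"])
    return flagged


def report(baseline_json=BASELINE_JSON, live_json=LIVE_JSON):
    """Parse both snapshots and return (drift, escalation candidate IDs)."""
    drift = diff_assignments(json.loads(baseline_json), json.loads(live_json))
    return drift, escalation_candidates(drift)


if __name__ == "__main__":
    drift, flagged = report()
    print(json.dumps(drift, indent=2))
    print("escalation candidates:", flagged)
```

Because Azure issues a fresh assignment ID when the role, principal or scope of an assignment changes, most real drift shows up as a new/removed pair rather than as a modification; the "modified" class mainly catches in-place edits such as a relaxed or removed condition, which is why the example compares that field too.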
Ait-aecid published an open-source rootkit detection tool that uses eBPF time tracing to identify Linux rootkits by monitoring execution time anomalies in kernel functions. The method employs machine learning to detect temporal shifts indicating rootkit manipulation, tested against the CARAXES rootkit on Linux kernels 5.15 through 6.11.
As part of the 100 Days of YARA 2026 series, Squiblydoo developed a YARA rule to detect hardcoded strings in binaries obfuscated using the obfusheader technique. This detection capability targets a specific obfuscation method used to evade static analysis of compiled binaries.
RustyNoob-619 released another YARA rule in the 2026 series that detects Windows PE files whose Rich Header contains invalid Product IDs. The Rich Header records the Microsoft toolchain components that built a binary, and inconsistencies in it are among the most common anomalies analysts pivot on in malware analysis and threat hunting.
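To make the artefact behind that rule concrete, here is an added Python example (not the YARA rule and not RustyNoob-619's code) that decodes a Rich Header the way a hunting script would: it locates the "Rich" marker and XOR key, walks back to "DanS", decodes the (product id, build, use count) entries, recomputes the linker checksum to confirm the header has not been edited, and flags product IDs outside the known range. The sample PE prefix is constructed inline, and the upper bound on known product IDs (0x110) is an assumption chosen for the example, not a value from the rule.

```python
"""Rich Header parser with XOR-key/checksum validation for Windows PE files (added example)."""
import struct

DANS_MAGIC = struct.unpack("<I", b"DanS")[0]   # "DanS" read as a little-endian dword
MAX_KNOWN_PRODID = 0x110  # assumption for this example: IDs above this are treated as unknown


def rol32(value: int, count: int) -> int:
    """32-bit rotate-left; like the linker's _rotl, only the low 5 bits of the count matter."""
    count &= 31
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def rich_checksum(dos_header: bytes, dans_offset: int, entries) -> int:
    """Checksum the linker stores as the XOR key: the DanS offset, plus each DOS-header
    byte rotated by its position (e_lfanew at 0x3C-0x3F is skipped), plus each
    comp id ((prodid << 16) | build) rotated by its use count."""
    total = dans_offset
    for i, b in enumerate(dos_header[:0x40]):
        if 0x3C <= i < 0x40:
            continue
        total = (total + rol32(b, i)) & 0xFFFFFFFF
    for prodid, build, count in entries:
        total = (total + rol32((prodid << 16) | build, count)) & 0xFFFFFFFF
    return total


def parse_rich_header(data: bytes):
    """Decode the Rich Header; returns None when no Rich/DanS pair is found."""
    rich_pos = data.find(b"Rich")
    if rich_pos < 0 or rich_pos + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, rich_pos + 4)[0]
    # Walk backwards in dword steps until the key-decoded dword reads "DanS".
    pos = rich_pos - 4
    while pos >= 0 and struct.unpack_from("<I", data, pos)[0] ^ key != DANS_MAGIC:
        pos -= 4
    if pos < 0:
        return None
    entries = []
    # DanS is followed by three XOR-encoded zero dwords, then (comp id, count) pairs.
    for off in range(pos + 16, rich_pos, 8):
        comp, count = struct.unpack_from("<II", data, off)
        comp ^= key
        entries.append((comp >> 16, comp & 0xFFFF, count ^ key))
    recomputed = rich_checksum(data, pos, entries)
    return {"offset": pos, "key": key, "entries": entries, "checksum_ok": recomputed == key}


def find_anomalies(info, max_known_prodid=MAX_KNOWN_PRODID):
    """Findings a hunting rule cares about: an edited/forged header (checksum mismatch)
    and product IDs outside the range of known toolchain IDs."""
    findings = []
    if not info["checksum_ok"]:
        findings.append("checksum does not match XOR key")
    for prodid, build, count in info["entries"]:
        if prodid > max_known_prodid:
            findings.append(f"unknown product id 0x{prodid:04x} (build {build}, count {count})")
    return findings


def build_sample_pe(entries) -> bytes:
    """Constructed minimal PE prefix (DOS header, empty stub, Rich Header, PE signature) for testing."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x100)       # e_lfanew -> PE signature at 0x100
    stub = bytes(0x40)                               # empty DOS stub
    dans_offset = len(dos) + len(stub)               # Rich Header starts at 0x80
    key = rich_checksum(bytes(dos), dans_offset, entries)   # real linkers use the checksum as the key
    body = struct.pack("<I", DANS_MAGIC ^ key) + struct.pack("<I", key) * 3
    for prodid, build, count in entries:
        body += struct.pack("<II", ((prodid << 16) | build) ^ key, count ^ key)
    body += b"Rich" + struct.pack("<I", key)
    image = bytes(dos) + stub + body
    assert len(image) <= 0x100, "sample header overflows the space reserved before the PE signature"
    return image + bytes(0x100 - len(image)) + b"PE\0\0"


if __name__ == "__main__":
    sample = build_sample_pe([(0x0104, 31937, 12), (0x00FF, 31937, 3)])
    info = parse_rich_header(sample)
    print(info)
    print("anomalies:", find_anomalies(info) or "none")
```

A header whose checksum no longer matches its XOR key has been edited after linking (or forged outright), which is the usual sign of Rich Header manipulation; a header that checksums fine but carries an out-of-range product ID was produced by something other than a stock Microsoft toolchain, which is the anomaly the rule above keys on.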
Resecurity deployed honeypots seeded with synthetic data, 28,000 consumer records and 190,000 payment transactions, to run counterintelligence operations against data thieves. The deception lured threat actors including the ShinyHunters group, letting Resecurity monitor their activity and identify their infrastructure through the actors' own OPSEC failures.
Researchers on Hugging Face released CoLog, a framework using collaborative transformers for detecting anomalies in operating system logs. The tool achieves 99.63% precision in identifying both point and collective anomalies across seven benchmark datasets.
Lsecqt released SessionView, a lightweight C# console application for enumerating and displaying user sessions on Windows Servers. The tool allows administrators to list active sessions and retrieve detailed information including connection states and usernames by leveraging the WTS API and Windows Registry.
Rasta Mouse presented BOF Cocktails, a novel implementation pattern for applying evasion tradecraft directly to Beacon Object Files within the Crystal Palace framework. This technique merges evasion code into BOFs themselves rather than relying on API hooking in parent implants, reducing detection surface for red team operations.
CorvraLabs released EvilNeko, a red team tool that automates Browser in the Browser attacks by orchestrating containerized browser instances via WebRTC. The tool scales BITB infrastructure for multiple targets and pre-loads Chrome extension payloads to emulate realistic phishing attacks.
Glueckkanja disclosed ConsentFix, a new OAuth 2.0-based attack technique that bypasses Microsoft Entra Conditional Access policies by exploiting the authorization code flow. Attackers trick users into providing authorization codes through localhost redirect URIs, then redeem these codes for bearer tokens to impersonate users and access resources like Azure Resource Manager.
KELA Cyber Intelligence Center reported that Iranian-linked hacking group Handala compromised Telegram accounts of Israeli officials including former Prime Minister Naftali Bennett through session hijacking. The breach exposed contact information for senior Israeli officials, journalists, and business executives, likely using social engineering or spear phishing for credentials.
Koi Research identified Wave 4 attacks by the GlassWorm threat actor now targeting macOS developers in cryptocurrency and web3 sectors. The operation uses AES-256-CBC encrypted JavaScript payloads, Solana blockchain for immutable C2 infrastructure, and attempts to trojanize hardware wallet applications like Ledger Live and Trezor Suite.
Brian Krebs reported that the Kimwolf botnet has infected over 2 million devices globally, primarily targeting insecure Android TV boxes and digital photo frames with ADB mode enabled by default. The botnet exploits residential proxy networks to tunnel through firewalls for ad fraud, account takeovers, content scraping, and DDoS attacks.
Snyk discovered a new variant of the Shai-Hulud malware (version 3.0) embedded in the @vietmoney/react-big-calendar npm package on December 29, 2025. The variant features improved obfuscation and more robust error handling to evade security scanners, and exfiltrates stolen data to GitHub repositories, with the changes focused on stealth and cross-platform stability.