🛡️ InfoSec Blue Team Briefing

Thursday, January 08, 2026

🚨 Critical Vulnerability Alert

Before we begin today's briefing, we have a critical security alert. CVE-2025-37164, a remote code execution in HPE OneView with a perfect CVSS score of 10, has been added to the CISA Known Exploited Vulnerabilities catalog.

🎧 Audio Briefing


Good morning. This is your security briefing for Wednesday, January 07, 2026, covering 15 articles analyzed overnight. All attribution is by the article authors, and all article analysis is automated.

The Weixin Official Accounts Platform published an in-depth analysis of AuraStealer malware-as-a-service, focusing on its obfuscation and adversarial techniques. The article examines the technical implementation of evasion methods employed by this stealer malware platform.

Group-IB reports on Ghost Tap, an NFC-enabled Android malware sold in Chinese cybercrime communities on Telegram that enables remote tap-to-pay fraud. The malware uses a two-component system with a reader on victim devices to capture bank card data and a tapper on attacker devices to conduct unauthorized transactions, with victims targeted through smishing and vishing campaigns.

Zscaler ThreatLabz discovered three malicious NPM packages in November 2025 delivering NodeCordRAT, a remote access trojan that uses Discord for command-and-control communication. The malware targets Chrome credentials, API tokens, and MetaMask cryptocurrency wallet data including keys and seed phrases.

Veeam released security updates for Backup & Replication 13 addressing multiple high-severity vulnerabilities. The most critical, CVE-2025-59470 with a CVSS score of 9.0, enables authenticated users with Backup or Tape Operator roles to achieve remote code execution as root through malicious SQL parameters.

The Financial Times reports that China's Ministry of State Security conducted the Salt Typhoon cyber espionage campaign targeting email systems of US congressional committee staff. The intrusions, detected in December, compromised unencrypted phone calls, texts, and voicemails, providing China access to sensitive communications from House China, foreign affairs, intelligence, and armed services committees.

Picus Security analyzed how the pro-Russia hacktivist group NoName057(16) conducts DDoS attacks against NATO and European targets using its proprietary DDoSia tool. The group recruits volunteers via Telegram with cryptocurrency incentives and primarily targets government sectors, with Ukraine the most affected country at 29% of attacks.

Securite360 published a deep dive into Sagerunex malware used by Lotus Panda, a China-linked APT group active since 2009. The backdoor targets government, telecommunications, manufacturing, and defense sectors across Southeast Asia and Taiwan, featuring sophisticated evasion techniques including Explorer token impersonation and time-windowed operations.

Recorded Future reports that Russian state-sponsored threat group BlueDelta, linked to the GRU, conducted credential-harvesting campaigns between February and September 2025. The group impersonated legitimate webmail and VPN services including Microsoft OWA, Google, and Sophos VPN to steal credentials from Turkish energy and nuclear research agencies, European think tanks, and organizations in North Macedonia and Uzbekistan.

Gavin Knapp has launched the 100 Days of KQL 2026 Initiative, a structured program for cybersecurity professionals to enhance their Kusto Query Language skills through daily query creation. The initiative targets defenders using Azure Sentinel and Microsoft Defender for Endpoint, providing resources and a GitHub repository to improve threat hunting and detection capabilities.

T3ft3lb released a YARA rule to detect malicious LNK files associated with Squid Werewolf, also known as APT37. The rule identifies specific file characteristics, command-line arguments, and tracker data patterns indicative of this group's malware.

Squiblydoo released a YARA rule to detect PE files signed with a code-signing certificate belonging to Xiamen Jialan Guang Information Technology Service Co., Ltd. The certificate is suspected of being abused by malicious actors to sign malware, allowing it to bypass security controls that trust signed executables.

Yashraj Solanki released a YARA rule to detect malicious Windows PE files by identifying rich signatures at non-standard offsets. These specific offsets at 0x60, 0x68, 0x8C, and 0xE0 are associated with known malware that manipulates rich signature placement to evade detection.
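To make the detection idea concrete, here is an added Python example (not the YARA rule from the briefing, nor anything from its author) that locates and validates the Rich header in a PE image and flags the four marker offsets the summary lists. It assumes the rule anchors on the position of the "Rich" marker; the sample images it checks are constructed in memory, not real binaries.

```python
import struct

# "Rich" marker offsets the briefing lists as non-standard (from the page).
# That the rule keys on the marker's offset is my assumption.
SUSPICIOUS_RICH_OFFSETS = {0x60, 0x68, 0x8C, 0xE0}

DANS_MAGIC = 0x536E6144  # b"DanS" read as a little-endian uint32


def locate_rich_header(data: bytes):
    """Return (dans_offset, rich_offset, xor_key) for a validated Rich header, else None.

    The header sits between the DOS header (0x40 bytes) and the PE signature.
    We find the "Rich" marker, read the XOR key after it, then walk backwards
    un-XORing dwords until the "DanS" start marker appears.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    region_end = min(e_lfanew, len(data)) if e_lfanew else len(data)
    rich = data.find(b"Rich", 0x40, region_end)
    if rich == -1 or rich + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, rich + 4)[0]
    pos = rich - 4
    while pos >= 0x40:
        if struct.unpack_from("<I", data, pos)[0] ^ key == DANS_MAGIC:
            return pos, rich, key
        pos -= 4
    return None  # marker present but no matching "DanS": not a real Rich header


def decode_entries(data: bytes, dans: int, rich: int, key: int):
    """Decode (product_id, build, count) tuples between the DanS padding and the marker."""
    entries = []
    for pos in range(dans + 16, rich, 8):
        comp_id, count = struct.unpack_from("<II", data, pos)
        comp_id ^= key
        entries.append((comp_id >> 16, comp_id & 0xFFFF, count ^ key))
    return entries


def classify(data: bytes) -> dict:
    """Summarise the Rich header and whether its marker sits at a listed offset."""
    found = locate_rich_header(data)
    if found is None:
        return {"rich_offset": None, "suspicious": False, "entries": []}
    dans, rich, key = found
    return {
        "rich_offset": rich,
        "suspicious": rich in SUSPICIOUS_RICH_OFFSETS,
        "entries": decode_entries(data, dans, rich, key),
    }


def build_sample_pe(dans_offset: int, entries, key: int = 0x1234ABCD) -> bytes:
    """Constructed test image: MZ header, zero stub, Rich header at dans_offset, PE signature."""
    buf = bytearray(0x40)
    buf[:2] = b"MZ"
    buf += b"\x00" * (dans_offset - 0x40)
    buf += struct.pack("<I", DANS_MAGIC ^ key)
    buf += struct.pack("<III", key, key, key)  # three zero padding dwords, XORed
    for comp_id, count in entries:
        buf += struct.pack("<II", comp_id ^ key, count ^ key)
    buf += b"Rich" + struct.pack("<I", key)
    struct.pack_into("<I", buf, 0x3C, len(buf))  # e_lfanew points at PE\0\0
    buf += b"PE\x00\x00"
    return bytes(buf)


if __name__ == "__main__":
    # Marker lands at 0x48 + 16 + 8 = 0x60, one of the listed offsets.
    odd = build_sample_pe(0x48, [(0x00010001, 5)])
    # Marker lands at 0x80 + 16 + 24 = 0xA8, a typical position.
    usual = build_sample_pe(0x80, [(0x00010001, 5), (0x00930001, 2), (0x01040001, 1)])
    for name, img in (("constructed-odd", odd), ("constructed-usual", usual)):
        print(name, classify(img))
```

The backward walk to "DanS" matters: a bare search for the four bytes "Rich" will also hit string tables and resources, so validating the XOR key against the start marker keeps the offset check honest.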

Antonlovesdnb announced SysmonConfigPusher version 2, a modernized web-based tool for deploying and managing Sysmon configurations across Windows endpoints. It supports both agentless WMI/SMB and agent-based deployment methods, with Docker support for agent-only scenarios.

JoshuaJapes is promoting the 100 Days of KQL challenge, where security professionals create and share Kusto Query Language queries daily for 100 consecutive days. The challenge aims to improve threat detection capabilities through enhanced KQL proficiency among SOC analysts and cybersecurity professionals.

Outflank, acquired by Fortra, has developed a technique to hide processes on Windows systems with Hypervisor-Protected Code Integrity enabled by bypassing PatchGuard's integrity checks. The method uses a process notification callback to repair corrupted list entry structures just before termination checks occur, demonstrating that hardware-backed protections like HVCI can be circumvented through precise manipulation of kernel data structures.

📰 Articles Covered