🛡️ InfoSec Blue Team Briefing

Sunday, January 11, 2026


Good morning. Yesterday's security developments from Saturday, January 10, 2026, covering 14 articles across threat intelligence, vulnerabilities, and attack techniques. All attribution is by the article authors. All article analysis is automated.

Team Cymru identified 28 IP addresses and 85 domains associated with carding markets operating between July and December 2025. The infrastructure was primarily hosted by offshore providers using the TLDs .su, .cc, and .ru to facilitate illegal trade of stolen credit card data.

Gavin Knapp details the MongoBleed vulnerability, CVE-2025-14847, affecting MongoDB services. The vulnerability impacts internet-facing devices running unpatched MongoDB versions and could enable remote service exploitation. Patched versions include 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30.
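A branch-aware version check against the patched versions listed above, as an added example (not code from the briefing or from MongoDB). Host names and the inventory are constructed; a naive "is my version higher than 8.2.3" comparison would wrongly mark an unpatched 7.0.27 as safe, and branches the briefing does not list are reported as unknown rather than patched.

```python
# Added example: decide whether a reported MongoDB version is at or above the
# fixed version for its own release branch (CVE-2025-14847, "MongoBleed").
from typing import Dict, List, Tuple

# Fixed versions as listed in the briefing, keyed by major.minor branch.
PATCHED_FOR_CVE_2025_14847: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (8, 2): (8, 2, 3),
    (8, 0): (8, 0, 17),
    (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27),
    (5, 0): (5, 0, 32),
    (4, 4): (4, 4, 30),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse a strict 'X.Y.Z' release string; anything else is rejected."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised MongoDB version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def patch_status(text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one version string.

    'unknown' covers branches the briefing does not list (e.g. 8.1.x); treat
    those as needing vendor confirmation, not as safe.
    """
    major, minor, patch = parse_version(text)
    fixed = PATCHED_FOR_CVE_2025_14847.get((major, minor))
    if fixed is None:
        return "unknown"
    return "patched" if (major, minor, patch) >= fixed else "vulnerable"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group (host, version) pairs, e.g. gathered from db.version(), by status."""
    result: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in inventory:
        result[patch_status(version)].append(host)
    return result


# Constructed sample inventory (hypothetical hosts, not from the briefing).
SAMPLE_INVENTORY = [("mongo-prod-01", "8.0.17"), ("mongo-prod-02", "7.0.27"),
                    ("mongo-legacy", "4.4.30"), ("mongo-dev", "8.1.2")]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```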

watchTowr Labs reports a critical pre-authentication Remote Code Execution vulnerability in SmarterTools' SmarterMail email server, CVE-2025-52691, with a CVSS score of 10.0. The vulnerability allows unauthenticated attackers to exploit a file upload endpoint to deploy webshells. SmarterTools silently patched the issue in build 9413 on October 10, 2025, nearly three months before public disclosure.

Amazon Web Services discloses CVE-2026-0830, a command injection vulnerability in Kiro GitLab Merge Request Helper affecting Kiro IDE versions prior to 0.6.18. The flaw allows arbitrary command execution when users open maliciously crafted workspaces. Users should immediately upgrade to version 0.6.18 or later.

RustyNoob-619 releases YARA detection rules for identifying Industroyer malware through analysis of PE Rich header characteristics. The rules provide defenders with a technical method to detect this sophisticated malware targeting industrial control systems.

Florian Roth announces Loki-RS, a high-performance, multi-threaded scanner written in Rust that identifies malicious indicators through YARA rules and IOC matching. Designed for security professionals and incident responders, it scans files and process memory to detect malware and suspicious files. The tool is currently in beta and offers features including archive scanning, interactive TUI, and HTML report generation.

The Global CVE Allocation System announces the launch of db.gcve.eu, a new open vulnerability advisory database consolidating information from over 25 public sources. The platform aims to provide defenders, researchers, and vendors with a unified reference point for vulnerability intelligence and improved correlation capabilities.

x011 releases smtp-tunnel-proxy, an open-source tool that disguises arbitrary TCP traffic as legitimate SMTP email communication to bypass Deep Packet Inspection firewalls. The tool operates using a SOCKS5 proxy on the client side and a server listening on SMTP port 587, mimicking legitimate email server behavior.

GVCoder09 develops NoDPI, a tool designed to bypass Deep Packet Inspection technology used by ISPs for traffic monitoring and blocking. The tool uses packet modification and fragmentation techniques to evade DPI detection, representing a method for circumventing network-level censorship.

0xedh releases DumpGuard BOF, a Beacon Object File tool that extracts NTLMv1 hashes from Windows sessions by exploiting the Remote Credential Guard protocol. The tool functions as a fake RDP server that tricks Windows SSPI into performing authentication, bypassing Credential Guard protections without requiring administrative privileges.

Security researcher banda publishes a detailed methodology for devirtualizing software protected by VMProtect 3.0.9, using dynamic binary instrumentation and symbolic execution to reconstruct original x86 code. The technique undermines VMProtect's anti-analysis capabilities, enabling reverse engineers to analyze previously obfuscated software.

The Canadian Broadcasting Corporation reports Juan Pablo Serrano was arrested in Spain in connection with the 2018 Desjardins data breach affecting 9.7 million people. Serrano allegedly purchased stolen personal information from insider Sébastien Boulanger-Dorval and used it for fraud schemes, facing charges including identity theft and fraud exceeding $5,000.

Emsisoft reports ransomware activity in the U.S. continued to rise in 2025 with increased victim numbers and emergence of new ransomware groups following law enforcement disruptions. Attackers are increasingly relying on social engineering tactics, particularly phone-based credential theft, rather than technical exploits.

Reuters reports France released Daniil Kasatkin, a Russian national arrested at U.S. request for alleged involvement in a ransomware hacking network targeting U.S. companies and federal institutions. Kasatkin denies the accusations and has returned to Moscow, highlighting international complications in prosecuting cybercriminals.

📰 Articles Covered